How to find the reverse-connection domain name of a reverse-connecting Trojan

Source: Internet
Author: User
Tags: domain name server, mail exchange, MX record

Author: kofj
Contact info: kofj2005 at gmail.com

Reverse-connection Trojans are mostly planted by exploiting the many vulnerabilities in Internet Explorer: an unpatched user clicks a link, the Trojan is downloaded and run, and the machine is under the attacker's control from then on. These victims are mostly home users on dynamic IP addresses, so without a reverse connection (the victim calling back to the attacker, rather than the attacker connecting in) they could not be controlled for long.

Next, let's discuss how to find the most critical element of such a Trojan: the reverse-connection domain name. Once you know it you can find out where the culprit is, whether the domain is currently online and other private information, or even hijack the domain name so that every machine under the attacker's control connects to an IP address you choose. In short, once the reverse domain name is exposed it is easy to get hold of the black hand behind the scenes.

To connect back, the Trojan must first send a query to a domain name server, receive the query result (the IP address corresponding to the domain name), and only then connect to the master end at that IP address. Many Trojans hide their service, process, files and ports by modifying system files, injecting into processes and hooking APIs, so the system's own output is no longer reliable, and even packet-capture data taken on the infected machine may have been maliciously tampered with to erase Trojan-related data (my test subject did not do this, but other Trojans might). So I thought of a physical method: however well a Trojan hides inside the system, its domain name query still has to leave the machine over the network cable or the wireless link.

To locate the reverse connection domain name, construct the following network topology:
A NOTEBOOK (the infected machine) and a PC (the capture machine) are both connected to a HUB, and the ADSL modem is connected to the hub's uplink port (note that on most hubs the UPLINK port cannot be used at the same time as the port next to it). I chose a HUB rather than a broadband router because I have no money... The real reason is that a hub repeats every frame received on one port out of every other port, so all traffic from the NOTEBOOK's NIC also reaches the PC's NIC, and network data the Trojan hides on the NOTEBOOK is exposed to the PC without reservation. A switch will not do here: it forwards each frame only to the port of the destination MAC address, so with a switch you would need a mirror (SPAN) port instead.

To understand the technique thoroughly and put it into practice, I will use the famous Chinese Trojan Gray Pigeon (Huigezi) for testing and try to find its reverse-connection domain name (you could test with another Trojan; I use this one because it is what my machine happened to catch). The capture tool on the PC is WinDump (tcpdump for Windows). To use WinDump you must first install WinPcap 3.1 and then download WinDump 3.9.3, which runs directly without installation.
WinDump:
http://www.winpcap.org/windump/install/bin/windump_3_9_3/WinDump.exe
WinPcap 3.1:
http://www.winpcap.org/install/bin/WinPcap_3_1.exe
Before capturing, a word about the state of the NOTEBOOK, where Gray Pigeon is installed. Finding the service name is simple: the intrusion-detection tool IceSword lists all processes and services, hidden or not, and the hidden IEXPLORER process and the hidden lente service are obvious at a glance (see figure 1 and figure 2), so I disabled the lente service. (Without IceSword it is still no problem: boot into safe mode and search the system32 folder for files named *_hook.dll; this turns up a suspicious en_hook.dll, clearly the Gray Pigeon, and searching the registry for that name leads to the associated service, lente.) Then disable every third-party network-related auto-start program on the NOTEBOOK so that unrelated domain name queries do not muddy the capture, set the lente service to Manual, start the service, and watch the capture on the PC.

Figure 1 (image: http://www.bkjia.com/uploads/allimg/131129/12210KZ9-0.jpg)

Figure 2 (image: http://www.bkjia.com/uploads/allimg/131129/12210IY4-1.jpg)
192.168.1.2 is the IP address of the NOTEBOOK and 202.96.209.6 is its primary domain name server; no secondary server is configured. The PC's IP address is 192.168.1.3, which does not really matter because of the hub: as long as the PC's NIC is up (WinDump puts it into promiscuous mode by default), the NOTEBOOK's traffic is captured regardless of how the PC is addressed.

Capture the NOTEBOOK's domain name query requests to its default domain name server (202.96.209.6) (figure 3):
Figure 3 (image: http://www.bkjia.com/uploads/allimg/131129/12210M526-2.jpg)

Run the following command on the PC:
windump -vvnXi2 src 192.168.1.2 and dst 202.96.209.6
Here -vv asks for more verbose output; -n turns off name resolution, so ports are printed as numbers and addresses as IP addresses rather than host names (important here, because otherwise the capture machine itself would generate DNS queries); -X prints each packet in hex and ASCII, which is how the domain name inside the query becomes readable; -i2 selects interface number 2 (run windump -D to list the interfaces).
The filter src 192.168.1.2 and dst 202.96.209.6 keeps only packets from 192.168.1.2 destined for 202.96.209.6. Adjust it as needed; for example, udp port 53 and host 192.168.1.2 catches DNS traffic between the NOTEBOOK and any server, not just the configured one.

Capture the domain name query responses the NOTEBOOK receives from its default domain name server (202.96.209.6) (figure 4):

Figure 4 (image: http://www.bkjia.com/uploads/allimg/131129/12210MY6-3.jpg)

The capture shows that during startup of the Gray Pigeon service the only name queried at the domain name server is ns1.3322.net. The response tells me that the IP address of ns1.3322.net is 61.177.95.125, and the query type is A, the most common domain-name-to-IP-address lookup. Of course ns1.3322.net cannot itself be the reverse-connection domain name, because it is the primary DNS server of the Xiwang (3322.net) dynamic DNS service. So the Gray Pigeon asks my default DNS server for the address of another DNS server; perhaps it uses that other server to hide its tracks? I stopped the capture on the PC and set it up to capture the traffic between ns1.3322.net and the NOTEBOOK. As expected, I got the following results.

Capture the NOTEBOOK's request to the domain name server ns1.3322.net (figure 5):

Figure 5 (image: http://www.bkjia.com/uploads/allimg/131129/12210II3-4.jpg)

Capture the domain name query response the NOTEBOOK receives from the DNS server ns1.3322.net (figure 6):

Figure 6 (image: http://www.bkjia.com/uploads/allimg/131129/12210MP9-5.jpg)

The query sent to ns1.3322.net shows that the infected NOTEBOOK asked ns1.3322.net for the domain name 65200.huigezi.org with query type MX, the mail exchange record, i.e. the host that mail addressed to someone@65200.huigezi.org would be delivered to. (Note that here the MX target returned is the very same name, 65200.huigezi.org; in general the MX target can be a completely different host. If the MX record pointed to 163.com, that mail would go to the host 163.com.) So we can now clearly see that this Gray Pigeon's reverse-connection domain name is 65200.huigezi.org. I pinged it, and the address was the same IP that IceSword had shown the iexplorer process connected to on port 8000 right after the system started. That confirms the result is correct: the reverse-connection domain name has been obtained.

There is still one technical question. nslookup shows that the domain name server for huigezi.org is ns1.3322.net, but why does the Trojan query ns1.3322.net directly? Normally the domain name server I configured should ask ns1.3322.net, return the result to me, and cache it. I have no idea about this process; my guess is that it is a self-protection measure for the Trojan. If you have a better explanation, let me know. Thank you. (Querying the authoritative server directly does have a concrete benefit for the Trojan: it bypasses the recursive resolver's cache, so a dynamic DNS record with a short TTL is always current, and the query never appears in the ISP resolver's cache or logs. It also means a capture filtered only on the configured resolver, as in the first command above, never sees the real callback name.)

After obtaining the domain name there are many things I could do next, which I will not list one by one (in fact domain name hijacking requires very high technical skill, which I don't have...). But if you are really angry, for example because the other party deleted important files on your hard disk, I can tell you: call 110 and contact the cyber police...
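The two exchanges above were read by eye from WinDump's -X hex dump. As an added example, not part of the original article, the following script parses DNS wire format (header, question, answer, including name compression) and applies the check that actually exposed the callback: a victim sending a query to any server other than its configured resolver. The packets are constructed for this example from the names and addresses in the article (ns1.3322.net, 61.177.95.125, 65200.huigezi.org, 202.96.209.6, 192.168.1.2); the TTL, transaction IDs and MX preference are assumed, and the MX target pointing back at the queried name follows the article's description.

```python
"""Parse DNS messages from a capture and flag queries sent past the configured resolver.

Added example for the article above, not the author's code.  All packets below
are constructed; the names and IP addresses are those reported in the article.
"""
import struct

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def _encode_name(name):
    """Encode a dotted name as DNS labels (used only to build the sample packets)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def _read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                      # caller resumes after the pointer
            jumped, off = True, pointer
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_dns(payload):
    """Return id, response flag, questions [(name, type)] and answers [(name, type, value)]."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(payload, off)
        qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        questions.append((name, QTYPES.get(qtype, str(qtype))))
    for _ in range(an):
        name, off = _read_name(payload, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        if rtype == 1:                             # A: four raw address bytes
            value = ".".join(str(b) for b in rdata)
        elif rtype == 15:                          # MX: preference + exchange name
            pref = struct.unpack("!H", rdata[:2])[0]
            value = "%d %s" % (pref, _read_name(payload, off + 2)[0])
        else:
            value = rdata.hex()
        answers.append((name, QTYPES.get(rtype, str(rtype)), value))
        off += rdlen
    return {"id": txid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


# Constructed packets modelled on the two exchanges in the article (assumed ids/TTL).
HDR_Q, HDR_R = b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00", b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
PKT_Q_A = b"\x12\x34" + HDR_Q + _encode_name("ns1.3322.net") + b"\x00\x01\x00\x01"
PKT_R_A = (b"\x12\x34" + HDR_R + _encode_name("ns1.3322.net") + b"\x00\x01\x00\x01"
           + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04" + bytes([61, 177, 95, 125]))
PKT_Q_MX = b"\xab\xcd" + HDR_Q + _encode_name("65200.huigezi.org") + b"\x00\x0f\x00\x01"
PKT_R_MX = (b"\xab\xcd" + HDR_R + _encode_name("65200.huigezi.org") + b"\x00\x0f\x00\x01"
            + b"\xc0\x0c\x00\x0f\x00\x01\x00\x00\x00\x3c\x00\x04" + b"\x00\x0a\xc0\x0c")

VICTIM, CONFIGURED_RESOLVER = "192.168.1.2", "202.96.209.6"
CAPTURE = [                                        # (src, dst, UDP payload)
    (VICTIM, CONFIGURED_RESOLVER, PKT_Q_A),
    (CONFIGURED_RESOLVER, VICTIM, PKT_R_A),
    (VICTIM, "61.177.95.125", PKT_Q_MX),           # straight to ns1.3322.net
    ("61.177.95.125", VICTIM, PKT_R_MX),
]


def find_callback_candidates(capture, victim, resolver):
    """Names the victim queried at a server other than its resolver, with any captured answer."""
    findings = {}
    for src, dst, payload in capture:
        msg = parse_dns(payload)
        if src == victim and not msg["response"] and dst != resolver:
            for name, qtype in msg["questions"]:
                findings[(name, qtype)] = {"server": dst, "answer": None}
        elif dst == victim and msg["response"]:
            for name, rtype, value in msg["answers"]:
                if (name, rtype) in findings:
                    findings[(name, rtype)]["answer"] = value
    return findings


if __name__ == "__main__":
    for (name, qtype), info in find_callback_candidates(CAPTURE, VICTIM, CONFIGURED_RESOLVER).items():
        print("%s %s queried at %s -> %s" % (qtype, name, info["server"], info["answer"]))
```

The same heuristic generalises beyond this sample: in a real capture, feed it every UDP/53 payload to and from the infected host, and anything returned is a name the host resolved while deliberately avoiding the resolver it was given.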
I ran into a lot of trouble during the capture. For example, if any other program on the NOTEBOOK accessed the network, the terminal output on the PC scrolled past too fast to read at all; saving it to a file was just as dizzying; I rebooted countless times; and so on. I always believe technology can be used flexibly, that innovative ideas matter most, and that they can produce unexpected results. Success or failure, you always gain some experience from trying, and I learned something. (The guy LOVEBOOM [DFCG][FCG][CUG] decompiled the Gray Pigeon client to recover its configuration, including the reverse-connection domain name, which is amazing. If you meet a Trojan, just decompile it -_-. I admire him so much.) In principle, capturing the communication between the victim and the domain name servers works against every Trojan that uses a reverse connection, which is why I do not use reverse-connection Trojans myself; I felt they were insecure long ago. If you have technical questions, you can study and discuss them with me.
Postscript: my Gray Pigeon arrived as bleach000.exe with a JPG image icon (I have since turned off the system option that hides the extensions of known file types, too late). I like heiqi too much.
