Identification System "zombie" Service

Identification System "zombie" Service

Text/image: erratic

After a hacker intrude into a host, in order not to let the zombie fly off, it is often used to plant a Trojan on the zombie, and the trojan is usually in the startup Item or registry, to start with the system, but it is easy to expose yourself. Therefore, hackers have come up with a more sinister approach, that is, replacing a normal system service with a Trojan service. As new users generally do not thoroughly check system services, this may cause long-term control of the host. In this article, we will gain an in-depth understanding of this technology and teach you to find out the trojan service hidden in it.

What is system service?

In Windows 2000/XP/2003, a service is a program, routine, or process that executes a specific system function to support other programs, especially low-layer (close to hardware) programs. When services are provided through the network, services can be published in Active Directory, which facilitates service-centric management and use.
Therefore, if a trojan is started with a service, it is not only concealed, but also more stable and secure.

Hacker's "Let the dead" approach

Although some Trojans are started as services by default, one more service will increase the probability of exposure. Therefore, replacing the system with some services becomes the best choice for Trojan concealment. So how do hackers replace system services?
When it comes to replacing services, we have to mention SC, a famous service management tool that can perform almost all operations on services because of its powerful functions, therefore, it has become a favorite of hackers. Using it to replace system services is simply a piece of cake.
Find target service
To replace a service, you first need to find a target service, which must be a service that is not used by the user, so that the system will not cause problems after the service is replaced. Similar services include ClipBook and clipboard viewer, which are rarely used. Event Log and Log record services are also rarely used to view system logs, in addition, there are many services that we do not need. These are the targets of hacker replacement services.
Set the Service Startup Mode
After finding the target service, you can start it. Take the ClipBook Service as an example. Run SC at the "command prompt" and enter the command "SC qc ClipSrv". "ClipSrv" is the service name. Press enter to view the service information, in the "START_TYPE" column, the parameter is "DEMAND_START", indicating that the Service Startup method is "Manual". If you want to enable a Trojan with the system, you cannot manually, so let's change it to automatic. input the command "SC config clipsrv start = auto" and press enter to set the service to automatic when it is started.
Replace the executable file path
From the qc command of SC, we can know that the executable file path of the ClipBook Service is C: windowssystem32clipsrv.exe. We place the trojan file in the c: windowssystem32 directory, this aims to increase the concealment of Trojan Files. Return to the "command prompt" and enter the command "SC config clipsrv binpath =" c: winntsystem32muma.exe ". After the return, the executable file of the clipbookservice is replaced with muma.exe. We can use the qc command again to confirm. Now, the replacement of the system service is complete. (Figure 1)

Find the replaced System Service

If you don't know much about the service, it doesn't mean you can't do anything about the system service that hackers have replaced. With some security tools, we can still find the replaced service. Find the replaced service. We can use the "super patrol" security tool to install and run its main file. Then, click the Advanced button on the toolbar and switch to the "Service Management" tab, if a service is replaced in the system, a yellow entry will be marked here, so you can see at a glance which services have problems. Find the replaced Service, right-click it, select "Edit service", and change the executable file path back. Finally, do not forget to delete the trojan program hidden in the system.