Installation Package GHOST: in-depth analysis of the stealth means of rogue promoters and Trojans

Source: Internet
Author: User


I. Sample Information
Virus Type: Rogue promotion Trojan
File Name: setup_15.11.5.3.exe
MD5: 691e97d3f69fda172cf4c78d5c202069
File Size: 5,914,624 Bytes
Packer: None
Development tools: Easy language
II. Introduction to viruses
Recently, the Chengdu 360 anti-virus team detected a batch of installation-package viruses distributed through an official download site. This type of virus uses a series of techniques to evade and interfere with security vendors, and at present many domestic anti-virus products fail to detect and remove it. We therefore analyzed these installation packages in detail and remind security vendors to strengthen their detection.
These installation-package viruses mainly pose as installers for games, media players and utilities. Our analysis shows that the virus author bundles a trojan program with a normal installation package into a pseudo installation package in order to induce the user to run it. The virus sample information is as follows:

Figure 1 virus file of the installation package
We took a closer look at the pseudo-installation package named "setup_15.11.5.3.exe". The virus appends random data to the file it drops in order to interfere with the cloud scanning of anti-virus software, and the virus body is replaced after it has executed, so the original file is no longer started. In this way the virus hides itself from the user and hampers detection and removal by anti-virus software. The related virus modules are as follows:

Figure 2 virus Module
Complete execution process of the installation-package virus:

Figure 3 virus Flowchart
III. Detailed Analysis
1. Virus installation package
When the installer drops the virus clmanager.exe, it generates a random number and appends it to the end of the file. This makes the MD5 of every dropped copy different from the others and interferes with cloud-based scanning and removal.

Figure 4 random number generation
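The random tail defeats detection keyed on the whole-file MD5, but it does not touch the PE image itself: every byte after the last section is overlay. The script below is an added example (not code from the 360 analysis or from the sample) that parses only the DOS header, COFF header and section table to find where the image ends, then hashes the image and the overlay separately. The tiny single-section PE it builds is constructed so the example runs offline; it stands in for clmanager.exe and is not executable.

```python
"""Overlay-aware hashing: separate the PE image from data appended after its last section.

Added example; the tiny PE built below is constructed so the script runs offline and is
not the real clmanager.exe. Only the DOS header, COFF header and section table are
parsed, which is all that is needed to locate where the image ends.
"""
import hashlib
import struct


def pe_image_end(data: bytes) -> int:
    """Offset just past the last byte any section header claims; anything after it is overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]   # COFF NumberOfSections
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]      # COFF SizeOfOptionalHeader
    sec_table = e_lfanew + 24 + size_opt
    end = sec_table + 40 * num_sections          # at least the headers themselves
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offset 16 of each 40-byte section header
        size_raw, ptr_raw = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(data))                   # tolerate truncated files


def overlay_info(data: bytes) -> dict:
    """Hash the image and the overlay separately; image_md5 stays stable across dropped copies."""
    end = pe_image_end(data)
    return {
        "image_end": end,
        "overlay_size": len(data) - end,
        "full_md5": hashlib.md5(data).hexdigest(),          # changes with every random tail
        "image_md5": hashlib.md5(data[:end]).hexdigest(),   # identical for all copies
    }


def build_minimal_pe(section_data: bytes) -> bytes:
    """Constructed single-section PE32 layout (headers only, not runnable as a program)."""
    file_align = 0x200
    raw_size = -(-len(section_data) // file_align) * file_align   # round up to FileAlignment
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                          raw_size, file_align, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(file_align, b"\0")
    return headers + section_data.ljust(raw_size, b"\0")


if __name__ == "__main__":
    import os
    base = build_minimal_pe(b"constructed section payload")
    for _ in range(2):
        dropped = base + os.urandom(16)   # mimics the random tail appended by the dropper
        print(overlay_info(dropped))
```

Two dropped copies print different full_md5 values but the same image_md5, which is the value worth clustering on. Note that a pseudo-installer which bundles a legitimate installer may carry a large legitimate overlay (installer payloads commonly live there), so overlay presence alone is not evidence of anything; the useful signal is an image hash that repeats across files whose whole-file hashes never do.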
2. CLManager.exe
Once started, the virus decrypts 1.dll in memory and executes it. 1.dll is mainly responsible for connecting to the network, fetching a configuration file from the cloud and decrypting it to obtain the URL hao123.030000.cc/666.jpg, which points to a jpg file.

Figure 5 download link obtained from the cloud
After downloading the jpg file, the virus extracts its xger.dll module from it and loads it for execution.
3. xger.dll
To better interfere with detection and hide itself, xger.dll replaces clmanager.exe once it has been loaded:

Figure 6 replaced clmanager.exe
Function thread 1:
Thread 1 checks the user's execution environment and determines, from the process name, whether the DLL is running inside the packaged virus body; if not, it exits.

Figure 7 check whether the parent process name is valid
Xger also checks the computer name: if it contains "COMPUTER" and "KS-", the program exits:

Figure 8 check whether the computer name is valid
Once these checks of the running environment pass, the virus starts collecting system information, information about installed anti-virus software and whether the machine is in an Internet cafe, and uploads it to the remote server http://hao123.5ama.com/test8.asp?Number=ddd.
Function thread 2:
Thread 2 examines the computer's environment further, mainly whether the user has 360 installed and whether the machine is in an Internet cafe.
It checks for the process names ZhuDongFangYu and 360SD to determine whether 360 Safeguard and 360 Antivirus are running:

Figure 9 detection 360
It looks for the process names wanxiang, yaoqianshu and pubwin to determine whether the program is running in an Internet cafe:

Figure 10 Internet cafe environment judgment
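The environment checks in threads 1 and 2 leave fixed strings in the module: the anti-virus and Internet-cafe process names, the computer-name fragments and the reporting URLs named above. The following is an added example (not code from the 360 analysis) of a static scan for those indicators over a dumped module. Easy Language and Win32 code may hold such strings either as ANSI or as UTF-16LE, so both byte forms are searched case-insensitively; the sample buffer is constructed inline and is not data from the real sample.

```python
"""Static indicator scan for the xger.dll environment checks.

Added example. The indicator strings are the process names, computer-name fragments
and URLs named in the analysis; the sample buffer is constructed and is not a dump of
the real module.
"""

INDICATORS = {
    "av_process_check": ["ZhuDongFangYu", "360SD"],
    "internet_cafe_check": ["wanxiang", "yaoqianshu", "pubwin"],
    "computer_name_check": ["COMPUTER", "KS-"],
    "network_report": ["hao123.5ama.com/test8.asp", "hao123.030000.cc/666.jpg"],
}


def _encodings(s: str):
    """ANSI and UTF-16LE byte forms of an indicator, lower-cased for case-insensitive matching."""
    return (s.encode("ascii").lower(), s.encode("utf-16-le").lower())


def scan(data: bytes) -> dict:
    """Return {category: [matched indicators]} for every indicator family found in data."""
    # bytes.lower() only touches ASCII letters, so the NUL bytes of UTF-16LE text survive
    haystack = data.lower()
    hits = {}
    for category, needles in INDICATORS.items():
        matched = [n for n in needles if any(e in haystack for e in _encodings(n))]
        if matched:
            hits[category] = matched
    return hits


def verdict(hits: dict) -> str:
    """Two or more independent check families co-occurring is the xger pattern."""
    return "suspicious" if len(hits) >= 2 else "clean"


# Constructed sample buffer mixing encodings, standing in for a dumped module.
SAMPLE = (
    b"\x00" * 16
    + "ZhuDongFangYu".encode("utf-16-le")   # wide string, as a process-name comparison would hold it
    + b"\x00\x00"
    + b"pubwin.exe"                          # ANSI string
    + b"\x00"
    + b"http://hao123.5ama.com/test8.asp?Number=ddd"
)

if __name__ == "__main__":
    hits = scan(SAMPLE)
    print(hits, verdict(hits))
```

"COMPUTER" on its own is a generic word and will match many benign binaries, which is why the verdict requires more than one indicator family rather than any single string; in practice the process-name family plus the reporting URL is the pairing that identifies this module.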
After the environment has been detected, thread 2 carries out promotion according to whether 360 is present and whether the machine is in an Internet cafe:

Figure 11 promotion by Environment
Notably, when the user is not in an Internet cafe and does not have 360 installed, xger goes on to download further virus modules for execution:

Figure 12 download the virus submodule
Function thread 3:
Thread 3 checks whether anti-virus software is installed in the system and attempts to forcibly disrupt it:

Figure 13 virus detects anti-virus processes
At the same time, thread 3 deletes Start Menu entries, desktop shortcuts and uninstallers for certain software. Presumably this is to prevent the promoted software from being uninstalled and to hide the promoted software itself.

Figure 14 virus deleted content
4. lua51.dll
When the host program runs, lua51.dll is loaded and executed.
After lua51.dll starts, it drops the benign ("white") file kzmount.exe together with the malicious chs_lang.dll, and adds kzmount.exe to the system startup items.

Figure 15 other virus modules released by lua51
When the system starts, kzmount.exe runs automatically and brings up chs_lang.dll with it. chs_lang.dll then creates a svchost.exe process and injects code into it, so that the code runs inside the svchost.exe process.

Figure 16 executing a puppet svchost
5. abc.jpg
The virus extracts its core code from the abc.jpg module and injects it into the svchost process for execution.
The puppet svchost then promotes Baidu Browser:

Figure 17 download and install Baidu Browser
After that, the virus terminates the browser process the system has already started and launches Baidu Browser with promotion parameters; if that launch fails, it starts a new IE browser process with the promotion parameters instead, achieving the promotion goal either way.
Finally, the virus uses the xger module to report the promotion result and deletes the local uninstallers and shortcuts to hide itself.
IV. Preventive suggestions
1. Download and install software from the official website or other secure and reliable channels.
2. If the computer shows anomalies such as unfamiliar software installing itself or the home page being tampered with, scan for and remove trojans promptly.
3. Keep professional security software enabled, and do not turn it off because a trojan-distributing website tells you to.
