Restless chess and card games

Restless chess and card games
Preface

Games have gradually penetrated into our lives, and game Trojans have gradually penetrated into our lives. Various Trojans are waiting for us to click. Then we steal our data, our equipment, and our money. Trojans for card and board games are also a wave after wave. This article will reveal the Trojan horse spread by card and board games. Only by recognizing how this trojan steals our data information can we fundamentally prevent it.

0x00 self disguise

The trojan author adopts the bidding ranking promotion to make the fake Game Center webpage appear in the front of the search results (in general, we will think that the first place is the official website, however, these fake game center web pages are often the first few false. Although the website is followed by real-name authentication, it reminds users that real-name authentication is not always correct when using search .) The trojan author also highly imitates the official website to create a fake address,

Figure 1

0x01 audio/video

The overall page layout of the website with a Trojan Horse is the same as that of the official website in terms of visual effects. We can easily make a move without looking at it.

Figure 2

0x02 self-hiding

After analysis and comparison, it is found that the installation package downloaded from a non-official website has complete functions and has not changed anything except a dll. The program has all the functions of the normal program. The trojan author renamed the original WHSocket. dll file oriWHSocket. dll and named its own dll with malicious behaviors as WHSocket.

The trojan file WHSocket exports the same function as the original WHSocket, so that the game with a Trojan can be the same as the game downloaded from the official website. Figure 4 also shows the WHSocket. dll hijacking method.

0x03 WHSocket. dll Analysis

1. Shelling Protection

The trojan is started by hijacking the normal WHSocket. dll program in the game center of the official website. The original file is only 28kb in the original installation package, but the size of the original installation package with the trojan is 1.9 MB. The analysis found that the author wrote a shell to add to the file. The purpose here is to escape anti-virus detection and removal.

2. Obtain QQ number information

The dll obtains a string with the QQ account ID in the format of "qqexchangewnd_shortcut_prefix_QQ" by obtaining the unique class name "QQ". After obtaining the string, the trojan author takes "prefix _" as the boundary and obtains the QQ number through string copying.

The following shows why we can get our QQ number through the "5b383838f5-0c81-46d9-a4c0-6ea28ca3e942" class. This is because the title is "Publish success ".

The following code shows how to obtain the QQ number.

3. Obtain the Internet address of the controlled Terminal

It can be seen that the trojan author transmits data by establishing a TCP connection.

The trojan author writes the server address of the received data into a malicious dll in hexadecimal format, and obtains the server address through the hexadecimal data conversion string.

Then, you can interact with the server to obtain the Internet IP address of the controlled end.

4. Get the game user name and password

You can check the game homepage class "88w.game" to determine whether the user name we entered is valid. If a malicious dll is found on the game's main interface, the user's game account and password will be sent. If no game interface is found, the user will not be sent.

 

The trojan author uses the keyboard record to obtain the user name and password we entered.

Capture packets to the Internet address of the recipient and our user name and password. (O (Clerk □clerk) o, but the password is plain text)

6. Remote Control

Establish with remote control

Connect to Remote Desktop

0x04 Summary

Card and board games are more than 88369 Trojans, and many similar games have been processed by the same or similar means, for example, we have published an article about the collection number game, as well as Chen long game, fighting landlords, Three Kingdoms horse racing, Hong Kong-style five, killing Niu, fishing talents, and other games. Most of these dll hijacking methods are used to obtain the user name, password, and backdoor functions of game players. With a backdoor, he wants to do a lot of things.

0x05 Preventive Measures

1. When you click a website address, if it is intercepted by 360, there is a problem with that website. Users must be cautious. Unless you are particularly familiar with that website. Otherwise, do not easily continue accessing and downloading the above items

2. Before selecting download from the search page, check whether the website is abnormal. Whether it is a disguised website. Generally, malicious game URLs are registered and seemingly desired URLs on the official website. For example, you can write game as a qame or ganne. There must be a problem with such a website. Users should pay special attention when downloading it.

3. When selecting a game, we try to choose a game from a large manufacturer. Such game security is relatively more secure, and the official websites of large manufacturers are not easily squeezed out by malicious game websites. This ensures the security of the game source.

4. In many cases, we do not know if we have been planted with Trojans. Therefore, we 'd better use 360 security guard to operate on our computers from time to time.