Rogue software technology: Analysis of rogue software from a technical perspective

Source: Internet
Author: User

In the early days, before rogue software was formally classified as a malicious program, the techniques it used were simple. It typically modified the browser's home page so that, whenever the user opened the browser, it was redirected to an advertising site chosen by the rogue software; or, once installed, it quietly collected user information and sent it out. Later, driven by profit, and with antivirus vendors now officially classifying and removing rogue software as malware, its techniques grew more and more advanced. It is now in open confrontation with antivirus software, and the contest between the two is increasingly fierce.
Understanding the techniques they use gives a much clearer picture of them. The following are the classic techniques used by rogue software.
Sneaking in: the hiding techniques of rogue software
Hiding is in the nature of rogue software, just as it is a defining feature of viruses. Every rogue program wants to stay unnoticed on the user's computer, and the hiding techniques were developed for exactly that purpose.
First, hiding the window. In Windows, programs present themselves to the user through windows, and each window has properties. Since the rogue software's goal is not to be noticed, it sets its window to invisible while running (or never creates one at all), so the user sees no program window.
However, whether or not a window is visible, the system still executes the program as a process. Even a moderately skilled user who cannot see a window can open Task Manager and spot the process the program created, which exposes the rogue software. Hence process-hiding techniques appeared.
The classic process-hiding trick calls an undocumented Microsoft function (RegisterServiceProcess in kernel32.dll on Windows 95/98/Me) to register the rogue program as a "service process". Processes registered this way were left out of the Close Program list shown by Ctrl+Alt+Del, so the program became invisible to the one tool most users knew. The caveat is that this only works on the Windows 9x line: on Windows NT-based systems (2000/XP and later) the function does not exist and Task Manager lists every process, which is why later rogue software moved on to the injection and rootkit techniques described below.
Careful users also become suspicious when new files appear on their computer, so rogue software authors use file hiding. During installation the program copies itself into the system directory and sets the file's Hidden attribute (often together with the System attribute, which Explorer hides under a separate "Hide protected operating system files" setting). With the default system settings, such files are simply not shown.
These are only the basic hiding techniques. A user familiar with the system can use the tools it provides to find traces of such software, or install a personal firewall that raises an alert the moment a program accesses the network, revealing the rogue software's whereabouts.
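The checks a practitioner would run against the two basic tricks above, as an added example that is not part of the original article: files carrying the Hidden attribute that were written recently, and processes that have no visible window yet run from outside the usual Windows and Program Files locations. It assumes Windows PowerShell 5.1 or later in an elevated session; the directory list and the seven-day window are arbitrary choices for illustration.

```powershell
# Added example (not from the original article). Assumptions: Windows
# PowerShell 5.1+, elevated; $dirs and the 7-day window are illustrative.

$since = (Get-Date).AddDays(-7)
$dirs  = @("$env:SystemRoot", "$env:SystemRoot\System32", "$env:ProgramData", "$env:TEMP")

# 1. Files with the Hidden attribute (not shown by Explorer's defaults) that
#    were written recently. Many legitimate system files are Hidden too, so the
#    Authenticode status is listed to help separate them from fresh drops.
Write-Host "== Recently written hidden files =="
Get-ChildItem -Path $dirs -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and $_.LastWriteTime -gt $since } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Path       = $_.FullName
            Attributes = $_.Attributes
            LastWrite  = $_.LastWriteTime
            Signature  = $sig.Status
        }
    } | Format-Table -AutoSize | Out-Host

# 2. Processes with no main window whose image is outside the trusted roots.
#    Services and background tasks have no window either, so this is a triage
#    list, not a verdict.
Write-Host "== Windowless processes running from unusual paths =="
$trusted = @("$env:SystemRoot\*", "$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*")
Get-Process |
    Where-Object { $_.Path -and $_.MainWindowHandle -eq 0 } |
    Where-Object {
        $p = $_.Path
        -not ($trusted | Where-Object { $p -like $_ })
    } |
    Select-Object Id, ProcessName, Path |
    Format-Table -AutoSize | Out-Host
```

Treat an entry on either list as something to look at, not as proof: an unsigned, recently written hidden DLL in a temp folder is far more interesting than a signed one in System32.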
Inside you: the thread injection technique of rogue software
To hide itself better, rogue software began to use thread injection (remote-thread DLL injection, usually called "thread insertion" in Chinese-language material) on a large scale.
As described above, when a program enters the system it first exists as a file. When that file runs, a process is created in memory (and usually a window). A process is an activated program file, and a process in turn runs many threads.
A thread is the parallel-execution mechanism Windows provides to programs: one program can run several threads at the same time, each doing different work. In addition, to improve code reuse and avoid redeveloping the same functionality over and over, Windows uses the dynamic link library (DLL) mechanism. Commonly needed routines are placed in DLL files; a program does not need to contain that code itself, it simply loads the DLL at run time and calls into it. Every executable therefore consists of its own code plus many external modules, and any memory or process viewer shows that each application has a large number of DLLs loaded.
Rogue software exploits this. Its executable code is packaged not as an EXE but as a DLL, stored somewhere in the system and loaded by some executable program.
The rogue approach is to load the DLL file into memory and insert it into the address space of another process by creating a remote thread in that process (the "thread insertion"; the classic form is a remote thread that calls LoadLibrary on the rogue DLL). Typically, rogue software that wants to control the browser injects its DLL into the browser's process space, so the rogue code runs automatically whenever the browser runs.
Because the browser itself loads a large number of DLLs, even with a third-party process viewer it is hard to tell which DLL belongs to the rogue software. And because the injected code now lives inside the memory space of a legitimate program, a personal firewall only sees the browser accessing the network and does not block it, so the rogue software can come and go on the user's computer as it pleases.
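An added example, not code from the original article, of the module audit a practitioner uses to answer "which of these DLLs does not belong here": it lists every module loaded in the running browser and flags those that come from an unusual directory or lack a valid Authenticode signature. It assumes Windows PowerShell 5.1 or later, run elevated and with the same bitness as the target process (a mismatch yields an error or an incomplete module list); `$target` is an arbitrary choice naming the browser to inspect.

```powershell
# Added example (not from the original article). Assumptions: Windows
# PowerShell 5.1+, elevated, same bitness as the target; $target is arbitrary.

$target  = 'iexplore'
$trusted = @("$env:SystemRoot\*", "$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*")

$procs = Get-Process -Name $target -ErrorAction SilentlyContinue
if (-not $procs) { Write-Warning "No process named '$target' is running"; return }

$findings = foreach ($proc in $procs) {
    foreach ($mod in $proc.Modules) {
        $path      = $mod.FileName
        $inTrusted = [bool]($trusted | Where-Object { $path -like $_ })
        $sig       = Get-AuthenticodeSignature -FilePath $path
        $publisher = ''
        if ($sig.SignerCertificate) { $publisher = $sig.SignerCertificate.Subject }

        # Two independent warning signs: loaded from outside the usual program
        # directories, or carrying no valid Authenticode signature.
        if (-not $inTrusted -or $sig.Status -ne 'Valid') {
            [PSCustomObject]@{
                PID        = $proc.Id
                Module     = $path
                TrustedDir = $inTrusted
                Signature  = $sig.Status
                Publisher  = $publisher
            }
        }
    }
}

$findings | Sort-Object Module -Unique | Format-Table -AutoSize
```

Run it once on a clean machine to learn the browser's normal baseline, because plug-ins and input-method DLLs legitimately load from Program Files and are not always signed; the interesting hit is the unsigned DLL loaded from a temp, user-profile or Recycle Bin path. Note that this view is only as honest as the API it relies on, which is the weakness the next section is about.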
Vanishing act: the rootkit technique of rogue software
Thread injection is hard for ordinary users to deal with or clean up by hand, but it is simple work for antivirus software. To survive antivirus scans, the "experts" of rogue software introduced rootkit techniques.
Originally, rootkit is a concept from the Unix world (including Linux): a set of tools that hide in the system transparently while holding the highest (root) privileges. Virus writers later borrowed the idea. In the virus context, rootkit technique means bypassing the operating system's documented API, using lower-level calls directly, and taking over the high-level API calls the system offers, so that when a program tries to find the rogue software's processes, files or registry keys, the hooked API returns falsified results and the software stays hidden. Because antivirus software at the time scanned by calling the standard system API, a virus using this technique escaped it easily, which is why rogue software has increasingly adopted this method to protect itself.
However, antivirus software has in turn begun to bypass the API as well, using lower-level access of its own (reading disk and kernel structures directly and comparing the result with what the API reports) to counter this technique.
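A simple "cross-view" comparison of the kind just described, as an added example that is not part of the original article. It takes the process list through three different paths (the .NET Process class in the current shell, the WMI provider host, and the external tasklist.exe) and reports any process ID that one view is missing. It assumes Windows PowerShell 5.1 or later, run elevated. The caveat matters: a user-mode rootkit that hooks enumeration only in some processes shows up as a mismatch, while a kernel rootkit that filters every view does not and needs an offline disk or memory examination instead.

```powershell
# Added example (not from the original article). Assumptions: Windows
# PowerShell 5.1+, elevated. Detects inconsistent user-mode hiding only.

function Get-ProcessViews {
    # View 1: the .NET Process class inside this shell (NtQuerySystemInformation)
    $viaApi = @(Get-Process | Select-Object -ExpandProperty Id)
    # View 2: WMI/CIM, answered by the WMI provider host, a separate process
    $viaCim = @(Get-CimInstance -ClassName Win32_Process | Select-Object -ExpandProperty ProcessId)
    # View 3: tasklist.exe, another separate process with its own enumeration
    $viaTasklist = @(tasklist.exe /FO CSV /NH |
        Where-Object { $_ -match '^"' } |
        ConvertFrom-Csv -Header Name, PID, Session, SessNum, Mem |
        ForEach-Object { [int]$_.PID })
    [PSCustomObject]@{ Api = $viaApi; Cim = $viaCim; Tasklist = $viaTasklist }
}

function Compare-ProcessViews {
    param($Views)
    $all = ($Views.Api + $Views.Cim + $Views.Tasklist) | Sort-Object -Unique
    foreach ($id in $all) {
        $inApi = $Views.Api -contains $id
        $inCim = $Views.Cim -contains $id
        $inTl  = $Views.Tasklist -contains $id
        if (-not ($inApi -and $inCim -and $inTl)) {
            [PSCustomObject]@{ PID = $id; GetProcess = $inApi; CIM = $inCim; Tasklist = $inTl }
        }
    }
}

# Processes that start or exit between the three snapshots also appear as
# mismatches, so sample twice and keep only PIDs reported both times.
$first  = Compare-ProcessViews (Get-ProcessViews)
Start-Sleep -Seconds 2
$second = Compare-ProcessViews (Get-ProcessViews)
$persistent = $first | Where-Object { $_.PID -in $second.PID }

if ($persistent) { $persistent | Format-Table -AutoSize } else { 'All three views agree.' }
```

A PID that tasklist.exe and WMI both report but Get-Process does not is the signature of something hooking enumeration inside the shell's own process; a PID visible only to one view is worth the same attention. Agreement among all three proves nothing against a kernel-level rootkit.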
Zombie: the fragment technique of rogue software
Rogue software is rogue because there is a great deal of money in it, and for that money it becomes ever more rogue. At present most rogue software adopts a popular technique, the fragment technique. The idea is simple: on entering the user's system it drops several fragment files, some identical and some different, not only in the system directory and the root of some drives but also hidden inside other software's directories, temporary folders, and even the Recycle Bin.
These files protect one another. When one is deleted, the other fragments restore it. As long as a single fragment file remains in the system and can be activated, it downloads an update the next time the user connects to the network and rebuilds the complete rogue software. Once updated, the new rogue software deletes the old fragments and generates new ones, which lets it escape detection and removal by antivirus software to some extent.
Some rogue software has dozens of file fragments, which makes manual cleanup almost impossible, and even antivirus software may fail to identify every one of the dozens of fragment variants, so removal can fail; and even if only one fragment survives, the rogue software can keep doing harm by updating itself and downloading further zombie programs.
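An added example, not part of the original article, of the hunt a practitioner runs for the "identical fragments" case: it hashes executable-looking files in the locations named above and reports any content that exists as two or more copies in different directories. It assumes Windows PowerShell 5.1 or later, run elevated; the scan roots, the depth limit and the extension filter are illustrative choices.

```powershell
# Added example (not from the original article). Assumptions: Windows
# PowerShell 5.1+, elevated; $roots, -Depth and $exts are illustrative.

$roots = @(
    "$env:SystemRoot",
    "$env:SystemRoot\System32",
    "$env:ProgramData",
    "$env:TEMP",
    (Join-Path $env:SystemDrive '$Recycle.Bin'),
    (Join-Path $env:SystemDrive 'Program Files')
)
$exts = '.exe', '.dll', '.sys', '.dat', '.tmp'

# -Force includes Hidden/System files; -Depth keeps the scan bounded.
$candidates = Get-ChildItem -Path $roots -File -Force -Recurse -Depth 2 -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in $exts -and $_.Length -gt 0 }

# Group by content hash: the same SHA-256 in two or more different directories
# is the "identical fragments" pattern. Legitimate duplicates exist too
# (redistributable DLLs shipped by several products), so inspect before deleting.
$candidates | Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
    Group-Object -Property Hash |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $dirs = $_.Group.Path | Split-Path -Parent | Sort-Object -Unique
        if ($dirs.Count -gt 1) {
            [PSCustomObject]@{
                Hash   = $_.Name.Substring(0, 16)
                Copies = $_.Count
                Paths  = ($_.Group.Path -join "`n        ")
            }
        }
    } | Format-List
```

Fragments that differ from one another will not group by hash; for those, the signals are the ones from the earlier sections (Hidden attribute, no signature, unusual directory). Because the surviving fragments re-create deleted ones, delete all copies in one pass with the network disconnected, then rerun the scan.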
These are the most widely used techniques of rogue software. Of course, as the confrontation with antivirus software continues, rogue software adopts ever lower-level techniques; some authors have begun writing themselves into firmware and spreading through the BIOS. As rogue software develops, manual cleanup becomes less and less feasible, and people will rely more and more on dedicated rogue software removal tools.
Eight major symptoms of rogue software
1. Forced installation: it installs automatically without the user's permission, or tricks the user into installing it without a clear prompt.
2. Cannot be uninstalled: it provides no proper uninstaller, or the uninstallation fails when the user tries to remove it.
3. Pop-up advertising: advertising windows pop up frequently while the user is online, disrupting normal use of the computer.
4. Home page hijacking: the browser's default home page is changed without the user's consent.
5. Browser modification: unwanted buttons are added to the toolbar, unauthorized entries appear in the browser's address bar, and menus are added automatically.
6. Resource consumption: it consumes a large share of CPU time and the system becomes slower and slower.
7. Browser crashes: because the rogue software is loaded inside the browser, the browser often crashes for no apparent reason.
8. Interference with security software: it routinely interferes with the normal operation of antivirus software, causing unexplained errors in it, so that the rogue software can survive longer.
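Symptoms 4 and 5 leave traces in the registry, and reading them is faster than guessing. The following is an added example, not part of the original article, that prints the Internet Explorer home page settings and every registered Browser Helper Object together with the DLL it loads and that DLL's signature status. It assumes Windows PowerShell 5.1 or later, run elevated; the registry paths are the standard Internet Explorer locations, including the 32-bit (Wow6432Node) view on 64-bit systems.

```powershell
# Added example (not from the original article). Assumptions: Windows
# PowerShell 5.1+, elevated; targets Internet Explorer's settings.

# Home page and search settings, per user and machine default
$ieMain = 'Software\Microsoft\Internet Explorer\Main'
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = Join-Path $hive $ieMain
    if (Test-Path $key) {
        Get-ItemProperty -Path $key |
            Select-Object @{ n = 'Hive'; e = { $hive } }, 'Start Page', 'Default_Page_URL', 'Search Page' |
            Format-List
    }
}

# Browser Helper Objects: each subkey is a CLSID; the DLL the browser loads is
# the default value of that CLSID's InprocServer32 key.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
    'HKCU:\Software\Classes\CLSID'
)

foreach ($bhoKey in $bhoKeys) {
    if (-not (Test-Path $bhoKey)) { continue }
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid = $sub.PSChildName
        $dll = $null; $name = $null
        foreach ($root in $clsidRoots) {
            $srv = Join-Path $root "$clsid\InprocServer32"
            if (Test-Path $srv) {
                $dll  = (Get-ItemProperty -Path $srv).'(default)'
                $name = (Get-ItemProperty -Path (Join-Path $root $clsid)).'(default)'
                break
            }
        }
        $sigStatus = 'file not found'
        if ($dll) {
            $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
            if (Test-Path $dllPath) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $dllPath).Status
            }
        }
        [PSCustomObject]@{ CLSID = $clsid; Name = $name; Dll = $dll; Signature = $sigStatus }
    }
}
```

A BHO whose DLL sits in a temp or profile directory, is unsigned, or has no readable name is the usual culprit behind an unexplained toolbar or redirected home page; a BHO entry whose DLL no longer exists is leftover from a partial cleanup and still worth removing.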

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.