Rootkit Trojan: hiding the peak of Technological Development

Rootkit Trojan: hiding the peak of Technological Development

Since the "ghost of the World" pioneered the DLL Trojan age, the DLL Trojan and malicious programs used for thread injection have

It can be seen everywhere that apart from the widely used DLL loader program to run and load the DLL entity in the startup item, the "cover letter" also includes

It is a rare way to pass through the registry.
The "HKEY_LOCAL_MACHINE/software/Microsoft/WindowsNT/CurrentVersion/Windows/appinit_dlls" project loads the startup method of its own DLL. Compared with the previous methods, now there is a kind of Trojan program that directly uses the system service to start itself, which is really difficult!

"Service" is a core part of the Windows system. In the NT architecture system, a service refers to a program, routine, or process that executes the functions of the specified system to support other programs, especially underlying (close to hardware) programs. When services are provided through the network, services can be published in Active Directory, which facilitates service-centric management and use. A service is an application type that runs in the background. Service applications can provide users with functions locally and over the network, such as client/server applications, Web servers, database servers, and other server-based applications. The "service" itself is also a program. Because of its different fields and functions, the Service Program also has two forms: EXE and DLL. The service in the form of DLL is because dll can implement hook, this is a data exchange behavior required by some services, and the ntsung system executes the DLL loading process using a program called "svchost.exe". All service DLL files are loaded to the memory by this program according to specific groups. However, nowadays, more and more virus writers are accessing the system's built-in loaders, because they can never be killed.

The virus author writes the trojan subject as a service DLL module file that complies with the specifications of the Microsoft development documentation, then puts the trojan dll in the system directory through an installer, and in the Service Manager (SCM) register itself as one of the service DLL components loaded through svchost.exe. In order to improve concealment, the virus author even directly replaces some of the less important and enabled service loading code by default, for example, "Distributed Link Tracking Client", its default start command is "svchost-K netsvcs". If a virus replaces the start command with its own group "netsvsc ", that is, "svchost-K netsvsc". In this kind of social engineering offensive, even users with general drug detection experience cannot detect problems from service items in the first time, as a result, the virus successfully escaped from various types of detection and removal.

The advertisement program of Taobao is a typical example. It replaces the svchost startup Item of the "Distributed Link Tracking Client" service to survive normal manual detection and removal, and it is also a virus download tool, once the system is infected with this malicious program, various Trojans may come to your server.

To clean up DLL Trojans, you must use the "Find handle or DLL" function of the third-party process management tool "process Explorer" produced by sysinternals, you can quickly search for and terminate the information of the process attached to a DLL, so that the DLL can be successfully deleted after it loses its carrier. In order to avoid conflicts with the system DLL file name of the DLL Trojan, generally, they don't get too professional, and even have "safaf. DLL and EST. DLL, or a file name that does not appear in some systems, such as "kernel. DLL, rundll32.dll, etc. Besides
In addition to process explorer, you can also use icesword to forcibly uninstall the DLL module in a process to achieve the effect.
For service-oriented DLL, we still use "process Explorer" for scanning and killing. Because of its hierarchical structure, users can intuitively see the startup contact of the process, if a machine is infected with a stubborn trojan that cannot be killed, the first thing experienced users can do is to disable irrelevant or unimportant programs and services during startup, then, we can use process assumerole to observe the progress of each process. Although the DLL Trojan started by svchost.exe is tricky, when it releases the EXE file and runs it, everything is exposed: An svchost.exeservice executes an ad1.exe. Is it more obvious than this?

The svchost group information is located in the "HKEY_LOCAL_MACHINE/software/Microsoft/Windows NT/CurrentVersion/svchost" project in the registry. This is the group basis for svchost to load DLL, if you find a strange group information, you must be vigilant.

Hiding the peak of technological development: rootkit Trojan

With the development of security technology and the improvement of computer user base technology, the general Trojan and backdoor are becoming increasingly difficult to survive. Therefore, some capable webshell authors are focusing on the underlying system-RING 0. The system core module and various driver modules are located on the Ring 0 layer. Therefore, Trojans located on this layer also survive in the form of drivers, rather than general exe. The author of the backdoor writes the backdoor into a driver module that complies with the WDM specification (Windows Driver Model), and adds the driver module to the Registry to load the entry, thus achieving "no startup Item" operation. Generally, process viewers can only enumerate information about Executable File EXE, so that the backdoor program combined with the driver module and execution file can survive because it runs at the ring 0 level, it has the same level of permissions as the system core, so it can more easily hide itself, whether it is process information, file body, or even communication ports and traffic can also be hidden, in the face of such powerful hiding technology, whether it is the task manager, the System Configuration Utility, or even the built-in registry tool, the effect is lost. This Trojan is a color-changing rootkit.
To understand the principles of rootkit Trojans, we must start with the system principles. We know that the operating system consists of the kernel and shell, the kernel is responsible for all real work, including CPU task scheduling, Memory Allocation Management, device management, and file operations. The shell is an interface based on the interaction functions provided by the kernel, it is responsible for instruction delivery and interpretation. Because the kernel and the shell are responsible for different tasks and their processing environments are also different, the processor provides multiple different processing environments called the running level (ring ), the ring reduces the number of computer resources that can be accessed by program commands step by step to protect computers from Accidental damages-the kernel runs at the ring 0 level and has the most complete and lowest-level management functions, in the shell, it can only have three levels of ring, which has very few functions. Almost all commands need to be passed to the kernel to determine whether to execute them, once a command transmission that may cause damage to the system (for example, memory read/write beyond the specified range) is found, the kernel returns an "unauthorized" flag, the program that sends this command may be terminated, which is the source of most common "illegal operations". The purpose of this operation is to protect the computer from being damaged, if the operating level of the shell is the same as that of the kernel, a casual click may damage the entire system.

Due to the existence of the ring, except for programs loaded by the system kernel, the general programs called by the shell can only run at the Ring Level 3, that is, all their operation commands depend on Kernel authorization. General process viewing tools and anti-virus software are no exception. Due to the existence of this mechanism, the process we can see is actually "seen" in the kernel and commands through the relevant interfaces (remember the API ?) Feedback to the application, so that there is an inevitable data channel. Although it is difficult to be tampered with in general, it cannot avoid unexpected occurrence, rootkit is an unexpected program like "Manufacturing. Simply put, rootkit is essentially an application that is "Beyond authorization". It tries to make itself run at the same level as the kernel, or even enter the kernel space, in this way, it has the same access permissions as the kernel, so it can modify the kernel commands. The most common is to modify the API of the kernel enumeration process, let the data they return always "miss" the information of the rootkit's own process. The general process tool will naturally "see" the rootkit. More advanced rootkit also tamper with more APIs, so that users cannot see the process (process API is blocked) or files (file read/write API is blocked ), the opened port is invisible (the sock API of the network component is blocked), and the related network packets are not blocked (the ndis api of the network component is blocked, the system we use runs with the support of kernel functions. If the kernel becomes untrusted, can the programs that depend on it run trust it?
However, even rootkit, a type of horrible parasite, is not invincible. You must know that, since rootkit uses the kernel to cooperate with Ring 0, so we can also use the "unauthorized" check program to bypass the data provided by the API and directly read the process list from the kernel field, because it is impossible for all processes to hide themselves here, unless it is no longer running. That is to say, the kernel always has the most authentic process list and master right. As long as you can read the original process list and compare it with the process list enumerated by the process API, you can see the rootkit process, because such tools are "unauthorized", it is no longer difficult to scan and kill rootkit. Once the rootkit process is cleared, its own hidden measures will no longer exist, the kernel can "supply" it out, and the user will suddenly find that the rootkit program file that has been "not found" has been honestly in the File Manager view. There are already many such tools, such as icesword, patchfinder, and GDB.
As the mainstream rootkit detection tools have been able to detect the existence of many rootkit Trojans, some rootkit authors have switched to the operating detection algorithm mechanism of the rootkit detection tool, in this way, a new generation of Trojan-futo rootkit, which is more difficult to detect, is created.
Icesword, an excellent testing tool made in China, was defeated in front of futo, because the prototype of the testing tool developed by futo compiler is a black & Light, therefore, we can only use another rootkit detection tool, darkspy, and enable "strong mode" to scan and kill rootkit.
However, due to changes in the detection mechanism, to detect the existence of futo, darkspy must ensure that his driver is loaded and running ahead of futo, which involves priority issues, this is also a way to make the industry feel unsatisfied, because the consequences of this will lead to a decline in system operation efficiency, do not easily use this method in the case of an emergency, however, the current implementation principle of the "broken armor" technology promoted by the rstar card assistant is similar, and it will also have a certain impact on the system. Therefore, this is a choice between security and efficiency, which can only be left for the user to think about.