As we all know, for a Trojan to be activated automatically it must be loaded into memory and run. The protection features of the various media and security tools that deal with Trojans look for the Trojan's automatic loading channel, which amounts to checking and monitoring the common autorun entries to find traces of the Trojan. In practice, the automatic loading used by most Trojans does not go beyond the well-known autorun methods. But the backdoors in Windows XP are far from being closed by a few patches. Below are some less-known backdoors that future Trojans or viruses may exploit, together with security measures against these dangerous backdoors.
I. Introduction to Dangerous Backdoors
The following are some potentially dangerous backdoors that are rarely noticed or taken seriously; their risk level is higher than that of the others. Some of the defensive measures against them are shared, so this article describes those measures together in the second part.
1. Windows Load
Severity:★★★★☆
Dangerous Description: This autorun entry bypasses the well-known Run-related keys to load programs automatically, so it escapes most security program checks, and it is rarely introduced in the media; the risk is therefore high.
Backdoor analysis:
Located under the following registry subkey:
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
This key is kept for compatibility with the old win.ini configuration file and supports several automatically loaded values.
It supports a string value named "Load". Its content can be any executable file, such as "C:\WINDOWS\notepad.exe". Malicious programs can use this value for automatic loading (figure 1).
2. Windows run
Severity:★★★★☆
Dangerous Description: Similar to the above, this autorun entry also bypasses the well-known Run-related keys to load programs automatically, so it escapes the inspection of most security programs; the risk is high.
Backdoor analysis:
Again under the following registry subkey:
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
This key supports a string value named "Run". Its content can be any executable file, such as "C:\WINDOWS\notepad.exe". Malicious programs can use this value for automatic loading (see figure 1).
3. Special 16-bit executable file type
Severity:★★★★☆
Dangerous Description: Malicious programs can exploit this backdoor to escape anti-virus software that only quick-scans the common sensitive file types. A Trojan or virus can create a special file type and use this backdoor to register it.
Backdoor analysis:
Still under [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows], the string value named "Programs" has the default content "com exe bat pif cmd", which lists the common 16-bit executable program file types (a PIF is not itself a complete executable file). If a malicious program modifies this value, for example by adding a "TST" file type, then a malicious program whose extension has been changed to .TST can be executed from the command line without any problem! You can verify this yourself: copy notepad.exe to notepad.TST and then run notepad.TST from the command line. Does Notepad open?!
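A read-only audit of the three values just described (Load, Run and Programs under the legacy win.ini-compatibility key), written as an added PowerShell example for this article; it is not code from the original text. It assumes a PowerShell 3 or later session and treats "com exe bat pif cmd" as the expected content of "Programs", as the article states.

```powershell
# Added example (not from the article): audit the legacy win.ini-compatibility key.
# Read-only. Any content in "Load" or "Run", or an extension list in "Programs"
# that differs from the article's stated default, is reported for review.
$KeyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$DefaultPrograms = 'com exe bat pif cmd'       # default stated in the article
$DefaultList = $DefaultPrograms -split ' '

function Test-LegacyWindowsKey {
    param([string]$Path = $KeyPath)
    $findings = @()
    if (-not (Test-Path -Path $Path)) { return $findings }
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    # "Load" and "Run" are normally absent or empty; anything else starts a program at logon.
    foreach ($name in 'Load', 'Run') {
        $value = $item.$name
        if (-not [string]::IsNullOrWhiteSpace($value)) {
            $findings += [pscustomobject]@{
                Value   = $name
                Content = $value
                Reason  = 'non-empty autostart value (bypasses the well-known Run keys)'
            }
        }
    }

    # "Programs" should hold exactly the default list; extra types let odd extensions run as executables.
    $programs = $item.Programs
    if ($programs -and ($programs.ToLowerInvariant().Trim() -ne $DefaultPrograms)) {
        $extra = ($programs.ToLowerInvariant() -split '\s+') |
                 Where-Object { $_ -and ($DefaultList -notcontains $_) }
        $findings += [pscustomobject]@{
            Value   = 'Programs'
            Content = $programs
            Reason  = "non-default extension list (extra: $($extra -join ', '))"
        }
    }
    return $findings
}

$result = Test-LegacyWindowsKey
if (@($result).Count -eq 0) {
    'No suspicious entries under the legacy Windows key.'
} else {
    $result | Format-Table -AutoSize
}
```

The function only reads the key, so it can run under a normal user account; the values live in HKEY_CURRENT_USER, so run it once per user profile that logs on to the machine.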
4. Windows Shell
Severity:★★★★★
Dangerous Description: This is the most easily exploited backdoor! If a Trojan or virus modifies the value that loads the system shell, it is not easy to detect unless the user is an experienced advanced user.
Backdoor analysis:
In the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
there is a string value named "Shell". During installation, Windows sets its content to "Explorer.exe". Explorer.exe is the default shell program of Windows; it is what brings us to the familiar desktop after the system starts. The explorer.exe file is located in the Windows directory, and because the system includes C:\WINDOWS, C:\WINDOWS\system32 and other system directories in the default search path (the system-defined program search path is %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM, stored in the "Path" value under [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment]), it is enough to give only the file name "Explorer.exe" without a path. This is exactly the danger!
Assume that a Trojan program is named "explorer.exe", copies itself to the windows\system32 directory, and then modifies the content of the "Shell" string value in the registry to "C:\windows\system32\explorer.exe". The Trojan program c:\windows\system32\explorer.exe will then be executed first when the system shell is loaded, and the real system shell program c:\windows\explorer.exe can only be loaded as a parameter of the Trojan program!
Alternatively it changes the value to "C:\windows\system32\explorer.exe" (an absolute path) or "%SystemRoot%\system32\explorer.exe" (referencing an environment variable). In that case, if a user tracks down the value and simply deletes it, Windows will fail to boot to the desktop because the command for loading the system shell is gone, which causes ordinary users even more trouble!
Looking further, we also find that the default search path of Windows XP is "%SystemRoot%\system32;%SystemRoot%", that is, the windows\system32 directory is searched before the Windows directory itself, which is exactly where the Trojan program above installs itself (figure 2)!
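A defender-side check of the Winlogon "Shell" value and of the search-path lookup the article describes, added here as an example; it is not code from the original article. It assumes PowerShell 3 or later, that the genuine shell is %SystemRoot%\explorer.exe, and it reads the active control set (CurrentControlSet) rather than the ControlSet001 path the article names, since CurrentControlSet is the one the running system uses.

```powershell
# Added example (not from the article): verify the Winlogon "Shell" value and look for a
# same-named explorer.exe in directories that the search path visits before %SystemRoot%.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$EnvKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

function Test-WinlogonShell {
    $shell    = (Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop).Shell
    $expected = Join-Path $env:SystemRoot 'explorer.exe'
    $report   = [ordered]@{ ShellValue = $shell; Expected = $expected; Status = 'OK'; Notes = @() }

    if ([string]::IsNullOrWhiteSpace($shell)) {
        # Deleting the value is how the article says users end up without a desktop.
        $report.Status = 'MISSING'
        $report.Notes += 'Shell value is empty or absent; Windows cannot load a desktop.'
        return [pscustomobject]$report
    }

    # The value may list several comma-separated commands; the first one is the shell itself.
    $first    = ($shell -split ',')[0].Trim()
    $expanded = [Environment]::ExpandEnvironmentVariables($first)
    if ($expanded -ne $first) { $report.Notes += "Value references environment variables: $first" }

    if (-not [IO.Path]::IsPathRooted($expanded)) {
        # Bare file name: resolved through the system search path, the danger the article describes.
        $report.Status = 'RELATIVE'
        $report.Notes += 'Shell is a bare file name and is resolved through the system search path.'
        $searchPath = (Get-ItemProperty -Path $EnvKey).Path
        foreach ($dir in ([Environment]::ExpandEnvironmentVariables($searchPath) -split ';')) {
            if ([string]::IsNullOrWhiteSpace($dir)) { continue }
            $candidate = Join-Path $dir.Trim() $expanded
            if (Test-Path -Path $candidate) {
                $report.Notes += "Found $candidate"
                # Any hit that is not the genuine shell is found first or instead of it.
                if ($candidate -ne $expected) { $report.Status = 'SUSPICIOUS' }
            }
        }
    }
    elseif ($expanded -ne $expected) {
        # Absolute path that does not point at the real shell (e.g. a copy under system32).
        $report.Status = 'SUSPICIOUS'
        $report.Notes += "Shell points to $expanded, not to $expected."
    }

    if ($shell -ne $first) { $report.Notes += "Additional shell commands present: $shell" }
    return [pscustomobject]$report
}

Test-WinlogonShell | Format-List
```

A result of RELATIVE is the stock Windows XP configuration and is not by itself a compromise; it is the condition under which a look-alike explorer.exe in system32 wins, which is why the article's first countermeasure replaces the bare name with an absolute path.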
5. bootexecute
Severity:★★★★★
Dangerous Description: This is also a backdoor that is easily exploited! If a Trojan or virus modifies the value that loads programs automatically here, it is hard to find unless an experienced senior user is involved.
Backdoor analysis:
The registry location of this dangerous backdoor is as follows:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]
Under this key, a multi-string value named "BootExecute" exists by default. Its default content is "autocheck autochk *", which is used for the automatic disk check during system startup. Some applications also place their own autorun entries here during installation. For example, the well-known defragmentation software PerfectDisk adds a string "pdboot.exe" here so that it can defragment special areas of the disk at the very beginning of the system boot.
The format of a multi-string value is that each command line occupies a separate line.
It is easy to imagine what happens if a Trojan or virus is implanted into the system and then adds an automatically loaded command line here.
More seriously, even the best-known anti-virus software in the world is loaded into memory only when Windows XP enters the 32-bit graphical interface; in other words, anti-virus software loads with a lower priority than the programs listed in the "BootExecute" value. This method is therefore more concealed and more harmful to the infected system!
6. pendingfilerenameoperations
Severity:★★★★★
Dangerous Description: This is a backdoor that malicious programs can exploit, although using it is slightly more troublesome. The name "PendingFileRenameOperations" means exactly that: file rename operations pending until the next boot. When you install some applications, the computer must be restarted after the installer finishes so that files in use, or locked by loaded services, can be replaced. The commands the installer runs at the next startup are generally not written to the common Run-related registry keys; instead they are loaded automatically through the special "PendingFileRenameOperations" registry value.
Backdoor analysis:
The registry location of this dangerous backdoor is as follows:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]
Here a registry value named "PendingFileRenameOperations" is supported (figure 4). However, this value does not exist at all times; it is generally generated automatically by a software installer, and of course it can also be implanted through other channels.
If a Trojan or virus wants to be more concealed, it can temporarily use an extremely rare file name and extension when infecting the system, so as to avoid the quick scans of common sensitive file types performed by some anti-virus software; then the "PendingFileRenameOperations" value is used to rename the file, and automatic loading is achieved with one of the other autorun entries described above, at which point the malicious program shows its true face!
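An audit of the two Session Manager values from items 5 and 6, "BootExecute" and "PendingFileRenameOperations", added here as an example; it is not code from the original article. It assumes PowerShell 3 or later, reads CurrentControlSet (the active control set) instead of the ControlSet001 path the article names, and takes "autocheck autochk *" as the expected BootExecute content, as the article states.

```powershell
# Added example (not from the article): list non-default BootExecute entries and every
# pending rename, flagging renames that produce an executable at the next boot.
$SessionManager     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$DefaultBootExecute = @('autocheck autochk *')   # default stated in the article
$ExecutablePattern  = '\.(exe|com|bat|cmd|pif|scr|dll|sys)$'

function Test-SessionManagerAutostarts {
    $props    = Get-ItemProperty -Path $SessionManager -ErrorAction Stop
    $findings = @()

    # BootExecute is REG_MULTI_SZ; PowerShell returns it as a string array (or $null if absent).
    $boot = if ($props.BootExecute) { @($props.BootExecute) } else { @() }
    foreach ($line in $boot) {
        if ($DefaultBootExecute -notcontains $line) {
            $findings += [pscustomobject]@{
                Value  = 'BootExecute'
                Entry  = $line
                Reason = 'non-default native-mode program; runs before any anti-virus service ' +
                         '(a scheduled chkdsk writes "autocheck autochk /r ..." here; verify anything else)'
            }
        }
    }

    # PendingFileRenameOperations holds pairs: source, destination. An empty destination means delete.
    $pending = if ($props.PendingFileRenameOperations) { @($props.PendingFileRenameOperations) } else { @() }
    for ($i = 0; $i -lt $pending.Count; $i += 2) {
        $src = $pending[$i]
        $dst = if ($i + 1 -lt $pending.Count) { $pending[$i + 1] } else { '' }
        $action = if ($dst) { "rename to $dst" } else { 'delete' }
        # A rename whose destination is executable but whose source is not matches the
        # "rare extension first, real name at next boot" trick described in the article.
        $reason = 'pending file operation at next boot'
        if ($dst -match $ExecutablePattern -and $src -notmatch $ExecutablePattern) {
            $reason = 'creates an executable from a non-executable name at next boot'
        }
        $findings += [pscustomobject]@{
            Value  = 'PendingFileRenameOperations'
            Entry  = "$src -> $action"
            Reason = $reason
        }
    }
    return $findings
}

$result = Test-SessionManagerAutostarts
if (@($result).Count -eq 0) {
    'BootExecute is at its default and no file operations are pending.'
} else {
    $result | Format-Table -Wrap -AutoSize
}
```

Pending entries are normal right after an installation or Windows update, so the useful signal is a pending operation on a machine that has not had anything installed, or one whose destination is an executable under a system directory.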
II. Security Prevention of Dangerous Backdoors
1. Modify the system's default shell loading parameter
For example, the system shell is given simply as "Explorer.exe", which is extremely dangerous but easy to prevent. In the Registry Editor, locate the following location:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Change the "Shell" value there to the absolute path of the system shell program, such as "C:\WINDOWS\explorer.exe". This removes the risk that the search-path lookup brings.
2. Set the scan options of anti-virus software
Anti-virus software can scan the system in several ways. To increase scanning speed and reduce the use of system resources, many products use an intelligent scan (or quick scan; the name varies between products) by default, that is, they scan only the common file types that are prone to virus infection, which leaves a hidden risk that malicious programs can exploit through the backdoors above. Therefore, if the machine's configuration permits it or high security is required, you should manually change the scan options of the anti-virus software so that it scans and monitors all file types; this lets it discover the more cunning intruders (figure 5).
3. Use registry permissions to enhance security
The "Load", "Run" and "Programs" values mentioned above are dangerous, and since many security tools neither monitor nor check them, this is a high-risk zone. Because [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows] exists mainly for compatibility with the old win.ini, ordinary users have no need for the values here in most cases. We can set registry permissions to prevent the contents from being modified maliciously.
In the Registry Editor, find the key above, right-click it, select the "Permissions" command from the shortcut menu (figure 6), select all users in the dialog box that follows, and choose "Deny" in the permission settings.
Figure 6: Setting registry permissions
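The same measure applied from PowerShell, added here as an example; it is not code from the original article. It denies Everyone the write-type rights on the key (SetValue, CreateSubKey, Delete) rather than denying everything as the article's dialog walk-through does, so that programs which still read the win.ini-compatibility values keep working; the -Undo switch removes the rule again. It assumes PowerShell 3 or later.

```powershell
# Added example (not from the article): add (or remove) a Deny ACE for Everyone on the
# legacy Windows key so that its Load/Run/Programs values cannot be changed.
$KeyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'

function Protect-LegacyWindowsKey {
    param([string]$Path = $KeyPath, [switch]$Undo)

    $acl      = Get-Acl -Path $Path
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # well-known SID: Everyone
    # Deny only the rights needed to modify the key; reading stays allowed.
    $rights   = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
    $rule     = New-Object System.Security.AccessControl.RegistryAccessRule(
                    $everyone,
                    $rights,
                    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
                    [System.Security.AccessControl.PropagationFlags]::None,
                    [System.Security.AccessControl.AccessControlType]::Deny)

    if ($Undo) {
        $removed = $acl.RemoveAccessRule($rule)
        if (-not $removed) { Write-Warning 'No matching Deny rule was present.' }
    } else {
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Show the Deny rules now in force so the change can be reviewed.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
}

Protect-LegacyWindowsKey            # apply the protection
# Protect-LegacyWindowsKey -Undo    # remove it again before a legitimate change
```

Because ChangePermissions is not denied, the key's owner can always remove the rule; the ACE stops casual writes by a program running as the user, not a determined attacker who already has the user's rights, which is also all the article's manual procedure achieves.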
4. Other security measures
Knowing the locations of the dangerous backdoors above, we can take further preventive measures according to our own skill level and convenience. For example, programmers can write dedicated programs to monitor these high-risk values and restore them automatically. Ordinary users can export the registry at the above locations while the system is healthy and save it as a backup file, or open the registry keys one by one, add them to the "Favorites" menu, and jump to these locations quickly for manual checks when needed. The details are not repeated here because they are too extensive.
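The monitor-and-restore program this section suggests, and the Shell hardening from measure 1, written as one added PowerShell example; it is not code from the original article. It snapshots every value the article lists to a JSON baseline (the file location under %ProgramData% is an assumption), compares the live registry against it, and can write the baseline back; it assumes PowerShell 3 or later and uses CurrentControlSet for the Session Manager key. Restoring the HKLM values needs an elevated session.

```powershell
# Added example (not from the article): baseline, compare and restore the autostart
# values discussed above, plus the absolute-path fix for the Winlogon Shell value.
$Watched = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Values = 'Load', 'Run', 'Programs' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';  Values = 'Shell' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';       Values = 'BootExecute', 'PendingFileRenameOperations' }
)
$BaselineFile = Join-Path $env:ProgramData 'autostart-baseline.json'   # assumed location
$MultiStringValues = 'BootExecute', 'PendingFileRenameOperations'

function Get-AutostartState {
    # Returns a hashtable "key|value" -> content; REG_MULTI_SZ is joined with newlines so it compares as one string.
    $state = @{}
    foreach ($w in $Watched) {
        $props = Get-ItemProperty -Path $w.Key -ErrorAction SilentlyContinue
        foreach ($v in $w.Values) {
            $raw = if ($props) { $props.$v } else { $null }
            $state["$($w.Key)|$v"] = if ($null -eq $raw) { $null } else { @($raw) -join "`n" }
        }
    }
    return $state
}

function Save-AutostartBaseline {
    # Run this once while the system is known to be clean (the article's "export the registry" step).
    Get-AutostartState | ConvertTo-Json | Set-Content -Path $BaselineFile -Encoding UTF8
}

function Compare-AutostartState {
    # Emits one object per value whose live content differs from the baseline.
    $baseline = Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json
    $current  = Get-AutostartState
    foreach ($entry in $current.GetEnumerator()) {
        $old = $baseline.($entry.Key)
        if ($old -ne $entry.Value) {
            [pscustomobject]@{ Location = $entry.Key; Baseline = $old; Current = $entry.Value }
        }
    }
}

function Restore-AutostartBaseline {
    # Writes the baseline content back for every changed value (the "automatically restore" program).
    foreach ($change in Compare-AutostartState) {
        $key, $name = $change.Location -split '\|', 2
        if ($null -eq $change.Baseline) {
            Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        } elseif ($MultiStringValues -contains $name) {
            Set-ItemProperty -Path $key -Name $name -Value ($change.Baseline -split "`n") -Type MultiString
        } else {
            Set-ItemProperty -Path $key -Name $name -Value $change.Baseline
        }
        Write-Host "Restored $name under $key"
    }
}

function Set-ShellAbsolutePath {
    # Measure 1 from the article: replace the bare "Explorer.exe" with the shell's absolute path.
    $abs = Join-Path $env:SystemRoot 'explorer.exe'
    if (-not (Test-Path -Path $abs)) { throw "Shell program not found at $abs; refusing to change Shell." }
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell -Value $abs
}

# Typical use: harden Shell, take the baseline, then compare on a schedule.
# Set-ShellAbsolutePath
# Save-AutostartBaseline
Compare-AutostartState | Format-List
```

Take the baseline only after Set-ShellAbsolutePath, otherwise a later Restore-AutostartBaseline would put the bare "Explorer.exe" back. Running Compare-AutostartState from a scheduled task and mailing or logging any output gives the monitoring the article asks programmers for, without touching the registry until someone has looked at the difference.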