Summary by overseas security researchers: various methods to maintain Trojans for a long time

Summary by overseas security researchers: various methods to maintain Trojans for a long time

 

In this post, I will dig deeper into several common methods to maintain Trojans. Simply using the local resources of the infected Windows system, you can restart the system and cannot clear the Trojans. This list is not complete yet. I hope you can actively provide new methods that do not exist on the list.

From the Event Response perspective, viewing suspicious items started with the system is one of the best strategies for searching Trojans. In the past, you only had to check 2-3 locations to detect 99% of the infections. Today, there may be thousands of startup methods for Trojans. Common infections are automatically run when Windows is started (or when a user logs on), but some spoofed infections are triggered by other events.

Autoruns

I like to use the system tool Autoruns to maintain Trojans. In this section, I mainly quoted the official built-in help, but I found it quite interesting.

Some problems with the Autoruns tool are described in the annotations below: this tool can only run on real-time systems. However, I often encounter problems caused by dd images. Although VBoxManage can convert the dd image to the VirtualBox disk image format, I usually do not have time or storage space to do so. In this case, xmount can play a major role. Xmount can use memory to quickly convert the dd image/Encase image to Virtualbox format. You only need to connect the disk image to a new virtual machine and use it as the master boot hard disk, modify the CPU, disk, and controller settings until Windows does not crash and can start normally; in this way, you do not need to modify the original dd files one by one, and you can also guide the impact analysis. Another problem when analyzing Trojans in real-time systems is that a sly Trojan can easily cheat analysts.

To speed up, I usually filter out Microsoft entries and only search for executable files that are not audited (missing or invalid verification codes) for each user location and user location. Using this method, 90% of malware can be easily discovered. Especially purple or pink entries are highly suspicious. If you want to find other entries, you have to dig deeper.

 

Zeus will "hide" in a common random directory-check the forged Timestamp

To achieve "unattended monitoring", You need to regularly save Autoruns output results. These output results can greatly help time response. Click here for the operation guide.

Logon

"This entry scans the standard Automatic startup location, such as the current and all users's Sartup folders, Run registry key values, and the standard application startup location ."

At present, Autoruns has 42 registry entries/folders, which can be automatically started using Autoruns Trojans. The most common methods are the HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run and C: \ ProgramData \ Microsoft \ Windows \ Start Menu \ Programs \ Startup folders.

My favorite is file-independent Poweliks malware, which can achieve 100% infection. Typical ring3 code execution.

Explorer

"Select this option to view Resource Manager shell extensions, browser assistant objects, resource manager toolbar, active installation and execution, and shell execution hooks ". Oh, my God, the registry key of 71. Generally, these are not for Automatic startup of Trojans, but they can be hidden in some locations.

Internet Explorer

"This option displays browser help objects (BHO), Internet browser toolbar, and extensions ". There are 13 registry entries. If a malicious BHO is installed on your browser, you are almost done.

 

Scheduled tasks

"Tasks in the scheduler start at startup or login. ". Not commonly used, but you must take a look.

I always thought this self-starting entry was boring, but now I think this is the best way to hide Trojans. By default, there are so many items in this entry, some of which can trigger Trojan startup.

You only need to create a custom event to trigger Windows event logs. Do you know?

You can maintain Trojans for a long time by using Windows tools such as bitsadmin and Scheduler. Do you know?

Past schedulers

Current Scheduler

 

Service

HKLM \ System \ CurrentControlSet \ Services is a location where Trojans are often hidden. Check all the items carefully.

Driver

Same as the service. The location where Trojans are often hidden. Unfortunately, it is no longer interesting to sign drivers for 64-bit systems, because to sign these drivers, you must have a "software publisher certificate ". The starting position that ring0 Trojans often use.

Starting from Windows 10, all drivers must sign with the "Windows Hardware Developer Center Dasboard Portal" and EV certificate.

Codecs

22 registry items. Not very common, but there may be code execution.

Start execution

"Local images (rather than Windows images) Run as early as during startup ".

Five registry entries. A good place to hide Trojans.

Image hijacking

"Image File Execution options and command prompt will automatically start ". There are 13 registry items. I believe it is intended for debugging purposes.

Previously, sticky Trojans were often hidden in this location. This location is different from other locations because it provides backdoor permissions, but you can only use it on the local network (usually. In this case, as long as someone continuously clicks the SHIFT button, the code will be executed before the RDF login. The previous method was to replace sethc.exe, and the new method was to set a debugging program on sethc.

AppInit

"Its Autoruns will show that the DLL is registered as the application initialization DLL ". There are only three registry entries. In the past, malicious DLL is injected into the resource manager, browser, and so on. Fortunately, this method is almost outdated.

Known DLL

"The location of the DLL is displayed, and the DLL is loaded to the corresponding application in Windows ". There is only one registry entry. This project may be used to hijack some system DLL.

Winlogon

"Displays the DLL used for Winlogon logon Event Notification registration ". Seven registry entries. Sometimes, Trojan horses are used.

Winsock supplier

"Displays the registered Winsock protocol, including the Winsock service provider. Malware is often disguised as a Winsock service provider for installation, because there are several tools to delete them. Autoruns can disable but cannot delete them. Four registry entries. As far as I know, Trojans often used this method some time ago. However, it is still a good place to hide Trojans.

Print Monitor

"Displays the DLL loaded to the background printing service. The Trojan has been used for self-starting. One registry key. Some Trojans use unexpected methods to hide the maintenance module of the Trojan.

LSA supplier

"Display registered local security organization (LSA) authentication, notification and security package ". Five registry entries. A good place to hide passwords and steal Trojans.

Network provider

"Missing files ". If you have a good document, please comment.

WMI Filter

"Missing files ". Check Mandiant to view details.

Sidebar Tool

Thanks to God MS for disabling this feature :)

We miss you very much. You have a nightmare of resource occupation!

Common methods--but not self-starting

Now, let's take a look at some other methods to start the trojan. These methods will not appear in the Autoruns inside the system.

Backdoor program and executable file/DLL

You only need to change the code of an executable program, whether it is self-start or manual start. To avoid low-level errors, disable file updates... the backdoor Factory is a good source. But if you want to install a backdoor in the executable program/DLL listed in the Autoruns list, you need to crack the digital signature of the file. I suggest you sign the executable program. If you cannot steal a trusted certificate, you can also import your own CA to your trusted Certificate storage area (with user permissions ), disguise your CA as a trusted certificate. Note: Use "Microsoft Windows" as the CA code signatory so that your executable files can be mixed in.

It seems that rootkit.exe is legal and can be filtered out when analysts filter Windows projects.

Hijacking DLL Loading Sequence

Place your DLL in a directory, which must be searched before the original DLL is found. However, to avoid re-detection, use the valid proxy function to call the original DLL.

Mandiant and DLL hijacking Probes provide good resources.

Hijack desktop/Start Menu shortcuts

Never underestimate the role of a stupid method. You only need to create an executable file to call the original executable file and start your backdoor at the same time. Replace the link. OK! Don't be careless. Check the logo. I found that advertising software uses this method to hijack the browser.

IE hijacking starts with a http://tinyurl.com/2fcpre6

File Association hijacking

Select the user's favorite file type and use similar programs to replace the program originally responsible for opening the file!

COM Object hijacking

No matter whether there are some COM objects in the system, some COM objects will be scanned,
In addition, the COM object is automatically loaded after registration. See COMpfun for details.

Windows application compatibility-SHIM

Many people are not familiar with Windows application compatibility and operating principles. You can think of it as a Interlayer between the application and the OS. If the application meets certain conditions (such as the file name), some operations will be performed. For example, simulate directories, registry items, DLL injection, and so on. During my installation, there are 367 different compatibility patches (compatible "Simulated" types), and some of them can be customized.

Each time IE is started, a DLL is injected into IE.

Bootkits

Although bootkits can also be categorized into driver parts (because they may need drivers), I think bootkits is worth being separately listed as a section.

MBR-Master Boot Record

A Trojan can overwrite the master startup record, use its own code to start the boot process, or continue the original boot process. Trojans often forge the MBR Record Content and then display the original content. This means that the user only connects the infected hard disk to a clean system and compares the first 512 bytes (or more in some cases) with the uninfected system) or compare the display content of the infected system. SecureBoot can be used to prevent such trojans from being infected.

There is little difference between checking the MBR from the infected operating system and the clean operating system.

VBR-volume startup record

This is the next logical step where a Trojan can start its process. Some Trojans like to hide the startup code here. See

GrayFish for more details. SecureBoot can be used to prevent such trojans from being infected.

BIOS/UEFI Trojan

The old version of BIOS and the new version of UEFI can be tampered with, so that the Trojan can be started before the OS starts. Although UEFI is safer than BIOS, implementation and design errors often occur. Refer to the computer theft prevention rootkit to view details.

Virtual Machine monitor-Ring-1 Trojan

This kind of Trojan is special, because I believe that although the Trojan can run on this layer, it is generally impossible to maintain only on this layer of the physical device for a long time, because after the physical device restarts, the Trojan does not exist (refer to the instructions in Rutkowska in 2006 ). However, because the VM monitoring program can intercept restart events, the trojan writes itself to another layer (for example, installing a common kernel driver ), and then delete it after the restart.

SMM (System Management Mode) Trojan-ring 2 Trojan

It is associated with the previous attack type, but not many people know that the system management mode can be used to inject code into the OS. Check the DEITYBOUNCE Trojan to view details ). In addition, Intel dual-monitor mode (DMM) enables Untrusted code execution, and Intel dual-monitor mode (DMM) basically monitors the SMM mode.

Intel active management technology-ring-3 Trojan

According to Wikipedia, "Intel active management technology (AMT) is a hardware and firmware technology used to remotely manage personal computers and monitor, maintain, update, upgrade, and repair computers ". You may ask, what's the problem? See

Alexander Tereshkin and Rafal Wojtczuk, or Vassilios Ververis papers on AMT.

There are also many people who haven't clicked on the link to View Details. Let me talk about the terrible aspects of AMT:

Independent from the master CPU

Access host memory through DMA (limited)

Dedicated link to NIC for filtering

You can force the host operating system to restart at any time (and start the system from the virtual optical drive)

Start from S3 sleep!

Others

Create new users, update existing users, and hide Administrators

Hackers sometimes do not need to add malicious code to the system, because valid user creden。 are enough. Existing users can be used for this purpose, or new users can be created. For example, one method is to use a 500 RID Support Account-click here and click here for the metasploit tool.

Profound firmware Trojan

Almost none of the computers need a firmware to run. If the firmware is replaced with a malicious one, the Trojan can be started. For example, hard disk firmware (see GrayFish) and graphics card

Hidden Startup Device

Malware can be hidden in a startup device. The Startup Device needs to check before the OS is loaded and after the trojan is loaded. It also needs to load the affected OS.

Webshell

Consider the following scenario: each time the operating system is started, the backdoor loads additional data from the network. Backdoors can check for new software updates and Configuration updates. Every time a vulnerable software/configuration is updated, the trojan is injected into the response and executed. This level of maintenance is not foolproof, but it is still possible. Think about the recently discovered GPO MiTM attacks, Evilgrade tools, and even Xensploit tools, as well as the VM migration we are talking about.

Software Vulnerabilities

Almost any type of software vulnerability can be used as a persistent backdoor. In particular, it can be remotely accessed through the network without any vulnerabilities in user interaction. Previous MS08-067 ......

Built-in hardware Trojan on the chipset

I don't know what to write. Ask the local spyware Agency for more information. Good luck!

Recommended tools:

Sysinternals Autoruns

GMER

DLL hijack detector

PCHunter

Mandiant Redline

Volatility

Kansa