Technical analysis: How can I lure you into handing over your password?

Source: Internet
Author: User
Tags: password protection

I. Basic Information

Figure 1 Trojan program icon

This sample is a trojan that specializes in stealing Q coins (Tencent's virtual currency) and is packed with UPX.
Typical behaviour:
1. On a machine where QQ is logged in, QQ quits for no apparent reason;
2. Sometimes QQ displays an abnormal-login prompt whose verification code image is in color, asking the user to enter the code;
3. QQ's Bin directory contains files such as MSIMG32.dll and SVulStrong.dat;
4. If the stolen QQ account holds Q coins or Q points (written "QPS" in the original text), they are stolen; otherwise the trojan simply stays hidden;
5. A single parent file drops several different components that cooperate to steal Q coins or Q points. The relationship between the components is shown in Figure 2:

Figure 2 Structure of the Q coin stealing components and their relationships

II. Overview

1. The trojan uses API hooking to capture the user's QQ number and password.
2. It then queries the account's Q coin information; if the balance is not zero the account is regarded as worth stealing, and the QQ number and password are sent to the attacker's server.

III. Parent file of the QQ stealer ----- 21.exe

The parent file is relatively simple: it detects QQ, terminates it if it is running, and drops the trojan components into QQ's Bin directory, paving the way for stealing the account and the assets tied to it.
1. Create a mutex named "... TM345". If creation fails the process exits, so that only one instance runs; the mutex is released afterwards.
2. Take a snapshot of the running processes and look for the qq.exe / tm.exe process.
3. If the qq.exe process is not found, use the registry to determine whether QQ is installed on the system and try to obtain the QQ installation path from it.
The trojan walks the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache to check whether QQ has been installed and to locate its directory. If the process is still not found, it keeps taking process snapshots in a loop until a qq.exe process appears.
4. Delete QQ's saved login records so that QQ can no longer log in automatically and the user has to type the password by hand. (This is the trick the attacker uses to make the user re-enter the QQ number and password.)
A. Once the qq.exe process is found, check whether AutoLogin.dat and msimg32.dll exist in the Bin subdirectory of the QQ installation directory and delete them if they do.
B. If the file C:\Program Files\Tencent\QQ\Users\All Users\QQ\Registry.db exists, open it with the StgOpenStorage function (it is a structured-storage file), fetch the Main_LoginAccountList entry and destroy the record; the password therefore has to be entered manually at the next login.
5. Create msimg32.dll (a counterfeit of the system DLL of the same name) and SVulStrong.dat in the Bin directory of the QQ installation and set their file attributes to hidden and system.
Note: when QQ starts, the msimg32.dll in its own directory is found before the one in System32 and is loaded instead of it (DLL search-order hijacking).
6. Search for qq.exe again; if it is present, check the qq.exe process and confirm that it has been terminated.
7. Create a process whose command line deletes the trojan's own source file, then exit.
8. When QQ starts again it loads the msimg32.dll planted by the trojan.
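As an added example (not code from the original analysis or from the sample), here is a Python check a responder could run against the artefacts that steps 4 to 8 leave behind: a file in the application directory that shadows a system DLL name, the companion SVulStrong.dat, the hidden+system attributes, and a hash comparison against the System32 copy of msimg32.dll. The directory tree, the file contents and the reference hash are constructed inside demo(); the names scan_qq_bin, is_hidden_system and sha256_of are mine, and the attribute check only works on Windows, where os.stat exposes st_file_attributes.

```python
import hashlib
import os
import stat
import tempfile

# Files the dropper plants in QQ's Bin directory (names from the analysis above).
DROPPED_DLL = "msimg32.dll"
DROPPED_DATA = "SVulStrong.dat"
# FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM; the stat constants exist only on Windows.
HIDDEN_SYSTEM = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2) | getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4)


def sha256_of(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_hidden_system(path):
    """True when both HIDDEN and SYSTEM attributes are set (Windows only; False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return False
    return attrs & HIDDEN_SYSTEM == HIDDEN_SYSTEM


def scan_qq_bin(bin_dir, system32_msimg32_sha256):
    """Return (finding, path) pairs for this dropper's artefacts in an application directory.

    system32_msimg32_sha256 is the hash of the genuine %SystemRoot%\\System32\\msimg32.dll,
    computed by the caller on the machine being checked.
    """
    findings = []
    by_lower = {name.lower(): name for name in os.listdir(bin_dir)}
    if DROPPED_DATA.lower() in by_lower:
        findings.append(("dropped component", os.path.join(bin_dir, by_lower[DROPPED_DATA.lower()])))
    if DROPPED_DLL.lower() in by_lower:
        dll = os.path.join(bin_dir, by_lower[DROPPED_DLL.lower()])
        # A system DLL name sitting next to the EXE is the search-order hijack itself; the hash
        # comparison only distinguishes a planted proxy from a stray copy of the real file.
        if sha256_of(dll) != system32_msimg32_sha256:
            findings.append(("msimg32.dll differs from System32 copy", dll))
        else:
            findings.append(("msimg32.dll duplicated in app dir", dll))
        if is_hidden_system(dll):
            findings.append(("hidden+system attributes", dll))
    return findings


def demo():
    """Run the scan over a constructed QQ\\Bin tree (not a real sample) and over a clean one."""
    with tempfile.TemporaryDirectory() as root:
        genuine = b"MZ-stand-in-for-the-real-system-msimg32"   # constructed reference content
        reference_hash = hashlib.sha256(genuine).hexdigest()

        infected = os.path.join(root, "QQ", "Bin")
        os.makedirs(infected)
        for name, content in (("QQ.exe", b"MZ"),
                              ("MSIMG32.dll", b"MZ-planted-proxy-dll"),
                              ("SVulStrong.dat", b"fake-dialog-component")):
            with open(os.path.join(infected, name), "wb") as f:
                f.write(content)

        clean = os.path.join(root, "Clean", "Bin")
        os.makedirs(clean)
        with open(os.path.join(clean, "QQ.exe"), "wb") as f:
            f.write(b"MZ")

        return ([kind for kind, _ in scan_qq_bin(infected, reference_hash)],
                [kind for kind, _ in scan_qq_bin(clean, reference_hash)])


if __name__ == "__main__":
    print(demo())
```

On a real machine, pass the QQ Bin path and the SHA-256 of the System32 msimg32.dll; the name match alone is already suspicious, because the whole point of the dropper is to shadow that system DLL, and the hash only tells you whether the shadowing file is the planted proxy.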

IV. Stealing the QQ password and querying Q coin information ----- msimg32.dll

This module is the core of the trojan. Its job is to steal QQ numbers and passwords, and the Q coins and Q points of the corresponding accounts.
The file is a forged system DLL. Dropped into the QQ installation directory, it is loaded automatically whenever QQ runs. After the user starts QQ, the forged msimg32.dll is loaded and executed inside the QQ process and performs the following actions:
1. Load the genuine msimg32.dll from the system directory, so that QQ keeps working normally.
2. Patch the modules loaded by QQ to hook key functions and capture the account and password.
A. Use several methods to interfere with the normal operation of QQ's account-protection module and intercept the QQ number.
B. Search the MSIMG32.dll memory block for the QQ password the user typed.

Figure 3 Screenshot of the sample successfully capturing the test QQ login password "woshimima"

3. Use the captured QQ number and password to query the Q coin and Q point information.
A. Check whether QQ has logged in successfully.
B. If the login succeeded, query the current user's Q coins and Q points.
The trojan accesses "My Wallet" through a URL. After logging in it queries the Q coin information and downloads the required verification code image to the local machine; that image is then used to defraud the user of the code through a fake abnormal-login dialog.
1) The trojan silently accesses "My Wallet" in the background through a URL.
Normally a QQ user reaches "My Wallet" like this: click the penguin icon in the lower left corner of the QQ main window -> All Services -> Tenpay -> My Wallet, as shown in Figure 4:

Figure 4 Normal access to My Wallet

The trojan's MSIMG32.dll accesses "My Wallet" directly through the following URLs (format strings as they appear in the sample, truncated in the dump):
Http://ptlogin2.tenpay.com/clien .. s&ADUIN=%s&ADSESSIO
Https://wallet.tenpay.com/main/c .. n=%s&COOKIE_skey=%s

Figure 5 The trojan accessing My Wallet through a URL

2) Query Q coins and Q points.
A. Obtain the verification code image through https://www.tenpay.com/cgi-bin/v1.0/getimage.cgi?T=1320%lu

Figure 6 Obtaining the verification code through a URL

B. After obtaining the verification code image, it calls a function in the other trojan component SVulStrong.dat to trick the user into entering the code, and then queries the Q coins and Q points.

Figure 7 Entering the verification code for the Q coin query

SVulStrong.dat creates a fake QQ "account exception" dialog to trick the user into entering the verification code (see the analysis of the SVulStrong.dat component below).
C. Parse the XML reply to obtain the Q coin and Q point balances.
Specifically, the URL returns an XML document that contains the account's Q coin and Q point information; parsing it yields those balances and anything else the trojan wants to know.
The XML contains nodes such as <jifen_balance></jifen_balance>, <qb_balance>0.00</qb_balance>, <retcode>00</retcode> and <retmsg>transaction successful</retmsg>. If <retmsg> contains the word "successful", the balance information was returned, and the values of <qb_balance> (Q coins) and <jifen_balance> (Q points) are read.
4. Send the QQ number and password to the attacker's server.
A. If the query succeeded, check whether both the Q coin and the Q point balances are zero.
B. If they are not zero, send the QQ number and password to the server.
The server address is http://121.10.107.117:8015/kkasdf1/lldfa1.asp. It has been verified that this IP address belongs to the Disabled Persons' Federation of Huai'an city; the attacker has taken over that server and uses it to collect the stolen QQ numbers and passwords.
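The reply parsing of step 3.C and the zero-balance trigger of step 4, written out in Python as an added example rather than code taken from the sample. The node names <retcode>, <retmsg>, <qb_balance> and <jifen_balance> come from the analysis; the <root> wrapper, the constructed sample replies and the names parse_wallet_reply and worth_exfiltrating are assumptions made here. The substring match on "successful" follows the translated <retmsg> text quoted above; the real sample compares against the original-language string.

```python
import xml.etree.ElementTree as ET
from decimal import Decimal, InvalidOperation

# Constructed replies in the shape described above. The node names are from the analysis;
# the <root> wrapper and the concrete values are assumptions made for this example.
SAMPLE_REPLIES = {
    "empty_account": (
        "<root><jifen_balance></jifen_balance><qb_balance>0.00</qb_balance>"
        "<retcode>00</retcode><retmsg>transaction successful</retmsg></root>"
    ),
    "funded_account": (
        "<root><jifen_balance>120</jifen_balance><qb_balance>12.50</qb_balance>"
        "<retcode>00</retcode><retmsg>transaction successful</retmsg></root>"
    ),
    "failed_query": (
        "<root><retcode>66</retcode><retmsg>login state invalid</retmsg></root>"
    ),
}


def _node_text(root, tag):
    """Text of the first element named tag anywhere under root, or '' if absent."""
    node = root.find(".//" + tag)
    return (node.text or "").strip() if node is not None else ""


def _as_amount(text):
    """Balances arrive as strings; empty or non-numeric text counts as zero."""
    try:
        return Decimal(text) if text else Decimal("0")
    except InvalidOperation:
        return Decimal("0")


def parse_wallet_reply(xml_text):
    """Pull retcode, retmsg and the two balances out of one reply document."""
    root = ET.fromstring(xml_text)
    return {
        "retcode": _node_text(root, "retcode"),
        "retmsg": _node_text(root, "retmsg"),
        "qb_balance": _as_amount(_node_text(root, "qb_balance")),        # Q coins
        "jifen_balance": _as_amount(_node_text(root, "jifen_balance")),  # Q points
    }


def worth_exfiltrating(reply):
    """The trigger as described: the reply reports success and at least one balance is non-zero."""
    if "successful" not in reply["retmsg"]:
        return False
    return reply["qb_balance"] != 0 or reply["jifen_balance"] != 0


def classify_all():
    """Map each constructed reply to the decision the trojan would take."""
    return {name: worth_exfiltrating(parse_wallet_reply(xml)) for name, xml in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    for name, decision in classify_all().items():
        print(name, "->", "send credentials" if decision else "stay hidden")
```

The point worth noticing for detection is the silence on empty accounts: credentials are only ever sent when a balance is non-zero, so a compromised machine with a zero-balance account generates no traffic to the collection server and the hijacked msimg32.dll in the Bin directory is the only reliable indicator.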


V. Creating a counterfeit QQ abnormal-login dialog to obtain the verification code ----- SVulStrong.dat

This component is relatively simple: its main job is to pop up a fake QQ "account exception" dialog.
Compare it with the genuine "Account Exception" dialog: the color verification code image in the fake one (the image fetched from Tenpay) is the tell-tale difference:

Figure 8 Comparison between the fake exception dialog popped up by the trojan and the genuine QQ dialog

VI. Analysis of Technical Points

1. A fake system DLL, msimg32.dll, is dropped into the QQ directory so that QQ loads and runs the trojan automatically (DLL search-order hijacking).
2. The user's account and password are then intercepted from keyboard input; at the same time QQ's security-protection code is patched, defeating the QQ password protection mechanism.
3. After the account and password are obtained, the Q coin and Q point balances are queried silently in the background, and the user is tricked into entering the verification code. The credentials of accounts whose Q coin or Q point balance is non-zero are sent to the attacker's server.
4. The trojan breaks QQ's password protection, which is rare among similar trojans.
