Technical analysis: How Trojans tamper with boot passwords

Technical analysis: How Trojans tamper with boot passwords

After Mr. Duan from Jiangsu downloads a software called "Free q" in the QQ group, the computer will not be able to enter the system after it is started, and a prompt will pop up, "Please contact QQ ********* to obtain the boot password" and ask for the unlock fee of 15 yuan. This made Mr. Duan very depressed and had to seek help from netizens through Weibo.

After a friend gave me some advice, Mr. Duan knew that his computer was infected with a Trojan horse named "Hitting the bar". The hacker behind the scenes was the "free qcoin" software he downloaded. In an interview with 360, the security center was informed that the activity of the Trojan Horse "Hitting the bar" has increased significantly recently, reminding users that 360 security guards will not be involved, do not allow Trojans in spite of the security software alarm risk for the purpose of "refreshing qcoins.

According to engineer 360, Trojans that are sent via QQ groups and emails are often disguised as "CF free gun-free and non-toxic software" and "Free qcoin-free" and other tempting titles, once you click Run, the system login password will be tampered. Detailed technical analysis is as follows:

After encountering a trojan like the following, the following information appears during startup.

The analysis found that this type of Trojan mainly uses the net command to modify the Administrator's password, and then uses the information related to the Registry to notify the victim to contact the Trojan's author's QQ number.

However, this method was quickly intercepted and killed by security software, so the trojan author used the second method to set the login password by using the NetUserSetInfo api.

Breakpoint through the following function. It is broken twice. One is the name and the other is the password:

 

On msdn, we found:

1 NET_API_STATUS NetUserSetInfo (

2 LPCWSTR servername, // if it is Null, the local computer is used.

3 LPCWSTR username, // point to a string pointer. For example, 0016ACE0 points to the string "Administrator ".

4 DWORD level, // different level, indicating that the buf stores different data information

5 LPBYTE buf, // store data.

6 LPDWORD parm_err );

Level parameter description

Level

[In]

Specifies the information level of the data. This parameter can be one of the following values.

If the parameter in the level is 1011, Specifies The full name of the user. the buf parameter points to a USER_INFO_1011 structure.

1 typedefstruct _ USER_INFO_1011 {

2 LPWSTR usri1011_full_name;

3} USER_INFO_1011,

4 * PUSER_INFO_1011,

5 * LPUSER_INFO_1011;

Directly modify through the computer's "System Tools:

 

When The parameter in level is 1003, Specifies a user password. The buf parameter points to a USER_INFO_1003 structure.

 

1 typedefstruct _ USER_INFO_1003 {

2 LPWSTR usri1003_password;

3} USER_INFO_1003,

4 * PUSER_INFO_1003,

5 * LPUSER_INFO_1003;

The 00171820 fc24 points to such a structure, while the corresponds to the unicode: bu in the memory. It can be determined that the locked password is bu ".

After entering "bu", the computer is successfully logged in.

360 of Security Guard can fully intercept and kill the above Trojan Horse attack methods. Even if the hacker creates the latest Trojan variant, as long as it tamper with the system login password, 360, an alarm is issued, prompting the user to choose to stop:

Because some netizens did not use professional security software or took the risk of shutting down the security software to brush qcoins, 360 of engineers used reverse analysis to analyze Trojan samples for the victims of these Trojans, provide a trojan boot password query service (http://fuwu.360.cn/chaxun), if some netizens accidentally recruit, you can access this URL to try to unlock.