The hacker cannot hack rice-the author of the QQ account stealing trojan leaked his account and password information.

The hacker cannot hack rice-the author of the QQ account stealing trojan leaked his account and password information.

Recently, an interesting qq worm was found during the monitoring of qq Trojans. Unlike the previous qq sticks, the trojan will transmit the stolen private information in a special way.

After Trojans are spread through common methods such as qq groups, they are recruited and downloaded to the local computer for execution. After Trojans obtain user information, such as qq accounts, passwords, and local ip addresses, send the data out, capture the packet through wireshark, and observe the data. It is found that the data package is different from that of the previous qq worm data package. We can guess from the plaintext information that this is a mysql-related data packet.

After the first packet connection is established, the Server sends it to the local Server Greeting Pocket. The first three bytes are the package length, that is, 4a (decimal length 74 ), next is the package serial number of 1 byte, the first is 0, and the next is the MuSQL id, 5.5.27, in the current thread ending with 00. For more information, see MySQL Data Protocol package.

The second Packet is the verification package Login Packet for Trojan Login.

According to the login data packet protocol, username is the string "qq" starting from 37th bytes, and 40th bytes are the encrypted length of the password sha1 14 (corresponding to 10 to 20 ), then, from 41st to 61st, The sha1 value "d37e334c1401eda97033515ca72b6485404ffff6" after the password is encrypted. As the sha1 algorithm is used, it is difficult to find the login password here, in this case, we turn to the Trojan itself to find the login password.

The fourth data packet is the data packet for the client to perform operations, which can be intuitively seen in the text.

The trojan itself has an upx shell, which is analyzed by ida after shelling, so it is easy to find the login password.

The data obtained after hash of the password "c *** 14" with sha1 is inconsistent with that in the data packet. The password should also be verified during transmission.

However, the logon password is c *** 14, which should be correct.

Based on the login name and password, remotely log on to the database of the Trojan horse author,

The test table should be tested by the trojan author,

I guess the trojan author is doing this to save time. it is inconvenient to recruit a user machine to steal information and directly Insert the information into the database?

However, it is easy to figure out a trap for yourself, and your account and password are also leaked.

After leaving the Trojan server, the analysts cleared the relevant data and changed the Database Password to prevent further attacks.