This Trojan is amazing! Prevention and removal of Gray Pigeon

Source: Internet
Author: User

By chance I got hold of Gray Pigeon 2.02 VIP edition. After trying it for a good while, I even ended up controlling more than 20 bots. I was excited, and could only sigh sincerely: this Trojan is really powerful!

1. Highlights

⒈ Strong anti-virus evasion

Mainstream anti-virus software cannot detect or remove Gray Pigeon. I am running the latest version of a well-known Chinese anti-virus product, and it raises no alert for either the Gray Pigeon server program or the client program. Using Gray Pigeon's screen-capture function, I found that the great majority of the 20-plus controlled bots were running anti-virus software, covering basically all the mainstream Chinese and international products. I sent a text message to one controlled zombie, which frightened him into scanning his computer with anti-virus software and various Trojan-removal tools; unfortunately, as of now I can still control him with Gray Pigeon.

Working principle of a port-bounce Trojan: at the transport layer it is the reverse of a traditional Trojan. The controlled end (the server) still executes the client's commands, but it does not listen on a port and wait for the client to connect; instead, the client listens on a port and the server initiates the connection to it.

⒉ Port bounce through the firewall: the Skynet firewall is effectively useless

I have the latest version of Skynet firewall installed on my computer. While playing with Gray Pigeon I accidentally ran the Gray Pigeon server program on my own machine, yet Skynet firewall raised no alarm at all.

Skynet firewall does not strictly control network access by local applications, and it raises no alarm for connections made by trusted applications. Gray Pigeon is a port-bounce Trojan: unlike a traditional Trojan, it does not listen on a port and wait for the client to connect; instead it actively connects out to the client under the identity of Internet Explorer. Internet Explorer is a trusted program by default in Skynet firewall, so Gray Pigeon "penetrates" it easily. Since it accesses the network as Internet Explorer, and no firewall stops IE from browsing web pages, in theory Gray Pigeon can "penetrate" any firewall that trusts by application name rather than looking at where and how often the application connects; the 20-plus controlled bots confirm this in practice.

⒊ Reverse connection: the controlled computer "comes online automatically"

Gray Pigeon is a reverse-connection Trojan, meaning the controlled computer actively connects to the controlling computer. With traditional Trojans such as Glacier and BO 2000, the client must be told the IP address and port of the controlled computer before it can connect to it. Gray Pigeon is different: once the Gray Pigeon client is started, the controlled computers try to connect to it on their own. Gray Pigeon also has a voice prompt: when a controlled computer connects to the client, a standard female voice announces "A host is online, please note!" On hearing this, I watched the controlled computers appear one after another in the "automatically online hosts" list (Figure 1) and thought: how frightening!

⒋ Client-generated, customizable server program

The Gray Pigeon server installer is generated automatically by the client according to custom settings. Options include whether to delete the installer after the server has been installed successfully, whether to hide the process from Task Manager, and whether to add a startup key to the registry.

In addition, on Windows 2000/XP you can choose to install it as an automatically started service, whose service name (and display name) can be changed; you can also pick the installer's icon. (The customizable server is an important feature of Gray Pigeon and is discussed further below.)

Figure 2 Danger hidden behind temptation

As shown in Figure 2, this is a custom-built Gray Pigeon server installer. On the surface it is an e-book, "E-book Time and Space", but if you double-click it you end up in the author's "automatically online" list. I shared this e-book through a P2P program, and in less than an afternoon the number of hosts that "came online automatically" reached 25.

⒌ Stealth that puts other backdoors to shame

Compared with its predecessors Glacier and Black Hole, Gray Pigeon is a synthesis of Chinese Trojans: it has the control functions found in most Trojans:

1) A file manager that can copy, paste, delete, rename and remotely run files on the controlled computer, and upload or download files and folders, all very easy to use;

2) Viewing of the controlled computer's system information and clipboard contents; remote control of its processes and services; remote disabling of its shares and creation of new shares; and the ability to turn the controlled computer into a proxy server;

3) Not only capture of the remote screen, but also forwarding of local mouse and keyboard input to the controlled computer for real-time remote control;

4) Monitoring of cameras on the controlled computer, plus voice listening and sending functions that allow voice conversations with it;

5) A simulated Registry Editor, making the remote registry as convenient to operate as the local one;

6) Command broadcasting, such as shutdown, restart or opening a web page: with one click, many machines can be shut down, restarted or made to open a page at the same time.

Beyond these functions, Gray Pigeon's stealth and self-protection are unmatched by other Trojans. Its files are hidden and its process is hidden; no trace of it can be found in Task Manager.

My friends, after reading the above, do you feel as uneasy as I do? Although anti-virus software and firewalls can do nothing about it, we still have to use the computer, stay connected to the network and download files. Don't be afraid: let's find it and eradicate it.

2. Discovering Gray Pigeon

As things stand, essentially no anti-virus software can immediately detect and remove Gray Pigeon. Its files and process are hidden; the only visible trace is its entry in the Windows "Services" window, but the service name and display name can be customized by the attacker. Figure 3 shows the service that the author accidentally installed on his own computer: the file name (which the attacker can also customize), the service name and the service description are all designed to look legitimate and confuse. Ordinary users who are not familiar with Windows services will not dare to disable or delete such a service, so Gray Pigeon's presence cannot be established by ordinary means.

Figure 3 The custom Gray Pigeon service

So how can we find Gray Pigeon? Here is my experience:

In the author's experience, the Skynet firewall is an effective way to find it. Although Skynet firewall cannot block the communication between Gray Pigeon and the outside, it can display every connection between the local machine and the outside. The IE browser talks to port 80 on web servers, and only while you are opening a web page does it connect to many servers to fetch the page's resources.

The Gray Pigeon server behaves differently. Whether or not you are browsing, as long as the attacker has started the client and it is listening on a port (the port is also customizable; the default is 8000), it keeps actively connecting to that port under the name of the IE browser (if the client is not started, it retries the connection at intervals). Therefore, if you are not using IE to browse the web, yet your "IE browser" has been connected to the same port on the same host for a long time (Figure 4), you can preliminarily conclude that it is not Internet Explorer that is making these connections.

Figure 4 Viewing network connections with Skynet

Gray Pigeon loads itself at boot through an automatically started service. This service differs from other auto-start services: their status is normally "Started", whereas its status shows as "Stopped". If you have already preliminarily determined that you may be infected, and such a service exists on your computer, you can be sure that the service was registered by Gray Pigeon.

Tip: the vast majority of service entries in Windows are provided by Windows itself and are digitally signed by Microsoft. Many of today's Trojans load through an auto-start service, but most such entries are not signed by Microsoft. The recommended tool here is Autoruns, which can verify which startup entries and services in the system carry a valid Microsoft signature. As shown in Figure 5, the foreign service installed in your system stands out immediately.

Figure 5 Gray Pigeon startup entry
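As an added example (not from the original article), the two checks described above as a small Python script run over constructed sample data: IE-named sockets parked on a non-web port of one host while nobody is browsing, and auto-start services that show "stopped" and lack a Microsoft signature. All connection and service records below are constructed; the look-alike service name is a placeholder, not a real indicator.

```python
from dataclasses import dataclass

@dataclass
class Conn:
    process: str      # image name owning the socket, e.g. "iexplore.exe"
    remote_ip: str
    remote_port: int
    age_s: int        # seconds this connection (or its retry loop) has persisted
    browsing: bool    # True if the user actually has a browser window open

@dataclass
class Svc:
    name: str
    start_type: str   # "auto", "manual" or "disabled"
    status: str       # "running" or "stopped"
    ms_signed: bool   # binary carries a valid Microsoft signature (Autoruns check)

WEB_PORTS = {80, 443}

def suspicious_conns(conns, min_age_s=300):
    """IE-named sockets parked on a non-web port of one host while nobody is
    browsing: the pattern the article describes for the Gray Pigeon server."""
    return [(c.remote_ip, c.remote_port) for c in conns
            if c.process.lower() == "iexplore.exe"
            and c.remote_port not in WEB_PORTS
            and not c.browsing and c.age_s >= min_age_s]

def suspicious_services(svcs):
    """Auto-start services that show 'stopped' and are not Microsoft-signed."""
    return [s.name for s in svcs
            if s.start_type == "auto" and s.status == "stopped" and not s.ms_signed]

# Constructed sample data (not captured from a real machine): one fake IE socket
# parked on port 8000 (the default client port named above), one genuine page
# load on port 80, and an unrelated mail client connection.
SAMPLE_CONNS = [
    Conn("iexplore.exe", "198.51.100.7", 8000, 3600, False),
    Conn("iexplore.exe", "203.0.113.10", 80, 12, True),
    Conn("outlook.exe", "203.0.113.25", 110, 4000, False),
]
# Constructed service list; the look-alike name is a placeholder, not a real IoC.
SAMPLE_SVCS = [
    Svc("Spooler", "auto", "running", True),
    Svc("Windows Update Srvices", "auto", "stopped", False),
    Svc("Messenger", "manual", "stopped", True),
]

if __name__ == "__main__":
    print("suspicious connections:", suspicious_conns(SAMPLE_CONNS))
    print("suspicious services:", suspicious_services(SAMPLE_SVCS))
```

On a live machine the records would come from the firewall's connection list (or netstat with process IDs) and from the Services snap-in plus Autoruns' signature check.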

3. Removing Gray Pigeon

Once you have confirmed that a Gray Pigeon has been implanted on your computer, you can remove it. Open the Windows "Services" window and double-click the Gray Pigeon service to open its Properties dialog. The "Path to executable" box shows the file name and path of the Trojan; write them down. Then set "Startup type" to "Disabled", click "OK", and restart the computer.

After the restart, Gray Pigeon can no longer load automatically, and you can delete the Gray Pigeon file using the file name and path you wrote down. Note that the Gray Pigeon installer is itself the server program: during installation it copies itself to a predefined directory and, depending on the custom settings, sometimes deletes the installer afterwards to keep the "zombie" unaware. The copied file has the "hidden" attribute, so you may not be able to see it when you go to delete it. In Explorer, choose Tools > Folder Options to open the Folder Options dialog, clear the "Hide protected operating system files" check box (Figure 6), and click OK; the Gray Pigeon file is now visible.

Figure 6 Clear this option to view hidden files

After deleting the Gray Pigeon file there is one last task: completely remove the Gray Pigeon service entry from the Windows "Services" list.
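The removal steps above, automated from the command line as an added example (not the article's own procedure): it parses `sc qc` output for the service's binary path, then lists the sc/attrib/del commands in the article's order, split at the required reboot. The service name and path are placeholders; the `sc qc` text is constructed, and run_phase must be used from an administrator prompt on the affected machine.

```python
import re
import subprocess

# Matches the "KEY : value" lines printed by `sc qc <service>`; the lazy group
# keeps the drive-letter colon inside BINARY_PATH_NAME intact.
SC_LINE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")

def parse_sc_qc(text):
    """Return the key/value pairs from `sc qc` output as a dict."""
    info = {}
    for line in text.splitlines():
        m = SC_LINE.match(line)
        if m:
            info[m.group(1)] = m.group(2)
    return info

def removal_plan(service, info):
    """The article's steps as commands, split at the mandatory reboot:
    disable the service; reboot; unhide and delete the binary; delete the service."""
    path = info["BINARY_PATH_NAME"].strip('"')
    return {
        "before_reboot": [["sc", "config", service, "start=", "disabled"]],  # sc wants "start=" then a space
        "after_reboot": [
            ["attrib", "-s", "-h", "-r", path],   # clear system/hidden/read-only attributes
            ["cmd", "/c", "del", "/f", path],
            ["sc", "delete", service],            # remove the service entry itself
        ],
    }

def run_phase(commands):
    """Execute one phase on the affected machine; stop at the first failing command."""
    for cmd in commands:
        subprocess.run(cmd, check=True)

# Constructed `sc qc` output; service name and path are placeholders.
SAMPLE_SC_QC = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: PLACEHOLDER_SERVICE
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\WINDOWS\\PLACEHOLDER.exe
        DISPLAY_NAME       : Windows Update Srvices
"""

if __name__ == "__main__":
    info = parse_sc_qc(SAMPLE_SC_QC)
    plan = removal_plan(info["SERVICE_NAME"], info)
    print(plan)  # real use: run_phase(plan["before_reboot"]), reboot, run_phase(plan["after_reboot"])
```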
