For a long time we have assumed that a Trojan is always an executable file ending in .exe, and that we are safe as long as we do not run files with that suffix. But if Trojans were that easy to recognize, they would hardly deserve the name. In fact, many Trojans do not carry the EXE suffix. The well-known backdoor tool Bits, for example, is a DLL backdoor: the entire backdoor program consists of a single DLL file, yet its effects are alarming. So how do DLL backdoor Trojans work, and how do we remove a DLL backdoor? Read on.
★ Editor's note: The origin of the DLL backdoor Trojan
A DLL (dynamic link library) is a dynamically linked library file used by the system. A DLL file cannot run by itself; it has to be invoked by an application. When a program runs, Windows looks for the dynamic link library files named in the program file and loads those DLLs into memory. A DLL backdoor Trojan is really just the code that implements the Trojan's functions, plus some special code, written as a DLL file. We all know that a running program cannot be deleted until it is closed. A DLL backdoor is inserted into an application's memory as a module, so it cannot be deleted either. This is what makes the DLL backdoor Trojan clever.
A DLL backdoor Trojan usually consists of a single file, a dynamic link library. It uses an EXE as its carrier, or is started with Rundll32.exe, and inserts itself into a system process in order to hide. Its concealment technique is therefore a qualitative leap over that of ordinary Trojans, and the harm it can do is correspondingly greater.
How to operate a DLL backdoor Trojan
The harm of a DLL backdoor Trojan falls into two areas: 1. Concealment: because it can be "hosted" in the process of any application, including system processes, we can hardly detect its presence. 2. Difficulty of removal: as mentioned above, a DLL backdoor Trojan cannot be deleted while the process it has been inserted into is still running, so it is not easy to clear.
Let's look at how a DLL backdoor is used in practice. Bits is a well-known DLL backdoor Trojan with all the characteristics of its kind: it has no process of its own and opens no port, so it is very well concealed, which makes it a representative example.
Bits has only one DLL file, bits.dll. Click "Start" → "Run" and enter "Rundll32.exe Bits.dll,install <123456>" to install Bits on the system.
▲ Install Bits
Use of Bits
Assuming the computer running Bits has the IP address 192.168.0.1, a hacker can use the network tool NC and enter the command "NC 192.168.0.1 80" at the command prompt. After pressing Enter there is no echo; the next thing to type is "123456@dancewithdolphin[xell]:777", which gives Bits its command. This command binds a shell to local port 777, after which the hacker can connect to port 777 on the target host and execute arbitrary commands on the target computer. DLL backdoor Trojans generally require similar installation and use. This is more trouble than with an ordinary Trojan, but the power is considerable.
▲ Connect bits to open the back door
Cleaning up Bits is relatively simple. First run Registry Editor and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto\Parameters, change the ServiceDll value to "%SystemRoot%\System32\rasauto.dll", and then delete Bits.dll from the System32 folder under the system directory.
▲ Erase Bits
Prevention of DLL Backdoor Trojan
1. When the system misbehaves, we can inspect the DLL files loaded in each process to find a DLL backdoor Trojan hiding there. To view the DLL files in a process, you can use the process management feature of Windows Optimization Master: after you click a process, the DLL files it contains are listed. For a system process, the publisher of each DLL file should be "Microsoft"; otherwise the file is very likely a DLL backdoor Trojan. After finding the DLL backdoor Trojan, end the process and then delete the Trojan using its path.
2. Update anti-virus software promptly. Although a DLL backdoor Trojan differs from ordinary Trojans, it is still a Trojan and can still be detected and removed by antivirus software. Keeping the virus database up to date is a great help in preventing DLL backdoor Trojans.
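
The ServiceDll check from the Bits cleanup and the publisher check from item 1 can be combined and, going beyond the single RasAuto case, run over every service on the machine. The PowerShell below is an added example, not part of the original article. It assumes an elevated 64-bit PowerShell 5.1 or later on Windows 10 or later, where Get-AuthenticodeSignature also validates catalog-signed system files; the Suspicious column is a name chosen for this example.

```powershell
# Added example: audit the ServiceDll value of every service and check who signed the DLL.
# Assumption: elevated 64-bit PowerShell 5.1+ on Windows 10+ (catalog signatures are checked).
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$noExpand    = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

$report = foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    # ServiceDll lives under <service>\Parameters; services without one are skipped.
    $params = $null
    try { $params = $svc.OpenSubKey('Parameters') } catch { continue }
    if ($null -eq $params) { continue }

    # Read the value as stored, so a path such as %SystemRoot%\System32\rasauto.dll stays visible.
    $raw = $params.GetValue('ServiceDll', $null, $noExpand)
    $params.Close()
    if ([string]::IsNullOrWhiteSpace($raw)) { continue }

    $path   = [Environment]::ExpandEnvironmentVariables($raw)
    $status = 'FileMissing'
    $signer = $null
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $status = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    [pscustomobject]@{
        Service    = $svc.PSChildName
        ServiceDll = $raw
        Status     = $status
        Signer     = $signer
        # Review list, not a verdict: legitimate third-party services also land here.
        Suspicious = ($status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
    }
}

# Show only entries whose DLL is missing, unsigned, tampered with, or not signed by Microsoft.
$report | Where-Object Suspicious | Sort-Object Service | Format-Table -AutoSize -Wrap
```

A built-in Windows service such as RasAuto appearing in this list, or pointing at a DLL other than its default, is the condition the cleanup step above reverses.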