As users' security awareness has improved, survival has become more and more of a problem for Trojans. Trojan authors are of course unwilling to have their Trojans found so easily, so they have come up with many ways to disguise their behavior; bundling the Trojan with WinRAR is one of them. So how can we recognize a Trojan hidden in such a bundle? That is the question this article answers.
An attacker can put a Trojan and some other file, such as a Flash animation, in the same folder, add both to an archive, and build that archive as an EXE-format self-extracting file. When you double-click the self-extracting file, the Flash animation is launched and, at the same time, the Trojan file quietly runs. This achieves the Trojan author's goal: the Trojan server program is running. From the attacker's point of view the effect is very good, because the other side finds it hard to notice; there are no obvious signs, so this way of running a Trojan is currently very common. To expose this camouflage we need to understand how it is made, to know the other side. Let us look at an example.
Let us use an example to learn about this bundling method. The goal is to bundle a Flash animation (1.swf) and a Trojan server file (1.exe) into a self-extracting file, so that when the file is run, the Trojan is started while the Flash animation is being displayed. Put the two files in the same directory, hold down the CTRL key while selecting 1.swf and 1.exe with the mouse, click the right mouse button and choose "Add to archive..." from the pop-up menu (Figure 1). A dialog box titled "Archive name and parameters" appears. In the "Archive name" field enter any file name, for example stage comedy.exe (anything that will tempt others to click). Note that the file name extension must be .exe (that is, "Create SFX archive" is checked); by default it is .rar and must be changed, otherwise the next step cannot be done (Figure 2).
(Figure 1)
(Figure 2)
Next click the "Advanced" tab and then the "SFX options..." button (Figure 3). The "Advanced SFX options" dialog box appears. In its "Path to extract" field enter C:\Windows\temp (Figure 4); in fact the extraction path can be anything, and it does not matter if the folder you set does not exist, because the directory is created automatically when the file self-extracts. In "Run after extraction" enter 1.exe, the name of the Trojan file the attacker intends to run in stealth.
(Figure 3)
(Figure 4)
Next click the "Modes" tab and select "Hide all" and "Overwrite all files" (Figure 5); this keeps the process both quiet and hard to discover. If you wish, you can also change the window title and icon of the self-extracting file: click "Text and icon" (Figure 6) and enter what you want to display in "Title of SFX window" and "Text to display in SFX window", which makes the file even more deceptive and easier to fall for. Finally click the "OK" button to return to the "Archive name and parameters" dialog box.
(Figure 5)
(Figure 6)
Now click the "Comment" tab and you will see the content shown in Figure 7. This is what WinRAR added automatically according to your previous settings; it is in fact the SFX script. In it, Path=C:\Windows\temp is the self-extraction path, Setup=1.exe means that 1.exe, the Trojan server file, is run after extraction, Silent and Overwrite stand for hiding and overwriting files, and assigning 1 to them means "Hide all" and "Overwrite all files". As a rule, in order to hide the Trojan, attackers modify this SFX script, for example changing it to the following:
(Figure 7)
Program code
Path=c:\windows\temp
Setup=1.exe
Setup=explorer.exe 1.swf
Silent=1
Overwrite=1
Look carefully: the only change is the added line Setup=explorer.exe 1.swf. Clicking the "OK" button then generates a self-extracting file named stage comedy.exe. Now, whenever someone double-clicks that file, it opens the animation file 1.swf, and while the person enjoys the beautiful Flash animation, the Trojan program 1.exe is already quietly running! Even more frightening, WinRAR can also replace the default icon of the self-extracting file; if it is replaced with the icon of a program everyone is familiar with, is that not more dangerous still?
The self-extracting files produced by WinRAR can be used not only to load a hidden Trojan server program but also to modify the other party's registry. For example, an attacker could write a file named Change.reg, then use the method of the example above to build it into a self-extracting file saved as Del.exe. Note that during the process the following is written in the comment:
Program code
Path=c:\windows
SETUP=REGEDIT/S Change.reg
Silent=1
Overwrite=1
When you press the "OK" button, a WinRAR self-extracting program named Del.exe is created. Double-clicking it imports Change.reg into the registry without any prompt (that is what the "/s" parameter of regedit does), modifying registry values, and also copies Change.reg into the C:\Windows folder. At this point your registry has been modified! Not only that, the attacker can also bundle the self-extracting file Del.exe together with a Trojan server program, a hard disk bomb and the like into another self-extracting file, so the threat to everyone becomes greater still, because it can destroy not only the registry but also the data on the hard disk. Is that not very scary to think about?
It is not hard to see from the example above that WinRAR's self-extracting function is so powerful that it lets people who cannot program at all produce very malicious programs in a short time. And for self-extracting files containing a Trojan or malicious program, many popular anti-virus and Trojan-killing tools at present cannot find any problem! If you do not believe it, try the experiment and you will see the result.
So how do we identify a Trojan bundled with WinRAR? If you can find that several files, especially several executable files, are hidden inside the self-extracting file, you can conclude that there is a Trojan! So how do you find out how many files a self-extracting file contains? A simple way is to right-click the WinRAR self-extracting file, choose "Properties" from the pop-up menu, and in the Properties dialog box you will find two tabs more than a normal EXE file has: "Archive" and "Comment" (Figure 8). Click the "Comment" tab and read the comment, and you will see which files are in it. This is the best way to identify a Trojan file bundled with WinRAR.
(Figure 8)
Finally, a precaution for everyone: do not run a self-extracting program directly; instead choose "Open with WinRAR" from the right-click menu, and you will see what the file really contains.
Topic 2: Using WinRAR to analyze how Trojans are bundled
Today a friend suddenly called me for help, saying that his account in the online game "The World of Legend" had been stolen. Because my friend goes online at home, the possibility that his account and password were glanced at by someone in a public place could be ruled out. According to my friend, within the hour before the theft he had downloaded a photo of a net-friend and opened it to view it; it did look like a photo of that person, and it opened with "Windows Picture and Fax Viewer" (my friend's home machine runs XP), so it certainly seemed to be a picture file. My friend also told me that the extension was .gif, apparently a picture file; his computer had no anti-virus software installed; and, most importantly, the file had not been deleted.
I then had my friend send me that file over QQ. When QQ displayed the file name during the transfer, I found that it was not a GIF file but an EXE file: the file name was "my photo.gif.exe", and its icon was also the picture file icon (Figure 1). I figured that my friend's computer had "Hide extensions for known file types" enabled (it is set in "My Computer", Tools → Folder Options → View → Advanced settings; see Figure 2), which is why he told me the extension was .gif. I happened to right-click the file and found that it could be opened with "Open with WinRAR", so I opened it with WinRAR and found that it contained two files: "my photo.gif" and Server.exe. It was safe to say that this Server.exe was a Trojan, the culprit that stole my friend's game account.
(Figure 1)
(Figure 2)
Because it could be opened directly with WinRAR, I concluded that it was made with WinRAR, and I then set about working out how it was made. First, one needs the ICO (icon) file of a picture file (it can be extracted with other software; I will not describe the detailed process here), as in Figure 3. Select the picture file and the Trojan, right-click and choose "Add to archive..." (the WinRAR option), see Figure 4. In "Archive name" enter the archive's file name, for example "my photo.gif.exe"; if the suffix is .exe it can be executed directly, if it is .rar it will open in WinRAR, so the final suffix here is .exe. Choose the "Compression method" according to your needs, then click the "Advanced" tab and "SFX options...", see Figure 5. In "Path to extract" fill in the path to extract to; here I used "%SystemRoot%\Temp" (without quotes), meaning the Temp (temporary files) folder under the system installation directory. In "Run after extraction" enter Server.exe (without quotes), and in "Run before extraction" enter "my photo.gif" (without quotes).
(Figure 3)
(Figure 4)
(Figure 5)
This opens "my photo.gif" before decompression, giving my friend the illusion that the file is a picture, and after extraction it automatically runs the Trojan (that is, Server.exe). On the "Modes" tab, under silent mode select "Hide all", under overwrite mode select "Overwrite all files"; on the "Text and icon" tab, under "Load SFX icon from the file" load the ICO file of the picture prepared earlier, and click OK. That completes a seamless picture-bundled Trojan. When this file is opened, the picture file is shown first and then the Trojan file runs automatically, with no prompt appearing in between.
Note: I hope the majority of friends will not put this to illegal use; the Trojan bundle is dissected here in the hope that everyone understands its principle.
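The two tell-tale signs in this story are the double extension ("my photo.gif.exe" shows as "my photo.gif" when known extensions are hidden) and the fact that the file opened in WinRAR, which means a RAR archive is appended to the EXE stub. The following added example, written for this article and not code from the original text, checks both from a defender's side: it reports the name Explorer would display, flags the double extension, and searches a file's bytes for the RAR archive marker that every WinRAR SFX carries behind its MZ/PE stub. The extension lists and the sample bytes are constructed for illustration; the sample is not a real SFX.

```python
"""Heuristics for a picture-disguised WinRAR SFX (added example; samples constructed)."""
import os

# RAR archive markers ("Rar!" followed by 1A 07 and a version byte).
RAR4_SIG = b"Rar!\x1a\x07\x00"       # RAR 1.5 - 4.x archives
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"   # RAR 5.0 archives

# Assumption: defender-chosen lists, not something Windows or WinRAR defines.
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".msi"}
DOCUMENT_EXT = {".gif", ".jpg", ".jpeg", ".bmp", ".png", ".swf", ".txt", ".htm", ".html", ".doc"}

# Constructed sample contents: an SFX-like stub with a RAR marker appended,
# a plain EXE without one, and a real GIF header.
SAMPLE_SFX = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200 + RAR4_SIG + b"\x00" * 16
SAMPLE_EXE = b"MZ" + b"\x00" * 300
SAMPLE_GIF = b"GIF89a" + b"\x00" * 10


def displayed_name(filename, hide_known_ext=True):
    """Name Explorer shows with "Hide extensions for known file types" on:
    the last known extension is dropped, so 'my photo.gif.exe' becomes 'my photo.gif'."""
    if not hide_known_ext:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in EXECUTABLE_EXT | DOCUMENT_EXT else filename


def is_disguised_name(filename):
    """True when the real extension is executable but the part left visible
    after hiding it ends in a picture/document extension."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXT:
        return False
    inner_ext = os.path.splitext(stem)[1].lower()
    return inner_ext in DOCUMENT_EXT


def find_rar_payload(data):
    """Offset of an embedded RAR marker inside an MZ executable, or -1.
    An SFX is the WinRAR stub followed by the archive, so the marker sits
    somewhere after the MZ header; non-executables are not searched."""
    if not data.startswith(b"MZ"):
        return -1
    for sig in (RAR5_SIG, RAR4_SIG):
        off = data.find(sig, 2)
        if off != -1:
            return off
    return -1


def assess_file(filename, data):
    """Collect human-readable findings for one file name and its bytes."""
    findings = []
    if is_disguised_name(filename):
        findings.append("double extension: shown as %r when extensions are hidden"
                        % displayed_name(filename))
    off = find_rar_payload(data)
    if off != -1:
        findings.append("RAR archive embedded at offset %d: WinRAR self-extracting file" % off)
    return findings


if __name__ == "__main__":
    for name, blob in (("my photo.gif.exe", SAMPLE_SFX), ("tool.exe", SAMPLE_EXE), ("photo.gif", SAMPLE_GIF)):
        print(name, "->", assess_file(name, blob) or ["no findings"])
```

To run this over a real download, read the file in binary mode and pass its name and bytes to assess_file; an embedded RAR marker in something named like a picture is exactly the case the author met, and "Open with WinRAR" then shows what the archive holds.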
Topic 3: Using WinRAR to analyze how Trojans are bundled (addendum)
Friends who have read "Using WinRAR to analyze how Trojans are bundled" may have a question: sometimes you encounter a WinRAR self-extracting file that runs several files at the same time after extraction (that article only introduced extracting and running a single file). For example, some Trojans run the client and also run several destructive programs, which makes cleanup more troublesome.
It is also simple to run several files at the same time after self-extraction. First build the archive as in "Using WinRAR to analyze how Trojans are bundled", then in the "Archive name and parameters" dialog box select "Comment" and enter:
Program code
Setup=a.exe
Setup=b.exe
Setup=c.exe
(without quotes; see the figure). Here "a.exe", "b.exe" and "c.exe" are the programs run at the same time after self-extraction, but they must be inside the self-extracting archive. Of course, they need not be programs; any file will do (for example image files .jpg, .gif, .bmp, animation files .swf, text files .txt, web page files .htm, .html, .shtml, and so on). Nor is there a limit on how many files run at the same time: add as many "Setup=" lines as there are files you want to run. Click "OK" to build the self-extracting file.
So you can actually merge several files (shortcuts too!) into one self-extracting file, and running that single self-extracting file runs several files at once. "Lazy people" may like to try it, and it also makes a decent prank.
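The article's own identification method is to read the SFX comment: a Path= line, one or more Setup= lines, and Silent=/Overwrite= flags. The following added example (written for this page, not code from the article) parses such a comment script and reports the indicators discussed in the first part (a program run after extraction, a decoy opened alongside it, Silent=1, Overwrite=1, a silent regedit /s import) and in Topic 3 (several Setup= lines). The four sample scripts are constructed to mirror the comment blocks shown on this page; the extension lists and the risk levels are a defender's choice, not anything WinRAR defines.

```python
"""Analyze a WinRAR SFX comment script for bundling indicators (added example)."""
import re

# Assumption: defender-chosen extension lists.
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".msi"}
DECOY_EXT = {".swf", ".gif", ".jpg", ".jpeg", ".bmp", ".png", ".txt", ".htm", ".html", ".shtml"}

# Constructed samples mirroring the article's comment blocks.
SCRIPT_BUNDLE = "Path=c:\\windows\\temp\nSetup=1.exe\nSetup=explorer.exe 1.swf\nSilent=1\nOverwrite=1\n"
SCRIPT_REG = "Path=c:\\windows\nSETUP=REGEDIT /S Change.reg\nSilent=1\nOverwrite=1\n"
SCRIPT_MULTI = "Setup=a.exe\nSetup=b.exe\nSetup=c.exe\n"
SCRIPT_PLAIN = "Title=Document pack\nPath=C:\\Docs\n"

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_sfx_script(text):
    """Return (key, value) pairs in order; keys are lower-cased and duplicates
    are kept, because WinRAR accepts several Setup= lines."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((key.strip().lower(), value.strip()))
    return pairs


def split_command(command):
    """Split a Setup= command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(command)]


def _ext(token):
    token = token.strip('"').lower()
    dot = token.rfind(".")
    return token[dot:] if dot >= 0 else ""


def analyze_sfx_script(text):
    """Summarise what the script does and rate it low / medium / high."""
    pairs = parse_sfx_script(text)
    path = next((v for k, v in pairs if k == "path"), "")
    silent = any(k == "silent" and v != "0" for k, v in pairs)
    overwrite = any(k == "overwrite" and v != "0" for k, v in pairs)
    setups = [v for k, v in pairs if k in ("setup", "presetup")]
    indicators, runs_program, opens_decoy = [], False, False
    for cmd in setups:
        tokens = split_command(cmd)
        if not tokens:
            continue
        prog, args = tokens[0], tokens[1:]
        if any(_ext(t) in DECOY_EXT for t in tokens):
            opens_decoy = True
            indicators.append("opens decoy file: " + cmd)
        elif _ext(prog) in EXECUTABLE_EXT or _ext(prog) == "":
            # A bare name such as REGEDIT is still a program invocation.
            runs_program = True
            indicators.append("runs program after extraction: " + cmd)
        if prog.strip('"').lower() in ("regedit", "regedit.exe") and \
                any(a.lower() in ("/s", "-s") for a in args):
            indicators.append("silent registry import: " + cmd)
    if len(setups) > 1:
        indicators.append("%d Setup/Presetup commands" % len(setups))
    if silent:
        indicators.append("Silent=1 hides the extraction window")
    if overwrite:
        indicators.append("Overwrite=1 replaces existing files without asking")
    if runs_program and opens_decoy:
        indicators.append("decoy document opened alongside a program")
    risk = "low"
    if runs_program:
        risk = "high" if (silent or len(setups) > 1) else "medium"
    return {"path": path, "setup": setups, "silent": silent,
            "overwrite": overwrite, "indicators": indicators, "risk": risk}


if __name__ == "__main__":
    for label, script in (("bundle", SCRIPT_BUNDLE), ("registry", SCRIPT_REG),
                          ("multi", SCRIPT_MULTI), ("plain", SCRIPT_PLAIN)):
        result = analyze_sfx_script(script)
        print(label, result["risk"], result["indicators"])
```

The text fed to analyze_sfx_script is what the "Comment" tab of the file's Properties dialog shows; Presetup= is treated like Setup= because it also launches something. A script with no Setup= line at all rates low, a single visible program run rates medium, and a program run combined with Silent=1 or several Setup= lines rates high, which matches the three patterns the article walks through.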