

Detailed analysis of the DCM Trojan

Posted by bassolino at 2020-03-28

1. Background

Plug in a network cable or connect to WiFi, do nothing else, and within a short time the computer is infected with a Trojan. Is that possible? Tencent's anti-virus laboratory recently intercepted a new variant of the "Dark Ghost" Trojan, which is powerful and behaves unusually; this paper analyses it in detail. Its main characteristics are:

1) The Trojan is feature-rich and built mainly for information and intelligence collection: it monitors and eavesdrops on a large number of chat programs, collects network access records, monitors Gmail, captures the screen, and monitors the microphone and camera.

2) The Trojan is highly evasive. It bypasses the active defence of almost all security software, with a focus on domestic (Chinese) products, and can call the security software's own interfaces to add itself to the whitelist; its author has clearly invested a lot of effort in reverse-engineering security software.

3) The Trojan spreads in an unusual way, mainly through network hijacking. It hijacks the automatic update mechanism of mainstream software: when that software downloads an update, the download is replaced on the network by the Trojan, so the user is infected without noticing anything.

4) The Trojan communicates in an unusual way. It encapsulates its data in DNS protocol packets with a fixed packet header and sends them to large, well-known websites, which lets the transmission bypass almost all firewalls. For the attacker to obtain the data, however, they must sniff and intercept it somewhere on the path those packets take. Combined with the infection method, this implies that the victim's network link has been hijacked.

5) The attack is small in scope, highly targeted, and has lasted for several years, which matches the characteristics of an APT attack.

2. Overview of Trojan behavior

2.1 Sources and transmission channels

After analysing a large number of infected users, we found that the Trojan originates from unsafe networks: with no system vulnerability involved, a machine connected to these networks becomes infected after some time. Further analysis showed that the Trojan mainly spreads by hijacking, on the network, the automatic update downloads of a large number of software products. When software installed on the computer updates itself, the update package is replaced by the Trojan and the computer is compromised. The propagation path is shown in Figure 1.

Figure 1. Schematic diagram of main propagation channels of Trojans

2.2 Trojan installation process

After the Trojan runs, it checks which security software is installed on the machine, detecting up to 43 security-related products. Depending on which security software is found, it uses a different installation method to evade detection and interception; three distinct installation methods were found. In every case the final step is to drop the core DLL into the same directory as explorer.exe and have Explorer load it by DLL hijacking. In Figure 2 the three colours represent the three installation methods. In our tests the Trojan bypassed the defences and interception of most current security software and installed successfully.

Figure 2. Installation process of Trojan horse

2.3 Function decomposition of the Trojan

The Trojan's main functions are to steal all kinds of information from the computer, to monitor and eavesdrop on the voice and text chat of commonly used chat software through plug-ins, to accept commands for simple remote control, and to automatically package and send the collected information files. Figure 3 lists the Trojan's functions.

Figure 3. Trojan function list

2.4 Trojan network communication

The Trojan's network communication matches its propagation method. It packs the collected information into files, encrypts them, encapsulates them in DNS request packets, and sends these packets to the servers of several well-known Chinese websites. This bypasses almost all firewalls and intrusion detection products. But how does the attacker obtain these packets and the stolen data? Analysis shows that every DNS packet it builds carries the same fixed packet header, so we infer that the attacker intercepts the packets somewhere on their path, picks them out by that header, and forwards them to the attacker's server. Figure 4 shows the inferred delivery path.

Figure 4. Inferred Trojan network communication path

3. Detailed analysis of the Trojan

3.1 Installation and dropped files

3.1.1 Parent structure

The Trojan's parent program is an EXE that is downloaded and executed through the hijacked update channel of legitimate software. It contains five resources, each a PE file under simple encryption: resource 141 is the x86 core DLL, 142 the LSP hijacking DLL, 146 the x64 core DLL, 150 the "black" core DLL used in the "white plus black" pairing, and 151 the "white" file of that pairing (a legitimately signed executable that side-loads the malicious DLL). Each is analysed in detail below.

Figure 5. Parent resource information

3.1.2 Adapts to multiple systems, with different behaviour on each

The Trojan determines the operating-system version and stores it in a global variable; many of its later operations branch on that variable.

Figure 6. Determine the operating system version and set the flag

3.1.3 Privilege escalation through a system vulnerability

The Trojan checks whether the system is Vista, Windows 7 or similar, and if so whether the current process already has administrator rights. If not, it tries to elevate itself to administrator through CVE-2011-1249. This vulnerability affects XP, Vista, Windows 7 and other versions.

3.1.4 DLL hijacking of Explorer

Installed security software is detected through the registry. When no security software is found, the Trojan drops the hijacking DLL appropriate to the operating system into the %windir% directory so that Explorer loads it: nthrui.dll on XP and similar systems, msls32.dll on Windows 7, and aduioses.dll on Windows 8 and later. It then starts a new Explorer process, which loads the core DLL. This is the first installation method.

Figure 8. The Trojan drops a DLL into Explorer's directory to start the hijack

3.2 Evading security software

3.2.1 Temporary storage of the core files

If Trend Micro or other international security software is detected but no mainstream domestic security software is, the Trojan drops the core DLL into a subdirectory of %CommonProgramFiles% for temporary storage.

Figure 9. Temporary storage of core DLL

3.2.2 Dropping the DLL and installing the LSP

At the same time it drops the LSP hijacking DLL and registers it as a Winsock Layered Service Provider (LSP). Through the LSP, the DLL is loaded into every process that uses the network. During this injection the DLL files are moved so as to bypass the security software. This is the second installation method.

Figure 10. Releasing LSP hijack DLL

Figure 11. Installing LSP

3.2.3 Dropping the "white plus black" pair to evade antivirus

When mainstream domestic security software is present, the Trojan uses the "white plus black" technique (a legitimately signed executable that side-loads the malicious DLL) to get past the interception of LSP installation.

Figure 12. The Trojan drops the two files, white and black, in preparation for bypassing active defence

3.2.4 Installing the LSP through white plus black

Using the white-plus-black pair together with a series of elaborate tricks, the Trojan bypasses active defence to install the LSP. In testing, the active defence of most security software was bypassed.

Figure 13. Bypassing active defence to install the LSP by means of white plus black

3.2.5 DLL hijacking of Explorer while bypassing antivirus

Once the LSP is installed, the LSP hijack loads the related DLL into every networked process: svchost, browsers, chat software, security software and so on. When the DLL is loaded it first checks the current process; if the conditions are met it moves the previously staged core DLL into the %windir% directory for the hijack (the move takes effect after a restart). This is the third installation method.

Figure 14. Moving the core DLL into the %windir% directory for hijacking

3.2.6 Loading the core DLL

The Trojan then checks whether it is running inside IE, svchost, antivirus or other processes, behaves differently in each, and tries to load the core DLL directly (otherwise the hijack has to wait for a system restart before the core DLL is loaded).

Figure 15. Determine whether to load the core DLL immediately based on the current process name

3.2.7 Adding itself to the antivirus whitelist so its malicious operations are not blocked

The Trojan checks whether it is running inside any of several security software processes. If so, it calls that security software's own interface to add every Trojan file path to the whitelist. In testing, the whitelist additions succeeded on the security software involved.

Figure 16. Code that adds the Trojan to one security product's whitelist

3.2.8 The LSP blocks the security software's network access and cloud lookups

The LSP filter functions hook WSPSend and WSPSendTo. When the host process is identified as a security software process, the connection is closed outright, so the product can neither reach the network nor perform cloud lookups.

Figure 17. Blocking the security software's network access and cloud lookups

3.3 Information collection

3.3.1 Collecting network adapter information

The collected network adapter information includes the adapter model, the adapter MAC address, the gateway IP and the gateway MAC address.

Figure 18. Obtaining gateway MAC address by sending ARP packet

3.3.2 Collecting the list of installed software

The Trojan reads the list of installed software from the registry's Uninstall key, XORs it with 0x87 and writes it to C:\Windows\Temp\{e53b9a13-f4c6-4d78-9755-65c029e88f02}\software.prog. Unless otherwise stated, the files described below are written to the same directory.

Figure 19. Getting the list of installed software

3.3.3 Screenshots

Takes a screenshot of the current screen, zips it and saves it as a file named after time() with the extension .v.

Figure 20. Taking a screenshot

3.3.4 Collecting the disk file directory

Obtains the disk drive information, including the paths of every file on the disk, and zips it into a file named after the drive with the extension .d.

Figure 21. Obtaining disk file information

3.3.5 Collecting IE history

Obtains the browser history through COM and stores it in ie.his.

Figure 22. Getting browser access records

3.3.6 Collecting device information

Enumerates the system's devices, checks for three of them (a laptop power adapter, a camera and a microphone), and writes the encrypted result to a file named after time() with the extension .hd.

Figure 23. Traverse system device

Figure 24. Determine if there is a designated device

3.3.7 Keylogging in browsers

Installs a global WH_GETMESSAGE hook; in principle every process with a message loop then loads this DLL and calls the hook procedure. In the hook callback the Trojan checks whether the current process is iexplorer.exe, 360se.exe or sogouexplorer.exe, and if so records keystrokes together with the window title. Using imm32.dll it also captures Chinese input-method text. The log is saved as a file named after the date and time with the extension .k.

Figure 25. Installing the hook

Figure 26. Only keyboard input in the specified browser processes is recorded

3.3.8 Collecting Gmail information

While keylogging, if the title of one of the browser windows above contains the string Gmail, the Trojan starts a thread to collect Gmail information: it loads the relevant plug-in and downloads all data on the server through the IMAP protocol.

Figure 27. Checking whether the user is logged in to Gmail

Figure 28. Attempting to collect data over IMAP through the plug-in

3.3.9 Loading plug-ins to collect IM information

Identifies instant-messaging and voice chat software such as skype.exe, cc.exe, raidcall.exe, yy.exe and aliim.exe by process name, and loads the corresponding plug-in to monitor each.

Figure 29. Loading related plug-ins according to IM software process name

Figure 30. From the plug-in interface we can infer that the plug-ins are mainly used to monitor chat messages

Figure 31. The Trojan monitors all common communication software
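For a responder who has to confirm an infection from disk, the following Go program is an added example (written for this page, not code from Tencent or from the Trojan) that walks a file tree, flags every file inside the artifact directory named in section 3.3.2, labels each by the extensions sections 3.3.2 to 3.3.7 describe, and reverses the XOR 0x87 applied to software.prog. The directory name and extensions are taken from the analysis; the sample file contents are constructed, and the seedSample helper exists only so the triage can be exercised without an infected host.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// artifactDir is the directory name from the analysis (under the Windows temp folder).
const artifactDir = "{e53b9a13-f4c6-4d78-9755-65c029e88f02}"
// artifactKinds maps the extensions described in sections 3.3.2 to 3.3.7 to their contents.
var artifactKinds = map[string]string{
	".prog": "installed-software list (XOR 0x87)",
	".v":    "screenshot (zip)",
	".d":    "disk file listing (zip)",
	".his":  "IE history",
	".hd":   "device probe result (encrypted)",
	".k":    "browser keystroke log",
}

// finding is one file located inside an artifact directory.
type finding struct {
	path, kind string
	preview    string // decoded text for software.prog, empty otherwise
}

// xor87 undoes the Trojan's single-byte XOR; the operation is its own inverse.
func xor87(b []byte) []byte {
	out := make([]byte, len(b))
	for i, c := range b {
		out[i] = c ^ 0x87
	}
	return out
}

// triage walks root, reports every file inside an artifact directory and decodes software.prog.
func triage(root string) ([]finding, error) {
	var found []finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() || !strings.EqualFold(filepath.Base(filepath.Dir(p)), artifactDir) {
			return nil
		}
		f := finding{path: p, kind: "unknown file in artifact directory"}
		if k, ok := artifactKinds[strings.ToLower(filepath.Ext(p))]; ok {
			f.kind = k
		}
		if strings.EqualFold(d.Name(), "software.prog") {
			raw, rerr := os.ReadFile(p)
			if rerr != nil {
				return rerr
			}
			f.preview = string(xor87(raw))
		}
		found = append(found, f)
		return nil
	})
	return found, err
}

// seedSample writes a constructed copy of the artifact directory under root so the
// triage can be exercised without an infected host; every file's content is invented.
func seedSample(root string) error {
	dir := filepath.Join(root, "Temp", artifactDir)
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return err
	}
	files := map[string][]byte{
		"software.prog": xor87([]byte("ExampleApp 1.0\r\nAnotherTool 2.3\r\n")),
		"1585382400.v":  []byte("zip-placeholder"),
		"C.d":           []byte("zip-placeholder"),
		"ie.his":        []byte("constructed history"),
	}
	for name, data := range files {
		if err := os.WriteFile(filepath.Join(dir, name), data, 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, _ := os.MkdirTemp("", "dcm-triage")
	defer os.RemoveAll(root)
	if err := seedSample(root); err != nil {
		panic(err)
	}
	found, err := triage(root)
	if err != nil {
		panic(err)
	}
	for _, f := range found {
		fmt.Printf("%-14s %-38s %q\n", filepath.Base(f.path), f.kind, f.preview)
	}
}
```

On a real host the root would be the Windows directory of a mounted image rather than a seeded temp folder; the decoded software.prog preview is what tells the responder which installed software the Trojan enumerated.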

3.4 Network communication

3.4.1 Communication protocol

The most bizarre part of this Trojan is its communication. It has no C&C server: all data is sent, disguised as DNS packets, to UDP port 53 or 8000 of the servers behind www.baidu.com, www.sina.com or www.163.com. To obtain these packets the attacker must hijack and sniff the path from the victim's computer to those web servers.

Figure 32. Data packets of Trojans are sent to www.sina.com and other servers

Figure 33. The Trojan communicates over UDP, with destination port 53 or 8000

Figure 34. The Trojan disguises its packets as DNS, each carrying the same fixed packet header as a marker

Figure 35. Trojan data embedded in the DNS protocol; even an experienced network administrator would find it hard to spot anything abnormal
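The fixed-header DNS disguise can be spotted from the network side without knowing the marker bytes. The Go program below is an added example (not code from the analysis) that runs two checks over constructed sample datagrams: a strict parse of anything sent to UDP/53, which data appended behind a DNS-looking header fails, and a flag on UDP/8000 to public web servers, which is neither DNS nor HTTP. It also counts repeated 12-byte headers, since a genuine resolver randomises the transaction ID. The sample packets and the 0xDC4D header are constructed placeholders, not the Trojan's real marker.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// udpPacket stands in for one captured outbound datagram (constructed input, not a pcap).
type udpPacket struct {
	DstPort uint16
	Payload []byte
}
func be(b []byte) int { return int(binary.BigEndian.Uint16(b)) }

// skipName advances past one DNS name (length-prefixed labels ending in a zero byte).
func skipName(p []byte, off int) (int, error) {
	for off < len(p) {
		l := int(p[off])
		if l == 0 {
			return off + 1, nil
		}
		if l > 63 { // also rejects compression pointers, which a query name does not use
			return 0, errors.New("bad label length")
		}
		off += 1 + l
	}
	return 0, errors.New("name runs past end of packet")
}

// parseDNSQuery strictly checks a client-originated query. Data smuggled behind a
// DNS-shaped header fails on the counts, an unparsable question, or leftover bytes.
func parseDNSQuery(p []byte) error {
	if len(p) < 12 {
		return errors.New("shorter than a DNS header")
	}
	qd, an, ns, ar := be(p[4:]), be(p[6:]), be(p[8:]), be(p[10:])
	if qd == 0 || an != 0 || ns != 0 {
		return errors.New("section counts are not those of a query")
	}
	off := 12
	for i := 0; i < qd; i++ {
		n, err := skipName(p, off)
		if err != nil {
			return err
		}
		if n+4 > len(p) {
			return errors.New("truncated QTYPE/QCLASS")
		}
		off = n + 4
	}
	if ar == 0 && off != len(p) { // no EDNS record announced, so nothing may follow
		return fmt.Errorf("%d bytes after the question section", len(p)-off)
	}
	return nil
}

// classify gives a verdict for one datagram sent to a known public web server.
func classify(pkt udpPacket) string {
	switch pkt.DstPort {
	case 53:
		if err := parseDNSQuery(pkt.Payload); err != nil {
			return "ALERT: UDP/53 payload is not a well-formed DNS query: " + err.Error()
		}
	case 8000:
		return "ALERT: UDP/8000 to a public web server is neither DNS nor HTTP"
	}
	return "ok"
}

// repeatedHeaders counts identical 12-byte headers; resolvers randomise the ID, so a recurring header is itself a marker.
func repeatedHeaders(pkts []udpPacket) map[string]int {
	counts := map[string]int{}
	for _, p := range pkts {
		if len(p.Payload) >= 12 {
			counts[string(p.Payload[:12])]++
		}
	}
	return counts
}

// buildQuery constructs a minimal A query with RD set (sample input).
func buildQuery(id uint16, name string) []byte {
	b := []byte{byte(id >> 8), byte(id), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0}
	for _, label := range strings.Split(name, ".") {
		b = append(b, byte(len(label)))
		b = append(b, label...)
	}
	return append(b, 0, 0, 1, 0, 1) // root label, QTYPE=A, QCLASS=IN
}

// beacon imitates the Trojan's traffic: a fixed header (0xDC4D is an invented
// placeholder, not the real marker) followed by a blob of "stolen" data.
func beacon(data []byte) []byte { return append(buildQuery(0xDC4D, "www.baidu.com"), data...) }

func main() {
	for _, p := range []udpPacket{{53, buildQuery(0x1f3a, "www.baidu.com")}, {53, beacon([]byte("chunk-1"))}, {8000, beacon([]byte("chunk-2"))}} {
		fmt.Printf("dst %d: %s\n", p.DstPort, classify(p))
	}
}
```

Legitimate queries carrying an EDNS OPT record announce it in ARCOUNT, which is why the leftover-bytes check is only applied when ARCOUNT is zero; a production detector would parse the additional section as well rather than skip it.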

3.4.2 Automatic upload of collected files

All files collected automatically by the Trojan or generated by its plug-ins are periodically packed, numbered and sent out.

Figure 36. Periodically reading the related files, sending the numbered packages and deleting the files after sending

3.4.3 Remote control

The Trojan also binds a local UDP port and continuously tries to receive remote-control commands. The main remote-control functions are a command shell, file management and plug-in management.

Figure 37. Binding a local UDP port

Figure 38. Continuous attempts to receive control commands

Figure 39. Remote control function

4. Trojan information

4.1 Security software

The Trojan detects up to 43 security products, covering every domestic security product and the well-known foreign ones. Judging from the security software it targets, the Trojan is aimed mainly at domestic users.

Figure 40. List of security software detected by the Trojan

4.2 Other information

From the Trojan's mutex and debug strings, DCM appears to be the Trojan's codename, but what it abbreviates I cannot guess.

Figure 41. String information in Trojan

5. Security advice

Software vendors: download update programs over HTTPS or another secure, encrypted protocol, and verify the signature of the downloaded file before loading or running it.

Users: avoid networks of unknown security, such as public WiFi and hotel networks, and if you suspect a problem with your own network, report it to the operator promptly. Installing security software also offers some protection against this kind of attack; Tencent PC Manager has taken the lead in detecting and removing this Trojan and its variants.
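As an added example of the vendor-side advice above (not code from the page or from any vendor), the Go program below signs an update with an Ed25519 release key and has the client verify the detached signature against a pinned public key before anything from the download is run; the hijack helper stands in for the on-path replacement the analysis describes. The key generation, the installer bytes and the function names are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// update is what the client fetches: the installer bytes and a detached
// signature produced by the vendor's release key.
type update struct {
	payload   []byte
	signature []byte
}

// signUpdate runs on the vendor's build server at release time. The private
// key never leaves the vendor; only the public key ships inside the client.
func signUpdate(priv ed25519.PrivateKey, payload []byte) update {
	digest := sha256.Sum256(payload)
	return update{payload: payload, signature: ed25519.Sign(priv, digest[:])}
}

// verifyUpdate runs on the client before any byte of the download is executed.
// An installer swapped on the wire fails here even if the transport was hijacked.
func verifyUpdate(pub ed25519.PublicKey, u update) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("pinned public key has the wrong size")
	}
	if len(u.signature) != ed25519.SignatureSize {
		return errors.New("signature has the wrong size")
	}
	digest := sha256.Sum256(u.payload)
	if !ed25519.Verify(pub, digest[:], u.signature) {
		return errors.New("signature does not verify: refusing to run update")
	}
	return nil
}

// hijack simulates the on-path replacement from the analysis: the attacker
// substitutes their own installer but cannot produce a valid signature for it.
func hijack(u update, replacement []byte) update {
	return update{payload: replacement, signature: u.signature}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed release key
	if err != nil {
		panic(err)
	}
	genuine := signUpdate(priv, []byte("constructed genuine installer v2.0"))
	fmt.Println("genuine: ", verifyUpdate(pub, genuine))
	fmt.Println("hijacked:", verifyUpdate(pub, hijack(genuine, []byte("constructed trojanised installer"))))
}
```

The public key has to be pinned inside the client at build time; fetching it from the same update server would let the same on-path hijack replace key and installer together. Production code-signing schemes (Authenticode on Windows) add certificate chains and timestamps on top of this basic check, but the decision point is the same: verify first, then run.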

Contributed by: Tencent Security Manager (enterprise account). Reprints must credit FreeBuf Hackers & Geeks (freebuf.com).