Discovering and removing dynamically embedded DLL Trojans

When Microsoft moved from Win98 to the Windows NT line (including 2000 and XP), the Task Manager was reborn as well: under NT a Trojan can no longer hide its own process from it. Trojans that, under Win98, made themselves invisible to the Task Manager by registering their process as a system service therefore faced an unprecedented crisis, and Trojan authors had to adjust their approach in time. That change is why we are discussing today how to clear out dynamically embedded DLL Trojans.

First, what is a dynamically embedded Trojan? To keep their processes hidden under NT systems, Trojan authors began to use DLL (Dynamic Link Library) files. At first they simply wrote their Trojan as a DLL that replaced wsock32.dll, the system DLL responsible for WinSock 1.x function calls (WinSock 2 is handled by WS2_32.DLL): the replacement handled the known functions in the usual way and forwarded the unknown ones to the original wsock32.dll, which the Trojan renamed on installation so that forwarding kept working, and in this way it achieved remote control. With the introduction of Microsoft's digital signature technology and file restoration functions, however, this kind of DLL Trojan became less and less viable, and from the efforts of its developers emerged what is now the mainstream: the dynamically embedded DLL Trojan, which embeds its DLL into a process that is already running. System processes that cannot be terminated, such as explorer.exe, svchost.exe and smss.exe, are the favourite hosts. The Trojan's DLL file therefore never appears in the Task Manager, because a DLL has no process of its own; an EXE is its carrier. With further work a DLL Trojan can also add functions such as port hijacking/reuse (the so-called "portless" Trojan), registration as a system service, and multi-threaded self-protection. In short, DLL Trojans reach an unprecedented degree of stealth.

So how do we find and remove DLL Trojans?

First, start with the DLL file itself. We know system32 is a good place to hide, and many Trojans push their way in there; DLL Trojans are no exception. To deal with this, after installing the system and the necessary applications, make a record of the EXE and DLL files in that directory: run CMD, change to the system32 directory, and execute dir *.exe > exeback.txt & dir *.dll > dllback.txt, so that the names of all EXE and DLL files are recorded separately in exeback.txt and dllback.txt. Later, if the system behaves oddly but the usual methods turn up nothing, consider whether a DLL Trojan has got in: use the same commands to record the EXE and DLL files under system32 again, this time into exeback1.txt and dllback1.txt, then run fc exeback.txt exeback1.txt > diff.txt & fc dllback.txt dllback1.txt >> diff.txt (FC compares the earlier and later EXE and DLL listings and writes the results into diff.txt; the second redirection is >> so that the DLL comparison is appended rather than overwriting the EXE comparison). This shows which DLL and EXE files have appeared, and by looking at their creation time, version, whether they are packed, and so on, you can fairly easily tell whether a DLL Trojan has paid a visit. If one has, do not delete the DLL outright: move it to the Recycle Bin first, and only delete it, or submit it to an antivirus company, once the system shows no abnormal reaction.

Second, as mentioned above, certain key system processes are the favourite hosts of this type of Trojan, so once we suspect that a DLL Trojan has taken up residence, these key processes naturally deserve special attention. How? Here I recommend a powerful unpacking tool, Procdump.exe, which can show you exactly which DLL files a process has loaded (Figure 1). However, some processes load a very large number of DLLs, so checking them by eye is unrealistic. Instead we use ps.exe, an NT process/memory module viewer written by shotgun: the command ps.exe /a /m > nowdlls.txt saves the names of all DLL files currently loaded on the system into nowdlls.txt, which we then compare with FC against the dllback.txt we backed up earlier. That too narrows the scope of the investigation considerably.

Third, remember one characteristic of Trojans: the port. Any Trojan that connects, receives or sends data must open a port, and DLL Trojans are no exception; that also gives us a clue. We can use Foundstone's port viewer Fport.exe to see which process corresponds to each port, narrow the scope to a specific process, and then use Procdump to find the DLL Trojan relatively easily. Of course, as mentioned above, some Trojans communicate through port hijacking or port reuse, and common ports such as 139, 80 and 1443 are their favourites. Even a user who checks his own ports with a port scanner and sees something like TCP UserIP:1026 ControllerIP:80 ESTABLISHED might, with a little carelessness, take it for his own web browsing (a firewall would see it that way too). Looking at ports is therefore not enough; we also need to monitor the communication on the port, which brings me to the fourth point.

Fourth, we can use a sniffer to find out what data is actually being transmitted on the open ports. With the NIC set to promiscuous mode it accepts every IP packet; the sniffer program lets us pick out the packets worth attention and decode them according to the protocol's RFC. This determines the ports the Trojan is using, and combined with Fport and Procdump we can find the DLL Trojan. As a sniffer I recommend IRIS: graphical interface, easy to use.

Fifth, when hunting Trojans we are used to trying our luck in the registry, and that used to work quite well, but if the Trojan has registered itself as a system service (principle: on NT/2K/XP the system starts the specified service programs at boot), then checking the Startup folder, the registry, autoexec.bat, win.ini, system.ini, wininit.ini, *.inf files (for example autorun.inf), config.sys and so on will turn up nothing strange. In that case we should look at the system services: right-click My Computer - Manage - Services and Applications - Services, where you will see more than 100 services (truly, Microsoft; 75% of them are of no use to an individual and can be disabled). Go through them slowly, and whichever one looks wrong, kick it out. Of course, if you previously backed up the service list with the export function, comparing the two files will make the newcomers very easy to find. Then note which file that service loads, use srvinstw.exe from the Resource Kit to remove the service, and delete the loaded file.
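The first three steps can be tied together mechanically. The script below is an added example, not from the original article: it compares the baseline DLL list from step 1 against a per-process module listing like the one step 2 produces, then joins each non-baseline module with the ports its host process has open, as step 3 does with Fport. The sample inputs are constructed, and the column layouts assumed for ps.exe and Fport are assumptions to adapt to the tool versions you use.

```python
import re
# Constructed sample inputs (not real output); ps.exe/Fport column layouts are assumptions.
BASELINE_DLLS = r"""
kernel32.dll
user32.dll
ws2_32.dll
"""   # file names as recorded in dllback.txt (step 1)
PS_MODULES = r"""
explorer.exe (1208)
  C:\WINNT\system32\kernel32.dll
  C:\WINNT\system32\netapi.dll
svchost.exe (864)
  C:\WINNT\system32\ws2_32.dll
"""   # assumed shape of `ps.exe /a /m > nowdlls.txt` (step 2)
FPORT_OUTPUT = r"""
Pid   Process            Port  Proto Path
864   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
1208  explorer       ->  1026  TCP   C:\WINNT\explorer.exe
"""   # Fport-style port-to-process table (step 3)

def parse_baseline(text):
    """Lower-cased DLL file names from the dir listing backup."""
    return {l.strip().lower() for l in text.splitlines() if l.strip().lower().endswith(".dll")}

def parse_modules(text):
    """pid -> (process name, [module paths]) from the per-process module listing."""
    procs, pid = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+) \((\d+)\)$", line)
        if m:
            pid = int(m.group(2))
            procs[pid] = (m.group(1), [])
        elif line.startswith("  ") and pid is not None:
            procs[pid][1].append(line.strip())
    return procs

def parse_fport(text):
    """pid -> [(port, proto)] from Fport output; header and blank lines are skipped."""
    ports = {}
    for parts in (l.split() for l in text.splitlines()):
        if len(parts) >= 5 and parts[0].isdigit() and parts[2] == "->":
            ports.setdefault(int(parts[0]), []).append((int(parts[3]), parts[4]))
    return ports

def find_suspects(baseline, procs, ports):
    """Modules absent from the baseline, with host process and its open ports (steps 2+3)."""
    hits = []
    for pid, (name, modules) in procs.items():
        for path in modules:
            if path.rsplit("\\", 1)[-1].lower() not in baseline:
                hits.append({"pid": pid, "process": name, "module": path,
                             "ports": ports.get(pid, [])})
    return hits
```

In the constructed sample the only hit is netapi.dll inside explorer.exe, the process that also owns local port 1026, which is exactly the kind of process to examine next with Procdump and a sniffer.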

With these five steps we can, in most cases, detect and remove dynamically embedded DLL Trojans. You may also have noticed that making some backups at the right time helps our search for Trojans a great deal, and of course reduces the workload as well.
