Tencent Computer Butler · 2015/11/12 16:24
0 x00 overview
During the recent 11.11 shopping festival, countless web pages and software are flooded with “Shopping Double 11” advertisements. Would you consider it normal if there are several shortcuts related to double 11 on the desktop of the computer at this time, or the browser home page is locked as a navigation website pushing online shopping content? The truth is that your computer is likely to be compromised. Tencent in the near future anti-virus laboratory intercept rogue software “colorful notes” is massively promoting a disguise “Ali mother promotion program” Trojan, this Trojan strong fight to kill soft, malicious lock home page, harm is very serious.
0x01 Trojan Analysis
- File name: alimamaagent.exe
- MD5:7 c428f8759b9015409e87acfa50646c2
- Promotion channel: colorful notes
Behavior of parent alimamaAgent.exe
The Trojan host, disguised as an Alimom promotion program, contains three files in its resources. One is the real Alimom promotion program alimamaAgent.exe, one is a Trojan file, and the other is a configuration file. Mother run after the first judge how long the system started, if not more than 5 minutes, then release the Trojan and execute, and then release Ali mother promotion program; If it has been more than 5 minutes then only release Ali mother promotion program, do not release Trojan. This approach can bypass many unrestarted automated analysis systems, sandboxes, and so on. At the same time, the security software is weak during the first few minutes after the system is started. At this time, Trojan horses can often sneak in and perform sensitive operations.
Figure 1. Resource information of the Trojan horse’s parent
Figure 2. Trojan only runs within 5 minutes after startup, and is used to bypass security software master defense and automatic analysis systems
Figure 3. Release the real AlimamaAgent.exe and execute it. This file is the official promotion program of Alimamama and its main function is to release two shortcuts on the desktop for related promotion
Trojan sbffdm.exe behavior
Sbffdm.exe is the installation program of the Trojan horse. It releases the main function files of the Trojan horse and loads them. A total of three driver files, one EXE file and one DLL file will be released. At the same time, the Trojan will determine its own file name, if the rule does not meet, it will directly exit the program, may be used to bypass the analysis of automatic analysis software.
Figure 4. Judge the file name and exit if it doesn’t match the rule
Sys, secdrv2.sys, stisvc2.sys, zystatic. Exe, zyinstall. DLL. The Trojan checks the system type first
Figure 6. Call the interface of Zyinstall. DLL to load three driver files
Figure 7. Zyinstall.dll interface implementation, the main function is to load the driver as a service
Drive cmbatt2.sys behavior
Cmpbatt2. sys is mainly used to lock the browser home page by registering to create a process callback, comparing the CRC32 value of the process name in the callback function, and adding a command line to lock the home page if it is in a list (the Trojan horse has a built-in CRC32 list of various browser process names). This file is also responsible for cleaning up other files related to the protection of the home page.
Figure 8. Lock the home page by creating a callback
Figure 9. Perhaps to avoid killing, the Trojan does not have a browser name built in, but a list of CRC32 values
Figure 10. Home page locking by adding a command line
Figure 11. Using the FSD hook, make other files related to the home page protection inaccessible to monopolize the home page
Drive secdrv2.sys behavior
Secdrv2.sys protects the three driver files of the Trojan horse from being accessed or deleted through ATAPI hook.
Figure 12. Hook protection of three driver files
Drive the stisvc2.sys behavior
The main function of Stisvc2. Sys is to fight against security software through various key points of hook system, including:
1) FSD hook: Determine whether the query of Trojan directory ZyProtect comes from security software, and block it if it does. Filter all file creation operations and block if security software drivers are created. 2) Ssdthook: hook NtQueryInformationProcess, NtQuerySystemInformation NtReadfile, whether the operator for the security software process, if it is to stop.
Figure 13. Blocking security software from accessing the Trojan directory
Figure 14. Blocking the creation of files related to security software
Figure 15. The locking effect of the Trojan horse
0 x02 summary
Trojan horse is always through a variety of hot spots to spread, in the major websites and various circles are double 11 shopping festival screen, butler reminded users to protect computer security, pay attention to desktop ICONS, browser home page changes, Trojan horse may take the opportunity of double 11 in your computer. If you find that the home page is locked or an icon is added to the desktop, check the antivirus in time.