Tencent Computer Manager · 2016/02/03 18:49
0 x00 background
“Green software” usually refers to those small software that can be used without installation. These small software can be used directly after running, and will not leave any key values and files in the registry, system directory, etc., and can even be directly put into the U disk, CD and other mobile media, anytime and anywhere. At the same time because of its free installation, decompression can be used, but also give a person to the feeling of safety, so by the majority of users love. But is all this “green software” really safe?
0x01 Introduction to Trojan Horses
Tencent anti-virus laboratory recently captured a number of Trojan “green software” compression package, this kind of green software is usually small tools, through small download station spread, these flout “green software” compression package program contains Trojan. In addition, these tools are also uploaded to a large number of network disks, forums, social groups, the spread of a large number of. After the Trojan horse runs, it will not only tamper with the home pages of various browsers, but also download a large number of promotion programs and Trojan horse to local execution, which poses a serious threat to the computer security of users.
Figure 1. Decompressed “Green Software” directory
This Trojan mainly exists in various “green software” packages, directly replace the original main program, the original main program renamed mail.dll, after the Trojan will find the mail.dll file in the same directory, and run it, so that users are completely unaware. Then the Trojan will continue to tamper with the home page, download promotion software, close the firewall, close the system sound, background brush traffic.
0x02 Detailed Analysis of Trojan Horses
The Trojan is written in THE VB language, which compiles the program into an intermediate language rather than binary code, so it has a natural no-kill effect. Currently, less than one-third of the security software on VirusTotal can identify the Trojan.
Through VB decompiler software can be found after the sample is decompiled, in addition to the main function, there are more than one event is contained in a form, including three timer events, as well as the form of load and unload events, etc., in addition, through the code structure can be found that a called VB embedded on the sample page tabbed web browser control, This control is mainly used to access the specified navigation page and brush traffic.
Figure 2. General structure diagram of decomcompiled code and comparison with an open source VB control
Trojan running in the main function will first shut down the system’s own firewall, then immediately run with the directory under the main.DLL file, through the analysis of the software’s real main file. In addition, possibly to avoid analysis and feature detection, all the strings in the Trojan are split into small fragments and then spliced.
Figure 3. Codes related to the main functions of the Trojan horse
Main.dll is the main software program, change its extension to exe, you can see its real icon, Trojan just to leopard cat for prince of art will be the main program “switch”, run the main program after the main program to complete the software real function, Trojan is secretly running in the background.
Figure 4. After changing the main.dll extension to exe, its real icon is visible
In the loading function of the main form, the Trojan initializes part of the configuration information, mainly by accessing the following four URL links to obtain relevant configuration information, sending statistics information, and using the built-in Web browser to brush traffic.
- Homepage < www.dongzhiri.com/t/0.asp > (configuration)
- < www.dongzhiri.com/t/1.htm > (statistics)
-
(Third-party browser home page configuration)
- The < g.msnunion.com/exi/wj.htm > (jump to page navigation www8.1616.net/?un7783) brush flow
Timer 1 and timer 2 are then started, and timer 2 performs the main functions of the Trojan
Figure 5. The loading function related code of the main form of the Trojan horse
The main function of timer 1 is to continuously query the process list of the system to determine whether the main. DLL process exists. If it does not exist, it indicates that the user has closed the software.
Figure 6. Code related to timer 1’s main functions
Timer 2 is responsible for completing the main malicious activities of the Trojan. First, it changes the home pages of various browsers based on the initial configuration information. Currently, the home page of the Trojan is http://www8.1616.net/?un5794end
Figure 7. Modifying the Internet Explorer home page
Figure 8. Home page modification by modifying the registry
Figure 9. The current home page of the Trojan configuration is a navigation site
Figure 10. Modifying the home page of a third-party browser
Then the Trojan horse will download www.dongzhiri.com/t/j.txt configuration file to the local decryption, stored in the configuration file is mainly to promote software list, according to the key monitoring computer, change the configuration file for 1 minute time, every time a different file. This Trojan horse is still active.
Figure 11. Download the promotion list profile
Figure 12. Generalized list decryption function
Figure 13. Encrypted promotion list that changes every few minutes to promote different programs
Figure 14. Download and install the promoted software
The Trojan horse promotion program list is updated in minute level, the following is part of the Trojan horse promotion software, visible most of the game program, in addition to discover the Trojan horse promotion other Trojan horse program.
Figure 15. List of partial software promoted by Trojan horse
0x03 Transmission Channel
This Trojan through the label “green software”, packaged to a variety of small software toolkit, and uploaded to a large number of small download station, through incomplete statistics, the package has this Trojan on the network “green software” package total number in more than 1000, involving a variety of commonly used small tools. The following is a partial list of packaged Trojan “greenware”.
Figure 16. “Green software” partially packaged with Trojan horses
Figure 17. Communication channels
Figure 18. Communication channels
Figure 19. Communication channels
0 x04 epilogue
With the popularization and development of the Internet, the network black industry has penetrated more and more into every corner of the Internet. Once clean, safe and selfless sharing network resources have gradually disappeared. Just like some time ago Tencent anti-virus laboratory exposure in the ghost image of the additional “Surak” Trojan, the network has not been black production of the space is getting smaller and smaller. Sharing free resources on the Internet today is rarely secure.
In this housekeeper recommends that users, whether it is large software or small tools or operating systems, try to download from the official website, or use the software management of security software to download and install, try not to download resources from small and medium-sized websites that cannot determine security.