A new home-grown Trojan has appeared, and it carries the pleasant-sounding name "Guangwai Girl". It is the work of the "Guangwai Girl" network group at Guangdong University of Foreign Studies. It runs on Win98, Win98SE, WinME, WinNT, Win2000, or Win95/97 with Winsock 2.0 installed. Compared with earlier Trojans it is smaller and hides itself more ingeniously, and it can be expected to become the next widely used Trojan after "Ice River".
Source address cited in this article: https://www.eepw.com.cn/article/201706/357346.htm.
Because the techniques used by "Guangwai Girl" are typical, I will use a detailed analysis of this new Trojan to explain the general method of researching Trojans. The test environment below is the Chinese version of Windows 2000.
I. Tools needed
1. RegSnap v2.80: the best tool for monitoring changes to the registry and system files.
2. fport v1.33: lists the ports opened by each program.
3. FileInfo v2.45a: identifies file types and packers.
4. ProcDump v1.6.2: unpacking tool.
5. IDA v4.0.4: disassembler.
II. Analysis steps
With the tools ready, we begin analyzing the Trojan. Once a typical Trojan runs it tampers with the registry and system files, so before the analysis we must take a snapshot of both. Do this on an isolated test machine or virtual machine that you can restore afterwards, never on a production system.
First open RegSnap, select New from the File menu, and click OK. This records the current state of the registry and system files, so that if the Trojan later modifies either of them we can see exactly what changed. Save the snapshot as Regsnp1.rgs.
Next we run the "Guangwai Girl" server on our machine. Don't worry: we have a detailed snapshot and can undo whatever it does. Double-click gdufs.exe and wait a moment. If you are running Skynet Firewall or Kingsoft Internet Security, you will notice that both programs exit by themselves. Strange? We will come back to that later in the analysis. The Trojan is now in our system, so let's see what it has done. Open RegSnap again, select New from the File menu, click OK, and save this second snapshot as Regsnp2.rgs.
Select Compare from RegSnap's File menu, choose Regsnp1.rgs as the first snapshot and Regsnp2.rgs as the second, and select "show modified key names and key values" in the radio box below. Press OK and RegSnap compares the two records. When the comparison finishes it automatically opens the result file Regsnp1-Regsnp2.htm.
Look at Regsnp1-Regsnp2.htm and note the following:
This means that between the two snapshots no registry keys were deleted, 15 keys were modified and one was added. Further down:
This passage says that a new file, diagcfg.exe, has appeared in C:\WINNT\System32. The file is highly suspicious: the only thing we ran between the two snapshots was the "Guangwai Girl" Trojan, so we have good reason to believe diagcfg.exe is the backdoor it left in the system. If you don't believe it, open Task Manager and you will find a DIAGCFG.EXE process, which is the Trojan itself. But do not delete DIAGCFG.EXE at this point, or the system will stop working normally; the reason becomes clear below.
Trojans usually set registry values so that they run automatically every time the system restarts. Let's look at which registry keys changed in Regsnp1-Regsnp2.htm. Experience says the following entry deserves attention:
This value was changed from the original %1 %* to C:\WINNT\System32\DIAGCFG.EXE %1 %*. It is the most suspicious change of all, because it contains the Trojan's DIAGCFG.EXE. So what does this registry value do?
It defines the command used to launch executable files. Once it has been changed to C:\WINNT\System32\DIAGCFG.EXE %1 %*, the program C:\WINNT\System32\DIAGCFG.EXE is run every time any executable file is started, with the name of the program the user actually asked for passed to it as %1.
So this is where the Trojan has tampered in order to start itself automatically. Its startup method differs from that of ordinary Trojans, which add a value under the usual startup key so that they start with the system; that location is well known to anti-virus software, so such Trojans are easily caught. "Guangwai Girl" is more cunning and places its startup entry somewhere else entirely.
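As an added example (not the article's text or RegSnap's code), here is the comparison step reduced to its logic: two snapshots of registry values plus a listing of the system directory, diffed into deleted/modified/added, then screened with the same reasoning the article uses: a changed value that now refers to a file that did not exist before the sample ran, a vanished autostart value, and a launch template that no longer begins with %1. The snapshots are constructed for this example and modelled on what the article reports; the firewall's autostart entry and the noise entries are assumptions. The executable-launch template lives under the standard Windows key HKEY_CLASSES_ROOT\exefile\shell\open\command, whose untouched default is "%1" %*.

```python
"""Snapshot-and-compare check in the style of the RegSnap step above."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample snapshots standing in for Regsnp1.rgs and Regsnp2.rgs.
# Registry values are keyed as "full\key\path\ValueName" ("(Default)" for the
# unnamed value); the file sets are listings of the system directory. The
# entries are modelled on what the article reports, not copied from real snaps.
EXE_CMD = r"HKEY_CLASSES_ROOT\exefile\shell\open\command\(Default)"
FIREWALL_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skynet"
MRU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUList"

BEFORE_REGISTRY = {
    EXE_CMD: r'"%1" %*',                 # Windows default launch template
    FIREWALL_RUN: r"C:\Skynet\snfw.exe",  # assumed firewall autostart entry
    MRU: "ab",                            # benign noise that changes anyway
}
AFTER_REGISTRY = {
    EXE_CMD: r"C:\WINNT\System32\DIAGCFG.EXE %1 %*",  # hijacked, as the article reports
    # FIREWALL_RUN is gone: the firewall no longer autostarts
    MRU: "ba",
}
BEFORE_FILES = {r"C:\WINNT\System32\kernel32.dll", r"C:\WINNT\System32\regedit.exe"}
AFTER_FILES = BEFORE_FILES | {r"C:\WINNT\System32\DIAGCFG.EXE"}


@dataclass
class SnapshotDiff:
    added: dict[str, str]
    deleted: dict[str, str]
    modified: dict[str, tuple[str, str]]  # path -> (old value, new value)

    def summary(self) -> str:
        return (f"{len(self.deleted)} deleted, {len(self.modified)} modified, "
                f"{len(self.added)} added")


def diff_snapshots(before: dict[str, str], after: dict[str, str]) -> SnapshotDiff:
    """The core of RegSnap's Compare: classify every value path by its fate."""
    added = {k: v for k, v in after.items() if k not in before}
    deleted = {k: v for k, v in before.items() if k not in after}
    modified = {k: (before[k], after[k])
                for k in before.keys() & after.keys() if before[k] != after[k]}
    return SnapshotDiff(added, deleted, modified)


EXE_PATH = re.compile(r'[A-Za-z]:\\[^\s"<>|*?]+\.exe', re.IGNORECASE)


def referenced_executables(value: str) -> list[str]:
    """Drive-letter paths ending in .exe mentioned inside a registry value."""
    return EXE_PATH.findall(value)


def exe_command_hijack(command: str) -> str | None:
    """For a shell\\open\\command template, return the program inserted in front
    of the normal "%1" %* (the Trojan's position), or None if it is untouched."""
    head = re.split(r'"?%1"?', command, maxsplit=1)[0].strip()
    return head.strip('"') or None


def suspicious_changes(diff: SnapshotDiff, new_files: set[str]) -> list[str]:
    """Apply the article's reasoning to the diff: a launch template that no
    longer starts with %1 has been hijacked; a value that now names a file
    which did not exist before the sample ran is the Trojan's doing; a
    vanished value may be a security product's lost autostart."""
    new_lower = {f.lower() for f in new_files}
    findings = []
    for path, (old, new) in diff.modified.items():
        if path.lower().endswith(r"\shell\open\command\(default)"):
            hijacker = exe_command_hijack(new)
            if hijacker:
                findings.append(f"HIJACK {path}: {hijacker} now wraps every launch (was: {old})")
                continue
        for exe in referenced_executables(new):
            if exe.lower() in new_lower:
                findings.append(f"MODIFIED {path}: references new file {exe}")
    for path, new in diff.added.items():
        for exe in referenced_executables(new):
            if exe.lower() in new_lower:
                findings.append(f"ADDED {path}: references new file {exe}")
    for path, old in diff.deleted.items():
        findings.append(f"DELETED {path} (was: {old}): autostart of a security product?")
    return findings


if __name__ == "__main__":
    diff = diff_snapshots(BEFORE_REGISTRY, AFTER_REGISTRY)
    print("Registry:", diff.summary())
    print("New files:", sorted(AFTER_FILES - BEFORE_FILES))
    for line in suspicious_changes(diff, AFTER_FILES - BEFORE_FILES):
        print(line)
```

The screening deliberately keys on the intersection of the two diffs (registry values that mention a file the file-system diff says is new), which is exactly the inference the article draws by eye; a diff of the registry alone contains plenty of harmless churn such as the MRU entry above.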
Now that we know where the Trojan lives and where its startup entry is in the registry, it is also important to find out which port it listens on. fport makes this easy: run fport.exe at the command line and you will see:
We can clearly see that the Trojan is listening on TCP port 6267. (fport is a tool of the Win9x/NT era; on later Windows versions netstat -ano shows the same information, the PID of the process that owns each listening port.) At this point we can say we understand everything the "Guangwai Girl" Trojan does in our system, and we can easily remove it.
III. Removal
Having understood how "Guangwai Girl" works, we now remove it. The following steps remove it completely. Note: the order of these steps must not be changed, otherwise the Trojan may not be fully removed.
1. Press Start, choose Run, type regedit and press OK. Navigate to the following key:
But don't modify it yet: if you change the value now, the running DIAGCFG.EXE process will simply change it back.
2. Open Task Manager, find the DIAGCFG.EXE process, select it and press End Process. Be careful to open the Registry Editor before ending the process: since every executable is launched through DIAGCFG.EXE, running regedit.exe after the process is gone would start DIAGCFG.EXE again.
3. Change the value of that key from C:\WINNT\System32\DIAGCFG.EXE %1 %* back to the original %1 %*.
4. Now you can delete DIAGCFG.EXE from C:\WINNT\System32. Remember never to delete this file first, or you will not be able to run any executable in the system at all. Since we intend to analyze this Trojan further, we won't delete it now but copy it to another directory for study.
IV. In-depth study
We now know the basic working principle, the startup mechanism and how to remove it completely, but one thing is still not fully understood: how it deals with Skynet Firewall and Kingsoft Internet Security. To understand that, we must look at the code of "Guangwai Girl". Its source code has not been published, but we can still examine it by disassembling the binary.
The "Guangwai Girl" server is only 96K, which strongly suggests it has been compressed with a packer. We must first determine which packer was used, and the small tool FileInfo can detect that. Copy the DIAGCFG.EXE from the earlier analysis into FileInfo's directory, type fi.exe at the command line and press Enter; it displays:
FileInfo reports that DIAGCFG.EXE is packed with ASPack v1.06b. Knowing the packer, we can unpack it with ProcDump.
Run ProcDump and click the Unpack button. Since we want to remove the ASPack v1.06b shell, select Aspack108 in the list and press OK. It then asks for the file to unpack; choose DIAGCFG.EXE and open it. Wait a few seconds and press OK. ProcDump unpacks DIAGCFG.EXE and then shows a dialog asking where to save the unpacked file; save it as gwns.exe.
Note: ProcDump unpacks by running the program, so at this point the Trojan is active on your system again and must be cleaned up once more using the steps above. As the removal method has already been described, I won't repeat it here.
Now we have the Trojan's original, unpacked file. The unpacked gwns.exe is 194K, more than twice the size of the packed program; that is the work of the packer's compression. Now we can feed it to a disassembler and read its assembly code.
Let's disassemble it with IDA. By the way, IDA is a superb disassembler and an essential tool for crackers and Windows hackers. Let's look at part of the disassembled code:
The Trojan first loads kernel32.dll and uses GetProcAddress to obtain the address of the API RegisterServiceProcess. It registers itself as a service process so that, when running under Win9x, it does not show up in the task list. Then it calls GetCommandLineA to read its command-line arguments, and if an argument is an executable file it calls WinExec to run it. This is the other half of the launch-command hijack: because every executable launch now goes through DIAGCFG.EXE, it must start the program the user actually asked for, otherwise the hijack would be noticed immediately.
Then the Trojan looks for the processes snfw.exe and kav9x.exe, i.e. Skynet Firewall and Kingsoft Internet Security, and kills them.
The Trojan also modifies the startup entries of Skynet Firewall and Kingsoft Internet Security in the registry, so that they no longer start automatically at the next reboot.
Next it writes the Trojan's own registry startup entry, so that it starts itself every time the system restarts. Then the Trojan initializes the Winsock DLL, binds its port and waits for the Trojan client to connect.
V. Summary
We have now completed the whole analysis of the Trojan program "Guangwai Girl" and learned how the Trojan starts and operates. Of course, the purpose of this article is not simply to introduce "Guangwai Girl", but to use the detailed analysis of this typical Trojan to introduce the general method of Trojan analysis. With the method in this article you can thoroughly analyze any unknown Trojan variant. Finally, let's summarize the methods and steps of Trojan analysis:
First take a snapshot of the system registry and system files, then run the Trojan server, then record the registry and system files again, and compare the two records with a registry analysis tool; this tells us what the Trojan has done to the system. Use fport to see which port the Trojan listens on. Then use the information gathered to work out a removal procedure.
To analyze the Trojan in depth, you must also unpack and disassemble the Trojan server. That way you can grasp every action the Trojan takes. Of course, this requires a good command of assembly language and a certain amount of patience, because lengthy assembly code is not easily readable by beginners.
If you want to go further and analyze the Trojan's message format, use a sniffer to monitor the Trojan's port and compare the captured traffic against its behaviour. This analysis is more involved, so this article does not give an example.
Reading the article alone is not enough. To analyze a Trojan thoroughly, you have to practise it yourself. Good luck!