Tencent Computer Butler · 2015/08/13 17:53

Data reported by the vulnerability defense module of Tencent Computer Manager's browser protection shows a sharp rise since July in the number of blocked malware-hosting ("hanging horse") web addresses. Further analysis found that these trojans not only install large numbers of promotional software packages on the user's computer, but may also steal account credentials and carry out other malicious acts, putting both the computer and the user's accounts at risk.

Exploiting browser vulnerabilities is the most common attack method on the Internet. An exploit abuses a flaw left over from the development of a browser such as Internet Explorer to run attacker-specified malicious programs without the user's knowledge. Since Microsoft ended support for Windows XP last April, it no longer issues security updates for vulnerabilities disclosed after that date, so publicly known bugs will remain unpatched on XP for a long time. Because of this, exploit-driven drive-by pages have been adopted by many in the underground industry to run malicious programs automatically on unpatched systems. Combing through the malware-hosting web page data recently intercepted by Tencent Computer Manager gives a glimpse into that industry.

0x00 Impact range


Since July, malware-hosting web pages that exploit vulnerabilities have shown a clear upward trend; the number of such URLs intercepted per day currently exceeds 3000.

In terms of the geographical distribution of affected users, victims are concentrated in Guangdong, Shandong, Henan, Hebei, Jiangsu and other provinces.

0x01 Malware-hosting websites


Most exploits attack through browser scripts, so the first step is to plant the corresponding attack script in a web page and then wait for a user to visit the page and trigger it.

In terms of website type, attackers generally set up navigation or pornographic websites of their own to draw users into visiting them. Some attackers buy ad space on large websites and trigger the exploit silently while the user is viewing the ad.

Taking one day's data, we can see the time-of-day distribution of intercepted malicious websites. Interceptions remained steady after 8 o'clock in the morning, with two peaks, one at 2 o'clock in the afternoon and one at 11 o'clock at night:

0x02 Backdoor Trojan


After the user visits the compromised website, the VBScript runs automatically, downloads the malicious program from the specified location and executes it on the user's computer. Take one of the most widespread trojans as an example:

On the web server the Trojan is named calc.exe (the same name as the system calculator program) and on disk it is saved as putty.exe (the same name as a well-known remote connection tool).

The Trojan first terminates the security software on the computer using methods such as taskkill, process destruction via VirtualFreeEx, and image hijacking (Image File Execution Options).

Next, the Trojan drops a driver. The driver restores the two IOCTL dispatch routines of atapi, IdePortDispatchDeviceControl and IdePortDispatch, to defeat the disk-restore software used in Internet cafes, and then sends SRBs (SCSI request blocks) directly to the disk, bypassing the restore software, to write itself to disk and remain there permanently.

At the same time, the Trojan fetches a network address to obtain the next Trojan files to download, and so on. The point of using a network address is that the Trojan author can replace its contents at any time to achieve different control goals; in effect it is a simple backdoor. When we analysed the Trojan, this address returned the following:

Analysis shows that the Trojans behind these links go on to steal account credentials and perform other malicious acts.

0x03 Account-stealing Trojan


We pick the more distinctive account-stealing Trojan from the links above for analysis.

After starting, the Trojan first drops an executable with a randomly generated name into the Windows directory.

It then terminates all processes belonging to the QQ software, forcing the user to restart QQ.

The Trojan then enters an infinite loop that watches for the user restarting QQ. The loop enumerates the running processes every 100 milliseconds; if a QQ process is found, the user has restarted QQ, and the Trojan immediately kills the real QQ process and starts the executable it just dropped in its place.

This executable shows a fake QQ login window to trick the user into entering their QQ number and password. The login window is very realistic, with many details in place, and is practically indistinguishable from the real one, so users are easily fooled into thinking it is the genuine QQ login window.

When the user enters the QQ number and password and clicks Login, the Trojan silently records them and uploads them to the author's server with an HTTP GET request. As shown in the figure, assume the user enters QQ number 111111111 and password 22222222:

It can be seen that the executable in the Windows directory is the carrier of the Trojan's most critical malicious behaviour; the preceding steps, including the drive-by web page, anti-virus evasion, bypassing the restore software and persistence, all clear the way for this final Trojan. The division of labour in today's Trojans is extremely clear, with each module having its own duty.
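The kill-and-replace loop and the GET upload described in 0x03 leave a recognisable trace in process and network telemetry. The following is an added example, not code from the report or from Tencent: it runs over a few constructed telemetry lines in an assumed pipe-separated format and flags a non-QQ process that kills QQ.exe and is followed within half a second by the start of an executable in the Windows directory root, then any HTTP GET from that executable whose query string carries credential-like parameters. The event format, file paths and upload host are assumptions.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample telemetry (not data from the report): "timestamp|event|image|key=value".
# For PROC_END the image is the process that issued the kill. Paths and the upload host are
# invented; the QQ number and password are the placeholder values the article itself uses.
SAMPLE_EVENTS = """\
2015-08-13T10:00:00.000|PROC_END|C:\\Temp\\putty.exe|target=C:\\Program Files\\Tencent\\QQ\\Bin\\QQ.exe
2015-08-13T10:00:00.120|PROC_START|C:\\Windows\\kx7q2ztv.exe|parent=C:\\Temp\\putty.exe
2015-08-13T10:01:12.000|HTTP_GET|C:\\Windows\\kx7q2ztv.exe|url=http://c2.example.invalid/r.php?qq=111111111&pwd=22222222
2015-08-13T11:00:00.000|PROC_END|C:\\Windows\\explorer.exe|target=C:\\Program Files\\Tencent\\QQ\\Bin\\QQ.exe
2015-08-13T11:00:05.000|PROC_START|C:\\Program Files\\Tencent\\QQ\\Bin\\QQ.exe|parent=C:\\Windows\\explorer.exe
"""
WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.IGNORECASE)  # dropped straight into %WINDIR%
CRED_KEYS = {"pwd", "pass", "passwd", "password"}
ID_KEYS = {"qq", "uin", "user", "account"}

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, kind, image, detail = line.split("|", 3)
        key, _, value = detail.partition("=")
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind, "image": image, key: value})
    return events

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def credential_keys(url):
    """Query keys that look like an account/password pair; empty unless a password-like key is present."""
    keys = {k.lower() for k in parse_qs(urlsplit(url).query)}
    return sorted(keys & (CRED_KEYS | ID_KEYS)) if keys & CRED_KEYS else []

def find_login_hijack(events, window_s=0.5):
    """QQ.exe killed by a foreign process, then a %WINDIR% executable started within window_s."""
    alerts = []
    for i, ev in enumerate(events):
        # QQ closing its own processes is normal; a third-party kill of QQ.exe is the trigger.
        if ev["kind"] != "PROC_END" or basename(ev.get("target", "")) != "qq.exe" or basename(ev["image"]) == "qq.exe":
            continue
        for later in events[i + 1:]:
            if (later["ts"] - ev["ts"]).total_seconds() > window_s:
                break
            if later["kind"] == "PROC_START" and WINDOWS_ROOT_EXE.match(later["image"]):
                # Credential-like GET parameters sent by the impostor complete the chain.
                exfil = [(n["url"], credential_keys(n["url"])) for n in events[i + 1:]
                         if n["kind"] == "HTTP_GET" and n["image"] == later["image"] and credential_keys(n["url"])]
                alerts.append({"killer": ev["image"], "fake_client": later["image"], "exfil": exfil})
    return alerts
```

The second QQ.exe termination in the sample, issued by explorer.exe and followed five seconds later by the genuine QQ client, falls outside the window and produces no alert.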

0x04 Advertising promotion


In addition, some of the Trojans downloaded from these web pages serve to promote software. Some time after visiting such a page, a variety of software appears on the computer; the Trojan author profits by installing the software and charging its developer for the promotion. Below are the desktop shortcuts and the promotional software's interface after such a Trojan has been installed for a while: