Trojan Concealing Technology - Taking Advantage of System Services: A Case Study
The definition of Trojan
In computing, a Trojan is a program that infiltrates a system without the victim's awareness. Once it runs on the victim's system it behaves like a spy who has slipped inside the enemy's walls and opens a back door for other kinds of attacks; the resemblance to the Trojan Horse stratagem of the ancient war is why such programs are called "Trojan Horses" or simply "Trojans". A Trojan usually consists of two executable programs, a client and a server. The component that hides on the victim's system is the server, and the attacker (the so-called "hacker") uses the client as the control terminal. Once the server runs, it opens one or more ports on the victim's system, initiates contact with the client, and receives commands from it. In this way the attacker can steal information from the victim's system, tamper with it, or even destroy it entirely.
Trojan Concealing Technology
A successful Trojan must be able to survive on the host. In order to avoid being noticed, the Trojan
In the Windows operating system, a program registered as a system service does not show up as a distinct malicious process in the Task Manager that the system provides: a service DLL runs inside a legitimate host process (svchost.exe), so the user sees only svchost.exe. Some Trojans therefore accomplish the goal of hiding themselves while running simply by registering themselves as system services. The concealment is not complete, however. The command "tasklist /svc", the Services tab of Task Manager, or a tool such as Process Explorer will list the services hosted by each svchost.exe instance, and the ServiceDll value in the registry still points at the Trojan's file.
This paper analyses a Trojan of the family named "TrojanDropper:Win32/Zegost". First, the Trojan enumerates the services that share the generic service host process "svchost.exe". It then looks for the first of those services that is stopped. Once it finds one, it rewrites that service's configuration so that the service loads a copy of the Trojan in place of its legitimate DLL. The details are as follows:
The Trojan calls the function "RegQueryValueExA...
... middle of paper ...
...the Trojan creates a configuration file and imports it into the registry, setting the registry value "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ias\Start" to 2 (SERVICE_AUTO_START, so the service is started automatically at boot) and the value "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ias\Parameters\ServiceDll" to "C:\Program Files\StormII\%360SD%NNAME%\yjxih.cip" (the name of the CIP file is five randomly generated letters; here it is "yjxih.cip"). The values of the registry entries after modification are as follows:
Picture 6: Registry entry 1
Picture 7: Registry entry 2
After the steps above, the file "C:\Program Files\StormII\%360SD%NNAME%\yjxih.cip" created by the Trojan has been registered as the service DLL of an existing system service. When that service starts, the file is loaded and called by the system process "svchost.exe". The screenshot is as follows:
Picture 8: Trojan copy is called by "svchost.exe"
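The ServiceDll hijack described above leaves a durable trace in the registry, so it can be hunted for from a registry export. The following Python script is an added example written for this page, not code from the paper or from the Trojan. It parses a .reg file of the kind "reg export HKLM\SYSTEM\CurrentControlSet\Services" produces, including the hex(2) encoding reg.exe uses for REG_EXPAND_SZ values, and flags svchost-hosted services whose ServiceDll lies outside the Windows system directory, lacks a .dll extension, or references an unexpected environment variable. The embedded registry text is constructed: its "ias" entries reproduce the values reported above, while the benign "Dhcp" service and its DLL path are assumed for contrast.

```python
r"""Hunt for hijacked svchost-hosted services in a registry export.

On a live host, export the Services hive as an administrator and feed the
file to this script (the constructed sample below is used when no file is
given):

    reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg
    python svchost_hunt.py services.reg
"""
import re
import sys
from typing import Dict, List

# Constructed sample, not real registry content. The "ias" entries mirror
# the values the paper reports after the Trojan's import; the "Dhcp" entries
# are an assumed benign service written the way reg.exe exports a
# REG_EXPAND_SZ value: hex(2) UTF-16LE bytes with line continuations.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ias]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ias\Parameters]
"ServiceDll"="C:\\Program Files\\StormII\\%360SD%NNAME%\\yjxih.cip"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  64,00,68,00,63,00,70,00,63,00,6f,00,72,00,65,00,2e,00,64,00,6c,00,6c,00,\
  00,00
'''

SERVICES_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
START_MODES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
# Directories a legitimate svchost-hosted ServiceDll is expected to live in.
SYSTEM_DIRS = ("%systemroot%\\system32\\", "%windir%\\system32\\",
               "c:\\windows\\system32\\", "%systemroot%\\syswow64\\")
KNOWN_ENV_VARS = {"systemroot", "windir"}


def _decode_value(raw: str):
    """Turn one .reg value literal into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])      # unescape \\ and \"
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) in ("2", "7"):   # REG_EXPAND_SZ / REG_MULTI_SZ: UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse .reg text into {key path: {value name: decoded value}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        while line.endswith("\\") and i < len(lines):   # reg.exe line continuation
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, raw = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if current is not None:
            keys[current][name] = _decode_value(raw)
    return keys


def find_suspicious_servicedlls(keys: Dict[str, Dict[str, object]]) -> List[dict]:
    """Flag services whose ServiceDll looks hijacked, as in the Zegost case."""
    by_upper = {path.upper(): vals for path, vals in keys.items()}
    findings = []
    for path, values in keys.items():
        upper = path.upper()
        if not (upper.startswith(SERVICES_KEY.upper()) and upper.endswith("\\PARAMETERS")):
            continue
        dll = values.get("ServiceDll")
        if not isinstance(dll, str):
            continue
        service = path[len(SERVICES_KEY):-len("\\Parameters")]
        start = by_upper.get((SERVICES_KEY + service).upper(), {}).get("Start")
        lowered = dll.lower()
        reasons = []
        if not lowered.startswith(SYSTEM_DIRS):
            reasons.append("ServiceDll outside the Windows system directory")
        if not lowered.endswith(".dll"):
            reasons.append("ServiceDll has a non-.dll extension")
        odd = [v for v in re.findall(r"%([^%\\]+)%", lowered) if v not in KNOWN_ENV_VARS]
        if odd:
            reasons.append("unexpected environment variable(s): " + ", ".join(odd))
        if reasons:
            findings.append({"service": service, "service_dll": dll,
                             "start": START_MODES.get(start, start), "reasons": reasons})
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:   # reg.exe writes UTF-16 with BOM
            text = fh.read()
    else:
        text = SAMPLE_REG
    for f in find_suspicious_servicedlls(parse_reg(text)):
        print(f"[!] {f['service']} (start={f['start']}): {f['service_dll']}")
        for reason in f["reasons"]:
            print("    -", reason)
```

On the constructed sample the script reports only "ias", set to start automatically and loading "C:\Program Files\StormII\%360SD%NNAME%\yjxih.cip". Because the Trojan keeps the original service name and registry key, the service list alone looks legitimate; the ServiceDll path is what gives the hijack away, which is why the check keys on the path rather than on the name.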