This post was last edited by Xi Liufang at 12:04 on February 11, 2011
First, the background and purpose of this article. My beloved "Original Publishing Area" and "Boutique Software Area" are very popular right now, with a lot of software being released. But there are also some villains who slip a little "toy" into the software they release and turn gray-hat. It is hard for the forum to assign staff to check everything, because the workload is far too heavy, so identification is largely left to the users, and that is why this article exists. Note that this article is mainly about quickly telling normal files from viruses. I am not a professional; the method is my own summary and it is amateurish, but I think it is still useful. If you have a better way, please reply to the post. The main text begins below.
There are many ways to analyze whether a file is a virus; for example, a debugger such as OD (OllyDbg) or a HIPS can do the job. Here we mainly discuss quick judgment: deciding whether a file is safe in the least time and with the least knowledge. First, the necessary tools: a sandbox, PEiD, OD and your anti-virus software.

For example, when I download software someone released on the forum, the anti-virus may report a virus. In that case, look at the reported virus name first. If it reports a packer, such as "Win32/Packed.VMProtect.AAA Trojan", you can relax your vigilance slightly: some packers cannot be unpacked by the anti-virus, so for convenience it treats them as viruses. On the other hand, if it is "Win32/Hupigon.NUK Trojan" or "Win32/Parite.B Virus", take note: the file may have had a Trojan inserted or been infected. From the name the anti-virus reports we can basically judge whether the file really has a problem or it is a false positive. There are exceptions, though. For example, "Trojan.Win32.Generic.122E105A" is a cloud-security detection with no useful information in it, so the name alone cannot tell you whether it is a misjudgment. The anti-virus information gives a preliminary idea of how safe the file is. I don't think anyone trusts the anti-virus completely; trust yourself more.

Check the packer with PEiD. If it is a simple compression packer, run OD in the sandbox, unpack it and analyze. What we need to do now is not to step through it instruction by instruction, but to find the APIs this file calls: right-click in the disassembly window and look up the names (labels) in the current module.
Look through the APIs. There is some selecting to do: character and string-handling functions can be skipped; pay more attention to registry and file functions. For example, if you see CreateFile, set a breakpoint on it and look at the code above and below the call, checking whether it writes files to sensitive system locations. Likewise, viewing strings is effective; you can generally find virus characteristics in the strings. For example, some Gray Pigeon (Hupigon) variants contain text such as "client installation succeeded", or you find e-mail addresses with matching passwords. These are very suspicious. Some fierce packers are very hard to remove, and that is where the sandbox helps.
Let the program run completely in the sandbox, and then terminate all programs.
Check what the program generates.
From the files the program generates we can basically determine whether it is a virus. Of course, some small pieces of malware detect sandboxes and virtual machines. There is a link to an online sandbox at the top of the virus sample area page; its analysis results are very specific and worth consulting. If you find manual inspection too troublesome, use the online sandbox: it is fast and detailed.
Let's take an example: http://www.52pojie.cn/viewthread.php?tid=58683 . This is Xiaosheng's analysis of a trojaned game plug-in; the video is well worth watching. Now I will go through it with the method above. Check the packer first: there should be none.
At this point I prefer PEiD's disassembly tool for looking at strings; this feature is very convenient.
Note that the selected part is suspicious: it is a URL pointing to an exe file. At this point we should suspect the plug-in is a downloader. Next, load it in OD (inside the sandbox or a virtual machine) and look at the names (labels) in the current module. There is URLDownloadToFileA, a function that downloads a file from the network to the local disk; it is commonly used by shellcode.
Set a breakpoint on the imported function and run to see the specific behavior. After that, all we have to do is analyze the downloaded file (the address was still live...).
Generally speaking, Microsoft's programs do not have icons like this, and it is strange for a game plug-in to download something from Microsoft for no reason; it can only be a cover, so the file can be killed directly. Similarly, if you run it directly in the sandbox, the file eventually appears in the sandbox's temporary directory, and a hidden file also appears in the plug-in's directory, which should otherwise be clean. The dropped trojan seems to have changed; it differs from the program in Xiaosheng's attachment.

If you find this troublesome, you can throw the file straight into an online sandbox and let the machine analyze it for you. For example, I think the nSPack packer on the downloaded file is hard to remove, or suppose I don't know how to unpack: open http://camas.comodo.com/cgi-bin/submit , select the file path, upload the file, wait a few minutes and the results come back. Other online sandboxes work much the same.
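The static half of this checklist (packer hint from section names, imported API names, URL strings pointing at an .exe, e-mail and install-message strings), as an added Python example that is not from the post or from PEiD/OD. The packer table, API list and the two byte blobs are constructed assumptions, not real samples, and the verdict strings are this example's own wording.

```python
import re

# Section names PEiD would normally attribute to a packer (assumption: this small
# table is all the toy checker knows; PEiD's signature base is far larger).
PACKER_SECTIONS = {b"UPX0": "UPX", b"UPX1": "UPX", b".nsp0": "nSPack",
                   b".nsp1": "nSPack", b".vmp0": "VMProtect", b".aspack": "ASPack"}
# Imported API names worth a breakpoint in OD, with the behaviour they imply.
WATCH_APIS = {b"URLDownloadToFileA": "downloader", b"URLDownloadToFileW": "downloader",
              b"CreateFileA": "file write", b"CreateFileW": "file write",
              b"RegSetValueExA": "registry write", b"RegSetValueExW": "registry write"}
URL_RE = re.compile(rb"https?://[\w./?=&%+-]+", re.I)
EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+")
RAT_HINTS = (b"password", b"client installation succeeded")  # Gray Pigeon style strings

def ascii_strings(data, min_len=4):
    """Printable-ASCII runs, like the strings view in PEiD's disassembler."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def triage(data):
    report = {"packer": None, "apis": {}, "urls": [], "exe_urls": [], "emails": [], "hints": []}
    for s in ascii_strings(data):
        for name, packer in PACKER_SECTIONS.items():
            if name in s:                 # section names are NUL-padded 8-byte fields
                report["packer"] = packer
        for api, meaning in WATCH_APIS.items():
            if api in s:                  # import-name-table entries are NUL-terminated ASCII
                report["apis"][api.decode()] = meaning
        for url in URL_RE.findall(s):
            report["urls"].append(url.decode())
            if url.lower().endswith(b".exe"):
                report["exe_urls"].append(url.decode())
        report["emails"] += [e.decode() for e in EMAIL_RE.findall(s)]
        report["hints"] += [h.decode() for h in RAT_HINTS if h in s.lower()]
    return report

def verdict(report):
    if report["exe_urls"] and "downloader" in report["apis"].values():
        return "likely downloader: URL to an .exe plus URLDownloadToFile import"
    if report["emails"] and report["hints"]:
        return "possible RAT: e-mail address next to credential/install strings"
    if report["packer"] and not report["apis"]:
        return "packed only (%s): unpack before judging" % report["packer"]
    return "no static indicators: run it in the sandbox and inspect what it writes"

# Constructed byte blobs standing in for the two files in the post (not real samples).
SAMPLE_DOWNLOADER = (b"MZ\x90\x00" + b"\x00" * 60 + b".text\x00\x00\x00" + b"\x00" * 8 +
                     b"\x00\x00URLDownloadToFileA\x00\x00\x00ExitProcess\x00" +
                     b"\x00\x00http://downloader.example/payload.exe\x00")
SAMPLE_PACKED = b"MZ\x90\x00" + b"\x00" * 60 + b".nsp0\x00\x00\x00" + b"\x00" * 8 + b".nsp1\x00\x00\x00"
```

For a real file, pass `open(path, "rb").read()` to `triage()`; a "packed only" result means the strings view is meaningless until the packer comes off, which is exactly when the sandbox run matters.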
This time I had a lot of trouble finding examples. I didn't have the habit of saving samples; those who posted trojans were banned after they were caught, and their glorious attachments could not be found, so there was no suitable example. Moreover, it was not realistic to test with a real virus. After searching for a long time I found the only remaining program on the forum. If I run into trojans in the future I will use them as examples ^_^