Trojan disguised of the four magic-vulnerability warning-the black bar safety net

ID MYHACK58:6220066279
Type myhack58
Reporter 佚名
Modified 2006-01-11T00:00:00


The netizens world has introduced a very powerful Trojan horse, I believe everyone has to find their own“a thousand miles good horse”。 However, in the use of Trojan in the process, we often encounter a very substantive issues, that is, the Trojanserviceend of the anti-killing. Such asWebGod steal, gray dove, Guangdong University of Foreign Studies, etc. these famous Trojan horse, no wonder known to everybody, it is used in conjunction with ASPACK or UPX as they are added to the shell later, it will often be the antivirus software to detect. While some new shows are also not very famous wooden horse, before long soon is antivirus blacklisted.

Is there any way for Trojan mask to go to the edge, to avoid antivirus software killing? Of course or manually added shell! But we won't use ASPACK or UPX these packers as they are the most commonly used, but also the failure of the fastest, so we have to use some alternative uncommon plus housing software to for Trojan packers, get the latest antivirus cannot recognize Trojan. Here with me to challenge antivirus, tasting your own encryption Trojan in the process.

One, a phantom shell, a barrier method eye

“The Phantom”plus shell software is a Windows EXE,DLL,OCX. 3 2 bit can run a file encryption system. Software download address is: the. Originally as a software programmer for their software set up copyright protection, but in the even it seems, as a Trojan encryption only is it the most promising application: now we will use it to the Trojans with a layer of hard protective shell.

In for Trojans the client for the packers before, first make sure the Trojan has not been added through the shell, if the Trojan has been added through the shell but still is antivirus Avira, then to the first of the Trojans to the shelling, and then use the Phantom plus shell. It is assumed that there is already an understanding of the housing through the Trojan end“TheefServer.exe”with the trend antivirus which detects, appears as shown in Figure 1 of the virus alert prompt. Now we use the Phantom to which is applied the shell.

Figure 1

! Trojan disguised of the four magic

Tip: to detect Trojan original is added through the shell and shelling, you can use the Peid, the UPX, Aspack or the like of the software, as for how, here is not to make too much of the narrative, and before the Friends of the world ' has been introduced.

Run Phantom you can see the software interface is very simple, in the“encryption program”, browse to select just the“TheefServer.exe”the file, and then click on the toolbar of the“encryption”button, as shown in Figure 2, The Phantom began the first of the Trojan end the backup, the original file is renamed to“TheefServer. exe_bak”, then the program compression encryption, soon completed the shell work.

Figure 2

! Trojan disguised of the four magic

Now we then use the antivirus software to detect what the new generation of“TheefServer.exe”file, you can see the antivirus has been unable to detect the issue a virus alert. The Trojan has been successfully lied to by antivirus such as Figure 3)。 How, very simple to just let antivirus software fails?

Figure 3

! Trojan disguised of the four magic

Second, the YC protection experts, as a Trojan horse to provide protection

“YC protection specialist”is also a program protection tool, is to prevent the software is Softice and other tools to debug the hack, use it to for Trojan packers, also contrary to the developer intent, but GU not so much, look it up on the Trojan protection is more strong?

Or just“TheefServer.exe”the Trojan file, for example, to run the YC protection experts, and browse to select the Trojan client, in the Protection tab tick the following option“if modifying the resources is corrupted or exit”,“delete the PE file header”,“delete the introduction of information”, where the key is the latter two items, as shown in Figure 4)。 After setting click on“protect”button, and soon the Trojan file header information is changed, wherein the virus signature also natural changes, and the antivirus software cannot recognize the new generation of the Trojan file.

Figure 4

! Trojan disguised of the four magic

Third, anti-virus software does not identify the foreigner

WWWPack32 is a foreign compression packers of the tool, using the packers way with generally the software are different, therefore use WWWPack32 added through the shell of the Trojan is difficult to be antivirus software and identified, and we can set compression packers.

Run WWWPack32 after the first selection be added to the housing of the Trojan execution file, in the“Mask”select“PE Structure(EXE and DLL”(as shown in Figure 5, and then click on the toolbar on the“Setup”button to bring up the compression settings window, in the“Commpression Method”can be set the compression level as shown in Figure 6)。 Of course the compression the higher the level, spend more time, but is antivirus software to detect the probability is smaller. Exit the settings box, click on the toolbar of the“Fileinfo”button, you can see the Trojan program can be compresseddatainformation, as well as in the compression volume after the change as shown in Figure 7. The

Figure 5

! Trojan disguised of the four magic

Figure 6

! Trojan disguised of the four magic

Figure 7

! Trojan disguised of the four magic

After everything is set up, click on the toolbar of the“Pack”button, the Trojan is compressed packers, plus through the shell of the Trojan horse also not is antivirus easily identified.

Fourth, virus immunity, who is immune?

“App virus immunity”is a special program protect tool, it was meant to be used for the program plus a virus-immune head, the protection program is not virus destruction. However, the author try to use it to for Trojan virus compression plus a shell, but found it on the Trojan seems more“protective care”, through which compressed the Trojan actually does is antivirus identified.

Run the program interface as shown in Figure 8, Click on the“system settings”on the software to do some settings, but here we are with it protection Trojans, so these settings do but better. Click Next, select here to add shell protection to the Trojans, and set the processing mode as“normal user mode”button, shown in Figure 9. The Click Next, the setup forautorepair as shown in Figure 1 0; and in the next step you can set some program to fix the message, and finally click on next to finish the Trojan program protection process, as shown in Figure 1 1 in.

Figure 8

! Trojan disguised of the four magic

Figure 9

! Trojan disguised of the four magic

Figure 1 0

! Trojan disguised of the four magic

Figure 1 1

! Trojan disguised of the four magic

After the above operation, the General antivirus software and have been unable to accurately determine the Trojan, but the Trojan itself also has the virus the immune function. When the special case that the antivirus software found a Trojan and its isolation, will destroy its file headerdata, but since the Trojans have their own recovery function, so the virus isolation will be disabled, the Trojan still can run.