Trojan "packing/unpacking" in practice - vulnerability warning - the black bar safety net

ID MYHACK58:62200714320
Type myhack58
Reporter Anonymous
Modified 2007-03-02T00:00:00


Why "pack/unpack" at all? For hackers, this technique is plainly applied to the Trojan client as a disguise: the aim is to stop antivirus software from detecting it and debuggers from tracing it, and also to stop others from statically analysing the program's algorithm.

Using pe-scan to unpack the Trojan

Trojan research enthusiast cytkk downloaded the latest reverse-connection Trojan, Trojan Z, from a well-known foreign hacking forum. He wanted to try out its powerful features, but Norton Antivirus caught it red-handed, which was endlessly depressing. cytkk tried to give it a simple wrap with the packer UPX (Ultra Packer for eXecutables) to fool the antivirus software, but the packer reported failure: it detected that the program's author had long since compressed Trojan Z with UPX. So the first order of business was to remove this "bad" shell that Norton Antivirus had already seen through.

cytkk ran a program called pe-scan 3.31. Click "open" to open the Trojan Z client; the display box in the centre shows the packer type as UPX. Then click "unpack" → "start"; cytkk followed the prompts to set the save directory and file name, completing the whole unpacking operation. The result is Trojan Z's original client program.

Master tip: after a file has been through several packers, the detected result is not necessarily accurate; in that case use "adv. scan" (advanced scan), and pe-scan will analyse how likely it is that each of a variety of packing tools was used.
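As an added example (not from the original article, and not pe-scan's code), the following Python script does in miniature what pe-scan's packer identification does: it walks a PE file's section table, flags the section names that UPX and ASPack leave behind, and measures each section's entropy, since compressed data stands out by entropy even when the master tip above applies and a name-based guess is unreliable. The sample PE images are constructed inline for testing and are not executable programs.

```python
import math
import struct
from collections import Counter
# Section names that the UPX and ASPack packers leave in a PE (their well-known defaults).
PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX", ".aspack": "ASPack", ".adata": "ASPack"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed or encrypted data sits near 8.0, plain x86 code around 5-6."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(blob: bytes):
    """Yield (name, raw bytes) for every entry in the PE section table."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[:2] != b"MZ" or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4                                   # COFF header follows the signature
    _, num_sections, _, _, _, size_opt_hdr, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + size_opt_hdr                      # section table follows the optional header
    for i in range(num_sections):
        off = table + 40 * i                              # each IMAGE_SECTION_HEADER is 40 bytes
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        yield name, blob[raw_ptr:raw_ptr + raw_size]

def scan(blob: bytes, entropy_threshold: float = 7.0) -> dict:
    """Report packer section signatures and high-entropy sections for a PE image."""
    found = {"packers": set(), "high_entropy": []}
    for name, data in pe_sections(blob):
        if name in PACKER_SECTIONS:
            found["packers"].add(PACKER_SECTIONS[name])
        if shannon_entropy(data) >= entropy_threshold:
            found["high_entropy"].append(name)
    found["suspicious"] = bool(found["packers"] or found["high_entropy"])
    return found

def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE layout (headers plus section table) for testing; not a runnable program."""
    hdr_len = 0x40 + 4 + 20 + 40 * len(sections)         # DOS header, signature, COFF header, table
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew at 0x3C points at "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)  # no optional header
    table, body, ptr = b"", b"", hdr_len
    for name, data in sections:                           # struct pads "8s" names with NULs
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + table + body

UPX_LIKE = build_sample_pe([(b"UPX0", b"\0" * 64), (b"UPX1", bytes(range(256)) * 4)])  # constructed sample
PLAIN = build_sample_pe([(b".text", b"\x90" * 512), (b".data", b"A" * 128)])            # constructed sample
```

`scan(UPX_LIKE)` reports the UPX signature and the high-entropy UPX1 section, while `scan(PLAIN)` reports nothing suspicious.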

Re-packing to deceive the antivirus software

What cytkk did next was to pack Trojan Z's original client once more, successfully this time. Going by past experience, ASPack 1.12 was the wise choice: it has a standard Windows interface and simple, intuitive operation. To ensure the program stayed intact after packing, cytkk gave up maximum compression, unticking "compress resources" under "option" and selecting "retain extra data". The "Compressed" page is very intuitive, with two progress bars: the top one shows compression progress, the one below the compressed file size. When compression finished, cytkk could not wait to click the "test" button on the left to run the integrity test. The result did not disappoint: thanks to ASPack's excellent performance, even Norton Antivirus, known for its strictness, turned a blind eye to the packed Trojan Z.

Below is the software package download: