The Evolutionary History of the "Double Gun" Trojan Horse Virus
2022-08-10 03:32:00 【Thousands of miles :)】
Since it was first discovered by 360 Security in 2017, the "Double Gun" Trojan has gone through multiple variants and infected more than 100,000 computers. By May 2020, when 360 Security and Baidu took down a botnet made up of hundreds of thousands of compromised machines ("broiler chickens", the Chinese slang for bots), it was clear how large the botnet had grown, and that the fight between attackers and defenders is always fierce in places we cannot see.
Next, the editor takes stock of the three generations of the "Double Gun" virus.
The first appearance of "Double Gun"
In July 2017, 360 Security analyzed the structure of the first "Double Gun" Trojan and promptly updated its virus database. According to that article, the sign of a "Double Gun" infection is that the browser homepage has been changed to a URL navigation site carrying the number "18299-9999". Once the infected MBR is loaded and executed, it goes on to infect the VBR (Volume Boot Record). When the VBR runs, it drops a driver that downloads the homepage-hijacking Trojan driver from the Internet; this driver also keeps checking the state of the MBR, and if the MBR has been repaired or was not infected successfully, it writes the infected MBR back again. This was the first new type of Trojan to infect the MBR and VBR in series, hence the name "Double Gun".
Besides changing and locking the homepage of every browser on the infected computer, the malicious driver that "Double Gun" downloads also has strong self-protection and fights anti-virus software hard. For example, after it starts it points its driver name at the name of a legitimate ("white") driver to evade anti-virus scans; it hooks the underlying disk device object to protect the MBR and resist repair by anti-virus tools; and it tampers with the dispatch functions of the NTFS file system's driver object and starts a system thread that makes sure the NTFS hook is never restored, so that normal processes cannot delete its Trojan file. And because the driver is started before everything else, it is even harder to remove.
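The MBR-then-VBR chain above, together with the driver's write-back of the MBR whenever it is repaired, is exactly what a baseline-and-compare check on the two boot sectors catches. The following Python is an added example, not code from the article or from 360 Security: it parses a 512-byte MBR (boot-code hash, partition table, 0x55AA signature) and an NTFS VBR (OEM ID, bootstrap-code hash), records a baseline from a known-clean copy, and reports which fields changed. The sample sectors, including the "clean" and "tampered" boot code bytes, are constructed here and are not Double Gun's code; the partition layout (one bootable NTFS partition at LBA 2048) is an assumption.

```python
"""Baseline-and-compare check for the MBR and an NTFS VBR, with constructed sample sectors."""
import hashlib
import struct

SECTOR_SIZE = 512
MBR_BOOT_CODE_LEN = 440        # MBR bytes 0..439 hold the boot code
MBR_PART_TABLE_OFF = 446       # four 16-byte partition entries follow the disk signature
BOOT_SIG_OFF = 510             # both MBR and VBR end with the 0x55AA boot signature
VBR_BOOTSTRAP_OFF = 0x54       # NTFS VBR: bootstrap code starts after the BPB / extended BPB
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Hash the boot code and decode the partition table of a 512-byte MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, MBR_PART_TABLE_OFF + 16 * i)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:MBR_BOOT_CODE_LEN]).hexdigest(),
        "boot_signature_ok": struct.unpack_from("<H", sector, BOOT_SIG_OFF)[0] == 0xAA55,
        "partitions": partitions,
    }


def parse_ntfs_vbr(sector: bytes) -> dict:
    """Check the OEM ID and hash the bootstrap code of an NTFS volume boot record."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("VBR must be exactly 512 bytes")
    return {
        "oem_id_ok": sector[3:11] == b"NTFS    ",
        "bootstrap_sha256": hashlib.sha256(sector[VBR_BOOTSTRAP_OFF:BOOT_SIG_OFF]).hexdigest(),
        "boot_signature_ok": struct.unpack_from("<H", sector, BOOT_SIG_OFF)[0] == 0xAA55,
    }


def compare_boot_sector(parsed: dict, baseline: dict) -> list:
    """Return the names of the fields that differ from the baseline (empty list = unchanged)."""
    return [key for key, value in baseline.items() if parsed.get(key) != value]


# --- constructed sample sectors (assumed layout, not Double Gun's code) -------------------
def build_mbr(boot_code: bytes, lba_start: int = 2048, sectors: int = 409600) -> bytes:
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into(PART_ENTRY_FMT, sector, MBR_PART_TABLE_OFF, 0x80, 0x07, lba_start, sectors)
    struct.pack_into("<H", sector, BOOT_SIG_OFF, 0xAA55)
    return bytes(sector)


def build_ntfs_vbr(bootstrap: bytes) -> bytes:
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x52\x90"          # jmp short + nop, as a real NTFS VBR begins
    sector[3:11] = b"NTFS    "
    sector[VBR_BOOTSTRAP_OFF:VBR_BOOTSTRAP_OFF + len(bootstrap)] = bootstrap
    struct.pack_into("<H", sector, BOOT_SIG_OFF, 0xAA55)
    return bytes(sector)


# The "clean" code is a few ordinary real-mode setup bytes; the "tampered" code merely differs.
SETUP_STUB = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24
CLEAN_MBR = build_mbr(SETUP_STUB)
CLEAN_VBR = build_ntfs_vbr(SETUP_STUB)
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x90" * 30)           # same partition table, new boot code
TAMPERED_VBR = build_ntfs_vbr(b"\xe9\x00\x01" + b"\x90" * 29)
NO_SIG_MBR = CLEAN_MBR[:BOOT_SIG_OFF] + b"\x00\x00"            # boot signature wiped

# Baselines would normally be recorded while the host is known clean.
MBR_BASELINE = parse_mbr(CLEAN_MBR)
VBR_BASELINE = parse_ntfs_vbr(CLEAN_VBR)


def audit(mbr: bytes, vbr: bytes) -> dict:
    """Compare both sectors, so a re-infection that rewrites only one of them is still caught."""
    return {"mbr": compare_boot_sector(parse_mbr(mbr), MBR_BASELINE),
            "vbr": compare_boot_sector(parse_ntfs_vbr(vbr), VBR_BASELINE)}


if __name__ == "__main__":
    # Live use needs raw device access (admin/root): the MBR is the first 512 bytes of
    # r"\\.\PhysicalDrive0" on Windows or /dev/sda on Linux; the VBR is the first sector of the
    # NTFS partition, at MBR_BASELINE["partitions"][n]["lba_start"] * 512 into the disk.
    print(audit(CLEAN_MBR, CLEAN_VBR))        # {'mbr': [], 'vbr': []}
    print(audit(TAMPERED_MBR, TAMPERED_VBR))  # {'mbr': ['boot_code_sha256'], 'vbr': ['bootstrap_sha256']}
```

One caveat follows directly from the article: a driver that hooks the disk's device object, as the "Double Gun" driver does, can answer a user-mode read of sector 0 with the clean content while the real MBR stays infected. Run the comparison from offline media (a rescue environment or a forensic image), not from the running system, if the result is to be trusted.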
"Double Gun" 2: a shooting in a locked room
In March 2018, the 360 Security Center found that a new variant of "Double Gun" had begun to appear, and started a comprehensive analysis from its infection behavior. Unlike the original, "Double Gun 2" spreads mainly through download sites. It steps up its anti-virus countermeasures: it intercepts the creation of anti-virus files, and it also locks the system registry HIVE files, so that normal service entries cannot be written. It is as if a sealed crime scene had been set up and a "locked-room shooting" carried out on the infected computer.
"Double Gun" 3: violence strikes
In June 2018, the 360 Security Center detected the third generation of the "Double Gun" Trojan. Compared with the previous version, it greatly strengthens the malicious locking of the system's HIVE files, making it even harder for security software services to write to them. Like the first two generations, the main behavior of "Double Gun" 3 is to modify the MBR and VBR and then tamper with the user's homepage for profit. Diagram of the malicious driver:
"Double Gun" features:
The "Double Gun" Trojan has infected more than 100,000 users in three years, and its malicious behavior falls mainly into three types:
1. Pushing advertisements and spam to users: it hijacks accounts on the user's device and uses them to send and spread advertisements;
2. Hijacking traffic from legitimate e-commerce websites and redirecting infected users to designated websites;
3. Disabling network security software.
Throughout its history, "Double Gun" has used images uploaded to Baidu Tieba (steganography) to deliver configuration files and malicious drivers to the botnet; it has also used Alibaba Cloud storage to host configuration files and Baidu's analytics platform Tongji to manage the behavior of infected hosts.
Originally, "Double Gun" spread by luring users into installing game launcher software from dubious game portals, with the malicious code passed off as patches. Once the user downloaded and installed the "patch", it fetched the configuration described above and downloaded a file named "cs.dll". "cs.dll" then not only creates a bot ID and reports it to the attacker's control server, but also injects another driver, DADELn.sys, to hijack system processes.
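The article does not say how the configuration and driver payloads were embedded in the Tieba images. The Python below is an added example, not code from the article or from 360 Security, and it covers the simplest and most common form of image "steganography" seen in malware delivery: data appended after the PNG's final IEND chunk, which a chunk-aware parser reveals immediately even though every image viewer shows a normal picture. It walks the chunk list, verifies each CRC, measures the trailer, and lists reasons the file deserves a closer look. The 1x1 PNG and the payload bytes are constructed inline; the payload is a stand-in, not a real driver.

```python
"""Flag data appended after a PNG's IEND chunk, using a constructed sample image."""
import math
import struct
import zlib
from collections import Counter

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def png_chunks_and_trailer(data: bytes):
    """Walk the chunk list; return ([(type, crc_ok), ...], bytes found after IEND)."""
    if not data.startswith(PNG_MAGIC):
        raise ValueError("not a PNG file")
    chunks, pos = [], len(PNG_MAGIC)
    while pos + 12 <= len(data):            # smallest chunk: length(4) + type(4) + crc(4)
        length, ctype = struct.unpack_from(">I4s", data, pos)
        if pos + 12 + length > len(data):
            raise ValueError("chunk %r overruns the file" % ctype)
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack_from(">I", data, pos + 8 + length)[0]
        chunks.append((ctype, (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc))
        pos += 12 + length
        if ctype == b"IEND":                # the decoder stops here; anything after is a trailer
            return chunks, data[pos:]
    raise ValueError("truncated PNG: no IEND chunk found")


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; near 8.0 means compressed or encrypted content."""
    if not blob:
        return 0.0
    counts = Counter(blob)
    return -sum(c / len(blob) * math.log2(c / len(blob)) for c in counts.values())


def inspect_png(data: bytes) -> dict:
    chunks, trailer = png_chunks_and_trailer(data)
    return {
        "chunks": [c.decode("ascii", "replace") for c, _ in chunks],
        "all_crcs_ok": all(ok for _, ok in chunks),
        "trailer_bytes": len(trailer),
        "trailer_entropy": round(shannon_entropy(trailer), 2),
        "trailer_has_mz_header": trailer[:2] == b"MZ",   # a PE file such as a driver starts with MZ
    }


def suspicious_reasons(data: bytes) -> list:
    """Human-readable reasons the image deserves a closer look; empty list means nothing found."""
    report = inspect_png(data)
    reasons = []
    if report["trailer_bytes"]:
        reasons.append("%d bytes after IEND" % report["trailer_bytes"])
    if report["trailer_has_mz_header"]:
        reasons.append("trailer starts with an MZ (PE) header")
    if report["trailer_entropy"] > 7.5:
        reasons.append("trailer looks compressed or encrypted")
    if not report["all_crcs_ok"]:
        reasons.append("chunk CRC mismatch (chunk data was modified)")
    return reasons


# --- constructed sample: a valid 1x1 PNG, then the same file with bytes appended ---------
def _chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)          # 1x1 pixel, 8-bit RGB
IDAT = zlib.compress(b"\x00\xff\x00\x00")                     # filter byte + one red pixel
CLEAN_PNG = PNG_MAGIC + _chunk(b"IHDR", IHDR) + _chunk(b"IDAT", IDAT) + _chunk(b"IEND", b"")
FAKE_PAYLOAD = b"MZ" + bytes(range(256)) * 2                  # constructed stand-in, not malware
STEGO_PNG = CLEAN_PNG + FAKE_PAYLOAD

if __name__ == "__main__":
    print(suspicious_reasons(CLEAN_PNG))   # []
    print(suspicious_reasons(STEGO_PNG))   # three reasons: trailer size, MZ header, high entropy
```

For JPEG the same idea needs a segment walk rather than a search for the FF D9 end marker, because an EXIF thumbnail embedded in an APP1 segment carries its own end marker and a naive search stops there. Images whose payload is hidden in pixel values rather than appended are not caught by this check; those call for entropy or statistical analysis of the pixel data itself.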