2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail the web-security backdoors hidden in common tools and software. The editor thinks it is very practical and shares it here as a reference; I hope you get something out of it.
Baidu Security Lab found a number of malware samples disguised as "decompression tools", "document readers" and other common software that secretly carry out remote code execution and profit from traffic fraud. Technical analysis of these disguised programs shows that they all originate from the same company in Chongqing. The malware authors evade security software by registering multiple code-signing certificates, build a variety of small utilities popular with netizens on the same framework, and distribute them through a large number of download stations and simple-looking "official websites". One of the decompression tools, called "geek compression", has been downloaded as many as 3.08 million times from Tencent's software management center.
When a user installs one of these programs, malicious modules and Lua scripts are silently delivered from a remote server and executed. During execution the Lua scripts skip the five major cities of "Beijing", "Shanghai", "Guangzhou", "Shenzhen" and "Zhuhai" to evade capture and analysis by mainstream security vendors. The Lua scripting engine can download any program and run it silently, terminate processes, modify any registry key, install an APK onto a connected mobile phone, change the browser home page, escalate privileges locally, and so on, which is alarmingly powerful. It is worth stressing that the Lua scripts can be upgraded and updated at any time, so the operators of this backdoor could also carry out other malicious acts such as privacy theft; the security risk is very high.
Take one of these programs, "preferred PDF Reader", as an example:
I. Behavior analysis
After the software is installed and started, it launches the "YouPdfUpdate.exe" process from the installation directory with the parameter youp, downloads a dynamic link library from the network, saves it to the program's current path and names it update.yyp.
The file is encrypted, and the decrypted dynamic link library contains two export functions:
The main purpose of this module is to create a Lua virtual machine and execute the incoming Lua script; the following Lua API is implemented in the module:
The above API can set up auto-start, modify the UAC policy, install APKs, download and execute files, execute scripts, control processes, fetch arbitrary files from the network, and so on.
This module implements the Event Viewer UAC bypass, mainly by modifying the registry key "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command".
When the program runs, it executes the ExecNetScipt function in Lua, which requests, downloads and executes the Lua script from "http://config.younoteba.top/src/youpdfu.html". The decrypted script performs a series of initialization operations such as sending machine information to the author's server and setting the process's own exit time, then downloads the XML configuration file and, according to the configuration obtained, carries out operations such as modifying the home page, filtering processes, and promoting and installing software.
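An added host-audit script, not part of the Baidu Security Lab analysis or of the malware, that checks for the three artifacts named above: the HKCU mscfile handler override used for the Event Viewer UAC bypass, the dropped update.yyp payload, and DNS-cache traces of the config domain. It assumes it is run as the affected Windows user and that the program was installed under the usual install roots.

```powershell
# Added audit script (assumptions: run as the affected user; default install roots).
$MscfileKey   = 'HKCU:\Software\Classes\mscfile\shell\open\command'
$PayloadName  = 'update.yyp'
$ConfigDomain = 'younoteba.top'

function Test-MscfileOverride {
    # HKCR merges HKCU\Software\Classes over HKLM\Software\Classes, so eventvwr.exe
    # honors a per-user mscfile handler; a clean machine has no such HKCU key.
    if (-not (Test-Path $MscfileKey)) {
        return [pscustomobject]@{ Check = 'mscfile'; Hit = $false; Detail = 'no HKCU override' }
    }
    $cmd = (Get-ItemProperty -Path $MscfileKey).'(default)'
    [pscustomobject]@{ Check = 'mscfile'; Hit = $true; Detail = "HKCU override -> $cmd" }
}

function Find-DroppedPayload {
    # The updater saves the downloaded DLL beside the program as update.yyp.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA, $env:APPDATA) |
        Where-Object { $_ }
    foreach ($r in $roots) {
        Get-ChildItem -Path $r -Recurse -Filter $PayloadName -File -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Check = 'payload'; Hit = $true; Detail = $_.FullName } }
    }
}

function Find-ConfigDomainTrace {
    # Get-DnsClientCache is available on Windows 8 / Server 2012 and later.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$ConfigDomain*" } |
        ForEach-Object { [pscustomobject]@{ Check = 'dns'; Hit = $true; Detail = $_.Entry } }
}

$results = @(Test-MscfileOverride) + @(Find-DroppedPayload) + @(Find-ConfigDomainTrace)
$results | Format-Table -AutoSize
if ($results | Where-Object Hit) {
    Write-Warning 'Indicators from the analysis are present; isolate the host and inspect the program directory.'
}
```

The HKCU key check is the highest-signal item: legitimate software has no reason to register a per-user handler for .msc files, so its presence alone warrants investigation.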
Decrypted XML configuration file:
The main functions in the captured Lua script are as follows:
1. DoBiz
This function mainly checks the engine version, whether the configuration file is writable, whether the download came through a PC-manager ("butler") client, and whether the user clicked on the feedback link; it then downloads the configuration, executes the mini page, filters by process and region, executes rich media, and so on.
2. InstallCpa
This function handles the promoted software: checking the installation conditions, downloading the software and installing it.
3. SetHomepage
This function tampers with the browser home page by modifying the registry.
II. Homology analysis
Association analysis of "preferred PDF Reader" links it to multiple domain names and many different programs whose behavior is essentially the same.
1. Similar installation interface
The following is the installation interface of the preferred PDF reader.
The following is the installation interface of the associated Quick Notes.
2. Similar official website
These programs have highly similar official websites: page layout, wording and descriptions are all nearly identical.
The following are the official websites of the preferred PDF reader and Quick Notes.
III. Summary
In recent years, some tools and software have secretly turned netizens' computers into money-making machines under the banner of "free". On the surface these programs win users' trust, while their malicious behavior is hard to detect. Baidu Security Lab advises users to develop good Internet habits and to run a scan with security software promptly when a computer behaves abnormally. Government and enterprise organizations should tighten control over software downloads and upgrades and strengthen the analysis and monitoring of network communication behavior. Software download stations and distribution channels are also urged to strengthen software review and standardize their services.
Appendix 1: list of related software
This is the end of the article on "what web-security backdoors are hidden in common tools and software". I hope the above content is of some help to you and that you have learned something; if you think the article is good, please share it so more people can see it.
© 2024 shulou.com SLNews company. All rights reserved.