Wednesday, August 11, 2010

How to remove a new breed of Trojan that breaks through active defense

Patient: I use antivirus software with active defense, which is supposed to block Trojans, yet my e-mail account was still stolen recently. Why is that?

Doctor: This is actually quite normal. Antivirus software is not a panacea and cannot stop every malicious program in circulation. Your e-mail account was most likely stolen by a Trojan that can break through active defense, such as the latest ByShell Trojan. ByShell is a new type of Trojan whose defining feature is that it easily defeats the active defense capabilities of antivirus software.

Bypassing active defense through the SSDT

Patient: How does a Trojan like ByShell get past active defense?

Doctor: The earliest trick was for the hacker to change the system date to an earlier date. The antivirus software would then automatically switch off all of its monitoring functions, and its active defense would lose its protective effect along with them. Today there are already many Trojans that break through active defense without touching the system time at all.

Windows has a table called the SSDT, short for System Service Descriptor Table (系统服务描述符表 in Chinese). It is the channel through which calls made at the application layer are dispatched to the system kernel: every system call is looked up in this table to find the kernel routine that services it.

Every antivirus product's active defense works by modifying the SSDT: it replaces entries with its own hook routines, so a malicious program's calls no longer proceed along the normal path but are diverted through the antivirus hook, where they are easily intercepted. If you have antivirus software with active defense installed, you can use the SSDT function of IceSword (冰刃, "Bingren") to view the table; the entries that have been modified are marked in red.

The ByShell Trojan first locates the SSDT of the running system, then works out the original SSDT entries (the usual way is to read them back from the kernel image on disk), and finally overwrites the current table with those original values. From that point on the Trojan's calls follow the normal, unhooked path, the active defense is rendered useless, and the Trojan can complete its work.
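To make the two preceding paragraphs concrete, here is an added user-mode model of the SSDT hook-and-restore logic; it is not ByShell's or IceSword's code, and the addresses, RVAs and table size are constructed for the simulation. The table is an array of function addresses: `ssdt_find_hooks` reproduces the "red entry" check (an entry that does not point into the kernel image has been hooked), `ssdt_restore` performs the overwrite ByShell does, and `ssdt_hooks_missing` is the defender-side check that notices when an antivirus hook set has been wiped out, which is why a repair or reinstall is needed afterwards.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout for the model (not real addresses): the kernel image
 * and a third-party active-defense driver, each described as base + size. */
#define KERNEL_BASE  0x80400000u
#define KERNEL_SIZE  0x00200000u
#define AVDRV_BASE   0xF8A00000u
#define AVDRV_SIZE   0x00010000u
#define SSDT_ENTRIES 8

typedef struct { uintptr_t base, size; } image_range;

static const image_range kernel_image = { KERNEL_BASE, KERNEL_SIZE };
static const image_range avdrv_image  = { AVDRV_BASE,  AVDRV_SIZE  };

/* Constructed RVAs of the first SSDT_ENTRIES service routines, standing in
 * for the values a tool would read out of the kernel image on disk. */
static const uint32_t service_rvas[SSDT_ENTRIES] = {
    0x0005A100, 0x0005A2C0, 0x0005B010, 0x0005B3F0,
    0x0005C800, 0x0005CA40, 0x0005D120, 0x0005D5E0
};

static int in_range(uintptr_t a, const image_range *r) {
    return a >= r->base && a < r->base + r->size;
}

/* Original table: kernel load base + RVA taken from the on-disk image. */
void ssdt_from_image(uintptr_t kernel_base, const uint32_t *rvas, size_t n,
                     uintptr_t *out) {
    for (size_t i = 0; i < n; i++) out[i] = kernel_base + rvas[i];
}

/* The "red entry" check: any entry not pointing into the kernel image is
 * treated as hooked. Fills hooked[i] with 0/1 and returns the hook count. */
size_t ssdt_find_hooks(const uintptr_t *table, size_t n, int *hooked) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        hooked[i] = !in_range(table[i], &kernel_image);
        count += (size_t)hooked[i];
    }
    return count;
}

/* The ByShell step: overwrite live entries with the originals.
 * Returns the number of entries that were changed. */
size_t ssdt_restore(uintptr_t *table, const uintptr_t *original, size_t n) {
    size_t changed = 0;
    for (size_t i = 0; i < n; i++)
        if (table[i] != original[i]) { table[i] = original[i]; changed++; }
    return changed;
}

/* Defender-side check: how many of the antivirus driver's own hooks
 * (expected[i] != 0) are no longer present in the live table. */
size_t ssdt_hooks_missing(const uintptr_t *table, const uintptr_t *expected,
                          size_t n) {
    size_t missing = 0;
    for (size_t i = 0; i < n; i++)
        if (expected[i] != 0 && table[i] != expected[i]) missing++;
    return missing;
}

/* Simulated antivirus driver installing a hook on entry idx, pointing at a
 * routine inside its own image; it also records what it expects to find. */
void av_install_hook(uintptr_t *table, uintptr_t *expected, size_t idx,
                     uintptr_t hook_rva) {
    expected[idx] = avdrv_image.base + hook_rva;
    table[idx] = expected[idx];
}

int main(void) {
    uintptr_t original[SSDT_ENTRIES], live[SSDT_ENTRIES];
    uintptr_t expected[SSDT_ENTRIES] = {0};
    int hooked[SSDT_ENTRIES];

    ssdt_from_image(KERNEL_BASE, service_rvas, SSDT_ENTRIES, original);
    ssdt_from_image(KERNEL_BASE, service_rvas, SSDT_ENTRIES, live);
    av_install_hook(live, expected, 4, 0x1200); /* e.g. a process-open service */
    av_install_hook(live, expected, 6, 0x1480); /* e.g. a memory-write service */

    printf("hooked before restore: %zu\n", ssdt_find_hooks(live, SSDT_ENTRIES, hooked));
    printf("entries rewritten:     %zu\n", ssdt_restore(live, original, SSDT_ENTRIES));
    printf("hooked after restore:  %zu\n", ssdt_find_hooks(live, SSDT_ENTRIES, hooked));
    printf("AV hooks missing:      %zu\n", ssdt_hooks_missing(live, expected, SSDT_ENTRIES));
    return 0;
}
```

The last two lines of output are the point for a defender: after the restore the address-range scan reports a clean table, so an SSDT viewer alone cannot distinguish "never hooked" from "hooks removed by a Trojan". Only the product itself, which knows which entries it installed, can detect that its hooks are gone, and that is the check its repair function has to perform.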

Tip: ByShell is advertised as using "world-leading" penetration technology, a new kernel-driver technique for breaking through antivirus active defense. According to that claim, Kaspersky, Rising, Trend Micro, Norton and other commonly used Chinese and foreign antivirus products, including their latest versions, can all be bypassed by the ByShell Trojan.

Cleanly removing a Trojan that bypasses active defense

Patient: I understand how such a Trojan works now, but I still don't know how to remove it.

Doctor: Removal is not difficult, and the method is similar to that for other Trojans. Let's walk through the specific steps using the removal of a typical ByShell Trojan as an example.

Step one: Run the security tool WSysCheck and click its "Process Management" tab. Several processes are shown in pink, which means a Trojan thread has been injected into them. Click one of the pink IE browser processes and you will find a suspicious Trojan module, hack.dll, among its loaded modules (Figure 1). Of course, the hacker will sometimes use a different name; in that case, look for modules that carry no vendor ("company") information and treat those with heightened suspicion.

Step two: Next click the program's "Service Management" tab. Here too, several system services are shown in red, which means they are not services that belong to the system itself. Looking through them, a service named hack stands out as the most suspicious, because its name matches the name of the Trojan module.

Likewise, if the hacker has given the service some other custom name, pay attention to services whose "Status" column reads "unknown", and preferably check them one by one.

Step three: Click the program's "File Management" tab, which presents a simulated Explorer window. Following the path shown for the suspicious module, we quickly find the Trojan module file hack.dll, and alongside it an executable with the same name (Figure 3). It appears that the Trojan consists mainly of these two files.

Step four: Now we begin the cleanup. First, in "Process Management", find the pink IE browser process, select it, and use the right-click "End Process" command to terminate it. Then switch to the "Service Management" tab, select the service named hack, and delete it with the right-click "Remove Selected Service" command.

Then switch to the "File Management" tab to clean up the Trojan's files. In the system's system32 directory locate hack.dll and hack.exe and use the right-click "Direct Delete" command to deliver the final blow to the Trojan. The injected processes were ended first precisely so that the DLL is no longer loaded when it is deleted. Now restart the system and check again; the Trojan should be gone.

Step five: Because the Trojan overwrote the antivirus software's entries in the SSDT, its active defense remains disabled even after the Trojan's files are removed. It is best to run the repair function that ships with the antivirus software, or simply reinstall the antivirus software, so that its hooks are put back in place.

Summary

Before planting a Trojan, a hacker's most important job used to be making it evade detection (免杀, "kill-free"), so that it escapes the antivirus software's signature scanning. Today, besides basic signature evasion, hackers also work on breaking through active defense. Trojans that defeat active defense already exist, and more of them will appear in the future, so we must strengthen our own security awareness.
