How to Track Down a Hacker Through a Trojan (Tracking Down a Trojan)

I'm not even a tenth as clever as Mark Russinovich in tracking these things down, but I got to play IT department a bit today. You're probably the IT department for your family as well. When Uncle Frank gets a virus, he calls you. In this case, I was called upon to track down a virus.


With all due respect to Russia, there are very few things that regular folks need to be visiting in a .ru domain. In this case it was SMTP traffic, and there's ZERO reason anyone should be sending mail in this way.


He had run all sorts of anti-virus, anti-spyware, and anti-malware applications and didn't find anything. A cursory glance for funky .exe's in Task Manager showed nothing obvious.


I showed up and suggested we download the three horsemen: TCPView, Autoruns, and ProcessExplorer.


First step was to find out what process was asking for the Russian sites. TCPView to the rescue. We can see from the first screenshot that the port is being opened by winlogon.exe, the Windows NT Login Manager - certainly a legitimate executable.


There must be an evil DLL loaded inside of winlogon.exe. Next stop, Process Explorer.


Looking at winlogon.exe within Process Explorer, I changed the Lower View to show DLLs. Then I sorted by Company Name, just because it never seems that evil software writers are clever enough to include a Company Name, does it?


That hywklcsj.dll looks a smidge suspicious, no? It smells auto-generated to me, and the fact that there are no Google results for it confirmed it to me.


Now, Autoruns. Note the now-missing ddcyv DLL. Perhaps that was the bootstrapper that started this whole thing, but now it's run away.


The BrowserHelperObject (BHO) section of Autoruns shows that this trojan also listens to IE and probably pops up porno ads while surfing.


After cleaning all this crap up and restarting, we're clean. No funky DLLs get loaded by explorer or winlogon, and no suspicious traffic tries to get out of the computer.
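The same three-step triage (which process owns the outbound SMTP connection, which loaded DLLs have no Company Name or fail a signature check, and which Browser Helper Objects are registered and whether their DLL still exists on disk) can be scripted so it is repeatable on the next family PC. The script below is an added example and not part of Hanselman's post or of the Sysinternals tools; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated PowerShell prompt, because the module list of winlogon.exe cannot be read otherwise. The process names, registry paths and the port-25 filter are the ones described above; the function names are this example's own.

```powershell
# Added example (not from the original post): a PowerShell version of the
# TCPView -> Process Explorer -> Autoruns triage. Run from an elevated prompt.

# Step 1 (TCPView): which processes currently hold connections to remote port 25?
function Get-SmtpTalkers {
    Get-NetTCPConnection -RemotePort 25 -ErrorAction SilentlyContinue |
        Where-Object { $_.State -ne 'Listen' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Pid     = $_.OwningProcess
                Process = $proc.ProcessName
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                State   = $_.State
            }
        }
}

# Step 2 (Process Explorer, lower pane sorted by Company Name): list DLLs in a
# process whose version resource has no CompanyName, or whose Authenticode
# signature is not valid. Legitimate Windows DLLs normally pass both checks.
function Get-SuspiciousModules {
    param([string]$ProcessName = 'winlogon')   # default target from the post
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object {
        $owner = $_.ProcessName
        $_.Modules | ForEach-Object {
            $company = $_.FileVersionInfo.CompanyName
            $sig     = Get-AuthenticodeSignature -FilePath $_.FileName
            if ([string]::IsNullOrWhiteSpace($company) -or $sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Process   = $owner
                    Module    = $_.ModuleName
                    Path      = $_.FileName
                    Company   = $company
                    Signature = $sig.Status
                }
            }
        }
    }
}

# Step 3 (Autoruns, Browser Helper Objects section): resolve each registered BHO
# CLSID to its InprocServer32 DLL and report whether that DLL still exists, which
# catches the "now-missing" bootstrapper case described in the post.
function Get-BrowserHelperObjects {
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $clsid  = $_.PSChildName
            $server = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            $dll    = $server.'(default)'
            $exists = $false
            if ($dll) { $exists = Test-Path ([Environment]::ExpandEnvironmentVariables($dll)) }
            [pscustomobject]@{
                Hive   = $key
                CLSID  = $clsid
                Dll    = $dll
                Exists = $exists
            }
        }
    }
}

Get-SmtpTalkers                              | Format-Table -AutoSize
Get-SuspiciousModules                        | Format-Table -AutoSize
Get-SuspiciousModules -ProcessName 'explorer' | Format-Table -AutoSize
Get-BrowserHelperObjects                     | Format-Table -AutoSize
```

An empty CompanyName or an unsigned module is a lead, not a verdict: some legitimate third-party DLLs are unsigned, so confirm a hit the same way the post does, by checking the file's path, creation time and whether the name means anything to anyone, before removing it.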


I'm sure this Trojan has a name, but I couldn't figure out what Google terms I could use to find out which version it is. I suspect a Trojan.Vundo variant, but this one doesn't quite fit the profile.


Translated from: https://www.hanselman.com/blog/tracking-down-a-trojan
