6.3. Backdoor Technology

6.3.1. Development Technology

  • Management and control function implementation
    • System management: view basic system information, process management, service management
    • File management: copy/paste files, delete files/directories, download/upload files, etc.
    • Shell management
    • Keystroke logging
    • Screenshots
    • Audio monitoring
    • Video surveillance
    • Viewing private information
    • Dynamic monitoring of removable disks
    • Remote uninstall
  • Auto-start (persistence) technology
    • Windows auto-start
      • Auto-start via the Windows Startup folder
      • Registry-based auto-start
      • Service-based auto-start
      • ActiveX-control-based auto-start
      • Scheduled-task-based auto-start
    • Linux auto-start
  • User-mode process hiding technology
    • Process hiding based on DLL injection
      • Remote thread creation technique
      • Window hook (HOOK) installation technique
    • Process hiding based on the SvcHost shared service
    • Process memory replacement
  • Data penetration and evasion techniques
    • Reverse connection (reverse port)
    • Protocol tunneling
      • HTTP
      • MSN
      • Google Talk
  • Kernel-level hiding technology (Rootkit)
  • Disk boot-level hiding technology (Bootkit)
    • MBR
    • BIOS
    • NTLDR
    • boot.ini
  • Countering system-restore software

6.3.2. Backdoor Anti-Virus Evasion

  • Traditional static code detection
    • Packing
    • Inserting junk ("flower") instructions
    • Import table evasion
  • Heuristic code detection
    • Dynamic function calls
  • Cloud-based scanning
    • Dynamically increasing the file size
    • Changing the DNS resolution address of the cloud scanning server
    • Disconnecting from the network
    • Bypassing cloud "whitelisting" using hash collisions
  • Attacking active-defense antivirus software
    • Changing the system time
    • Window message attacks
    • Actively sending IRPs to control the active-defense driver
  • Abusing certificate trust
    • Stealing and abusing legitimate certificates
    • Forging certificates using hash collisions
    • "White plus black": DLL hijacking of legitimate programs

6.3.3. Detection Technology

  • Detection based on auto-start information
  • Detection based on process information
  • Detection based on data transmission
  • Rootkit/Bootkit detection

6.3.4. Backdoor Analysis

  • Dynamic analysis
  • Static analysis
    • Antivirus engine scanning
    • File format identification
    • Packer identification and unpacking
    • Plaintext string search
    • Linked-library and import/export function analysis