How To: Detect a Binded Trojan Or FUD Trojan
Found something interesting regarding FUDs, thought I'd share this with you guys.
http://www.starthack.com/2011/08/23/how-to-detect-a-binded-trojan-or-fud-trojan/
FIRST METHOD:
Right-click it. If you have WinRAR installed and you see "Open with WinRAR", then this means it was bound with WinRAR, so it's definitely backdoored.

SECOND METHOD:
Open it with a resource editor such as Resource Hacker, Restorator or PE Explorer and check the RCDATA section. If there are "1" and "2" entries in it, then it's bound.

THIRD METHOD:
Open it with a hex editor. At the start of a PE header there is always this line: "This program cannot be run in DOS mode". Search for it; if it exists more than once, then it might be bound. It depends on the specific app; for example, it's not unusual for binders/crypters to have the stub file attached in the resources. Also search for ".exe" and inspect the results. A bound file drops the files to a temp folder before executing them, so if you find something like this: %.t.e.m.p.%..x.x…e.x.e or file1.exe/file2.exe, then it's definitely bound.

FOURTH METHOD:
Run it in Sandboxie. When a file is run in Sandboxie it is isolated (it can't access your files/registry). First click the Sandboxie tray icon to open its window, then right-click the file and click "Run with Sandboxie". If you see another process name in the Sandboxie window, then it's probably backdoored (this doesn't include the Sandboxie RpcSs/DcomLaunch processes; those are legit and needed for some programs). That's not all: the file may drop another one when one of the buttons in the program GUI is clicked or after you close it, so click all the buttons and close it just to make sure. If you do see other processes, then immediately click File > Terminate All Processes from the Sandboxie menu. If a file refuses to run in Sandboxie, or it's supposed to be a program and it runs without a GUI, then it would probably be best to delete it.
Peace
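The hex-editor checks in the third method of the quoted post (more than one "This program cannot be run in DOS mode" string, ".exe" names, a %temp% path stored as UTF-16LE so it shows up as "x.x.e.x.e") can be scripted. The Python below is an added example written for this page; it is not code from the StartHack article or from the forum member. It goes a little further than the post's plaintext search: instead of only counting the DOS-stub string, it validates every "MZ" it finds by following e_lfanew to a "PE\0\0" signature, so a second PE image embedded in the file is counted even if its stub text was altered. The sample it scans is constructed inline (a fake carrier header with a second fake header and a %temp% path appended), not a real binder's output; `make_fake_pe`, `build_bound_sample` and `triage` are names chosen for this example.

```python
import re
import struct

DOS_STUB = b"This program cannot be run in DOS mode"

# Strings the hex-editor method looks for, in ASCII and in UTF-16LE (the
# "%.t.e.m.p.%" rendering in a hex editor is UTF-16LE: one printable byte, one NUL).
ASCII_PATTERNS = [rb"%temp%[\x20-\x7e]{0,64}", rb"[\x20-\x7e]{1,64}\.exe"]
UTF16_PATTERNS = [
    rb"%\x00t\x00e\x00m\x00p\x00%\x00(?:[\x20-\x7e]\x00){0,64}",
    rb"(?:[\x20-\x7e]\x00){1,64}\.\x00e\x00x\x00e\x00",
]


def find_embedded_pe_headers(data: bytes) -> list:
    """Offsets of every 'MZ' whose e_lfanew (at +0x3C) points at a 'PE\\0\\0' signature.

    A normal executable has exactly one such header; a binder that stores the
    payload raw in resources or an overlay produces a second one.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x1000 and data[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def find_drop_strings(data: bytes) -> list:
    """Return de-duplicated %temp% paths and .exe names, decoded from ASCII or UTF-16LE."""
    found = []
    for pat in ASCII_PATTERNS:
        for m in re.finditer(pat, data, re.IGNORECASE):
            found.append(m.group(0).decode("ascii"))
    for pat in UTF16_PATTERNS:
        for m in re.finditer(pat, data, re.IGNORECASE):
            found.append(m.group(0).decode("utf-16-le"))
    return list(dict.fromkeys(found))


def triage(data: bytes) -> dict:
    """Apply the post's hex-editor indicators to a file image and flag anything extra."""
    pe_offsets = find_embedded_pe_headers(data)
    drops = find_drop_strings(data)
    result = {
        "embedded_pe_count": len(pe_offsets),
        "pe_offsets": pe_offsets,
        "dos_stub_count": data.count(DOS_STUB),
        "drop_strings": drops,
    }
    # One header and one stub string are normal; a second image or a drop path is the indicator.
    result["suspicious"] = (result["embedded_pe_count"] > 1
                            or result["dos_stub_count"] > 1
                            or bool(drops))
    return result


def make_fake_pe() -> bytes:
    """Constructed stand-in for a PE image: MZ, e_lfanew -> 0x80, DOS stub text, PE signature.

    It carries only the markers the scanner checks; it is not a runnable executable.
    """
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x40:0x40 + len(DOS_STUB)] = DOS_STUB
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01"  # IMAGE_FILE_MACHINE_I386 after the signature


def build_bound_sample() -> bytes:
    """Constructed 'bound' file: carrier image, UTF-16LE drop path, second embedded image."""
    return (make_fake_pe() + b"\x00" * 32
            + "%temp%\\file1.exe".encode("utf-16-le") + b"\x00" * 32
            + make_fake_pe())


if __name__ == "__main__":
    import sys
    # Scan a real file if a path is given; otherwise scan the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_bound_sample()
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

Treat the output as a triage signal, not a verdict: legitimate installers and self-extracting archives also carry a second PE image and %temp% paths, and a crypter that compresses or encrypts its payload will hide both the stub text and the MZ/PE markers, so a clean result here does not clear a file. Run `python scan.py suspect.exe` against a real sample (path is an assumed usage, not a flag from the post).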