Malware authors use a variety of tricks to recognise the virtual machines on which anti-virus company analysts examine their functionality: they look for processes with particular names, particular registry values, open ports and so on. The Shylock malware, for example, elegantly detects that it is being operated over an RDP session. Analysts at FireEye have found the Upclicker trojan, which shows a new trick: it monitors mouse activity and begins its work only after the user presses and releases the left mouse button. In an ordinary virtual machine the trojan therefore shows no activity at all, because everything there is normally automated and nobody is working the mouse.

The illustration shows the fragment of code in which SetWindowsHookExA is called with the parameter 0Eh (14 decimal). A glance at MSDN confirms that this value is WH_MOUSE_LL, the low-level mouse hook, so the call makes the hook procedure receive every mouse event. The next illustration shows that once the mouse button has been pressed, UnhookWindowsHookEx() is called and then sub_401170(), which is responsible for launching the malicious code.
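The click gate described above, written out in C as an added example (this is not code from the original post, from Upclicker or from the FireEye analysis). The state machine is an assumption that matches the page's wording, press then release then run; the sample's exact checks are in the illustrations, not in the text. The Win32 part registers the hook the way the sample's call suggests, SetWindowsHookExA with WH_MOUSE_LL (0Eh), and is compiled only on Windows; the portable part replays constructed message streams so you can see why an unattended sandbox never reaches the payload and why a sandbox that synthesises a click gets past the gate. The names click_gate_on_message and gate_opens_for are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Values from winuser.h, repeated here so the gating logic also builds
 * outside Windows. 14 (0Eh) is the idHook argument seen in the sample. */
#ifndef WH_MOUSE_LL
#define WH_MOUSE_LL    14
#define HC_ACTION      0
#define WM_MOUSEMOVE   0x0200
#define WM_LBUTTONDOWN 0x0201
#define WM_LBUTTONUP   0x0202
#endif

enum gate_state { GATE_WAIT_DOWN, GATE_WAIT_UP, GATE_OPEN };

struct click_gate {
    enum gate_state state;
    int payload_runs;   /* times the stand-in for sub_401170() was reached */
};

/* Portable model of the hook procedure. WH_MOUSE_LL hands the hook the
 * message id (WM_*) in wParam. The press-then-release sequence is an
 * assumption taken from the description above, not the sample's exact
 * checks. Returns true on the message that opens the gate. */
bool click_gate_on_message(struct click_gate *g, int ncode, unsigned wparam)
{
    if (ncode != HC_ACTION)          /* only HC_ACTION carries a real event */
        return false;
    switch (g->state) {
    case GATE_WAIT_DOWN:
        if (wparam == WM_LBUTTONDOWN)
            g->state = GATE_WAIT_UP;
        return false;
    case GATE_WAIT_UP:
        if (wparam == WM_LBUTTONUP) {
            g->state = GATE_OPEN;
            g->payload_runs++;       /* here the sample calls sub_401170() */
            return true;
        }
        return false;
    default:
        return false;                /* fired already; the sample unhooks */
    }
}

/* Replay a constructed message stream; returns true if the gate opened. */
bool gate_opens_for(const unsigned *msgs, size_t n)
{
    struct click_gate g = { GATE_WAIT_DOWN, 0 };
    for (size_t i = 0; i < n; i++)
        if (click_gate_on_message(&g, HC_ACTION, msgs[i]))
            return true;
    return false;
}

/* Constructed streams: what an unattended sandbox produces vs. a real user. */
static const unsigned SANDBOX_STREAM[] = { WM_MOUSEMOVE, WM_MOUSEMOVE, WM_MOUSEMOVE };
static const unsigned USER_STREAM[]    = { WM_MOUSEMOVE, WM_LBUTTONDOWN, WM_MOUSEMOVE, WM_LBUTTONUP };
/* Countermeasure: a sandbox that injects a complete click (e.g. with
 * SendInput) looks exactly like the user stream to this gate. */
static const unsigned SYNTHETIC_CLICK[] = { WM_LBUTTONDOWN, WM_LBUTTONUP };

#ifdef _WIN32
static HHOOK g_hook;
static struct click_gate g_gate = { GATE_WAIT_DOWN, 0 };

static LRESULT CALLBACK ll_mouse_proc(int ncode, WPARAM wparam, LPARAM lparam)
{
    if (click_gate_on_message(&g_gate, ncode, (unsigned)wparam)) {
        UnhookWindowsHookEx(g_hook);                /* the sample does this, */
        puts("gate open: payload would run here");  /* then calls sub_401170() */
        PostQuitMessage(0);                         /* end the demo's loop */
    }
    return CallNextHookEx(g_hook, ncode, wparam, lparam);
}

int main(void)
{
    MSG msg;
    /* dwThreadId 0 makes the hook global; WH_MOUSE_LL needs a message loop
     * in the installing thread or no events are delivered. */
    g_hook = SetWindowsHookExA(WH_MOUSE_LL, ll_mouse_proc, GetModuleHandleA(NULL), 0);
    if (!g_hook)
        return 1;
    while (GetMessageA(&msg, NULL, 0, 0) > 0) {
        TranslateMessage(&msg);
        DispatchMessageA(&msg);
    }
    return 0;
}
#else
int main(void)
{
    printf("unattended sandbox: gate %s\n", gate_opens_for(SANDBOX_STREAM, 3) ? "open" : "closed");
    printf("real user click:    gate %s\n", gate_opens_for(USER_STREAM, 4) ? "open" : "closed");
    printf("synthetic click:    gate %s\n", gate_opens_for(SYNTHETIC_CLICK, 2) ? "open" : "closed");
    return 0;
}
#endif
```

On Windows, build with a linker line that pulls in user32 (for example `gcc gate.c -luser32` with MinGW, or `cl gate.c user32.lib`), run it, and click anywhere: the hook procedure sees the down and up messages, unhooks itself and prints the "gate open" line, which is the point at which a sample would branch into its real code. Anywhere else the program only replays the three constructed streams. The practical lesson for a sandbox is visible in the third stream: mouse movement alone never satisfies the gate, a full press-and-release does, so an analysis environment that drives synthetic clicks between snapshots sees the behaviour the trojan is trying to hide.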
Analysts expect that in future malware will use such methods even more often, watching for mouse activity, particular key presses, mouse movement or wheel scrolling before starting to exhibit its main functionality.