卡巴斯基发现新型AutoCAD主页木马(转载)-茶余饭后-看雪-安全社区|安全招聘|kanxue.com

卡巴斯基发现新型AutoCAD主页木马(转载)

发表于: 2013-11-19 12:59 965

卡巴斯基发现新型AutoCAD主页木马(转载)

tczs

2013-11-19 12:59

965

新闻链接：53dK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4c8W2j5$3S2Q4x3X3g2U0j5$3W2V1L8X3g2@1i4K6u0W2j5$3!0E0i4K6u0r3j5i4u0@1i4K6u0r3x3e0p5H3x3W2)9J5c8U0t1H3x3e0x3I4x3e0p5^5i4K6u0r3y4e0t1#2y4o6p5$3z5g2)9#2k6U0q4Q4x3X3g2Z5N6r3#2D9
新闻时间：2013.11.19 05:36
新闻正文：

【赛迪网-IT技术讯】本周卡巴斯基发现了两个在AutoCAD平台上传播的新木马：Trojan-Downloader.Acad.Qfas.b和Trojan.Acad.Qfas.o，它们旨在修改浏览器主页地址、弹出广告页面。目前只有卡巴斯基的安全解决方案能够检测出此种新型木马。

AutoCAD是世界流行的建筑制图工具，利用这个平台的病毒不少，但修改主页的木马还是第一次出现。该木马运行时会将用户IE内核的浏览器首页修改，重定向到新网站，从而制造有大批流量的假象。根据卡巴斯基安全网络分析（KSN）显示，这种威胁主要出现在中国、印度和越南。波及浏览器包括：遨游、360和搜狗。

这两个木马使用AutoLISP编写，并被编译成.fas文件。而目前还没有通用的.fas文件的反编译器，这就使得对木马的逆向分析更为困难，所以这两个木马成功逃避了除卡巴斯基外的所有反病毒软件的检测。

木马工作原理

Trojan-Downloader.Acad.Qfas.b负责下载Trojan.Acad.Qfas.o并将其运行。而Trojan.Acad.Qfas.o负责改变浏览器主页，运行浏览器，访问其他广告网站。

1.Trojan-Downloader.Acad.Qfas.b下载Trojan.Acad.Qfas.o。它通常被命名为acad.fas并打包进许多建筑制图压缩包中诱使相关用户下载运行。当AutoCAD执行这个文件，它会将自身复制为shxfont.fas并从1c2K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8W2)9J5b7g2)9J5b7g2)9J5b7g2)9J5k6h3W2K6k6s2g2F1i4K6u0W2j5$3!0E0i4K6u0r3K9X3u0T1k6%4S2X3i4K6u0r3i4K6y4r3k6W2)9K6c8s2A6&6k6s2A6Q4c8e0c8Q4b7U0S2Q4z5p5u0Q4c8e0S2Q4b7V1c8Q4b7V1c8f1M7X3!0B7j5h3&6Q4x3X3g2m8j5$3q4V1i4K6u0W2f1h3k6S2M7#2)9J5k6h3!0Q4c8e0y4Q4z5o6m8Q4z5o6t1`.

2.Trojan.Acad.Qfas.o运行后会遍历系统进程列表，寻找IE、QQ、360、搜狗、遨游等浏览器进程。找到后，该木马会提取浏览器中地址栏的URL，看看它是否包含hao123.com，如果没有，这个木马会让浏览器跳转到cefK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3S2S2L8K6p5J5x3#2)9J5k6h3y4G2L8g2)9J5c8W2)9K6c8Y4c8F1i4K6y4p5i4K6u0m8i4K6u0m8i4K6u0m8z5o6t1$3z5e0q4Q4y4h3k6Z5j5h3!0Q4y4h3k6H3k6#2!0q4x3#2)9^5x3q4)9^5x3W2!0q4z5q4!0m8c8W2!0m8y4g2!0q4y4W2)9&6b7#2!0m8z5q4!0q4z5g2!0m8z5g2!0m8b7#2!0q4z5q4!0n7c8W2)9&6z5q4!0q4y4q4!0n7b7#2)9&6b7g2!0q4y4g2!0m8c8g2)9&6b7g2!0q4y4W2)9&6b7#2)9&6c8W2!0q4y4W2)9^5z5g2)9&6x3#2!0q4y4g2!0n7b7#2)9^5x3q4!0q4y4q4!0n7z5q4)9^5x3q4!0q4y4q4!0n7z5q4!0m8b7g2!0q4y4W2)9&6y4W2!0n7x3q4!0q4y4W2!0n7y4g2)9^5c8W2!0q4z5q4!0m8y4#2)9^5z5q4!0q4y4g2)9&6z5g2!0m8z5q4!0q4z5q4!0n7c8W2)9&6b7W2!0q4y4#2!0m8z5q4)9^5b7W2!0q4c8W2!0n7b7#2)9^5b7#2!0q4z5q4!0m8c8g2!0n7c8W2!0q4z5g2)9&6y4#2!0m8c8h3S2@1N6s2m8Q4x3@1q4Q4x3V1k6Q4x3V1k6Q4x3V1q4Q4x3V1q4Q4x3X3g2*7k6i4q4B7i4K6u0W2K9h3&6X3L8#2)9J5c8Y4A6D9i4K6u0W2K9s2c8E0i4@1f1K6i4K6R3H3i4K6R3J5i4@1f1%4i4K6R3@1i4@1t1$3i4@1f1#2i4K6V1H3i4K6S2q4i4@1f1@1i4@1u0r3i4@1q4q4i4@1f1$3i4K6V1@1i4@1t1&6i4@1f1$3i4@1t1K6i4@1p5^5i4@1f1#2i4K6R3$3i4K6S2o6i4@1f1^5i4@1p5I4i4@1p5^5i4@1g2r3i4@1u0o6i4K6S2o6i4@1f1$3i4K6V1@1i4@1t1&6i4@1f1#2i4K6S2r3i4K6V1^5i4@1f1$3i4@1t1#2i4K6S2r3i4@1f1^5i4@1p5%4i4K6R3^5i4@1f1#2i4K6V1&6i4@1p5^5i4@1f1@1i4@1t1^5i4@1u0n7i4@1f1&6i4@1p5I4i4@1t1#2i4@1f1@1i4@1t1^5i4@1u0m8K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3S2S2L8K6p5J5x3#2)9J5k6h3y4G2L8g2)9J5c8W2)9K6c8Y4c8F1i4K6y4p5i4K6u0m8i4K6u0m8i4K6u0m8z5o6t1$3z5e0q4Q4y4h3k6Z5j5h3!0Q4y4h3k6H3k6#2!0q4x3#2)9^5x3q4)9^5x3W2!0q4y4q4!0n7z5q4!0n7b7g2!0q4y4q4!0n7b7g2)9^5y4W2!0q4y4W2)9&6y4q4!0n7z5g2!0q4y4g2)9^5c8W2)9&6z5q4!0q4y4W2)9&6x3q4)9&6b7#2!0q4y4#2)9^5b7W2)9&6y4#2!0q4y4W2!0n7y4g2)9^5c8W2!0q4z5q4!0m8y4#2)9^5z5q4!0q4y4g2)9&6z5g2!0m8z5q4!0q4y4#2)9&6b7g2)9^5y4q4!0q4y4q4!0n7z5q4!0n7b7W2!0q4z5g2!0m8x3g2!0n7y4g2!0q4c8W2!0n7b7#2)9^5b7#2!0q4y4W2)9&6b7#2!0m8z5q4!0q4z5g2!0m8z5g2!0m8b7#2!0q4z5q4!0n7c8W2)9&6z5q4!0q4y4q4!0n7b7#2)9&6b7g2!0q4y4q4!0n7c8W2!0m8c8g2!0q4y4W2)9&6y4q4!0n7z5g2!0q4y4W2)9&6x3q4)9&6b7#2!0q4y4#2)9^5b7W2)9&6y4#2!0q4y4W2!0n7y4g2)9^5c8W2!0q4z5q4!0m8y4#2)9^5z5q4!0q4y4g2)9&6z5g2!0m8z5q4!0q4y4#2)9&6b7g2)9^5y4q4!0q4z5g2)9^5y4g2)9^5c8q4!0q4y4#2!0n7c8q4!0m8c8g2!0q4y4W2)9&6y4W2)9^5y4#2!0q4y4q4!0n7b7W2!0n7y4W2)9J5y4i4g2K6k6i4u0H3M7X3!0X3K9h3I4W2i4K6t1#2i4K6g2o6j5i4m8H3k6r3q4@1j5g2)9#2b7#2y4G2N6h3N6G2N6h3g2^5M7r3I4G2M7X3g2J5i4K6g2o6j5$3!0F1k6X3W2Y4i4K6u0W2P5r3#2D9i4@1f1K6i4K6R3H3i4K6R3J5i4@1f1^5i4K6R3H3i4K6S2o6i4@1f1@1i4@1t1^5i4K6V1@1i4@1f1#2i4@1q4q4i4K6R3K6i4@1f1^5i4@1u0r3i4K6V1^5i4@1f1@1i4@1u0o6i4K6W2m8i4@1f1$3i4K6W2r3i4@1p5#2i4@1f1%4i4K6W2o6i4K6S2n7i4@1f1$3i4K6W2r3i4K6V1H3i4@1f1@1i4@1u0m8i4K6W2n7K9r3W2H3M7#2!0q4z5q4!0n7c8q4!0m8c8W2!0q4y4q4!0n7b7W2!0n7y4W2!0q4y4W2)9^5z5q4)9&6y4W2!0q4y4W2!0n7x3W2)9&6z5g2!0q4y4#2)9&6b7W2)9&6x3W2!0q4z5q4!0n7c8q4!0m8c8W2!0q4y4q4!0n7b7W2!0n7y4W2!0q4y4#2)9&6b7g2)9^5y4q4!0q4z5q4!0n7c8W2)9&6b7W2!0q4y4#2!0m8z5q4)9^5b7W2!0q4y4W2)9&6z5q4!0m8c8W2!0q4y4g2)9&6x3q4!0m8y4W2!0q4y4g2!0m8c8q4)9&6z5q4!0q4y4g2)9&6b7#2!0m8z5q4!0q4x3#2)9^5x3q4)9^5x3W2!0q4y4g2!0m8y4W2)9^5x3W2!0q4y4W2)9&6c8g2)9&6b7#2!0q4y4g2!0m8c8q4)9&6z5q4!0q4y4g2)9&6b7#2!0m8z5q4!0q4c8W2!0n7b7#2)9^5b7#2!0q4y4g2)9^5z5q4)9&6z5g2!0q4y4q4!0n7b7#2)9&6b7g2!0q4y4g2)9^5z5q4!0m8x3q4!0q4z5g2)9&6z5g2!0m8y4q4!0q4z5q4)9^5y4#2!0m8b7g2!0q4z5q4!0n7b7g2!0m8b7W2!0q4x3#2)9^5x3q4)9^5x3R3`.`.

3.eb3K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3S2S2L8K6p5J5x3#2)9J5k6h3y4G2L8g2)9J5c8W2)9K6c8Y4c8F1i4K6y4p5i4K6u0m8i4K6u0m8i4K6u0m8z5o6t1$3z5e0q4Q4y4h3k6Z5j5h3!0Q4y4h3k6H3i4@1f1@1i4@1t1^5i4@1q4p5i4@1f1%4i4K6W2m8i4K6R3@1i4K6u0m8i4K6u0m8i4K6u0m8z5o6t1$3z5e0q4Q4y4h3k6Z5j5h3!0Q4y4h3k6H3i4@1f1$3i4K6V1^5i4@1q4r3i4@1f1$3i4K6W2r3i4K6V1H3K9r3q4G2x3e0t1K6i4K6u0W2j5$3!0E0i4@1f1%4i4K6W2m8i4K6R3@1i4@1f1$3i4K6S2q4i4@1p5^5i4@1f1#2i4@1t1&6i4@1u0r3i4@1f1@1i4@1u0m8i4@1u0m8i4@1f1%4i4K6W2m8i4K6R3@1d9f1c8Q4c8e0y4Q4z5o6m8Q4z5o6u0Z5j5h3)9I4x3U0y4Q4x3X3g2U0L8$3#2Q4c8e0c8Q4b7V1y4Q4z5f1q4Q4c8e0k6Q4z5p5y4Q4z5o6W2Q4c8e0N6Q4z5o6g2Q4b7e0N6Q4c8e0k6Q4b7f1c8Q4b7e0c8Q4c8e0k6Q4z5p5g2Q4b7e0S2Q4c8e0g2Q4b7U0W2Q4b7V1k6Q4c8e0c8Q4b7V1q4Q4b7V1q4Q4c8e0c8Q4b7U0S2Q4b7V1q4Q4c8e0N6Q4b7V1c8Q4z5e0q4Q4c8e0N6Q4b7f1u0Q4z5e0W2Q4c8e0g2Q4b7U0S2Q4b7e0k6Q4c8e0k6Q4z5f1c8Q4b7e0g2Q4c8e0N6Q4z5f1q4Q4z5o6c8Q4c8e0k6Q4b7U0g2Q4z5o6q4Q4c8e0W2Q4z5o6N6Q4z5p5k6Q4c8e0g2Q4z5e0u0Q4z5p5y4Q4c8e0k6Q4b7f1c8Q4b7e0c8Q4c8e0k6Q4z5p5g2Q4b7e0S2Q4c8e0g2Q4b7U0W2Q4b7V1k6Q4c8e0c8Q4b7V1q4Q4b7V1q4Q4c8e0g2Q4z5o6S2Q4z5o6k6Q4c8e0k6Q4z5o6S2Q4z5e0m8Q4c8e0y4Q4z5o6m8Q4z5o6u0Z5N6s2c8H3i4K6y4m8i4K6u0r3i4K6u0r3i4K6u0m8i4K6u0m8i4K6u0W2P5X3g2I4K9W2)9J5k6h3W2F1k6X3!0Q4x3V1k6*7L8q4)9J5k6h3S2@1L8g2!0q4y4g2)9^5z5q4)9&6z5g2!0q4y4W2)9&6b7W2!0n7y4q4!0q4y4W2)9&6b7#2)9^5z5g2!0q4y4W2)9^5y4q4)9^5c8W2!0q4y4W2)9^5x3q4)9&6c8q4!0q4c8W2!0n7b7#2)9^5b7#2!0q4y4g2!0m8c8g2)9^5x3#2!0q4y4q4!0n7b7#2)9&6b7g2!0q4y4g2)9^5z5q4!0n7y4#2!0q4y4W2)9&6y4W2!0n7x3q4!0q4y4W2!0n7y4g2)9^5c8W2!0q4z5q4!0m8y4#2)9^5z5q4!0q4y4g2)9&6z5g2!0m8z5q4!0q4y4q4!0n7c8q4!0n7c8W2!0q4y4q4!0n7z5g2)9^5b7W2!0q4z5q4!0n7y4#2!0n7x3#2!0q4z5q4!0n7c8q4!0m8b7#2!0q4y4g2)9^5z5q4!0n7x3r3S2@1N6s2m8Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2K6L8$3S2#2N6s2k6Q4x3V1q4Q4x3V1q4Q4x3V1p5H3x3e0u0Q4x3X3g2C8j5h3&6Y4j5$3q4Q4x3X3g2U0L8$3#2Q4x3V1k6Q4c8e0u0Q4z5o6m8Q4b7e0k6Q4c8e0y4Q4z5o6m8Q4z5o6u0Q4c8e0N6Q4z5o6c8Q4b7U0k6Q4c8e0g2Q4z5e0m8Q4z5p5g2Q4c8e0g2Q4z5o6k6Q4z5p5c8Q4c8e0S2Q4b7U0N6Q4b7U0y4Q4c8e0g2Q4z5o6S2Q4b7U0m8%4k6h3&6&6K9h3&6Y4i4K6u0m8i4K6u0m8i4K6u0m8i4K6u0W2j5$3!0E0i4@1f1K6i4K6R3H3i4K6R3J5i4@1f1$3i4K6W2o6i4K6R3H3i4@1f1#2i4K6V1H3i4K6S2q4N6$3g2F1P5h3W2F1k6#2)9J5b7g2)9J5b7g2)9J5b7g2)9J5k6h3y4G2L8g2!0q4y4q4!0n7b7#2)9&6b7g2!0q4y4W2)9&6z5q4!0n7c8g2!0q4y4#2!0m8y4q4!0n7b7g2!0q4y4g2!0n7z5g2!0n7c8W2!0q4y4g2)9&6x3g2)9^5b7g2!0q4z5g2!0m8x3g2!0n7y4g2!0q4c8W2!0n7b7#2)9^5b7#2!0q4y4W2!0m8c8W2)9&6y4q4!0q4y4g2!0m8y4W2)9^5x3W2!0q4c8W2!0n7b7#2)9&6b7b7`.`.

AutoCAD使用非常广泛，AutoLISP语言也已经足够强大，加上编译后的.fas文件没有反编译器很难分析，这使得AutoCAD对于编写传播恶意软件十分理想。黑客们在想尽一切办法编写传播恶意程序、逃避安全软件查杀，只有依靠强大可靠的安全解决方案才能免受威胁。

(责任编辑：钼铁)

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

#资讯

收藏・0

免费・0

支持