This is a trojan-analysis write-up; it follows directly on from the previous post: the main site of 悠悠鸟影视论坛 (uuniao) was hacked and a "hacker" planted web malware (挂马) on it!


Details of the trojan dd01.css:

Size: 24.5 KB (25,088 bytes)

MD5: A43EAC1037D1EE14BD3F1FC632DF1EBC

Packer: UPX 0.89.6 - 1.02 / 1.05 - 1.22 -> Markus & Lazlo

Unpacking it directly:

File size       Ratio    Format   Name
--------------  -------  --------  --------
48640 <- 25088  51.58%   win32/pe  dd01.css

Unpacked 1 file.

After unpacking:

Size: 47.5 KB (48,640 bytes)

MD5: BE8EA2ED75EB0E4914759CEA80524695

Unidentified Packer. *

Once run, the trojan first checks for mainstream antivirus products; the list is as follows:

ASCII "avp.EXE"         //Kaspersky Anti-Virus
ASCII "egui.exe"        //ESET NOD32 Antivirus
ASCII "360rp.exe"       //360 Antivirus
ASCII "360sd.exe"       //360 Antivirus
ASCII "kavstart.EXE"    //Kingsoft Antivirus (金山毒霸)
ASCII "RsTray.exe"      //Rising Kaka Internet Security Assistant (瑞星卡卡)
ASCII "RavMonD.exe"     //Rising Antivirus (瑞星杀毒)

It then creates a DLL with a random six-digit numeric name in the temp directory and an EXE with a random six-digit numeric name in the system directory.

It also invokes a batch file to delete itself; I won't go into the details here. The online behaviour-analysis results are at:

http://camas.comodo.com/cgi-bin/submit?file=8ca6b87ff54fbbe6089e777d32ec9cb01e798e1b9e9a870a332d692d55eab81e

http://anubis.iseclab.org/?action=result&task_id=1dc9b871da00d8cf439efff55da61744d&format=html

Call-home (C2) address: ad.ddnc.net:8832 --> 58.221.36.210 --> Nantong, Jiangsu (China Telecom)

That is in the same subnet as the earlier huandan4.8866.org [58.221.36.212]!

And this IP has a long history of hosting web malware and is on plenty of blacklists.

For example: http://www.kafan.cn/article-3462-1.html

The attacker has quite a few free domain names, but the port is, without exception, 8832.

The attacker owns at least several servers with a clear division of labour between them; it is obviously a professional web-malware operation, and a fairly large one.

Professional malware-planting outfits still exist these days, and damn it, they're planting on domestic sites! Got a death wish!

Anyone interested, go pwn his server and swap his little trojan for your own; guaranteed loads of zombie machines, hacker-eats-hacker, no explanation needed...

╭∩╮(︶︿︶)╭∩╮


● File Info
Name Value
Size 48640
MD5 df743cc353cf89601932eb66d6a7cb67
SHA1 3a1ebd480ca42b40bbbe087090a06c96cedd3b60
SHA256 8ca6b87ff54fbbe6089e777d32ec9cb01e798e1b9e9a870a332d692d55eab81e
Process Active
● Keys Created
● Keys Changed
● Keys Deleted
● Values Created
● Values Changed
● Values Deleted
● Directories Created
● Directories Changed
● Directories Deleted
● Files Created
Name Size Last Write Time Creation Time Last Access Time Attr
C:\Documents and Settings\User\Local Settings\Temp\234812.dll 14848 2009.01.09 10:37:33.593 2009.01.09 10:37:33.531 2009.01.09 10:37:33.531 0x20
● Files Changed
● Files Deleted
● Directories Hidden
● Files Hidden
● Drivers Loaded
Base Size Flags Image Name
0xfa0dd000 0x1000 0x9104000 \??\C:\WINDOWS\fonts\pci.sys
● Drivers Unloaded
● Processes Created
PId Process Name Image Name
0x4b4 rundll32.exe C:\WINDOWS\system32\rundll32.exe
● Processes Terminated
● Threads Created
PId Process Name TId Start Start Mem Win32 Start Win32 Start Mem
0x2b0 lsass.exe 0x4c0 0x7c810856 MEM_IMAGE 0x77e76bf0 MEM_IMAGE
0x3f4 svchost.exe 0x40c 0x7c810856 MEM_IMAGE 0x762cf0a3 MEM_IMAGE
0x3f4 svchost.exe 0x674 0x7c810856 MEM_IMAGE 0x7529edb3 MEM_IMAGE
0x3f4 svchost.exe 0x678 0x7c810856 MEM_IMAGE 0x7529e44b MEM_IMAGE
0x3f4 svchost.exe 0x6ac 0x7c810856 MEM_IMAGE 0x75219a1e MEM_IMAGE
0x3f4 svchost.exe 0x6ec 0x7c810856 MEM_IMAGE 0x762cf0a3 MEM_IMAGE
0x4b4 rundll32.exe 0x5d0 0x7c810867 MEM_IMAGE 0x1001bdc MEM_IMAGE
● Modules Loaded
PId Process Name Base Size Flags Image Name
0x3f4 svchost.exe 0x73d30000 0x17000 0x800c4004 C:\WINDOWS\system32\wbem\wbemcons.dll
● Windows Api Calls
PId Image Name Address Function ( Parameters ) | Return Value
0x4b4 C:\WINDOWS\system32\rundll32.exe 0x9223e1 CreateServiceA(hSCManager: 0x9b410, lpServiceName: "acde", lpDisplayName: "acde", dwDesiredAccess: 0x10, dwServiceType: 0x1, dwStartType: 0x3, dwErrorControl: 0x0, lpBinaryPathName: "C:\WINDOWS\fonts\pci.sys", lpLoadOrderGroup: "(null)", lpdwTagId: 0x0, lpDependencies: 0x0, lpServiceStartName: "(null)", lpPassword: 0x0)|0x9b110
● DNS Queries
DNS Query Text
ad.ddnc.nett IN A +
● HTTP Queries
● Verdict
Auto Analysis Verdict
Suspicious+
● Description
Suspicious Actions Detected
Creates system services or drivers
Load system drivers
● Mutexes Created or Opened
PId Image Name Address Mutex Name
0x4ac C:\TEST\sample.exe 0x4022d9 TGmae...
0x4e0 C:\WINDOWS\system32\241562.exe 0x400f4e XETTETT......
0x4e0 C:\WINDOWS\system32\241562.exe 0x76ee3a34 RasPbFile
0x4e0 C:\WINDOWS\system32\241562.exe 0x771ba3ae _!MSFTHISTORY!_
0x4e0 C:\WINDOWS\system32\241562.exe 0x771bc1f9 WininetConnectionMutex
0x4e0 C:\WINDOWS\system32\241562.exe 0x771bc23d WininetProxyRegistryMutex
0x4e0 C:\WINDOWS\system32\241562.exe 0x771bc2dd WininetStartupMutex
0x4e0 C:\WINDOWS\system32\241562.exe 0x771d96e1 c:!documents and settings!user!cookies!
0x4e0 C:\WINDOWS\system32\241562.exe 0x771d96e1 c:!documents and settings!user!local settings!history!history.ie5!
0x4e0 C:\WINDOWS\system32\241562.exe 0x771d96e1 c:!documents and settings!user!local settings!temporary internet files!content.ie5!
0x4e0 C:\WINDOWS\system32\241562.exe 0x91a3ae _!MSFTHISTORY!_
0x4e0 C:\WINDOWS\system32\241562.exe 0x91c21c WininetConnectionMutex
0x4e0 C:\WINDOWS\system32\241562.exe 0x91c23d WininetProxyRegistryMutex
0x4e0 C:\WINDOWS\system32\241562.exe 0x91c2dd WininetStartupMutex
0x4e0 C:\WINDOWS\system32\241562.exe 0x939710 c:!documents and settings!user!cookies!
0x4e0 C:\WINDOWS\system32\241562.exe 0x939710 c:!documents and settings!user!local settings!history!history.ie5!
0x4e0 C:\WINDOWS\system32\241562.exe 0x939710 c:!documents and settings!user!local settings!temporary internet files!content.ie5!
● Events Created or Opened
PId Image Name Address Event Name
0x4b4 C:\WINDOWS\system32\rundll32.exe 0x77de5f48 Global\SvcctrlStartEvent_A3752DX
0x4e0 C:\WINDOWS\system32\241562.exe 0x769c4ec2 Global\userenv: User Profile setup event
0x4e0 C:\WINDOWS\system32\241562.exe 0x77de5f48 Global\SvcctrlStartEvent_A3752DX
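As an added example (not part of the original post or the sandbox), the following Python parses a constructed excerpt of the CAMAS report above and extracts the behaviours the write-up calls out: six-digit random-named binaries in Temp/system32, a kernel driver loaded from the fonts folder, the CreateServiceA installation of that driver, and the DNS query for the call-home host. The parsing heuristics and the abridged CreateServiceA parameter list are this editor's assumptions about the report's plain-text layout.

```python
import re

# Constructed excerpt of the CAMAS sandbox report quoted above (CreateServiceA parameters abridged).
REPORT = r"""● Files Created
Name Size Last Write Time Creation Time Last Access Time Attr
C:\Documents and Settings\User\Local Settings\Temp\234812.dll 14848 2009.01.09 10:37:33.593 2009.01.09 10:37:33.531 2009.01.09 10:37:33.531 0x20
● Drivers Loaded
Base Size Flags Image Name
0xfa0dd000 0x1000 0x9104000 \??\C:\WINDOWS\fonts\pci.sys
● Windows Api Calls
PId Image Name Address Function ( Parameters ) | Return Value
0x4b4 C:\WINDOWS\system32\rundll32.exe 0x9223e1 CreateServiceA(hSCManager: 0x9b410, lpServiceName: "acde", dwServiceType: 0x1, lpBinaryPathName: "C:\WINDOWS\fonts\pci.sys", lpPassword: 0x0)|0x9b110
● DNS Queries
DNS Query Text
ad.ddnc.nett IN A +
● Mutexes Created or Opened
PId Image Name Address Mutex Name
0x4e0 C:\WINDOWS\system32\241562.exe 0x400f4e XETTETT......
"""

# Six-digit numeric .dll/.exe names (the scheme the post describes), the image path of a
# loaded driver, and the service name / binary path of a logged CreateServiceA/W call.
RANDOM_NAME = re.compile(r"[A-Za-z]:\\.*?\\\d{6}\.(?:dll|exe)\b", re.I)
DRIVER_PATH = re.compile(r"([A-Za-z]:\\.+?\.sys)\s*$", re.I)
SERVICE = re.compile(r'CreateService[AW]\(.*?lpServiceName: "([^"]*)".*?lpBinaryPathName: "([^"]*)"')

def split_sections(report):
    """Map each '● Section' heading to its data lines, dropping the column-header line."""
    sections, current = {}, None
    for line in report.splitlines():
        if line.startswith("● "):
            current = line[2:].strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return {name: lines[1:] for name, lines in sections.items()}

def triage(report):
    """Pull the behaviours a defender would pivot on out of the flat report text."""
    s = split_sections(report)
    all_lines = [line for lines in s.values() for line in lines]
    drivers = [m.group(1) for m in map(DRIVER_PATH.search, s.get("Drivers Loaded", [])) if m]
    return {
        "random_named_binaries": sorted({m.group(0) for l in all_lines for m in RANDOM_NAME.finditer(l)}),
        # a kernel driver living outside system32\drivers (here the fonts folder) is a red flag on its own
        "drivers_outside_drivers_dir": [p for p in drivers if "\\system32\\drivers\\" not in p.lower()],
        "service_installs": [m.groups() for m in map(SERVICE.search, s.get("Windows Api Calls", [])) if m],
        "dns_queries": [l.split()[0] for l in s.get("DNS Queries", []) if l.strip()],
    }
```

Run against the full report text the same way; the extracted file names, driver path, service name and host are the values to pivot on in host and DNS logs.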

Comments (old system):

【Anonymous】 @ 2012-07-26 23:12:29

Could you explain what the trojan's check for mainstream antivirus software is for?

Site reply:

It enumerates running processes to identify the antivirus product so that it can apply the matching bypass method; any slightly advanced trojan has this feature.