울지않는벌새 : Security, Movie & Society

Malware Distributed via MSN Messages

벌새::Analysis

I have confirmed a case in which malware is being distributed by hijacking an MSN account and then sending messages to the friends registered on it, luring them into clicking a link to a specific site.

Visiting that link leads to a video-upload site like the one shown above, which appears to download malware by exploiting the Windows security vulnerability recently reported in zero-day attacks together with an Adobe Flash vulnerability.

hxxp://www.sofec.21s.fr/blog/index.htm
 - hxxp://www.sofec.21s.fr/blog/fl.htm
  -> hxxp://www.sofec.21s.fr/blog/i1.htm <MS IE>
   ->> hxxp://www.sofec.21s.fr/blog/flash/ii115.swf <AhnLab-V3 : Win-Trojan/Exploit-SWF.Gen>
   ->> hxxp://www.sofec.21s.fr/blog/flash/i47.swf <AhnLab-V3 : Win-Trojan/Exploit-SWF.Gen>
   ->> hxxp://www.sofec.21s.fr/blog/flash/i16.swf <AhnLab-V3 : Win-Trojan/Exploit-SWF.Gen>
   ->> hxxp://www.sofec.21s.fr/blog/flash/i45.swf <AhnLab-V3 : Win-Trojan/Exploit-SWF.Gen>
   ->> hxxp://www.sofec.21s.fr/blog/flash/i64.swf <AhnLab-V3 : Win-Trojan/Exploit-SWF.Gen>
   ->> hxxp://www.sofec.21s.fr/blog/flash/i28.swf <AhnLab-V3 : Win-Trojan/Exploit-SWF.Gen>
  -> hxxp://www.sofec.21s.fr/blog/f2.htm <Firefox>
   ->> hxxp://www.sofec.21s.fr/blog/flash/flash/ff115.swf <blocked>
   ->> hxxp://www.sofec.21s.fr/blog/flash/flash/f28.swf <blocked>
   ->> hxxp://www.sofec.21s.fr/blog/flash/flash/f16.swf <blocked>
   ->> hxxp://www.sofec.21s.fr/blog/flash/flash/f45.swf <blocked>
   ->> hxxp://www.sofec.21s.fr/blog/flash/flash/f64.swf <blocked>
   ->> hxxp://www.sofec.21s.fr/blog/flash/flash/f47.swf <blocked>
 - hxxp://www.sofec.21s.fr/blog/index2.htm <AhnLab-V3 : JS/Mult>
 - hxxp://www.sofec.21s.fr/blog/hker.htm <McAfee : Exploit-ObscuredHtml>

* Be careful: these links can infect your computer.

The compromised site appears thorough enough to serve malware both to visitors using the MS Internet Explorer web browser and to those using Firefox.

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.01 -
AhnLab-V3 2008.12.31.0 2009.01.02 Win-Trojan/Exploit-SWF.Gen
AntiVir 7.9.0.45 2009.01.01 EXP/Flash.Gen
Authentium 5.1.0.4 2009.01.01 -
Avast 4.8.1281.0 2009.01.01 SWF:CVE-2007-0071
AVG 8.0.0.199 2009.01.01 -
BitDefender 7.2 2009.01.02 Exploit.SWF.Gen
CAT-QuickHeal 10.00 2009.01.02 -
ClamAV 0.94.1 2009.01.02 -
Comodo 859 2009.01.01 -
DrWeb 4.44.0.09170 2009.01.02 -
eTrust-Vet 31.6.6287 2009.01.01 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.01 -
F-Secure 8.0.14470.0 2009.01.02 -
Fortinet 3.117.0.0 2009.01.02 -
GData 19 2009.01.02 Exploit.SWF.Gen
Ikarus T3.1.1.45.0 2009.01.02 -
K7AntiVirus 7.10.572 2008.12.31 -
Kaspersky 7.0.0.125 2009.01.02 -
McAfee 5481 2009.01.02 -
McAfee+Artemis 5481 2009.01.01 -
Microsoft 1.4205 2009.01.01 Exploit:Win32/APSB08-11.gen!A
NOD32 3731 2009.01.01 -
Norman 5.80.02 2009.01.01 -
Panda 9.0.0.4 2009.01.01 -
PCTools 4.4.2.0 2009.01.01 -
Prevx1 V2 2009.01.02 -
Rising 21.10.22.00 2008.12.31 -
SecureWeb-Gateway 6.7.6 2009.01.02 Exploit.Flash.Gen
Sophos 4.37.0 2009.01.02 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2009.01.02 -
TheHacker 6.3.1.4.204 2009.01.02 -
TrendMicro 8.700.0.1004 2009.01.01 -
VBA32 3.12.8.10 2009.01.01 -
ViRobot 2008.12.30.1540 2008.12.31 -
VirusBuster 4.5.11.0 2009.01.01 -
Additional information
File size: 1786 bytes
MD5...: af9d17aa87b305eb54cf371bc7bca3bd
SHA1..: 984582b66af820403d3c8d17dac60027516234f1

The SWF file it attempts to download targets users running a vulnerable version of Adobe Flash.

[index2.htm]

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.01 Exploit.JS.Mult!IK
AhnLab-V3 2008.12.31.0 2009.01.02 JS/Mult
AntiVir 7.9.0.45 2009.01.01 HTML/Shellcode.Gen
Authentium 5.1.0.4 2009.01.01 -
Avast 4.8.1281.0 2009.01.01 JS:XMLParse-A
AVG 8.0.0.199 2009.01.01 -
BitDefender 7.2 2009.01.02 Trojan.JS.Downloader.BFL
CAT-QuickHeal 10.00 2009.01.02 -
ClamAV 0.94.1 2009.01.02 -
Comodo 859 2009.01.01 -
DrWeb 4.44.0.09170 2009.01.02 -
eTrust-Vet 31.6.6287 2009.01.01 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.01 -
F-Secure 8.0.14470.0 2009.01.02 -
Fortinet 3.117.0.0 2009.01.02 -
GData 19 2009.01.02 JS:XMLParse-A
Ikarus T3.1.1.45.0 2009.01.02 Exploit.JS.Mult
K7AntiVirus 7.10.572 2008.12.31 -
Kaspersky 7.0.0.125 2009.01.02 -
McAfee 5481 2009.01.02 Exploit-ObscuredHtml
McAfee+Artemis 5481 2009.01.01 Exploit-ObscuredHtml
Microsoft 1.4205 2009.01.01 Exploit:JS/Mult.AI
NOD32 3731 2009.01.01 -
Norman 5.80.02 2009.01.01 -
Panda 9.0.0.4 2009.01.01 -
PCTools 4.4.2.0 2009.01.01 -
Prevx1 V2 2009.01.02 -
Rising 21.10.22.00 2008.12.31 -
SecureWeb-Gateway 6.7.6 2009.01.02 Script.Shellcode.Gen
Sophos 4.37.0 2009.01.02 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2009.01.02 -
TheHacker 6.3.1.4.204 2009.01.02 -
TrendMicro 8.700.0.1004 2009.01.01 -
VBA32 3.12.8.10 2009.01.01 -
ViRobot 2008.12.30.1540 2008.12.31 -
VirusBuster 4.5.11.0 2009.01.01 -
Additional information
File size: 14405 bytes
MD5...: 0e3e07aa501a9149b10138f36602d538
SHA1..: 010475bb1289b6d7ea67ae5c76258a993320e5e3

This is malware that exploits the recent MS Internet Explorer XML-parsing zero-day vulnerability.

[hker.htm]

Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.31 -
AhnLab-V3 2008.12.31.0 2009.01.02 -
AntiVir 7.9.0.45 2009.01.01 HTML/Malicious.ActiveX.Gen
Authentium 5.1.0.4 2009.01.01 -
Avast 4.8.1281.0 2009.01.01 VBS:Obfuscated-gen
AVG 8.0.0.199 2008.12.31 JS/Downloader.Agent
BitDefender 7.2 2009.01.02 -
CAT-QuickHeal 10.00 2009.01.02 -
ClamAV 0.94.1 2009.01.02 -
Comodo 851 2008.12.31 -
DrWeb 4.44.0.09170 2009.01.02 VBS.Psyme.239
eTrust-Vet 31.6.6287 2009.01.01 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2008.12.30 -
F-Secure 8.0.14470.0 2009.01.02 -
Fortinet 3.117.0.0 2009.01.02 -
GData 19 2008.12.31 VBS:Obfuscated-gen
Ikarus T3.1.1.45.0 2009.01.02 -
K7AntiVirus 7.10.572 2008.12.31 -
Kaspersky 7.0.0.125 2009.01.02 -
McAfee 5481 2009.01.02 Exploit-ObscuredHtml
McAfee+Artemis 5479 2008.12.30 Exploit-ObscuredHtml
Microsoft 1.4205 2009.01.01 TrojanDownloader:HTML/Adodb.gen!A
NOD32 3725 2008.12.31 -
Norman 5.80.02 2009.01.01 -
Panda 9.0.0.4 2009.01.01 -
PCTools 4.4.2.0 2008.12.31 -
Prevx1 V2 2009.01.02 -
Rising 21.10.22.00 2008.12.31 -
SecureWeb-Gateway 6.7.6 2008.12.31 Script.Malicious.ActiveX.Gen
Sophos 4.37.0 2009.01.02 Mal/ObsHTML-A
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.31 -
TheHacker 6.3.1.4.204 2009.01.02 -
TrendMicro 8.700.0.1004 2008.12.31 -
VBA32 3.12.8.10 2009.01.01 -
ViRobot 2008.12.30.1540 2008.12.31 -
VirusBuster 4.5.11.0 2009.01.01 -
Additional information
File size: 6667 bytes
MD5...: 63492606c54e8c5eeb0317465ed06e9d
SHA1..: 8ac74d309e1e29a2a0134ad77e6e1da757146703


The malware that exploits these various vulnerabilities ultimately downloads an EXE file, which infects the computer with additional malware.

hxxp://www.sofec.21s.fr/blog/test2.exe <AhnLab-V3 : Win-Trojan/Downloader.6144.UG>
 - hxxp://www.haola123123.com/000262.htm <NOD32 : Win32/TrojanDownloader.Agent.ONH>
  -> hxxp://www.haola123123.com/000f1.htm <NOD32 : Win32/Agent.OMX>
  -> hxxp://www.haola123123.com/000f2.htm <NOD32 : Win32/Agent.OMX>

* Be careful: these links can infect your computer.

[test2.exe]

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.01 Win32.SuspectCrc!IK
AhnLab-V3 2008.12.31.0 2009.01.02 Win-Trojan/Downloader.6144.UG
AntiVir 7.9.0.45 2009.01.01 TR/Downloader.Gen
Authentium 5.1.0.4 2009.01.01 -
Avast 4.8.1281.0 2009.01.01 Win32:Trojan-gen {Other}
AVG 8.0.0.199 2009.01.01 Downloader.Generic7.BEDD
BitDefender 7.2 2009.01.02 Generic.Malware.dld!!.24F79490
CAT-QuickHeal 10.00 2009.01.02 TrojanDownloader.Small.aibm
ClamAV 0.94.1 2009.01.02 -
Comodo 859 2009.01.01 -
DrWeb 4.44.0.09170 2009.01.02 DLOADER.Trojan
eTrust-Vet 31.6.6287 2009.01.01 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.01 -
Fortinet 3.117.0.0 2009.01.02 PossibleThreat
GData 19 2009.01.02 Generic.Malware.dld!!.24F79490
Ikarus T3.1.1.45.0 2009.01.02 Win32.SuspectCrc
K7AntiVirus 7.10.572 2008.12.31 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.01.02 Trojan-Downloader.Win32.Small.aibm
McAfee 5481 2009.01.02 Generic Downloader.x
McAfee+Artemis 5481 2009.01.01 Generic Downloader.x
Microsoft 1.4205 2009.01.01 TrojanDownloader:Win32/Sunacha.A
NOD32 3731 2009.01.01 Win32/TrojanDownloader.Small.OJV
Norman 5.80.02 2009.01.01 W32/DLoader.MAIC
Panda 9.0.0.4 2009.01.01 Suspicious file
PCTools 4.4.2.0 2009.01.01 Trojan-Downloader.Agent.TMW
Rising 21.10.22.00 2008.12.31 Trojan.DL.Win32.Small.zpa
SecureWeb-Gateway 6.7.6 2009.01.02 Trojan.Downloader.Gen
Sophos 4.37.0 2009.01.02 Troj/Dload-ES
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2009.01.02 -
TheHacker 6.3.1.4.204 2009.01.02 -
TrendMicro 8.700.0.1004 2009.01.02 Possible_DLDER
VBA32 3.12.8.10 2009.01.01 Win32.TrojanDownloader.Small.OJV
ViRobot 2008.12.30.1540 2008.12.31 -
VirusBuster 4.5.11.0 2009.01.01 -
Additional information
File size: 6144 bytes
MD5...: 3658de0c69ff92ceb495e41cc5d7a8ad
SHA1..: f41abef14a75b62464656c20cf496445c295c168


This Trojan was confirmed to go on to connect to a specific server and download yet more malware.

[000262.htm]

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.01 Trojan-Downloader.Win32.Sunacha!IK
AhnLab-V3 2008.12.31.0 2009.01.02 -
AntiVir 7.9.0.45 2009.01.01 HEUR/Malware
Authentium 5.1.0.4 2009.01.01 -
Avast 4.8.1281.0 2009.01.01 -
AVG 8.0.0.199 2009.01.01 Downloader.Generic7.BEDF
BitDefender 7.2 2009.01.02 -
CAT-QuickHeal 10.00 2009.01.02 -
ClamAV 0.94.1 2009.01.02 -
Comodo 859 2009.01.01 -
DrWeb 4.44.0.09170 2009.01.02 Trojan.DownLoader.origin
eTrust-Vet 31.6.6287 2009.01.01 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.01 -
F-Secure 8.0.14470.0 2009.01.02 W32/Downloader
Fortinet 3.117.0.0 2009.01.02 -
GData 19 2009.01.02 -
Ikarus T3.1.1.45.0 2009.01.02 Trojan-Downloader.Win32.Sunacha
K7AntiVirus 7.10.572 2008.12.31 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.01.02 -
McAfee 5481 2009.01.02 -
McAfee+Artemis 5481 2009.01.01 Generic!Artemis
Microsoft 1.4205 2009.01.01 TrojanDownloader:Win32/Sunacha.B
NOD32 3731 2009.01.01 Win32/TrojanDownloader.Agent.ONH
Norman 5.80.02 2009.01.01 W32/Downloader.SYH
Panda 9.0.0.4 2009.01.01 Suspicious file
PCTools 4.4.2.0 2009.01.01 Trojan-Downloader.Agent.TMW
Prevx1 V2 2009.01.02 -
Rising 21.10.22.00 2008.12.31 -
SecureWeb-Gateway 6.7.6 2009.01.02 Heuristic.Malware
Sophos 4.37.0 2009.01.02 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2009.01.02 -
TheHacker 6.3.1.4.204 2009.01.02 -
TrendMicro 8.700.0.1004 2009.01.02 -
VBA32 3.12.8.10 2009.01.01 Win32.TrojanDownloader.Agent.ONH
ViRobot 2008.12.30.1540 2008.12.31 -
VirusBuster 4.5.11.0 2009.01.01 -
Additional information
File size: 26112 bytes
MD5...: c5d36a2aab3202030a73858f2937cfd0
SHA1..: f39d280e0a94f57e71f5f3453b79d78853c5862c

Creates the files %System%\Ps3rm32.exe and %System%\Su32pn2.exe and downloads additional files

[000f1.htm]

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.01 Win32.SuspectCrc!IK
AhnLab-V3 2008.12.31.0 2009.01.02 -
AntiVir 7.9.0.45 2009.01.01 TR/Spy.Gen
Authentium 5.1.0.4 2009.01.01 -
Avast 4.8.1281.0 2009.01.01 Win32:Spyware-gen
AVG 8.0.0.199 2009.01.01 Downloader.Generic_r.CN
BitDefender 7.2 2009.01.02 Generic.Malware.Sdld.95EF8932
CAT-QuickHeal 10.00 2009.01.02 -
ClamAV 0.94.1 2009.01.02 -
Comodo 859 2009.01.01 -
DrWeb 4.44.0.09170 2009.01.02 DLOADER.Trojan
eTrust-Vet 31.6.6287 2009.01.01 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.01 -
F-Secure 8.0.14470.0 2009.01.02 -
Fortinet 3.117.0.0 2009.01.02 -
GData 19 2009.01.02 Win32:Spyware-gen
Ikarus T3.1.1.45.0 2009.01.02 Win32.SuspectCrc
K7AntiVirus 7.10.572 2008.12.31 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.01.02 -
McAfee 5481 2009.01.02 -
McAfee+Artemis 5481 2009.01.01 Generic!Artemis
Microsoft 1.4205 2009.01.01 TrojanDownloader:Win32/Sunacha.C
NOD32 3731 2009.01.01 Win32/Agent.OMX
Norman 5.80.02 2009.01.01 -
Panda 9.0.0.4 2009.01.01 Suspicious file
PCTools 4.4.2.0 2009.01.01 Trojan-Downloader.Agent.TMW
Prevx1 V2 2009.01.02 -
Rising 21.10.22.00 2008.12.31 Backdoor.Win32.IRCbot.wyy
SecureWeb-Gateway 6.7.6 2009.01.02 Trojan.Spy.Gen
Sophos 4.37.0 2009.01.02 Mal/Behav-004
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2009.01.02 -
TheHacker 6.3.1.4.204 2009.01.02 -
TrendMicro 8.700.0.1004 2009.01.02 PAK_Generic.001
VBA32 3.12.8.10 2009.01.01 Trojan-Downloader.Win32.Agent.tmw
ViRobot 2008.12.30.1540 2008.12.31 -
VirusBuster 4.5.11.0 2009.01.01 -
Additional information
File size: 33280 bytes
MD5...: f875f492db1186ab81434c1487d0f799
SHA1..: 5ca3ce514d8919ab93a457081aebeb2df3b58c55


[000f2.htm]

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.01 Trojan-Downloader.Win32.Sunacha!IK
AhnLab-V3 2008.12.31.0 2009.01.02 -
AntiVir 7.9.0.45 2009.01.01 TR/Spy.Gen
Authentium 5.1.0.4 2009.01.01 W32/OnlineGames.AJ.gen!Eldorado
Avast 4.8.1281.0 2009.01.01 Win32:Spyware-gen
AVG 8.0.0.199 2009.01.01 Downloader.Generic_r.CN
BitDefender 7.2 2009.01.02 -
CAT-QuickHeal 10.00 2009.01.02 -
ClamAV 0.94.1 2009.01.02 -
Comodo 859 2009.01.01 -
DrWeb 4.44.0.09170 2009.01.02 -
eTrust-Vet 31.6.6287 2009.01.01 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.01 W32/OnlineGames.AJ.gen!Eldorado
F-Secure 8.0.14470.0 2009.01.02 -
Fortinet 3.117.0.0 2009.01.02 -
GData 19 2009.01.02 Win32:Spyware-gen
Ikarus T3.1.1.45.0 2009.01.02 Trojan-Downloader.Win32.Sunacha
K7AntiVirus 7.10.572 2008.12.31 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.01.02 -
McAfee 5481 2009.01.02 Generic.dx
McAfee+Artemis 5481 2009.01.01 Generic.dx
Microsoft 1.4205 2009.01.01 TrojanDownloader:Win32/Sunacha.C
NOD32 3731 2009.01.01 Win32/Agent.OMX
Norman 5.80.02 2009.01.01 -
Panda 9.0.0.4 2009.01.01 Suspicious file
PCTools 4.4.2.0 2009.01.01 Trojan-Downloader.Agent.TMW
Prevx1 V2 2009.01.02 -
Rising 21.10.22.00 2008.12.31 -
SecureWeb-Gateway 6.7.6 2009.01.02 Trojan.Spy.Gen
Sophos 4.37.0 2009.01.02 Mal/Behav-004
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2009.01.02 -
TheHacker 6.3.1.4.204 2009.01.02 -
TrendMicro 8.700.0.1004 2009.01.02 PAK_Generic.001
VBA32 3.12.8.10 2009.01.01 Trojan-Downloader.Win32.Agent.tmw
ViRobot 2008.12.30.1540 2008.12.31 -
VirusBuster 4.5.11.0 2009.01.01 -
Additional information
File size: 33792 bytes
MD5...: c084c7aa46d80554fa5410e7f88e7ada
SHA1..: acb3296690b58819ad6ef95a763f777d9fd02a7a

<Registry entries created>

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MyId
 IDValue = "{6FCBE89F-45C6-454D-91D2-65ACBA756E4D}"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
 SUNHELP = "%System%\Ps3rm32.exe"

<Registry entries modified>

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
 load = "%System%\Su32pn2.exe"

Opens a specific port and connects to a specific site
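As an added example (not the blog author's tooling), the Python script below parses a Windows .reg export and flags the three persistence artifacts listed above: the MyId marker key, the SUNHELP Run entry, and the legacy "load" value. The sample export and the C:\WINDOWS\system32 paths in it are constructed for the demonstration, and %System% is assumed to resolve to the system32 directory; on a real machine you would feed it the output of `reg export`.

```python
"""Detect the registry persistence artifacts listed in this post in a .reg export.

Added example, not the blog's own tooling. Runs offline on the constructed
export below; on a live host, feed it the output of `reg export`."""
import re
from typing import Dict, List, Tuple

# Constructed sample export. The three keys mirror the post's listing; the
# "Harmless" Run entry is filler the scanner should leave alone.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MyId]
"IDValue"="{6FCBE89F-45C6-454D-91D2-65ACBA756E4D}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Harmless"="C:\\Program Files\\Example\\updater.exe"
"SUNHELP"="C:\\WINDOWS\\system32\\Ps3rm32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\WINDOWS\\system32\\Su32pn2.exe"
'''

# Indicators from the post. %System% is assumed to resolve to the system32
# directory, so only the file name is compared (case-insensitively).
IOC_FILES = {"ps3rm32.exe", "su32pn2.exe"}
MYID_KEY = r"hkey_local_machine\software\microsoft\myid"
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
LOAD_KEY = r"hkey_current_user\software\microsoft\windows nt\currentversion\windows"

Finding = Tuple[str, str, str]  # (reason, registry location, value)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser for REG_SZ values: lower-cased key path -> {name: value}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg files escape backslashes and quotes with a backslash
            keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys


def _basename(path: str) -> str:
    return path.strip('"').split("\\")[-1].lower()


def scan_persistence(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Return the artifacts that match the post's infection markers."""
    findings: List[Finding] = []

    # 1. The MyId key holds the marker GUID the Trojan writes on infection.
    if MYID_KEY in keys:
        findings.append(("MyId marker key present", MYID_KEY,
                         keys[MYID_KEY].get("IDValue", "")))

    # 2. Run entries that launch one of the dropped files.
    for name, value in keys.get(RUN_KEY, {}).items():
        if _basename(value) in IOC_FILES:
            findings.append(("Run entry launches dropped file", f"{RUN_KEY}\\{name}", value))

    # 3. The legacy "load" value is almost never set legitimately, so flag it
    #    whenever it is non-empty, and note when it points at a known file.
    load = keys.get(LOAD_KEY, {}).get("load", "")
    if load:
        reason = "load value set"
        if _basename(load) in IOC_FILES:
            reason += " (known dropped file)"
        findings.append((reason, f"{LOAD_KEY}\\load", load))
    return findings


if __name__ == "__main__":
    for reason, location, value in scan_persistence(parse_reg(SAMPLE_REG)):
        print(f"{reason}: {location} = {value}")
```

The "load" value is flagged even when it does not name a known file, because the Windows NT\CurrentVersion\Windows "load" entry is a rarely used autostart location and any non-empty value there deserves a look; the Run key, by contrast, is busy on every machine, so only entries matching the dropped file names are reported.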

To prevent a mass infection like the one above, and further reinfection afterwards, the basic step is to make sure you apply the vulnerability patches for Windows and for all your applications.

Also, if you receive a suspicious file or link over a messenger, even from someone on your friends list, never click it; take care not to get infected that way.