邪恶八进制信息安全团队技术讨论组 (EvilOctal Security Team Technical Discussion Group)'s Archiver

冰血封情 2004-9-13 18:15

[Repost] Analysis of the "Online Banking Thief" (网银大盗)

Source: JAce's BLOG

网银大盗 (the "online banking thief") is a virus whose purpose is to steal users' bank account passwords. It not only causes larger and more direct losses to infected users, it also poses a greater security threat and a crisis of trust for every online bank. Let's start getting to know it.
The virus file provided by a forum member is named dllreg.exe. A normal Windows installation should not contain this file, so it can basically be assumed to be abnormal. Open it in PEiD to check for a packer:
[img]http://emona.port5.com/peid.jpg[/img]
The information PEiD shows indicates the virus is packed with UPX. Although its packer is essentially the UPX core, it has been slightly modified, so neither UPX's own decompression nor the GUI front-ends for UPX can unpack it properly. I unpacked it by hand, finally repaired the entry point and relinked the resources, then put it on a VM, and everything ran normally. OK!
I also checked the PE information with Language2k, which reports it as written in Borland Delphi; checking with UltraEdit (UE) shows the same thing:
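Before unpacking, an analyst wants to confirm the packer signs PEiD is reacting to. The following is an added example, not code from the original post: a stdlib-only script that parses a PE section table and reports the UPX-style indicators (UPX0/UPX1 section names, a "UPX!" marker in the header area, and compressed-looking high-entropy section data). Because the post's sample is a modified UPX that the stock unpacker rejects, the entropy signal is kept separate from the name/marker signal. The minimal PE built by `build_sample_pe()` is constructed here for the demo and is not the analysed file.

```python
# Added example (not from the original post): PE section-table parser plus
# packer indicators. The sample PE is constructed below; it is not the virus.
import math
import struct
from collections import Counter

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
PACKED_ENTROPY_THRESHOLD = 7.0   # bits per byte; plain x86 code sits well below this


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits/byte; 8.0 means every byte value occurs equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Return [(name, raw_offset, raw_size)] from the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional       # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                   # IMAGE_SECTION_HEADER is 40 bytes
        name, _vsize, _va, raw_size, raw_off = struct.unpack_from("<8sIIII", pe, off)
        sections.append((name.rstrip(b"\0"), raw_off, raw_size))
    return sections


def assess_packing(pe: bytes) -> dict:
    """Summarise packer indicators for one PE image."""
    sections = parse_sections(pe)
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    header_area = pe[:e_lfanew + 0x200]        # stock UPX leaves "UPX!" just past the section table
    entropies = {name.decode("latin-1"): shannon_entropy(pe[off:off + size])
                 for name, off, size in sections}
    upx_names = any(name in UPX_SECTION_NAMES for name, _, _ in sections)
    upx_marker = b"UPX!" in header_area
    high_entropy = [n for n, e in entropies.items() if e >= PACKED_ENTROPY_THRESHOLD]
    return {
        "sections": entropies,
        "upx_section_names": upx_names,
        "upx_marker": upx_marker,
        "high_entropy_sections": high_entropy,
        # A modified UPX may keep names and marker yet defeat the stock unpacker,
        # so "likely_packed" rests on entropy alone and is reported separately.
        "suspected_upx": upx_names or upx_marker,
        "likely_packed": bool(high_entropy),
    }


def build_sample_pe(upx_layout: bool = True) -> bytes:
    """Constructed minimal PE: DOS stub, PE signature, COFF header, two sections, raw data."""
    names = (b"UPX0", b"UPX1") if upx_layout else (b".text", b".data")
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    table_end = e_lfanew + 4 + 20 + 40 * len(names)
    marker = b"UPX!\0\0\0\0" if upx_layout else b"\0" * 8   # 8 bytes between table and data
    # Section 1 has no raw data (like UPX0); section 2 carries a 4 KiB payload:
    # every byte value 16 times (entropy exactly 8.0) versus a NOP/RET sled.
    payload = (bytes(range(256)) * 16) if upx_layout else (b"\x90" * 4000 + b"\xC3" * 96)
    hdr1 = struct.pack("<8sIIII", names[0].ljust(8, b"\0"), 0x1000, 0x1000, 0, 0) + b"\0" * 16
    hdr2 = struct.pack("<8sIIII", names[1].ljust(8, b"\0"), len(payload), 0x2000,
                       len(payload), table_end + len(marker)) + b"\0" * 16
    return dos + b"PE\0\0" + coff + hdr1 + hdr2 + marker + payload


if __name__ == "__main__":
    print(assess_packing(build_sample_pe(True)))
    print(assess_packing(build_sample_pe(False)))
```

To run it against a real sample, pass `open(path, "rb").read()` to `assess_packing`; a file that reports `likely_packed` but neither UPX name nor marker is exactly the "modified packer" situation the post describes, and the next step is the manual unpack rather than the stock tool.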
[img]http://emona.port5.com/UE.JPG[/img]
Most virus analyses stop about here, but what followed made me overturn that conclusion: opening it in IDA, I found a Borland C (BC) copyright, the inclusion of xx.cpp, and the characteristics of C code
[img]http://emona.port5.com/IDA1.JPG[/img]
Since it is familiar C, pour a cup of coffee and enjoy it slowly.
This is the program's entry point:
BRAT0:004011AC start proc near
BRAT0:004011AC jmp short loc_4011BE ; sub_4011AC
BRAT0:004011AC ; ---------------------------------------------------------------------------
BRAT0:004011AE dd 433A6266h, 4F482B2Bh, 0E9904B4Fh, 431098h
BRAT0:004011BE ; ---------------------------------------------------------------------------
BRAT0:004011BE
BRAT0:004011BE loc_4011BE: ; CODE XREF: start j
BRAT0:004011BE mov eax, ds:dwTlsIndex
BRAT0:004011C3 shl eax, 2
BRAT0:004011C6 mov ds:dword_43108F, eax
BRAT0:004011CB push edx
BRAT0:004011CC push 0 ; lpModuleName
BRAT0:004011CE call GetModuleHandleA
BRAT0:004011D3 mov edx, eax
BRAT0:004011D5 call nullsub_2
BRAT0:004011DA pop edx
BRAT0:004011DB call nullsub_1
BRAT0:004011E0 call nullsub_3
BRAT0:004011E5 push 0
BRAT0:004011E7 call __ExceptInit
BRAT0:004011EC pop ecx
BRAT0:004011ED push offset off_431034
BRAT0:004011F2 push 0 ; lpModuleName
BRAT0:004011F4 call GetModuleHandleA
BRAT0:004011F9 mov ds:dword_431093, eax
BRAT0:004011FE push 0
BRAT0:00401200 jmp __startup
BRAT0:00401200 start endp
Searching the strings shows that its main propagation vector is spam (it disguises itself as junk mail).
This is its mail format:
From: gr54ty54y@mail.ru // sender
To: 65y6hghrtgr@mail.ru // recipient
X-Spam: Probable Spam // spam category =。=
Return-path: gr54ty54y@mail.ru // reply address
SUBJECT: 001800022004002300010009_Customer_ // subject; differs from one infected machine to another
Content-Type: text/html // content type
This is its infection part:
BRAT1:00438CBC aGreogikreoto_0 db 'greogikreotorit@mail.ru',0 ; DATA XREF: sub_401C6C+22 o
BRAT1:00438CD4 aTo_0 db 0Dh,0Ah ; DATA XREF: sub_401C6C+35 o
BRAT1:00438CD4 db 'To: ',0
BRAT1:00438CDB a4t5t4t5tyy@m_0 db '4t5t4t5tyy@mail.ru',0 ; DATA XREF: sub_401C6C+48 o ; fake sender address
BRAT1:00438CEE aXSpamProbabl_0 db 0Dh,0Ah ; DATA XREF: sub_401C6C+5B o ; marks itself as ordinary spam
BRAT1:00438CEE db 'X-Spam: Probable Spam',0
BRAT1:00438D06 aReturnPath_0 db 0Dh,0Ah ; DATA XREF: sub_401C6C+6E o
BRAT1:00438D06 db 'Return-path: ',0
BRAT1:00438D16 aGreogikreoto_1 db 'greogikreotorit@mail.ru',0 ; DATA XREF: sub_401C6C+81 o
BRAT1:00438D2E aSubject00180_0 db 0Dh,0Ah ; DATA XREF: sub_401C6C+94 o
BRAT1:00438D2E db 'SUBJECT: 001800022004002300010009_Customer_',0
BRAT1:00438D5C asc_438D5C db 0Dh,0Ah,0 ; DATA XREF: sub_401C6C+BB o
BRAT1:00438D5F aMimeVersion1_0 db 'MIME-Version: 1.0',0Dh,0Ah ; DATA XREF: sub_401C6C+CE o
BRAT1:00438D5F db 'Content-Type: multipart/mixed;',0Dh,0Ah
BRAT1:00438D5F db 9,'boundary="x1234"',0Dh,0Ah
BRAT1:00438D5F db 0Dh,0Ah
BRAT1:00438D5F db '--x1234',0Dh,0Ah
BRAT1:00438D5F db 'Content-Type: text/html; charset=us-ascii',0Dh,0Ah
BRAT1:00438D5F db 0Dh,0Ah
BRAT1:00438D5F db '',0
BRAT1:00438DE4 aBrIpAddress db '<br>',0Dh,0Ah ; DATA XREF: sub_401C6C+E1 o (HTML tag restored from the label)
BRAT1:00438DE4 db 'IP address: ',0
BRAT1:00438DF7 aBr db '<br>',0Dh,0Ah,0 ; DATA XREF: sub_401C6C+108 o (HTML tag restored from the label)
BRAT1:00438DFE aBank_log db '\bank.log',0 ; DATA XREF: sub_401C6C+12C o ; log of the passwords the virus steals
BRAT1:00438E08 aRundllx_sys db '\rundllx.sys',0 ; DATA XREF: sub_401C6C+1AE o
BRAT1:00438E15 aImgSrcCid00005 db '<img src=cid:00005...',0Dh,0Ah ; inserts the virus image (the archive stripped the rest of the HTML tag; its start follows from the label aImgSrcCid00005)
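The mail format above and the strings that produce it give a mail gateway or triage analyst a concrete pattern to match. The following is an added example, not code from the original post: a scoring rule built only from the indicators the post extracted (the hard-coded mail.ru sender addresses, the digits-plus-`_Customer_` subject shape, the sender-supplied `X-Spam: Probable Spam` header, the fixed MIME boundary `x1234`, and the `IP address:` body text). The two messages below are constructed for the demo; the IP in the body is a documentation address, not from the sample.

```python
# Added example (not from the original post): score a raw message against the
# header/body strings the post extracted. Both sample messages are constructed.
import email
import re

KNOWN_SENDERS = {"gr54ty54y@mail.ru", "greogikreotorit@mail.ru", "4t5t4t5tyy@mail.ru"}
SUBJECT_RE = re.compile(r"^\d+_Customer_$")   # digits vary per infected machine
FIXED_BOUNDARY = "x1234"
SELF_LABEL = "Probable Spam"                  # written by the malware itself, not by a filter
BODY_MARKER = b"IP address:"


def score_message(raw: str) -> dict:
    """Return the indicator hits for one message plus a simple threshold verdict."""
    msg = email.message_from_string(raw)      # compat32 policy: headers come back as plain str
    hits = []
    if msg.get("From", "").strip().lower() in KNOWN_SENDERS:
        hits.append("hardcoded-sender")
    if msg.get("Return-path", "").strip().lower() in KNOWN_SENDERS:
        hits.append("hardcoded-return-path")
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        hits.append("customer-subject")
    if msg.get("X-Spam", "").strip() == SELF_LABEL:
        hits.append("self-labelled-spam")
    if msg.get_boundary() == FIXED_BOUNDARY:  # None for non-multipart mail
        hits.append("fixed-boundary")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            if BODY_MARKER in payload:
                hits.append("ip-address-body")
                break
    # Three independent indicators is a conservative cut-off for quarantine.
    return {"hits": hits, "score": len(hits), "verdict": len(hits) >= 3}


# Constructed message mirroring the strings above (not a captured sample).
SAMPLE_MALICIOUS = (
    "From: gr54ty54y@mail.ru\r\n"
    "To: 65y6hghrtgr@mail.ru\r\n"
    "X-Spam: Probable Spam\r\n"
    "Return-path: gr54ty54y@mail.ru\r\n"
    "SUBJECT: 001800022004002300010009_Customer_\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/mixed;\r\n"
    "\tboundary=\"x1234\"\r\n"
    "\r\n"
    "--x1234\r\n"
    "Content-Type: text/html; charset=us-ascii\r\n"
    "\r\n"
    "<br>IP address: 192.0.2.10<br>\r\n"
    "--x1234--\r\n"
)

# Constructed benign message for comparison.
SAMPLE_BENIGN = (
    "From: alice@example.com\r\n"
    "To: bob@example.com\r\n"
    "Subject: lunch tomorrow?\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Noon works for me.\r\n"
)

if __name__ == "__main__":
    print(score_message(SAMPLE_MALICIOUS))
    print(score_message(SAMPLE_BENIGN))
```

The subject regex is deliberately loose because the post says the numeric prefix changes per infected host; the fixed boundary and the self-applied X-Spam header are the more stable artefacts, since they are literal strings in the binary.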
Next comes its self-protection mechanism:
BRAT1:00439251 aLoad32_exe db '\load32.exe',0 ; DATA XREF: WinMain+7B o
BRAT1:0043925D aSoftwareMicros db 'Software\Microsoft\Windows\CurrentVersion\Run',0
BRAT1:0043925D ; DATA XREF: WinMain+AC o
BRAT1:0043928B aLoad32 db 'load32',0 ; DATA XREF: WinMain+D1 o
BRAT1:00439292 aSoftwareMicr_0 db 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Fol'
BRAT1:00439292 ; DATA XREF: WinMain+F3 o
BRAT1:00439292 db 'ders',0
BRAT1:004392D3 aStartup db 'Startup',0 ; DATA XREF: WinMain+11E o
BRAT1:004392DB aRundllw_exe db '\rundllw.exe',0 ; DATA XREF: WinMain+135 o
BRAT1:004392E8 aDllreg_exe db '\dllreg.exe',0 ; DATA XREF: WinMain+16C o
BRAT1:004392F4 aWindows db 'windows',0 ; DATA XREF: WinMain+1A3 o
BRAT1:004392FC aRun db 'run',0 ; DATA XREF: WinMain+19E o
BRAT1:00439300 aWin_ini db 'win.ini',0 ; DATA XREF: WinMain+192 o
BRAT1:00439308 aVxdmgr32_exe db '\vxdmgr32.exe',0 ; DATA XREF: WinMain+1BE o
BRAT1:00439316 aExplorer_exe db 'explorer.exe ',0 ; DATA XREF: WinMain+1E4 o
BRAT1:00439324 aBoot db 'boot',0 ; DATA XREF: WinMain+219 o
BRAT1:00439329 aShell db 'shell',0 ; DATA XREF: WinMain+214 o
It copies itself as load32.exe, rundllw.exe, dllreg.exe and vxdmgr32.exe, and adds itself under Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders to set up an association between itself and IE, so that the virus starts working as soon as IE is opened, and under Software\Microsoft\Windows\CurrentVersion\Run, so that the virus starts itself when the system boots.
Once it has become a system process,
it continuously checks whether the browser is connected to
[url]http://ibank.barclays.co.uk/fp/[/url]
[url]http://lloydstsb.co.uk/customer.ibc[/url]
[url]http://lloydstsb.co.uk/logon.ibc[/url]
and if it is, it records keystrokes.
It also writes itself into win.ini, which Windows loads automatically at startup.
system.ini, bank.log, wave1.bmp, wave2.bmp, wave3.bmp, wave4.bmp and sock64.dll are all files generated by the virus as well.

The virus itself records the bank member name and member password, and during a transaction it records the bank account ID and password as well as the 5-digit operation password. :) The results are written to bank.log.
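The persistence points and dropped files listed above (win.ini `run=`, the system.ini `[boot] shell=` line, the Run key value `load32`, the Startup folder, and the self-copies and helper files) are what an incident responder checks on a suspect host. The following is an added example, not code from the original post: an offline checker that takes the INI text, the Run key values and a file listing as plain inputs, so it can be exercised without a Windows machine. All sample inputs are constructed for the demo; the exact INI values the virus writes are an assumption based on the strings in the post, and on a live host you would feed in the real file contents and registry values.

```python
# Added example (not from the original post): check the autostart hooks and
# dropped-file names the post lists. Sample inputs are constructed; the exact
# INI values the virus writes are assumed from the strings, not observed.
import ntpath
import re

# File names the post attributes to the virus (self-copies, log, helpers).
DROPPED_NAMES = {
    "load32.exe", "rundllw.exe", "dllreg.exe", "vxdmgr32.exe", "rundllx.sys",
    "bank.log", "wave1.bmp", "wave2.bmp", "wave3.bmp", "wave4.bmp", "sock64.dll",
}
RUN_VALUE_NAMES = {"load32"}          # value name written under ...\CurrentVersion\Run
EXPECTED_SHELL = "explorer.exe"       # a clean system.ini [boot] shell= is just this


def parse_ini(text: str) -> dict:
    """Minimal INI parser: {section: {key: value}}, section and key names lower-cased."""
    result, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            result.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            result[section][key.strip().lower()] = value.strip()
    return result


def names_in(value: str) -> set:
    """Dropped-file names referenced anywhere in a command line or path."""
    tokens = re.split(r"[\s,;\"']+", value.lower())
    return {ntpath.basename(t) for t in tokens} & DROPPED_NAMES


def scan_win_ini(text: str) -> list:
    """[windows] run= and load= are the legacy autostart hooks the post says it uses."""
    ini = parse_ini(text)
    findings = []
    for key in ("run", "load"):
        value = ini.get("windows", {}).get(key, "")
        findings += [f"win.ini [windows] {key}= references {n}" for n in sorted(names_in(value))]
    return findings


def scan_system_ini(text: str) -> list:
    """[boot] shell= should be exactly explorer.exe; any extra token runs at logon."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    findings = []
    if shell.lower().split() not in ([], [EXPECTED_SHELL]):
        findings.append(f"system.ini [boot] shell= is '{shell}', expected '{EXPECTED_SHELL}'")
    findings += [f"system.ini shell= references {n}" for n in sorted(names_in(shell))]
    return findings


def scan_run_key(values: dict) -> list:
    """values: {value_name: command} as read from HKCU/HKLM ...\\CurrentVersion\\Run."""
    findings = []
    for vname, command in values.items():
        if vname.lower() in RUN_VALUE_NAMES:
            findings.append(f"Run value name '{vname}' matches the virus")
        findings += [f"Run value '{vname}' launches {n}" for n in sorted(names_in(command))]
    return findings


def scan_paths(paths) -> list:
    """Any file listing (Startup folder, %SystemRoot%, %TEMP%) against the dropped names."""
    return [f"dropped file present: {p}"
            for p in paths if ntpath.basename(p).lower() in DROPPED_NAMES]


def scan_all(win_ini: str, system_ini: str, run_key: dict, paths) -> list:
    return (scan_win_ini(win_ini) + scan_system_ini(system_ini)
            + scan_run_key(run_key) + scan_paths(paths))


# Constructed inputs resembling an infected host (values assumed from the strings).
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\vxdmgr32.exe\n[Desktop]\nWallpaper=C:\\WINDOWS\\Bliss.bmp\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe vxdmgr32.exe\n[drivers]\nwave=mmdrv.dll\n"
SAMPLE_RUN_KEY = {"load32": r"C:\WINDOWS\system32\load32.exe",
                  "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_STARTUP = [r"C:\Documents and Settings\user\Start Menu\Programs\Startup\rundllw.exe",
                  r"C:\Documents and Settings\user\Start Menu\Programs\Startup\desktop.ini"]

if __name__ == "__main__":
    for finding in scan_all(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_RUN_KEY, SAMPLE_STARTUP):
        print(finding)
```

The `shell=` check reports any deviation from `explorer.exe` independently of the name list, so it still fires if a later variant renames its files; the name-based checks catch the specific build the post describes.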

By now, do you have some understanding of the online banking thief? The version I analyzed was still not being detected by anti-virus software (Norton) at this point, which is really worrying.

© 1999-2008 EvilOctal Security Team