
Silic Group Forum Archive - Silic Security

Views: 11882 | Replies: 56

[Original] Stealing accounts feels great for a moment; the whole family ends up at the crematorium

Uing07 (The user has been deleted)
Posted 2013-5-1 03:08:36
Sample: http://pan.baidu.com/share/link?shareid=496137&uk=704677280
Archive password: 233
That day, Sanshi came back from his usual stroll around userporn.com and brought an unidentified creature home with him:
The unidentified creature's scan report:
virustotal: https://www.virustotal.com/zh-cn ... 00213dcfa/analysis/
virusscan: http://r.virscan.org/ac65695fb4c8bd203c8d200cdebcfb1f
Basically, it gets past the mainstream AVs (well, 360 and Kingsoft flag it, and even QQ PC Manager flags it... heh)

001.png

Behaviour-wise, it loads a pile of system DLLs, creates a new .tmp file under Temp, and that's it... oh, and it runs without any UI;
As for that *.tmp file, I had a look in WinHex: not a PE header, skipping it;

000.png

PEiD: PECompact 2.x -> Jeremy Collake
Baidu says to unpack it with the ESP trick: load in OD -> No -> F7 twice -> Ctrl+G to ESP -> set a hardware access breakpoint -> F8 all the way to the OEP;
Did exactly that: load in OD -> No -> F7 twice -> Ctrl+G to ESP -> set a hardware access breakpoint -> F8 all the way.... never reached the OEP.....
So I traced and analysed it with the magic tool z8 instead:
Load in OD -> No -> F7 to here:

002.png

Ctrl+G to 0045C508 shows:
0045C508 B8 8DB245F0 mov eax, F045B28D
0045C50D 8D88 9E120010 lea ecx, dword ptr [eax+1000129E]
Which gives the address: 1|0045C52B
Ctrl+G to 0045C52B, F2 to set a breakpoint, F9 to run to it, F8 all the way to jmp eax, F7 once and we land on the OEP:

003.png

Dump it and throw it into IDA; found this flow:

004.png

One press of the titanium-alloy F5:

005.png
006.png

Obvious at a glance: if(eax==2) {pop up a magic window;}
-------
Back to OD, bp Sleep and bp SetTimer:

008.png

009.png

Sleep waits 30 seconds with Alertable False, and then the SetTimer after it does something every 200ms or 300ms, probably enumerating window handles or processes or the like; no idea what, but it looks impressive;
Then, if QQ is running, it closes all chat windows, minimises the main window, and pops up this magic window:
010.png
Type in any password and click login: it says the password is wrong; type it in and log in again and a browser pops up:
011.png
The QQ number and the captured password are transmitted in plaintext in the URL....
Had a quick look at the collection server: a US cloud host, 3389 is reachable (brute-force it as you please), a WVS scan found only an IIS short-filename path disclosure, useless:
012.png
-------
Going back to the *.tmp dropped earlier:

013.png
Er, forget it, can't make sense of it; can't keep making things up, so I'll stop here...

(Sanshi, next time you make me analyse a "screensaver", your ass is toast)
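How the address 1|0045C52B falls out of the two instructions quoted above, as an added example (my own Python, not part of the original post or the author's tooling): it decodes the raw bytes from the OllyDbg listing, pulls out the little-endian immediate and displacement, and adds them with 32-bit wraparound, which is why the post writes the result with a leading "1|" carry. The byte string is constructed from the listing; the function names are my own.

```python
import struct

# Raw bytes of the two instructions quoted in the post, constructed from the
# OllyDbg listing: "B8 8DB245F0" (mov eax, imm32) and "8D88 9E120010"
# (lea ecx, dword ptr [eax+disp32]).
STUB_BYTES = bytes.fromhex("B88DB245F0" + "8D889E120010")

# 32-bit register names indexed by the 3-bit reg/rm field of a ModR/M byte.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_stub(code: bytes) -> tuple:
    """Decode 'mov eax, imm32' followed by 'lea <reg>, [eax+disp32]'.

    Returns (imm32, destination register name, disp32). Only the exact
    encoding seen in the listing is handled; anything else raises.
    """
    if len(code) < 11:
        raise ValueError("need 11 bytes: 5 for mov eax, 6 for lea")
    if code[0] != 0xB8:                       # B8 = mov eax, imm32
        raise ValueError("expected B8 (mov eax, imm32)")
    imm32 = struct.unpack_from("<I", code, 1)[0]   # little-endian immediate
    if code[5] != 0x8D:                       # 8D /r = lea r32, m
        raise ValueError("expected 8D (lea)")
    modrm = code[6]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0b10 or rm != 0:                # mod=10 -> [base+disp32], rm=000 -> eax
        raise ValueError("expected lea <reg>, [eax+disp32]")
    disp32 = struct.unpack_from("<I", code, 7)[0]  # little-endian displacement
    return imm32, REG32[reg], disp32


def effective_address(base: int, disp: int, width: int = 32) -> tuple:
    """Add base and displacement the way the CPU does for a `width`-bit register.

    Returns (carry, address): the register keeps only the low `width` bits,
    and the bits shifted out are the carry that the post shows as "1|".
    """
    total = base + disp
    mask = (1 << width) - 1
    return total >> width, total & mask


def stub_target(code: bytes = STUB_BYTES) -> str:
    """Render the computed address in the post's 'carry|address' notation."""
    imm32, _dst, disp32 = decode_stub(code)
    carry, addr = effective_address(imm32, disp32)
    return f"{carry}|{addr:08X}"


if __name__ == "__main__":
    imm32, dst, disp32 = decode_stub(STUB_BYTES)
    print(f"mov eax, {imm32:08X}")
    print(f"lea {dst}, dword ptr [eax+{disp32:08X}]")
    print("target:", stub_target())   # 1|0045C52B
```

The carry bit is the whole point: 0xF045B28D + 0x1000129E overflows a 32-bit register, so ecx ends up holding 0x0045C52B, a valid address inside the image, and that is where the breakpoint goes.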
left (The user has been deleted)
Posted 2013-5-1 05:36:02
Grabbed the sofa (first reply)...
07 the hacker really is a reversing guru...
jkryanchou (The user has been deleted)
Posted 2013-5-1 08:10:18
Heh heh~~~~~~ showing some support.
xwei (The user has been deleted)
Posted 2013-5-1 09:36:29
Impressive~~ Even though I can't follow it myself.... the analysis flow from start to finish is very clear~~ truly a reversing guru
cleverelie (The user has been deleted)
Posted 2013-5-1 11:03:39
Just worship
784055837 (The user has been deleted)
Posted 2013-5-1 11:30:38
=Brilliant-
anycn (The user has been deleted)
Posted 2013-5-1 14:56:45
Interested in the videos on userporn.com..
p01356 (The user has been deleted)
Posted 2013-5-1 15:07:39
Worship god 7
lxsky (The user has been deleted)
Posted 2013-5-1 15:31:15
Nothing to do but worship
习科你妹 (The user has been deleted)
Posted 2013-5-1 15:38:19
Sister 7, impressive as expected, you beast, lots of highlights
miss冰 (The user has been deleted)
Posted 2013-5-1 15:40:22
userporn.com lit up my titanium-alloy eyes
禁iF (The user has been deleted)
Posted 2013-5-1 16:29:56
Holy crap, truly a guru
coolboy (The user has been deleted)
Posted 2013-5-1 17:30:53
Reversing guru, can't understand a thing
michale (The user has been deleted)
Posted 2013-5-1 22:35:19
Haven't touched assembly or reversing in ages; will revisit it when I have time. Very inspiring!
Wood (The user has been deleted)
Posted 2013-5-1 23:52:46
Bro 7 is awesome
jkryanchou (The user has been deleted)
Posted 2013-5-2 08:19:08
userporn.com was the highlight.~
华崽 (The user has been deleted)
Posted 2013-5-2 10:09:37
userporn.com, damn, it's even a paid site; something for rich people
siyuan (The user has been deleted)
Posted 2013-5-2 11:40:21
Silic is more brilliant because of you
qjf541502724 (The user has been deleted)
Posted 2013-5-2 12:33:15
Actually I'm more curious how the trojan got uploaded there
BB鸟儿 (The user has been deleted)
Posted 2013-5-2 13:50:04
Read it!!!!
GMT+8, 2020-8-16 01:11

© 2001-2014 Silic Corp.