Original address: http://blog.nsfocus.net/nssock2-dll-module-malicious-code-analysis-report/
Netsarang is a company offering secure connectivity solutions; its main products are Xmanager, Xshell, Xftp and XLPD. Recently, the official builds of this software released on July 18, 2017 were found to contain malicious backdoor code, located in the legitimately signed Nssock2.dll module. Analysis of the backdoor code indicates that it was introduced when an attacker compromised a developer's host or the build system and inserted the backdoor into the source code. The backdoor can leak the user's remote login information and may even allow remote code execution. VirusTotal online detection: the analysis results show that Nssock2.dll is flagged as a malicious program by a number of anti-virus engines.
Related addresses:
https://www.netsarang.com/news/security_exploit_in_july_18_2017_build.html
https://www.virustotal.com/#/file/462a02a8094e833fd456baf0a6d4e18bb7dab1a9f74d5f163a8334921a4ffde8/detection
Affected versions
- Xshell Build 1322
- Xshell Build 1325
- Xmanager Enterprise Build 1232
- Xmanager Build 1045
- Xmanager Build 1048
- Xftp Build 1218
- Xftp Build 1221
- XLPD Build 1220
Non-affected versions
- Xmanager Enterprise Build 1236
- Xmanager Build 1049
- Xshell Build 1326
- Xftp Build 1222
- XLPD Build 1224
Software downloads
Distribution of the backdoored software on domestic (Chinese) download sites:
Technical Analysis Overview
The Nssock2.dll module shipped with the main Netsarang software releases was found to contain malicious backdoor code in the official distribution. Reports indicate that the attacker compromised a development machine and then added the malicious code to the official source. The analysis of that malicious code follows. Reference: https://www.virustotal.com/#/user/jumze/comments
Propagation and infection
Direct download by the user, or download as part of a software bundle.
Sample Analysis
Analysis environment
System | Windows 7, 32-bit
Tools used | Process Monitor, XueTr, Wireshark, OllyDbg, IDA, CuteFTP
TAC test results:
Figure: TAC test results
Protection solutions
User self-examination
Users can determine whether they are affected by checking the version of Nssock2.dll:
Locate the Nssock2.dll file in the software installation directory, right-click the file and view its Properties; if the version number is 5.0.0.26, the file contains the backdoor code:
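The manual Properties check above does not scale across many hosts. The following script is an added example, not part of the NSFOCUS report or NetSarang's tooling: it locates every Nssock2.dll under the given directories, reads the file version straight out of the PE version resource, and compares both the version (5.0.0.26, from the report) and the SHA-256 (taken from the VirusTotal link above) against the known-bad values. The version is recovered by scanning for the VS_FIXEDFILEINFO signature rather than walking the resource directory, which is an assumption that holds for ordinary DLLs but is a triage shortcut, not a full PE parser. The default install root and the sample byte blob are constructed for illustration.

```python
import hashlib
import struct
from pathlib import Path

# SHA-256 of the backdoored Nssock2.dll, taken from the VirusTotal link in the report above.
KNOWN_BAD_SHA256 = "462a02a8094e833fd456baf0a6d4e18bb7dab1a9f74d5f163a8334921a4ffde8"
# File version that the report identifies as carrying the backdoor.
KNOWN_BAD_VERSION = (5, 0, 0, 26)

# VS_FIXEDFILEINFO begins with the constant 0xFEEF04BD; PE files store it little-endian.
VS_FIXEDFILEINFO_SIGNATURE = struct.pack("<I", 0xFEEF04BD)


def pe_file_version(data):
    """Return (major, minor, build, revision) from the VS_FIXEDFILEINFO block of a
    PE image, or None if no version resource is present.

    Assumption (triage shortcut): the first occurrence of the signature is the real
    structure. A full PE parser would locate it via the .rsrc directory instead."""
    idx = data.find(VS_FIXEDFILEINFO_SIGNATURE)
    if idx < 0 or idx + 16 > len(data):
        return None
    # Layout: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS, ...
    _sig, _struc_ver, ver_ms, ver_ls = struct.unpack_from("<4I", data, idx)
    return (ver_ms >> 16, ver_ms & 0xFFFF, ver_ls >> 16, ver_ls & 0xFFFF)


def version_string(version):
    return ".".join(str(part) for part in version) if version else "unknown"


def assess_bytes(data):
    """Classify one DLL image by hash and by its version resource."""
    digest = hashlib.sha256(data).hexdigest()
    version = pe_file_version(data)
    hash_match = digest == KNOWN_BAD_SHA256
    version_match = version == KNOWN_BAD_VERSION
    if hash_match:
        verdict = "BACKDOORED"      # byte-identical to the sample on VirusTotal
    elif version_match:
        verdict = "SUSPECT"         # reports 5.0.0.26 but differs in bytes; inspect further
    else:
        verdict = "NOT_KNOWN_BAD"   # neither indicator hit; still upgrade if the build is old
    return {"sha256": digest, "version": version_string(version),
            "hash_match": hash_match, "version_match": version_match, "verdict": verdict}


def assess_file(path):
    result = assess_bytes(Path(path).read_bytes())
    result["path"] = str(path)
    return result


def find_nssock2(roots):
    """Yield every nssock2.dll below the given directories (case-insensitive name match)."""
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for candidate in root.rglob("*"):
            if candidate.is_file() and candidate.name.lower() == "nssock2.dll":
                yield candidate


# Constructed sample: a minimal byte string carrying only a VS_FIXEDFILEINFO header
# with file version 5.0.0.26. It is NOT the real DLL, only test input for the parser.
SAMPLE_VERSION_BLOB = (
    b"MZ" + b"\x00" * 62
    + struct.pack("<4I", 0xFEEF04BD, 0x00010000, (5 << 16) | 0, (0 << 16) | 26)
    + b"\x00" * 16
)

if __name__ == "__main__":
    import sys
    # Assumed default install root (hypothetical); pass other directories on the command line.
    roots = sys.argv[1:] or [r"C:\Program Files\NetSarang"]
    for dll in find_nssock2(roots):
        r = assess_file(dll)
        print(f"{r['path']}: version {r['version']} sha256 {r['sha256'][:16]}... -> {r['verdict']}")
```

A hash match is conclusive for the sample published on VirusTotal; a version match alone is treated as SUSPECT rather than BACKDOORED because a 5.0.0.26 string can survive in a file whose bytes differ, so any hit should be confirmed by hashing or by submitting the file for analysis before the host is declared clean or compromised.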
Official solution
Users can check the version number of Nssock2.dll to determine whether they are running a software version that contains the backdoor; anyone using one of the affected versions listed above should upgrade to the latest version. The vendor has removed the backdoor code in the latest software releases, which are:
- Xmanager Enterprise Build 1236
- Xmanager Build 1049
- Xshell Build 1326
- Xftp Build 1222
- XLPD Build 1224
Official download page:
https://www.netsarang.com/download/software.html
Technical analysis and protection scheme for the malicious code embedded in the Nssock2.dll module of Netsarang software