Let's take a look at a trojan delivered by the NB Exploit Kit.
1. Origin
I saw a post on a security forum asking for help with a computer virus infection.
Out of professional habit, I opened the URL mentioned in the post in a virtual machine. I did not find anything suspicious at first; it looked like a promotion or phishing website, so I assumed it was a common phishing attack.
Later, while reviewing audit logs, I found that my IP address had been flagged by the company's APT network warning platform:
2. Analysis: the infection process
The alert was for a web-page exploit attack (also known as a drive-by download). I downloaded the flagged page with a tool and analyzed its index.htm, which uses the res:// protocol to probe for local files. Internet Explorer's res:// scheme loads a resource out of a local executable or DLL, so whether the load succeeds or fails tells the page whether that file, and therefore the product that ships it, is present on the machine.
The probe targets include:
360
Kingsoft
Kaspersky
If none of the above products is installed on the user's computer, the browser loads a page named "win.html".
Analysis of "win.html"
After downloading it, I found that all of its code was obfuscated and encrypted, which looked like a headache.
Formatting and analyzing the code shows that, to keep crawlers from fetching the page, it inspects the userAgent and handles it accordingly, and to prevent repeat infections it sets a specific cookie value.
Both are common techniques in classic exploit kits, and the suspicious string "nb vip" appears in the code, so it is probably the NB or CK exploit kit.
Further analysis shows that it contains exploits for different versions of Java. In one of the JAR calls, the well-known pinyin strings "woyouyizhixiaomaol" and "conglaiyebuqi" appear, that is, "I have a little donkey that I never ride" (a line from a Chinese children's song).
The decompiled JAR package contains similar strings:
In addition, there are different payloads for Flash, Silverlight and several IE versions, but their download links were dead at the time of analysis, so those payloads could not be retrieved.
After working through the entire code flow, here is a flowchart of the process:
Once exploitation succeeds, the system downloads and runs a malicious file named "calc.exe".
In a virtual machine, open the malicious page in a browser and capture the traffic with a packet-capture tool; the whole process can be reproduced this way. The capture shows that other exe programs are downloaded as well, so the downloaded programs are analyzed next.
Analysis of the malicious program calc.exe
Analysis shows that calc.exe mainly collects information about the user's computer and sends statistics to a remote server.
It can also read a remote configuration file, then download and run the malicious programs listed in that configuration.
This process matches what was seen in the packet capture.
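To make the probing step concrete, here is an added analyst-side example (not code from the original page or the exploit kit). It takes a constructed HTML snippet in the style of such an index.htm, pulls out every res:// probe, maps each probed path to a vendor using an assumed keyword table, and reports which fallback page the probe logic would load if none of the probed products is installed. The file paths, vendor keywords and the `win.html` redirect in the sample are assumptions for illustration only.

```python
import re

# Constructed sample page mimicking the res:// probing pattern described above.
# Paths and handlers are assumptions for this example, not the real index.htm.
SAMPLE_INDEX_HTML = r"""
<html><body>
<script>
var hit = {};
function ok(n){ hit[n] = 1; }
function miss(n){ hit[n] = 0; }
</script>
<img src="res://C:\Program Files\360\360Safe\safemon\safemon.dll/#2/#1"
     onload="ok('360')" onerror="miss('360')">
<img src="res://C:\Program Files\Kingsoft\kingsoft antivirus\kxetray.exe/#2/#1"
     onload="ok('kingsoft')" onerror="miss('kingsoft')">
<img src="res://C:\Program Files\Kaspersky Lab\Kaspersky Internet Security\avp.exe/#2/#1"
     onload="ok('kaspersky')" onerror="miss('kaspersky')">
<script>
setTimeout(function(){
  if (!hit['360'] && !hit['kingsoft'] && !hit['kaspersky']) {
    window.location = 'win.html';
  }
}, 1000);
</script>
</body></html>
"""

# res:// bodies live inside quoted attributes, so stop at a quote or a tag bracket.
# "Program Files" contains a space, so \s must not be used as a terminator.
RES_URL_RE = re.compile(r"""res://([^"'<>]+)""", re.IGNORECASE)

# Path keyword -> vendor label. Hypothetical mapping for this example.
VENDOR_KEYWORDS = {
    "360": "360",
    "kingsoft": "Kingsoft",
    "kaspersky": "Kaspersky",
}

REDIRECT_RE = re.compile(
    r"""(?:window\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""", re.IGNORECASE)


def split_res_url(res_body):
    """Split 'C:\\dir\\file.dll/#2/#1' into (local file path, resource spec).

    Directories use backslashes, so the first forward slash ends the file name.
    """
    path, _, resource = res_body.partition("/")
    return path, resource


def extract_res_probes(html):
    """Return one record per res:// probe found in the page, in page order."""
    probes = []
    for m in RES_URL_RE.finditer(html):
        path, resource = split_res_url(m.group(1))
        lower = path.lower()
        vendor = next((v for k, v in VENDOR_KEYWORDS.items() if k in lower), "unknown")
        probes.append({"path": path, "resource": resource, "vendor": vendor})
    return probes


def fallback_target(html):
    """The page the probe script navigates to when no product is detected."""
    m = REDIRECT_RE.search(html)
    return m.group(1) if m else None


def loads_fallback(html, installed):
    """Mirror the page's decision: fallback loads only if no probed vendor is installed."""
    probed = {p["vendor"] for p in extract_res_probes(html)}
    return not (probed & set(installed))


if __name__ == "__main__":
    for p in extract_res_probes(SAMPLE_INDEX_HTML):
        print(f'{p["vendor"]:10} {p["path"]}  ({p["resource"]})')
    print("fallback page:", fallback_target(SAMPLE_INDEX_HTML))
```

Run it over a captured landing page to get the list of security products the kit is trying to avoid; a page that redirects only when every probe fails is the signature described above, and the absence of those products on the test VM is exactly why the kit proceeded to win.html.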
Analysis of iexplore.exe
When the trojan runs, it decrypts an encrypted URL in memory; the IP address in it is the address the malicious domain name resolves to.
Note: the data after the "<|>" separator in the URL is a list of exe programs, each of which exists on the server.
It then enumerates running processes once every second and checks whether any process name matches one in the decrypted data. If one does, it appends that name to the URL, downloads the program and runs it. That is:
The programs referenced by the URL are all trojans targeting various games, more than 40 in total, almost all of them packed; each drops further files when run.
A simple example: the malicious qq.exe
After running, the fake qq.exe closes the running QQ client and downloads a disguised QQ login screen from Baidu Images.
It then builds a fake QQ login program for the spoofing attack.
Finally, the QQ number and password the user enters are sent to the following malicious address: http://14.***.***.227:8***/xx/fen/ly01/lin.asp
Analysis of smss.exe
It is a VB program. After running, it collects information about the user's computer, connects to an MSSQL database, reads data (URLs) from the remote server with SQL statements, and downloads and runs the program.
Because the program's username and password are hard-coded, I was able to log on to the database server using the tool:
The data stored in the database consists of malicious URLs and statistics URLs, which is consistent with our analysis results.
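To show the process-matching loop in working form, here is an added example (not code from the page or the sample) that starts from the already decrypted string. It assumes the layout the note above describes: a base URL, then exe names, all separated by "<|>". The URL, host and names in the sample are constructed for this example, and the in-memory decryption step is left out because the page does not describe the algorithm.

```python
import re

# Constructed decrypted configuration in the assumed layout:
# base URL, then exe names, every field separated by "<|>".
# Host, port and names are made up for this example.
SAMPLE_CONFIG = "http://198.51.100.7:8080/down/<|>qq.exe<|>smss.exe<|>game1.exe<|>wow.exe"

SEPARATOR = "<|>"


def parse_config(blob):
    """Split the decrypted blob into (base_url, [exe names])."""
    parts = [p.strip() for p in blob.split(SEPARATOR)]
    if len(parts) < 2 or not re.match(r"https?://", parts[0], re.IGNORECASE):
        raise ValueError("config does not start with a URL followed by exe names")
    base_url = parts[0] if parts[0].endswith("/") else parts[0] + "/"
    names = [p for p in parts[1:] if p.lower().endswith(".exe")]
    return base_url, names


def match_running(names, running):
    """Config names that match a running process (case-insensitive, as Windows compares)."""
    wanted = {n.lower(): n for n in names}
    matched = []
    for proc in running:
        key = proc.lower()
        if key in wanted and wanted[key] not in matched:
            matched.append(wanted[key])
    return matched


def build_download_urls(base_url, matched):
    """Append each matched name to the base URL, as the trojan does before downloading."""
    return [base_url + n for n in matched]


def poll_once(blob, running):
    """One iteration of the once-a-second loop: the URLs the trojan would fetch right now."""
    base_url, names = parse_config(blob)
    return build_download_urls(base_url, match_running(names, running))


# Constructed process snapshot of a victim running QQ and a game client.
SAMPLE_PROCESSES = ["explorer.exe", "QQ.exe", "svchost.exe", "wow.exe", "chrome.exe"]

if __name__ == "__main__":
    for url in poll_once(SAMPLE_CONFIG, SAMPLE_PROCESSES):
        print("would download:", url)
```

The point of the loop is targeting: the server hosts one trojan per game or chat client, and only the ones matching a process the victim actually has running get pulled down, which is why a single infection of qq.exe on one machine and a different game trojan on another both trace back to the same configuration string.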
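The hard-coded database credentials are what turned this sample into a window onto the attacker's infrastructure. As an added example (not the page's or the sample's own code), the following triage helper scans a constructed `strings`-style dump of a VB binary for an ADO/OLE DB connection string, parses it into fields, flags any embedded user and password, and lists the SQL statements the program sends. The host, database, credentials and table names in the sample dump are invented for this example.

```python
import re

# Constructed excerpt from a strings dump of a VB sample like smss.exe.
# Host, database, credentials and table names are made up for this example.
SAMPLE_STRINGS = """
MSVBVM60.DLL
__vbaStrCopy
Provider=SQLOLEDB.1;Data Source=198.51.100.20,1433;Initial Catalog=gamedb;User ID=sa;Password=Pa55w0rd!
SELECT url FROM tb_down WHERE flag=1
SELECT url FROM tb_tongji
Scripting.FileSystemObject
"""

# Keys that appear in ADO / OLE DB connection strings (lower-cased for matching).
CONN_KEYS = {"provider", "data source", "server", "initial catalog",
             "database", "user id", "uid", "password", "pwd"}
CRED_KEYS = {"user id", "uid", "password", "pwd"}

SQL_RE = re.compile(r"^\s*(select|insert|update|delete)\b", re.IGNORECASE)


def parse_connection_string(line):
    """Parse 'Key=Value;Key=Value' into a dict of known keys.

    Returns {} unless the line names a server, so ordinary 'a=b' strings are ignored.
    """
    fields = {}
    for item in line.split(";"):
        if "=" not in item:
            continue
        key, value = item.split("=", 1)
        key = key.strip().lower()
        if key in CONN_KEYS:
            fields[key] = value.strip()
    return fields if ("data source" in fields or "server" in fields) else {}


def find_hardcoded_db_creds(strings_dump):
    """Connection strings in the dump that carry a user name or password."""
    hits = []
    for line in strings_dump.splitlines():
        fields = parse_connection_string(line.strip())
        if fields and (CRED_KEYS & fields.keys()):
            hits.append(fields)
    return hits


def find_sql_queries(strings_dump):
    """SQL statements embedded in the binary, which reveal the tables it reads."""
    return [l.strip() for l in strings_dump.splitlines() if SQL_RE.match(l)]


if __name__ == "__main__":
    for hit in find_hardcoded_db_creds(SAMPLE_STRINGS):
        print("server:", hit.get("data source") or hit.get("server"))
        print("user:  ", hit.get("user id") or hit.get("uid"))
        print("pass:  ", hit.get("password") or hit.get("pwd"))
    for q in find_sql_queries(SAMPLE_STRINGS):
        print("query: ", q)
```

On a real sample, feed it the output of `strings` (or the unpacked binary's string table); a hit gives you the server and account to look at, and the queries tell you which tables hold the download and statistics URLs before you ever connect.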
3. Summary
The Anheng research team found that all of the samples contain a large amount of Chinese-language content, so they must be the work of a domestic Chinese hacker group. Today, as network security threats grow ever more serious and exploit attacks become more and more frequent, enterprises need a good product to protect themselves rather than waiting to become a target. If you have any questions, please contact Anheng Information (400-605-9110); we will assist customers in solving the problem at any time.