這次心情很沉重!因為這個間諜軟體居然和咱們中國又有著聯絡!聯想到前些日子的Goolge對中國說不做惡,指責中國如何如何的,這些就不重複了,結果是那些外國老大粗門都認為中國人會做病毒,會通過木馬盜取他們的私人資訊,還有專門的駭客學校,甚至認為病毒都是中國造的等等,而這些意味著什麼嗎?意味著在他們眼裡中國人就是evil. 因為他們大多數都是粗人,腦子直,聽風就是雨,而且糞青情節很重,對他們解釋什麼都沒有用,他們一方面絕對信任自己的媒體,一方面要把自己平時不滿的發泄找到出路。很不幸,中國人成為了他們又一個發泄對象。
這些就不多說了,迴歸本題,這裡之所以說:和咱們中國又有著聯絡,也就是我不想妄加定論,雖然通過下面的技術分析的確是和杭州的一個伺服器有關,但是我寧願相信那是一個肉雞,其實直接指向自己的伺服器的做法,無疑是愚蠢的,自投羅網。如果真是肉雞,那麼大家真的要對電腦和網路安全增加重視,增強防範意識和措施,否則真成了被人賣了還替人數錢的傻瓜了。中國人都不傻,可能有的人被眼前的金錢誘惑,就把自己賣了。我說,下次把自己賣個好價錢,至少兩輩子不用發愁吃穿住行,好不好?!
2. 技術
上面都是感慨,不願聽願意看技術的請從這裡開始:
首先說說如何比較徹底地移除這個間諜軟體,執行下面的命令就可以了:sudo launchctl unload -w /Library/LaunchDaemons/PremierOpinion.plist<br />sudo rm /private/tmp/poinstaller<br />sudo rm /private/tmp/script.sh<br />sudo rm -rf /private/tmp/installtmp<br />sudo rm -rf /private/tmp/autoupgrade<br />sudo rm -rf /private/tmp/tapinstaller<br />sudo rm -rf /Applications/PremierOpinion<br />sudo rm /private/var/db/.AccessibilityAPIEnabled
下面
說是如何尋找來龍去脈的
下載MishInc FLV To MP3 converter是一個.jar檔案,unpack安裝後,有一個同意條款頁就是那個Premier * Opinion的,一旦你同意,它會產生下面兩個檔案/private/tmp
: script.sh和一個可執行檔poinstaller, 一旦你串連上網,它會下載兩個目錄installtmp
and tapinstaller,每個目錄都儲存有相同的內容PremierOpinion
, installtmp
裡有一個不同檔案大小的poinstaller和tapinstaller,包括upgrade.xml檔案,這個檔案指向伺服器post.securestudies.com
的rule14.xml
檔案,而這個檔案指向
PremierOpinion.zip
檔案,這個就是最新的間諜軟體的下載。
如果仔細查看poinstaller,它裡面還包括這個網站it.kingroutecn.com,同樣是rule14.xml檔案,裡面卻指向另外一個網占PermissionResearch。而無論
Permission Research還是
Premier
Opinion,都在
ComScore
公司的位址範圍內, 而且是同一個公司。這個可以通過whois來確認如下:
Registrant:<br />TMRG, INC.<br /> 11950 Democracy Dr.<br /> Suite 600<br /> Reston, VA 20190<br /> US<br /> Domain Name: SECURESTUDIES.COM<br /> Administrative Contact, Technical Contact:<br /> Administrator, Domain<br /> TMRG, INC.<br /> 11950 Democracy Dr.<br /> Suite 600<br /> Reston, VA 20190<br /> US<br /> 703-438-2000 fax: 512-727-3144<br /> Record expires on 17-Aug-2010.<br /> Record created on 17-Aug-2005.<br /> Domain servers in listed order:<br /> DNS01.IAD.COMSCORE.COM 66.119.41.13<br /> DNS01.ORD.COMSCORE.COM 4.79.208.231<br /> DNS02.IAD.COMSCORE.COM 66.119.41.25<br /> DNS02.ORD.COMSCORE.COM 4.79.208.232
重點
在這裡而it.kingroutecn.com網站的地址是218.108.8.85(不要使用ping,而是dig或者Windows的nslookup)
, kingroutecn.com網域名稱是通過美國的一個網域名稱公司
bluehost.com
註冊的,
反向尋找
它指向hidden-master.hzman.net伺服器,再尋找地址可以找到下面資訊,其中明確指出,地址公司連絡人等等,如果誰可以聯絡到這家公司,請他們注意安全。
218.108.8.85 is from China(CN) in region Southern and Eastern Asia<br />Whois query for 218.108.8.85...<br />Results returned from whois.arin.net:<br />OrgName: Asia Pacific Network Information Centre<br />OrgID: APNIC<br />Address: PO Box 2131<br />City: Milton<br />StateProv: QLD<br />PostalCode: 4064<br />Country: AU<br />ReferralServer: whois://whois.apnic.net<br />NetRange: 218.0.0.0 - 218.255.255.255<br />CIDR: 218.0.0.0/8<br />NetName: APNIC4<br />NetHandle: NET-218-0-0-0-1<br />Parent:<br />NetType: Allocated to APNIC<br />NameServer: NS1.APNIC.NET<br />NameServer: NS3.APNIC.NET<br />NameServer: NS4.APNIC.NET<br />NameServer: NS-SEC.RIPE.NET<br />NameServer: TINNIE.ARIN.NET<br />Comment: This IP address range is not registered in the ARIN database.<br />Comment: For details, refer to the APNIC Whois Database via<br />Comment: WHOIS.APNIC.NET or http://wq.apnic.net/apnic-bin/whois.pl<br />Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry<br />Comment: for the Asia Pacific region. APNIC does not operate networks<br />Comment: using this IP address range and is not able to investigate<br />Comment: spam or abuse reports relating to these addresses. For more<br />Comment: help, refer to http://www.apnic.net/apnic-info/whois_search2/abuse-and-spamming<br />RegDate: 2000-12-07<br />Updated: 2009-10-08<br />OrgTechHandle: AWC12-ARIN<br />OrgTechName: APNIC Whois Contact<br />OrgTechPhone: +61 7 3858 3188<br />OrgTechEmail: search-apnic-not-arin@apnic.net<br /># ARIN WHOIS database, last updated 2010-06-03 20:00<br /># Enter ? for additional hints on searching ARIN's WHOIS database.<br />#<br /># ARIN WHOIS data and services are subject to the Terms of Use<br /># available at https://www.arin.net/whois_tou.html<br />Results returned from whois.apnic.net:<br />% [whois.apnic.net node-2]<br />% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html<br />inetnum: 218.108.0.0 - 218.109.255.255<br />netname: WASU<br />descr: WASU TV & Communication Holding Co.,Ltd.<br />descr: 6/F, Jian Gong Building, NO.20 Wen San Road, Hangzhou,<br />descr: Zhejiang province, P.R.China 310012<br />country: CN<br />admin-c: XZ1291-AP<br />tech-c: TF142-AP<br />status: ALLOCATED PORTABLE<br />mnt-by: MAINT-CNNIC-AP<br />mnt-lower: MAINT-CNNIC-AP<br />mnt-routes: MAINT-CNNIC-AP<br />changed: hm-changed@apnic.net 20080123<br />source: APNIC<br />person: Xianlong Zeng<br />nic-hdl: XZ1291-AP<br />e-mail: allon@chinahcn.com<br />address: No.9 ShuGuang Road,HangZhou City,ZheJiang Province<br />phone: +86-0571-28958852<br />fax-no: +86-0571-85214455<br />country: CN<br />changed: ipas@cnnic.cn 20071123<br />mnt-by: MAINT-CNNIC-AP<br />source: APNIC<br />person: Tao Feng<br />nic-hdl: TF142-AP<br />e-mail: fengtao@chinahcn.com<br />address: No.9 ShuGuang Road,HangZhou City,ZheJiang Province<br />phone: +86-0571-28958888-8108<br />fax-no: +86-0571-85214455<br />country: CN<br />changed: ipas@cnnic.cn 20100513<br />mnt-by: MAINT-CNNIC-AP<br />source: APNIC<br />
網路安全不是不丟孩子,搞不好會丟人。
Tony Liu, June 3, 2010深夜12:59am
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
