Situation: you have a strange file that you suspect is malware, and the existing multi-scanners such as VirusTotal tell you nothing useful about it. What now?

Online sandboxes

There are many information-security projects that implement an isolated, virtualized system for running code and then analyze the changes the code made to it. As a rule, these projects also run an online version of their system that can be used for free: you upload the suspicious file and get back a full description of how it behaved when it was executed inside the sandbox.
ThreatExpert

ThreatExpert compares snapshots of the system taken before and after the sample is launched, and additionally intercepts some API calls while the code runs. The result is a report containing:

• New processes, files, registry keys and mutexes created during execution of the code.
• Hosts and IP addresses the sample connected to, with hex and ASCII dumps of the data exchanged.
• Detections by popular antivirus engines for the submitted file and for the files it created during execution.
• The probable country of origin of the code, judged from language resources and other traces found in it.
• The suspected threat category (rootkit, backdoor and so on) and its severity level.
• Screenshots of any new windows that appeared during execution.

You can register on the site; registered users get a history of all their analyses that can be pulled up at any time. If you install the submission applet, files can be sent for analysis straight from the Explorer context menu.
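The before/after snapshot comparison described above, as an added example that is not code from ThreatExpert or from this article: a minimal differ in Python. It walks a directory tree (a stand-in for the filesystem; registry hives, services and process lists would be snapshotted the same way), hashes every file, runs a constructed stand-in for a sample, and reports created, modified and deleted entries the way a sandbox report lists them. It also shows the blind spot of pure snapshot diffing: a file that is deleted and re-created with identical bytes leaves no trace, which is exactly why ThreatExpert combines snapshots with API interception. Every name in it (fake_sample, svchost_.exe, update.example.test, the temporary tree) is made up for the demo.

```python
"""Before/after snapshot diffing, the first half of what ThreatExpert does.

Added example; not code from ThreatExpert or from this article. The directory
tree stands in for the filesystem and the sample is a constructed stand-in.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Callable, Dict, List

# relative POSIX path -> sha256 of content, or "<dir>" for directories
Snapshot = Dict[str, str]


def take_snapshot(root: Path) -> Snapshot:
    """Record every directory and the content hash of every file under root."""
    snap: Snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        for d in dirnames:
            snap[(rel / d).as_posix()] = "<dir>"
        for f in filenames:
            digest = hashlib.sha256((Path(dirpath) / f).read_bytes()).hexdigest()
            snap[(rel / f).as_posix()] = digest
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Classify entries as created, modified (hash changed) or deleted."""
    return {
        "created": sorted(k for k in after if k not in before),
        "modified": sorted(k for k in after if k in before and after[k] != before[k]),
        "deleted": sorted(k for k in before if k not in after),
    }


def analyze(root: Path, sample: Callable[[Path], None]) -> Dict[str, List[str]]:
    """Snapshot, run the sample, snapshot again, and report the difference."""
    before = take_snapshot(root)
    sample(root)
    return diff_snapshots(before, take_snapshot(root))


def fake_sample(root: Path) -> None:
    """Constructed stand-in for malware: drops a copy into the 'system'
    directory, appends to the hosts file and deletes its own dropper."""
    (root / "system32" / "svchost_.exe").write_bytes(b"MZ fake payload")
    hosts = root / "system32" / "drivers" / "etc" / "hosts"
    hosts.write_text(hosts.read_text() + "127.0.0.1 update.example.test\n")
    (root / "dropper.exe").unlink()


def demo() -> Dict[str, List[str]]:
    """Build a tiny fake system tree, run fake_sample in it, return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        etc = root / "system32" / "drivers" / "etc"
        etc.mkdir(parents=True)
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "dropper.exe").write_bytes(b"MZ fake dropper")
        return analyze(root, fake_sample)


def blind_spot_demo() -> Dict[str, List[str]]:
    """Limitation of snapshot-only analysis: a file deleted and re-created with
    identical bytes is invisible, so the report is empty even though the sample
    touched the file. That is why ThreatExpert also hooks API calls."""
    def sample(root: Path) -> None:
        target = root / "config.ini"
        data = target.read_bytes()
        target.unlink()
        target.write_bytes(data)

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.ini").write_bytes(b"[settings]\nproxy=0\n")
        return analyze(root, sample)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(f"{kind}: {entries}")
    print("blind spot:", blind_spot_demo())
```

Hashing every file on a real Windows installation is slow, which is one reason sandboxes scope the snapshot to interesting locations (system directories, autostart registry keys, the process and service lists) and lean on API hooks for the rest.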
CWSandbox

CWSandbox was developed at the University of Mannheim, which sells the system commercially; analysis through the online service, however, is free.

The distinguishing feature of this sandbox is that analysis is done by injecting a sandbox library into the executable and hooking every API call through it. Obviously the sandbox sees nothing when the code calls the native API directly or works in kernel mode. For the files on which it does work, though, CWSandbox often delivers more information than anyone else.

The free online version has several restrictions compared with the commercial one:

• Only PE files can be analyzed. The paid version also handles BHOs, zip archives and Microsoft Office documents.
• The free version accepts uploads only through the web interface. The paid version also accepts files by e-mail and other channels, with comments attached.
• The paid version lets you choose between analysis in a virtual environment and analysis on a real system.
• The commercial version also analyzes files downloaded during execution, files created in system folders and files injected into other processes.
Anubis

Anubis is one of the most widespread sandbox options, popular for the completeness of its reports and its response time. Some features of the system:

• You can submit a URL instead of a suspicious file; the system then loads the URL in Internet Explorer and analyzes the system's behaviour.
• Together with the file under test you can upload additional libraries (in a zip archive, either without a password or with the password "infected"). This is very handy for analyzing malicious dynamic libraries (if that topic interests you too, say so in the comments and I may write a separate article about it).
• Reports are provided in several formats: HTML, XML, plain text and PDF. You can also download the full network dump captured during analysis.
• Files can be submitted to Anubis over SSL (useful when your antivirus or a proxy blocks the plain upload).
Joebox

And finally, the Great and Terrible Joebox. The fruit of Stefan Buhlmann's research, Joebox is in my opinion the most powerful of the analysis systems. Its distinguishing feature is that it is the only one of them that hooks the SSDT and the EAT in kernel mode during file analysis. On the one hand this loses a small amount of information about high-level calls (for example, creating a new process through ShellExecute or WinExec); on the other hand it makes it possible to examine malware that works through the native API or in kernel mode. Beyond that, Joebox offers the following analysis capabilities:

• Joebox accepts and examines executables, DLLs, kernel drivers, Microsoft Word documents and PDF files, each as a single upload.
• You can choose the runtime environment: Windows XP, Windows Vista or Windows 7.
• You can choose to run the code in a virtual environment or on a real system (the latter is implemented with a FOG-based solution).
• You can receive a full dump of the network traffic captured during analysis.
• Support for the popular amun and nepenthes honeypots, through modules that automatically upload newly captured samples to Joebox.
• Support for AutoIt scripts that control the runtime of the malicious file inside Joebox.

In my opinion the scripting support is what matters most. The project website describes the available functions and their meaning; I will only point out the most popular uses.

1. The malicious code checks its own file path and only runs when it finds itself in a particular location. A simple script solves this:
Script
_JBSetSystem("xp")
; run the analysis on Windows XP
_JBStartAnalysis()
; start behaviour analysis
_JBStartSniffer()
; start capturing network traffic
$NewFile = @SystemDir & "\" & "malware.exe"
FileCopy("c:\malware.exe", $NewFile, 1)
; put the sample where it expects to find itself (the system directory); 1 = overwrite
FileDelete("c:\malware.exe")
; remove the original so only the copy in the system directory remains
Run($NewFile, @TempDir, @SW_HIDE)
; launch the copy with a hidden window
Sleep(120 * 1000)
; let the sample run for 120 seconds (AutoIt's Sleep takes milliseconds)
_JBStopSniffer()
; stop the network capture
_JBStopAnalysis()
; stop the analysis and produce the report
EndScript
2. If you need a quick analysis of a malicious library, you can use the following script (here the library is injected into a freshly started Internet Explorer process):
Script
#include <IE.au3>
; IE automation UDF, needed for _IECreate and _IEQuit
_JBSetSystem("xp")
_JBStartAnalysis()
_JBStartSniffer()
$NewFile = @SystemDir & "\" & "malware.dll"
FileCopy("c:\malware.dll", $NewFile, 1)
RegWrite("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", _
    "AppInit_DLLs", "REG_SZ", "malware.dll")
; AppInit_DLLs: every process started from now on that loads user32.dll also loads malware.dll
; (on Vista/7 the DWORD value LoadAppInit_DLLs under the same key must also be 1)
$oIE = _IECreate("http://www.sbrf.ru")
; start a new Internet Explorer process; it picks up the DLL through AppInit_DLLs
Sleep(120 * 1000)
; let it run for 120 seconds (AutoIt's Sleep takes milliseconds)
_IEQuit($oIE)
; done with IE now
_JBStopSniffer()
_JBStopAnalysis()
EndScript
BHOs can be analyzed the same way: just register the required keys in the registry. One problem comes up often, though: AppInit_DLLs only takes effect for newly created processes. What if the injection has to happen in explorer.exe? The following script handles that:
Script
Func KillProcess($process)
    ; terminate a running process by image name; returns True on success
    Local $pid = ProcessExists($process)
    If $pid = 0 Then Return False
    ; OpenProcess(PROCESS_TERMINATE, FALSE, pid); PROCESS_TERMINATE (0x0001) is all we need
    Local $hproc = DllCall("kernel32.dll", "handle", "OpenProcess", _
        "dword", 0x0001, "bool", False, "dword", $pid)
    If @error Then Return False
    If $hproc[0] = 0 Then Return False
    ; TerminateProcess(handle, exit code 0)
    Local $ret = DllCall("kernel32.dll", "bool", "TerminateProcess", _
        "handle", $hproc[0], "uint", 0)
    Local $ok = (Not @error) And ($ret[0] <> 0)
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hproc[0])
    Return $ok
EndFunc
_JBSetSystem("xp")
_JBStartAnalysis()
_JBStartSniffer()
$NewFile = @SystemDir & "\" & "malware.dll"
FileCopy("c:\malware.dll", $NewFile, 1)
RegWrite("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", _
    "AppInit_DLLs", "REG_SZ", "malware.dll")
KillProcess("explorer.exe")
; winlogon.exe restarts the shell; the new explorer.exe process loads the DLL through AppInit_DLLs
Sleep(10000)
; give the sample 10 seconds
_JBStopSniffer()
_JBStopAnalysis()
EndScript
3. If the sample needs network access from a particular country, you can configure a proxy inside the running Joebox environment:
Script
_JBSetSystem("xp")
_JBStartAnalysis()
_JBStartSniffer()
$ProxyServer = "1.2.3.4:8080"
; address:port of a proxy located in the country of interest
RegWrite("HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings", _
    "ProxyServer", "REG_SZ", $ProxyServer)
RegWrite("HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings", _
    "ProxyEnable", "REG_DWORD", 1)
; WinInet (Internet Explorer and anything built on it) now routes through the proxy;
; samples that use raw sockets ignore this setting
_JBLoadProvidedBin()
; run the binary that was uploaded together with the script
Sleep(10000)
_JBStopSniffer()
_JBStopAnalysis()
EndScript
Naturally, with this flexibility and wealth of capabilities Joebox has become one of the most popular sandboxes, and that is its worst side: sometimes you have to wait several days for the results of an analysis. The author also offers to sell you your own copy of this wonderful sandbox, but it is rather expensive. How to build your own system for analyzing files at no particular cost I will describe in the next article, provided, of course, that the Habr community approves this piece and my karma does not melt away completely ;)

PS. Examples of other online sandboxes:
* BitBlaze
* Comodo Instant Malware Analysis
* Eureka
* Norman Sandbox

Thanks to ahtox74 for sending the invite.

UPD: Joebox has introduced mandatory registration. To use this online sandbox free of charge, send an e-mail in English to info@joebox.org with the following information:
1. Your name
2. The purpose of registration and a short description of what you intend to investigate with Joebox
3. The e-mail address to which reports on your research should be sent
After the request is submitted they promise to open access for the specified mailbox.

UPD-UPD: The second part of the article has been published.