穿破 comodo ，webcam logger

gd8888

对于DW来说，只是小菜一碟，完美防御。以下是日志：


DefenseWall log file

02.18.2013  17:05:34, 模块 C:\Program Files\Internet Explorer\IEXPLORE.EXE, Attempt to set value Favorites within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

02.18.2013  17:05:34, 模块 C:\Program Files\Internet Explorer\IEXPLORE.EXE, Attempt to delete service (服务)

02.18.2013  17:05:34, 模块 C:\Program Files\Internet Explorer\IEXPLORE.EXE, Attempt to set value Cache within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

02.18.2013  17:05:34, 模块 C:\Program Files\Internet Explorer\IEXPLORE.EXE, Attempt to create new file C:\Documents and Settings\GDFS\Local Settings\Temporary Internet Files\desktop.ini (文件 )

02.18.2013  17:05:34, 模块 C:\Program Files\Internet Explorer\IEXPLORE.EXE, Attempt to set value Directory within the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\ (注册表)

02.18.2013  17:05:34, 模块 C:\Program Files\Internet Explorer\IEXPLORE.EXE, Attempt to set value Cookies within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

02.18.2013  17:05:34, 模块 C:\Program Files\Internet Explorer\IEXPLORE.EXE, Attempt to set value History within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

02.18.2013  17:05:34, 模块 C:\Program Files\Internet Explorer\IEXPLORE.EXE, Attempt to set value Desktop within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

02.18.2013  17:04:42, 模块 C:\Program Files\Internet Explorer\IEXPLORE.EXE, Attempt to set value Favorites within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

02.18.2013  17:04:42, 模块 C:\Program Files\Internet Explorer\IEXPLORE.EXE, Attempt to delete service (服务)

02.18.2013  17:04:42, 模块 C:\Program Files\Internet Explorer\IEXPLORE.EXE, Attempt to set value Cache within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

02.18.2013  17:04:42, 模块 C:\Program Files\Internet Explorer\IEXPLORE.EXE, Attempt to create new file C:\Documents and Settings\GDFS\Local Settings\Temporary Internet Files\desktop.ini (文件 )

02.18.2013  17:04:42, 模块 C:\Program Files\Internet Explorer\IEXPLORE.EXE, Attempt to set value Directory within the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\ (注册表)

02.18.2013  17:04:42, 模块 C:\Program Files\Internet Explorer\IEXPLORE.EXE, Attempt to set value Cookies within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

02.18.2013  17:04:42, 模块 C:\Program Files\Internet Explorer\IEXPLORE.EXE, Attempt to set value History within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

02.18.2013  17:04:42, 模块 C:\Program Files\Internet Explorer\IEXPLORE.EXE, Attempt to set value Desktop within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

02.18.2013  17:04:10, 模块 C:\WINDOWS\system32\rundll32.exe, Attempt to delete service (服务)

02.18.2013  17:03:47, 模块 C:\WINDOWS\system32\rundll32.exe, Attempt to open process C:\WINDOWS\system32\ctfmon.exe (进程)

02.18.2013  17:03:47, 模块 C:\WINDOWS\system32\rundll32.exe, Attempt to open process C:\WINDOWS\system32\ctfmon.exe (进程)

02.18.2013  17:03:41, 模块 C:\WINDOWS\system32\rundll32.exe, Attempt to delete service (服务)

02.18.2013  17:03:25, 模块 C:\Program Files\WinRAR\WinRAR.exe, Attempt to set value AppData within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

02.18.2013  17:03:25, 模块 C:\Program Files\WinRAR\WinRAR.exe, Attempt to delete service (服务)

02.18.2013  17:03:24, 模块 C:\Program Files\WinRAR\WinRAR.exe, 2:Process is running untrusted now (进程)

a256886572008

DW 的重點攔截如下，因為紅色阻止病毒鎖屏，所以無法測試能否攔截 webcam logger

02.18.2013  17:38:08, module C:\WINDOWS\system32\rundll32.exe, Attempt to create new file C:\Documents and Settings\Roger\「開始」功能表\程式集\啟動\runctf.lnk (File )

02.18.2013  17:38:12, module C:\WINDOWS\system32\rundll32.exe, Attempt to switch to another desktop (Screen)

02.18.2013  17:38:13, module C:\WINDOWS\system32\ctfmon.exe, 2:Attempt to bring window of the process C:\WINDOWS\system32\ctfmon.exe to the top (Screen)

黑暗的背叛者

firefox3 发表于 2013-2-18 14:14
确实，一旦锁住，根本不容得你点选

有办法使弹窗不能被盖住吗，或者有的倒计时后自动处理。总之，回滚系统一旦出问题就直接悲剧了。

firefox3

黑暗的背叛者 发表于 2013-2-18 20:09
有办法使弹窗不能被盖住吗，或者有的倒计时后自动处理。总之，回滚系统一旦出问题就直接悲剧了。

没有。入沙还好办，毕竟所有行为发生在沙盘内，大不了重启，或者注销一下，木马未能添加启动项，窗口盖不盖住也没关系。别的就杯具了。

黑暗的背叛者

firefox3 发表于 2013-2-18 20:14
没有。入沙还好办，毕竟所有行为发生在沙盘内，大不了重启，或者注销一下，木马未能添加启动项，窗口盖不 ...

感觉LZ的DW没报全，这东西带KeyboardControl，带后门，注入好几个进程，它注册服务用的不是常规方法，加了驱。现在貌似已经有不少入库了，数字入库挺快，但没云基本废了，正在测SSTS中，几天内应该就能在国内区发结果了。我传了沙箱分析：https://anubis.iseclab.org/?acti ... 145&format=html

GFI SandBox Analysis
Digital Behavior Traits
Injected Code        NO
More than 5 Processes        NO
Copies to Windows        NO
Windows/Run Registry Key Set        NO
Makes Network Connection        YES
Creates EXE in System        NO
Starts EXE in System        YES
Starts EXE in Documents        NO
Deletes File in System        NO
Hooks Keyboard        YES
Creates Hidden File        YES
Creates DLL in System        NO
Creates Mutex        YES
Alters Windows Firewall        NO
Checks For Debugger        YES
Could Not Load        NO
Opens Physical Memory        NO
Modifies Local DNS        NO
Starts EXE in Recycle        NO
Creates Service        NO
Modifies File in System        NO
Deletes Original Sample        NO
VirusTotal Results
Last Scanned:        2013-02-18 01:48:36
MicroWorld-eScan        Trojan.Generic.KD.863237
nProtect        Not Detected
CAT-QuickHeal        Not Detected
McAfee        Not Detected
Malwarebytes        Trojan.Ransom
K7AntiVirus        Not Detected
TheHacker        Not Detected
Agnitum        Not Detected
F-Prot        Not Detected
Symantec        Suspicious.Cloud.5
Norman        Not Detected
TotalDefense        Not Detected
TrendMicro-HouseCall        TROJ_GEN.R47H1BH
Avast        Win32:Malware-gen
eSafe        Not Detected
ClamAV        Not Detected
Kaspersky        Trojan-Ransom.Win32.Foreign.acev
BitDefender        Trojan.Generic.KD.863237
NANO-Antivirus        Not Detected
SUPERAntiSpyware        Not Detected
Sophos        Troj/Zbot-DXS
Comodo        Not Detected
F-Secure        Not Detected
DrWeb        Not Detected
VIPRE        Not Detected
AntiVir        Not Detected
TrendMicro        Not Detected
McAfee-GW-Edition        Not Detected
Emsisoft        Gen:Trojan.Heur.LP.fC4@a4OgAiji (B)
Jiangmin        Not Detected
Antiy-AVL        Not Detected
Kingsoft        Not Detected
Microsoft        Not Detected
ViRobot        Not Detected
AhnLab-V3        Not Detected
GData        Trojan.Generic.KD.863237
Commtouch        Not Detected
ByteHero        Not Detected
VBA32        Not Detected
PCTools        Not Detected
ESET-NOD32        a variant of Win32/Kryptik.AUOS
Rising        Not Detected
Ikarus        Not Detected
Fortinet        W32/Agent.AKM!tr
AVG        Not Detected
Panda        Not Detected

a256886572008

黑暗的背叛者 发表于 2013-2-18 20:52
感觉LZ的DW没报全，这东西带KeyboardControl，带后门，注入好几个进程，它注册服务用的不是常规方法，加了 ...

請問您用什麼工具把那個 .dll 變成 .exe 的？

firefox3

黑暗的背叛者 发表于 2013-2-18 20:52
感觉LZ的DW没报全，这东西带KeyboardControl，带后门，注入好几个进程，它注册服务用的不是常规方法，加了 ...

哈哈哈，你慢慢玩吧

黑暗的背叛者

a256886572008 发表于 2013-2-18 20:56
請問您用什麼工具把那個 .dll 變成 .exe 的？

沙盘里是网站转的。我自己一般用命令行加载DLL。但你要的话给你一个python脚本可以将DLL转为EXE。如需将dll注入到特定进程可以用RemoteDLL。类外附赠三个：rundll32ex.exe(允许在其它进程中运行，导出函数并传递参数）、install_svc.bat(安装动态分析服务DLL的批处理)、install_svc.py（这个脚本与bat相比可以选择参数）。其中rundllex有个演示传优酷了：http://v.youku.com/v_show/id_XNTE1ODQyNTEy.html

Candygu

a256886572008 发表于 2013-2-18 17:47
DW 的重點攔截如下，因為紅色阻止病毒鎖屏，所以無法測試能否攔截 webcam logger

Partially Limited能防住锁屏吗？

a256886572008

Candygu 发表于 2013-2-18 22:28
Partially Limited能防住锁屏吗？

那個不是重要動作，partially limited不攔截。