Thread starter: 至高神

[Suspicious file] High quality or harmless? Requesting identification

hx1997
Posted on 2011-4-4 02:02:57
It really is an account stealer - -
Be careful, be careful
Detection hasn't been great lately
Oxalis 扫描日志

扫描设置
启发式分析(Detective): 打开
云扫描(Cloud): 云 1、云 2 启用

扫描目标: G:\Documents and Settings\Administrator.HX-C0987054243B\桌面\sample.exe

扫描于 2011-4-4 1:59:58 开始。

共计 0 个威胁。
共计 1 个对象。
扫描于 8 秒内完成。
扫描于 2011-4-4 2:00:06 结束。

留侯
Posted on 2011-4-5 11:01:48
Dr.Web (大蜘蛛) clean, already submitted
438194610
Posted on 2011-4-8 08:59:58
Kingsoft Guard (金山卫士) download protection flagged it, yet a 360SD right-click scan actually came back safe
Hacker29cn
Posted on 2011-4-8 09:29:17
Last edited by Hacker29cn on 2011-4-8 09:30

Threads Created
PId   | Process Name | TId   | Start      | Start Mem | Win32 Start | Win32 Start Mem
0x348 | svchost.exe  | 0x784 | 0x7c810856 | MEM_IMAGE | 0x7c910760  | MEM_IMAGE
0x420 | svchost.exe  | 0xdc  | 0x7c810856 | MEM_IMAGE | 0x77df9981  | MEM_IMAGE

• Modules Loaded
• Windows Api Calls
• DNS Queries
DNS Query Text
www.cyzjy.com IN A +

• HTTP Queries
HTTP Query Text
www.cyzjy.com GET /a/ad.txt HTTP/1.1

• Mutexes Created or Opened
PId  | Image Name         | Address    | Mutex Name
0xd8 | C:\TEST\sample.exe | 0x771ba3ae | _!MSFTHISTORY!_
0xd8 | C:\TEST\sample.exe | 0x771bc21c | WininetConnectionMutex
0xd8 | C:\TEST\sample.exe | 0x771bc23d | WininetProxyRegistryMutex
0xd8 | C:\TEST\sample.exe | 0x771bc2dd | WininetStartupMutex
0xd8 | C:\TEST\sample.exe | 0x771d9710 | c:!documents and settings!user!cookies!
0xd8 | C:\TEST\sample.exe | 0x771d9710 | c:!documents and settings!user!local settings!history!history.ie5!
0xd8 | C:\TEST\sample.exe | 0x771d9710 | c:!documents and settings!user!local settings!temporary internet files!content.ie5!

• Events Created or Opened
PId  | Image Name         | Address    | Event Name
0xd8 | C:\TEST\sample.exe | 0x77a89422 | Global\crypt32LogoffEvent


We found that this program triggers the Global\crypt32LogoffEvent event and at the same time reads content related to c:!documents and settings!user!cookies!, and crypt32LogoffEvent itself is the foundation of a backdoor.
Below is a report from Microsoft:

Based on my research, I don't think the "crypt32LogoffEvent" event is
related with locking system. For more information, you may refer to the
following information:

When AuditBaseObjects is enabled, the operating system attaches a default
System Access Control List (SACL) to the object. SACLs are used by Windows
to audit access to files, registry keys, and other objects. When
AuditBaseObjects is disabled, no SACL is attached to newly created system
objects.

When a process requests a handle to an object, the caller must provide a
set of security credentials and a bitmask representing the type of access
required. If the security identity provided by the caller doesn't have the
access rights requested in the call, then the object access fails with
Access Denied. In the failure response, however, the operating system also
returns a bit mask telling the caller what permissions it does have. The
caller can request access again -- this time with a modified access mask --
and get a handle to the object.

This pattern can be seen in the audit logs if both Success and Failure
audits are recorded for object access, and looks similar to the following
events. First, a failure audit is logged:

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 10/26/2002
Time: 13:53:01
User: RESKIT\Administrator
Computer: SEA-FS-01
Description:
Object Open:
Object Server: Security
Object Type: Event
Object Name: \BaseNamedObjects\crypt32LogoffEvent
New Handle ID: -
Operation ID: {0,156054}
Process ID: 1320
Primary User Name: Administrator
Primary Domain: RESKIT
Primary Logon ID: (0x0,0xB4BE)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
SYNCHRONIZE
Query event state
Modify event state

Privileges -

This is followed immediately by a success audit:

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 10/26/2002
Time: 13:53:01
User: RESKIT\Administrator
Computer: SEA-FS-01
Description:
Object Open:
Object Server: Security
Object Type: Event
Object Name: \BaseNamedObjects\crypt32LogoffEvent
New Handle ID: 392
Operation ID: {0,156057}
Process ID: 1320
Primary User Name: Administrator
Primary Domain: RESKIT
Primary Logon ID: (0x0,0xB4BE)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses SYNCHRONIZE

Privileges -

In this example, an application with the Process ID of 1320 and running in
the security context of the domain administrator attempted to access the
object \BaseNamedObjects\crypt32LogoffEvent. In the first attempt, the
process requested DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER,
SYNCHRONIZE, "Query event state", and "Modify event state" access.
This request failed because the process had insufficient permissions on this
object. Process 1320 immediately requested another handle to the same object,
but this time it requested only SYNCHRONIZE access. This request succeeded.
Note that the two events occurred within the same second.

Audit events that match this pattern should be considered by design.
Failure audits that do not match this pattern may indicate that a running
process is attempting access system objects inappropriately. It is
impossible, however, to determine this unless both Success and Failure
object access auditing is enabled in the computer's effective audit policy.

Microsoft recommends that AuditBaseObjects be enabled only if stringent
security requirements of a particular server require this level of
auditing. This setting can be resource intensive in the amount of disk
space required to adequately store the security logs, and also add an
increased administrative burden.

Hope this helps!

Have a nice day!

Sincerely,
Tom Che
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

Note the part in red: that is the foundation for changing how files are read, written and accessed... In view of this, we consider it highly likely that this is a backdoor program.
Combined with Kingsoft's virus report, use with caution!
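The retry-with-reduced-mask pattern Microsoft describes above is easy to check mechanically: a Failure Audit for an object is "by design" when the same process gets a Success Audit on the same object within the same second with a strictly smaller access mask, and any other failure deserves a look. This is an added example, not code from the post or from Microsoft; it works on already-parsed Event ID 560 fields, and the sample records are constructed from the two audits quoted above plus one made-up unmatched failure.

```python
from datetime import datetime, timedelta

# Constructed records modelled on the two Event ID 560 audits quoted above,
# plus a third (also constructed) failure that has no matching success retry.
SAMPLE_AUDITS = [
    {"type": "Failure Audit", "time": "10/26/2002 13:53:01", "pid": 1320,
     "object": r"\BaseNamedObjects\crypt32LogoffEvent",
     "accesses": {"DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER",
                  "SYNCHRONIZE", "Query event state", "Modify event state"}},
    {"type": "Success Audit", "time": "10/26/2002 13:53:01", "pid": 1320,
     "object": r"\BaseNamedObjects\crypt32LogoffEvent",
     "accesses": {"SYNCHRONIZE"}},
    {"type": "Failure Audit", "time": "10/26/2002 13:55:10", "pid": 2044,
     "object": r"\BaseNamedObjects\ExampleEvent",  # constructed object name
     "accesses": {"WRITE_DAC", "WRITE_OWNER"}},
]


def parse_time(text):
    """Parse the combined 'Date Time' fields as they appear in the Security log."""
    return datetime.strptime(text, "%m/%d/%Y %H:%M:%S")


def classify_failures(audits, window=timedelta(seconds=1)):
    """Label every Failure Audit as 'by-design' or 'suspicious'.

    A failure is by design when the same process re-opens the same object
    within `window` and succeeds with a strictly smaller access mask (the
    pattern Microsoft describes). Anything else is flagged for review.
    """
    successes = [a for a in audits if a["type"] == "Success Audit"]
    verdicts = []
    for fail in audits:
        if fail["type"] != "Failure Audit":
            continue
        t0 = parse_time(fail["time"])
        retried = any(
            ok["pid"] == fail["pid"] and ok["object"] == fail["object"]
            and timedelta(0) <= parse_time(ok["time"]) - t0 <= window
            and ok["accesses"] < fail["accesses"]  # strict subset of the mask
            for ok in successes)
        verdicts.append((fail["pid"], fail["object"],
                         "by-design" if retried else "suspicious"))
    return verdicts


if __name__ == "__main__":
    for pid, obj, verdict in classify_failures(SAMPLE_AUDITS):
        print(f"PID {pid:<5} {obj:<45} {verdict}")
```

As Microsoft notes, this only works when both Success and Failure object-access auditing are enabled; with failures alone, every record would be flagged.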
Hacker29cn
Posted on 2011-4-8 09:32:40
Reply to #14, Hacker29cn's post

This is the firewall blocking its network access

[image attachment]
至高神
Thread starter | Posted on 2011-4-8 09:38:42
Reply to #14, Hacker29cn's post

Very detailed analysis, thanks
Hacker29cn
Posted on 2011-4-8 09:40:25
Reply to #16, phyrus's post

You're welcome, it's the least I could do, O(∩_∩)O haha~
想和你去吹吹风
Posted on 2011-4-8 16:49:32

[image attachment]
qianyuqx
Posted on 2011-4-14 12:54:32
to mse