FIGUREhkcmd.exe
hkcmd.exe 时间:2021-04-14 阅读:(
)
TrendMicroIncorporatedResearchPaper2013FAKEMRATMalwareDisguisedasWindowsMessengerandYahoo!
MessengerBy:NartVilleneuveJessadelaTorreContentsIntroduction.
1Distribution.
2Installation.
3Backdoor.
3NetworkTrafficEncryption.
5Infrastructure.
7Conclusion.
81|FAKEMRATIntroductionTheperpetratorsoftargetedattacksaimtomaintainpersistentpresenceinatargetnetworkinordertoextractsensitivedatawhenneeded.
Tomaintainpersistentpresence,attackersseektoblendinwithnormalnetworktrafficanduseportsthataretypicallyallowedbyfirewalls.
Asaresult,manyofthemalwareusedintargetedattacksutilizetheHTTPandHTTPSprotocolstoappearlikewebtraffic.
However,whilethesemalwaredogiveattackersfullcontroloveracompromisedsystem,theyareoftensimpleandconfiguredtocarryoutafewcommands.
AttackersoftenuseremoteaccessTrojans(RATs),whichtypicallyhavegraphicaluserinterfaces(GUIs)andremotedesktopfeaturesthatincludedirectorybrowsing,filetransfer,andtheabilitytotakescreenshotsandactivatethemicrophoneandwebcameraofacompromisedcomputer.
AttackersoftenusepubliclyavailableRATslikeGh0st,PoisonIvy,Hupigon,andDRAT,and"closed-released"RATslikeMFCHunterandPlugX.
1However,thenetworktraffictheseRATsproduceiswell-knownandeasilydetectablealthoughattackersstillsuccessfullyusethem.
2Attackersalwayslookforwaystoblendtheirmalicioustrafficwithlegitimatetraffictoavoiddetection.
WefoundafamilyofRATsthatwecall"FAKEM"thatmaketheirnetworktrafficlooklikevariousprotocols.
SomevariantsattempttodisguisenetworktraffictolooklikeWindowsMessengerandYahoo!
Messengertraffic.
AnothervarianttriestomakethecontentofitstrafficlooklikeHTML.
WhilethedisguisestheRATsusearesimpleanddistinguishablefromlegitimatetraffic,theymaybejustgoodenoughtoavoidfurtherscrutiny.
1Gh0st:http://download01.
norman.
no/documents/ThemanyfacesofGh0stRat.
pdfandhttp://www.
mcafee.
com/ca/resources/white-papers/foundstone/wp-know-your-digital-enemy.
pdf;PoisonIvy:https://media.
blackhat.
com/bh-eu-10/presentations/Dereszowski/BlackHat-EU-2010-Dereszowski-Targeted-Attacks-slides.
pdf;Hupigon:http://www.
f-secure.
com/v-descs/backdoor_w32_hupigon.
shtml;DRAT:http://blog.
trendmicro.
com/trendlabs-security-intelligence/watering-holes-and-zero-day-attacks/;MFCHunter:http://blog.
trendmicro.
com/trendlabs-security-intelligence/japan-us-defense-industries-among-targeted-entities-in-latest-attack/;andPlugX:http://about-threats.
trendmicro.
com/us/webattack/112/Pulling+the+Plug+on+PlugX2http://www.
trendmicro.
com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.
pdf2|FAKEMRATDistributionAllthreeversionsoftheFAKEMRATthatweinvestigatedweredistributedviaspear-phishingemailsusingsocialengineeringtoluretargetsintoexecutingamaliciousattachment.
Whileweobservedtheuseofdifferentthemes,thecontentoftheemailswerealwaysinterestingtopotentialtargets.
FIGURE1:Samplespear-phishingemailswithattachmentsthatdropFAKEMRATThemaliciousattachmentsweremostoftenMicrosoftWorddocumentswithcodethatexploitsthefollowingvulnerabilities:CVE-2010-3333:RTFStackBufferOverflowVulnerabilityaddressedinMicrosoftSecurityBulletinMS10-087.
3CVE-2012-0158:MSCOMCTL.
OCXRCEVulnerabilityaddressedinMicrosoftSecurityBulletinMS12-027.
4WealsofoundaMicrosoftExcelfilethatexploitsCVE-2009-3129,theExcelFeatheaderRecordMemoryCorruptionVulnerabilityaddressedinMicrosoftSecurityBulletinMS09-067.
5Wealsosawsamplesthatweresimplyexecutable(.
EXE)files.
3http://technet.
microsoft.
com/en-us/security/bulletin/MS10-0874http://technet.
microsoft.
com/en-us/security/bulletin/ms12-0275http://technet.
microsoft.
com/en-us/security/bulletin/MS09-0673|FAKEMRATInstallationAfterexploitation,an.
EXEfilepackedwithUPXisdropped.
6Afterinitiallydroppingthemaliciousfilenamedhkcmd.
exetothe%Temp%folder,themalwaretypicallycopiesitselfusingthename,tpframe.
exe,tothe%System%folder.
Itthenaddsthefollowingregistryentrytoenableitsautomaticexecutionateverysystemstartup:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\runtpbar="%System%\tpframe.
exe"BackdoorThenetworktrafficthemalwareproducesisdesignedtolooklikeWindowsMessengertraffic.
MalwareofthistypewerediscussedonTwitter,notedbySonicWALL,andfoundtohavebeenactiveasfarbackasSeptember2009.
7However,itremainsunclearifalltheattacksthatusedthismalwarewereconnected.
ThemalicioustrafficbeginswithheaderssimilartoactualWindowsMessengertraffic:MSG5N130MIME-Version:1.
0However,beyondthis,youwillseethatthetrafficisnotvalidWindowsMessengertrafficbutmaybesufficientlydisguisedassuchtoescapefurtherscrutiny.
6UPXisafreetoolthatcompressesexecutablefiles.
However,itiscommonlyusedtopackmalwarefiles,seehttp://upx.
sourceforge.
net/formoredetails.
7https://twitter.
com/mikko/status/232851667446538241,https://www.
mysonicwall.
com/sonicalert/searchresults.
aspxev=article&id=464,andhttps://twitter.
com/diocyde/statuses/2328730236513361924|FAKEMRATFIGURE4:MalicioustrafficdisguisedasYahoo!
MessengertrafficFIGURE3:LegitimateWindowsMessengertrafficFIGURE2:MalicioustrafficdisguisedaslegitimateWindowsMessengertrafficComparedwithactualWindowsMessengertrafficshowninFigure3,itiseasytodistinguishthemalicioustrafficshowninFigure2.
Duringourinvestigationofthefake"WindowsMessenger"RAT,wefoundanotherversionthatattemptstodisguiseitsnetworktrafficasYahoo!
Messengertraffic.
ThenetworkcommunicationthisversionusesbeginswithYMSG,theYahoo!
Messengertrafficheader.
FIGURE5:LegitimateYahoo!
MessengertrafficHowever,thenetworktrafficshowninFigure4doesnotresemblelegitimateYahoo!
Messengertrafficbeyondtheuseoftheheader,YMSG.
ComparedwiththelegitimateYahoo!
MessengertrafficshowninFigure5,itiseasytodistinguishbetweenthetwo.
AthirdversionoftheFAKEMRATattemptstodisguisethenetworktrafficitproducesasHTML.
Themalicioustrafficbeginswithstringslike1.
.
56or12356.
88ThisvariantwasreferencedduringanincidentdocumentedbyAlienVaultinMarch2012inhttp://labs.
alienvault.
com/labs/index.
php/2012/alienvault-research-used-as-lure-in-targeted-attacks/.
5|FAKEMRATFIGURE6:MalicioustrafficdisguisedasHTMLtrafficThisisafairlyrudimentarydisguiseandoddbecauseyouwouldexpectHTMLtobetheresultofarequesttoawebserverandnotassomethingaclientwouldsendtoawebserver.
NetworkTrafficEncryptionThenetworkcommunicationbetweenthecompromisedcomputerandtheRATcontrollerisencrypted.
Theencryptionisthesameacrossvariantsanddoneatthebitlevel.
EachbyteisXOR-edbyeveryletterinthestring,YHCRA,androtated3bitstotherightaftereveryXORoperation.
Encryptingthecommunicationensuresthatthesuspiciousdatapassedbetweenthecompromisedhostandtheattackerscannotbeeasilyviewedinplaintext.
Thecommunicationcomesin1024-byteblobsofdatathatstartwiththe32-byteheader.
Itappearsthatattackersmayspecifyanykindoffakeheaderswithinthefirst32bytesinordertodisguisethesubsequentnetworktraffic.
Thefollowingbitsofinformationareinitiallysentbythecompromisedhostwhenthecommunicationstarts:UsernameComputernameOEMcodepageidentifierWhatlookslikeacampaigncodebutonlyforsomesamplesThecommandsarenotpreconfiguredasthemalwarereliesonthedatasentbytheserver.
Forinstance,whenaclientreceivesthecommand,0211,thissignifiesthatitshouldexecutetheaccompanyingdatainmemory.
6|FAKEMRATThefollowingarethecommandstheserverissuesandtheirmeanings:0211:Executecode.
0212:Reconnecttoreceivedata.
0213:Sleep,closesocket,andreconnect.
0214:Exit.
TodeterminetheRAT'scapabilities,weallowedtheattackerstoinfiltrateahoneypotcomputerandcapturedallofthenetworktrafficitgenerated.
Wedecryptedthenetworktrafficanddeterminedthecommandstheattackersused,whichinclude:CmdMana:CommandManagerallowsattackerstoexecuteshellcommands.
FileMan:FileManagerallowstheattackerstobrowsedirectories.
HostIn:HostInformationprovidesinformationaboutthecompromisedcomputer.
ProcMan:ProcessManagergivesattackersaccesstorunningprocesses.
RegMana:RegistryManagergivesattackersaccesstotheWindowsregistry.
Scree:Screentakesasnapshotofthedesktop.
ServiceMa:ServiceManagerallowsaccesstoservices.
Passwo:PasswordaccessesstoredpasswordslikethosesavedinInternetExplorer(IE).
UStea:Uploadsfilesfromacompromisedcomputer.
7|FAKEMRATInfrastructureTheWindowsMessengersamplesweanalyzedwereclusteredintofivegroupsthatdidnothaveoverlappinglinkages.
Fouroftheclusterswererelativelysmallandfocusedonfourdifferentdomains:vcvcvcvc.
dyndns.
orgzjhao.
dtdns.
netavira.
suroot.
com*.
googmail.
comThevcvcvcvc.
dyndns.
orgdomainisparticularlyinterestingbecausewealsofounditbeingusedasacommand-and-control(C&C)serverforProtux—awell-knownmalwarefamilythathasbeenusedinmanytargetedattacksovertheyears.
Wealsofoundthattheavira.
suroot.
comdomainusedasaC&Cserverforyetanothermalwarefamilywecall"cxgid.
"The*.
googmail.
comdomainwasslightlylargerandincludednameslikeapple12.
crabdance.
comandapple12.
co.
cc.
However,thelargestclusterrevolvedaroundthe*.
yourturbe.
orgdomainandoverlappedwiththeHTMLvariant.
WealsofoundsmallclustersoftheHTMLvariantthatrevolvedaroundthedomain,endless.
zapto.
org,whichwasdownloadedasasecond-stagemalwarebyProtux.
FIGURE7:FAKEMdomainsassociatedwiththeWindowsMessengerandHTMLvariants8|FAKEMRATMeanwhile,theYahoo!
Messengersamplesweanalyzedallaccessedfreeavg.
sytes.
net—adomainnamethatfrequentlyresolvedtodifferentIPaddresses.
FIGURE8:FAKEMdomainsassociatedwiththeYahoo!
MessengervariantThevarioussampleswecollectedappeartobelongtogroupsthatoverlappedalittle.
Thissuggeststhatratherthanbeingassociatedwithaparticularcampaign,theuseofvariousFAKEMRATscouldbedistributedamongmultiplethreatactors.
ConclusionKnowledgeoftheattacktools,techniques,andinfrastructureofadversariesiscriticalfordevelopingdefensivestrategies.
ThisresearchpaperexaminedthreevariantsofaRAT—FAKEM—thatattempttodisguisethenetworktraffictheyproducetostayundertheradar.
NowthatpopularRATslikeGh0standPoisonIvyhavebecomewell-knownandcaneasilybedetected,attackersarelookingformethodstoblendinwithlegitimatetraffic.
WhileitispossibletodistinguishthenetworktrafficFAKEMRATvariantsproduceforthelegitimateprotocolstheyaimtospoof,doingsointhecontextofalargenetworkmaynotbenoteasy.
TheRAT'sabilitytomaskthetrafficitproducesmaybeenoughtoprovideattackersenoughcovertosurvivelongerinacompromisedenvironment.
Fortunately,solutionslikeTrendMicroDeepDiscoverycanhelpnetworkadministratorsprotecttheirorganizationsfromattacksthatusetheFAKEMRATbydetectingthetrafficitsvariantsproduce.
TRENDMICROINCORPORATEDTrendMicroIncorporated(TYO:4704;TSE:4704),aglobalcloudsecurityleader,createsaworldsafeforexchangingdigitalinformationwithitsInternetcontentsecurityandthreatmanagementsolutionsforbusinessesandconsumers.
Apioneerinserversecuritywithover20years'experience,wedelivertop-rankedclient,serverandcloud-basedsecuritythatfitsourcustomers'andpartners'needs,stopsnewthreatsfaster,andprotectsdatainphysical,virtualizedandcloudenvironments.
Poweredbytheindustry-leadingTrendMicroSmartProtectionNetworkcloudcomputingsecurityinfrastructure,ourproductsandservicesstopthreatswheretheyemerge—fromtheInternet.
Theyaresupportedby1,000+threatintelligenceexpertsaroundtheglobe.
TRENDMICROINCORPORATED10101N.
DeAnzaBlvd.
Cupertino,CA95014U.
S.
tollfree:1+800.
228.
5651Phone:1+408.
257.
1500Fax:1+408.
257.
2003www.
trendmicro.
com2013byTrendMicroIncorporated.
Allrightsreserved.
TrendMicroandtheTrendMicrot-balllogoaretrademarksorregisteredtrademarksofTrendMicroIncorporated.
Allotherproductorcompanynamesmaybetrademarksorregisteredtrademarksoftheirowners.
老薛主机,虽然是第一次分享这个商家的信息,但是这个商家实际上也有存在有一些年头。看到商家有在进行夏季促销,比如我们很多网友可能有需要的香港VPS主机季度及以上可以半价优惠,如果有在选择不同主机商的香港机房的可以看看老薛主机商家的香港VPS。如果没有记错的话,早年这个商家是主营个人网站虚拟主机业务的,还算不错在异常激烈的市场中生存到现在,应该算是在众多商家中早期积累到一定的用户群的,主打小众个人网站...
易速互联怎么样?易速互联是国人老牌主机商家,至今已经成立9年,商家销售虚拟主机、VPS及独立服务器,目前商家针对美国加州萨克拉门托RH数据中心进行促销,线路采用BGP直连线路,自带10G防御,美国加州地区,100M带宽不限流量,月付299元起,有需要美国不限流量独立服务器的朋友可以看看。点击进入:易速互联官方网站美国独立服务器优惠套餐:RH数据中心位于美国加州、配置丰富性价比高、10G DDOS免...
萤光云怎么样?萤光云是一家国人云厂商,总部位于福建福州。其成立于2002年,主打高防云服务器产品,主要提供福州、北京、上海BGP和香港CN2节点。萤光云的高防云服务器自带50G防御,适合高防建站、游戏高防等业务。目前萤光云推出北京云服务器优惠活动,机房为北京BGP机房,购买北京云服务器可享受6.5折优惠+51元代金券(折扣和代金券可叠加使用)。活动期间还支持申请免费试用,需提交工单开通免费试用体验...
hkcmd.exe为你推荐
approachflash操作httpfilezillaserver如何使用filezilla serveroutlookexpressoutlook express 是什么?360邮箱360免费申请邮箱在那里sqlserver2000挂起SQL server2000 安装为什么老是提示挂起?温州商标注册温州注册公司在哪里注册缤纷网缤纷的意思是什么billboardchina美国Billboard公告牌年度10大金曲最新华丽合辑美国独立美国独立时不是只有13个洲吗?后来的领土都是怎么得来的。
万网免费域名 腾讯云盘 美国主机评论 sugarsync 2014年感恩节 ubuntu更新源 好看的桌面背景图 嘉洲服务器 个人空间申请 美国十次啦服务器 howfile idc资讯 100m空间 美国网站服务器 in域名 中国电信网络测速 云服务器比较 免费赚q币 学生机 湖南铁通 更多