FIGUREhkcmd.exe

hkcmd.exe  时间:2021-04-14  阅读:()
TrendMicroIncorporatedResearchPaper2013FAKEMRATMalwareDisguisedasWindowsMessengerandYahoo!
MessengerBy:NartVilleneuveJessadelaTorreContentsIntroduction.
1Distribution.
2Installation.
3Backdoor.
3NetworkTrafficEncryption.
5Infrastructure.
7Conclusion.
81|FAKEMRATIntroductionTheperpetratorsoftargetedattacksaimtomaintainpersistentpresenceinatargetnetworkinordertoextractsensitivedatawhenneeded.
Tomaintainpersistentpresence,attackersseektoblendinwithnormalnetworktrafficanduseportsthataretypicallyallowedbyfirewalls.
Asaresult,manyofthemalwareusedintargetedattacksutilizetheHTTPandHTTPSprotocolstoappearlikewebtraffic.
However,whilethesemalwaredogiveattackersfullcontroloveracompromisedsystem,theyareoftensimpleandconfiguredtocarryoutafewcommands.
AttackersoftenuseremoteaccessTrojans(RATs),whichtypicallyhavegraphicaluserinterfaces(GUIs)andremotedesktopfeaturesthatincludedirectorybrowsing,filetransfer,andtheabilitytotakescreenshotsandactivatethemicrophoneandwebcameraofacompromisedcomputer.
AttackersoftenusepubliclyavailableRATslikeGh0st,PoisonIvy,Hupigon,andDRAT,and"closed-released"RATslikeMFCHunterandPlugX.
1However,thenetworktraffictheseRATsproduceiswell-knownandeasilydetectablealthoughattackersstillsuccessfullyusethem.
2Attackersalwayslookforwaystoblendtheirmalicioustrafficwithlegitimatetraffictoavoiddetection.
WefoundafamilyofRATsthatwecall"FAKEM"thatmaketheirnetworktrafficlooklikevariousprotocols.
SomevariantsattempttodisguisenetworktraffictolooklikeWindowsMessengerandYahoo!
Messengertraffic.
AnothervarianttriestomakethecontentofitstrafficlooklikeHTML.
WhilethedisguisestheRATsusearesimpleanddistinguishablefromlegitimatetraffic,theymaybejustgoodenoughtoavoidfurtherscrutiny.
1Gh0st:http://download01.
norman.
no/documents/ThemanyfacesofGh0stRat.
pdfandhttp://www.
mcafee.
com/ca/resources/white-papers/foundstone/wp-know-your-digital-enemy.
pdf;PoisonIvy:https://media.
blackhat.
com/bh-eu-10/presentations/Dereszowski/BlackHat-EU-2010-Dereszowski-Targeted-Attacks-slides.
pdf;Hupigon:http://www.
f-secure.
com/v-descs/backdoor_w32_hupigon.
shtml;DRAT:http://blog.
trendmicro.
com/trendlabs-security-intelligence/watering-holes-and-zero-day-attacks/;MFCHunter:http://blog.
trendmicro.
com/trendlabs-security-intelligence/japan-us-defense-industries-among-targeted-entities-in-latest-attack/;andPlugX:http://about-threats.
trendmicro.
com/us/webattack/112/Pulling+the+Plug+on+PlugX2http://www.
trendmicro.
com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.
pdf2|FAKEMRATDistributionAllthreeversionsoftheFAKEMRATthatweinvestigatedweredistributedviaspear-phishingemailsusingsocialengineeringtoluretargetsintoexecutingamaliciousattachment.
Whileweobservedtheuseofdifferentthemes,thecontentoftheemailswerealwaysinterestingtopotentialtargets.
FIGURE1:Samplespear-phishingemailswithattachmentsthatdropFAKEMRATThemaliciousattachmentsweremostoftenMicrosoftWorddocumentswithcodethatexploitsthefollowingvulnerabilities:CVE-2010-3333:RTFStackBufferOverflowVulnerabilityaddressedinMicrosoftSecurityBulletinMS10-087.
3CVE-2012-0158:MSCOMCTL.
OCXRCEVulnerabilityaddressedinMicrosoftSecurityBulletinMS12-027.
4WealsofoundaMicrosoftExcelfilethatexploitsCVE-2009-3129,theExcelFeatheaderRecordMemoryCorruptionVulnerabilityaddressedinMicrosoftSecurityBulletinMS09-067.
5Wealsosawsamplesthatweresimplyexecutable(.
EXE)files.
3http://technet.
microsoft.
com/en-us/security/bulletin/MS10-0874http://technet.
microsoft.
com/en-us/security/bulletin/ms12-0275http://technet.
microsoft.
com/en-us/security/bulletin/MS09-0673|FAKEMRATInstallationAfterexploitation,an.
EXEfilepackedwithUPXisdropped.
6Afterinitiallydroppingthemaliciousfilenamedhkcmd.
exetothe%Temp%folder,themalwaretypicallycopiesitselfusingthename,tpframe.
exe,tothe%System%folder.
Itthenaddsthefollowingregistryentrytoenableitsautomaticexecutionateverysystemstartup:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\runtpbar="%System%\tpframe.
exe"BackdoorThenetworktrafficthemalwareproducesisdesignedtolooklikeWindowsMessengertraffic.
MalwareofthistypewerediscussedonTwitter,notedbySonicWALL,andfoundtohavebeenactiveasfarbackasSeptember2009.
7However,itremainsunclearifalltheattacksthatusedthismalwarewereconnected.
ThemalicioustrafficbeginswithheaderssimilartoactualWindowsMessengertraffic:MSG5N130MIME-Version:1.
0However,beyondthis,youwillseethatthetrafficisnotvalidWindowsMessengertrafficbutmaybesufficientlydisguisedassuchtoescapefurtherscrutiny.
6UPXisafreetoolthatcompressesexecutablefiles.
However,itiscommonlyusedtopackmalwarefiles,seehttp://upx.
sourceforge.
net/formoredetails.
7https://twitter.
com/mikko/status/232851667446538241,https://www.
mysonicwall.
com/sonicalert/searchresults.
aspxev=article&id=464,andhttps://twitter.
com/diocyde/statuses/2328730236513361924|FAKEMRATFIGURE4:MalicioustrafficdisguisedasYahoo!
MessengertrafficFIGURE3:LegitimateWindowsMessengertrafficFIGURE2:MalicioustrafficdisguisedaslegitimateWindowsMessengertrafficComparedwithactualWindowsMessengertrafficshowninFigure3,itiseasytodistinguishthemalicioustrafficshowninFigure2.
Duringourinvestigationofthefake"WindowsMessenger"RAT,wefoundanotherversionthatattemptstodisguiseitsnetworktrafficasYahoo!
Messengertraffic.
ThenetworkcommunicationthisversionusesbeginswithYMSG,theYahoo!
Messengertrafficheader.
FIGURE5:LegitimateYahoo!
MessengertrafficHowever,thenetworktrafficshowninFigure4doesnotresemblelegitimateYahoo!
Messengertrafficbeyondtheuseoftheheader,YMSG.
ComparedwiththelegitimateYahoo!
MessengertrafficshowninFigure5,itiseasytodistinguishbetweenthetwo.
AthirdversionoftheFAKEMRATattemptstodisguisethenetworktrafficitproducesasHTML.
Themalicioustrafficbeginswithstringslike1.
.
56or12356.
88ThisvariantwasreferencedduringanincidentdocumentedbyAlienVaultinMarch2012inhttp://labs.
alienvault.
com/labs/index.
php/2012/alienvault-research-used-as-lure-in-targeted-attacks/.
5|FAKEMRATFIGURE6:MalicioustrafficdisguisedasHTMLtrafficThisisafairlyrudimentarydisguiseandoddbecauseyouwouldexpectHTMLtobetheresultofarequesttoawebserverandnotassomethingaclientwouldsendtoawebserver.
NetworkTrafficEncryptionThenetworkcommunicationbetweenthecompromisedcomputerandtheRATcontrollerisencrypted.
Theencryptionisthesameacrossvariantsanddoneatthebitlevel.
EachbyteisXOR-edbyeveryletterinthestring,YHCRA,androtated3bitstotherightaftereveryXORoperation.
Encryptingthecommunicationensuresthatthesuspiciousdatapassedbetweenthecompromisedhostandtheattackerscannotbeeasilyviewedinplaintext.
Thecommunicationcomesin1024-byteblobsofdatathatstartwiththe32-byteheader.
Itappearsthatattackersmayspecifyanykindoffakeheaderswithinthefirst32bytesinordertodisguisethesubsequentnetworktraffic.
Thefollowingbitsofinformationareinitiallysentbythecompromisedhostwhenthecommunicationstarts:UsernameComputernameOEMcodepageidentifierWhatlookslikeacampaigncodebutonlyforsomesamplesThecommandsarenotpreconfiguredasthemalwarereliesonthedatasentbytheserver.
Forinstance,whenaclientreceivesthecommand,0211,thissignifiesthatitshouldexecutetheaccompanyingdatainmemory.
6|FAKEMRATThefollowingarethecommandstheserverissuesandtheirmeanings:0211:Executecode.
0212:Reconnecttoreceivedata.
0213:Sleep,closesocket,andreconnect.
0214:Exit.
TodeterminetheRAT'scapabilities,weallowedtheattackerstoinfiltrateahoneypotcomputerandcapturedallofthenetworktrafficitgenerated.
Wedecryptedthenetworktrafficanddeterminedthecommandstheattackersused,whichinclude:CmdMana:CommandManagerallowsattackerstoexecuteshellcommands.
FileMan:FileManagerallowstheattackerstobrowsedirectories.
HostIn:HostInformationprovidesinformationaboutthecompromisedcomputer.
ProcMan:ProcessManagergivesattackersaccesstorunningprocesses.
RegMana:RegistryManagergivesattackersaccesstotheWindowsregistry.
Scree:Screentakesasnapshotofthedesktop.
ServiceMa:ServiceManagerallowsaccesstoservices.
Passwo:PasswordaccessesstoredpasswordslikethosesavedinInternetExplorer(IE).
UStea:Uploadsfilesfromacompromisedcomputer.
7|FAKEMRATInfrastructureTheWindowsMessengersamplesweanalyzedwereclusteredintofivegroupsthatdidnothaveoverlappinglinkages.
Fouroftheclusterswererelativelysmallandfocusedonfourdifferentdomains:vcvcvcvc.
dyndns.
orgzjhao.
dtdns.
netavira.
suroot.
com*.
googmail.
comThevcvcvcvc.
dyndns.
orgdomainisparticularlyinterestingbecausewealsofounditbeingusedasacommand-and-control(C&C)serverforProtux—awell-knownmalwarefamilythathasbeenusedinmanytargetedattacksovertheyears.
Wealsofoundthattheavira.
suroot.
comdomainusedasaC&Cserverforyetanothermalwarefamilywecall"cxgid.
"The*.
googmail.
comdomainwasslightlylargerandincludednameslikeapple12.
crabdance.
comandapple12.
co.
cc.
However,thelargestclusterrevolvedaroundthe*.
yourturbe.
orgdomainandoverlappedwiththeHTMLvariant.
WealsofoundsmallclustersoftheHTMLvariantthatrevolvedaroundthedomain,endless.
zapto.
org,whichwasdownloadedasasecond-stagemalwarebyProtux.
FIGURE7:FAKEMdomainsassociatedwiththeWindowsMessengerandHTMLvariants8|FAKEMRATMeanwhile,theYahoo!
Messengersamplesweanalyzedallaccessedfreeavg.
sytes.
net—adomainnamethatfrequentlyresolvedtodifferentIPaddresses.
FIGURE8:FAKEMdomainsassociatedwiththeYahoo!
MessengervariantThevarioussampleswecollectedappeartobelongtogroupsthatoverlappedalittle.
Thissuggeststhatratherthanbeingassociatedwithaparticularcampaign,theuseofvariousFAKEMRATscouldbedistributedamongmultiplethreatactors.
ConclusionKnowledgeoftheattacktools,techniques,andinfrastructureofadversariesiscriticalfordevelopingdefensivestrategies.
ThisresearchpaperexaminedthreevariantsofaRAT—FAKEM—thatattempttodisguisethenetworktraffictheyproducetostayundertheradar.
NowthatpopularRATslikeGh0standPoisonIvyhavebecomewell-knownandcaneasilybedetected,attackersarelookingformethodstoblendinwithlegitimatetraffic.
WhileitispossibletodistinguishthenetworktrafficFAKEMRATvariantsproduceforthelegitimateprotocolstheyaimtospoof,doingsointhecontextofalargenetworkmaynotbenoteasy.
TheRAT'sabilitytomaskthetrafficitproducesmaybeenoughtoprovideattackersenoughcovertosurvivelongerinacompromisedenvironment.
Fortunately,solutionslikeTrendMicroDeepDiscoverycanhelpnetworkadministratorsprotecttheirorganizationsfromattacksthatusetheFAKEMRATbydetectingthetrafficitsvariantsproduce.
TRENDMICROINCORPORATEDTrendMicroIncorporated(TYO:4704;TSE:4704),aglobalcloudsecurityleader,createsaworldsafeforexchangingdigitalinformationwithitsInternetcontentsecurityandthreatmanagementsolutionsforbusinessesandconsumers.
Apioneerinserversecuritywithover20years'experience,wedelivertop-rankedclient,serverandcloud-basedsecuritythatfitsourcustomers'andpartners'needs,stopsnewthreatsfaster,andprotectsdatainphysical,virtualizedandcloudenvironments.
Poweredbytheindustry-leadingTrendMicroSmartProtectionNetworkcloudcomputingsecurityinfrastructure,ourproductsandservicesstopthreatswheretheyemerge—fromtheInternet.
Theyaresupportedby1,000+threatintelligenceexpertsaroundtheglobe.
TRENDMICROINCORPORATED10101N.
DeAnzaBlvd.
Cupertino,CA95014U.
S.
tollfree:1+800.
228.
5651Phone:1+408.
257.
1500Fax:1+408.
257.
2003www.
trendmicro.
com2013byTrendMicroIncorporated.
Allrightsreserved.
TrendMicroandtheTrendMicrot-balllogoaretrademarksorregisteredtrademarksofTrendMicroIncorporated.
Allotherproductorcompanynamesmaybetrademarksorregisteredtrademarksoftheirowners.

VPSDime7美元/月,美国达拉斯Windows VPS,2核4G/50GB SSD/2TB流量/Hyper-V虚拟化

VPSDime是2013年成立的国外VPS主机商,以大内存闻名业界,主营基于OpenVZ和KVM虚拟化的Linux套餐,大内存、10Gbps大带宽、大硬盘,有美国西雅图、达拉斯、新泽西、英国、荷兰机房可选。在上个月搞了一款达拉斯Linux系统VPS促销,详情查看:VPSDime夏季促销:美国达拉斯VPS/2G内存/2核/20gSSD/1T流量/$20/年,此次推出一款Windows VPS,依然是...

ParkInHost - 俄罗斯VPS主机 抗投诉 55折,月付2.75欧元起

ParkInHost主机商是首次介绍到的主机商,这个商家是2013年的印度主机商,隶属于印度DiggDigital公司,主营业务有俄罗斯、荷兰、德国等机房的抗投诉虚拟主机、VPS主机和独立服务器。也看到商家的数据中心还有中国香港和美国、法国等,不过香港机房肯定不是直连的。根据曾经对于抗投诉外贸主机的了解,虽然ParkInHost以无视DMCA的抗投诉VPS和抗投诉服务器,但是,我们还是要做好数据备...

青云互联19元/月,美国洛杉矶CN2GIA/香港安畅CN2云服务器低至;日本云主机

青云互联怎么样?青云互联美国洛杉矶cn2GIA云服务器低至19元/月起;香港安畅cn2云服务器低至19元/月起;日本cn2云主机低至35元/月起!青云互联是一家成立于2020年的主机服务商,致力于为用户提供高性价比稳定快速的主机托管服务。青云互联本站之前已经更新过很多相关文章介绍了,青云互联的机房有香港和洛杉矶,都有CN2 GIA线路、洛杉矶带高防,商家承诺试用7天,打死全额退款点击进入:青云互联...

hkcmd.exe为你推荐
involving网易yeah曲目ios2828商机网千元能办厂?28商机网是真的吗?颁发的拼音发字的多音字组词青岛网通测速网通,联通,长城这三个宽带哪个网速最快?我是青岛的艾泰科技闻泰科技是做什么的啊?有人能告诉我吗?dedecms采集织梦后台怎么采集图片oscommerceOscommerce,Magento, Zen-cart 比较,哪个好一点!discuz7.2求解答Discuz!7.2 论坛怎么设置discuzx2DISCUZ X2是PHP还是ASP的?
域名空间购买 godaddy域名解析教程 lamp安装 便宜域名 sugarsync mediafire下载 表单样式 ssh帐号 tightvnc 云鼎网络 新天域互联 静态空间 中国网通测速 台湾谷歌 最漂亮的qq空间 香港亚马逊 空间登入 沈阳主机托管 全能空间 服务器防火墙 更多