FIGUREhkcmd.exe

hkcmd.exe  时间:2021-04-14  阅读:()
TrendMicroIncorporatedResearchPaper2013FAKEMRATMalwareDisguisedasWindowsMessengerandYahoo!
MessengerBy:NartVilleneuveJessadelaTorreContentsIntroduction.
1Distribution.
2Installation.
3Backdoor.
3NetworkTrafficEncryption.
5Infrastructure.
7Conclusion.
81|FAKEMRATIntroductionTheperpetratorsoftargetedattacksaimtomaintainpersistentpresenceinatargetnetworkinordertoextractsensitivedatawhenneeded.
Tomaintainpersistentpresence,attackersseektoblendinwithnormalnetworktrafficanduseportsthataretypicallyallowedbyfirewalls.
Asaresult,manyofthemalwareusedintargetedattacksutilizetheHTTPandHTTPSprotocolstoappearlikewebtraffic.
However,whilethesemalwaredogiveattackersfullcontroloveracompromisedsystem,theyareoftensimpleandconfiguredtocarryoutafewcommands.
AttackersoftenuseremoteaccessTrojans(RATs),whichtypicallyhavegraphicaluserinterfaces(GUIs)andremotedesktopfeaturesthatincludedirectorybrowsing,filetransfer,andtheabilitytotakescreenshotsandactivatethemicrophoneandwebcameraofacompromisedcomputer.
AttackersoftenusepubliclyavailableRATslikeGh0st,PoisonIvy,Hupigon,andDRAT,and"closed-released"RATslikeMFCHunterandPlugX.
1However,thenetworktraffictheseRATsproduceiswell-knownandeasilydetectablealthoughattackersstillsuccessfullyusethem.
2Attackersalwayslookforwaystoblendtheirmalicioustrafficwithlegitimatetraffictoavoiddetection.
WefoundafamilyofRATsthatwecall"FAKEM"thatmaketheirnetworktrafficlooklikevariousprotocols.
SomevariantsattempttodisguisenetworktraffictolooklikeWindowsMessengerandYahoo!
Messengertraffic.
AnothervarianttriestomakethecontentofitstrafficlooklikeHTML.
WhilethedisguisestheRATsusearesimpleanddistinguishablefromlegitimatetraffic,theymaybejustgoodenoughtoavoidfurtherscrutiny.
1Gh0st:http://download01.
norman.
no/documents/ThemanyfacesofGh0stRat.
pdfandhttp://www.
mcafee.
com/ca/resources/white-papers/foundstone/wp-know-your-digital-enemy.
pdf;PoisonIvy:https://media.
blackhat.
com/bh-eu-10/presentations/Dereszowski/BlackHat-EU-2010-Dereszowski-Targeted-Attacks-slides.
pdf;Hupigon:http://www.
f-secure.
com/v-descs/backdoor_w32_hupigon.
shtml;DRAT:http://blog.
trendmicro.
com/trendlabs-security-intelligence/watering-holes-and-zero-day-attacks/;MFCHunter:http://blog.
trendmicro.
com/trendlabs-security-intelligence/japan-us-defense-industries-among-targeted-entities-in-latest-attack/;andPlugX:http://about-threats.
trendmicro.
com/us/webattack/112/Pulling+the+Plug+on+PlugX2http://www.
trendmicro.
com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.
pdf2|FAKEMRATDistributionAllthreeversionsoftheFAKEMRATthatweinvestigatedweredistributedviaspear-phishingemailsusingsocialengineeringtoluretargetsintoexecutingamaliciousattachment.
Whileweobservedtheuseofdifferentthemes,thecontentoftheemailswerealwaysinterestingtopotentialtargets.
FIGURE1:Samplespear-phishingemailswithattachmentsthatdropFAKEMRATThemaliciousattachmentsweremostoftenMicrosoftWorddocumentswithcodethatexploitsthefollowingvulnerabilities:CVE-2010-3333:RTFStackBufferOverflowVulnerabilityaddressedinMicrosoftSecurityBulletinMS10-087.
3CVE-2012-0158:MSCOMCTL.
OCXRCEVulnerabilityaddressedinMicrosoftSecurityBulletinMS12-027.
4WealsofoundaMicrosoftExcelfilethatexploitsCVE-2009-3129,theExcelFeatheaderRecordMemoryCorruptionVulnerabilityaddressedinMicrosoftSecurityBulletinMS09-067.
5Wealsosawsamplesthatweresimplyexecutable(.
EXE)files.
3http://technet.
microsoft.
com/en-us/security/bulletin/MS10-0874http://technet.
microsoft.
com/en-us/security/bulletin/ms12-0275http://technet.
microsoft.
com/en-us/security/bulletin/MS09-0673|FAKEMRATInstallationAfterexploitation,an.
EXEfilepackedwithUPXisdropped.
6Afterinitiallydroppingthemaliciousfilenamedhkcmd.
exetothe%Temp%folder,themalwaretypicallycopiesitselfusingthename,tpframe.
exe,tothe%System%folder.
Itthenaddsthefollowingregistryentrytoenableitsautomaticexecutionateverysystemstartup:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\runtpbar="%System%\tpframe.
exe"BackdoorThenetworktrafficthemalwareproducesisdesignedtolooklikeWindowsMessengertraffic.
MalwareofthistypewerediscussedonTwitter,notedbySonicWALL,andfoundtohavebeenactiveasfarbackasSeptember2009.
7However,itremainsunclearifalltheattacksthatusedthismalwarewereconnected.
ThemalicioustrafficbeginswithheaderssimilartoactualWindowsMessengertraffic:MSG5N130MIME-Version:1.
0However,beyondthis,youwillseethatthetrafficisnotvalidWindowsMessengertrafficbutmaybesufficientlydisguisedassuchtoescapefurtherscrutiny.
6UPXisafreetoolthatcompressesexecutablefiles.
However,itiscommonlyusedtopackmalwarefiles,seehttp://upx.
sourceforge.
net/formoredetails.
7https://twitter.
com/mikko/status/232851667446538241,https://www.
mysonicwall.
com/sonicalert/searchresults.
aspxev=article&id=464,andhttps://twitter.
com/diocyde/statuses/2328730236513361924|FAKEMRATFIGURE4:MalicioustrafficdisguisedasYahoo!
MessengertrafficFIGURE3:LegitimateWindowsMessengertrafficFIGURE2:MalicioustrafficdisguisedaslegitimateWindowsMessengertrafficComparedwithactualWindowsMessengertrafficshowninFigure3,itiseasytodistinguishthemalicioustrafficshowninFigure2.
Duringourinvestigationofthefake"WindowsMessenger"RAT,wefoundanotherversionthatattemptstodisguiseitsnetworktrafficasYahoo!
Messengertraffic.
ThenetworkcommunicationthisversionusesbeginswithYMSG,theYahoo!
Messengertrafficheader.
FIGURE5:LegitimateYahoo!
MessengertrafficHowever,thenetworktrafficshowninFigure4doesnotresemblelegitimateYahoo!
Messengertrafficbeyondtheuseoftheheader,YMSG.
ComparedwiththelegitimateYahoo!
MessengertrafficshowninFigure5,itiseasytodistinguishbetweenthetwo.
AthirdversionoftheFAKEMRATattemptstodisguisethenetworktrafficitproducesasHTML.
Themalicioustrafficbeginswithstringslike1.
.
56or12356.
88ThisvariantwasreferencedduringanincidentdocumentedbyAlienVaultinMarch2012inhttp://labs.
alienvault.
com/labs/index.
php/2012/alienvault-research-used-as-lure-in-targeted-attacks/.
5|FAKEMRATFIGURE6:MalicioustrafficdisguisedasHTMLtrafficThisisafairlyrudimentarydisguiseandoddbecauseyouwouldexpectHTMLtobetheresultofarequesttoawebserverandnotassomethingaclientwouldsendtoawebserver.
NetworkTrafficEncryptionThenetworkcommunicationbetweenthecompromisedcomputerandtheRATcontrollerisencrypted.
Theencryptionisthesameacrossvariantsanddoneatthebitlevel.
EachbyteisXOR-edbyeveryletterinthestring,YHCRA,androtated3bitstotherightaftereveryXORoperation.
Encryptingthecommunicationensuresthatthesuspiciousdatapassedbetweenthecompromisedhostandtheattackerscannotbeeasilyviewedinplaintext.
Thecommunicationcomesin1024-byteblobsofdatathatstartwiththe32-byteheader.
Itappearsthatattackersmayspecifyanykindoffakeheaderswithinthefirst32bytesinordertodisguisethesubsequentnetworktraffic.
Thefollowingbitsofinformationareinitiallysentbythecompromisedhostwhenthecommunicationstarts:UsernameComputernameOEMcodepageidentifierWhatlookslikeacampaigncodebutonlyforsomesamplesThecommandsarenotpreconfiguredasthemalwarereliesonthedatasentbytheserver.
Forinstance,whenaclientreceivesthecommand,0211,thissignifiesthatitshouldexecutetheaccompanyingdatainmemory.
6|FAKEMRATThefollowingarethecommandstheserverissuesandtheirmeanings:0211:Executecode.
0212:Reconnecttoreceivedata.
0213:Sleep,closesocket,andreconnect.
0214:Exit.
TodeterminetheRAT'scapabilities,weallowedtheattackerstoinfiltrateahoneypotcomputerandcapturedallofthenetworktrafficitgenerated.
Wedecryptedthenetworktrafficanddeterminedthecommandstheattackersused,whichinclude:CmdMana:CommandManagerallowsattackerstoexecuteshellcommands.
FileMan:FileManagerallowstheattackerstobrowsedirectories.
HostIn:HostInformationprovidesinformationaboutthecompromisedcomputer.
ProcMan:ProcessManagergivesattackersaccesstorunningprocesses.
RegMana:RegistryManagergivesattackersaccesstotheWindowsregistry.
Scree:Screentakesasnapshotofthedesktop.
ServiceMa:ServiceManagerallowsaccesstoservices.
Passwo:PasswordaccessesstoredpasswordslikethosesavedinInternetExplorer(IE).
UStea:Uploadsfilesfromacompromisedcomputer.
7|FAKEMRATInfrastructureTheWindowsMessengersamplesweanalyzedwereclusteredintofivegroupsthatdidnothaveoverlappinglinkages.
Fouroftheclusterswererelativelysmallandfocusedonfourdifferentdomains:vcvcvcvc.
dyndns.
orgzjhao.
dtdns.
netavira.
suroot.
com*.
googmail.
comThevcvcvcvc.
dyndns.
orgdomainisparticularlyinterestingbecausewealsofounditbeingusedasacommand-and-control(C&C)serverforProtux—awell-knownmalwarefamilythathasbeenusedinmanytargetedattacksovertheyears.
Wealsofoundthattheavira.
suroot.
comdomainusedasaC&Cserverforyetanothermalwarefamilywecall"cxgid.
"The*.
googmail.
comdomainwasslightlylargerandincludednameslikeapple12.
crabdance.
comandapple12.
co.
cc.
However,thelargestclusterrevolvedaroundthe*.
yourturbe.
orgdomainandoverlappedwiththeHTMLvariant.
WealsofoundsmallclustersoftheHTMLvariantthatrevolvedaroundthedomain,endless.
zapto.
org,whichwasdownloadedasasecond-stagemalwarebyProtux.
FIGURE7:FAKEMdomainsassociatedwiththeWindowsMessengerandHTMLvariants8|FAKEMRATMeanwhile,theYahoo!
Messengersamplesweanalyzedallaccessedfreeavg.
sytes.
net—adomainnamethatfrequentlyresolvedtodifferentIPaddresses.
FIGURE8:FAKEMdomainsassociatedwiththeYahoo!
MessengervariantThevarioussampleswecollectedappeartobelongtogroupsthatoverlappedalittle.
Thissuggeststhatratherthanbeingassociatedwithaparticularcampaign,theuseofvariousFAKEMRATscouldbedistributedamongmultiplethreatactors.
ConclusionKnowledgeoftheattacktools,techniques,andinfrastructureofadversariesiscriticalfordevelopingdefensivestrategies.
ThisresearchpaperexaminedthreevariantsofaRAT—FAKEM—thatattempttodisguisethenetworktraffictheyproducetostayundertheradar.
NowthatpopularRATslikeGh0standPoisonIvyhavebecomewell-knownandcaneasilybedetected,attackersarelookingformethodstoblendinwithlegitimatetraffic.
WhileitispossibletodistinguishthenetworktrafficFAKEMRATvariantsproduceforthelegitimateprotocolstheyaimtospoof,doingsointhecontextofalargenetworkmaynotbenoteasy.
TheRAT'sabilitytomaskthetrafficitproducesmaybeenoughtoprovideattackersenoughcovertosurvivelongerinacompromisedenvironment.
Fortunately,solutionslikeTrendMicroDeepDiscoverycanhelpnetworkadministratorsprotecttheirorganizationsfromattacksthatusetheFAKEMRATbydetectingthetrafficitsvariantsproduce.
TRENDMICROINCORPORATEDTrendMicroIncorporated(TYO:4704;TSE:4704),aglobalcloudsecurityleader,createsaworldsafeforexchangingdigitalinformationwithitsInternetcontentsecurityandthreatmanagementsolutionsforbusinessesandconsumers.
Apioneerinserversecuritywithover20years'experience,wedelivertop-rankedclient,serverandcloud-basedsecuritythatfitsourcustomers'andpartners'needs,stopsnewthreatsfaster,andprotectsdatainphysical,virtualizedandcloudenvironments.
Poweredbytheindustry-leadingTrendMicroSmartProtectionNetworkcloudcomputingsecurityinfrastructure,ourproductsandservicesstopthreatswheretheyemerge—fromtheInternet.
Theyaresupportedby1,000+threatintelligenceexpertsaroundtheglobe.
TRENDMICROINCORPORATED10101N.
DeAnzaBlvd.
Cupertino,CA95014U.
S.
tollfree:1+800.
228.
5651Phone:1+408.
257.
1500Fax:1+408.
257.
2003www.
trendmicro.
com2013byTrendMicroIncorporated.
Allrightsreserved.
TrendMicroandtheTrendMicrot-balllogoaretrademarksorregisteredtrademarksofTrendMicroIncorporated.
Allotherproductorcompanynamesmaybetrademarksorregisteredtrademarksoftheirowners.

麻花云-香港CN2云服务器,安徽BGP线路,安徽移动大带宽!全系6折!

一、麻花云官网点击直达麻花云官方网站二、活动方案优惠码:专属优惠码:F1B07B 享受85折优惠。点击访问活动链接最新活动 :五一狂欢 惠战到底 香港云主机 1.9折起香港特价体验云主机CN2 云服务器最新上线KVM架构,,默认40G SSD,+10G自带一个IPv4,免费10Gbps防御,CPU内存带宽价格购买1核1G1M19元首月链接2核2G 2M92元/3个月链接2核4G3M112元/3个月...

MechanicWeb免费DirectAdmin/异地备份

MechanicWeb怎么样?MechanicWeb好不好?MechanicWeb成立于2008年,目前在美国洛杉矶、凤凰城、达拉斯、迈阿密、北卡、纽约、英国、卢森堡、德国、加拿大、新加坡有11个数据中心,主营全托管型虚拟主机、VPS主机、半专用服务器和独立服务器业务。MechanicWeb只做高端的托管vps,这次MechanicWeb上新Xeon W-1290P处理器套餐,基准3.7GHz最高...

HostKvm 黑色星期五香港服务器终身六折 其余机房八折

HostKvm商家我们也不用多介绍,这个服务商来自国内某商家,旗下也有多个品牌的,每次看到推送信息都是几个服务商品牌一起推送的。当然商家还是比较稳定的,商家品牌比较多,这也是国内商家一贯的做法,这样广撒网。这次看到黑五优惠活动发布了,针对其主打的香港云服务器提供终身6折的优惠,其余机房服务器依然是8折,另还有充值50美元赠送5美元的优惠活动,有需要的可以看看。HostKvm是一个创建于2013年的...

hkcmd.exe为你推荐
邮箱企业支持ipadoutlookexpressOUTLOOK EXPRESS作用是什么?我想删除它会不会影响系统申请支付宝账户怎么申请支付宝的账号?期刊eset易名网易名网交易域名是怎么收费的免费代理加盟免费加盟代销怎么回事,能具体介绍下么如何发帖子网上怎么发帖子?qq头像上传失败我怎么总是QQ上传头像失败,oscommerceOscommerce,Magento, Zen-cart 比较,哪个好一点!
香港服务器租用 台湾服务器租用 万网域名解析 西安服务器 mach5 info域名 空间出租 新睿云 raid10 360云服务 百度云加速 秒杀品 独立主机 服务器论坛 锐速 SmartAXMT800 ncp 时间服务器 alexa搜 美国达拉斯 更多