**Highly dangerous website: repeatedly injected with malicious links or compromised**

After the 華視 (CTS) website was compromised, they did not find the security hole, so the home page has now been injected with a malicious link again. Please do not browse this site for the time being, to avoid infection; once it is confirmed that they have fixed it, an update will be posted here. (This malware most likely also steals user account names and passwords.)

**Please help notify them, thank you**



The malicious link is hard to spot on the home page; it appears to point to:

2cts_url_20070224.png

Not easy to see, is it? (If I have this wrong, please let me know.) It seems to be tied into the database system: a query is used to serve a Microsoft media file (frightening, isn't it), and that media file has been tampered with so that it connects to other websites. The detailed flow is shown in the figure below:

malware_execution_flow_20070224.png

After execution, the following behaviour is observed (identical to what was seen in "手機王 website again injected with malicious links"):

[Added process]
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\svchost.exe

[DLL injection]
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\svchost.exe (injects into the running svchost.exe process)

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\CiKE.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\taskmgr.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\b0(29)[1].swf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\cike[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\dvbbs[1].mdb
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\2006692151148920[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\cike2[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\cike1[1].htm
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\eCompress.fne
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\eImgConverter.fne
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\eLIB.fne
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\HideProc.dll
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\internet.fne
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\krnln.fnr
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\Nhook.dll
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\shell.fne
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\svchost.exe

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
Value=svchost,Data=C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\svchost.exe
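Two things in the indicators above are worth turning into a reusable check. The persistence entry is a Run value named svchost whose image lives under Common Files, and the dropped svchost.exe and taskmgr.exe borrow the names of Windows system binaries that legitimately live only in %SystemRoot%\System32 (the .fne/.fnr files alongside them are 易語言 / Easy Language runtime libraries). The following is an added example, not code from the original post: it flags any autorun entry or dropped file whose file name is a well-known system binary but whose directory is not a Windows system directory. The sample Run entries and file paths are constructed here from the list above plus assumed benign entries; the SYSTEM_BINARY_NAMES and LEGIT_DIRS sets are illustrative assumptions, not an exhaustive list.

```python
"""Flag autorun entries and dropped files that masquerade as Windows system binaries
but live outside the Windows system directories (added example, not the post's code)."""
import ntpath
import re

# Windows binary names that malware commonly borrows (illustrative assumption, not exhaustive).
SYSTEM_BINARY_NAMES = {
    "svchost.exe", "taskmgr.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "explorer.exe", "services.exe",
}

# Directories where those names legitimately live (assumed XP-era layout, C: system drive).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows"}

# Environment expansion for Run data such as %SystemRoot%\system32\... (assumed values).
DEFAULT_ENV = {"SYSTEMROOT": r"C:\WINDOWS", "WINDIR": r"C:\WINDOWS"}


def expand_env(path, env=DEFAULT_ENV):
    """Expand %VAR% references the way the shell would; unknown vars are left as-is."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def image_from_run_data(data):
    """Extract the executable path from a Run value's data (quoted or unquoted, with args)."""
    data = expand_env(data.strip())
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    # Unquoted path with spaces (as in the post's entry): take everything up to the first .exe
    m = re.match(r"(.*?\.exe)(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data


def is_masquerading(path):
    """True if the file name is a system binary name but its directory is not a system directory."""
    norm = ntpath.normpath(path).lower()
    if ntpath.basename(norm) not in SYSTEM_BINARY_NAMES:
        return False
    return ntpath.dirname(norm) not in LEGIT_DIRS


def check_run_entries(entries):
    """entries: iterable of (key, value_name, data). Returns findings for masquerading images."""
    findings = []
    for key, value_name, data in entries:
        image = image_from_run_data(data)
        if is_masquerading(image):
            findings.append({"key": key, "value": value_name, "image": image,
                             "reason": "system binary name outside a system directory"})
    return findings


def check_dropped_files(paths):
    """Return the subset of file paths whose names masquerade as system binaries."""
    return [p for p in paths if is_masquerading(p)]


# Constructed sample: the post's Run entry plus two assumed-benign entries.
SAMPLE_RUN_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "svchost",
     r"C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\svchost.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"%SystemRoot%\system32\ctfmon.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Reader",
     r'"C:\Program Files\Adobe\Reader\reader_sl.exe" /silent'),
]

# Constructed sample: a few of the dropped files listed in the post.
SAMPLE_FILES = [
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\CiKE.exe",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\taskmgr.exe",
    r"C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\HideProc.dll",
    r"C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\svchost.exe",
]

if __name__ == "__main__":
    for f in check_run_entries(SAMPLE_RUN_ENTRIES):
        print("RUN   ", f["value"], "->", f["image"], "(", f["reason"], ")")
    for p in check_dropped_files(SAMPLE_FILES):
        print("FILE  ", p)
```

The check is deliberately name-based rather than hash-based: the AV names below change with every repack, but a svchost.exe or taskmgr.exe outside System32 is suspicious regardless of its bytes. To run it against a live machine, feed check_run_entries the Run values read from HKLM and HKCU and check_dropped_files a directory walk of Temp and Program Files.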

So far, the following antivirus products detect these malicious files:

Nhook.dll:
[ Trend ], "TROJ_AGENT.KPF"
shell.fne:
[ Trend ], "TSPY_LEGMIR.AMJ"
dvbbs[1].mdb:
[ Trend ], "TROJ_Generic"
eImgConverter.fne:
[ Trend ], "TROJ_PWSTEALER.W"
eLIB.fne:
[ Trend ], "TROJ_AGENT.KPD"
internet.fne:
[ Trend ], "TROJ_FLYST.D"
krnln.fnr:
[ Kaspersky ], "PAK:NSPack"
[ Fortinet ], "suspicious"
[ HBEDV ], "W32/Wutau.A"
svchost.exe:
[ Kaspersky ], "Trojan-Downloader.Win32.Agent.bgz"
[ Nod32 ], "Win32/TrojanDownloader.Agent.BGZ trojan"
[ Fortinet ], "W32/Agent.BGZ!tr.dldr"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Norman ], "Trojan W32/Hupigon.gen7"
[ Ewido ], "Downloader.Agent.bgz"
taskmgr.exe:
[ Alpha_Gen ], "TEST_Downloader1"
[ Symantec ], "Trojan.KillAV"
[ Kaspersky ], "Trojan-Downloader.Win32.Agent.aqy"
[ Nod32 ], "Win32/Delf.AG worm"
[ Fortinet ], "W32/Agent.AQY!tr.dldr"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Norman ], "Trojan W32/Hupigon.gen7"
[ Ikarus ], "Backdoor.Win32.Hupigon.BV"
[ Ewido ], "Downloader.Agent.aqy"
[ Grisoft ], "Trojan horse Generic3.AIS"
b0(29).swf:
[ Kaspersky ], "PAK:Swf2Swc, Trojan-Clicker.SWF.Small.b"
2006692151148920[1].gif:
[ Alpha_Gen ], "TEST_Downloader1"
[ Symantec ], "Trojan.KillAV"
[ Kaspersky ], "Trojan-Downloader.Win32.Agent.aqy"
[ Nod32 ], "Win32/Delf.AG worm"
[ Fortinet ], "W32/Agent.AQY!tr.dldr"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Norman ], "Trojan W32/Hupigon.gen7"
[ Ikarus ], "Backdoor.Win32.Hupigon.BV"
[ Ewido ], "Downloader.Agent.aqy"
[ Grisoft ], "Trojan horse Generic3.AIS"
eCompress.fne:
[ Sophos ], "Mal/Packer"
[ HBEDV ], "HEUR/Crypted"
HideProc.dll:
[ Nod32 ], "Win32/HideProc.A application"
[ HBEDV ], "TR/Crypt.NSPM.Gen"
[ Norman ], "Trojan W32/Hupigon.gen7"
[ Ewido ], "Trojan.Agent.agf"

In addition, OpenBlue has published its own analysis of the 華視 website compromise; if you are interested, see "(案例分析)手機王與華視網站遭駭被植入惡意程式" (Case study: 手機王 and 華視 websites compromised and injected with malware).

Posted by rogerspeaking on 痞客邦 (PIXNET), 3 comments