The 景誠音響 (Jingcheng Audio) website has been injected with a malicious link. The malware is a variant of Lineage and Agent; anyone who has browsed this site recently should check their computer as soon as possible. Please do not browse this site for now, so that you do not get infected; once I have confirmed that they have fixed it, I will update this post (this malware most likely steals accounts and passwords). The malware exploits the vulnerability Microsoft published as "Vulnerability in Windows Animated Cursor Handling" (this is a zero-day attack). Readers who are interested can test it in VMware, report back on whether it has been fixed, and notify them while you are at it. (Credit: 東東東)
**Please help notify them, thank you**
The malicious link is placed in the home page:
Part of the malicious code is:
When this malware is executed, an application error message appears:
After execution, it behaves as follows:
[DLL injection]
C:\WINDOWS\Debug\UserMode\32BB5B6.dll (injected into certain running processes such as Explorer, IE, etc.)
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\gz002.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.vbs
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\456J8TAJ\help[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\click[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\gh02[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\gh1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\gtai[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DEV01Y7\mian[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\gh[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDI3K1MF\gh[2].htm
C:\WINDOWS\Debug\UserMode\32BB5B6.dll
C:\WINDOWS\Debug\UserMode\32BB5B6.exe
[Added COM/BHO]
{F2319AD4-D519-45AC-86A7-02FE9B851F37}-C:\WINDOWS\debug\userMode\32BB5B6.dll
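For readers checking a machine after visiting the site, the following Python script is an added example, not tooling from this post, that turns the indicators above into a host check. It assumes the Windows XP profile layout the paths above use (%USERPROFILE%\Local Settings), the standard HKLM registry locations for a BHO registration (the Browser Helper Objects key and the CLSID's InprocServer32 key), and `tasklist /M` for finding processes that have the DLL mapped. Because the Content.IE5 subdirectory names (456J8TAJ, 6DEV01Y7, GDI3K1MF) are generated per machine, cache files are matched by name across the whole cache tree rather than by full path.

```python
"""Host check against the indicators above (added example, not the post's tooling).

Assumptions, labelled: XP-era profile layout (%USERPROFILE%\\Local Settings),
standard HKLM locations for a BHO registration, and `tasklist /M` for module
enumeration. The probes are injected into find_indicators() so the matching
logic can be exercised away from the infected host."""
import ntpath
import os
import subprocess
import sys

INJECTED_DLL = "32BB5B6.dll"
BHO_CLSID = "{F2319AD4-D519-45AC-86A7-02FE9B851F37}"

# Fixed-location drops from the [Added file] list.
SYSTEM_DROPS = [
    r"C:\WINDOWS\Debug\UserMode\32BB5B6.dll",
    r"C:\WINDOWS\Debug\UserMode\32BB5B6.exe",
]
# Dropped into the user's Temp. A svchost.exe outside System32 is itself the
# indicator; the genuine one never lives in Temp.
TEMP_DROPS = ["gz002.exe", "svchost.exe", "svchost.vbs"]
# Landed in the IE cache; the cache subdirectory differs per machine, so these
# are matched by file name anywhere under Content.IE5.
CACHE_DROPS = {n.lower() for n in [
    "help[1].htm", "click[1].htm", "gh02[1].exe", "gh1[1].htm",
    "gtai[1].htm", "mian[1].jpg", "gh[1].htm", "gh[2].htm"]}
# Where the [Added COM/BHO] entry is registered (standard locations, assumed).
REGISTRY_KEYS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    + "\\" + BHO_CLSID,
    r"SOFTWARE\Classes\CLSID" + "\\" + BHO_CLSID + r"\InprocServer32",
]


def find_indicators(temp_dir, path_exists, cache_files, loaded_in, hklm_key_exists):
    """Match the indicators; returns a list of (kind, detail) tuples.

    path_exists(path) -> bool; cache_files: full paths under Content.IE5;
    loaded_in: process names with INJECTED_DLL mapped;
    hklm_key_exists(subkey) -> bool, subkey relative to HKEY_LOCAL_MACHINE."""
    hits = []
    for path in SYSTEM_DROPS + [ntpath.join(temp_dir, n) for n in TEMP_DROPS]:
        if path_exists(path):
            hits.append(("file", path))
    for path in cache_files:
        if ntpath.basename(path).lower() in CACHE_DROPS:
            hits.append(("cache", path))
    for proc in loaded_in:
        hits.append(("injected", f"{INJECTED_DLL} mapped in {proc}"))
    for key in REGISTRY_KEYS:
        if hklm_key_exists(key):
            hits.append(("registry", "HKLM\\" + key))
    return hits


def live_probes():
    """Wire the real probes; Windows only (winreg, tasklist)."""
    import winreg

    def hklm_key_exists(subkey):
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey))
            return True
        except OSError:
            return False

    cache_root = ntpath.join(os.environ["USERPROFILE"], "Local Settings",
                             "Temporary Internet Files", "Content.IE5")
    cache_files = (ntpath.join(d, f) for d, _, names in os.walk(cache_root) for f in names)
    # tasklist /M <dll> prints one line per process that has the module mapped.
    out = subprocess.run(["tasklist", "/M", INJECTED_DLL],
                         capture_output=True, text=True).stdout
    loaded_in = [line.split()[0] for line in out.splitlines()
                 if INJECTED_DLL.lower() in line.lower()]
    return dict(temp_dir=os.environ["TEMP"], path_exists=os.path.exists,
                cache_files=cache_files, loaded_in=loaded_in,
                hklm_key_exists=hklm_key_exists)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows machine being checked")
    hits = find_indicators(**live_probes())
    for kind, detail in hits:
        print(f"[{kind}] {detail}")
    print(f"{len(hits)} indicator(s) found" if hits else "no indicators found")
```

A hit of kind "injected" or "registry" with no file hit usually means the dropped files were already cleaned but the BHO registration or the mapped DLL survived, which is why the script reports each category separately instead of a single yes/no.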
As of now (2007/4/13 @ 20:57), the following antivirus products detect these malicious files:
32BB5B6.dll:
[ Trend ], “TSPY_LINEAGE.FFU”
[ Symantec ], “Infostealer.Lineage”
[ McAfee ], “PWS-Lineage.dll”
[ Sophos ], “Mal/GamePSW-C”
[ Panda ], “Trj/Lineage.DAO”
32BB5B6.exe:
[ Trend ], “TSPY_LINEAGE.FFT”
[ Symantec ], “Infostealer.Lineage”
[ Kaspersky ], “PAK:FSG”
[ McAfee ], “[0000a200.EXE]:PWS-Lineage.dll”
[ Sophos ], “Mal/Packer”
gh02[1].exe:
[ Trend ], “TSPY_LINEAGE.FFT”
[ Symantec ], “Infostealer.Lineage”
[ Kaspersky ], “PAK:FSG”
[ McAfee ], “[0000a200.EXE]:PWS-Lineage.dll”
[ Sophos ], “Mal/Packer”
[ Ikarus ], “Maybe A Virus”
gh[1].htm:
[ Trend ], “VBS_PSYME.AKW”
gz002.exe:
[ Trend ], “TSPY_LINEAGE.FFT”
[ Symantec ], “Infostealer.Lineage”
[ Kaspersky ], “PAK:FSG”
[ McAfee ], “[0000a200.EXE]:PWS-Lineage.dll”
[ Sophos ], “Mal/Packer”
[ Ikarus ], “Maybe A Virus”
mian[1].jpg:
[ Trend ], “EXPL_ANICMOO.GEN”
[ AhnLab-V3 ], “Win-Trojan/Exploit-ANI.B”
[ AntiVir ], “EXP/Ani.Gen”
[ Avast ], “CVE-2007-0038”
[ AVG ], “Exploit”
[ BitDefender ], “Exploit.Win32.MS05-002.Gen”
[ CAT-QuickHeal ], “Exploit.MS05-002”
[ ClamAV ], “Exploit.W32.MS05-002”
[ DrWeb ], “Exploit.ANIFile”
[ eTrust-Vet ], “Win32/MS07-017!exploit”
[ Fortinet ], “W32/ANI07.A!exploit”
[ F-Prot ], “CVE-2007-1765”
[ McAfee ], “Exploit-ANIfile.c”
[ NOD32v2 ], “a variant of Win32/TrojanDownloader.Ani.Gen”
[ Panda ], “Exploit/LoadImage”
[ Sophos ], “Exp/Animoo-A”
[ Sunbelt ], “Trojan-Exploit.Anicmoo.ax (v)”
[ Symantec ], “Trojan.Anicmoo”
[ VBA32 ], “suspected of Exploit.Signature”
[ VirusBuster ], “Exploit.ANIFile.L”
[ Webwasher-Gateway ], “Exploit.Win32.MS05-002.gen”
gtai[1].htm:
[ McAfee ], “Exploit-MS06-014”
[ Nod32 ], “VBS/TrojanDownloader.Agent.E trojan”
[ Rising ], “Trojan.DL.VBS.Agent.cll”
[ Ewido ], “Downloader.Agent.e”
svchost.vbs:
[ Kaspersky ], “Trojan.VBS.Starter.k”
[ Fortinet ], “VBS/Starter.K!tr”
[ Ewido ], “Trojan.Starter.k”
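The mian[1].jpg entry above is the animated-cursor exploit for the vulnerability named at the top of the post (CVE-2007-0038 in Avast's detection name), delivered under an image extension. The following Python script is an added example, not code from this post or from any of the vendors listed; it checks whether a file's bytes are really a RIFF/ACON animated cursor whatever extension it arrived with, and flags any anih chunk whose declared size differs from the 36-byte ANIHEADER structure, the malformation these exploit files relied on and the condition a gateway or mail filter can key on. The sample byte strings are constructed inline and are not the files from the page.

```python
"""Spot a RIFF/ACON animated cursor hiding behind another extension and flag
anih chunks whose declared size is not the 36 bytes of ANIHEADER.
Added example; the sample files below are constructed here, not captured."""
import struct

ANIHEADER_SIZE = 36  # nine DWORD fields; a well-formed anih never declares anything else


def iter_chunks(buf, depth=0):
    """Yield (fourcc, declared_size, payload) for each chunk in buf, descending
    into LIST containers. payload may be shorter than declared_size when the
    file is truncated, so callers compare against declared_size."""
    off = 0
    while off + 8 <= len(buf):
        fourcc = buf[off:off + 4]
        (size,) = struct.unpack_from("<I", buf, off + 4)
        payload = buf[off + 8:off + 8 + size]
        if fourcc == b"LIST" and depth < 8:  # bounded so a crafted file cannot exhaust the stack
            yield from iter_chunks(payload[4:], depth + 1)  # skip the 4-byte list type
        else:
            yield fourcc, size, payload
        off += 8 + size + (size & 1)  # chunks are padded to an even length


def inspect_file(data, claimed_ext):
    """Return {'is_ani': bool, 'findings': [str]}; any finding is worth quarantining on."""
    findings = []
    is_ani = len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"
    if not is_ani:
        return {"is_ani": False, "findings": findings}
    if claimed_ext.lower() != ".ani":
        findings.append(f"RIFF/ACON animated cursor delivered as {claimed_ext}")
    seen = 0
    for fourcc, size, _ in iter_chunks(data[12:]):
        if fourcc == b"anih":
            seen += 1
            if size != ANIHEADER_SIZE:
                findings.append(f"anih chunk #{seen} declares {size} bytes, expected {ANIHEADER_SIZE}")
    if seen == 0:
        findings.append("no anih chunk: not a usable cursor")
    return {"is_ani": True, "findings": findings}


# --- constructed samples (not the files from the page) ---
def _chunk(fourcc, payload):
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _riff(form, body):
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + form + body


# A minimal well-formed cursor: one 36-byte anih and one frame inside a LIST.
BENIGN_ANI = _riff(b"ACON", _chunk(b"anih", b"\0" * 36)
                   + _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\0" * 10)))
# An ACON file arriving as .jpg whose second anih, tucked inside a LIST, declares 48 bytes.
DISGUISED = _riff(b"ACON", _chunk(b"anih", b"\0" * 36)
                  + _chunk(b"LIST", b"fram" + _chunk(b"anih", b"\0" * 48)))
# A real JPEG starts with the SOI marker, not RIFF.
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\0" * 20

if __name__ == "__main__":
    for name, data, ext in [("benign.ani", BENIGN_ANI, ".ani"),
                            ("mian.jpg", DISGUISED, ".jpg"),
                            ("photo.jpg", REAL_JPEG, ".jpg")]:
        print(name, inspect_file(data, ext))
```

The extension mismatch alone is enough to block at a gateway: Windows picks the cursor parser from the RIFF/ACON content, not from the name, so a `.jpg` that starts with `RIFF....ACON` has no legitimate reason to exist on a web page.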
COMMENT: I know I shouldn't post this here... but.. please, Roger, say a word about this !!! http://www.ithome.com.tw/itadm/article.php?c=42931 I've really had enough.. at the very least, locking keywords on the official site should be doable, right!?? We have seen the police use it with our own eyes... -----
COMMENT: Thank you. My view is that most of the sites that get malicious links injected never check for system or software vulnerabilities, and if they do, it is only a cursory check, because they simply don't understand it, so they can only go through the motions. I hope everyone will join this effort; don't let your rights sleep, and don't let these money-making vendors carry on like this... keep exposing them.
COMMENT: Sorry... it's all my fault.. this post has turned into a discussion about Foxy...
COMMENT: No problem. For sensitive organizations, not using this kind of software is the most basic security awareness; do these organizations really not understand that? Once the problem has happened, what use is it to hold these organizations responsible afterwards? What about the victims? Is there really nothing that can be done? There absolutely is; if these organizations wanted to do it, what could they not do? Stop deceiving ordinary people. The result of the information asymmetry is that the organization that leaked data wants to suppress the news, and the victims are always the last to know. As for why I report infected websites: simply put, because they do not take consumers' rights seriously at all; as far as security goes, I think most organizations are just pretending.
COMMENT: Dear Roger: I would like to ask you something. The Foxy affair has been getting quite a lot of attention lately: the Foxy company guarantees that when you use their software, no file outside the share folder you set up yourself will leak out; but the police say that as long as you use Foxy, every directory gets shared. What I want to ask is: how can ordinary people like us test whether Foxy is actually sharing files outside the share folder? Or, to put the question more clearly: how can we tell which directories or files on our own computer are "currently" being accessed by someone? Remember the Winpooch I mentioned to you last time? It seems able to monitor this, but in my testing, as soon as any program touched a directory it was monitoring, it crashed immediately..... I don't really believe the police (perhaps they are cracking down on Foxy because it made them lose face), but it still feels creepy...
COMMENT: Some netizens say its default is to share everything, but I may need to try it (I'm attending the information security expo today; I'll answer your question later). As for Winpooch, better not to use it; I will write an article introducing that tool later. Also, you can use the free File Monitor tool from Sysinternals to see which files or directories are being accessed.
COMMENT: As far as I know, in ordinary use you can see it in a simple way (except when special tools are involved): Administrative Tools --> Computer Management --> Shared Folders --> Open Files.. this tells you who is opening which folder. But I don't know about Foxy, because I don't want to use it... Though from what I understand, the Foxy issue is just that they configured it badly; my friend uses Foxy and other people can't see the things that aren't shared.
COMMENT: That's right, the default is to share everything...
COMMENT: Roger, no need to bother testing it ~ our association has already tested it... ...[中華民國網路安全自治學會 (Republic of China Network Security Self-Governance Association)] http://www.dick168.com/nisaa/viewthread.php?tid=1747&highlight=foxy The problem now isn't with the users (are we going to re-enact the MP3 incident!? go after everyone who downloads??), it's with company F! Can keywords really not be locked first ????? I tried again today.. no improvement at all! Some netizens even criticized us for fuelling this trend! ---that's like accusing [大砲開講] of advertising toxic websites and causing more people to get infected !??? Today the papers reported that Han Kuang exercise secrets leaked---that's right, that software can grab those too! Taiwan's government agencies + civil servants + military + police... none of them have any security awareness !! No wonder our country is among the top 3 most malware-infested countries on the Internet!