Virus Overview
Virus name: Backdoor.Win32.VB.xl (ipxsrv.exe), Backdoor.Win32.VB.xl (nwlink.exe)
Virus type: Trojan for Windows
Threat level: High
File size: nwlink.exe 160,256 bytes; Ipxsrv.exe 160,256 bytes
Affected systems: Windows NT and later
Written in: Visual Basic 5.0/6.0
Virus Description
The program's icon mimics the Local Area Connection icon in order to deceive the user. ipxsrv.exe and nwlink.exe do not open a listening port; functionally they resemble an IRC-bot style backdoor control scheme, which is activated only once a certain condition is met. After infection it creates two files in %Windir%\System32\: nwlink.exe (160,256 bytes) and Ipxsrv.exe (160,256 bytes). It starts the NWLink IPX Compatible Transport Protocol service. It can carry out denial-of-service attacks and adds nwlink.exe and Ipxsrv.exe to the process list. Through the client, the operator can scan, upload and download files, upgrade the server side (the backdoor component on the infected host), obtain the server's operating system version and language, processor model and URL information, perform HTTP, SMTP and SCAN related operations, and modify the registry under: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Behavior analysis:
1. IRCX functions
Commands: S- ping/pong/IRCX/JOIN/MODE/Creat/join/i/privmsg/kick/nick/app/-close-multi/name
Explanation of some commands:
The IRCX command is used to learn whether the server supports IRCX. Some IRCX commands with extended functionality take extra parameters; in particular, the /mode command carries additional modes that only an IRCX server supports. It can also be used to query the server's compatibility with IRCX.
/Create /create  Creates a new chat room and sets its properties
/Join /Join []  Creates or joins a chat room
/Kick /Kick []  Used by a chat room host to expel a user from a given chat room
/motd /MOTD  Displays the server's message of the day in the Status window
/Nick /Nick  Changes the nickname
/Privmsg  Same as the /Msg command
/Privmsg {,}  If you give a nickname, the message is sent as a whisper to one or more users;
if you give a chat room name, it is sent as a regular message to everyone in the chat room you are in
i  Sets invitation-only room mode.
2. File download function
Executing a download requires certain conditions to be met, e.g. the execute style must be chosen between 0 and 6, and the name of the file to execute must be supplied;
a "." marks the end.
Failed to execute file [ ].  (file execution failure message)
File name is requirement.  (error message)
Try deleted file [ ] failed.  (file deletion failure message)
Delete file [ ]has succeed.  (file deletion success message)
ERR: Source file name and Destination file name are requirement.  (file rename failure message)
Rename [ ] => [ ] has succeed.  (file rename success message)
Failed: Source file [ ] is not exist.  (failure: source file [ ] does not exist)
Try remove files( ) has completed.  (file removal success message)
Other messages: Execute style mode is requirement
Execute file name is requirement
Execute style mode must between 0 to 6
3. Collection of computer information, and some commands
-comtupername  computer name
-cpu  CPU information
-localtime -t  server-side time
-localip -ip  server-side IP address
-memory -mem  memory information
-sysdir  system folders
-sysver  system version
-username -u  server-side user name
-windir  Windows directory
-irc  IRC service
-pop  POP3 service
-port  port number
-proc  processes
-install .  after installation, runs as a service
halt  suspend
download  download a file
-localtime  server-side local time
-localip  server-side local IP
-memory  obtain memory size
-user  obtain user
-windir  list the Windows directory
-tcpd  can be used for reverse DNS lookups
-kill killedid
-list  process list
-reg  registry functions
-start  start service
-task -task-list  task number
admissive (permitted) -boot -check
-m  list the files under \winnt\ or \windows\
4. Send function (currently judged to be used for HTTP flooding)
POST /
Content-Type: application/x-www-form-urlencoded
Content-Length:
Cache-Control: no-cache
5. Process termination commands
Killed: [ ] processess killed.  (terminated)
- list  lists the process table
Failed: [ ] isn't in processes list.  (process does not exist)
Failed: PID isn't in processes list.  (PID is not in the process list)
6. Determines the language used on the server side; the built-in language list is as follows:
Process Default Language
"Afrikaans"
"Albanian"
"Arabic (Saudi Arabia)"
"Arabic (Iraq)"
"Arabic (Egypt)"
"Arabic (Libya)"
"Arabic (Algeria)"
"Arabic (Morocco)"
"Arabic (Tunisia)"
"Arabic (Oman)"
"Arabic (Yemen)"
"Arabic (Syria)"
"Arabic (Jordan)"
"Arabic (Lebanon)"
"Arabic (Kuwait)"
"Arabic (U.A.E.)"
"Arabic (Bahrain)"
"Arabic (Qatar)"
"Windows 2000: Armenian. This is Unicode only."
"Windows 2000: Assamese. This is Unicode only."
"Azeri (Latin)"
"Azeri (Cyrillic)"
"Basque"
"Belarussian"
"Windows 2000: Bengali. This is Unicode only."
"Bulgarian"
"Burmese"
"Catalan"
"Chinese (Taiwan Region)"
"Chinese (PRC)"
"Chinese (Hong Kong SAR, PRC)"
"Chinese (Singapore)"
"Chinese (Macau)"
"Croatian"
"Czech"
"Danish"
"Dutch (Netherlands)"
"Dutch (Belgium)"
"English (United States)"
"English (United Kingdom)"
"English (Australian)"
"English (Canadian)"
"English (New Zealand)"
"English (Ireland)"
"English (South Africa)"
"English (Jamaica)"
"English (Caribbean)"
"English (Belize)"
"English (Trinidad)"
"English (Zimbabwe)"
"English (Philippines)"
"Estonian"
"Faeroese"
"Farsi"
"Finnish"
"French (Standard)"
"French (Belgian)"
"French (Canadian)"
"French (Switzerland)"
"French (Luxembourg)"
"French (Monaco)"
"Windows 2000: Georgian. This is Unicode only."
"German (Standard)"
"German (Switzerland)"
"German (Austria)"
"German (Luxembourg)"
"German (Liechtenstein)"
"Greek"
"Windows 2000: Gujarati. This is Unicode only."
"Hebrew"
"Windows 2000: Hindi. This is Unicode only."
"Hungarian"
"Icelandic"
"Indonesian"
"Italian (Standard)"
"Italian (Switzerland)"
"Japanese"
"Windows 2000: Kannada. This is Unicode only."
"Kashmiri (India)"
"Kazakh"
"Windows 2000: Konkani. This is Unicode only."
"Korean"
"Korean (Johab)"
"Latvian"
"Lithuanian"
"Lithuanian (Classic)"
"Macedonian"
"Malay (Malaysian)"
"Malay (Brunei Darussalam)"
"Windows 2000: Malayalam. This is Unicode only."
"Manipuri"
"Windows 2000: Marathi. This is Unicode only."
"Windows 2000: Nepali (India). This is Unicode only."
"Norwegian (Bokmal)"
"Norwegian (Nynorsk)"
"Windows 2000: Oriya. This is Unicode only."
"Polish"
"Portuguese (Brazil)"
"Portuguese (Standard)"
"Windows 2000: Punjabi. This is Unicode only."
"Romanian"
"Russian"
"Windows 2000: Sanskrit. This is Unicode only."
"Serbian (Cyrillic)"
"Serbian (Latin)"
"Sindhi"
"Slovak"
"Slovenian"
"Spanish (Traditional Sort)"
"Spanish (Mexican)"
"Spanish (Modern Sort)"
"Spanish (Guatemala)"
"Spanish (Costa Rica)"
"Spanish (Panama)"
"Spanish (Dominican Republic)"
"Spanish (Venezuela)"
"Spanish (Colombia)"
"Spanish (Peru)"
"Spanish (Argentina)"
"Spanish (Ecuador)"
"Spanish (Chile)"
"Spanish (Uruguay)"
"Spanish (Paraguay)"
"Spanish (Bolivia)"
"Spanish (El Salvador)"
"Spanish (Honduras)"
"Spanish (Nicaragua)"
"Spanish (Puerto Rico)"
"Sutu"
"Swahili (Kenya)"
"Swedish"
"Swedish (Finland)"
"Windows 2000: Tamil. This is Unicode only."
"Tatar (Tatarstan)"
"Windows 2000: Telugu. This is Unicode only."
"Thai"
"Turkish"
"Ukrainian"
"Urdu (Pakistan)"
"Urdu (India)"
"Uzbek (Latin)"
"Uzbek (Cyrillic)"
"Vietnamese"
"Unknown New Language"
7. Server-side upgrade
-updata  via port 80
-r fail to run[ ].
exec  process information description, PID
-l local:
-d
-e
-o
Messages:
ERR: Unknown downloading status, client will close
Downloading... OVERWRITE
Downloading... bytes/remote:
Downloading... bytes/sec
Download completed.
Failed: Response file length is different than content length.
ERR: Socket error( )
Failed: Download client didn't ready.
Failed: No parameters found.
ERR: Protocal name doesn't found.
ERR: Environ [ ] doesn't exist.
ERR: Illegal local file name. [ ].
ERR: has been exist.
ERR: Socket did not ready.
8. Obtains the server-side operating system version; the built-in version strings are as follows
Windows 32s
Windows NT
Windows 95
Windows9x
Windows NT 4
WindowsNT
Windows NT 5.0
Windows2000
Windows NT 5.1
WindowsXP
Windows NT 5.2
Windows2003
9. Obtains the server-side processor model; the built-in model strings are as follows:
"Intel 386 Processor"
"Intel 486 Processor"
"Intel Pentium Processor"
"MIPS R4000 Processor"
"DEC Alpha 21064 Processor"
10. Obtains the server-side browser version; the built-in browser version strings are as follows:
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 5.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 5.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 5.5; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 5.01; Win"...
"Mozilla/4.0 (compatible; MSIE 6.0b; Win"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 5.5; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0b; Win"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
11. SCAN function: Scan port, start ipaddr, end ipaddr, all are requirement
Connection scan: connected.
Scan [ ] to [ ] has completed.
ip#s will scan( clients ).
Scan errors: ERR: illegal port number [ ].
ERR: illegal start ipaddr [ ].
ERR: illegal end paddr [ ]
ERR: You must make lesser IP address forward.
Stop scan: Stop scan [ ].
No active scaning
12. User-Agent function:
User-Agent:
Host:
Connection: Keep-Alive
13. Help function
Index  index
Number  help option
Description  function description
Scode  server code
Source  source
HelpFile  help file
HelpContext  help context
CancelDisplay  cancel display
14. ICMP flood
Calls IcmpSendEcho to send an ICMP echo request through an opened handle, returning after a timeout or once a reply packet is received.
Contains the following strings: Stop sending to  (stop sending data)
Start sending to  (start sending data)
No active ICMP working  (no active ICMP)
Stop tcp to(clients) / start tcp to(clients)
No active tcp in working.
Stop flood port on (clients) and start flood port on (clients)
No active flood port working.
Stop full port on
start full port on
No active full port working.
15. Sends newly created mail using the SMTP service function: it can be reset, and it can obtain the SMTP mail server's domain name,
using the hello command with parameter \n\r
Server replies: 220 service ready
250 requested mail action completed
354 start mail input; end with a single line containing "."
The HELO command has a security weakness: with helo hostname the client opens the greeting and the SMTP server uses it to identify the client, but the client can set this hostname to anything it likes.
Contains the following strings: SMTP service closed
SMTP service data arrival
SMTP service error
16. Start / stop a DDoS attack against an SMTP server
Contains the following strings: Start / Stop smtp sending to
Start / Stop ending to
Error start sending to [ ] is an illegal port.
No active UDP working.
No active smtp send working.
Can't resolve name.
Failed: Target port is requirement.
Failed: Target host/ipaddr is requirement.
Failed: Illegal web host name []
Failed: Illegal smtp host/ip []
Failed: Illegal smtp domain name.
Failed: Can't resolve ip address by name [
Failed: Can't resolve smtp host [
Failed: Smtp mail domain is requirement.
Failed: Smtp host/ip is requirement.
GET / command, related parameters /c/s/n/u/h (these parameters are likewise suspected to be used for HTTP flooding)
Port 80
Units: KBytes/sec KB/Sec
:// ERR: Protocal name doesn't found.
http Failed: [ ] protocol does not support.
http:// Can';t resolve name.
/n/r/p  the client has refresh and stop-refresh functions
ERR: Unknown http type [ ].
ERR: URL is requirement.
17. Mail sending function
MAIL FROM: <  (where the mail originates from)
RCPT TO: <  (SMTP command identifying the recipient; may contain the client user's email address)
DATA  (the data sent)
Summary: This is a fairly powerful backdoor, but given current test conditions we are for now unable to determine how the backdoor itself is activated, so the analysis above is essentially based on static analysis results.
At present we believe the backdoor may be activated in one of these ways:
1) At a specific time the backdoor actively connects to an IRC server and executes an IRC script.
2) Under specific conditions the backdoor sends an IP notification email and waits for the server side to initiate a connection.
3) The backdoor requires a client to control it, which sends a specific authentication string that activates the backdoor.
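A static string signature built from the strings the report quotes in sections 2, 7, 11 and 16, added here as an example and not code from the original analysis: it searches a binary for several of the backdoor's distinctive misspelled status messages in ASCII and UTF-16LE form and combines the hits with the reported file size. MIN_HITS is an assumed threshold and the sample buffers are constructed, not real samples.

```python
# Distinctive status and error strings the report lists for this backdoor;
# their misspellings make them rare in benign software.
SIGNATURE_STRINGS = [
    "Execute style mode must between 0 to 6",
    "ERR: Protocal name doesn't found.",
    "Failed: Download client didn't ready.",
    "Failed: Response file length is different than content length.",
    "Scan port, start ipaddr, end ipaddr, all are requirement",
    "Failed: Smtp mail domain is requirement.",
]
EXPECTED_SIZE = 160_256  # both dropped files are reported at this size
MIN_HITS = 3  # assumed threshold: require several rare strings together, not one


def string_hits(data: bytes) -> list:
    """Return the signature strings found in data, in ASCII or UTF-16LE form
    (VB6 executables commonly store string literals as UTF-16LE)."""
    return [s for s in SIGNATURE_STRINGS
            if s.encode("ascii") in data or s.encode("utf-16-le") in data]


def classify(data: bytes) -> dict:
    """Combine the string hits with the file-size indicator into one verdict."""
    hits = string_hits(data)
    return {"hits": hits, "matched": len(hits) >= MIN_HITS,
            "size_match": len(data) == EXPECTED_SIZE}


def scan_file(path: str) -> dict:
    """Classify a file on disk (read fully; the samples are small)."""
    with open(path, "rb") as fh:
        return classify(fh.read())


def _padded(body: bytes) -> bytes:
    """Pad a constructed buffer to the reported file size."""
    return body + b"\x00" * (EXPECTED_SIZE - len(body))


# Constructed sample buffers, not real malware: one embeds four of the strings
# as UTF-16LE amid padding, the other is a benign blob sharing a single string.
SAMPLE_SUSPECT = _padded(b"MZ" + b"\x00" * 200 + b"\x00".join(
    s.encode("utf-16-le") for s in SIGNATURE_STRINGS[:4]) + b"\x00" * 300)
SAMPLE_BENIGN = (b"MZ" + b"\x00" * 64
                 + b"Failed: Smtp mail domain is requirement." + b"\x00" * 64)
```

A single hit is not conclusive on its own, which is why classify() requires MIN_HITS strings before reporting a match and reports the size check separately.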