Malicious code planted on the Hengchun Township Office website (恆春鎮公所全球資訊網)

25 April 2008 – 17:34:58

A malicious link has been planted on the Hengchun Township Office website; the malware involved is TSPY_ONLINEG.IA. Anyone who has browsed this site recently should check their computer for infection as soon as possible. (Credit: Google)

For this URL, both McAfee SiteAdvisor and Trend Micro's Web Reputation Service reported it as clean. This shows that this kind of technology is not a complete solution to web security threats; in other words, information security can never be 100% secure.

The malicious link/code was placed in the homepage (the other pages probably deserve a careful check as well):

Google Search result (anomaly found), as shown in the figure below:

McAfee SiteAdvisor result (no anomaly found), as shown in the figure below:

Trend Micro Web Reputation Service result (no anomaly found), as shown in the figure below:

After the malware is executed, the following behaviour is observed:

[Added process]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp96.tmp

[DLL injection]
C:\Program Files\Internet Explorer\PLUGINS\Nt_Sys32.Sys
C:\WINDOWS\124327MM.DLL
C:\WINDOWS\system32\anistio.dll
C:\WINDOWS\system32\ayCBDCBD1046.dll
C:\WINDOWS\system32\dbhlp32.dlL
C:\WINDOWS\system32\dionpis.dll
C:\WINDOWS\system32\fiosectc.dll
C:\WINDOWS\system32\fmsbbqi.dll
C:\WINDOWS\system32\fmsiocps.dll
C:\WINDOWS\system32\fmsjhif.dll
C:\WINDOWS\system32\genqpelr.dll
C:\WINDOWS\system32\mfchlp64.dll
C:\WINDOWS\system32\msosdohs00.dll
C:\WINDOWS\system32\msosping00.dll
C:\WINDOWS\system32\ticisms.dll
C:\WINDOWS\system32\ttABCABC1023.dll
C:\WINDOWS\system32\ttBAIBAI1061.dll
C:\WINDOWS\system32\ttHADHAD1065.dll
C:\WINDOWS\system32\ttNNBNNB1050.dll
C:\WINDOWS\system32\txWLVWLV1010.dll

[Added service]
NAME: dohs
DISPLAY: dohs
FILE: \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpA1.tmp

NAME: mnsf
DISPLAY: mnsf
FILE: \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpB7.tmp

NAME: msfpfis64
DISPLAY: msfpfis64
FILE: \??\C:\WINDOWS\system32\drivers\msosmsfpfis64.sys

NAME: ping
DISPLAY: ping
FILE: \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp9D.tmp

NAME: pop
DISPLAY: pop
FILE: \??\C:\WINDOWS\system32\DRIVERS\pop.sys

[Added file]
C:\Program Files\Internet Explorer\PLUGINS\Nt_Sys32.Sys
C:\Program Files\Internet Explorer\PLUGINS\Nt_Win32.Jmp
C:\WINDOWS\124327M.exe
C:\WINDOWS\124327MM.DLL
C:\WINDOWS\anistio.exE
C:\WINDOWS\dbhlp32.exe
C:\WINDOWS\dionpis.exe
C:\WINDOWS\fiosectc.exe
C:\WINDOWS\fmsbbqi.exe
C:\WINDOWS\fmsiocps.exe
C:\WINDOWS\fmsjhif.exe
C:\WINDOWS\mfchlp64.exe
C:\WINDOWS\qfqfbrkq.exe
C:\WINDOWS\system32\anistio.dll
C:\WINDOWS\system32\ayCBDCBD1046.dll
C:\WINDOWS\system32\ayCBDCBD1046.exe
C:\WINDOWS\system32\dbhlp32.dlL
C:\WINDOWS\system32\dionpis.dll
C:\WINDOWS\system32\drivers\msosmsfpfis64.sys
C:\WINDOWS\system32\drivers\pop.sys
C:\WINDOWS\system32\fiosectc.dll
C:\WINDOWS\system32\fmsbbqi.dll
C:\WINDOWS\system32\fmsiocps.dll
C:\WINDOWS\system32\fmsjhif.dll
C:\WINDOWS\system32\genqpelr.dll
C:\WINDOWS\system32\mfchlp64.dll
C:\WINDOWS\system32\msosdohs.dat
C:\WINDOWS\system32\msosdohs00.dll
C:\WINDOWS\system32\msosmhfp.dat
C:\WINDOWS\system32\msosmhfp00.dll
C:\WINDOWS\system32\msosmnsf.dat
C:\WINDOWS\system32\msosmnsf00.dll
C:\WINDOWS\system32\msosping.dat
C:\WINDOWS\system32\msosping00.dll
C:\WINDOWS\system32\ticisms.dll
C:\WINDOWS\system32\ttABCABC1023.dll
C:\WINDOWS\system32\ttABCABC1023.exe
C:\WINDOWS\system32\ttBAIBAI1061.dll
C:\WINDOWS\system32\ttBAIBAI1061.exe
C:\WINDOWS\system32\ttHADHAD1065.dll
C:\WINDOWS\system32\ttHADHAD1065.exe
C:\WINDOWS\system32\ttNNBNNB1050.dll
C:\WINDOWS\system32\ttNNBNNB1050.exe
C:\WINDOWS\system32\txWLVWLV1010.dll
C:\WINDOWS\system32\txWLVWLV1010.exe
C:\WINDOWS\ticisms.exe

Too many to list… omitted…

[Modified file]
C:\WINDOWS\system32\drivers\etc\hosts
C:\WINDOWS\win.ini

[Added COM/BHO]
{0e24b300-a508-4625-823e-c80892a2c28d}-ttHADHAD1065.dll
{23323f58-17d8-4fed-8148-b666cde959ca}-ttBAIBAI1061.dll
{398C9B84-4EF7-47B5-9862-DE29543B3C42}-C:\Program Files\Internet Explorer\PLUGINS\Nt_Sys32.Sys
{5674d794-70bd-4e1d-8e4c-6417b7d3b2ec}-txWLVWLV1010.dll
{7a170d6e-7afb-4596-8252-f6606c0c594e}-ayCBDCBD1046.dll
{8bb02914-8bfb-4a17-8f60-93e7d085e159}-ttABCABC1023.dll
{ccb8b5b7-0b58-40a5-a697-a92c81e7250a}-ttNNBNNB1050.dll

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=dionpis
Data=C:\WINDOWS\dionpis.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=fiosectc
Data=C:\WINDOWS\fiosectc.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=dbhlp32
Data=C:\WINDOWS\dbhlp32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=ticisms
Data=C:\WINDOWS\ticisms.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=anistio
Data=C:\WINDOWS\anistio.exE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=rqefrqef
Data=C:\WINDOWS\qfqfbrkq.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=WinSysM
Data=C:\WINDOWS\124327M.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=fmsbbqi
Data=C:\WINDOWS\fmsbbqi.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=fmsiocps
Data=C:\WINDOWS\fmsiocps.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=fmsjhif
Data=C:\WINDOWS\fmsjhif.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=mfchlp64
Data=C:\WINDOWS\mfchlp64.exe

As of now (2008/4/25 @ 11:35), the following antivirus products detect these malicious files (for reference only):

ttBAIBAI1061.dll:
[ Trend ], "TSPY_ONLINEG.GRA"
ttBAIBAI1061.exe:
[ Trend ], "TSPY_ONLINEG.CXY"
ttNNBNNB1050.exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack, Trojan-PSW.Win32.OnLineGames.abcl"
[ McAfee ], "PWS-WoW.gen.a"
[ McAfee_Beta ], "PWS-WoW.gen.a"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ CAV ], "Win32/PerroldStealer!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.PBQ trojan"
[ Fortinet ], "suspicious"
[ HBEDV ], "TR/PSW.OnlineGames.abcl"
[ Norman ], "Trojan W32/OnLineGames.AWRK"
[ Rising ], "[>>upack0.39]:Trojan.PSW.Win32.GameOL.mnt"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.abcl"
[ Ewido ], "Trojan.OnLineGames.zhy"
[ Grisoft ], "Trojan horse PSW.OnlineGames.ALMN"
[ eAladdin ], "Suspicious File [104]"
[ quickheal ], "TrojanPSW.OnLineGames.zfe"
[ vba32 ], "Trojan-PSW.Win32.OnLineGames.abcl"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.PSW.OnlineGames.abcl"
[ bitdefender ], "Dropped:Generic.Malware.SBdld.7236E0E4"
txWLVWLV1010.dll:
[ IntelliTrap ], "PAK_Generic.001"
[ Alpha_Gen ], "Possible_Crypt-6"
[ Beta_Gen ], "Cryp_Upack"
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "PAK:UPack, Trojan-PSW.Win32.OnLineGames.abxf"
[ Sophos ], "Mal/EncPk-BW"
[ CAV ], "Win32/PerroldStealer!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.PBQ trojan"
[ Fortinet ], "W32/OnlineGames.SOU!tr.pws"
[ HBEDV ], "TR/Spy.Gen"
[ Norman ], "Trojan W32/OnLineGames.AXQW"
[ Rising ], "[>>upack0.34]:Trojan.PSW.Win32.GamesOnline.tv"
[ Ikarus ], "Trojan-PWS.Win32.Small.br"
[ Grisoft ], "Trojan horse PSW.OnlineGames.AMCC"
[ eAladdin ], "Win32.Looked.gen"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Spy.Gen"
[ bitdefender ], "Generic.Malware.SBdld.B7A18DF6"
txWLVWLV1010.exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Symantec ], "Infostealer.Gampass"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack, Trojan-PSW.Win32.OnLineGames.abda"
[ McAfee ], "PWS-WoW.gen.a"
[ McAfee_Beta ], "PWS-WoW.gen.a"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Trj/Lineage.BZE"
[ CAV ], "Win32/PerroldStealer!generic"
[ Nod32 ], "a variant of Win32/PSW.OnLineGames.PBQ trojan"
[ Fortinet ], "W32/Agent.DRP!tr.pws"
[ HBEDV ], "TR/Spy.Gen"
[ Norman ], "Trojan W32/OnLineGames.AXQW"
[ Rising ], "[>>upack0.39]:Trojan.PSW.Win32.GameOnlines.h"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.abda"
[ Grisoft ], "Trojan horse PSW.OnlineGames.ALNO"
[ eAladdin ], "Suspicious File [104]"
[ vba32 ], "Trojan-PSW.Win32.OnLineGames.abda"
[ Sunbelt ], "VIPRE.Suspicious"
[ WebWasher ], "Trojan.Spy.Gen"
[ bitdefender ], "Dropped:Generic.Malware.SBdld.B7A18DF6"

Too many to list… omitted…

“Malicious code planted on the Hengchun Township Office website” currently has 2 comments

  1. The Bureau of Labor Insurance (勞保局) website seems to have been hit by this too~

    After going in and logging in~ a bunch of the same files appeared on my computer~

    By minglin on 2 May 2008 - 14:52:52

  2. Could you provide the URL? Thanks.

    By Roger on 2 May 2008 - 15:28:28