Website supporting Taiwan's entry into the World Health Organization implanted with a malicious link

25 April 2008 – 18:03:41

The Hengchun Township Office website (恆春鎮公所全球資訊網) has been implanted with a malicious link. The malware involved is TROJ_DROPPER.WQ (it has keylogging functionality). Anyone who has browsed this page recently should check their computer for infection as soon as possible. (Credit: Google)

For this URL, both McAfee SiteAdvisor and Trend Micro Web Reputation Service reported it as normal, which shows that this kind of technology is not a perfect solution to web security threats; in other words, information security can never be made 100% secure.

The malicious link/code is placed on the home page (the other pages may need a careful check too). The linked file is hosted on the website of 亞美利佳顧問有限公司:

Google Search result (anomaly found), as shown in the figure below:

McAfee SiteAdvisor result (no anomaly found), as shown in the figure below:

Trend Micro Web Reputation Service result (no anomaly found), as shown in the figure below:

After execution, it exhibits the following behaviour:

[DLL injection]
C:\WINDOWS\system32\cert2app.dll
C:\WINDOWS\system32\cert2dll.dll
C:\WINDOWS\system32\cert2prt.dll

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\help.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\real[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\help[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\real[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\picode[1].exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Mse\nt.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Mse\os.dat
C:\error.log
C:\WINDOWS\sxlkl.inf
C:\WINDOWS\system32\cert2app.dll
C:\WINDOWS\system32\cert2dll.dll
C:\WINDOWS\system32\cert2exe.exe
C:\WINDOWS\system32\cert2prt.dll
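The artifact list above can be turned into a host check. The script below is an added example, not code from the original post: it takes the fixed-location paths exactly as listed and, for the per-user files, matches on file name only, because the profile name ("Administrator") and the Content.IE5 cache sub-folder names (OXI7BCE5, Q08VKCK4, SEUIMLSE) differ from machine to machine. The profiles root `C:\Documents and Settings` and the `exists`/`walk` parameters are assumptions added so the logic can be exercised off a Windows box; a hit on a generic name such as help.exe is a lead to confirm with a hash or an AV scan, not proof of infection on its own.

```python
import os
from typing import Callable, Iterable, List, Tuple

# System-wide artifacts named in the post; these can be checked by exact path.
FIXED_PATH_IOCS = [
    r"C:\WINDOWS\system32\cert2app.dll",
    r"C:\WINDOWS\system32\cert2dll.dll",
    r"C:\WINDOWS\system32\cert2exe.exe",
    r"C:\WINDOWS\system32\cert2prt.dll",
    r"C:\WINDOWS\sxlkl.inf",
    r"C:\error.log",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Mse\nt.dat",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Mse\os.dat",
]

# Per-user artifacts from the post, by file name only: the user profile and the
# Temporary Internet Files cache folder names are not stable across hosts.
PROFILE_FILE_NAMES = {
    "help.exe", "help[1].exe", "picode[1].exe",
    "real[1].htm", "real[1].txt", "1[1].htm",
}

# Assumed default profiles root for a Windows XP era system (not from the post).
DEFAULT_PROFILES_ROOT = r"C:\Documents and Settings"


def check_fixed_paths(paths: Iterable[str],
                      exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the subset of exact-path indicators present on this host.

    `exists` is injectable so the check can be tested without the real files.
    """
    return [p for p in paths if exists(p)]


def find_profile_artifacts(profiles_root: str = DEFAULT_PROFILES_ROOT,
                           walk: Callable = os.walk) -> List[Tuple[str, str]]:
    """Walk every user profile and report (directory, file name) pairs whose
    name matches one of the per-user artifacts. Matching is case-insensitive
    because NTFS file names are."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in walk(profiles_root):
        for name in files:
            if name.lower() in PROFILE_FILE_NAMES:
                hits.append((dirpath, name))
    return hits


def scan(exists: Callable[[str], bool] = os.path.exists,
         walk: Callable = os.walk,
         profiles_root: str = DEFAULT_PROFILES_ROOT) -> dict:
    """Run both checks and flag the host if any indicator is present."""
    fixed = check_fixed_paths(FIXED_PATH_IOCS, exists)
    profile = find_profile_artifacts(profiles_root, walk)
    return {
        "fixed_hits": fixed,
        "profile_hits": profile,
        "suspected": bool(fixed or profile),
    }


if __name__ == "__main__":
    result = scan()
    for p in result["fixed_hits"]:
        print("indicator present:", p)
    for d, n in result["profile_hits"]:
        print("per-user indicator present:", os.path.join(d, n))
    print("suspected infection:", result["suspected"])
```

Run it as an administrator on the host in question; an empty result only means these specific artifacts are absent, so a machine that visited the page should still get a full AV scan with current signatures.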

As of now (2008/4/25 @ 12:16), the following antivirus products detect these malicious files (for reference only):

css.htm:
  [ Alpha_Gen ], "Possible_EncScr"
  [ Beta_Gen ], "Possible_EncScr"
  [ Sophos ], "Mal/Psyme-B"
  [ HBEDV ], "VBS/Dldr.Agent.HL"
  [ quickheal ], "VBS/Agent.HL"
  [ WebWasher ], "Script.Dldr.Agent.HL"
nt.dat:
  [ WebWasher ], "BlockReason.46 (suspicious)"
os.dat:
  [ WebWasher ], "BlockReason.46 (suspicious)"
real[1].htm:
  [ Alpha_Gen ], "Heur_Infrm-1"
  [ Norman ], "Trojan HTML/Exploit!IFrame.G"
  [ Clamav ], "Exploit.Iframe-1"
real[1].txt:
  [ Kaspersky ], "Trojan-Downloader.JS.Psyme.uy"
  [ Ikarus ], "Trojan-Downloader.JS.Psyme.uy"
1[1].htm:
  [ Alpha_Gen ], "Possible_EncScr"
  [ Beta_Gen ], "Possible_EncScr"
  [ Kaspersky ], "Trojan-Downloader.VBS.Small.bv"
  [ Sophos ], "JS/Psyme-FI"
  [ HBEDV ], "VBS/Dldr.Agent.HL"
  [ Rising ], "Trojan.VBS.Agent.b"
  [ Clamav ], "VBS.Psyme-11"
  [ Grisoft ], "Virus identified VBS/Psyme.N"
  [ quickheal ], "VBS/Agent.HL"
  [ WebWasher ], "Script.Dldr.Agent.HL"
cert2dll.dll:
  [ Trend ], "TROJ_DROPPER.WQ"
cert2exe.exe:
  [ Trend ], "TROJ_DROPPER.WQ"
cert2prt.dll:
  [ Trend ], "TROJ_AGENT.TBS"
help.exe:
  [ Trend ], "TROJ_AGENT.GUT"
help[1].exe:
  [ Trend ], "TROJ_AGENT.GUT"
picode[1].exe:
  [ Trend ], "TROJ_DROPPER.WQ"
cert2app.dll:
  [ Trend ], "TROJ_AGENT.TBS"
