Ministry of Education Northern Region English Teaching Resource Center website injected with malicious links
June 11, 2008 – 00:03:06 The website of the Ministry of Education Northern Region English Teaching Resource Center (教育部北區英語教學資源中心) has been injected with malicious links. The malware involved is Trojan-PSW.Win32.OnLineGames.alse. Anyone who has browsed this site recently should check their computer for infection as soon as possible. (Credit: Google)
The malicious link/code was placed in the above URL (other pages may also need a careful check) at:
Google Search result (anomaly found), as shown in the image below:
McAfee SiteAdvisor result (no anomaly found), as shown in the image below:
Trend Micro Web Reputation result (anomaly found), as shown in the image below:
After execution, it exhibits the following behaviour:
[Added process]
C:\WINDOWS\system32\zwturo.exe
[DLL injection]
C:\WINDOWS\system32\wininnet.nls
[Added service]
NAME: ffdayy
DISPLAY: ffdayy
FILE: \??\C:\WINDOWS\system32\ffdayy
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\orz.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\0000050458_000000000000000595810[1].swf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\014[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\1660620[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\1876325[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\4561[1].swf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ie[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\shan[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\stat[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\s[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\vip[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\014[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\014[2].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\1153797[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\c[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\g3[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\0014[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\014[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\A7168FCC208D44ADB35851E1611[1].swf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\bd[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\dap[2].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\e[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\s[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\t1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\w6[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\014[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\14[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\1897033[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\6619038[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\cn[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\huai5[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\index[1].htm
C:\WINDOWS\system32\config.ini
C:\WINDOWS\system32\wininnet.nls
C:\WINDOWS\system32\zwturo.exe
C:\_uninsep.bat
As of now (2008/6/10 @ 08:19), the following anti-virus products detect these malicious files (for reference only):
014[1].js:
[ Kaspersky ], "Trojan-Downloader.VBS.Agent.oa"
[ HBEDV ], "TR/Dldr.Agent.OA.1"
[ Authentium ], "JS/Psyme.FE"
[ WebWasher ], "Trojan.Dldr.Agent.OA.1"
c[1].htm:
[ Authentium ], "HTML/IFrame"
6619038[1].htm:
[ Panda ], "Exploit/iFrame"
[ Panda_Beta ], "Exploit/iFrame"
[ Ikarus ], "Trojan.IFrame.AW"
[ Authentium ], "HTML/IFrame"
[ bitdefender ], "Trojan.IFrame.AW"
0000050458_000000000000000595810[1].swf:
[ Kaspersky ], "PAK:Swf2Swc"
zwturo.exe:
[ IntelliTrap ], "PAK_Generic.006"
[ Alpha_Gen ], "AP_MALPK-2"
[ Beta_Gen ], "AP_MALPK-2"
[ Microsoft ], "[->(Upack)]:TrojanDropper:Win32/Idicaf.B"
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack, Trojan-PSW.Win32.OnLineGames.alse"
[ McAfee ], "New Malware.aj !!"
[ McAfee_Beta ], "New Malware.aj !!"
[ Sophos ], "Mal/Packer"
[ Panda ], "Suspicious file"
[ Panda_Beta ], "Suspicious file"
[ Fortinet ], "W32/OnLineGames.ALSE!tr.pws"
[ HBEDV ], "TR/PSW.OnlineGames.alse"
[ Norman ], "Trojan W32/Suspicious_U.gen"
[ Rising ], "[>>upack0.39]:Trojan.Win32.AvKiller.bz"
[ Ikarus ], "Trojan-PWS.Win32.OnLineGames.alse"
[ eAladdin ], "Suspicious File [104]"
[ quickheal ], "TrojanPSW.OnLineGames.alse"
[ vba32 ], "Trojan-PSW.Win32.OnLineGames.alse"
[ WebWasher ], "Trojan.PSW.OnlineGames.alse"
[ bitdefender ], "Trojan.PWS.OnLineGames.YZA"
[ drweb ], "Trojan.AVKill.425"
index[1].htm:
[ Sophos ], "Mal/ObfJS-X"
[ HBEDV ], "HEUR/HTML.Malware"
[ Norman ], "Trojan JS/Agent.I"
[ WebWasher ], "BlockReason.46 (suspicious)"
4561[1].swf:
[ Kaspersky ], "PAK:Swf2Swc, Trojan-Downloader.SWF.Small.bt"
[ HBEDV ], "TR/Dldr.SWF.Small.BT"
[ WebWasher ], "Trojan.Dldr.SWF.Small.BT"
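The behaviour report above and the multi-scanner list are useful to a defender only once they are in a structured form that can be compared against a host. The following is an added example written for this post, not code from the original author: it parses the `[Section]` report into file-path and service-name IoCs (dropping the `\??\` object-manager prefix the sandbox records on the service binary), parses the `[ Vendor ], "Name"` detection lines into a per-file table so the least-detected samples stand out, and matches the IoCs against a constructed host snapshot. The `REPORT` and `AV_RESULTS` strings are copied (abridged) from the post; `HOST_SNAPSHOT` is a constructed sample.

```python
"""Parse a sandbox behaviour report and a multi-scanner detection list
into IoCs and match them against a host snapshot. Added example, not the
post's own code; REPORT/AV_RESULTS are abridged from the post."""
import re
from collections import defaultdict

REPORT = r"""
[Added process]
C:\WINDOWS\system32\zwturo.exe
[DLL injection]
C:\WINDOWS\system32\wininnet.nls
[Added service]
NAME: ffdayy
DISPLAY: ffdayy
FILE: \??\C:\WINDOWS\system32\ffdayy
[Added file]
C:\WINDOWS\system32\config.ini
C:\WINDOWS\system32\wininnet.nls
C:\WINDOWS\system32\zwturo.exe
C:\_uninsep.bat
"""

AV_RESULTS = """
014[1].js:
[ Kaspersky ], "Trojan-Downloader.VBS.Agent.oa"
[ HBEDV ], "TR/Dldr.Agent.OA.1"
c[1].htm:
[ Authentium ], "HTML/IFrame"
zwturo.exe:
[ Kaspersky ], "PAK:PE_Patch, PAK:UPack, Trojan-PSW.Win32.OnLineGames.alse"
[ Sophos ], "Mal/Packer"
[ McAfee ], "New Malware.aj !!"
"""

SECTION_RE = re.compile(r"^\[(.+?)\]$")
DETECTION_RE = re.compile(r'^\[\s*(.+?)\s*\],\s*"(.*)"$')


def parse_report(text):
    """Split the report into {section: [entries]} on its [Section] headers."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
        elif current is not None:
            sections[current].append(line)
    return dict(sections)


def extract_iocs(sections):
    """Flatten sections into lower-cased file paths and service names
    (NTFS lookups and the SCM are case-insensitive)."""
    iocs = {"path": set(), "service": set()}
    for key in ("Added process", "DLL injection", "Added file"):
        for path in sections.get(key, []):
            iocs["path"].add(path.lower())
    for entry in sections.get("Added service", []):
        field, _, value = entry.partition(":")
        value = value.strip()
        if field == "NAME":
            iocs["service"].add(value.lower())
        elif field == "FILE":
            # Drop the NT object-manager prefix so it compares as a Win32 path.
            if value.startswith("\\??\\"):
                value = value[4:]
            iocs["path"].add(value.lower())
    return iocs


def parse_detections(text):
    """Parse '<file>:' headers followed by '[ Vendor ], "Name"' lines."""
    detections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and not line.startswith("["):
            current = line[:-1]
            continue
        hit = DETECTION_RE.match(line)
        if hit and current is not None:
            detections[current].append((hit.group(1), hit.group(2)))
    return dict(detections)


def vendor_coverage(detections):
    """Engines flagging each file; low counts are the samples most likely
    to slip past a single desktop scanner."""
    return {name: len(hits) for name, hits in detections.items()}


def match_host(iocs, snapshot):
    """Return sorted (type, value) pairs from the snapshot matching an IoC."""
    hits = [("service", s.lower()) for s in snapshot.get("services", [])
            if s.lower() in iocs["service"]]
    hits += [("path", p.lower()) for p in snapshot.get("files", [])
             if p.lower() in iocs["path"]]
    return sorted(hits)


# Constructed snapshot of one host: installed service names and some files.
HOST_SNAPSHOT = {
    "services": ["Spooler", "ffdayy"],
    "files": [r"C:\WINDOWS\system32\zwturo.exe", r"C:\WINDOWS\notepad.exe"],
}
```

Calling `match_host(extract_iocs(parse_report(REPORT)), HOST_SNAPSHOT)` on the constructed snapshot returns both the `ffdayy` service and the `zwturo.exe` path; in practice the snapshot would be produced by an inventory tool, and a hit on the service name alone is enough to triage the host, since the dropper registers that name regardless of where the binary lands.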

“Ministry of Education Northern Region English Teaching Resource Center website injected with malicious links” currently has 2 responses
http://www.blogtw.com The homepage of BLOG 鄉村台灣站 seems to have been hacked.
Maybe the site owner is driving people away and wants to shut the site down!!???
By asd on June 11, 2008 - 01:01:14
Not sure what happened; the domain seems to have been registered away:
Domain Name………. blogtw.com
Creation Date…….. 2003-09-18
Registration Date…. 2003-09-18
Expiry Date………. 2010-09-18
Organisation Name…. Howard Chang
Organisation Address. 4466 EMERALD ST
Organisation Address.
Organisation Address. TORRANCE
Organisation Address. 90503
Organisation Address. CA
Organisation Address. UNITED STATES
Admin Name……….. Howard Chang
Admin Address…….. 4466 EMERALD ST
Admin Address……..
Admin Address…….. TORRANCE
Admin Address…….. 90503
Admin Address…….. CA
Admin Address…….. UNITED STATES
Admin Email………. blogtw@yahoo.com
Admin Phone………. +1.3102142353
Admin Fax…………
Tech Name………… YahooDomains TechContact
Tech Address……… 701 First Ave.
Tech Address………
Tech Address……… Sunnyvale
Tech Address……… 94089
Tech Address……… CA
Tech Address……… UNITED STATES
Tech Email……….. domain.tech@YAHOO-INC.COM
Tech Phone……….. +1.6198813096
Tech Fax…………. +1.6198813010
Name Server………. ns1.adtaiwan.com
Name Server………. ns1.blogtw.com
By Roger on June 11, 2008 - 07:53:12