对勒索病毒样本的研究 - 〖系统安全〗

z3960

级别: 茶馆馆主

发帖: 770867

飞翔币: 207694

威望: 215657

飞扬币: 2511641

信誉值: 8

只看楼主更多操作 0 发表于: 2021-07-26

样本分析准备基础知识：1.需要具备一定的开发能力2.熟悉汇编语言3.PE文件结构的掌握工具使用：熟练掌握以下常用工具的功能，基于以下工具展开详细分析，可以对病毒样本进行一个详细流程和功能分析，从而分析还原出关键的病毒功能，及研究对应的对抗方案。<img id="aimg_2310761" aid="2310761" src="https://attach.52pojie.cn/forum/202107/14/093644ygnzh8m78gmohgoa.png" zoomfile="https://attach.52pojie.cn/forum/202107/14/093644ygnzh8m78gmohgoa.png" file="https://attach.52pojie.cn/forum/202107/14/093644ygnzh8m78gmohgoa.png" class="zoom" width="760" inpost="1" "="" lazyloaded="true" height="262" style="overflow-wrap: break-word; cursor: pointer; max-width: 100%;">样本分析流程<img id="aimg_2310762" aid="2310762" src="https://attach.52pojie.cn/forum/202107/14/093731ep0jfvbz10v5zjgd.png" zoomfile="https://attach.52pojie.cn/forum/202107/14/093731ep0jfvbz10v5zjgd.png" file="https://attach.52pojie.cn/forum/202107/14/093731ep0jfvbz10v5zjgd.png" class="zoom" width="657" inpost="1" "="" lazyloaded="true" _load="1" style="overflow-wrap: break-word; cursor: pointer; max-width: 100%;">对一个病毒样本或者软件详细分析，一般可以通过五个步骤进行分析样本功能：样本基本属性、样本结构、样本静态分析、样本功能行为监控、样本动态分析。基于以上的五个步骤基本上可以分析出详细的样本功能实现。样本基本信息通过PEID、ExeInfoPE工具分析出样本的几个基本属性。通过Hasher工具可以分析出样本的MD5、sha1、CRC32的属性值。PEID、ExeInfoPE两个工具原理：通过解析PE文件结构解析出样本的区段信息、通过匹配征码方式匹配出样本是否加壳、加什么壳，样本开发语言和开发工具。 <img id="aimg_2310763" aid="2310763" src="https://attach.52pojie.cn/forum/202107/14/093733izb1yq2pwybr1ybj.png" zoomfile="https://attach.52pojie.cn/forum/202107/14/093733izb1yq2pwybr1ybj.png" file="https://attach.52pojie.cn/forum/202107/14/093733izb1yq2pwybr1ybj.png" class="zoom" width="785" inpost="1" "="" lazyloaded="true" _load="1" style="overflow-wrap: break-word; cursor: pointer; max-width: 100%;"> <img id="aimg_2310764" aid="2310764" src="https://attach.52pojie.cn/forum/202107/14/093735jljt69x499lfzlp4.png" zoomfile="https://attach.52pojie.cn/forum/202107/14/093735jljt69x499lfzlp4.png" file="https://attach.52pojie.cn/forum/202107/14/093735jljt69x499lfzlp4.png" class="zoom" width="573" inpost="1" "="" lazyloaded="true" _load="1" style="overflow-wrap: break-word; cursor: pointer; max-width: 100%;">样本功能分析病毒样本功能可以从几个维度分析：自启动(服务器，注册表)、释放文件、网络通信、加密解密。主要通过静态IDA分析和动态OllyDbg分析相结合，通过IDA分析出样本中的流程结构（也重点关注下导入表信息，字符串信息），然后再针对每个函数进行分析，函数中的参数传递和返回值信息通过ollydbg工具附加下断点进行动态调试分析。以下流程图是整个病毒样本的功能流程，主要就是进行系统服务操作，利用微软的SMB漏洞进行445端口漏洞的尝试、释放真正的勒索病毒样本。<img id="aimg_2310765" aid="2310765" src="https://attach.52pojie.cn/forum/202107/14/093751ofpvvvo7168bjkv7.png" zoomfile="https://attach.52pojie.cn/forum/202107/14/093751ofpvvvo7168bjkv7.png" file="https://attach.52pojie.cn/forum/202107/14/093751ofpvvvo7168bjkv7.png" class="zoom" width="542" inpost="1" "="" lazyloaded="true" _load="1" style="overflow-wrap: break-word; cursor: pointer; max-width: 100%;">样本在IDA工具中的main函数的流程结构<img id="aimg_2310766" aid="2310766" src="https://attach.52pojie.cn/forum/202107/14/093902u7tnfthrf7l2ffj3.png" zoomfile="https://attach.52pojie.cn/forum/202107/14/093902u7tnfthrf7l2ffj3.png" file="https://attach.52pojie.cn/forum/202107/14/093902u7tnfthrf7l2ffj3.png" class="zoom" width="1042" inpost="1" "="" lazyloaded="true" _load="1" style="overflow-wrap: break-word; cursor: pointer; max-width: 100%;">样本入口函数的关键功能函数实现的解析<img id="aimg_2310767" aid="2310767" src="https://attach.52pojie.cn/forum/202107/14/093934ozeawctb4t00blkw.png" zoomfile="https://attach.52pojie.cn/forum/202107/14/093934ozeawctb4t00blkw.png" file="https://attach.52pojie.cn/forum/202107/14/093934ozeawctb4t00blkw.png" class="zoom" width="845" inpost="1" "="" lazyloaded="true" _load="1" style="overflow-wrap: break-word; cursor: pointer; max-width: 100%;">恶意代码功能解析 <img id="aimg_2310768" aid="2310768" src="https://attach.52pojie.cn/forum/202107/14/093936s0z1uucgz4gu1zcn.png" zoomfile="https://attach.52pojie.cn/forum/202107/14/093936s0z1uucgz4gu1zcn.png" file="https://attach.52pojie.cn/forum/202107/14/093936s0z1uucgz4gu1zcn.png" class="zoom" width="779" inpost="1" "="" lazyloaded="true" _load="1" style="overflow-wrap: break-word; cursor: pointer; max-width: 100%;">开始对445端口漏洞尝试功能解析<img id="aimg_2310769" aid="2310769" src="https://attach.52pojie.cn/forum/202107/14/093938z4sk4s5c3gs57prw.png" zoomfile="https://attach.52pojie.cn/forum/202107/14/093938z4sk4s5c3gs57prw.png" file="https://attach.52pojie.cn/forum/202107/14/093938z4sk4s5c3gs57prw.png" class="zoom" width="804" inpost="1" "="" lazyloaded="true" _load="1" style="overflow-wrap: break-word; cursor: pointer; max-width: 100%;">进行内网445端口漏洞尝试功能实现解析<img id="aimg_2310770" aid="2310770" src="https://attach.52pojie.cn/forum/202107/14/093940quxx8s8fphoho1ho.png" zoomfile="https://attach.52pojie.cn/forum/202107/14/093940quxx8s8fphoho1ho.png" file="https://attach.52pojie.cn/forum/202107/14/093940quxx8s8fphoho1ho.png" class="zoom" width="681" inpost="1" "="" lazyloaded="true" _load="1" style="overflow-wrap: break-word; cursor: pointer; max-width: 100%;">进行外网445端口漏洞尝试功能实现解析 <img id="aimg_2310771" aid="2310771" src="https://attach.52pojie.cn/forum/202107/14/093942vnv20fs85ozop2jo.png" zoomfile="https://attach.52pojie.cn/forum/202107/14/093942vnv20fs85ozop2jo.png" file="https://attach.52pojie.cn/forum/202107/14/093942vnv20fs85ozop2jo.png" class="zoom" width="771" inpost="1" "="" lazyloaded="true" _load="1" style="overflow-wrap: break-word; cursor: pointer; max-width: 100%;">漏洞尝试的效果展示<img id="aimg_2310772" aid="2310772" src="https://attach.52pojie.cn/forum/202107/14/093945qnbjyzijg9x9qnzb.png" zoomfile="https://attach.52pojie.cn/forum/202107/14/093945qnbjyzijg9x9qnzb.png" file="https://attach.52pojie.cn/forum/202107/14/093945qnbjyzijg9x9qnzb.png" class="zoom" width="879" inpost="1" "="" lazyloaded="true" _load="1" style="overflow-wrap: break-word; cursor: pointer; max-width: 100%;">释放真正的勒索病毒文件通过从应用程序的资源部分进行释放出病毒样本exe和dll模块，并将样本的exe和dll模块释放到C盘的windows目录下，以伪装成为系统程序。<img id="aimg_2310773" aid="2310773" src="https://attach.52pojie.cn/forum/202107/14/093947kdbbbjzcmod1xbc7.png" zoomfile="https://attach.52pojie.cn/forum/202107/14/093947kdbbbjzcmod1xbc7.png" file="https://attach.52pojie.cn/forum/202107/14/093947kdbbbjzcmod1xbc7.png" class="zoom" width="774" inpost="1" "="" lazyloaded="true" _load="1" style="overflow-wrap: break-word; cursor: pointer; max-width: 100%;">释放样本文件效果展示通过procmon工具，并进行针对病毒样本进程进行监控，可以实际监控到样本释放文件的操作。<img id="aimg_2310774" aid="2310774" src="https://attach.52pojie.cn/forum/202107/14/093949fluzuorbbgudie22.png" zoomfile="https://attach.52pojie.cn/forum/202107/14/093949fluzuorbbgudie22.png" file="https://attach.52pojie.cn/forum/202107/14/093949fluzuorbbgudie22.png" class="zoom" width="788" inpost="1" "="" lazyloaded="true" _load="1" style="overflow-wrap: break-word; cursor: pointer; max-width: 100%;">释放勒索病毒功能梳理<img id="aimg_2310775" aid="2310775" src="https://attach.52pojie.cn/forum/202107/14/093951w4wt81z8t1846tv4.png" zoomfile="https://attach.52pojie.cn/forum/202107/14/093951w4wt81z8t1846tv4.png" file="https://attach.52pojie.cn/forum/202107/14/093951w4wt81z8t1846tv4.png" class="zoom" width="850" inpost="1" "="" lazyloaded="true" _load="1" style="overflow-wrap: break-word; cursor: pointer; max-width: 100%;">释放出来的样本在IDA中展示main函数的流程结构（直接用拖入方式即可） <img id="aimg_2310776" aid="2310776" src="https://attach.52pojie.cn/forum/202107/14/093953mifksud8quskmmmm.png" zoomfile="https://attach.52pojie.cn/forum/202107/14/093953mifksud8quskmmmm.png" file="https://attach.52pojie.cn/forum/202107/14/093953mifksud8quskmmmm.png" class="zoom" width="631" inpost="1" "="" lazyloaded="true" _load="1" style="overflow-wrap: break-word; cursor: pointer; max-width: 100%;">样本main函数流程中的关键函数进行解析<img id="aimg_2310777" aid="2310777" src="https://attach.52pojie.cn/forum/202107/14/093955j0vn94496mmnek50.png" zoomfile="https://attach.52pojie.cn/forum/202107/14/093955j0vn94496mmnek50.png" file="https://attach.52pojie.cn/forum/202107/14/093955j0vn94496mmnek50.png" class="zoom" width="893" inpost="1" "="" lazyloaded="true" _load="1" style="overflow-wrap: break-word; cursor: pointer; max-width: 100%;">样本中将比特币账号采用硬编码方式直接写在代码中<img id="aimg_2310778" aid="2310778" src="https://attach.52pojie.cn/forum/202107/14/093958m458kcdww5hfk5hc.png" zoomfile="https://attach.52pojie.cn/forum/202107/14/093958m458kcdww5hfk5hc.png" file="https://attach.52pojie.cn/forum/202107/14/093958m458kcdww5hfk5hc.png" class="zoom" width="746" inpost="1" "="" lazyloaded="true" _load="1" style="overflow-wrap: break-word; cursor: pointer; max-width: 100%;">采用微软的加解密算法，通过调用系统CryptDecrypt和CryptDecrypt函数用于进行加解密ZIP文件。<img id="aimg_2310779" aid="2310779" src="https://attach.52pojie.cn/forum/202107/14/094000ar7tage53lwga4vg.png" zoomfile="https://attach.52pojie.cn/forum/202107/14/094000ar7tage53lwga4vg.png" file="https://attach.52pojie.cn/forum/202107/14/094000ar7tage53lwga4vg.png" class="zoom" width="782" inpost="1" "="" lazyloaded="true" _load="1" style="overflow-wrap: break-word; cursor: pointer; max-width: 100%;">动态释放模块进行判断释放出来的文件是否是标准PE文件（判断PE文件的DOS头部分“MZ”，在进行判断NT头的PE签名信息“PE”） <img id="aimg_2310780" aid="2310780" src="https://attach.52pojie.cn/forum/202107/14/094002embip80bp80zawp0.png" zoomfile="https://attach.52pojie.cn/forum/202107/14/094002embip80bp80zawp0.png" file="https://attach.52pojie.cn/forum/202107/14/094002embip80bp80zawp0.png" class="zoom" width="780" inpost="1" "="" lazyloaded="true" _load="1" style="overflow-wrap: break-word; cursor: pointer; max-width: 100%;">勒索病毒对以下所有后缀文件进行加密，这些后缀文件基本覆盖所有类型的文件。<img id="aimg_2310781" aid="2310781" src="https://attach.52pojie.cn/forum/202107/14/094004n3tbu2jhn69cftt6.png" zoomfile="https://attach.52pojie.cn/forum/202107/14/094004n3tbu2jhn69cftt6.png" file="https://attach.52pojie.cn/forum/202107/14/094004n3tbu2jhn69cftt6.png" class="zoom" width="818" inpost="1" "="" lazyloaded="true" _load="1" style="overflow-wrap: break-word; cursor: pointer; max-width: 100%;">（仅分享样本大概功能流程，还有如核心的加解密算法相关的功能没有进行分析）对勒索病毒的一点思考1.预防中病毒通用方案