Elderwood APT: Attack Campaign Assessment - By nEINEI  Time: 2012-09-06

1) Installs specialized trojans by exploiting IE/PDF/Flash 0day vulnerabilities.
2) Uses watering-hole attacks or phishing e-mails; targets include the defense sector and various defense supply-chain manufacturers, NGOs, and IT service providers.

Symptoms

The Trojan may arrive on the computer by exploiting the following vulnerability:
  Adobe Flash Player CVE-2012-0779 Object Type Confusion Remote Code Execution Vulnerability (CVE-2012-0779)

The Trojan may also arrive as a specially-crafted Microsoft Word document, which exploits the Microsoft Office RTF File Stack Buffer Overflow Vulnerability (CVE-2010-3333).

When the Trojan is executed, it creates the following file:
  C:\Documents and Settings\Administrator\Application Data\updatesvc.dll

It may also create the following files:
  %UserProfile%\Application Data\Microsoft\Internet Explorer\IEXPL0RE.EXE
  %Temp%\perf[FOUR OR FIVE RANDOM CHARACTERS].dat
  %SystemDrive%\RECYCLER\thumb.dat
  %Windir%\system\MSMAPI32.SRG
  %Windir%\system\lock.dat
  %System%\STREAM.SYS

Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"rundll32.exe" = "rundll32.exe "C:\Documents and Settings\Administrator\Application Data\updatesvc.dll",start"

The Trojan then downloads and executes a file from the following location:
  [http://]download.symantec-sync.com/images/pagerr[REMOVED]

The following file is then dropped on to the compromised computer:
  %UserProfile%\Application Data\mstime.dll

The following registry entry is created so that the above file executes whenever Windows starts:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"rundll32.exe" = "rundll32.exe "%UserProfile%\Application Data\mstime.dll",start"

Next, the Trojan downloads a file from the following location, which contains a .zip file:
  [http://]69.197.14.111/images/imag[REMOVED]

The .zip file contains a file named ok.exe, which drops the following file:
  %CurrentFolder%\adobe.dll

It then installs a service so that the above file runs whenever the computer starts.
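Both Run-key entries above have the same shape: rundll32.exe loading a DLL from a user-writable profile directory with a "start" entry point. As an added example (not part of the Symantec writeup or the author's notes), the following Python flags Run values of that shape; the sample values are constructed from the paths quoted above plus a made-up benign entry for contrast.

```python
import re

# Constructed sample Run-key values (name -> command line). The two rundll32
# entries reproduce the paths from the writeup above; "ctfmon" and "printer"
# are made-up benign entries to show what is NOT flagged.
SAMPLE_RUN_VALUES = {
    "rundll32.exe": r'rundll32.exe "C:\Documents and Settings\Administrator\Application Data\updatesvc.dll",start',
    "mstime": r'rundll32.exe "%UserProfile%\Application Data\mstime.dll",start',
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "printer": r'rundll32.exe "C:\WINDOWS\system32\printui.dll",PrintUIEntry /in',
}

# rundll32[.exe] [optionally quoted] <dll path> , <entry point>
RUNDLL32_RE = re.compile(
    r'^\s*(?:"?[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)

# Directories an unprivileged user can write to; a DLL loaded from here at
# logon is the pattern seen in the updatesvc.dll / mstime.dll entries.
USER_WRITABLE_RE = re.compile(
    r"(\\application data\\|%userprofile%|%appdata%|%temp%|\\recycler\\)",
    re.IGNORECASE,
)


def analyze_run_value(value: str):
    """Parse a Run-key command line; return None if it is not a rundll32 launch."""
    m = RUNDLL32_RE.match(value)
    if not m:
        return None
    dll, entry = m.group("dll"), m.group("entry")
    return {
        "dll": dll,
        "entry": entry,
        "user_writable": bool(USER_WRITABLE_RE.search(dll)),
    }


def find_suspicious_run_entries(run_values: dict) -> list:
    """Return (value name, dll path, entry point) for rundll32 persistence
    that loads a DLL from a user-writable location."""
    hits = []
    for name, value in run_values.items():
        info = analyze_run_value(value)
        if info and info["user_writable"]:
            hits.append((name, info["dll"], info["entry"]))
    return hits


if __name__ == "__main__":
    for name, dll, entry in find_suspicious_run_entries(SAMPLE_RUN_VALUES):
        print(f"suspicious Run value {name!r}: rundll32 loads {dll} entry={entry}")
```

On a live host the same function can be fed the values enumerated from HKCU\...\CurrentVersion\Run with winreg; the regex is deliberately lenient about quoting because the writeup shows the DLL path quoted and the value name itself set to "rundll32.exe".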
The Trojan may then connect to the following locations:
  221.6.135.123
  59.188.196.183
  61.132.74.68
  [http://]80.224.32.4/test[REMOVED]
  [http://]hao.te00.com/lts/woi[REMOVED]
  [http://]update.windowsautoupdate.com:443/index0000[REMOVED]
  [http://]www.satinfo.es/test[REMOVED]
  sysinformation.dyndns-server.com

Related sample information:
  10b0eca343b65eb6684dc1682679ed5c
  3f40788542ac824a9c80558c0b59d0e0

Minimal closed attack sample: the exploit's carrier (parent) file was not found.

Related specialized trojan file: 2786c36b2cff72337027997ff07f74f1cb5531a6d58aa166e3bce5678b64db21, size = 110080

Attack capability calculation:
  K = 2 (within the normal range of security awareness)
  a = 3 (no user interaction)
  s = 1 (delivered by e-mail or watering-hole attack)
  m = 3 (code injection, specialized trojan, targeted infection)
  p = 1 (attacks 1 platform)
  x = 5+5 (holds a very large stockpile of 0day vulnerabilities, e.g. CVE-2012-0779, CVE-2012-1875, CVE-2012-1889, CVE-2012-1535, CVE-2010-0249, CVE-2011-0611; the assessment therefore credits the capability of two 0days)

  Attack capability = (a+s+m+p)^(k) * (1+x)^2 + c
  AT = (3 + 1 + 3 + 1)^2 * (1 + 5 + 5)^2 + (110080/1024)
     = 8^2 * 11^2 + 108
     = 7744 + 1923
     = 9667
  ==> 9667*1000/613623 (1T attack-strength unit) = 7.554T

References:
  1. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf
  2. https://www.symantec.com/security-center/writeup/2012-051515-2843-99
  3. "On the Nature of Advanced Threats and the Quantification of Attack Capability" - www.vxjump.net/files/aptr/aptr.txt