Miniduke:攻击行动评估
                - By nEINEI

Time：2013-02-12	

				
1) 该次攻击行动被定义为政府机构制作的间谍工具。
2) 恶意程序样本被高度混淆，并有多态技术来编译，使得短时间内可以产生大量非具有固定签名的变种，使用0day进行攻击。 
3）有比利时，巴西，保加利亚，捷克共和国，格鲁吉亚，德国，匈牙利，爱尔兰，以色列，日本，拉脱维亚，黎巴嫩，立陶宛，黑山，葡萄牙，罗马尼亚，俄罗斯联邦，斯洛文尼亚，西班牙，土耳其，乌克兰，英国和美国的独特的相关人员受到攻击。

Symptoms
	 

相关样本信息：
	6bc34809e44c40b61dd29e0a387ee682
	3668b018b4bb080d1875aee346e3650a action_plan.pdf (Country: Belgium)
	88292d7181514fda5390292d73da28d4 ASEM_seminar.pdf (Country: Hungary)
	3f301758aa3d5d123a9ddbad1890853b EUAG_report.pdf (Country: Luxembourg)
	0cdf55626e56ffbf1b198beb4f6ed559 report.pdf (Country: Spain)
	cf5a5239ada9b43592757c0d7bf66169 EUAG_report.pdf (Country: Belgium)
	c03bcb0cde62b3f45b4d772ab635e2b0 The 2013 Armenian Economic Association.pdf (Country: Belgium)
	3e71a9f492101bde28cf9f024d87b496 bg_aefk.gif
	a4ad6b55b1bc9e16123de1388f6ef9bf bg_aefk.gif.dec
	92a2c993b7a1849f11e8a95defacd2f7 bg_afvd.gif
	297ef5bf99b5e4fd413f3755ba6aad79 bg_afvd.gif.dec
	06def6c642dcbd58d0291ac110a57274 bg_dafd.gif
	2679e112f908fbf4ac96d87f7fdc46ca bg_dafd.gif.dec
	afe0190820b3edc296daefe6d1611051 bg_dasfs.gif
	e196fa056d1a728d9ba9654fbc482777 bg_dasfs.gif.dec
	7049aa581874752093bb98850ff45dac bg_dfdsh.gif
	441ee6a307e672c24d334d66cd7b2e1a bg_dfdsh.gif.dec
	e975e87bec844c882bf6d60604fc996b bg_dfell.gif
	a58e8e935341b6f5cc1369c616de3765 bg_dfell.gif.dec
	0a2da3c2c6b94c925459bc5e32bbb03c bg_dfesik.gif
	d2f39019bfa05c7e71748d0624be9a94 bg_dfesik.gif.dec
	0a5c9055c2b35bee78c911dfc29fe1a4 bg_dfeu.gif
	ecd349138a6ef7d7ca40b9ce70dbb575 bg_dfeu.gif.dec
	21f16767e53da7fef8a1b5d4159256a9 bg_dfew.gif
	935892bb70d954efdc5ee1b0c5f97184 bg_dfew.gif.dec
	bba6b0d31553cd8df0c45b85c0495816 bg_dfews.gif
	48bbce47e4d2d51811ea99d5a771cd1a bg_dfews.gif.dec
	b47b36484cfb0ab38ef481e23275fafb bg_dflj.gif
	b68677e04fcc9103560bb0a5e5c7303f bg_dflj.gif.dec
	5e757aa35087ca7c479c82d0d5502f51 bg_dfoiu.gif
	27212d5e5d40a5e5c1742aac58dc59a8 bg_dfoiu.gif.dec
	4193796cffa19e2e5cace58e9f10c599 bg_dfrio.gif
	aab06d4ab78336b7315201637d9f1b0e bg_dfrio.gif.dec
	474fa3c28d867f7113c060020b3e268b bg_dfwe.gif
	05d10323111f02233163a6742556c974 bg_dfwe.gif.dec
	f0b327565c25128ad15f9c378bc4ea60 bg_dsaf.gif
	d9b68522053396644bcb72448d6cf327 bg_dsaf.gif.dec
	af906032917674f1f39a260b2b9fe0fb bg_dsaffe.gif
	6507f6b1e2ce05dccf329b8cab078071 bg_dsaffe.gif.dec
	633b59e7b97ef4574804ca35669fbf95 bg_dsef.gif
	b100d530d67cfbe76394bb0160567382 bg_dsef.gif.dec
	203a6ff36ee2cd58daf5680b5a6890ec bg_dsert.gif
	2d552b20e8164f3d4250fd8871b11b0f bg_dsert.gif.dec
	877a34931b087d04d387633824d9c813 bg_dwed.gif
	e990e0d1ee90cd10c4be7bfde6cc3e5a bg_dwed.gif.dec
	c8373db89be0a155673e0cd414442fc1 bg_edf.gif
	8233c532bfcc4ccf2831765eae084409 bg_edf.gif.dec 
	8d7e8b7871b634ad67b13e55aebb7fb7a954ff90 bg_aefk.gif
	1e6b9414fce4277207aab2aa12e4f0842a23f9c1 bg_aefk.gif.dec
	ed64fba3195f52192c65cad491a28bf18f6f67a3 bg_afvd.gif
	28a43eac3be1b96c68a1e7463ae91367434a2ac4 bg_afvd.gif.dec
	cc492d4b188f4cf5003f8b6954f6dd071a8066c2 bg_dafd.gif
	97a374bac7572d44ca8c73c49d3d6ddeade90e34 bg_dafd.gif.dec
	81612fc09cfae280cc35b1331c832a5a87c2edff bg_dasfs.gif
	b32b675699a59b4272a956dbd81738d02d4ca8a4 bg_dasfs.gif.dec
	352a2cf4bb2c9e300ce9a51740f238c9282ca6e4 bg_dfdsh.gif
	2ceae0f5f3efe366ebded0a413e5ea264fbf2a33 bg_dfdsh.gif.dec
	05c539ca5dfbfab8e61ffab4b7b13ba2a5e7154c bg_dfell.gif
	ad9734b05973a0a0f1d34a32cd1936e66898c034 bg_dfell.gif.dec
	f3c6c0c73dcccbf44521763985bbf1ad6e3317eb bg_dfesik.gif
	a9e529c7b04a99019dd31c3c0d7f576e1bbd0970 bg_dfesik.gif.dec
	5e33dd2fcf0c32d3fc458b2d99a0033461c3a6ea bg_dfeu.gif
	69d95479d520e016ce733541ec815aafe16ead04 bg_dfeu.gif.dec
	b995e16fc3a981d693778e370e5ba19861412db6 bg_dfew.gif
	efcb9be7bf162980187237bcb50f4da2d55430c2 bg_dfew.gif.dec
	39952ab95453de127a6a61f4e67c3109ca8ff93e bg_dfews.gif
	1ba5bcd62abcbff517a4adb2609f721dd7f609df bg_dfews.gif.dec 
最小闭合的攻击样本：
pdf 0day：3668b018b4bb080d1875aee346e3650a ， size = 806918
rat：28822c7f7744cdce2af467ef35d0e5c73397ea2886d4db0eb71e9272dd313b00 ，size = 	33824
				
攻击能力计算： 
	 
	K = 2 (正常安全认知范围)
	a = 3 (无交互)
	s = 1 (鱼叉式网络钓鱼)
	m = 6 (代码注入，特种木马，特定目标感染，ASM编写,高难度/复杂技术实现(首次实现了全rop方式shellcode)，武器集合 )
	p = 1 (攻击1种平台)
	x = 5 ( 利用0day cve-2013-0640,cve-2013-0641);
	

	攻击能力 = (a+s+m+p)^(k) * (1+x)^ 2 + c  
	
	AT = (3 + 1 + 6 + 1) ^ 2 * (1 + 5) ^ 2 +　(806918 + 33824)/1024 
	   = 11^2 * (6^2)+ 821
	   = 4356+ 821
	   = 5177

	  ==> 5177 *1000/ 1279625(1T攻击力单位) = 4.045T
				
参考引用：
1.https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08083618/themysteryofthepdf0-dayassemblermicrobackdoor.pdf
2.http://blog.fireeye.com/research/2013/02/the-number-of-the-beast.html
3.https://securingtomorrow.mcafee.com/mcafee-labs/emerging-stack-pivoting-exploits-bypass-common-security/
4.https://blog.crysys.hu/2013/02/miniduke/
5.《论高级威胁的本质及攻击能力的量化研究》- www.vxjump.net/files/aptr/aptr.txt