Aurora: Assessment of the Aurora Attack Campaign - By nEINEI  Time: 2010-01-10

1) Exploit an IE vulnerability, the Microsoft Internet Explorer DOM Operation Memory Corruption Vulnerability (Microsoft has published Security Advisory 979352 for this vulnerability, CVE-2010-0249), to download an executable trojan file, thereby taking control of the target computer and continuing to download control components.
2) The downloaded trojan, Roarur.dr, then downloads Roarur.dll.
3) Information theft is the primary objective.

Symptoms
Outbound network connections to "hxxp://demo[remove].jpg"
The presence of the following files:
%SystemDir%\Rasmon.dll
%SYSDIR%\DFS.bat
The presence of the following registry keys:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[% random 4 chars %] "ImagePath" = %SystemRoot%\svchost.exe -k netsvcs
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[% random 4 chars %] "Start" = 02, 00, 00, 00
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[% random 4 chars %]\Parameters "ServiceDll" = %SystemRoot%\rasmon.dll

Related sample information:
Minimal closed set of attack samples:
1. Exploit sample hash: 77365bb640674094231aede64eb45f97484c, size = 12739 bytes.
2. RAT sample: d42626afcc202daea81d19ed0ed7d0a918997c59200e9e68e36560ac119a1ef0, size = 34,816 bytes.

Attack capability calculation:
K = 2 (within the normal range of understanding)
a = 3 (no user interaction required)
s = 1 (browser-based delivery)
m = 4 (conventional method + adapted open-source code + custom trojan + weapon set)
p = 1 (one platform attacked)
x = 5 (exclusive to the attacking organization)

Attack capability = (a + s + m + p)^k * (1 + x)^2 + c
AT = (3 + 1 + 4 + 1)^2 * (1 + 5)^2 + (12739 + 34816) / 1024
   = 9^2 * 6^2 + 46
   = 2962
==> 2962 * 1000 / 1279625 (1T attack-capability unit) = 2.314T

References:
1. https://www.symantec.com/connect/blogs/trojanhydraq-incident-analysis-aurora-0-day-exploit
2. https://www.virustotal.com/en/file/eea9309bc2ab7e4afd80d89f0f876ead0ed6851668b51fd14dedab8fb975e5c5/analysis/
3. https://www.zscaler.com/blogs/research/aurora-exploit-still-floating
4. McAfee Labs: Combating Aurora
5. "Analysis Report on the Homologous Trojan Samples from the Rumored Network Intrusions at Multiple Enterprises" - Antiy Labs
6. "On the Nature of Advanced Threats and the Quantification of Attack Capability" - www.vxjump.net/files/aptr/aptr.txt
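The registry indicators from the Symptoms list above, turned into detection logic as an added example (this is not code from the original note or from any of the referenced reports). It assumes the service entries have already been read from HKLM\SYSTEM\CurrentControlSet\Services into plain dictionaries; the two records in SAMPLE_SERVICES are constructed, and the RasAuto record is there to show why the RaS???? name pattern alone is not a verdict.

```python
import re

# Registry indicators from the "Symptoms" list above. Registry key names are
# case-insensitive, so the name pattern is matched case-insensitively as well.
SERVICE_NAME_RE = re.compile(r"^RaS[0-9A-Za-z]{4}$", re.I)              # RaS + 4 random chars
IMAGE_PATH_RE = re.compile(r"\\svchost\.exe\s+-k\s+netsvcs\s*$", re.I)  # svchost.exe -k netsvcs
SERVICE_DLL_RE = re.compile(r"(?:^|\\)rasmon\.dll$", re.I)              # ...\rasmon.dll
START_AUTO = 2                                                          # "Start" = 02 00 00 00

def aurora_indicators(name, image_path, service_dll, start):
    """Return the page's indicators that one service entry satisfies."""
    hits = []
    if SERVICE_NAME_RE.match(name):
        hits.append("name:RaS????")
    if IMAGE_PATH_RE.search(image_path):
        hits.append("imagepath:svchost-netsvcs")
    if SERVICE_DLL_RE.search(service_dll):
        hits.append("servicedll:rasmon.dll")
    if start == START_AUTO:
        hits.append("start:auto")
    return hits

def is_suspect(hits):
    # Name pattern, netsvcs host and Start=2 are all shared with legitimate services
    # (e.g. Microsoft's RasAuto), so the verdict hinges on the ServiceDll indicator.
    return "servicedll:rasmon.dll" in hits

def scan(services):
    """Map service name -> matched indicators for every service judged suspect."""
    findings = {}
    for svc in services:
        hits = aurora_indicators(svc["name"], svc.get("ImagePath", ""),
                                 svc.get("ServiceDll", ""), svc.get("Start"))
        if is_suspect(hits):
            findings[svc["name"]] = hits
    return findings

# Constructed records in the shape of the registry values listed above; on a real
# host they would be read from HKLM\SYSTEM\CurrentControlSet\Services\<name>.
SAMPLE_SERVICES = [
    {"name": "RasAuto", "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
     "ServiceDll": r"%SystemRoot%\System32\rasauto.dll", "Start": 3},
    {"name": "RaSx7Qk", "ImagePath": r"%SystemRoot%\svchost.exe -k netsvcs",
     "ServiceDll": r"%SystemRoot%\rasmon.dll", "Start": 2},
]

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_SERVICES).items():
        print(f"suspect service {name}: {', '.join(hits)}")
```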