From around August 2013, threads asking for malware to be converted to VBScript began to appear in malware developer communities.
The figure below is one example: a request to have a certain RAT (Remote Administration Tool) converted to VBScript.
The main reasons for going to the trouble of rewriting existing malware in a different development language are:
    - temporary evasion of security tools
    - script languages such as VBScript make it easy to apply encoding (obfuscation)
    - converting to a script language and publishing it draws in other developers, so functional improvements can be expected
and so on.
In any case, the fact that malware developers are moving in this direction suggests that, as the next wave of cyber attacks, the threat from script-language-based malware, which is easy to adapt, will grow.
Incidentally, what I have been seeing here and there at the moment is conversion from AutoItScript, which is reportedly also used by ZeuS variants, to VBScript.
(The increase in malware developed in AutoItScript has been reported on Trend Micro's blog.)
* I have not seen ZeuS itself converted, but given that its source code has leaked, it may well be possible.
Judging from the trend, the use of VBScript stands out, so in that sense it may be time to start thinking about countermeasures.
The articles below describe the main countermeasures, so they may be worth consulting.
VBScript Malware Demo using FileSystemObject
Malware developed in AutoItScript (AutoItScriptで開発されたマルウェアについて)
As a supplement, I would like to touch on the AutoItScript mentioned above.
An AutoIt script does not run unless AutoIt is installed on the machine. The script is therefore compiled with AutoIt, which outputs it as an EXE file packed with UPX.
However, the compiled result has drawbacks:
    - the use of UPX, regardless of whether the program is benign or malicious, is flagged by some security tools
    - the EXE file may be detected by sandbox-type security tools
    - it is immediately apparent that it was built with AutoIt
and for these reasons it is more likely to be picked up by security tools.
It is therefore presumed that, after trial and error, attackers arrived at converting the source code as one solution.
For reference, the code before and after conversion looks like the samples below. (Just a sketch...)
Sample 1: AutoItScript
; Decompiled listing (upper-case names are decompiler output). Reads a "spreading" flag
; kept in the (Default) value of HKLM\SOFTWARE\<script name without extension> and sets it
; on first run. The listing abbreviated the macros as @SCRIPT / @FULLPATH; the real AutoIt
; names are @ScriptName / @ScriptFullPath.
FUNC __IS_SPREADING ()
    ; split "name.exe" on "." -> $W_KEY[1] = "name"
    LOCAL $W_KEY = STRINGSPLIT (@ScriptName, ".")
    ; "" is returned when the key does not exist yet (first run)
    $SPREADING = REGREAD ("HKEY_LOCAL_MACHINE\SOFTWARE\" & $W_KEY[1], "")
    IF $SPREADING = "" THEN
        $SPREADING = "FALSE"
        ; the full path minus its drive letter equals ":\name.exe" only when the file sits at a
        ; drive root, which the author treats as "launched from a removable disk" (spread)
        IF STRINGUPPER (STRINGMID (@ScriptFullPath, 2)) = STRINGUPPER (":\" & @ScriptName) THEN $SPREADING = "TRUE"
        ; writing under HKLM needs administrative rights; the return value is never checked
        REGWRITE ("HKEY_LOCAL_MACHINE\SOFTWARE\" & $W_KEY[1], "", "REG_SZ", $SPREADING)
    ENDIF
ENDFUNC
Sample 2: VBScript
' The same logic after conversion. The two set-up lines are assumed from context so the
' excerpt runs on its own; the listing referenced shellobj and install without defining them.
On Error Resume Next                           ' RegRead raises an error when the key is absent
Set shellobj = CreateObject("WScript.Shell")   ' assumed: WshShell used for registry access
install = WScript.ScriptName                   ' assumed: the script's own file name, e.g. name.vbs

' (Default) value of HKLM\software\<name>\ ; "" on first run
spreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (install,".")(0) & "\")
if spreading = "" then
    ' running from a drive root (X:\name.vbs) is treated as "spread via USB", as in Sample 1
    if lcase ( mid(wscript.scriptfullname,2)) = ":\" & lcase(install) then
        spreading = "true - " & date
    else
        ' the listing assigned this string to a separate variable (usbspreading) and then
        ' wrote the still-empty spreading; assigning to spreading gives the intended "false" marker
        spreading = "false - " & date
    end if
    ' needs administrative rights; errors are swallowed by On Error Resume Next
    shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (install,".")(0) & "\", spreading, "REG_SZ"
end if
In reality, Sample 2 is then encoded further, so almost nothing readable remains. Seen without that in mind, it looks as though several different pieces of malware exist. The picture so far is this: it is originally a single specimen, but by converting it to a more flexible (?) language its form is changed and its survival rate raised.
Because encoding and cryptographic processing are applied at the end, pinpointing the specimen itself on a victim PC looks like hard work. Also, for the time being I expect a continued cat-and-mouse game with evasion techniques like this rather than a change in attack methods. Given this situation, it may be safer to restrict in advance the execution of rarely used script types and reduce the threat level beforehand.
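As an added example of the restriction recommended above (my code, not from the article or the two countermeasure posts it links), the PowerShell below does two things on a Windows host: it turns off Windows Script Host through the documented Settings\Enabled registry value, which makes wscript.exe/cscript.exe refuse every .vbs/.js/.wsf file, and it then hunts for the registry marker both samples leave behind, the (Default) value of a key under HKLM\SOFTWARE set to TRUE/FALSE or "true - <date>"/"false - <date>". The key name is derived from the malware's file name and so is not known in advance; the hunt matches on the value instead. The registry paths and the value pattern are taken from the samples and Microsoft's WSH documentation; everything else (variable names, the output format) is my own choice.

```powershell
# Added example: restrict WSH and look for the "spreading" marker written by Sample 1/2.
# Run in an elevated PowerShell session; both steps touch HKLM.

# 1. Disable Windows Script Host machine-wide. From now on wscript.exe/cscript.exe
#    stop with "Windows Script Host access is disabled on this machine" for every
#    script file. Use HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings for a
#    single user. Caveat: logon scripts and other legitimate .vbs break too, so test first.
$wshSettings = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
New-Item -Path $wshSettings -Force | Out-Null
Set-ItemProperty -Path $wshSettings -Name 'Enabled' -Value 0 -Type DWord

# 2. Hunt for the marker. Sample 1 writes "TRUE"/"FALSE", Sample 2 writes
#    "true - <date>"/"false - <date>", in each case into the (Default) value of
#    HKLM\SOFTWARE\<script name without extension>. -match is case-insensitive.
$markerPattern = '^(true|false)(\s*-\s*\S.*)?$'

$hits = Get-ChildItem -Path 'HKLM:\SOFTWARE' -ErrorAction SilentlyContinue |
    ForEach-Object {
        # a key without a (Default) value yields $null here
        $default = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        if ($default -is [string] -and $default -match $markerPattern) {
            [pscustomobject]@{
                Key   = $_.Name
                Value = $default
                Note  = 'default value matches the AutoIt/VBScript spreading flag'
            }
        }
    }

if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No HKLM\SOFTWARE key carries a TRUE/FALSE spreading marker.'
}
```

To confirm the first step took effect, run `cscript //nologo` against any harmless .vbs and expect the "access is disabled" message; to revert, set `Enabled` back to 1 or remove the value. A hit from the second step is only a lead: the key name tells you what the dropped file was called, and the date in a Sample 2 style value tells you when it first ran on that host, which is the pivot point for a timeline even when the script body itself is encoded beyond reading.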