Deep Panda: Attack Campaign Assessment - By nEINEI Time: 2013-06-30

1) Mainly targets critical and strategic business verticals, including: government, defense, finance, legal and telecommunications.
2) Primary objective is the disruption of basic industrial infrastructure.

Symptoms
1. Copies itself to %WINDIR%\system32\Msres<3 random characters>. The copy's timestamp is the current system time at the moment of copying, but with the year changed to 2005. A service registry entry under ...MACHINE\SYSTEM\CurrentControlSet\Services\ is used; the service name defaults to "wuauserv".
2. Adds itself to the list of services started by the 'netsvcs' svchost group, using the service name 'helpsvc'.
3. If McAfee AV is installed, creates a copy of regsvr32.exe named Update.exe and schedules that copy for deletion on reboot with the well-documented MoveFileExA API (MOVEFILE_DELAY_UNTIL_REBOOT).
4. It then calls either the original regsvr32.exe or the copy with the parameters /s /u and the path to the copy of itself made in step 1. The /u parameter means "uninstall", which calls DllUnregisterServer; this is an unsophisticated method of DLL entry-point obfuscation.
5. DllUnregisterServer installs the driver and initiates the backdoor component. If "...exe" (the AntiVirus360 program from the Chinese 'Qihoo 360 Technology Co., LTD') is running, or the username of the DLL's host-process context is not 'SYSTEM', the driver is not written to disk. Barring those two conditions, the sample decrypts the kernel driver to "%sysdir%\Drivers\{6AB5E732-DFA9-4618-AF1C-F0D9DEF0E222}.sys".

Related sample information (MD5):
de7500fc1065a081180841f32f06a537
dae6b9b3b8e39b08b10a51a6457444d8
2dce7fc3f52a692d8a84a0c182519133

Minimal closed set of attack samples:
dropper: 14c04f88dc97aef3e9b516ef208a2bf5, size = 177152 bytes
backdoor: 47619fca20895abc83807321cbb80a3d, size = 56832 bytes
rootkit: dae6b9b3b8e39b08b10a51a6457444d8, size = 21016 bytes

Attack capability calculation (method of [2]):
k = 2 (security awareness range)
a = 3 (no user interaction required)
s = 1 (possibly delivered by phishing)
m = 4 (code injection + rootkit + special-purpose trojan + targeted infection)
p = 1 (attacks Windows)
x = 2 (intrusion/penetration method)
c = total size of the attack samples in KB
Attack capability AT = (a+s+m+p)^k * (1+x)^2 + c
AT = (3+1+4+1)^2 * (1+2)^2 + (177152+56832+21016)/1024 = 9^2 * 3^2 + 249 = 729 + 249 = 978
==> 978 * 1000 / 1279625 (1279625 is set as the unit of 1T attack capability) = 0.764T

References:
1. https://app.box.com/s/6po2pgedkjf4br5p7tm51go7p5g3z6g3
2. "On the Nature of Advanced Threats and the Quantitative Study of Attack Capability" - www.vxjump.net/files/aptr/aptr.txt
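The following is an added triage example, not code from the original note or from its author, covering two passages above: the five-step persistence chain (Msres??? copy in system32 with a 2005 timestamp, the 'helpsvc' entry in the netsvcs svchost group, the GUID-named driver under Drivers) and the AT scoring formula. It assumes a hypothetical HostSnapshot data model that a collector would fill from the file system and registry, and it assumes that a svchost-hosted service names its DLL in the Parameters\ServiceDll value (a standard Windows mechanism the note itself does not spell out). All host data in the block is constructed for the example, not captured from an infected machine.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Tuple

# Indicators taken from the symptom list on this page.
MSRES_RE = re.compile(r"^msres.{3}(\.[a-z0-9]+)?$", re.IGNORECASE)  # Msres<3 random chars>
TIMESTOMP_YEAR = 2005
NETSVCS_NAME = "helpsvc"
DRIVER_FILE = "{6AB5E732-DFA9-4618-AF1C-F0D9DEF0E222}.sys"


@dataclass
class HostSnapshot:
    """Minimal, constructed view of a Windows host (hypothetical data model)."""
    system32_files: Dict[str, datetime]               # file name -> last-write time
    drivers_files: List[str]                          # file names in %sysdir%\Drivers
    svchost_groups: Dict[str, List[str]]              # Svchost group -> service names
    service_dlls: Dict[str, str] = field(default_factory=dict)  # service -> ServiceDll path (assumed)


def find_deep_panda_symptoms(snap: HostSnapshot) -> List[str]:
    """Return one finding per symptom present; an empty list means a clean host."""
    findings: List[str] = []
    for name, mtime in snap.system32_files.items():
        if MSRES_RE.match(name):
            note = f"system32\\{name} matches the Msres??? pattern"
            if mtime.year == TIMESTOMP_YEAR:
                note += f" and is timestomped to {TIMESTOMP_YEAR}"
            findings.append(note)
    if NETSVCS_NAME in snap.svchost_groups.get("netsvcs", []):
        findings.append(f"'{NETSVCS_NAME}' present in the netsvcs svchost group")
    for svc, dll in snap.service_dlls.items():
        # Compare only the file name so the drive letter or %WINDIR% spelling does not matter.
        if MSRES_RE.match(dll.replace("\\", "/").rsplit("/", 1)[-1]):
            findings.append(f"service '{svc}' ServiceDll points at {dll}")
    if any(f.lower() == DRIVER_FILE.lower() for f in snap.drivers_files):
        findings.append(f"kernel driver {DRIVER_FILE} present in Drivers")
    return findings


def attack_capability(a: int, s: int, m: int, p: int, k: int, x: int,
                      sample_sizes: Tuple[int, ...]) -> float:
    """AT = (a+s+m+p)^k * (1+x)^2 + c, with c = total sample size in KB (the note's formula)."""
    c = sum(sample_sizes) / 1024
    return (a + s + m + p) ** k * (1 + x) ** 2 + c


def to_t_units(at: float, unit: int = 1279625) -> float:
    """Scale AT onto the note's '1T' unit; 1279625 is the constant the page sets."""
    return at * 1000 / unit


# Constructed snapshots: one reproducing the symptom chain, one clean.
INFECTED = HostSnapshot(
    system32_files={"Msresa1b.dll": datetime(2005, 6, 30, 12, 0, 0),
                    "kernel32.dll": datetime(2008, 4, 14)},
    drivers_files=[DRIVER_FILE, "ntfs.sys"],
    svchost_groups={"netsvcs": ["wuauserv", "helpsvc"]},
    service_dlls={"helpsvc": r"C:\Windows\system32\Msresa1b.dll"},
)
CLEAN = HostSnapshot(
    system32_files={"kernel32.dll": datetime(2008, 4, 14)},
    drivers_files=["ntfs.sys"],
    svchost_groups={"netsvcs": ["wuauserv", "BITS"]},
)

DEEP_PANDA_SAMPLES = (177152, 56832, 21016)  # dropper, backdoor, rootkit sizes from the page

if __name__ == "__main__":
    for finding in find_deep_panda_symptoms(INFECTED):
        print("[!]", finding)
    at = attack_capability(a=3, s=1, m=4, p=1, k=2, x=2, sample_sizes=DEEP_PANDA_SAMPLES)
    print(f"AT = {at:.1f} -> {to_t_units(at):.3f}T")
```

Two caveats when using this for hunting: 'helpsvc' was a legitimate Help and Support service on Windows XP, so its presence in netsvcs is a weak signal on its own and the ServiceDll path check is what discriminates; and the 2005 timestamp only matters together with the Msres name, since a 2005 year on an unrelated system file is normal on older installs.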