martes, 4 de septiembre de 2012

Qhost - Falso Mensaje Privado de Facebook - Rutina Rijndael

Les traigo el siguiente troyano que utiliza Rijndeal para la codificación de datos (ver caso).
En este momento esta realizando Local Pharming a entidades Bancarias del Perú

Falso Email:



Icono de la Amenaza.


Análisis en V.T., con un indice muy bajo de detecciones.





Analizando el troyano encuentro que utiliza el mismo método de ofuscación de strings.
ver caso: http://oberheimdmx.blogspot.com.ar/2012/03/qhost-iv-falso-video-de-facebook.html

Datos codificados:

  loc_402480: ldstr "Ft8CZnVefFiLkH63uHL3mBB4vs+1MqAJFaYYY3O2+xI="

  loc_402488: ldstr "6A7XaALGTyZg/jU3WXJSE7aQ4bsmjYwyVvvzPI4Wy6q6t5IhiPq7ZiDUcgPcqUAM"

  loc_402490: ldstr "Ft8CZnVefFiLkH63uHL3mE2QM7qO0gwH487u2zHb7rH/ctFXg7G4kTmbil9StkgM"

  loc_402498: ldstr "Ft8CZnVefFiLkH63uHL3mMfv4L2QhCDHyUgFyFbABSw="

  loc_4024A0: ldstr "LNDRQHqUqBQZke9qnfqj7SLJG6XvMLS1J2Uu7Wsm+dFkSe9Hz552tY81UhnjMc4v"

  loc_4024A8: ldstr "6A7XaALGTyZg/jU3WXJSE7aQ4bsmjYwyVvvzPI4Wy6oIE7HCNCdGoq/gSiKKNZ9B"

  loc_4024BE: ldstr "tUF0d5UwHTQJWHPC037GjZcxI+60eZA+/iK9UhE7WKO3untwL9hHMZ9msD/ix0CV"

  loc_4024C6: ldstr "tUF0d5UwHTQJWHPC037GjZcxI+60eZA+/iK9UhE7WKO3untwL9hHMZ9msD/ix0CV"

  loc_4024CE: ldstr "tUF0d5UwHTQJWHPC037GjZcxI+60eZA+/iK9UhE7WKO3untwL9hHMZ9msD/ix0CV"

  loc_4024D6: ldstr "gu/hLx2k37LbJFrYE4FJWc68NdUBB26vgdPt2/bB3032LlEXXgyHBiP/BLzjkBy+"

  loc_4024F4: ldstr "CPNd1iLAC8rnx8dwxJTDQv8Yyj2ib7DH5N6+E7xY53dX/7+XIa8VQv6KHgFsErZI04kEOz5bajuG3uQz1nU6Pg=="

  loc_4024FC: ldstr "c4DAub0e1G54ZOZjPGWbgg=="

  loc_402504: ldstr "6ySHYvET4UiEuXSXfOPFpIKrhCJ2aR0mblI2wSdQssI="

  loc_40250C: ldstr "vl5QwlkWx0Ht7RmnWUWlvx3C6XO0SqB6odDAGIXQ73Q="

  loc_402522: ldstr "RD89hEp37/leK/mlmLS7sf/uSJL3z5qo2/LyiPY2B0pXhG0TTVJ5zdROBX52KKv1"

  loc_40252A: ldstr "3KV9m+7X1WQ93O4l5UZ4c+8sx2bwLP+7WIDBoayseAw="


Parte de la rutina de Crypografia Rijndael

Object: Defenza.cryptografia
indigena

  Code: FatFormat
  Start: 402AFC
  Size: 227
  Flag: MoreSects InitLocals
  Max Stack: 5
  Local Variables: 11000008

  loc_402AFC: nop
  loc_402AFD: ldstr "Pas5pr@se"
  loc_402B02: stloc.0
  loc_402B03: ldstr "s@1tValue"
  loc_402B08: stloc.1
  loc_402B09: ldstr "SHA1"
  loc_402B0E: stloc.2
  loc_402B0F: ldc.i4.2
  loc_402B10: stloc.3
  loc_402B11: ldstr "@1B2c3D4e5F6g7H8"
  loc_402B16: stloc.s 4
  loc_402B18: ldc.i4 256
  loc_402B1D: stloc.s 5
  loc_402B1F: ldnull
  loc_402B20: stloc.s 6
  loc_402B22: nop
  loc_402B23: call get_ASCII
  loc_402B28: ldloc.s 4
  loc_402B2A: callvirt GetBytes
  loc_402B2F: stloc.s 7
  loc_402B31: call get_ASCII



Desencriptado



Plaintext : Ft8CZnVefFiLkH63uHL3mBB4vs+1MqAJFaYYY3O2+xI=
Decrypted : C:\\Mis Documentos


Plaintext : 6A7XaALGTyZg/jU3WXJSE7aQ4bsmjYwyVvvzPI4Wy6q6t5IhiPq7ZiDUcgPcqUAM
Decrypted : C:\\Windows\\System32\\drivers\\etc\\hosts

Plaintext : Ft8CZnVefFiLkH63uHL3mE2QM7qO0gwH487u2zHb7rH/ctFXg7G4kTmbil9StkgM
Decrypted : C:\\Mis Documentos\\Documento1.docx

Plaintext : Ft8CZnVefFiLkH63uHL3mMfv4L2QhCDHyUgFyFbABSw=
Decrypted : C:\\Mis Documentos\\calc1.xlsx

Plaintext : LNDRQHqUqBQZke9qnfqj7SLJG6XvMLS1J2Uu7Wsm+dFkSe9Hz552tY81UhnjMc4v
Decrypted : C:\Windows\System32\drivers\csrss.exe


Plaintext : 6A7XaALGTyZg/jU3WXJSE7aQ4bsmjYwyVvvzPI4Wy6oIE7HCNCdGoq/gSiKKNZ9B
Decrypted : C:\\Windows\\System32\\drivers\\


Plaintext : tUF0d5UwHTQJWHPC037GjZcxI+60eZA+/iK9UhE7WKO3untwL9hHMZ9msD/ix0CV
Decrypted : http://www.unisportonline.co.uk/robots.txt


Plaintext : tUF0d5UwHTQJWHPC037GjZcxI+60eZA+/iK9UhE7WKO3untwL9hHMZ9msD/ix0CV
Decrypted : http://www.unisportonline.co.uk/robots.txt


Plaintext : tUF0d5UwHTQJWHPC037GjZcxI+60eZA+/iK9UhE7WKO3untwL9hHMZ9msD/ix0CV
Decrypted : http://www.unisportonline.co.uk/robots.txt


Plaintext : gu/hLx2k37LbJFrYE4FJWc68NdUBB26vgdPt2/bB3032LlEXXgyHBiP/BLzjkBy+
Decrypted : http://www.getsignbase.com/app/readme.txt


Plaintext : CPNd1iLAC8rnx8dwxJTDQv8Yyj2ib7DH5N6+E7xY53dX/7+XIa8VQv6KHgFsErZI04kEOz5bajuG3uQz1nU6Pg==
Decrypted : Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System

Plaintext : c4DAub0e1G54ZOZjPGWbgg==
Decrypted : EnableLUA

Plaintext : 6ySHYvET4UiEuXSXfOPFpIKrhCJ2aR0mblI2wSdQssI=
Decrypted : ConsentPromptBehaviorAdmin

Plaintext : vl5QwlkWx0Ht7RmnWUWlvx3C6XO0SqB6odDAGIXQ73Q=
Decrypted : PromptOnSecureDesktop

Plaintext : RD89hEp37/leK/mlmLS7sf/uSJL3z5qo2/LyiPY2B0pXhG0TTVJ5zdROBX52KKv1
Decrypted : SOFTWARE\Microsoft\Windows\CurrentVersion\Run


Plaintext : 3KV9m+7X1WQ93O4l5UZ4c+8sx2bwLP+7WIDBoayseAw=
Decrypted : Windows defender


Pharming Local  http://www.unisportonline.co.uk/robots.txt




muestra : http://www.mediafire.com/?wd6kfkua544d6o9

Pass = infected


PD: Para los que me solocitaron el fuente del desencriptor, les dejo el código mas abajo, este código no es mio, para mas datos pueden visitar la web del autor http://www.obviex.com/Resources/Articles.aspx .

///////////////////////////////////////////////////////////////////////////////
// SAMPLE: Symmetric key encryption and decryption using Rijndael algorithm.
//
// To run this sample, create a new Visual C# project using the Console
// Application template and replace the contents of the Class1.cs file with
// the code below.
//
// THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
// WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
//
// Copyright (C) 2002 Obviex(TM). All rights reserved.
//
using System;
using System.IO;
using System.Text;
using System.Security.Cryptography;

///



/// This class uses a symmetric key algorithm (Rijndael/AES) to encrypt and
/// decrypt data. As long as encryption and decryption routines use the same
/// parameters to generate the keys, the keys are guaranteed to be the same.
/// The class uses static functions with duplicate code to make it easier to
/// demonstrate encryption and decryption logic. In a real-life application,
/// this may not be the most efficient way of handling encryption, so - as
/// soon as you feel comfortable with it - you may want to redesign this class.
///
public class RijndaelSimple
{
    ///



    /// Encrypts specified plaintext using Rijndael symmetric key algorithm
    /// and returns a base64-encoded result.
    ///
    ///

    /// Plaintext value to be encrypted.
    ///
    ///

    /// Passphrase from which a pseudo-random password will be derived. The
    /// derived password will be used to generate the encryption key.
    /// Passphrase can be any string. In this example we assume that this
    /// passphrase is an ASCII string.
    ///
    ///

    /// Salt value used along with passphrase to generate password. Salt can
    /// be any string. In this example we assume that salt is an ASCII string.
    ///
    ///

    /// Hash algorithm used to generate password. Allowed values are: "MD5" and
    /// "SHA1". SHA1 hashes are a bit slower, but more secure than MD5 hashes.
    ///
    ///

    /// Number of iterations used to generate password. One or two iterations
    /// should be enough.
    ///
    ///

    /// Initialization vector (or IV). This value is required to encrypt the
    /// first block of plaintext data. For RijndaelManaged class IV must be
    /// exactly 16 ASCII characters long.
    ///
    ///

    /// Size of encryption key in bits. Allowed values are: 128, 192, and 256.
    /// Longer keys are more secure than shorter keys.
    ///
    ///
    /// Encrypted value formatted as a base64-encoded string.
    ///
    public static string Encrypt(string   plainText,
                                 string   passPhrase,
                                 string   saltValue,
                                 string   hashAlgorithm,
                                 int      passwordIterations,
                                 string   initVector,
                                 int      keySize)
    {
        // Convert strings into byte arrays.
        // Let us assume that strings only contain ASCII codes.
        // If strings include Unicode characters, use Unicode, UTF7, or UTF8
        // encoding.
        byte[] initVectorBytes = Encoding.ASCII.GetBytes(initVector);
        byte[] saltValueBytes  = Encoding.ASCII.GetBytes(saltValue);
       
        // Convert our plaintext into a byte array.
        // Let us assume that plaintext contains UTF8-encoded characters.
        byte[] plainTextBytes  = Encoding.UTF8.GetBytes(plainText);
       
        // First, we must create a password, from which the key will be derived.
        // This password will be generated from the specified passphrase and
        // salt value. The password will be created using the specified hash
        // algorithm. Password creation can be done in several iterations.
        PasswordDeriveBytes password = new PasswordDeriveBytes(
                                                        passPhrase,
                                                        saltValueBytes,
                                                        hashAlgorithm,
                                                        passwordIterations);
       
        // Use the password to generate pseudo-random bytes for the encryption
        // key. Specify the size of the key in bytes (instead of bits).
        byte[] keyBytes = password.GetBytes(keySize / 8);
       
        // Create uninitialized Rijndael encryption object.
        RijndaelManaged symmetricKey = new RijndaelManaged();
       
        // It is reasonable to set encryption mode to Cipher Block Chaining
        // (CBC). Use default options for other symmetric key parameters.
        symmetricKey.Mode = CipherMode.CBC;      
       
        // Generate encryptor from the existing key bytes and initialization
        // vector. Key size will be defined based on the number of the key
        // bytes.
        ICryptoTransform encryptor = symmetricKey.CreateEncryptor(
                                                         keyBytes,
                                                         initVectorBytes);
       
        // Define memory stream which will be used to hold encrypted data.
        MemoryStream memoryStream = new MemoryStream();      
               
        // Define cryptographic stream (always use Write mode for encryption).
        CryptoStream cryptoStream = new CryptoStream(memoryStream,
                                                     encryptor,
                                                     CryptoStreamMode.Write);
        // Start encrypting.
        cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length);
               
        // Finish encrypting.
        cryptoStream.FlushFinalBlock();

        // Convert our encrypted data from a memory stream into a byte array.
        byte[] cipherTextBytes = memoryStream.ToArray();
               
        // Close both streams.
        memoryStream.Close();
        cryptoStream.Close();
       
        // Convert encrypted data into a base64-encoded string.
        string cipherText = Convert.ToBase64String(cipherTextBytes);
       
        // Return encrypted string.
        return cipherText;
    }
   
    ///



    /// Decrypts specified ciphertext using Rijndael symmetric key algorithm.
    ///
    ///

    /// Base64-formatted ciphertext value.
    ///
    ///

    /// Passphrase from which a pseudo-random password will be derived. The
    /// derived password will be used to generate the encryption key.
    /// Passphrase can be any string. In this example we assume that this
    /// passphrase is an ASCII string.
    ///
    ///

    /// Salt value used along with passphrase to generate password. Salt can
    /// be any string. In this example we assume that salt is an ASCII string.
    ///
    ///

    /// Hash algorithm used to generate password. Allowed values are: "MD5" and
    /// "SHA1". SHA1 hashes are a bit slower, but more secure than MD5 hashes.
    ///
    ///

    /// Number of iterations used to generate password. One or two iterations
    /// should be enough.
    ///
    ///

    /// Initialization vector (or IV). This value is required to encrypt the
    /// first block of plaintext data. For RijndaelManaged class IV must be
    /// exactly 16 ASCII characters long.
    ///
    ///

    /// Size of encryption key in bits. Allowed values are: 128, 192, and 256.
    /// Longer keys are more secure than shorter keys.
    ///
    ///
    /// Decrypted string value.
    ///
    ///
    /// Most of the logic in this function is similar to the Encrypt
    /// logic. In order for decryption to work, all parameters of this function
    /// - except cipherText value - must match the corresponding parameters of
    /// the Encrypt function which was called to generate the
    /// ciphertext.
    ///
    public static string Decrypt(string   cipherText,
                                 string   passPhrase,
                                 string   saltValue,
                                 string   hashAlgorithm,
                                 int      passwordIterations,
                                 string   initVector,
                                 int      keySize)
    {
        // Convert strings defining encryption key characteristics into byte
        // arrays. Let us assume that strings only contain ASCII codes.
        // If strings include Unicode characters, use Unicode, UTF7, or UTF8
        // encoding.
        byte[] initVectorBytes = Encoding.ASCII.GetBytes(initVector);
        byte[] saltValueBytes  = Encoding.ASCII.GetBytes(saltValue);
       
        // Convert our ciphertext into a byte array.
        byte[] cipherTextBytes = Convert.FromBase64String(cipherText);
       
        // First, we must create a password, from which the key will be
        // derived. This password will be generated from the specified
        // passphrase and salt value. The password will be created using
        // the specified hash algorithm. Password creation can be done in
        // several iterations.
        PasswordDeriveBytes password = new PasswordDeriveBytes(
                                                        passPhrase,
                                                        saltValueBytes,
                                                        hashAlgorithm,
                                                        passwordIterations);
       
        // Use the password to generate pseudo-random bytes for the encryption
        // key. Specify the size of the key in bytes (instead of bits).
        byte[] keyBytes = password.GetBytes(keySize / 8);
       
        // Create uninitialized Rijndael encryption object.
        RijndaelManaged    symmetricKey = new RijndaelManaged();
       
        // It is reasonable to set encryption mode to Cipher Block Chaining
        // (CBC). Use default options for other symmetric key parameters.
        symmetricKey.Mode = CipherMode.CBC;
       
        // Generate decryptor from the existing key bytes and initialization
        // vector. Key size will be defined based on the number of the key
        // bytes.
        ICryptoTransform decryptor = symmetricKey.CreateDecryptor(
                                                         keyBytes,
                                                         initVectorBytes);
       
        // Define memory stream which will be used to hold encrypted data.
        MemoryStream  memoryStream = new MemoryStream(cipherTextBytes);
               
        // Define cryptographic stream (always use Read mode for encryption).
        CryptoStream  cryptoStream = new CryptoStream(memoryStream,
                                                      decryptor,
                                                      CryptoStreamMode.Read);

        // Since at this point we don't know what the size of decrypted data
        // will be, allocate the buffer long enough to hold ciphertext;
        // plaintext is never longer than ciphertext.
        byte[] plainTextBytes = new byte[cipherTextBytes.Length];
       
        // Start decrypting.
        int decryptedByteCount = cryptoStream.Read(plainTextBytes,
                                                   0,
                                                   plainTextBytes.Length);
               
        // Close both streams.
        memoryStream.Close();
        cryptoStream.Close();
       
        // Convert decrypted data into a string.
        // Let us assume that the original plaintext string was UTF8-encoded.
        string plainText = Encoding.UTF8.GetString(plainTextBytes,
                                                   0,
                                                   decryptedByteCount);
       
        // Return decrypted string.  
        return plainText;
    }
}

///



/// Illustrates the use of RijndaelSimple class to encrypt and decrypt data.
///
public class RijndaelSimpleTest
{
    ///



    /// The main entry point for the application.
    ///
    [STAThread]
    static void Main(string[] args)
    {
        string   plainText          = "Hello, World!";    // original plaintext
       
        string   passPhrase         = "Pas5pr@se";        // can be any string
        string   saltValue          = "s@1tValue";        // can be any string
        string   hashAlgorithm      = "SHA1";             // can be "MD5"
        int      passwordIterations = 2;                  // can be any number
        string   initVector         = "@1B2c3D4e5F6g7H8"; // must be 16 bytes
        int      keySize            = 256;                // can be 192 or 128
       
        Console.WriteLine(String.Format("Plaintext : {0}", plainText));

        string  cipherText = RijndaelSimple.Encrypt(plainText,
                                                    passPhrase,
                                                    saltValue,
                                                    hashAlgorithm,
                                                    passwordIterations,
                                                    initVector,
                                                    keySize);

        Console.WriteLine(String.Format("Encrypted : {0}", cipherText));
       
        plainText          = RijndaelSimple.Decrypt(cipherText,
                                                    passPhrase,
                                                    saltValue,
                                                    hashAlgorithm,
                                                    passwordIterations,
                                                    initVector,
                                                    keySize);

        Console.WriteLine(String.Format("Decrypted : {0}", plainText));
    }
}
//
// END OF FILE
///////////////////////////////////////////////////////////////////////////////



Es todo por el momento



@Dkavalanche 2012
.

No hay comentarios:

Android: BankBot. Hace un tiempo se filtro el fuente de un Bankbo t para android y se masifico bastante, creo que muchos lo han lanzado pa...