Downloaded 21 times
![Poweliks
Copyright
©
2014
Symantec
Corpora6on
29
Trojan.Poweliks
Windows
Powershell
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{73E709EA-‐5D93-‐4B2E-‐
BBB0-‐99B7938DA9E4}LocalServer32(Default)
=
rundll32.exe
javascript:"..mshtml,RunHTMLApplica6on
";eval("epdvnfou/xsjuf)
(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/
SuSve)(ILDS]]dmtje]]|84f81:v.6e:4.5c3f.ccc1.::c8:49eb:f5~]]mpdbmzswfs43]]b(*,
(=0tdsjqu?(*".replace(/./g,func6on(_){return
%20String.fromCharCode(_.charCodeAt()-‐1);}))
"a"="#@~^k4QAAA==n{F+2i@#@&l{x APzmOk7+p6(L+1O`r ?1.rwDRUtnVsE*i@#@](https://image.slidesharecdn.com/cb14hiroshishinotsukaja-150622050830-lva1-app6891/85/CODE-BLUE-2014-by-HIROSHI-SHINOTSUKA-29-320.jpg)
Uploaded byCODE BLUE
CODE BLUE 2014 : マルウエアによる検出回避方法の解説 by 篠塚 大志 HIROSHI SHINOTSUKA
The document discusses various types of malware, particularly targeting Windows systems, including trojans like 'trojan.blueso' and 'trojan.poweliks.' It provides technical details about their operation, including code snippets and system registry alterations used to execute malicious actions. Additionally, it includes copyright information from Symantec and disclaims any warranties associated with the content.
More Related Content
![CODE BLUE 2014 : [ドローンへの攻撃] マルウェア感染とネットワーク経由の攻撃 by ドンチョル・ホン DONGCHEOL HONG](https://cdn.slidesharecdn.com/ss_thumbnails/cb14dongcheolhongja-150622050828-lva1-app6891-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to CODE BLUE 2014 : マルウエアによる検出回避方法の解説 by 篠塚 大志 HIROSHI SHINOTSUKA
![[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...](https://cdn.slidesharecdn.com/ss_thumbnails/d1t1s07tomonagamasubuchifightagainstmalwaredevelopmentlifecycle2022-10-1806-230101090047-9ab922cd-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s04zih-cingliaoyu-tungchnagclouddragonscredentialfactoryispoweringupitsespionageactivitiesagains-230102085356-8e46661b-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...](https://cdn.slidesharecdn.com/ss_thumbnails/anjieyangyourprintercodebluefortranslator-230103071138-8fcd3032-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...](https://cdn.slidesharecdn.com/ss_thumbnails/d1t1s08takahiroharuyamac2scan-230101090416-eee10a0a-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...](https://cdn.slidesharecdn.com/ss_thumbnails/d1t2s04vladislavhrckaunderthehoodofwslinksvirtualmachine-230102091156-e3c59f0e-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka](https://cdn.slidesharecdn.com/ss_thumbnails/d1t2s04vladislavhrckaunderthehoodofwslinksvirtualmachinejapanesemachinetranslation-230102091457-ae9568be-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Tales of 5G hacking by Karsten Nohl](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s09221127-230103071757-420d7b85-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...](https://cdn.slidesharecdn.com/ss_thumbnails/d1t2s05u25yuumatakienkentarovar5-230102092618-bbf74898-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t2s052022-10-28-dfirandthreathuntingwithwindowseventlogszachmathisversion3-230103072306-eb57bdc0-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07allanfriedmanen-230103060535-324b96bf-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也](https://cdn.slidesharecdn.com/ss_thumbnails/d1t1s09yutawhoisthemalgopherjapanese1-230102082553-e0b239bb-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...](https://cdn.slidesharecdn.com/ss_thumbnails/codeblue2022chechangsilviayeh-230102084414-c1570bd5-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07hiroyukiitabashijp-230103063336-b5b21552-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07allanfriedmanjp-230103060017-24438771-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07lorenzopupilojp-230103061253-df49295c-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...](https://cdn.slidesharecdn.com/ss_thumbnails/d1t1s09yutawhoisthemalgopherenglishesix1-230102083158-ba91a7f7-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07hiroyukiitabashien-230103064031-868ff2ae-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07ikuotakahashijp-230103054428-3dbd8ee7-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07ikuotakahashien-230103055145-37529240-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07lorenzopupiloen-230103062123-07ea5347-thumbnail.jpg?width=640&height=640&fit=bounds)
CODE BLUE 2014 : マルウエアによる検出回避方法の解説 by 篠塚 大志 HIROSHI SHINOTSUKA
- 1.
- 2. Copyright © 2014 Symantec Corpora6on 2 • • • •
- 3. Copyright © 2014 Symantec Corpora6on 3 24 365
- 4. 1 2 3 4 Copyright © 2014 Symantec Corpora6on 4
- 5. Trojan.Blueso Copyright © 2014 Symantec Corpora6on 5 0 5,000 10,000 15,000 20,000 25,000 30,000 35,000 Trojan.Blueso
- 6. Trojan.Blueso Copyright © 2014 Symantec Corpora6on 6 RAR MB AutoIt AutoIt Windows BASIC Windows GUI RAR AutoIt
- 7. Inject Backdoor.Trojan Copyright © 2014 Symantec Corpora6on 7 Windows Internet Explorer AutoIt
- 8. Copyright © 2014 Symantec Corpora6on 8 / /
- 9. 1 2 3 4 Copyright © 2014 Symantec Corpora6on 9
- 10. Copyright © 2014 Symantec Corpora6on 10 malicious • •
- 11. Copyright © 2014 Symantec Corpora6on 11 Windows AutoIt
- 12. Copyright © 2014 Symantec Corpora6on 12
- 13. Copyright © 2014 Symantec Corpora6on 13 AutoIt
- 14. • • • malicious • Copyright © 2014 Symantec Corpora6on 14
- 15. 1 2 3 4 Copyright © 2014 Symantec Corpora6on 15
- 16. Copyright © 2014 Symantec Corpora6on 16 TAB
- 17. Copyright © 2014 Symantec Corpora6on 17
- 18. Copyright © 2014 Symantec Corpora6on 18
- 19. Copyright © 2014 Symantec Corpora6on 19 AutoIt 87486 900 1
- 20. Copyright © 2014 Symantec Corpora6on 20 • • ZIP Jpeg
- 21. ( ) Copyright © 2014 Symantec Corpora6on 21
- 22. 1 2 3 4 Copyright © 2014 Symantec Corpora6on 22
- 23. Blueso Copyright © 2014 Symantec Corpora6on 23 Windows Internet Explorer !!?? AutoIt
- 24. Copyright © 2014 Symantec Corpora6on 24 1) Internet Explorer -‐> malicious 2) -‐> AutoIT 3) AutoIt -‐> NtSetInforma6onProcess API AutoIT Windows (essen6al) AutoIt Windows -‐>
- 25. Copyright © 2014 Symantec Corpora6on 25
- 26. 1 2 3 4 Copyright © 2014 Symantec Corpora6on 26
- 27. Bamital Copyright © 2014 Symantec Corpora6on 27 HKEY_LOCAL_MACHINEsystemCurrentControlSetControlSession Manager AppCertDlls"AppSecDll" = "%USER_Profile%Local SefngsApplica6on DataWindows Serverxblscp.dll“ xblscp.dll malicious malicious
- 28. Bamital(2) Copyright © 2014 Symantec Corpora6on 28 • • •
- 29. Poweliks Copyright © 2014 Symantec Corpora6on 29 Trojan.Poweliks Windows Powershell HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{73E709EA-‐5D93-‐4B2E-‐ BBB0-‐99B7938DA9E4}LocalServer32(Default) = rundll32.exe javascript:"..mshtml,RunHTMLApplica6on ";eval("epdvnfou/xsjuf) (=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/ SuSve)(ILDS]]dmtje]]|84f81:v.6e:4.5c3f.ccc1.::c8:49eb:f5~]]mpdbmzswfs43]]b(*, (=0tdsjqu?(*".replace(/./g,func6on(_){return %20String.fromCharCode(_.charCodeAt()-‐1);})) "a"="#@~^k4QAAA==n{F+2i@#@&l{x APzmOk7+p6(L+1O`r ?1.rwDRUtnVsE*i@#@
- 30. Copyright © 2014 Symantec Corpora6on 30 • • • •
- 31. & Q A Copyright © 2014 Symantec Corpora6on 31
- 32. Thank you! Copyright © 2014 Symantec CorporaMon. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corpora6on or its affiliates in the U.S. and other countries. Other names may be trademarks of their respec6ve owners. This document is provided for informa6onal purposes only and is not intended as adver6sing. All warran6es rela6ng to the informa6on in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The informa6on in this document is subject to change without no6ce.