Wins blog

Malware information: FIREBALL - Chinese malicious adware that infected 250 million users
Posted 2017-06-13

[Figure 1] Fireball infection flow [Source: http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/ ]

A cyber attack campaign originating in China has been discovered. It has reportedly already infected 250 million computers worldwide and 20% of corporate networks. The malware involved is called Fireball, and security vendor Check Point has warned that the operation is run by Rafotech, a digital marketing agency in Beijing.

► Attack description

Fireball is a browser hijacker: malicious adware that leaks personal information and exposes users to ads they did not ask for.

The Fireball adware is installed as bundled software, without the user's consent, alongside freeware distributions of Rafotech's Deal Wifi and Mustang Browser.
After installation it tampers with the browser, replacing the default search engine and home page with a fake search engine page.
It then harvests personal information from what the user types, serves targeted ads to generate revenue, and includes functionality that keeps an ordinary user from removing it.

[Figure 2] Desktop PPI bundling installer screen [Source: http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/ ]

 

 

► Vulnerable systems
Windows (all versions)

► Risk level 65
CVSS score: 6.5 (CVSS v3.0 base score for the vector below)
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

► Impact
Information theft, display of ads without consent

 

 

► Remediation
1. Windows users: remove the adware by uninstalling the application from the Programs and Features list in the Windows Control Panel
2. Scan and clean the system with anti-malware software or an adware cleaner
3. Remove malicious add-ons, extensions, or plug-ins from the browser
4. Reset the browser settings to their defaults

The YARA strings below include a schtasks /Create ... /RU "SYSTEM" command line and an Image File Execution Options entry for MRT.exe, so after uninstalling also review the scheduled tasks and that registry key; an uninstall from the Control Panel can leave persistence of that kind in place.

 

 

► Snort pattern

The rule matches the Fireball check-in request: a GET to /provide?clients=<id>&reqs=visit.startload with the Host header d2hrpnfyb3wv3k.cloudfront.net (the hex sequence in the last content match is "\r\nHost: d2hrpnfyb3wv3k.cloudfront.net\r\n\r\n"). Since the matched bytes belong to the request, the rule watches client-to-server traffic; the method is checked with http_method rather than inside the URI buffer, which never contains "GET "; and the sid sits in the local range at or above 1000000.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Win32/ADware.Fireball.99840 check-in"; flow:to_server,established; content:"GET"; http_method; content:"/provide?clients="; http_uri; nocase; content:"&reqs=visit.startload"; http_uri; distance:30; within:40; content:"|0D 0A|Host|3A 20|d2hrpnfyb3wv3k.cloudfront.net|0D 0A 0D 0A|"; nocase; classtype:trojan-activity; priority:2; sid:1000001; rev:1;)

Two things to check before relying on it: the distance:30; within:40 pair assumes the clients= value is roughly 30 to 50 bytes long, so if the IDs in your traffic are shorter the second match never lands (validate against a capture and loosen distance if needed), and the trailing CRLF CRLF after the Host value only holds when Host is the last request header.
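The same match logic run over HTTP proxy log lines instead of live packets, as an added example (this is not code from the Wins post or from Check Point). It reproduces the conditions of the Snort rule (GET to /provide with clients= and reqs=visit.startload, plus the check-in host) and also flags the /v4/gtg/...?action=visit.* check-ins whose URL templates appear base64-encoded in the YARA rules below. The list of CloudFront hostnames is taken from the Snort and YARA patterns on this page; the log format, the log lines themselves and the verdict labels are constructed for the example.

```python
"""Fireball check-in detection over proxy logs.

Added example, not code from the Wins post or Check Point. The host list is
taken from the Snort/YARA patterns on this page; the log format and sample
lines are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# CloudFront distributions named in the Snort rule and the YARA strings.
FIREBALL_HOSTS = {
    "d2hrpnfyb3wv3k.cloudfront.net",  # gubed.exe / Snort rule: reqs=visit.startload
    "d12zpbetgs1pco.cloudfront.net",  # de_svr.exe: /Weatherapi/shell
    "dv2m1uumnsgtu.cloudfront.net",   # chrome_elf.dll: action=visit.chelf.install
    "d3i1asoswufp5k.cloudfront.net",  # winsap.dll: action=visit.winsap.work
}

# Constructed log format (assumption): "<epoch> <client-ip> <method> <url>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")

# Constructed sample lines; client IDs, IPs and the benign hosts are made up.
SAMPLE_LOG = """\
1497312000.001 10.0.0.5 GET http://d2hrpnfyb3wv3k.cloudfront.net/provide?clients=ab12cd34ef56&reqs=visit.startload
1497312000.002 10.0.0.7 GET http://cdn.example/provide?clients=1&reqs=visit.startload
1497312000.003 10.0.0.9 GET http://dv2m1uumnsgtu.cloudfront.net/v4/gtg/1234?action=visit.chelf.install
1497312000.004 10.0.0.5 GET http://d12zpbetgs1pco.cloudfront.net/Weatherapi/shell
1497312000.005 10.0.0.8 GET http://intranet.example/index.html
"""


def classify_request(method, url):
    """Return a verdict label for one request, or None when nothing matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)
    reqs = query.get("reqs", [""])[0]
    action = query.get("action", [""])[0]

    # Snort rule conditions: GET /provide?clients=<id>&reqs=visit.startload
    # to d2hrpnfyb3wv3k.cloudfront.net (any listed host is accepted here).
    if method == "GET" and parts.path == "/provide" and "clients" in query \
            and reqs == "visit.startload":
        if host in FIREBALL_HOSTS:
            return "fireball-startload-beacon"
        # Same URI shape on an unlisted host: the Snort rule stays silent,
        # so report it at lower confidence instead of dropping it.
        return "startload-pattern-unknown-host"

    # URL templates carried base64-encoded in the YARA rules:
    # /v4/gtg/%s?action=visit.chelf.install and ...?action=visit.winsap.work
    if parts.path.startswith("/v4/gtg/") and action.startswith("visit."):
        if host in FIREBALL_HOSTS:
            return "fireball-gtg-checkin"
        return "gtg-pattern-unknown-host"

    # Any other contact with a known check-in host.
    if host in FIREBALL_HOSTS:
        return "fireball-host-contact"
    return None


def scan_log(text):
    """Parse log lines and return (client, verdict, url) for every hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed line or a different log format
        verdict = classify_request(m["method"], m["url"])
        if verdict is not None:
            hits.append((m["client"], verdict, m["url"]))
    return hits


if __name__ == "__main__":
    for client, verdict, url in scan_log(SAMPLE_LOG):
        print(f"{client:<10} {verdict:<32} {url}")
```

The "unknown-host" verdicts are deliberate: the CloudFront distributions can be rotated, so a log scanner that keys only on the hostname misses the next one, while the URI shape is what the malware's own string table fixes.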

 

 

► YARA patterns

/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2017-06-02
   Identifier: Fireball
   Reference: https://goo.gl/4pTkGQ

   Note: the backslashes and escaped quotes inside the string literals were lost
   when the rules were pasted into this post; they are restored below by
   assumption (e.g. "instlspReleaseLancer.pdb" -> "instlsp\\Release\\Lancer.pdb").
   Diff against the signature-base file linked below before deploying.
*/

/* Rule Set ----------------------------------------------------------------- */

rule Fireball_de_svr {
   meta:
      description = "Detects Fireball malware - file de_svr.exe"
      author = "Florian Roth"
      reference = "https://goo.gl/4pTkGQ"
      date = "2017-06-02"
      hash1 = "f964a4b95d5c518fd56f06044af39a146d84b801d9472e022de4c929a5b8fdcc"
   strings:
      $s1 = "cmd.exe /c MD " fullword ascii
      $s2 = "rundll32.exe \"%s\",%s" fullword wide
      $s3 = "http://d12zpbetgs1pco.cloudfront.net/Weatherapi/shell" fullword wide
      $s4 = "C:\\v3\\exe\\de_svr_inst.pdb" fullword ascii
      $s5 = "Internet Connect Failed!" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 3000KB and 2 of them )
}

rule Fireball_lancer {
   meta:
      description = "Detects Fireball malware - file lancer.dll"
      author = "Florian Roth"
      reference = "https://goo.gl/4pTkGQ"
      date = "2017-06-02"
      hash1 = "7d68386554e514f38f98f24e8056c11c0a227602ed179d54ed08f2251dc9ea93"
   strings:
      $x1 = "instlsp\\Release\\Lancer.pdb" ascii
      $x2 = "lanceruse.dat" fullword wide

      $s1 = "Lancer.dll" fullword ascii
      $s2 = "RunDll32.exe \"" fullword wide
      $s3 = "Micr.dll" fullword wide
      $s4 = "AG64.dll" fullword wide
      $s5 = "\",Start" fullword wide   /* tail of a rundll32 "<dll>",Start command line */
   condition:
      ( uint16(0) == 0x5a4d and filesize < 400KB and ( 1 of ($x*) or 3 of ($s*) ) ) or ( 6 of them )
}

rule QQBrowser {
   meta:
      description = "Not malware but suspicious browser - file QQBrowser.exe"
      author = "Florian Roth"
      reference = "https://goo.gl/4pTkGQ"
      date = "2017-06-02"
      score = 50
      hash1 = "adcf6b8aa633286cd3a2ce7c79befab207802dec0e705ed3c74c043dabfc604c"
   strings:
      $s1 = "TerminateProcessWithoutDump" fullword ascii
      $s2 = ".Downloader.dll" fullword wide
      $s3 = "Software\\Chromium\\BrowserCrashDumpAttempts" fullword wide
      $s4 = "QQBrowser_Broker.exe" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
}

rule chrome_elf {
   meta:
      description = "Detects Fireball malware - file chrome_elf.dll"
      author = "Florian Roth"
      reference = "https://goo.gl/4pTkGQ"
      date = "2017-06-02"
      hash1 = "e4d4f6fbfbbbf3904ca45d296dc565138a17484c54aebbb00ba9d57f80dfe7e5"
   strings:
      /* hourly scheduled task running as SYSTEM: the persistence mechanism */
      $x2 = "schtasks /Create /SC HOURLY /MO %d /ST 00:%02d:00 /TN \"%s\" /TR \"%s\" /RU \"SYSTEM\"" fullword wide
      $s6 = "aHR0cDovL2R2Mm0xdXVtbnNndHUuY2xvdWRmcm9udC5uZXQvdjQvZ3RnLyVzP2FjdGlvbj12aXNpdC5jaGVsZi5pbnN0YWxs" fullword ascii /* base64 encoded string 'http://dv2m1uumnsgtu.cloudfront.net/v4/gtg/%s?action=visit.chelf.install' */
      $s7 = "QueryInterface call failed for IExecAction: %x" fullword ascii
      $s10 = "%s %s,Rundll32_Do %s" fullword wide
      $s13 = "Failed to create an instance of ITaskService: %x" fullword ascii
      $s16 = "Rundll32_Do" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 600KB and 2 of them )
}

rule Fireball_regkey {
   meta:
      description = "Detects Fireball malware - file regkey.exe"
      author = "Florian Roth"
      reference = "https://goo.gl/4pTkGQ"
      date = "2017-06-02"
      hash1 = "fff2818caa9040486a634896f329b8aebaec9121bdf9982841f0646763a1686b"
   strings:
      $s1 = "WinMain\\Release\\WinMain.pdb" fullword ascii
      $s2 = "ScreenShot" fullword wide
      $s3 = "WINMAIN" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 300KB and all of them )
}

rule Fireball_winsap {
   meta:
      description = "Detects Fireball malware - file winsap.dll"
      author = "Florian Roth"
      reference = "https://goo.gl/4pTkGQ"
      date = "2017-06-02"
      hash1 = "c7244d139ef9ea431a5b9cc6a2176a6a9908710892c74e215431b99cd5228359"
   strings:
      /* only the leading part of the base64 encoded string 'http://d3i1asoswufp5k.cloudfront.net/v4/gtg/%s?action=visit.winsap.work&update3=version,%s';
         "aHR0cDovL2" covers "http://" plus part of the next byte, so it is generic on its own and relies on the 4-of-6 condition */
      $s1 = "aHR0cDovL2" ascii
      $s2 = "%s\\svchost.exe -k %s" fullword wide
      $s3 = "SETUP.dll" fullword wide
      $s4 = "WinSAP.dll" fullword ascii
      $s5 = "Error %u in WinHttpQueryDataAvailable." fullword ascii
      $s6 = "UPDATE OVERWRITE" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 600KB and 4 of them )
}

rule Fireball_archer {
   meta:
      description = "Detects Fireball malware - file archer.dll"
      author = "Florian Roth"
      reference = "https://goo.gl/4pTkGQ"
      date = "2017-06-02"
      hash1 = "9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022"
   strings:
      $x1 = "archer_lyl\\Release\\Archer_Input.pdb" fullword ascii

      $s1 = "Archer_Input.dll" fullword ascii
      $s2 = "InstallArcherSvc" fullword ascii
      $s3 = "%s_%08X" fullword wide
      $s4 = "d.PhysicalDrive%d" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 400KB and ( $x1 or 3 of them )
}

rule clearlog {
   meta:
      description = "Detects Fireball malware - file clearlog.dll"
      author = "Florian Roth"
      reference = "https://goo.gl/4pTkGQ"
      date = "2017-06-02"
      hash1 = "14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3"
   strings:
      $x1 = "ClearLog\\Release\\logC.pdb" ascii

      $s1 = "C:\\Windows\\System32\\cmd.exe /c \"\"" fullword wide
      $s2 = "logC.dll" fullword ascii
      $s3 = "hhhhh.exe" fullword wide
      $s4 = "ttttt.exe" fullword wide
      $s5 = "Logger Name:" fullword ascii
      $s6 = "cle.log.1" fullword wide
   condition:
      /* "and" binds tighter than "or" in YARA: without the inner parentheses,
         "2 of them" alone would fire on any file, including non-PE files */
      ( uint16(0) == 0x5a4d and filesize < 500KB and ( $x1 or 2 of them ) )
}

rule Fireball_gubed {
   meta:
      description = "Detects Fireball malware - file gubed.exe"
      author = "Florian Roth"
      reference = "https://goo.gl/4pTkGQ"
      date = "2017-06-02"
      hash1 = "e3f69a1fb6fcaf9fd93386b6ba1d86731cd9e5648f7cff5242763188129cd158"
   strings:
      /* IFEO entry for MRT.exe: an Image File Execution Options key can redirect or block launches of the Malicious Software Removal Tool */
      $x1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\MRT.exe" fullword wide
      $x2 = "tIphlpapi.dll" fullword wide
      $x3 = "http://%s/provide?clients=%s&reqs=visit.startload" fullword wide   /* the request the Snort pattern above matches */
      $x4 = "Gubed\\Release\\Gubed.pdb" fullword ascii
      $x5 = "d2hrpnfyb3wv3k.cloudfront.net" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 300KB and 1 of them )
}

[Table 1] Fireball YARA detection patterns [Source: https://github.com/Neo23x0/signature-base/blob/8e5c129124edcbeaad18122a7eab9453294bab6b/yara/crime_fireball.yar ]

► References

• Check Point
FIREBALL - The Chinese Malware of 250 Million Computers Infected
http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/

• GitHub
Neo23x0/signature-base
https://github.com/Neo23x0/signature-base/blob/8e5c129124edcbeaad18122a7eab9453294bab6b/yara/crime_fireball.yar

• VirusTotal
e3f69a1fb6fcaf9fd93386b6ba1d86731cd9e5648f7cff5242763188129cd158
https://www.virustotal.com/ko/file/e3f69a1fb6fcaf9fd93386b6ba1d86731cd9e5648f7cff5242763188129cd158/analysis/

• Payload Security (Hybrid Analysis)
e3f69a1fb6fcaf9fd93386b6ba1d86731cd9e5648f7cff5242763188129cd158
https://www.hybrid-analysis.com/sample/e3f69a1fb6fcaf9fd93386b6ba1d86731cd9e5648f7cff5242763188129cd158?environmentId=100

Tags: fireball, adware, malware, Rafotech