Author : Kim Sam-su, Technical Support Dept. kiss@nextline.net
IceSword (rootkit detection and removal program)
IceSword is a Windows security tool that highlights hidden processes, services, ports and similar objects in red to reveal the presence of a rootkit. It lets you see files that use rootkit techniques, and their registry entries, which ordinary tools cannot show, so that you can delete them yourself. Because rootkit techniques keep evolving, IceSword cannot detect all of them; decide carefully what to delete, cross-checking with antivirus results, the findings of other rootkit detection tools, Google searches and so on.
Deleting files or registry entries requires considerable care. Be especially careful with SSDT (System Service Descriptor Table) entries: security programs also use kernel hooking techniques, so not everything shown in red is a rootkit.
(In practice, kav's klif.sys, outpost's filtnt.sys and daemon's d347bus.sys are also shown in red.)
Besides the functions mentioned above, IceSword also has Startup, BHO and other views, so it can be used as a general analysis tool as well.
The IceSword tool consists of IceSword.exe and lsHelf.exe; IceSword.exe has an English version, but lsHelf.exe is in Chinese.
IceSword.exe : Shows running rootkits and backdoors (viruses) in red, and can delete processes, executable files and registry entries.
(Rootkits and backdoors (viruses) that are not running are not shown in red.)
IsHelf.exe : Can search for the location of rootkits and backdoors (viruses) detected by IceSword.exe; no delete function is provided.
(Rootkits and backdoors (viruses) that are not running are not found.)
IceSword (author's homepage)
http://www.blogcn.com/user17/pjf/index.html
Public download sites
http://www.bomul.com (Simfile)
http://www.simfile.com (Bomulseom)
IceSword 1.20 English version
http://202.38.64.10/~jfpan/download/IceSword120_en.zip
1) How to run IceSword
① Unzip IceSword120_en.zip
IceSword needs no separate installation: unzip the downloaded IceSword120_en.zip and run IceSword.exe.
② Run IceSword.exe
③ Unzip Cooperator.zip
IsHelf.exe is found in the Cooperator directory after you unzip Cooperator.zip inside the extracted IceSword folder.
④ Run IsHelp.exe
lsHelf.exe must be run while IceSword.exe is already running.
2) How to use IceSword
Detecting a rootkit and backdoor on a compromised server
Purpose : DB server
OS : Windows 2000 Server
Program : MSSQL 2000
Attack type : The attacker gained administrator privileges through a SQL Injection vulnerability, then installed a rootkit and backdoor over a remote connection.
① Run IceSword.exe
Run IceSword.exe and check whether anything is shown in red under the process, services, port, startup, kernel module and other views.
(To detect rootkits more effectively, copy IceSword.exe, IsHelf.exe and so on to a CD and run IceSword.exe from the CD. Another method: Start > Run, type msconfig and click OK; on the Startup tab, check any item; Apply; Close; when asked whether to reboot, click Restart; after the reboot, run IceSword.exe from the CD and scan. The item you checked is unchecked again by itself.)
② Process
Screen showing the hxdef.exe and wmimpmt.exe processes in red.
Terminate a process : [process]-[right mouse button]-[Terminate Process]
③ Win32 Services
The WmiMpmt and Hender services, which are not normal Win32 services, are configured in the Services list to start automatically on reboot.
Stop a service : [process]-[right mouse button]-[Disabled]
④ Port
Looking up the ports of the wmimpmt.exe process shows connections from IP addresses in China and Australia.
Refresh ports : [process]-[right mouse button]-[Refresh]
⑤ System Check screen
Screen showing wmimpmt.exe and hxdef.exe detected as hidden processes.
⑥ Executable path lookup
The paths of processes shown in red and of hidden files can be looked up with IceHelp.exe, but IceSword.exe also finds the paths.
[wmimpmt.exe]
Path : C:\WINNT\system32\wmimpmt.exe
[wmimpmt.exe] – [Properties]
You can see that this is a process run by ccproxy.
[hxdef.exe]
Path : C:\WINNT\system32\hxdef.exe
⑦ Registry
When a rootkit or backdoor has been installed, the registry has very likely been modified so that it cannot be seen or deleted normally, so check the Registry view.
My Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
[Hender]
Delete registry key : [Hender]-[right mouse button]-[Delete]
[WmiMpmt]
Delete registry key : [WmiMpmt]-[right mouse button]-[Delete]
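The checks in this section (a process missing from the normal process list, a service registered under ...\Services that the service manager does not show, a listening port with a foreign peer, and the SSDT caveat from the introduction) are all instances of one technique: compare a user-mode API view with a lower-level view and flag the differences. The following Python script is an added example written for this page, not code from IceSword or its author. It runs the cross-view comparison over a constructed snapshot modelled on the case above; the process names, service names and paths in the sample are constructed from what the page shows, the ImagePath values, peer addresses (documentation ranges standing in for the external IPs) and the driver name unknowndrv.sys are placeholders, and the benign-driver list is the one the introduction names.

```python
"""Cross-view rootkit triage over constructed snapshots (added example)."""
from dataclasses import dataclass
import ipaddress

# Kernel-hooking drivers the page names as legitimate (kav klif.sys,
# outpost filtnt.sys, daemon d347bus.sys): SSDT hooks by these are not rootkits.
KNOWN_HOOKING_DRIVERS = {"klif.sys", "filtnt.sys", "d347bus.sys"}

START_AUTOMATIC = 2  # Windows service "Start" registry value 2 = Automatic


@dataclass(frozen=True)
class Finding:
    category: str  # "process", "service", "port" or "ssdt"
    name: str
    detail: str


def hidden_objects(api_view, low_level_view):
    """Cross-view diff: objects the low-level enumeration sees but the
    user-mode API view does not are hidden from ordinary tools."""
    return sorted(set(low_level_view) - set(api_view))


def unregistered_autostart_services(scm_view, registry_services):
    """Services configured under HKLM\\SYSTEM\\...\\Services with Start=2
    (Automatic) that the Service Control Manager view does not list."""
    return [Finding("service", name,
                    f"auto-start service absent from SCM view, ImagePath={cfg.get('ImagePath')}")
            for name, cfg in sorted(registry_services.items())
            if name not in scm_view and cfg.get("Start") == START_AUTOMATIC]


def foreign_connections(connections, local_prefixes):
    """Connections whose peer is neither loopback nor inside one of the
    caller's own prefixes (hand the RFC 1918 ranges in as local)."""
    nets = [ipaddress.ip_network(p) for p in local_prefixes]
    out = []
    for pid, image, lport, peer, pport in connections:
        addr = ipaddress.ip_address(peer)
        if addr.is_loopback or any(addr in n for n in nets):
            continue
        out.append(Finding("port", image, f"pid {pid} :{lport} <-> {peer}:{pport}"))
    return out


def ssdt_hooks_to_review(hooked_entries):
    """SSDT entries hooked by a driver that is not on the known-benign list."""
    return [Finding("ssdt", svc, f"hooked by {drv}")
            for svc, drv in sorted(hooked_entries.items())
            if drv.lower() not in KNOWN_HOOKING_DRIVERS]


def triage(snapshot):
    """Run every check over one snapshot and return the combined findings."""
    findings = [Finding("process", name, "present in kernel view, absent from API view")
                for name in hidden_objects(snapshot["api_processes"],
                                           snapshot["kernel_processes"])]
    findings += unregistered_autostart_services(snapshot["scm_services"],
                                                snapshot["registry_services"])
    findings += foreign_connections(snapshot["connections"], snapshot["local_prefixes"])
    findings += ssdt_hooks_to_review(snapshot["ssdt_hooks"])
    return findings


def verdict(findings):
    """Mirror the page's reasoning: a hidden process plus persistence or a
    foreign peer is a probable rootkit/backdoor; anything else only needs review."""
    cats = {f.category for f in findings}
    if "process" in cats and ({"service", "port"} & cats):
        return "probable rootkit/backdoor: corroborate with AV and RootkitRevealer before deleting"
    if cats:
        return "review findings before acting"
    return "no cross-view discrepancies"


# Constructed snapshot modelled on the page's case; peers 203.0.113.17 and
# 198.51.100.8 are documentation addresses standing in for the external IPs.
SAMPLE_SNAPSHOT = {
    "api_processes": ["System", "winlogon.exe", "services.exe", "sqlservr.exe", "explorer.exe"],
    "kernel_processes": ["System", "winlogon.exe", "services.exe", "sqlservr.exe",
                         "explorer.exe", "hxdef.exe", "wmimpmt.exe"],
    "scm_services": {"MSSQLSERVER", "Eventlog", "klif"},
    "registry_services": {  # ImagePath values are constructed, not from the page
        "MSSQLSERVER": {"Start": 2, "ImagePath": r"C:\MSSQL\Binn\sqlservr.exe"},
        "Hender": {"Start": 2, "ImagePath": r"C:\WINNT\system32\hxdef.exe"},
        "WmiMpmt": {"Start": 2, "ImagePath": r"C:\WINNT\system32\wmimpmt.exe"},
        "klif": {"Start": 1, "ImagePath": r"system32\drivers\klif.sys"},
    },
    "connections": [  # (pid, image, local port, peer, peer port)
        (1204, "sqlservr.exe", 1433, "10.0.0.25", 3502),
        (1388, "wmimpmt.exe", 1080, "203.0.113.17", 4412),
        (1388, "wmimpmt.exe", 1080, "198.51.100.8", 51023),
        (1388, "wmimpmt.exe", 1080, "127.0.0.1", 1050),
    ],
    "local_prefixes": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "ssdt_hooks": {"NtQuerySystemInformation": "klif.sys",
                   "NtQueryDirectoryFile": "unknowndrv.sys"},  # placeholder driver name
}

if __name__ == "__main__":
    found = triage(SAMPLE_SNAPSHOT)
    for f in found:
        print(f"[{f.category}] {f.name}: {f.detail}")
    print(verdict(found))
```

On the sample the script reports the two hidden processes, the two auto-start services missing from the SCM view, the two external peers of wmimpmt.exe and the one SSDT hook from an unknown driver, while the klif.sys hook is suppressed by the benign list. The verdict function deliberately stops at "corroborate before deleting": as the page stresses, a red entry is a reason to look closer, not by itself a reason to delete.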
3) How to use IsHelp
When IceSword.exe has detected a rootkit or backdoor (virus), use IsHelp.exe to re-detect it and find its path.
① Screen showing hxdef.exe and wmimpmt.exe detected in the Advancement module section of IsHelp.exe.
[hxdef.exe]
[wmimpmt.exe]
② Searching for rootkits and backdoors (viruses)
Screen showing hxdef.exe and wmimpmt.exe, suspected rootkit and backdoor (virus) files present on the local disk, being detected.
③ Registry search
In IceSword.exe you have to browse to the path yourself, but the Registry view of IsHelp.exe finds the path automatically; deletion is possible only from the Registry view of IceSword.exe.
My Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
[Hender]
[WmiMpmt]
④ Rootkit and backdoor (virus) path lookup
Using the file name of the detected rootkit or backdoor (virus), you can search for the file's location.
⑤ When, as above, IceSword and IsHelp detect a suspected rootkit or backdoor (virus) process, a foreign IP address is connected to a particular port, and hidden files appear in the System Check list, you should suspect a rootkit or backdoor (virus). Re-confirm whether a rootkit is present with an antivirus scan and programs such as cport and RootkitRevealer before deciding whether to delete. In the case above, the antivirus, cport and RootkitRevealer each missed parts of it, so decide carefully before deleting the processes, files and registry entries.
⑥ If the problematic process is a normal Windows process such as explorer.exe, winlogon.exe or svchost.exe, suspect dll injection. Identify the dll causing the problem with IsHelf.exe, suspend the process with a program such as process explorer, then unload the dll from the process with IceSword.exe. After that, find the file in the file view of IceSword.exe and delete it directly. Resume the suspended process with process explorer.
process explorer can suspend a process but cannot unload a dll from it, and IceSword.exe is the reverse. If two or more normal Windows processes are affected, they may be linked to each other, so suspend all of them before following the steps above.
4) Re-scanning for rootkits and backdoors (viruses)
① Once you have deleted all detected rootkit and backdoor (virus) processes, files and registry entries, run IceSword.exe and IsHelp.exe again to confirm that nothing is detected, then run an antivirus scan (in Safe Mode) and review security-related settings: accounts, local disk security, password changes, Windows Update, port blocking and so on.