| Ãë¾àÁ¡ID |
24048 |
| À§Çèµµ |
40 |
| Æ÷Æ® |
23432 |
| ÇÁ·ÎÅäÄÝ |
TCP |
| ºÐ·ù |
BackDoor |
| »ó¼¼¼³¸í |
ÇØ´ç ½Ã½ºÅÛ¿¡¼ Asylum ¹éµµ¾î°¡ ¹ß°ßµÈ´Ù.
AsylumÀº 2000³â 4¿ù¿¡ ¼¹ö´Â ¾î¼Àºí·¯(Assembler), Ŭ¶óÀ̾ðÆ®´Â µ¨ÆÄÀÌ(Delphi)·Î Á¦ÀÛµÈ ¿ÀÇ ¼Ò½º Æ®·ÎÀÌ ¸ñ¸¶ ÇÁ·Î±×·¥ÀÌ´Ù. AsylumÀº 0.1, 0.1.1, 0.1.2, 0.1.3, 0.1.4, mini1.0, mini1.1, asylum 0.1.3 Multipager, Web asylum 1.0 µî ´Ù¾çÇÑ ¹öÀüÀ» °¡Áø´Ù. ÀÌ ¹éµµ¾î ÇÁ·Î±×·¥Àº ¿ø°Ý Á¦¾î°¡ °¡´ÉÇÑ Å¬¶óÀ̾ðÆ® ÇÁ·Î±×·¥ÀÎ client.exe, ´ë»ó ½Ã½ºÅÛ¿¡ ¼³Ä¡µÇ´Â ¼¹öÇÁ·Î±×·¥ÀÎ server.exe, ¼¹ö¸¦ ÆíÁýÇÒ ¼ö ÀÖ´Â config.exe·Î ±¸¼ºµÇ¾î ÀÖ´Ù. ÀÌ ÇÁ·Î±×·¥Àº ±âº»ÀûÀ¸·Î´Â 23432 TCP Æ÷Æ®¸¦ »ç¿ëÇÏÁö¸¸ ¼¹ö ÆíÁý ÇÁ·Î±×·¥ÀÎ config.exe ÇÁ·Î±×·¥À» ÅëÇؼ ÀÓÀÇÀÇ Æ÷Æ®·Î º¯°æÀÌ °¡´ÉÇÏ´Ù. ÀÌ config.exe ÇÁ·Î±×·¥À» ÀÌ¿ëÇؼ ¿ø°ÝÁö °ø°ÝÀÚ´Â Æ÷Æ®¸¦ ÀÓÀÇ·Î º¯°æÇÒ ¼ö ÀÖÀ¸¸ç ·¹Áö½ºÆ®¸®, system.ini, win.ini ¸¦ ÅëÇؼ ÀÚµ¿ ½ÇÇà ¹æ¹ýÀ» ¼±ÅÃÇÒ ¼ö ÀÖ´Ù. ¸¸¾à, ½Ã½ºÅÛ¿¡ ÀÌ ¹éµµ¾î°¡ ¼³Ä¡µÇ¾î ÀÖ´Ù¸é ´ÙÀ½°ú °°Àº ÀÚµ¿ ½ÇÇà Á¤º¸µéÀ» ¹ß°ßÇÒ ¼ö ÀÖ´Ù.
1. 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' ¶Ç´Â 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices' ¶Ç´Â 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' À§Ä¡¿¡¼ "SystemAdministration" Å°
2. system.ini ÆÄÀÏÀÇ [boot] ¹Ø¿¡¼ shell=Explore.exe wincmp32.exe Å°
3. win.ini ÆÄÀÏÀÇ [Windows] ¹Ø¿¡¼ load=c:\windows\wincmp32.exe Å° ¶Ç´Â run=c:\windows\wincmp32.exe Å°
¿ø°ÝÁö °ø°ÝÀÚµéÀº ÀÌ Asylum ¹éµµ¾î¸¦ ÀÌ¿ëÇÏ¿© ¿ø°ÝÀ¸·Î ´ë»ó½Ã½ºÅÛ¿¡¼ ´ÙÀ½°ú °°Àº µ¿ÀÛÀ» ¼öÇàÇÒ ¼ö ÀÖ´Ù.
- ÆÄÀÏ ¾÷·Îµå/½ÇÇà
- ½Ã½ºÅÛ ÀçºÎÆÃ
- ¼¹ö ÇÁ·Î±×·¥ Á¦°Å
- À¥ÆäÀÌÁö Àü¼Û
- ÇÁ¶ô½Ã(Proxy)¸¦ ÅëÇÑ Á¢¼Ó
- ÄÜ¼Ö ¹× GUI Ŭ¶óÀ̾ðÆ® ÇÁ·Î±×·¥
- ¼¹ö ÆíÁý (ÀÚµ¿ ½ÇÇà ¹æ¹ý, Æнº¿öµå ¼³Á¤, Æ÷Æ® º¯°æ, ICQ notification, ...)
* Ãë¾àÇÑ Ç÷§Æû :
Microsoft Windows Any version
* Âü°í »çÀÌÆ®:
http://www.iss.net/security_center/static/4849.php
http://www.dark-e.com/archive/trojans/asylum/
http://www.tlsecurity.net/backdoor/asylium.html |
| ÇØ°áÃ¥ |
½Ã½ºÅÛ¿¡¼ ¹éµµ¾î¸¦ Á¦°ÅÇØ¾ß ÇÑ´Ù.
1. 'regedit' À̳ª ±âŸ ·¹Áö½ºÆ®¸® ÆíÁý ÇÁ·Î±×·¥À» ÅëÇؼ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run ¶Ç´Â
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices ¶Ç´Â
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run À§Ä¡ÀÇ ·¹Áö½ºÆ®¸®¿¡¼ 'SystemAdministration' Å°¸¦ Á¦°ÅÇÑ´Ù.
2. system.ini ÆÄÀÏ¿¡¼ shell=Explore.exe wincmp32.exe ¸¦ shell=Explore.exe ·Î º¯°æÇÑ´Ù.
3. win.ini ÆÄÀÏ¿¡¼ load=c:\windows\wincmp32.exe ¶Ç´Â run=c:\windows\wincmp32.exe ¸¦ Á¦°ÅÇÑ´Ù.
4. ÄÄÇ»Å͸¦ ÀçºÎÆÃÇϰųª wincmp32.exe ¸¦ Á¾·áÇÑ´Ù.
3. À©µµ¿ìÁî µð·ºÅ丮¿¡¼ Æ®·ÎÀÌ ¸ñ¸¶ ÇÁ·Î±×·¥ wincmp32.exe¸¦ Á¦°ÅÇÑ´Ù.
-- ¶Ç´Â --
¹é½Å ÇÁ·Î±×·¥(¾ÈƼ¹ÙÀÌ·¯½º ÇÁ·Î±×·¥)À» ÀÌ¿ëÇÏ¿© Ä¡·áÇØ¾ß ÇÑ´Ù. |
| °ü·Ã URL |
(CVE) |
| °ü·Ã URL |
(SecurityFocus) |
| °ü·Ã URL |
(ISS) |
|
