Some Ramblings About Malicious Documents

Category: Security Miscellany


This post does not go into much technical detail; if you are here to learn techniques, feel free to skip it.


While browsing some threat intelligence sites over the past few days I came across a rather interesting sample. When it first surfaced it had zero detections; as of the time of writing its VirusTotal detection rate is 2/60.




The details of that document have since been unpacked. There is nothing complicated about how it loads; it simply relies on XOR encryption. A YARA rule for detecting it can be found here: https://github.com/Neo23x0/signature-base/pull/97/commits/d30a30e4c77fd6c4b4341eb5de27349554c6cb49. That prompted me to dig through MSDN, where I found that Microsoft officially documents this technique as well (under the name "XOR Obfuscation" in the [MS-OFFCRYPTO] specification), though without much depth:




The original is here:


https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/a0919e5e-46b8-46ef-9c52-abcfa8106cae


Beyond XOR obfuscation, the same specification covers other schemes such as 40-bit RC4 Encryption, CryptoAPI RC4 Encryption and ECMA-376 Document Encryption, but following those requires some familiarity with the binary .doc/.xls structures and with the XML-based (OOXML) container formats.
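Microsoft's specification gives the XOR Obfuscation derivations only as pseudocode. As an added worked example that is not part of the original post, here is section 2.3.7.1 of [MS-OFFCRYPTO], CreatePasswordVerifier_Method1, in Python. It produces the 16-bit verifier that the application stores next to the obfuscation key, so an analyst can test candidate passwords (for instance the Excel default that Excel tries automatically on open, "VelvetSweatshop") offline against the value read from the file. The constants 0x4000, 0x3FFF and 0xCE4B and the 15-character password limit are the spec's; the function and constant names and the check_password helper are this example's own.

```python
# Added example: MS-OFFCRYPTO 2.3.7.1 "CreatePasswordVerifier_Method1" in Python.
# XOR-obfuscated binary Office files store a 16-bit verifier beside the
# obfuscation key; recomputing it lets an analyst test candidate passwords
# offline. Constants 0x4000, 0x3FFF, 0xCE4B and the 15-character limit are
# from the spec; the names below are this example's own.

XOR_PASSWORD_MAX_LEN = 15      # XOR obfuscation passwords are at most 15 characters
VERIFIER_FINAL_XOR = 0xCE4B    # final constant applied by the spec


def create_password_verifier_method1(password: bytes) -> int:
    """Return the 16-bit password verifier for XOR obfuscation.

    The password is handled as single-byte characters (the document's ANSI
    code page), prefixed with its own length, and folded into a 15-bit
    rotate-and-XOR register from the last byte back to the length byte.
    """
    if not 1 <= len(password) <= XOR_PASSWORD_MAX_LEN:
        raise ValueError("XOR obfuscation passwords are 1 to 15 bytes long")
    verifier = 0
    password_array = bytes([len(password)]) + password
    for byte in reversed(password_array):
        intermediate1 = (verifier & 0x4000) >> 14   # bit 14 wraps round to bit 0
        intermediate2 = (verifier & 0x3FFF) << 1    # bits 0..13 move up one place
        verifier = (intermediate1 | intermediate2) ^ byte
    return verifier ^ VERIFIER_FINAL_XOR


def check_password(candidate: bytes, stored_verifier: int) -> bool:
    """True if the candidate reproduces the verifier read from the document."""
    return create_password_verifier_method1(candidate) == stored_verifier


if __name__ == "__main__":
    # Constructed demo: the verifier a document obfuscated with password "ab"
    # would carry, then a small offline guess list checked against it.
    stored = create_password_verifier_method1(b"ab")
    print(f"stored verifier: 0x{stored:04X}")
    for guess in (b"a", b"abc", b"ab"):
        print(f"{guess!r:8} -> {check_password(guess, stored)}")
```

In a BIFF8 .xls the key and this verifier sit in the FilePass record; other binary formats carry the equivalent fields as described in their own specifications. Because the verifier is only 16 bits, a match is strong evidence but not proof that a guessed password is the right one.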


What is more, XOR-obfuscated documents from several years ago are still "safe", that is, still undetected, to this day:


If you want to understand the Word and Excel binary formats in detail, Microsoft's developer documentation is the place to look; the link below is the [MS-DOC] specification for Word's binary format (the .xls format is specified separately in [MS-XLS]):


https://interoperability.blob.core.windows.net/files/MS-DOC/%5bMS-DOC%5d-190319.pdf


As security products of every kind multiply, this old technique may well still have some life left in it.


Finally, here is a piece of XOR encryption VBA that I hope readers will find useful. Note that it obfuscates the contents of worksheet cells with a repeating key; it is not the file-level XOR Obfuscation described in the specification linked above, which the application applies to the document's streams using a key array derived from the password.


Option Explicit

Sub test()
    'this sub is only present to demonstrate use of the function!
    'it is not required to use the function.
    Dim r As Range, retVal, sKey As String
    sKey = Application.InputBox("Enter your key", "Key entry", "My Key", , , , , 2)
    retVal = MsgBox("This is the key you entered:" & vbNewLine & Chr$(34) & sKey & Chr$(34) & vbNewLine & _
        "Please confirm OK or Cancel to exit", vbOKCancel, "Confirm Key")
    If retVal = vbCancel Then Exit Sub
    'every yellow (ColorIndex 6) cell on Sheet1 is encrypted, or decrypted if already marked "xxx"
    For Each r In Sheets("Sheet1").UsedRange
        If r.Interior.ColorIndex = 6 Then
            r.Value = XorC(r.Value, sKey)
        End If
    Next r
End Sub

Function XorC(ByVal sData As String, ByVal sKey As String) As String
    Dim l As Long, i As Long, byIn() As Byte, byOut() As Byte, byKey() As Byte
    Dim bEncOrDec As Boolean
    'confirm valid string and key input:
    If Len(sData) = 0 Or Len(sKey) = 0 Then XorC = "Invalid argument(s) used": Exit Function
    'check whether running encryption or decryption (flagged by presence of "xxx" at start of sData):
    If Left$(sData, 3) = "xxx" Then
        bEncOrDec = False 'decryption
        sData = Mid$(sData, 4)
    Else
        bEncOrDec = True 'encryption
    End If
    'assign strings to byte arrays (unicode, i.e. UTF-16LE; only the low byte of each
    'character is processed because the loop steps by 2)
    byIn = sData
    byOut = sData
    byKey = sKey
    l = LBound(byKey)
    For i = LBound(byIn) To UBound(byIn) - 1 Step 2
        'VBA True is -1 and False is 0, so this adds 1 after the XOR when encrypting
        'and subtracts 1 before the XOR when decrypting; the output therefore never
        'contains Chr$(0). Caveat: if byIn(i) Xor byKey(l) = 255 the +1 overflows the
        'Byte and VBA raises an Overflow error.
        byOut(i) = ((byIn(i) + Not bEncOrDec) Xor byKey(l)) - bEncOrDec 'avoid Chr$(0) by using bEncOrDec flag
        l = l + 2
        If l > UBound(byKey) Then l = LBound(byKey) 'ensure stay within bounds of Key
    Next i
    XorC = byOut
    If bEncOrDec Then XorC = "xxx" & XorC 'add "xxx" onto encrypted text
End Function
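To show how little this kind of obfuscation resists analysis, here is an added Python example (not part of the original post) that mirrors the XorC scheme above and adds the known-plaintext key recovery that defeats it. The semantics are taken from the VBA: strings are treated as UTF-16LE byte arrays, only the low byte of each code unit is touched, the key's low bytes repeat cyclically, 1 is added after the XOR so no 0x00 byte is ever produced, and an "xxx" marker flags obfuscated cells. The function names, the recover_key_bytes attack and the sample cell content and key are this example's own constructions.

```python
# Added example (not from the original post): an analyst-side Python port of the
# XorC cell obfuscation above, plus the known-plaintext key recovery that makes
# this kind of repeating-key XOR trivial to undo. Function names and the sample
# strings are constructed for the example.

MARKER = "xxx"   # the VBA prepends this to mark a cell as already obfuscated


def _low_bytes(s: str) -> bytes:
    # 'byKey = sKey' in VBA gives UTF-16LE; the VBA loop steps by 2, so only the
    # low byte of every code unit takes part. surrogatepass mirrors VBA strings,
    # which may hold lone surrogates.
    return s.encode("utf-16-le", errors="surrogatepass")[0::2]


def xorc_encrypt(plaintext: str, key: str) -> str:
    if not plaintext or not key:
        raise ValueError("Invalid argument(s) used")  # same guard as the VBA
    kb = _low_bytes(key)
    buf = bytearray(plaintext.encode("utf-16-le", errors="surrogatepass"))
    for n, i in enumerate(range(0, len(buf), 2)):
        v = (buf[i] ^ kb[n % len(kb)]) + 1          # +1: never emit a 0x00 byte
        if v > 0xFF:
            # The VBA assigns into a Byte and raises 'Overflow' when b XOR k == 0xFF.
            raise OverflowError(f"code unit {n}: byte XOR key == 0xFF")
        buf[i] = v
    return MARKER + buf.decode("utf-16-le", errors="surrogatepass")


def xorc_decrypt(obfuscated: str, key: str) -> str:
    if not obfuscated.startswith(MARKER):
        raise ValueError("not XorC output: missing 'xxx' marker")
    kb = _low_bytes(key)
    buf = bytearray(obfuscated[len(MARKER):].encode("utf-16-le", errors="surrogatepass"))
    for n, i in enumerate(range(0, len(buf), 2)):
        if buf[i] == 0:
            raise ValueError("a 0x00 low byte cannot come from XorC")
        buf[i] = (buf[i] - 1) ^ kb[n % len(kb)]     # undo the +1, then the XOR
    return buf.decode("utf-16-le", errors="surrogatepass")


def recover_key_bytes(obfuscated: str, known_prefix: str) -> bytes:
    """Known-plaintext attack on the repeating XOR key.

    Each known plaintext byte p at position n yields key byte k = (c - 1) XOR p,
    so guessing that a cell starts with "http" or "powershell" recovers that many
    key bytes without the key; once len(key) bytes are known the whole cell falls.
    """
    cb = _low_bytes(obfuscated[len(MARKER):])
    pb = _low_bytes(known_prefix)
    return bytes(((c - 1) ^ p) & 0xFF for c, p in zip(cb, pb))


if __name__ == "__main__":
    key = "My Key"                              # the default the VBA InputBox suggests
    cell = "http://example.test/stage2.bin"     # constructed sample cell content
    blob = xorc_encrypt(cell, key)
    print(repr(blob))
    print(xorc_decrypt(blob, key))
    print(recover_key_bytes(blob, "http"))     # first four key bytes, b'My K'
```

Because only the low byte of each UTF-16 code unit is altered, any non-Latin text in a cell leaks its high bytes in the clear, and a guessed URL or command prefix is enough to peel the key off one byte at a time. That is why this kind of "encryption" buys evasion from signature scanners rather than confidentiality from an analyst.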


This article was first published on the WeChat public account 鸿鹄实验室: 关于恶意文档的一些碎碎念
