참고 URL : https://github.com/kevthehermit/RATDecoders/blob/master/DarkComet.py

참고 URL : https://blog.malwarebytes.org/intelligence/2012/06/you-dirty-rat-part-1-darkcomet/

              

http://www.arbornetworks.com/asert/wp-content/uploads/2012/07/Crypto-DarkComet-Report.pdf

http://www.contextis.com/blog/malware-analysis-dark-comet-rat//



http://www.arbornetworks.com/asert/2012/03/its-not-the-end-of-the-world-darkcomet-misses-by-a-mile/

http://blog.trendmicro.com/trendlabs-security-intelligence/darkcomet-surfaced-in-the-targeted-attacks-in-syrian-conflict/

http://resources.infosecinstitute.com/darkcomet-analysis-syria/


Mutex Name : DC_MUTEX-[랜덤문자열]



# Yara Rule (출처 : https://github.com/botherder/viper/blob/master/data/yara/rats.yara)


rule DarkComet

{

    meta:

        author = " Kevin Breen <kevin@techanarchy.net>"

        date = "2014/04"

        ref = "http://malwareconfig.com/stats/DarkComet"

        family = "darkcomet"

        tags = "rat, darkcomet"


    strings:

        // Versions 2x

        $a1 = "#BOT#URLUpdate"

        $a2 = "Command successfully executed!"

        $a3 = "MUTEXNAME" wide

        $a4 = "NETDATA" wide

        // Versions 3x & 4x & 5x

        $b1 = "FastMM Borland Edition"

        $b2 = "%s, ClassID: %s"

        $b3 = "I wasn't able to open the hosts file"

        $b4 = "#BOT#VisitUrl"

        $b5 = "#KCMDDC"


    condition:

        all of ($a*) or all of ($b*)

}



Server <-> Bot 간 RC4 암호알고리즘을 사용하여 통신하는 것은 알겠다. 그리고 기본 키로 #KCMDDC[버전]#-890[password] 형식인 것을 알겠는데 Decrypt 하는 법을 모르겠다... 음..


+ 추가 2014.08.19

참고 URL : http://matasano.com/research/PEST-CONTROL.pdf





성당의 미사곡 연주를 목표! 아자뵤!


나꿍이에게 멋진 곡 연주 들려주기!


윈도우 7 아이콘 깨졌을 때 조치 방안


@echo off
taskkill /f /im explorer.exe
attrib %userprofile%\appdata\local\iconcache.db -s -r -h
del /q %userprofile%\appdata\local\iconcache.db
start explorer.exe
exit
출처 : http://support.microsoft.com/kb/2417044/ko


+ Recent posts

티스토리툴바