Babar: Another National Spyware Discovered

Babar targets valuable data, including instant messaging, softphone, browser and office software data. Research and analysis found that the malware consists of two parts: a downloader and an implant. The implant is capable of piggybacking on the associated remoting API to steal data without interrupting program execution. The program's internal codename is "Babar64", which is very similar to the spyware named Babar described in a report released by the Canadian Communications Security Agency (CSEC) in January this year. CSEC suspects it originated from French intelligence agencies.

Downloader (dropper): MD5 9fff114f15b86896d8d4978c0ad2813d, SHA-1 27a0a98053f3eed82a51cdefbdfec7bb948e1f36, file size 693.4 KB (710075 bytes).

Implant: MD5 4525141d9e6e7b5a7f4e8c3db3f0c24c, SHA-1 efbe18eb8a66e4b6289a5c53f22254f76e3a29bd, file size 585.4 KB (599438 bytes).

Although suspicions about its origin are hard to confirm from the malware's binaries, analysts were still amazed by the complex high-end technology employed by Babar. Additionally, code analysis revealed a coding style remarkably similar to that of the previously seen Bunny malware, leading to the presumption that the two programs share the same authorship.

Babar can infect the target machine through compromised websites hosting drive-by exploits or through malicious email attachments, after which the downloader installs it. The implant is actually a 32-bit malicious DLL written in C++. By applying a global Windows hook, it can inject itself into running system processes and intrude into applications. It can then record keystrokes, capture screenshots, eavesdrop on softphones, and spy on instant messengers, among other things. Babar is a highly sophisticated spyware whose sole purpose is to monitor the target user's computer activity.

The DLL files deployed by the downloader to the user's machine are placed in the application data folder, along with a directory called MSI that stores runtime data. Babar can inject its DLL into up to three desktop processes for multi-instance operation. Among other things, it also comes with a user-space toolkit component that can apply global Windows hooks to intrude into all desktop processes. In this way, Babar is able to install API hooks using the Windows Detours technique and steal data from arbitrary processes. Monitoring can be performed through the local instance or through an infected process: the former mainly watches window names or clipboard data, while the global hooks steal information directly from Windows API calls.

Key information stolen by Babar: keystroke logging; screenshots; audio streams captured from softphone software; clipboard data; system and user default language and keyboard layout; desktop window names.

The keystroke logging module is based on Windows RAWINPUT. The malware creates an invisible window to receive window messages; by processing that window's message queue, it filters out the input events and dispatches them to the original input device object, which captures keyboard events through the GetRawInputData function.

Babar's process hooks focus on the following applications:
Internet communication: iexplore.exe, firefox.exe, opera.exe, chrome.exe, Safari.exe, msnmsgr.exe
File handling: exe, winword.exe, powerpnt.exe, visio.exe, acrord32.exe, notepad.exe, wordpad.exe.txt
Communication: skype.exe, msnmsgr.exe, oovoo.exe, nimbuzz.exe, googletalk.exe, yahoomessenger.exe, x-lite.exe

The malicious implant module can steal keyboard input, information about edited files, intercepted chat messages, and recordings of softphone calls. The stolen information is encrypted and placed in a file under the %APPDATA%\MSI directory on disk.

Command and control servers: the configuration data of the analysed Babar sample contains two hard-coded server addresses:
http://www.horizo??ns-tourisme.com/_vti_bin/_vti_msc/bb/index.php
http://www.gezelimmi.com/wp-includes/misc/bb/index.php
The first address is a tourism website run by an Algerian travel agency headquartered in France. The second is a Turkish domain that currently returns a 403 error. Both are legitimate websites that were used as Babar's command and control servers.

Original article: http://www.aqniu.com/tools/6692.html
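As an added example (not part of the original article), the following Python triage helper matches file hashes against the two published sample hashes and flags proxy log entries whose URL path matches either hard-coded C2 endpoint. The log lines are constructed; the Squid-style field layout, the documentation-range addresses and the placeholder host example.net are assumptions.

```python
import re
from urllib.parse import urlparse

# Sample hashes published in the article, keyed in lower case.
BABAR_HASHES = {
    "9fff114f15b86896d8d4978c0ad2813d": "Babar dropper (MD5)",
    "27a0a98053f3eed82a51cdefbdfec7bb948e1f36": "Babar dropper (SHA-1)",
    "4525141d9e6e7b5a7f4e8c3db3f0c24c": "Babar implant DLL (MD5)",
    "efbe18eb8a66e4b6289a5c53f22254f76e3a29bd": "Babar implant DLL (SHA-1)",
}

# Path components of the two hard-coded C2 URLs. Matching on the path rather than
# the host also catches the same server-side script on another compromised site.
BABAR_C2_PATHS = {
    "/_vti_bin/_vti_msc/bb/index.php",
    "/wp-includes/misc/bb/index.php",
}

URL_RE = re.compile(r"https?://\S+")

def lookup_hash(digest):
    """Return the indicator label for an MD5 or SHA-1 hex digest, else None."""
    return BABAR_HASHES.get(digest.strip().lower())

def scan_proxy_log(lines):
    """Return (client_ip, url) for each Squid-style line hitting a Babar C2 path."""
    hits = []
    for line in lines:
        fields = line.split()  # assumed layout: timestamp, client IP, status, size, method, URL, ...
        match = URL_RE.search(line)
        if len(fields) < 2 or not match:
            continue
        url = match.group(0)
        if urlparse(url).path in BABAR_C2_PATHS:
            hits.append((fields[1], url))
    return hits

# Constructed proxy log excerpt (not from the article): documentation-range
# addresses, and example.net is a placeholder for an unrelated compromised host.
SAMPLE_LOG = [
    "1425000001.101 192.0.2.10 TCP_MISS/200 2048 GET http://www.gezelimmi.com/ - DIRECT/198.51.100.5 text/html",
    "1425000002.202 192.0.2.10 TCP_MISS/200 512 POST http://www.gezelimmi.com/wp-includes/misc/bb/index.php - DIRECT/198.51.100.5 text/html",
    "1425000003.303 192.0.2.11 TCP_MISS/200 900 GET http://example.net/wp-includes/misc/index.php - DIRECT/203.0.113.7 text/html",
    "1425000004.404 192.0.2.12 TCP_MISS/403 300 GET http://example.net/_vti_bin/_vti_msc/bb/index.php - DIRECT/203.0.113.7 text/html",
]

if __name__ == "__main__":
    for ip, url in scan_proxy_log(SAMPLE_LOG):
        print(f"possible Babar C2 beacon from {ip}: {url}")
```

Only the second and fourth constructed lines are reported: the root page of the Turkish domain and a different wp-includes path are left alone.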
