{"id":1157,"date":"2013-12-01T19:52:37","date_gmt":"2013-12-01T19:52:37","guid":{"rendered":"http:\/\/www.kodcafe.com\/?p=1157"},"modified":"2013-12-01T19:52:37","modified_gmt":"2013-12-01T19:52:37","slug":"kilim-zararli-yazilimi","status":"publish","type":"post","link":"http:\/\/www.kodcafe.com\/?p=1157","title":{"rendered":"Kilim Zararl\u0131 Yaz\u0131l\u0131m\u0131"},"content":{"rendered":"

Sosyal medya kullan\u0131m\u0131n\u0131n artmas\u0131yla e-posta kutular\u0131n\u0131 dolduran spam maillerin benzerleri art\u0131k sosyal medya hesaplar\u0131nda da yayg\u0131nla\u015fmaya ba\u015flad\u0131. Ayr\u0131ca sosyal medya zararl\u0131 yaz\u0131l\u0131mlar\u0131n yay\u0131lmas\u0131\u00a0 i\u00e7in s\u0131kl\u0131kla kullan\u0131lan bir alan olmaya do\u011fru kay\u0131yor. Son g\u00fcnlerde \u00e7e\u015fitli versiyonlar\u0131n\u0131 g\u00f6rd\u00fc\u011f\u00fcm\u00fcz\u00a0Kilim zararl\u0131 yaz\u0131l\u0131m\u0131<\/b>\u00a0da yay\u0131lmak i\u00e7in sosyal medyay\u0131 kullanan zararl\u0131 yaz\u0131l\u0131mlardan biri olarak kar\u015f\u0131m\u0131za \u00e7\u0131kmaktad\u0131r. Kilim zararl\u0131 yaz\u0131l\u0131m\u0131n\u0131n dikkat \u00e7eken bir \u00f6zelli\u011fi ise i\u00e7erdi\u011fi JavaScript kodlar\u0131n\u0131n T\u00fcrk\u00e7e de\u011fi\u015fken ve fonksiyon isimlerine sahip olmas\u0131d\u0131r. Ayn\u0131 zamanda 70milyon.net ve begenihavuzu.com gibi siteler ile ileti\u015fim kurmas\u0131, zararl\u0131 yaz\u0131l\u0131m\u0131n T\u00fcrkler taraf\u0131ndan yaz\u0131ld\u0131\u011f\u0131n\u0131 ve \u00f6zellikle T\u00fcrkleri hedef ald\u0131\u011f\u0131n\u0131 g\u00f6stermektedir.
\n
\nKilim zararl\u0131 yaz\u0131l\u0131m\u0131, sosyal medya \u00fczerinden,\u00a0chrome\u00a0<\/b>ve t\u00fcrevi olan\u00a0yandex\u00a0<\/b>taray\u0131c\u0131lar\u0131n\u0131 kullanarak yay\u0131lmaktad\u0131r. Bu taray\u0131c\u0131lara olu\u015fturdu\u011fu\u00a0player.crx\u00a0<\/b>dosyas\u0131 ile kendi eklentisi kurmaktad\u0131r ve daha sonra kurban\u0131n sosyal medya hesaplar\u0131 \u00fczerinde \u00e7e\u015fitli de\u011fi\u015fiklikler yapmaktad\u0131r. Kurban\u0131n aktif oturumunu kullanarak yay\u0131lmakta olan kilim zararl\u0131 yaz\u0131l\u0131m\u0131, kurban\u0131n \u00e7e\u015fitli sayfalar\u0131 be\u011fenmesine ve \u00e7e\u015fitli yay\u0131nlar yapmas\u0131na neden olmaktad\u0131r. Daha detayl\u0131 inceledi\u011fimizde yaz\u0131l\u0131m\u0131n paketlenmemi\u015f oldu\u011fu ve ileri analiz engelleme y\u00f6ntemleri gibi karma\u015f\u0131k yap\u0131lar i\u00e7ermedi\u011fi g\u00f6r\u00fclmektedir.<\/p>\n

\"1.png\"<\/div>\n

\u015eekil 1 Kilim Zararl\u0131 Yaz\u0131l\u0131m\u0131 PEiD \u00e7\u0131kt\u0131s\u0131<\/p>\n

Tespit<\/h2>\n

Zararl\u0131 yaz\u0131l\u0131m\u0131n \u00f6zet de\u011ferleri ve \u00f6zellikleri \u015f\u00f6yledir:<\/p>\n

MD5 :<\/b>\u00a075a272915b4bbe0f3d7c9bb988f53de8
\nSHA1:<\/b>\u00a051b4d5f9d5a3ea78ca0b889e4475be8d4c557173
\nDosya boyutu: 238.2 KB ( 243885 bytes )<\/p><\/blockquote>\n

\u015eekil 2<\/b>‘de g\u00f6r\u00fclece\u011fi gibi Virus Total taramas\u0131nda 48 anti vir\u00fcs program\u0131n\u0131n 19\u2019u taraf\u0131ndan tan\u0131n\u0131yor.<\/p>\n

\"2.png\"<\/div>\n

\u015eekil 2 Vir\u00fcs Total Taramas\u0131 Sonu\u00e7lar\u0131<\/p>\n

\u00d6zellikleri<\/h2>\n

Nas\u0131l yay\u0131l\u0131r:<\/b>\u00a0Zararl\u0131 yaz\u0131l\u0131m chrome ve yandex taray\u0131c\u0131lar\u0131n\u0131 kullanan kurbanlar\u0131n sosyal medya oturumlar\u0131n\u0131 kullanarak haz\u0131rlad\u0131\u011f\u0131 iletilerle yay\u0131lmaktad\u0131r. Zararl\u0131 yaz\u0131l\u0131m, olu\u015fturdu\u011fu taray\u0131c\u0131 eklentisi sayesinde kurban\u0131n sosyal medya arkada\u015flar\u0131n\u0131 \u00e7eken\u00a0http<\/b>talepleri haz\u0131rlamaktad\u0131r. Kurban\u0131n sosyal medya arkada\u015flar\u0131n\u0131 elde eden zararl\u0131 yaz\u0131l\u0131m, bu isimlerin ge\u00e7ti\u011fi bir ileti haz\u0131rlamaktad\u0131r. Kurban b\u00f6ylece arkada\u015flar\u0131n\u0131n etiketlendi\u011fi zararl\u0131 yaz\u0131l\u0131m\u0131 yayan iletiler payla\u015fmaktad\u0131r.\u00a0\u015eekil 3<\/b>‘te facebook \u00fczerinde payla\u015f\u0131lm\u0131\u015f zararl\u0131 yaz\u0131l\u0131m\u0131n kendini yaymak i\u00e7in haz\u0131rlad\u0131\u011f\u0131 \u00f6rnek bir ekran g\u00f6r\u00fcnt\u00fcs\u00fc g\u00f6r\u00fclmektedir.<\/p>\n

\"3.png\"<\/div>\n

\u015eekil 3 Kilim Taraf\u0131ndan Olu\u015fturulan \u0130leti \u00d6rne\u011fi<\/p>\n

Zararl\u0131 yaz\u0131l\u0131m\u0131n olu\u015fturdu\u011fu dosya sisteminde ve kay\u0131t defteri anahtarlar\u0131nda yapt\u0131\u011f\u0131 de\u011fi\u015fiklikler ise \u015fu \u015fekildedir:
\nZararl\u0131 yaz\u0131l\u0131m \u00e7al\u0131\u015ft\u0131r\u0131ld\u0131\u011f\u0131nda\u00a0C:\\ProgramData\\VideoPlayer<\/b>\u00a0alt\u0131nda\u00a0\u015eekil 4<\/b>‘te g\u00f6r\u00fclen dosyalar\u0131 olu\u015fturmaktad\u0131r.<\/p>\n

\"4.png\"<\/div>\n

\u015eekil 4 Kilim Taraf\u0131ndan Olu\u015fturulan Dosyalar<\/p>\n

Zararl\u0131 yaz\u0131l\u0131m\u0131n ekledi\u011fi anahtarlar ve de\u011ferleri a\u015fa\u011f\u0131daki gibidir:<\/p>\n

HKLM\\SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallForcelist\\1: “hkfmnabobennlihmnmkiplpinbdkppdp<\/b>;C:\\ProgramData\\VideoPlayer\\update.xml”<\/p>\n

HKLM\\SOFTWARE\\Policies\\YandexBrowser\\ExtensionInstallForcelist\\1: “hkfmnabobennlihmnmkiplpinbdkppdp<\/b>;C:\\ProgramData\\VideoPlayer\\update.xml”<\/p>\n

 <\/p><\/blockquote>\n

Zararl\u0131 yaz\u0131l\u0131m, dosya sisteminde olu\u015fturdu\u011fu\u00a0update.xml<\/b>\u00a0dosyas\u0131na g\u00f6re Chrome ve Yandex taray\u0131c\u0131lar\u0131n g\u00fcncellenmesine dair bir kay\u0131t defteri girdisi olu\u015fturmaktad\u0131r.<\/p>\n

Update.xml dosyas\u0131n\u0131n i\u00e7eri\u011fi ise a\u015fa\u011f\u0131da verilmi\u015ftir. Dosya i\u00e7eri\u011finden eklenen anahtar de\u011ferleri ile taray\u0131c\u0131n\u0131n zararl\u0131 yaz\u0131l\u0131m\u0131n olu\u015fturdu\u011fu player.crx eklenti dosyas\u0131 ile g\u00fcncellenmek istendi\u011fi anla\u015f\u0131lmaktad\u0131r<\/p>\n

<?xml version=”1.0″ encoding=”UTF-8″ ?><\/p>\n

– <gupdate xmlns=”http:\/\/www.google.com\/update2\/response” protocol=”2.0″><\/p>\n

– <app appid=”hkfmnabobennlihmnmkiplpinbdkppdp<\/b>“><\/p>\n

<updatecheck codebase=”C:\\ProgramData\\VideoPlayer\\player.crx<\/b>” version=”1.0″ \/><\/p>\n

<\/app><\/p>\n

<\/gupdate><\/p>\n

 <\/p><\/blockquote>\n

Zararl\u0131 yaz\u0131l\u0131m,\u00a0sald\u0131rganla ileti\u015fime<\/b>\u00a0ge\u00e7mek i\u00e7in\u00a070milyon.com<\/b>\u00a0ve\u00a0begenihavuzu.com<\/b>\u00a0sitelerini kullanmaktad\u0131r. Zararl\u0131 yaz\u0131l\u0131m, kurban\u0131n sosyal medya oturumu i\u00e7in kullan\u0131lan token bilgisini haz\u0131rlad\u0131\u011f\u0131 http talebi ile kendi sistemine aktarmaktad\u0131r. Ayr\u0131ca kurban\u0131n, bu sitelerden \u00e7ekti\u011fi (http talepleri ile<\/i>) facebook sayfa isimlerini be\u011fenmesine neden olmaktad\u0131r. Ayr\u0131ca bu sitelerden video, foto\u011fraf gibi bilgiler \u00e7ekerek, bu bilgilerle kurban\u0131n bilgilerini harmanlayarak kurban\u0131n hesab\u0131nda yay\u0131lmak i\u00e7in iletiler yay\u0131nlamaktad\u0131r.<\/p>\n

Sitelerin alan ad\u0131 kay\u0131tlar\u0131 a\u015fa\u011f\u0131daki gibidir. Alan ad\u0131 kay\u0131tlar\u0131n\u0131n “privacyprotect.org<\/b>” \u00fczerinde yap\u0131ld\u0131\u011f\u0131 g\u00f6r\u00fclmektedir. Daha detayl\u0131 bilgi i\u00e7in “privacyprotect.org<\/b>“a talepte bulunulmas\u0131 gerekmektedir.<\/p>\n

\"5.png\"<\/div>\n

\u015eekil 5 Zararl\u0131 Yaz\u0131l\u0131m\u0131n \u0130leti\u015fim Kurdu\u011fu Sitelerin Alan Ad\u0131 Kay\u0131tlar\u0131<\/p>\n

Davran\u0131\u015f ve Kod analizi bulgular\u0131<\/h2>\n

Zararl\u0131 yaz\u0131l\u0131m \u00e7al\u0131\u015ft\u0131r\u0131ld\u0131\u011f\u0131nda olu\u015fan proses a\u011fac\u0131\u00a0\u015eekil 6<\/b>‘da g\u00f6r\u00fclmektedir. Komut sat\u0131r\u0131 istemcisi \u00e7al\u0131\u015farak a\u00e7\u0131k olan taray\u0131c\u0131y\u0131 kapatmaktad\u0131r. Daha sonra \u00e7al\u0131\u015fan\u00a0“verclsid”\u00a0<\/b>prosesleri ise kay\u0131t defteri girdilerini olu\u015fturmakta ve dosya sistemine gerekli dosyalar\u0131 atmaktad\u0131r.<\/p>\n

\"6.png\"<\/div>\n

\u015eekil 6 Kilim Proses A\u011fac\u0131<\/p>\n

Zararl\u0131 yaz\u0131l\u0131m iki a\u015famadan olu\u015fmaktad\u0131r.<\/p>\n

Exe uzant\u0131l\u0131 dosyan\u0131n amac\u0131<\/p>\n