一个盗取用户淘宝信息的木马分析木马核心功能:当用户使用浏览器上网时,该木马会盗取目标机器的淘宝账户的订单信息,宝贝信息,经常浏览的宝贝,收藏的宝贝,订单号,支付方式,用户cookie等等,然后发送到木马作者的服务器.基本信息详细分析复制自身到system目录下然后从这里开始一系列木马行为开始准备LSP利用SPI(服务提供者接口)枚举协议,为LSP的安装做准备获取LSPGUID安装LSP安装位置是c:\windows\system32Acceleratex86.dll,下次重新浏览器浏览网页的时候就会被加载了对应IDA安装之后程序睡眠退出另一条分支分析这里检测木马的dll是不是被注入到浏览器了木马工作的时候需要母体把这个dll注入进去,LSP可以帮助木马的DLL完成注入的功能然后修改注册表”SoftwareMicrosoftWindowsCurrentVersionInternetSettingsZones”,降低浏览器的安全级别(默认是较高的)然后继续看这家伙要干嘛,重启IE发现木马作者的DLL已经注入到了IE中,接下来就是盗取信息了.抓包看一下功能是获取了淘宝账户的订单信息,宝贝信息,经常浏览的宝贝,收藏的宝贝,用户cookie等等,然后发送到作者的服务器劫持浏览器获取淘宝账户信息仔细分析浏览器访问网页从木马作者服务器获取一部分数据,还不知道要干什么呢接着是获取淘宝的账号相关的信息获取的相关的信息.从木马服务器请求数据服务器地址返回的数据111111wvC1UUcdwvK80tDF08N8saaxtNDFz6J8yrnTw9DF08O/qLi2v+58tqm1pdDFz6J8t7TAoXw8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCI+fDx0ciBjbGFzcz0ib3JkZXItaGQiPnw5OC4xMjYuOTguMTc4fGh0dHBzOi8vdHJhZGUudGFvYmFvLmNvbS90cmFkZS9qc29uL29yZGVyX2FkZHJlc3NfaW5mby5odG0/Yml6X29yZGVyX2lkfHRyYWRlLnRhb2Jhby5jb20vdHJhZGUvZGV0YWlsL3RyYWRlX2l0ZW1fZGV0YWlsLmh0bXx0cmFkZS50YW9iYW8uY29tL3RyYWRlL2RldGFpbC90cmFkZV9pdGVtX2RldGFpbC5odG18aHR0cDovL21lbWJlcjMudGFvYmFvLmNvbS9tZW1iZXIvdXNlcl9wcm9maWxlLmpodG1sfGh0dHA6Ly9tZW1iZXIzLnRhb2Jhby5jb20vbWVtYmVyL3VzZXJfcHJvZmlsZS5qaHRtbHw8cCBjbGFzcz0iYmFvYmVpLW5hbWUiPnxodHRwOi8vdHJhZGUudGFvYmFvLmNvbS90cmFkZS9kZXRhaWwvdHJhZGVfc25hcC5odG0/fGl0ZW1J政法p8aHR0cDovL3JhdGUudGFvYmFvLmNvbS9yYXRlLmh0bT91c2VySWQ9fLaptaW6xXxodHRwOi8vdHJhZGUudG1hbGwuY29tL2RldGFpbC9vcmRlckRldGFpbC5odG18主题K21Lm6wvLB97PM09DS4rz7u/K9qNLpfLapta新疆xc+ifGh0dHA6Ly90cmFkZS50YW9iYW8uY29tL3RyYWRlL2l0ZW1saXN0L2xpc3Rfc29sZF9pdGVtcy5odG0/c3BtPTEuNzI3NDU1My4xOTk3NTI1MDczLjMuN2VnVWJvfGh0dHA6Ly90cmFkZS50YW9iYW8uY29tL3RyYWRlL2l0ZW1saXN0L2xpc3Rfc29sZF9pdGVtcy5odG18aHR0cDovL3RyYWRlLnRhb2Jhby5jb20vdHJhZGUvaXRlbWxpc3QvbGl政法F9zb2xkX2l0ZW1zLmh0bT9zcG09YTF6MDkuMS4wLjAuSlRQTXg3JnNjbT0xMDEyLjEuMy4wfGh0dHA6Ly90cmFkZS50YW9iYW8uY29tL3RyYWRlL2l0ZW1saXN0L2xpc3Rfc29sZF9pdGVtcy5odG18zu/B99DFz6J8wvK80sH00dR8bGFiZWwgZm9yPSJ8tcfCvC3M7MOofDx0Ym9keSBp政法0ifHRtYWlsfGV2ZW50X3N1Ym1pdF9kb19xdWVyeT0xJmNsb3Nlb3JkZXJfZmxhZz0xJmlzQXJjaGl2主题1mYWxzZSZpc0FyY2hpdmVEZWZhdWx0PTAmdXNlcl90eXBlPTEmcGFnZU51bT0lZCZvcmRlcj1kZXNjJm9yZGVyX3R5cGU9b3JkZXJMaXN0JmlzUXVlcnlNb3JlPWZhbHNlJnNlbGVjdF9zaG9wX25hbWU9Jml主题3duT2ZmaWNpYWxTaG9wPWZhbHNlJnNlbGxlck51bUlEPSVzJmZyb21fZmxhZz0mdGltZVN0YW1wPSZzZXNzaW9uSUQ9JmF1dGhUeXBlPTEmYXVjdGlvblRpdGxlPSZiaXpPcmRlclRpbWVCZWdpbj0mYml6T3JkZX激b3VyQmVnaW49MDAmYml6T3JkZXJNaW5CZWdpbj0wMCZiaXpPcmRlclRpbWVFbmQ9JmJpek9yZGVySG91ckVu政法0wMCZiaXpPcmRlck1pbkVu政法0wMCZidXllck5pY2s9JmF1Y3Rpb25TdGF0dXM9QUxMJmNvbW1lbnRTdGF0dXM9QUxMJmJpek9yZGVySWQ9JmxvZ2l政法Gljc1NlcnZpY2U9QUxMJnRyYWRlRGlzc2Vuc2lvbj1BTEwmYXVjdGlvblR5cGU9MCZzaG9wTmFt主题1BbGwmYWN0aW9uPWl0ZW1saXN0JSUyRlF1ZXJ5QWN0aW9ufGh0dHA6Ly98SUVYUExPUkUuRVhFX0ZJUkVGT1guRVhFXzM2MFNFLkVYRXxza3Q9fDE2fDZ8x+vJ1Lry1NnK1HzH68/I1/jPwsC0usi/2suufL+qyei0y8ioz958z7XNs7exw6Z8主题63qLSmwO18w9zC68rkyOt8NXwiYWRkcmVzcyJ81+7QwsnMxrfP6sfp111111应是...