Analysis of countermeasures against various types of malicious web pages-Chapter 7 on using the registry
Vulnerabilities in Internet software such as Internet Explorer mean that merely browsing a web page can put your computer out of your control, format your disks, or even plant Trojans and spread viruses, and this form of attack is becoming increasingly fierce. Let's take a look at malicious web pages.
Before the analysis, we first introduce how to modify the registry, because the registry is the hub of web-borne viruses: changing it is how they put your computer out of your control.
Method 1: direct modification
Type regedit in the Run dialog and edit the registry directly. This is the usual method for modifying the registry.
Method 2: .reg file import
We take unlocking the registry as an example (in fact, it is better and more convenient to unlock the registry with a tool such as Rabbit; here we only explain how to build the .reg file).
For Win 9x/ME/NT 4.0, save the following content as a *.reg file in Notepad and import it.
REGEDIT4
(A blank line is required here. Otherwise, the modification will fail.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
For Windows 2000 or XP, change REGEDIT4 to Windows Registry Editor Version 5.00.
Method 3: INF installation
For 98/ME, save the following content as a file with the .inf suffix, right-click the file and select Install.
[Version]
Signature="$Chicago$"
[DefaultInstall]
AddReg=Unlock.Add.Reg
DelReg=Unlock.Del.Reg
[Unlock.Add.Reg]
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System
[Unlock.Del.Reg]
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System
For 2000 or XP, change Chicago to Windows NT.
I will not cover the other modification formats here; you can look up the material yourself. If you cannot find material on INF packages, you can contact me :)
Method 4: VBS script
Save the following content as a file with the .vbs suffix.
Dim unlock
Set unlock = WScript.CreateObject("WScript.Shell")
unlock.Popup "unlocks the registry for you"
unlock.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "REG_DWORD"
Method 5: Hehe, giving them a taste of their own medicine. I will not introduce it here.
Edit the Registry in DOS.
Please remember to back up the registry before modifying it!! Remember!!
Now that we know the method, we can analyze all kinds of malicious websites and their strategies.
Malicious websites can be divided into the following categories:
I. Using the IE text vulnerability to modify the registry through a crafted script
1. Minor registry modifications: for example the title, the default home page, the search page, added advertisements, and so on. Let's take a look at a section of the source code:
// .setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");   the malicious web page uses this ID to modify the registry.
// Shl.RegWrite("HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun", 01, "REG_BINARY");   this code makes the Run item disappear from your Start menu.
Cleanup method:
This article does not give fixes for ordinary browser modifications, because there are many articles on the Internet about how to restore them by repairing the registry; you can look them up yourself.
I think this type of modification can be fixed with a registry repair tool, without manual modification.
Common tools include: Super Rabbit magic, Optimization Master, 3721 magic gem, and the IE repair tool of anti-virus king.
Rising registry repair tool: http://it.rising.com.cn/newSite/Channels/anti_virus/Antivirus_Base/TopicExplorerPagePackage/spiteful.htm
Duba registry repair tool: http://sh.duba.net/download/other/tool_011027_RegSolve.htm
A recommended online repair site: www.j3j4.com
Patches: Windows 2000: http://www.microsoft.com/china/windows2000/SP2.htm
Windows 9x users: http://www.microsoft.com/downloads/release.asp?ReleaseID=32558
2. Modifying the registry and then prohibiting modification. The purpose is to stop users from repairing it through the registry.
The most common of these modifications are locking the registry and corrupting file associations such as .reg, .vbs and .inf.
The methods for unlocking the registry were described earlier. As for the modified associations, any of the registry-modification methods above can be used as long as its own association still works. But what if .reg, .vbs and .inf have all been modified? Don't worry: change the .exe suffix to .com and you can edit the registry. And what if .com has been changed as well? That is not so cool, but fine: change the suffix to .scr. Hey, you can still make the modification.
The best and easiest way is to restart the system immediately, press F8 to enter DOS, type scanreg /restore, and select an earlier registry from before the modification to restore. If you find that even scanreg has been deleted (some websites are that cruel), you just need to copy a scanreg.exe file to comman.
It is worth mentioning the normal default value of a common file association here.
The normal EXE association is at [HKEY_CLASSES_ROOT\exefile\shell\open\command]
The default value is "%1" %*. Once you change the association back, EXE files can be used again.
3. Modifying the registry and leaving a backdoor, so that you appear to have repaired the registry successfully, but after a restart it returns to the modified state.
This is mainly because a backdoor is left in the startup items. Open the registry (you can also use a tool such as Optimization Master) and check:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run-
Check whether there are any suspicious startup items. Many friends overlook the following.
A few tips: startup entries whose value has an .html or .htm suffix are best removed, as are startup entries with a .vbs suffix. There is another very important one: a startup entry with a value like the following, for example:
an entry named system with the value regedit -s c:\WINDOWS ...... Please note that this regedit -s is a backdoor parameter of the registry editor and is used to import registry files. This entry must be removed.
Another type of modification generates a file with the .vbs suffix, or a .dll file, in C:\WINDOWS\. The .dll file is actually a .reg file.
Now check the c:\windows\win.ini file. The load= and run= options should be empty after the equals sign. If other programs have modified load= or run=, delete the program after the =. Before deleting, note the path and file name; after deleting, remove the corresponding file under system.
Another case: if the changes come back every time you repair and restart, search drive C for all .vbs files, which may be hidden. Open them with Notepad. If you see that a file consists of entries that modify the registry, delete it, or change its suffix to be safe. You can also search for files by the time you were hit by the malicious web page :)
The following trap deserves your attention. Many friends have said: I have tried all the methods you mentioned, there is absolutely nothing suspicious in the startup items, and there is no .vbs file. There is another trap when you start IE: the advertisements in the Tools menu of the main IE window must be removed, because they are started when you start IE. So do not open an IE window before you have finished repairing the other items; otherwise your effort is wasted. Open the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions and delete the advertisement entries.
An important point: after falling into the trap of a malicious web page, you must first clear all temporary IE files. Remember!
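The checks listed in this subsection (the registry lock, the EXE association default, and startup entries with .htm/.html/.vbs suffixes or regedit -s), run against an exported .reg file instead of the live registry. This is an added example, not code from the original article; the function names, the heuristics and the sample export are assumptions constructed for illustration.

```python
import re

# Key and value names come from the article; heuristics and SAMPLE are constructed.
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|Run-)$", re.I)
EXE_CMD = r"hkey_classes_root\exefile\shell\open\command"
LOCKS = {"disableregistrytools", "norun"}
ENTRY = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')

def parse_reg(text):
    """Yield (key, value name, decoded data) from REGEDIT4 / 5.00 export text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := ENTRY.match(line)):
            name, data = m.group(1).strip('"'), m.group(2).strip()
            if data.startswith('"'):                 # string: undo \\ and \"
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            elif data.lower().startswith("hex"):     # single-line binary data only
                data = bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b.strip(" \\"))
            yield key, name, data

def audit(text):
    """Return (category, key, value name, data) for each check the article lists."""
    out = []
    for key, name, val in parse_reg(text):
        is_set = any(val) if isinstance(val, bytes) else val not in (0, "")
        if name.lower() in LOCKS and is_set:
            out.append(("lock", key, name, val))
        if key.lower() == EXE_CMD and name == "@" and val != '"%1" %*':
            out.append(("exe-association", key, name, val))
        if RUN_KEY.search(key) and isinstance(val, str) and (
                re.search(r"\.(html?|vbs)\b", val, re.I)
                or re.search(r"\bregedit(\.exe)?\s*[-/]s\b", val, re.I)):
            out.append(("startup", key, name, val))
    return out

SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="c:\\windows\\example.vbs \"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"system"="regedit -s c:\\windows\\example.dll"
'''
print(*audit(SAMPLE), sep="\n")
```

Export the branches to check from regedit and pass the file contents to audit(); an empty list means none of these particular checks fired, not that the machine is clean.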
How can we defend against such malicious web pages?
A once-and-for-all method: delete the ID F935DC22-1CF0-11D0-ADB9-00C04FD58A0B.
Its registry path is HKEY_CLASSES_ROOT\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}
Remember to read carefully before deleting, so that you do not delete something else by mistake. Removing F935DC22-1CF0-11D0-ADB9-00C04FD58A0B does not affect the system.
In the IE menu bar, select "Tools" > "Internet Options". In the dialog box that appears, switch to the "Security" tab, select "Internet" and click "Custom Level". In the "Security Settings" dialog box, select "Disable" or "Prompt" for all options under "ActiveX controls and plug-ins" and "Scripting". However, if you select "Disable", some websites that legitimately use ActiveX and scripts may not be displayed completely. Suggestion: choose "Prompt". When a warning appears, check the source code of the website. If code such as Shl.RegWrite appears, do not use it. If the source code is encrypted and the website is not one you are familiar with, do not use it. If you cannot use the right-click menu, be careful (check the source code for malicious Java or other malicious code).
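The source check suggested above, applied to a saved copy of a page. This is an added example, not code from the original article: it looks for the two CLSIDs and the RegWrite/setCLSID calls the article names, and also decodes %XX-escaped text first. Treating percent-escaping as the "encrypted" case, the object name x and both samples are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# The CLSIDs and method names are the ones the article names. Treating
# %XX-escaped source as the "encrypted" case is this example's assumption.
INDICATORS = {
    "wsh-clsid": r"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B",
    "file-clsid": r"0D43FE01-F093-11CF-8940-00A0C9054228",
    "regwrite": r"\.\s*RegWrite\s*\(",
    "setclsid": r"\.\s*setCLSID\s*\(",
}

def decode_layers(source, max_depth=3):
    """Return the source followed by its %XX-decoded forms, until nothing changes."""
    layers = [source]
    while len(layers) <= max_depth:
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers

def scan(source):
    """Map each indicator found to the shallowest decode depth where it appears."""
    hits = {}
    for depth, text in enumerate(decode_layers(source)):
        for name, pattern in INDICATORS.items():
            if name not in hits and re.search(pattern, text, re.I):
                hits[name] = depth
    return hits

def verdict(source):
    """'ok', 'registry-script' (visible) or 'encoded-script' (hidden by escaping)."""
    hits = scan(source)
    if not hits:
        return "ok"
    return "encoded-script" if max(hits.values()) > 0 else "registry-script"

# Constructed samples: the two calls quoted in the article (object name x is
# hypothetical), and the RegWrite call percent-escaped inside unescape().
PLAIN = 'x.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}"); Shl.RegWrite("HKCU\\...\\NoRun", 01, "REG_BINARY");'
ESCAPED = 'document.write(unescape("%s"))' % "".join("%%%02X" % ord(c) for c in "Shl.RegWrite(")

print(verdict(PLAIN), verdict(ESCAPED), verdict("<p>hello</p>"))
```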
For Windows 98 users, open C:\windows\Java\packages\cvlv1nbb.zip and delete "ActiveXComponent.class". For Windows ME users, open c:\windows\Java\packages\5nzvfpf1.zip and delete "ActiveXComponent.class". This does not affect normal web browsing.
In Windows 2000/XP, some malicious scripts can be blocked by disabling the "Remote Registry Service". Choose "Control Panel" > "Administrative Tools" > "Services", right-click "Remote Registry Service", select "Properties" in the menu to open the Properties dialog box, and on the "General" tab set "Startup type" to "Disabled". In this way, some malicious scripts can be intercepted.
Hey, you don't have to use IE. You can also use other browsers ......
Do not restart the computer immediately after you have been hit by a malicious web page. First check the startup items to see whether there are any dangerous ones, such as deltree or the like.
II. Using IE vulnerabilities to directly damage the Windows system
Formatting a hard disk through a web page is nothing new. One day, while you are on the Internet, a warning suddenly pops up saying that the current page contains unsafe content. If you choose "Yes", the hard disk may be formatted.
Look at some of its source code:
// Wsh (......)
To defend against such web pages, you can use the following methods:
Delete the ID F935DC22-1CF0-11D0-ADB9-00C04FD58A0B, because this ID can be used to issue the format command and to run executable files on the hard disk. The specific path is
HKEY_CLASSES_ROOT\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}. Once again, be careful not to delete the wrong entry.
We recommend renaming the deltree.com and format.com commands, for example using Optimization Master to change them to deltree.wom and format.wom.
Changing the name of wscript.exe in Windows is also a method.
You can also uninstall WSH:
98/ME: go to "Control Panel", select "Add/Remove Programs", select "Windows Setup", select "Accessories", then select Windows Scripting Host in "Details" and confirm to uninstall it.
To disable WSH in Windows 2000, double-click the "My Computer" icon, run the "Tools / Folder Options" command, select the "File Types" tab, find the "VBS VBScript Script File" entry, click the [Delete] button, and click [OK].
Or upgrade WSH to WSH 5.6.
IE can be modified by malicious scripts because IE 5.5 and the WSH in earlier versions allow attackers to use the GetObject function in JavaScript and the htmlfile ActiveX object to read the viewer's registry. Microsoft's latest Microsoft Windows Script 5.6 has fixed this problem.
WSH 5.6 for Win9x/NT official download: www.microsoft.com
WSH 5.6 for Win2000 official download: http://www.microsoft.com/devonly/
III. Security vulnerabilities
Now, you can use the registry to generate files on the hard disk and read the registry.
IE vulnerabilities can spread viruses. Currently, script viruses such as Happy Time can infect you when you merely browse a web page, and many of them get in through IE vulnerabilities. The current web-page Trojan problem in fact uses the MIME header error vulnerability of IE to make the Trojan program run automatically. This type of program is easy to create and easy to spread. Countermeasure for the MIME header error: patch or upgrade: http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp
1. Let's take a look at a vulnerability in IE 5.0: you can write incorrect HTML code so that your IE can be taken away. The code cannot be pasted here.
Let's take a look at this ID: 0d43fe01-f093-11cf-8940-00a0c9054228, which is used to generate a file.
2. IE is still exposed to iframe holes. Using this hole, an .exe file can be executed automatically once the page is viewed in IE.
Defense countermeasure: you had better upgrade IE to SP2, or install patch Q290108 (thank you for pointing out the error here). If you are afraid of it occupying a large amount of resources, you must at least remember to install the patch. At present, many viruses spread by exploiting the vulnerabilities of IE and OE. The Love Forest virus is one of them.
Delete HKEY_CLASSES_ROOT\CLSID\{0d43fe01-f093-11cf-8940-00a0c9054228}.
3. In IE6 (build 2600), a piece of JavaScript code can cause a denial of service in IE. On 98 it can make IE stop responding, and trying to end the task crashes the operating system. On 2000, 50% of the CPU is used for a long time, and then the browser asks whether to continue.
Defense countermeasure: disable Java and scripts. It is recommended that you upgrade IE or install patches (it seems that nothing works without patching).
4. The frame vulnerability in IE affects IE 5.01, 5.5 and 6.0 and can leak user information.
Countermeasure: patching: http://www.microsoft.com/Windowsupdate
http://www.microsoft.com/technet/security/bulletin/MS02-009.asp
Attackers can exploit IE to execute ActiveX. Although IE provides a prompt for "Download signed ActiveX controls", malicious attack code can bypass IE and download and execute ActiveX control programs without a prompt, after which the attacker gains control of the system. To shield against these black hands, open the Registry Editor and expand the following branch:
The solution is to create, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility, a key named after the CLSID of the Active Setup controls, {6E449683-C509-11CF-AAFA-00AA00B6015C}, then create a REG_DWORD value named Compatibility under the new key and set it to 0x00000400.
IV. Nuisance malicious web pages
This type of web page uses JavaScript code, for example to open countless windows that cannot be closed and that use up CPU resources until you can only restart. To tell the truth, the web page monitoring of anti-virus software in China currently cannot intercept such malicious web pages (I have not tried foreign products).
This type of web page is not difficult to write. It is achieved by writing some endless loops.
Defense method: disable Java. Upgrade IE to a later version.
The other kind takes advantage of Win98 vulnerabilities to make you drop offline or crash. The defense countermeasure is to patch 98 (or do not use 98; 2000 is more stable).
When you access the Internet, remember to enable web page monitoring or registry monitoring. Currently, anti-virus software in China has a good success rate in intercepting registry writes.
From the above analysis, we can see that one very important point is that you must patch your system regularly. Microsoft usually releases a patch, and soon afterwards new virus code will attack you, so always install patches!
(Source: Hotspot Network)