Two Tips on Automatic Analysis of Webpage Trojans


Author: rayh4c [80sec]

Currently, most webpage trojans on the Internet are fixed sets of code with few changes, including the encryption (obfuscation) methods applied to the script code, and almost all of those encryption methods are interpreted, that is, decoded by the script interpreter at run time. As hackers have all moved to process-based Trojan deployment, researchers abroad have also made great achievements in the automated analysis of web Trojans. I have seen various automated webpage-trojan analysis systems in China, including those of chuangyu, 360 Security Guard, and anheng; other major domestic anti-virus and security companies should have their own webpage-trojan analysis systems as well.

Automatic analysis of webpage Trojans requires a good page-analysis system that separates the various static element resources and script content on the page, plus a simulated script interpretation engine and a sandbox environment. Here I will only talk about my two tips:

1. Pure Static Analysis

Only the static content of the page needs to be fetched. HTML content and script content are separated with regular expression matching; the HTML content is analyzed directly, and the separated script content is handed to a script interpretation engine for execution. There are some small bottlenecks here, but we can modify the script interpretation engine to handle the key functions that some web trojans rely on, and separating out key content such as OBJECT tags and SHELLCODE is not difficult. For the JavaScript interpretation engine we can choose SpiderMonkey. This approach has a fatal disadvantage, though: if hackers use VBScript, or encapsulate the code in FLASH or other files so that there is no static script content to execute, automatic analysis becomes difficult.

2. Sandbox Analysis

Given the shortcomings of the first method, we can instead use the sandbox approach and drop the web trojan directly into a real browser to run. Before that, however, we still need the first method's old idea of handling several key script functions; for example, we can use script breakpoints to output key content or analyze script behavior. For IE we can use a COM hook, and for Firefox we can simply use the Greasemonkey plug-in without much effort.

The above are just two simple ideas without concrete implementation details. I am still exploring slowly; the "hackers'" Trojan-mounting methods will certainly become more advanced, and I personally prefer sandbox analysis.
