Two tips on Automatic Analysis of webpage Trojans

Author: rayh4c [80sec]

Currently, webpage trojans on the Internet are mostly fixed sets of code with few changes, including encryption methods of script code, and almost all encryption methods are interpreted. As hackers are all engaged in process-based Trojans, foreigners have also made great achievements in automated analysis of Web Trojans. I have seen various automated network horse analysis systems in China, including chuangyu, 360 security guard, and anheng. Other major anti-virus security companies in China should also have their own network horse analysis systems.

Automatic Analysis of webpage Trojans requires a good page analysis system, separating various static element resources and script content on the page, and a simulated script interpretation engine and sandbox environment. Here I will only talk about my two tips:

1. Pure Static Analysis

Only the static content of the page needs to be obtained, and only the HTML content and script content need to be separated using regular expression matching to directly analyze the HTML content. The rest will throw the separated script content to the script interpretation engine for execution, of course, there are some small bottlenecks here, but we can transform the script interpretation engine to process the key functions used by some Web horses. It is not difficult to separate key content such as OBJECT and SHELLCODE. Javascript interpretation engine we can choose spider monkeys, of course, this thing has a fatal disadvantage, if hackers Use VBSCRIPT or encapsulate code into FLASH and other files without static code content to execute the script, it is difficult to perform automatic analysis.

2. Sandbox Analysis

In view of the shortcomings of the first method, we can still use the sandbox method to analyze and directly drop the Web horse into a real browser to run, however, before that, we need to use the first old idea to solve several key script functions. For example, we can use a script breakpoint to output key content or analyze script behavior. For IE, we can use com hook, and FF can directly use the Greaseamonkey plug-in without great effort.

The above are just two simple ideas that do not involve actual content. I am also slowly exploring, and the "hacker" Trojan mounting method will certainly become more advanced, and I prefer sandbox analysis.