Use well-known websites to cheat and discover Trojans

From: <large and medium-sized network intrusion cases direct attack and defense> E-Industry Press authorizes the red and black Union www.2cto.com to publish

If you view the link address of the Google image preview page at this time, you can see the following figure:

Http://images.google.com/imgres?

Imgurl = http://www.bkjia.com/UploadPic/2010-11/2010112145250623.jpg &

Imgrefurl = http://www.ladymetro.com/fashion/content/4762&usg=

_ E930yGV25zCQ0nGbF9GpGQAS5xA = & h = 478 & w = 300 & sz = 47 &

Hl = zh-CN & start = 147 & tbnid = WAOJc3A1C4arwM: & tbnh = 129 & tbnw = 81

The "imgurl =" parameter is followed by the actual link address of the image, imgrefurl = parameter is followed by the link address of the Image Source Page, and others are additional parameters.

If you modify the link address of the Image Source Page after imgrefurl = parameter, You can embed any webpage, including the trojan webpage, on the Google image preview page. For example, if the imgrefurl = parameter link in the link address of any Google image preview page is changed to a Baidu link address, the Baidu homepage is displayed in the Google image preview page (figure 2 ).

Figure 2 search for Trojan effect on Google Images

Of course, if Baidu links are replaced with Trojan pages, they will be attacked by Trojan pages. However, this link address is too long and has many parameters, which may be confusing. Therefore, you can remove unnecessary parameters and rewrite them as follows:

Http://images.google.com/imgres?

Imgurl = http://www.bkjia.com/UploadPic/2010-11/2010112145250623.jpg &

Imgrefurl = http://www.baidu.com & tbnid = WAOJc3A1C4arwM:

The URL of the image after the "imgurl =" parameter can also be omitted as any character and rewritten as follows:

Http://images.google.com/imgres? Imgurl = 1 & imgrefurl = http://www.baidu.com & tbnid = WAOJc3A1C4arwM:

The "tbnid =" parameter can be any character, so it is rewritten as follows (Figure 3 ):

Http://images.google.com/imgres? Imgurlw.1.gif & imgrefurl = http://www.baidu.com & tbnid = W

Figure 3

When launching a trojan attack, the attacker certainly does not directly write the link address of the webpage, which is too obvious. Attackers can convert the webpage Trojan link address to % hexadecimal form, for example, "http://www.baidu.com" can be converted:

% 68% 74% 74% 3a % 2f % 2f % 70% 77% 77% 2e % 77% 62% 61% 69% 64% 2e % 75% 6f % 6d

The trojan link address is changed to (figure 4 ):

Http://images.google.com/imgres? Imgurl = 1 & imgrefurl = % 68% 74% 74% 70% 3a % 2f % 2f % 77% 77% 77% 2e % 62% 61% 69% 64% 2e % 75% 6f % 6d & tbnid = W

Figure 4

The trojan link address makes it difficult to see what the problem is, and attackers can further disguise the link. For example:

Http://images.google.com/imgres? Imgurl = porn & imgrefurl = % 68% 74% 74% 70% 3a % 2f % 2f % 77% 77% 77% 2e % 62% 61% 69% 64% 2e % 75% 6f % 6d & tbnid = W

Http://images.google.com/imgres? Imgurl = sex & imgrefurl = % 68% 74% 74% 70% 3a % 2f % 2f % 77% 77% 77% 2e % 62% 61% 69% 64% 2e % 75% 6f % 6d & tbnid = W

You can also directly add the "imgurl =" parameter to an interesting real image link address. When you click to open this Google Image Search link, an "Exciting" image is displayed, however, the trojan webpage is also opened.

Use well-known sites to cheat and drive Trojans

There are many "Pushing" attacks on the Internet, which trick netusers into browsing malicious websites by various means, leading to the loss of passwords of various online banking or game accounts. Likewise, phishing attacks are also used to spoof sex web Trojans.

Search for Trojans using Google Images

Many users are still very reassured about large websites such as Google, Baidu, TOM, and sina. Therefore, many users may click the links to these websites with confidence. However, these large websites are not so secure and may also be exploited by attackers to launch Trojan attacks. For example, in a forum, a netman can see a post named "hidden XX images searched by Google", with a link pointing to Google Image Search:

Http://images.google.com/imgres? Imgurl = porn & imgrefurl = % 68% 74% 74% 70% 3a % 2f % 2f % 77% 77% 77% 2e % 62% 61% 69% 64% 2e % 75% 6f % 6d & tbnid = W

Because this link is directed to Google image search, browsing does not doubt the security of the link source. After clicking the link, you will not see the image you want to see, but will be attacked by a Trojan.

Taking Google as an example, Google is the world's largest search engine, and Google has other huge WEB application product lines, it involves almost all Internet applications such as EMAIL, BLOG, online documentation, personal homepage, electronic map, forum, and RSS. However, the image search service provided by Google has a security problem.

On the Google image search result page, click an image to open an image preview page. The image information is displayed at the top of the page, and the Image Source Page is displayed in the frame below (figure 1 ).