Ajax allows a web page Trojan“quietly perform”-vulnerability warning-the black bar safety net

ID MYHACK58:62200715914
Type myhack58
Reporter 佚名
Modified 2007-06-25T00:00:00


On the Ajax implementation, the developer is to think like the“Ajax to do that in user when browsing the web should not feel it to execute asynchronously, and does not need to wait for the page to refresh can be done automatically verify data”, such as whether the user name can be registered. Whenever I think of“feel it”this sentence, you will think there are many network security related stuff, such as Trojans, are hope can be done in the user can not feel performed, or the user can feel the time to do something about it.

Many of the“research network of safe friends”are supposed to feel, Microsoft'soperating systemhas been a long time did not like before can“ms05039.exe www.microsoft.com 7 7 5 8”to get to SYSTEM permissions. So we are to look to the browser, in the hope that once users browse a web page will automatically download the real Trojan service end of the file, and then execute in the background, so that the Web is a“Web Trojan”in. Doing this has several obvious benefits:

1, Do not have to find ways to break through the layers of firewall, a local area network within the user themselves through the“rebound connection”mode is easily controlled.

2, If this has a Trojan of the web in hits high on the website, there will be a very large attack surface, as long as the browse the page it may be in the Trojans, than the struggle of waiting for scan results cool.

3, The transmission of the e-mail can also be included with this page.

Thus a variety of the IE vulnerability appeared, from the beginning to think of a way the users browse the web“56K cat network speed turned out to be downloaded in the background 300K about Trojan service end”, to all kinds of“11k downloaders”, everyone only purpose is to want to do the“make the user feel less than the time of execution.” It is also for this purpose, I decided to study the following put Ajax into a web page Trojans, get Trojan horse“quietly into the village, fire a gun don't” is.

Research Ajax first to study the“XmlHttp”, from the MSDN explanation: XmlHttp to provide the client with the http server communications Protocol. The client through the XmlHttp object(MSXML2. XMLHTTP. 3. 0)to the http server to send requests and use the Microsoft XML document object model Microsoft? XML Document Object Model (DOM)processing to respond. Usually a simple Ajax, it is written:

! /Article/UploadPic/2007-6/200762592212286.jpg

From the fourth step, the browser no longer waits for the server to return the results, but continue to deal with“other things”, this is the“user feel less when asynchronous execution”, etc. the server returns a result, before the start of the Processing Server returns the information, so this time the most suitable to go to the server to download the Trojan. About the asynchronous implementation, there is a comparison image of, for example, the small Li and his girlfriend take to the streets, to see a ladies store, Li reluctant to go in, just at the door, this time, he can choose two ways: 1, in the doorway, waiting for girlfriend to come out(synchronous execution, and then continue shopping; 2, the two people prior to discuss good, and then leave., etc. girlfriend comes out when will called him back, and then continue shopping.

The Xmlhttp object has 4 attributes, used to describe the server returns a different data type, so JAVASCRIPT variables received. Began to study, I have an idea: the Javascript language variables are weakly typed, the variable is defined after the initialization is why the type is what type of variable. Which has a property“responseStream”returned“Ado Stream” object, the object has a method used to return data saved to a file, you can complete a“download Trojan”in this process. Thus wrote a script, put the object returned by the alert out, not even the returned object, but an error occurred, the alert type is not supported. Then search for“responseStream”information, in the MSDN there is no detailed information, use“. Net2005”compiler debugging when you can't see the return type, The code. google. com also can't find the relevant code which heroes are associated may be operated responseStream information, please give.

Crack web Trojan encryption article:

In order to continue to study, had to“probe the probe tiger's nest”, in the QQ group to view the chat history, find the QQ tail of the given website, such sites are usually to be hung up on the horse. Open the antivirus software and then open the web site, and sure enough the message has a virus:

! /Article/UploadPic/2007-6/200762592212545.jpg

Stop the antivirus software real-time monitoring, using EditPlus to edit the page source code, The code content is encrypted.

! /Article/UploadPic/2007-6/200762592213816.jpg

Based on the javascript of the page and the encryption is symmetrical, you can restore back. The code is VERY messy, this piece of code The author does not want everyone to see. Typography after see clearly, the important take out:

! /Article/UploadPic/2007-6/200762592213553.jpg

The encryption process is as follows:

! /Article/UploadPic/2007-6/200762592214108.jpg

We actually do not care about the specific encryption and decryption algorithm is what, only care about how to decrypt it, the following is the decryption process:

! /Article/UploadPic/2007-6/200762592214228.jpg

Thus encrypted, the user sees is the encrypted page, and the browser will automatically perform the decryption process. To crack such an encryption is very simple, the source code is saved as a htm file, and then modify the code, the decryption of the result in a text field output.

! /Article/UploadPic/2007-6/200762592214693.jpg

Again use a browser to open to see the decrypted real code in the text field. Because this code will be antivirus software killing, it is not given in the text, the layout again after grabbing the map:

! /Article/UploadPic/2007-6/200762592214196.jpg

This code is a real page Trojan code. Improved web Trojan article:

Users browse the web, 浏览器自动下载Http://m2126.com/web/exe/data/1.exe saved to the windows directory and then executed. Antivirus will Avira it, is because the antivirus software in this section of the code found in the“feature code”, since there is source code. We also come to find out, See Is it what the point to write too much mess up my Swiss Star. Looking for very simple, open the antivirus software, delete a row, and then save it, if you delete the places are not features of the code, The antivirus will report a virus.

! /Article/UploadPic/2007-6/200762592215368.jpg

This is caused by the rising discontent of the code, see the name you can think of, this piece of code to perform the download of the Trojan. Analysis this section of the code there are two bad places:

1, in the x. open()here, the last parameter is“0”is false, using a non-asynchronous transmission, that is the code execution to a certain a place need to wait for the server to return the result before continuing execution. Obviously not“feel it”principle.

2, because the code wants to do after the download is complete instantly, so just download the file to execute.

For the first point, why not use asynchronous transfer? Because the code is not Ajax, not determine the server returns the status, the use of the“traditional web Trojan mode”. If there is forced to the“0”to“1”will cause the Trojan also does not download is complete, it is executed, the result is of course wrong. The code author may not have thought about Ajax, so I had to use the traditional mode. However now the website“web2. 0”, webpage Trojan why not follow the trend? For the second point, consider the To antivirus fierce as a tiger, we're“the enemy advances I retreat”, does not immediately execute Trojans, etc. the next time the user restarts the computer and then executed. You want to know personal machine and the server the biggest difference is that individual machines may one day restart N times, the server may N year restart 1 times.

May have some readers will think about modifying the registry. So congratulations to you, the answer wrong! Because the antivirus software will monitor the registry, do not the tiger's tooth extraction? Our principle is to“quietly”. The recommended idea is the following: in the windows System in some special folder, and start the system will automatically perform the directory file, such as"C:\Documents and Settings\All Users\Start Menu\Programs\Startup"directory. Thus, our idea is clear, the first to use Ajax technology to silently download a Trojan horse, and then quietly copied to this directory, if you're ruthless you can also by the pop-up message box“sorry! Youroperating systemhave a serious error, for the inconvenience, in order to avoid loss of important files, please manually restart the system!”。

Below is my changed code, The use of the Ajax technology:

! /Article/UploadPic/2007-6/200762592215587.jpg

Note that in the Save File Path there, the path to the front“\\..\\”is not less, because Trojan is the default download location is windows,or winnt the.

In my virtual machine of windows xp sp2 to access this page, you can see the execution is successful.

! /Article/UploadPic/2007-6/200762592215982.jpg

Note that the startup items and the target folder. We can according to their own needs to change the code, This is just a simple example of application, to a web page Trojan use Ajax technology has been improved. Recommended for everyone after the written web Trojan, download Trojan process, the use of Ajax techniques to download a Trojan, the benefits of this are obvious.

Ajax web Trojan the in-depth article:

As we all know, the web Trojan the cover is very strong, anyone browsing can bid, this is the page the Trojans a big benefit, but sometimes become a disadvantage, it is the lack of a targeted. How can you call targeted? So many examples such as you just want to browse this part of the page someone or that someone caught, while others have no reaction. Sounds good magic Ah, everyone watching the page, what I caught and you didn't, it really is a character issue?

In the discussion on technology before, first talk about why should be targeted. In our penetration of the corporate intranet, is not within the enterprise all staff attached great importance to network security, often there are so few people for this do not understand anything. They are likely to Defense is relatively weak, or the patch hit very late, well, this time the goal is to make this to help people browse Trojans, and other people on the computer is normal.

First of all to the invasion of the corporate WEB site because you want to use Web Trojans, there must be at least the target site for the web page write, and modify permissions. Then get it it get a list of people, in fact you don't need to know what their specifically called what, as long as know they in the corporate external website registered user name and mailbox is, the specific method can refer to“social engineering”attacks. Here we step into the theme, how can alone allow these people to browse the page when executed?

Most sites allow users to login place, email login, Forum login, etc., in user input the user name after, to judge if his name is in our blacklist, put the Trojans lost to him.

Below is my changed code: AdvanceAjax.htm

! /Article/UploadPic/2007-6/200762592215519.jpg

Code: go.js(web page Trojan page

! /Article/UploadPic/2007-6/200762592215707.jpg

Code The process of comparison as follows:

! /Article/UploadPic/2007-6/200762592215698.jpg

The code can be embedded into the corporate website, Forum, e-mail login page. Do the obvious advantage of this is: even if some users complain that there are problems, the network security engineer your own turn and still found nothing abnormal, might be considered the customer and in the absence of complaints.

Ajax web Trojan extended vol. of pure theory

With Web Trojans are increasingly invisible, we hang horse more and more, slowly, formed a certain scale, it will cause some management problems. Because even if a Trojan horse is again good, once more, is killing the possibilities will still be greatly increased. Microsoft IE vulnerabilities still continue to increase, and sometimes want to put all your web Trojan different websites all change, but also a one of the find your own back door, one by one. To do so, it does not meet the program's scalability, a good program, it should be done in no change or less change the already written code, you can add the extension function. So our code still needs to be improved.

Note, the careful reader should note that the article gives the code even though it can be used, but the success rate is very low, because I deliberately used a very old version of web Trojan in continuous processing, the ultimate goal is to make everyone understand web Security importance. While the present article of the code once given, there will be a strong offensive, so in order to be conservative, just to provide some ideas. Let the user open the page, not the Trojan is embedded into the current page, but the user's request to another website, the page processing. From another site the page returns a real web page Trojan, and then perform, and finally just put this page management. Javascript can only access the domain resources, but can not cross-domain access. That is, www.microsoft.com站点中的Javascript只能访问www.microsoft.com站点下的资源,but can not cross-domain access www. sun. com site in resources. Solve way is to use a proxy, and Ajax access the domain server-side scripting file, asp, jsp, php, etc., and then by the service end of the script file to access the other site under resources, and then returned to the Ajax processing. Detailed solutions reference the article the Use a Web Proxy for Cross-Domain XMLHttpRequest Calls on the address in:“http://developer.yahoo.com/javascript/howto-proxy.html” it.

Defense article

Defense this section of the code is actually very simple, my virtual machine the system does not hit the corresponding patch, the installation of the system is the default tomato garden a version of the system. The present machine has been playing up IE patch(don't ask me what the specific patch, anyway, are supposed to fight, open this page in the results would be:

! /Article/UploadPic/2007-6/200762592215464.jpg

This can be a good prevention“this code.” Note that I would like to emphasize what just may be the prevention of this code. IE vulnerability are emerging, often in Microsoft did not release the patch before the emergence of the loophole, so everyone while playing the patch, install antivirus software, it is not foolproof.

Look use Ajax web Trojan of tricks, trying to the user and antivirus software between playing hide and seek, we is there any way to once and for all prevent webpage Trojan? There was a word called“only disconnect the plug of the computer is secure”, and Kevin Mitnick replied:“in fact, you can convince the user to put the plug on”, thus there is no absolute security. And what can we do is as secure as possible, not as the metamorphosis it.

The proposed Defense idea is: first, assume that the underlying system has been hacked, and then take the appropriate some response, and then assuming that only the web service is the invasion of hackers only have the web Service Control, and then take some corresponding countermeasures, so the layers of assumptions, our defenses will slowly sound.

According to the above ideas, web Trojan Defense should be: suppose we have browse the pages of the Trojan, the browser running in the background silently download a Trojan server, after the download is complete the Trojan is copied to the startup items, or will immediately execute. Well, think of a way to intercept, are not allowed to copy and perform.

1, The first modified start of the project record the permissions for administrator to the file write operation.

2, in the desktop build of the browser shortcut, on the shortcut right-click, select Properties>advanced>check the“other identity”.

3, The establishment of a new user, the user name is“q”, password is“q”by default join“Users group”. Because this is the“other run”again after the Open will be prompted to enter a user name and password, so simple some good input.

4, modify the security policy does not allow the new user login system.

Thus, every time we open the browser shortcut, is a users group identity is performed, and Trojans through the browser to perform, so the Trojans when executed and only the users group permissions. No system privileges, the Trojan can do? The system will immediately prompt does not have permission to perform, and then the poor Trojans on this“blundered”. Do another benefit is that you can prevent the malware to automatically install, all to to browser Poison, all 坑杀 it. The downside is you can not immediately install themselves want to use the plugin, if you have to install some trusted plugin, from the“Start”menu find the browser to re-open the page to install.