Two ideas for automated analysis of web Trojans - Vulnerability Warning - Black Bar Safety Net (黑吧安全网, myhack58)

2009-06-22T00:00:00
ID MYHACK58:62200923636
Type myhack58
Reporter Anonymous (佚名)
Modified 2009-06-22T00:00:00

Description

Most web Trojans (drive-by download pages) found online today are built from a handful of fixed code templates with few changes, and the encryption applied to their script code is almost always of the interpreted kind: the page carries the decoder, and the real payload only appears when the script runs. Since the attackers' side of "hanging horses" (planting those pages on compromised sites) is itself automated, automated analysis of web Trojans has already produced good results abroad. Domestic automated web Trojan analysis systems I have seen include those of KnownSec (知道创宇), 360 Security Guard and Security Identity; the major domestic anti-virus vendors presumably each have their own as well.

An automated web Trojan analyzer needs a good page-analysis front end that separates the page's static resource elements from its script content, plus a simulated script interpretation engine, a sandbox environment and so on. Here I only want to describe two small ideas of my own:

1. Pure static analysis

Only the static content of the page is needed. Regular expressions separate the HTML content from the script content; the HTML is analyzed directly, and the separated script is handed to a script interpretation engine for execution. There are some small bottlenecks here, but the engine can be modified so that the key functions web Trojans rely on (document.write, eval, unescape and the like) are intercepted, after which it is not hard to pull out the key content such as the OBJECT tag and the SHELLCODE. For the JavaScript engine, SpiderMonkey is a good choice. This approach has a fatal drawback, though: if the attacker uses VBScript, or packs the code into a Flash file, the script cannot be executed from the static file content, and automated analysis becomes difficult.

2. Sandbox analysis

Given the drawback of the first approach, we can instead use sandbox analysis: hand the web Trojan directly to a real browser to run. Before that, though, the old idea still applies: first hook several key script functions, much like setting breakpoints in the script, and have them output the key content or record the script's behaviour for analysis. In IE this can be done with COM hooks; in Firefox it takes even less effort, since a Greasemonkey user script can do it directly.
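The Firefox variant, as an added example that is not the article's code: a Greasemonkey-style user script that wraps the key functions in the live page. Every hooked call is logged with its truncated arguments and a stack trace (the script-level equivalent of the breakpoint mentioned above) and is then passed on to the original function, so the page keeps running. The script name, log format and the choice of hooked functions are this example's own; installHooks() takes the window to instrument as a parameter so that it can also be exercised against a fake window outside a browser.

```javascript
// ==UserScript==
// @name        webtrojan-hooks
// @namespace   example
// @include     *
// @run-at      document-start
// @grant       none
// ==/UserScript==
//
// Added example (not the article's code). @run-at document-start matters:
// the hooks must be in place before any page script runs. With @grant none
// the script shares the page's JavaScript context, so replacing window.eval
// etc. affects the page's own calls.
'use strict';

const MAX_ARG = 300; // characters of each argument kept in the log

// Wrap obj[name] so that every call is reported through log() first and
// then forwarded to the original. Returns false if there is nothing to hook.
function hook(obj, name, label, log) {
  const original = obj[name];
  if (typeof original !== 'function') return false;
  obj[name] = function hooked(...args) {
    log({
      fn: label,
      args: args.map((a) => String(a).slice(0, MAX_ARG)),
      stack: new Error().stack,
    });
    // For a real breakpoint instead of a log line, put `debugger;` here.
    return original.apply(this === undefined ? obj : this, args);
  };
  return true;
}

// Install hooks on the functions drive-by loaders depend on. A function
// that is missing on this window is skipped; the labels hooked are returned.
function installHooks(win, log) {
  const targets = [
    [win.document, 'write', 'document.write'],
    [win.document, 'writeln', 'document.writeln'],
    [win.document, 'createElement', 'document.createElement'],
    [win, 'eval', 'eval'],
    [win, 'unescape', 'unescape'],
    [win, 'setTimeout', 'setTimeout'],
    [win, 'Function', 'Function'],
  ];
  return targets
    .filter(([obj, name, label]) => obj && hook(obj, name, label, log))
    .map(([, , label]) => label);
}

// Browser bootstrap: only runs when a window exists. Under a sandboxed
// @grant, unsafeWindow is the page's real window and must be hooked instead.
if (typeof window !== 'undefined') {
  const target = typeof unsafeWindow !== 'undefined' ? unsafeWindow : window;
  installHooks(target, (e) => console.log('[webtrojan-hook]', e.fn, e.args.join(' | ')));
}

if (typeof module !== 'undefined') module.exports = { hook, installHooks };
```

Two caveats a practitioner should keep in mind. A hooked eval is always an indirect eval, so a decoder that expects the evaluated code to see the caller's local variables will break; and replacing window.Function only catches calls made by that name, not `(function(){}).constructor`. Both are limits of hooking at the script layer, which is one reason to also hook below it (the COM hooks mentioned for IE).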

The above is only a rough sketch of the two ideas, without the concrete details. I am still feeling my way slowly; the "hackers'" methods of hanging horses are certainly more advanced than this. Personally, I lean towards sandbox analysis.