August 08, 2006

Fake "Cannot find server" Web Pages

This is probably old news to many but it might save you some time if you didn't know before.

I came across this simple trick for simulating a taken-down web server in a real case I was investigating: suppose you find a trojan that steals information and sends it to a central web server; suppose you contact the ISP of the web server and ask them to take the server down; suppose they respond accepting the request; finally, suppose you try to connect to the server with Internet Explorer and you get the following response:


Does that mean the web server is down? Well, not necessarily. The page you are seeing is just a regular HTML page. It may have been displayed by Internet Explorer itself because it wasn't able to contact the server, OR it may have been sent back by the very server that is pretending to be down!

Looking at your network traces will leave no doubt as to which of the two possibilities you are facing, but the point is: you need to check your traces. In my case, it was the latter.

By the way, if you look at the source code of the page and see this JavaScript code, don't freak out: it has been copied from an original IE error page. It is the code that lets the user click on the "Detect Network Settings" link (see the screenshot) and have IE autodetect the proxy settings:

[...]
<SCRIPT>
function doNetDetect() {
    saOC.NETDetectNextNavigate();
    location.reload();
}
</SCRIPT>
<body bgcolor="white">
<object id=saOC CLASSID='clsid:B45FF030-4447-11D2-85DE-00C04FA35C89' HEIGHT=0 width=0></object>
[...]

The "object" tag creates an instance of the SearchAssistantOC object, identified by that CLSID and contained in shdocvw.dll, and the script invokes one of its methods, NETDetectNextNavigate(), which, while officially undocumented, is known to perform the proxy autoconfiguration I referred to above.
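The check the post recommends, as an added example that is not code from the original post: a small Python script that talks to the suspect server directly and tells a genuine outage (no HTTP response at all) from a live server that answers with a copy of IE's error page, using the CLSID and method name quoted above as fingerprints. The fake server and its page are constructed for the demo; the fingerprint list and verdict names are my own choices, not anything from the post.

```python
import http.client
import http.server
import threading

# Fingerprints of IE's own "Cannot find server" page (res://shdoclc.dll/dnserror.htm).
# A live server that copies that page into its response carries the same markers.
IE_ERROR_MARKERS = ("clsid:B45FF030-4447-11D2-85DE-00C04FA35C89",
                    "NETDetectNextNavigate", "Cannot find server")

def probe(host, port, path="/", timeout=3.0):
    """Ask the server directly instead of trusting what the browser renders.
    connection_failed = no HTTP response at all (the server really is down);
    server_up_fake_error_page = it answered with a copy of IE's error page."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
    except (OSError, http.client.HTTPException) as exc:
        return "connection_failed", repr(exc)
    finally:
        conn.close()
    hits = [m for m in IE_ERROR_MARKERS if m in body]
    return ("server_up_fake_error_page" if hits else "server_up",
            {"status": resp.status, "markers": hits})

# Constructed sample: a server that is alive but answers every request with a copy
# of IE's error page, assembled from the snippet quoted on this page.
FAKE_PAGE = (b"<html><head><title>Cannot find server</title><SCRIPT>function doNetDetect()"
             b"{saOC.NETDetectNextNavigate();location.reload();}</SCRIPT><body bgcolor=white>"
             b"<object id=saOC CLASSID='clsid:B45FF030-4447-11D2-85DE-00C04FA35C89' HEIGHT=0"
             b" width=0></object>The page cannot be displayed</body></html>")

class FakeErrorPageHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(FAKE_PAGE)))
        self.end_headers()
        self.wfile.write(FAKE_PAGE)

def demo():
    # Both cases on loopback: the live impostor first, then a genuine outage.
    srv = http.server.HTTPServer(("127.0.0.1", 0), FakeErrorPageHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    alive = probe("127.0.0.1", port)      # -> server_up_fake_error_page
    srv.shutdown()
    srv.server_close()                    # nothing listens on the port any more
    down = probe("127.0.0.1", port)       # -> connection_failed
    return alive, down
```

Running demo() shows the two verdicts side by side; only the second one is what a server that was actually taken down looks like.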

References:

1.- Documentation on DHTML:

http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/reference/dhtml_reference_entry.asp

2.- Documentation on the "object" tag:

http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/object.asp

3.- List of objects, properties and methods contained in shdocvw.dll (unofficial):

http://techsupt.winbatch.com/webcgi/webbatch.exe?techsupt/tsleft.web+WinBatch/OLE~COM~ADO~CDO~ADSI~LDAP/OLE~with~MSIE+SHDOCVW~dll~.txt
