September 01, 2006

Malicious web pages are all around

I bet everybody knows somebody who thinks you are kidding when you tell them that a malicious web page could take full control of their computers just by browsing to it if they don't take some precautions. I thought I'd rather share a small example from a real-world incident I investigated recently hoping someone finds it useful to show the risk to the non-believers.

The PC of the victim had been completely taken over by the attacker(s). Among other things, a trojan program had been installed that would monitor all web connections established by the victim and report to a certain web site all kinds of information. Bad.

The forensic analysis of the system revealed the infection vector: the user had browsed to a particular web page and the active content of that page had managed to download and install a program into the system. This program, in turn, was a downloader itself that downloaded and installed other programs, but that's beyond our current interest.

So, what did this active content look like? Well, you can see for yourself. Inside the ZIP file that accompanies this article (see below) you will find an HTML file containing a slightly modified version of that code. Actually, you will find two versions: demo.html and demo_verbose.html. They are basically the same, but the verbose version incorporates pop-up messages so you can follow its execution step by step.

You can download the zip file from:


(ZIP password: "radajo")

In summary, the page instantiates an object (RDS.DataSpace) and then, using javascript to manipulate that object, it tries to download a file from a particular URL (http://10.10.10.10/somefile.exe), copy it to the hard drive (c:\tempfile.exe) and then execute it.

The good news is that this particular attack will not work if you have a security level of "Medium" or higher, which, of course, is the recommendation for your Internet Zone. Nor will it work if you click "No" at the popup warning messages, which of course, is another good thing to do.

Sadly, however, most users don't follow the recommendations, just like the victim in this case. :-(

If you want to see it running, do the following: copy both HTML files to a directory served by your favourite web server (e.g. wwwroot in IIS). Also, copy some innocuous executable file (e.g. calc.exe) to the same directory so that it is also served by the web server. Then, edit the HTML files using your favourite text editor to reflect the IP of your web server and the correct URL to access the executable file. Finally, launch Internet Explorer (it might work with other web browsers, but I have only tested IE and only in XP SP1 and SP2) in a different system and type in the URL to access the demo.html or demo_verbose.html files. You will probably get the following warning message from IE three times:

Click "Yes" every time and you should get your downloaded program running (e.g. calc.exe).

Please note that this may not work depending on the security settings of your IE (Tools -> Internet Options -> Security). If you definitely want it to work you can include the URL of your web server in the "Trusted Sites". Effectively, you are enabling every feature for the site. Alternatively, you can set a security level of "Medium" for your Internet Zone and then customize it to enable the following two options:
  • Access data sources across domains
  • Initialize and script ActiveX controls not marked as safe
That is: "Medium" security level plus those two settings will enable all this malicious web page needs.
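The two settings above are the ones to audit on your own machines. The following script is an added example, not part of the original post or its ZIP file; it evaluates a zone's settings against the post's advice (level at least "Medium", neither option enabled). What it assumes about the registry comes from my own knowledge of the IE zone layout rather than from the post: the Internet Zone lives under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, the two options are the DWORD values named "1201" (Initialize and script ActiveX controls not marked as safe) and "1406" (Access data sources across domains) with 0 = Enable, 1 = Prompt, 3 = Disable, and "CurrentLevel" holds 0x11000 for "Medium". The evaluation itself is a pure function, so it can be run against a captured set of values on any platform.

```python
"""Evaluate an IE Internet Zone configuration against the post's advice.

Added example, not the post's code. The registry value names, their
meanings and the CurrentLevel constant are assumptions from my own
knowledge of IE's zone layout; they are not stated in the post.
"""

# Assumed registry location of the Internet Zone (zone 3) for the current user.
KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Assumed value names for the two options named in the post.
SETTING_NAMES = {
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1406": "Access data sources across domains",
}
ENABLE, PROMPT, DISABLE = 0, 1, 3   # assumed encoding of the three radio buttons
LEVEL_MEDIUM = 0x11000              # assumed CurrentLevel for "Medium"


def read_internet_zone():
    """Read the relevant values from the registry on Windows; return {} elsewhere."""
    try:
        import winreg
    except ImportError:          # not on Windows: caller supplies captured values
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY_PATH) as key:
        for name in list(SETTING_NAMES) + ["CurrentLevel"]:
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass             # value absent: IE falls back to the level's default
    return values


def evaluate_zone(values):
    """Return (severity, message) pairs; an empty list means the post's attack is blocked.

    'high' means the page runs without any question; 'prompt' means the user
    still gets the warning the post shows and only a click on "Yes" lets it through.
    """
    problems = []
    level = values.get("CurrentLevel")
    if level is not None and level < LEVEL_MEDIUM:
        problems.append(("high", f"CurrentLevel 0x{level:x} is below Medium (0x{LEVEL_MEDIUM:x})"))
    for name, label in SETTING_NAMES.items():
        state = values.get(name)
        if state == ENABLE:
            problems.append(("high", f"{name} ({label}) is set to Enable"))
        elif state == PROMPT:
            problems.append(("prompt", f"{name} ({label}) is set to Prompt"))
    return problems


def is_hardened(values):
    """True when the zone is Medium or higher and both options are Disabled (or absent)."""
    return not evaluate_zone(values)


if __name__ == "__main__":
    current = read_internet_zone()
    if not current:
        # Constructed sample matching the weakened setup the post describes.
        current = {"CurrentLevel": LEVEL_MEDIUM, "1201": ENABLE, "1406": ENABLE}
        print("(not on Windows: evaluating a constructed sample)")
    for severity, message in evaluate_zone(current) or [("ok", "zone blocks the described page")]:
        print(f"{severity}: {message}")
```

A clean run reports nothing; the "Medium plus two options" configuration the post describes produces two high-severity findings, and a zone that merely prompts shows up as `prompt` so you can see that the last line of defence is the user clicking "No".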

If this example helps in opening the eyes of even just one person, I'll be happy. :-)
