web application security lab

JavaScript XSS is Conduit For Viruses (but so is VBScript)

I know this sort of attack has been around for a while, though perhaps not quite in this way and not with quite as many servers affected, but there is a report over at SANS about an XSS-delivered VBScript that injects malware. Ben Heinkel alerted me to it and put up two screenshots showing how the code actually worked. Pretty nasty stuff, especially as it appears there is no virus definition for this particular variant yet.

However, there are two things about this that are more interesting from an attack perspective. The first is that the attack did not call malware that had been uploaded to the compromised site. Why bother? Since the sites themselves had XSS holes on them (I'm assuming persistent), the only requirement was that the executable and the VBScript were hosted somewhere on the Internet. No longer do you have to upload your malware to the machine you want to infect people from. Who needs all that hassle when all you really want to do is link to it?

The second thing that's interesting is that this uses VBScript. Firefox users might be cheering, since they wouldn't be vulnerable to this without a plugin, but it is striking that it is easier to write malware that installs executables in VBScript than in JavaScript. Although JavaScript is still the favorite for port scanning and controlling the page, it was VBScript that was used in the attack. I think people tend to forget about VBScript, but it's potentially just as nasty considering the wide userbase that supports it.
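
The cost of forgetting VBScript shows up most clearly in URL filters: one that strips only the `javascript:` keyword, as raised in the comments below, passes `vbscript:` through untouched, while a scheme allowlist rejects it. This is an added example, not code from the original post; the function names, the allowed-scheme list and the sample inputs are assumptions, and the input is assumed to be an attribute value that has already been HTML-decoded.

```javascript
// Added example (not from the original post). Assumes the input is an
// href/src attribute value after HTML parsing, so entities are already decoded.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Weak filter from the discussion: removes only the javascript: keyword.
function blocklistFilter(url) {
  return url.replace(/javascript:/gi, "");
}

// Allowlist filter: returns the normalized URL, or null when the scheme is
// not explicitly permitted. Unknown schemes (vbscript: and others) fail closed.
function allowlistFilter(raw) {
  // URL parsers drop leading spaces/control characters and ignore
  // tab, CR and LF anywhere in the URL, so normalize the same way first.
  const url = String(raw)
    .replace(/^[\u0000-\u0020]+/, "")
    .replace(/[\t\r\n]/g, "");
  // Only text before the first "/", "?" or "#" can contain a scheme.
  const head = url.split(/[\/?#]/, 1)[0];
  const colon = head.indexOf(":");
  if (colon === -1) return url; // relative reference, no scheme
  const scheme = head.slice(0, colon).toLowerCase();
  return ALLOWED_SCHEMES.has(scheme) ? url : null;
}

// Constructed sample inputs; the second is the string quoted in the comments.
const SAMPLES = [
  "https://example.com/profile?id=7",
  'vbscript:MsgBox("XSS")',
  ' VbScRiPt:MsgBox("XSS")',
  "/page.php?time=12:30",
];

// Run both filters over the same inputs so the difference is visible per row.
function compareFilters(samples) {
  return samples.map((s) => ({
    input: s,
    blocklist: blocklistFilter(s),
    allowlist: allowlistFilter(s),
  }));
}

console.table(compareFilters(SAMPLES));
```

A `null` result means the value should be dropped rather than rewritten, so a partially cleaned URL is never emitted.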

12 Responses to “JavaScript XSS is Conduit For Viruses (but so is VBScript)”

  1. Awesome AnDrEw Says:

    I love VBScript. I’ve been using it for a long time, and I have many many examples from former domains of how to use it to install trojans, worms, and spyware. I have one with a huge string of characters that it parses together to create an AIM virus, and another one that uses a hole in Windows Media Player to launch itself.

  2. Awesome AnDrEw Says:

    The article made it very simple to find the source of the script, and so I added it to my collection of scripts.

  3. pdp Says:

    I have used VBScript to bypass the security of several high-profile web applications… so VBScript indeed rocks. You can do stuff similar to:

    vbscript:MsgBox("XSS")

    I know it affects IE only, but hei, most users use IE for surfing the net. So imagine a filter that sanitizes the javascript: keyword. Right? Well, use vbscript: then.

  4. Kyran Says:

    Heh. Funnily enough, I was thinking about this on the way home yesterday. Once infected, use IM networks to send links to persistent XSS, possibly based on VBScript. Then go from there.
    Could create a giant botnet in a few days.

  5. Awesome AnDrEw Says:

    They've had many problems stemming from VBScript on the AIM network in the past. pdp, I'm pretty proficient in VBS, but do you know of a way to inject multiple lines of code via the URL bar other than using a .vbs file to embed it? I'm referring to how it's possible to break up an entire Javascript and put it on a single line having every statement ending with a semi-colon so that it can be placed in an address bar, because the only thing to technically end each statement is a carriage-return.
    Example (just in case I'm not explaining it well):
    Javascript - http://host.com/page.php?stuff=">alert('Statement 1');location.href='http://host2.com/thisisthesecondstatement';

    Whereas VBS can only do a single line of code.

    VBScript - http://host.com/page.php?stuff=msgbox "Can only perform one statement when used in this fashion."

    So is there any way around this without using a remote script file?

  6. digi7al64 Says:

    http://sla.ckers.org/forum/read.php?3,6877,6970#msg-6970

    Very similar to what I posted there with the exception of the attack routine but meh.

    Also, I have discussed other methods with some friends and we did toy with the idea of using the MS DEBUG command to assemble ASM code which would have allowed us to house the entire spoilt on a per site basis meaning there was no single shutdown point, but alas, we never pushed forward with that branch of the project.

  7. Kyran Says:

    Andrew, have you tried %0A, a newline?

  8. Awesome AnDrEw Says:

    %0A causes a syntax error. Normally JS functions look something like this:

    function(txt){
        alert(txt);
    }

    Where the semi-colon ends the statement, and allows the next to begin. This is what allows for multiple lines to be condensed into a single URL. A VB function, or sub, would be as follows:

    Function Dosomething(Text$)
        If len(Text$) > 0 Then
            Msgbox "You have entered " & chr(34) & Text$ & chr(34) & "."
        End If
    End Function

    There’s nothing following any of the syntax to physically end the statement other than the carriage-return, but it doesn’t seem like it can be injected into a URL.

  9. pdp Says:

    Awesome, of course you can :) … you just have to think sometimes outside of the box. Try this out:

    vbscript:Execute(chr(77) & chr(115) & chr(103) & chr(66) & chr(111) & chr(120) & chr(40) & chr(34) & chr(66) & chr(108) & chr(97) & chr(34) & chr(41) & chr(13) & chr(10) & chr(77) & chr(115) & chr(103) & chr(66) & chr(111) & chr(120) & chr(40) & chr(34) & chr(66) & chr(108) & chr(97) & chr(34) & chr(41))

    This code executes two alert boxes. It is not efficient in terms of size, but hei, it is too early in the morning here in London. You can make it a lot shorter than this with URL encoding magic.

    cheers

  10. GNUCITIZEN » VBScript to Rule IE Says:

    […] have published a report on VBScript malware and related things. The report was mentioned on ha.ckers.org which was followed by a small discussion on various ways of injecting VBScript, executing […]

  11. Awesome AnDrEw Says:

    Thank you for clarifying that for me.

  12. Awesome AnDrEw Says:

    Thanks for clarifying the situation.
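
The `chr()` concatenation posted in comment 9 hides both the statements and the line break between them from any filter or reviewer looking for keywords. The decoder below is an added example, not code from the original post or its commenters, for running over logged URLs or stored markup to recover what such a chain evaluates to; the function names and the minimum chain length are assumptions, and the sample constant reuses the chain from comment 9.

```javascript
// Added example (not from the original thread): recover the text hidden in
// VBScript chr(n) & chr(n) ... chains found in logged URLs or stored markup.
const CHR_CALL = /chr\(\s*(\d{1,3})\s*\)/gi;
const CHR_CHAIN = /chr\(\s*\d{1,3}\s*\)(?:\s*&\s*chr\(\s*\d{1,3}\s*\))+/gi;

// Logged URLs are usually percent-encoded; keep the raw text if it is malformed.
function urlDecode(text) {
  try {
    return decodeURIComponent(text);
  } catch (e) {
    return text;
  }
}

// Returns one record per chain of at least minLength chr() calls.
function findChrChains(text, minLength = 4) {
  const decodedText = urlDecode(text);
  const hits = [];
  for (const m of decodedText.matchAll(CHR_CHAIN)) {
    const codes = [...m[0].matchAll(CHR_CALL)].map((c) => Number(c[1]));
    if (codes.length < minLength || codes.some((n) => n > 255)) continue;
    const hidden = String.fromCharCode(...codes);
    hits.push({
      offset: m.index,
      hidden,
      // CR/LF inside the chain means several statements were packed into one line.
      statements: hidden.split(/\r\n|\r|\n/).filter((s) => s.length > 0),
      // True when the chain is the argument of Execute(, as in comment 9.
      wrappedInExecute: /\bexecute\s*\(\s*$/i.test(decodedText.slice(0, m.index)),
    });
  }
  return hits;
}

// Sample input: the chain posted in comment 9, split across lines for width.
const SAMPLE_URL =
  "vbscript:Execute(chr(77) & chr(115) & chr(103) & chr(66) & chr(111) & " +
  "chr(120) & chr(40) & chr(34) & chr(66) & chr(108) & chr(97) & chr(34) & " +
  "chr(41) & chr(13) & chr(10) & chr(77) & chr(115) & chr(103) & chr(66) & " +
  "chr(111) & chr(120) & chr(40) & chr(34) & chr(66) & chr(108) & chr(97) & " +
  "chr(34) & chr(41))";

console.log(findChrChains(SAMPLE_URL));
```

A record with more than one entry in `statements` and `wrappedInExecute` set is the pattern worth alerting on, since ordinary page content has little reason to assemble line breaks character by character.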