The "CSI:Internet" series was originally published in c't magazine starting in issue 13/2010. For links to other articles in this series please refer to our CSI:Internet HQ page. The code fragments in this article may cause your anti-virus scanner to issue an alert. However, these are false alarms.
Episode 1: Alarm at the pizza service
by Thorsten Holz
As I'm selecting a pizza on the website of my favourite pizza service, my anti-virus scanner issues an alert: It claims to have found and removed a "trojan.backdoor". Let's see what's going on here.
I haven't really done anything on this computer today, and I usually keep it clean, too. So it's probably something to do with this web page I've just opened. So first of all, I take a look at the source code. If it really is an attack, the HTML code should contain some indication somewhere.
<script>var c ='%25%33%43%69%66%72%61%6d%65[ ... ]%25%33%45';
That does look a lot like rubbish. Essentially, it repeatedly passes a long sequence of hexadecimal characters to document.write, which writes them directly into the web page currently displayed in the browser. A typical drive-by download scenario!
So how can a web page push a trojan onto my system just like that? I didn't click on anything. To understand what's happening, I somehow have to get my hands on the plain text code. On a test system, I would now save the page and simply replace the write command with an alert(). The browser would then conveniently display the decoded text in a pop-up window. However, this is my private computer, and I don't want to risk it. Who knows what else this guy has in store (if it really is a guy).
The document object is only defined within the browser context. After I've replaced document.write() with a simple print(), however, the code works fine:
$ js 1.js
width="0" height="0" frameborder="0">
Looks like somebody injected an iFrame with a reference to another web page into the website of my favourite pizza service. They probably exploited a vulnerability in the web software used and added the code via a method such as SQL injection. A value of zero for the height and width of the embedded iFrame makes the iFrame as good as invisible – I'm smelling a rat.
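The decoding step above, done programmatically rather than by hand, as an added example that is not part of the original article: it peels percent-encoding layers off a payload like the one on the pizza site until the text stops changing, then flags any iframe with a zero width or height. The sample payload is constructed here so that its first bytes match the article's fragment; the host name in it is a placeholder.

```javascript
// Added example, not code from the c't article: peel the percent-encoding
// layers off an injected script's payload the way the article does by hand,
// then flag the zero-size iframe that marks a drive-by download injection.

// Equivalent of the classic JavaScript unescape(): %XX and %uXXXX sequences.
function jsUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (m, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

// Decode repeatedly until the text stops changing. Returns the plain text
// and the number of layers removed (the article's payload needs two).
function decodeLayers(s, maxRounds = 10) {
  let layers = 0;
  while (layers < maxRounds) {
    const next = jsUnescape(s);
    if (next === s) break;
    s = next;
    layers++;
  }
  return { text: s, layers };
}

// Report <iframe> tags that are effectively invisible (width or height 0).
function findHiddenIframes(html) {
  const found = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    for (const a of m[1].matchAll(/(\w+)\s*=\s*"([^"]*)"/g)) attrs[a[1].toLowerCase()] = a[2];
    if (attrs.width === '0' || attrs.height === '0') {
      found.push({ src: attrs.src || '', width: attrs.width, height: attrs.height });
    }
  }
  return found;
}

// Constructed sample payload, built the way the article's fragment looks: an
// inner escape()-style layer (only '<', '>', '"', ':' etc. become %XX) and an
// outer layer that hex-encodes every character. The host name is a placeholder.
const jsEscape = s => s.replace(/[^A-Za-z0-9@*_+\-.\/]/g,
  ch => '%' + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'));
const hexAll = s => Array.from(s, ch => '%' + ch.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const SAMPLE_HTML = '<iframe src="http://hidden-host.example/x.php" width="0" height="0" frameborder="0"></iframe>';
const SAMPLE_PAYLOAD = hexAll(jsEscape(SAMPLE_HTML));
const decoded = decodeLayers(SAMPLE_PAYLOAD);
console.log(`removed ${decoded.layers} layer(s):`, decoded.text);
console.log('hidden iframes:', findHiddenIframes(decoded.text));
```

The constructed payload starts with the same %25%33%43%69%66%72%61%6d%65 sequence as the fragment quoted above, which decodes to "<iframe" after two rounds.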