In association with heise online

18 June 2010, 11:22

The "CSI:Internet" series was originally published in c't magazine starting in issue 13/2010. For links to other articles in this series please refer to out CSI:Internet HQ page.The code fragments in this article may cause your anti-virus scanner to issue an alert. However, these are false alarms.


Episode 1: Alarm at the pizza service

by Thorsten Holz

As I'm selecting a pizza on the website of my favourite pizza service, my anti-virus scanner issues an alert: It claims to have found and removed a "trojan.backdoor". Let's see what's going on here.

I haven't really done anything on this computer today, and I usually keep it clean, too. So it's probably something to do with this web page I've just opened. So first of all, I take a look at the source code. If it really is an attack, the HTML code should contain some indication somewhere.

After a short search I do find something; there is a strange JavaScript segment at the end of the page:

<script>var c ='%25%33%43%69%66%72%61%6d%65[ ... ]%25%33%45';
var d=unescape(unescape(c));

Zoom Evil does not only lurk in murky corners. More and more often, otherwise harmless web pages contain what is called a drive-by download.
That does look a lot like rubbish. Essentially, it repeatedly sends a long sequence of hexadecimal characters through the unescape() JavaScript function and then uses document.write to directly write it to the web page that is being displayed in the browser. A typical drive-by download scenario!

So how can a web page shift a trojan to my system just like that? I didn't click on anything. To understand what's happening, I somehow have to get my hands on the plain text code. On a test system, I would now save the page and simply replace the write command with an alert(). The browser would then conveniently display the decoded text in a pop-up window. However, this is my private computer, and I don't want to risk it. Who knows what else this guy has in store (if it really is a guy).

Therefore, I choose the slightly more involved but safer way by using SpiderMonkey to execute the code. My first attempt at throwing the script segment into Mozilla's JavaScript as a text file results in an error message, "ReferenceError: document is not defined". That's not surprising, because the document object is only defined within the browser context. After I've replaced document.write() with a simple print(), however, the code works fine:

$ js 1.js
<iframe src="hxxp://"
width="0" height="0" frameborder="0">

Looks like somebody injected an iFrame with a reference to another web page into the website of my favourite pizza service. They probably exploited a vulnerability in the web software used and added the code via a method such as SQL injection. A value of zero for the height and width of the embedded iFrame makes the iFrame as good as invisible – I'm smelling a rat.

Next: The hidden iFrame

Print Version | Permalink:
  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit