Malicious code, exploit vectors or top-programmer job?

What would you say if you saw one of these code snippets in a website you browse to:

    dim tass
    Set tass = CreateObject("CnsHelper.CH")
    If IsObject(tass) then
        HasCns = true
    else
        HasCns = false
    end if

or:

    function winIE5upPlyrDetect(){
        var playerAxObj;
        var iectlAxObj;
        try{
            iectlAxObj = new ActiveXObject("Shell.Explorer");
        }
        catch(e){
        }
        try{

or:

    var fs = new ActiveXObject("Scripting.FileSystemObject");

    try {
        //open file, 8=appends to file, true=will create file if doesn't already exist
        var a = fs.OpenTextFile( fileUri, 8, true );
        a.Writeline( text );
        a.Close();
    }

You are probably looking at this and thinking, “ok, what is he going to show us now – some newfangled attack vector, spyware drive-by installer, local system access…”. Guess again.

Sample #1 comes from Yahoo.com (more specifically http://cn.zs.yahoo.com/func.vbs), and yes, you saw that correctly: it creates the CnsHelper.CH object, an object that multiple sources consider an unwanted adware application (see: http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=ADW%5FCNSMIN%2EA, http://www.spynomore.com/bho-hijacker-toolbar-cnsmin.htm, http://www.pestpatrol.com/spywarecenter/pest.aspx?id=453072511, …)

Sample #2 is unreal. Well, actually it’s real. Real.com. (http://uk.real.com/js/playerdetection.js?rev=9507). This is how a developer tests to see if the browser looking at the page is Internet Explorer…

Sample #3 is the all-powerful walmart.com (http://www.walmart.com/kiosk/js/log.js) which, and I’m quoting the code comment right before the function (sit tight):

    /**
     * Opens a local file and appends a string to it.
     * Returns boolean indicating success of opening/writing.
     */

Right. When browsing the web…

You do the math. Just think how hard it is to work in such a demanding environment, where the good guys do not always follow the good guys’ coding manual (what? Didn’t you all get the memo?).
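To make the dilemma concrete, here is an added example (not code from the original post or from any of the sites named): a small scanner of the kind a content filter might run over page scripts, which flags all three snippets quoted above even though they come from mainstream sites. The watchlist labels, function names and sample strings are constructed assumptions.

```javascript
// Added example: flag ActiveX/COM instantiation in page script source.
// ProgIDs are the three named in the post; the labels are assumptions.
const WATCHLIST = {
  "cnshelper.ch": "adware component (per the sources cited in the post)",
  "shell.explorer": "embedded browser control",
  "scripting.filesystemobject": "local file system access",
};

// Matches VBScript CreateObject("X") and JScript new ActiveXObject("X"),
// accepting straight or typographic quotes as they appear in copied code.
const INSTANTIATE = /\b(CreateObject|new\s+ActiveXObject)\s*\(\s*["'\u201C\u201D]([^"'\u201C\u201D]+)["'\u201C\u201D]\s*\)/gi;
// OpenTextFile(path, mode, create): mode 2 = write, 8 = append.
const FILE_WRITE = /\.OpenTextFile\s*\(\s*[^,]+,\s*(2|8)\b/i;

function scanScript(source) {
  const findings = [];
  for (const m of source.matchAll(INSTANTIATE)) {
    const progId = m[2].trim();
    findings.push({
      line: source.slice(0, m.index).split("\n").length,
      progId,
      note: WATCHLIST[progId.toLowerCase()] || "unlisted ProgID",
      writesFile: false,
    });
  }
  // A file-write call only matters if the script created a FileSystemObject.
  const fso = findings.find(
    (f) => f.progId.toLowerCase() === "scripting.filesystemobject");
  if (fso && FILE_WRITE.test(source)) fso.writesFile = true;
  return findings;
}

// Constructed samples modelled on the three snippets quoted in the post.
const SAMPLES = {
  vbs: 'dim tass\nSet tass = CreateObject("CnsHelper.CH")\nIf IsObject(tass) then\nHasCns = true\nend if',
  detect: 'function winIE5upPlyrDetect(){\n  try{\n    iectlAxObj = new ActiveXObject("Shell.Explorer");\n  } catch(e){}\n}',
  log: 'var fs = new ActiveXObject("Scripting.FileSystemObject");\nvar a = fs.OpenTextFile( fileUri, 8, true );\na.Writeline( text );',
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(scanScript(src)));
}
```

Every sample produces a finding, so a filter built on these patterns alone cannot tell the sites in this post from a hostile page; it needs context such as the ProgID's reputation and what the object is then used for.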

Till next time,

