What would you say if you saw one of these code snippets in a website you browse to:
Set tass = CreateObject(“CnsHelper.CH”)
If IsObject(tass) then
HasCns = true
HasCns = false
iectlAxObj = new ActiveXObject(“Shell.Explorer”);
var fs = new ActiveXObject(“Scripting.FileSystemObject”);
//open file, 8=appends to file, true=will create file if doesn’t already exist
var a = fs.OpenTextFile( fileUri, 8, true );
a.Writeline( text );
You are probably looking at this and thinking, â€œok, what is he going to show us now â€“ some newfangled attack vector, spyware drive-by installer, local system accessâ€¦â€. Guess again.
Sample #1 is coming from Yahoo.com (more specifically http://cn.zs.yahoo.com/func.vbs), and yes â€“ you saw that correctly, is creating the CnsHelper.CH object â€“ an object that multiple sources consider an unwanted AdWare application (see: http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=ADW%5FCNSMIN%2EA, http://www.spynomore.com/bho-hijacker-toolbar-cnsmin.htm, http://www.pestpatrol.com/spywarecenter/pest.aspx?id=453072511, â€¦)
SampleÂ #2 is unreal. Well, actually itâ€™s real. Real.com. (http://uk.real.com/js/playerdetection.js?rev=9507). This is how a developer tests to see if the browser looking at the page is Internet Explorerâ€¦
Sample #3 is the all powerful walmart.com (http://www.walmart.com/kiosk/js/log.js) which, and Iâ€™m quoting the code comment right before the function (sit tight):
* Opens a local file and appends a string to it.
* Returns boolean indicating succes of opening/writing.
Right. When browsing the webâ€¦
You do the math. Just think now how hard it is to work in such a demanding environment, where the good guys do not always follow the good guys coding manual (what? Didnâ€™t you all get the memo?).
Till next time,