What would you say if you saw one of these code snippets in a website you browse to:
dim tass Set tass = CreateObject("CnsHelper.CH") If IsObject(tass) then HasCns = true else HasCns = false end if
or:
function winIE5upPlyrDetect(){ var playerAxObj; var iectlAxObj; try{ iectlAxObj = new ActiveXObject("Shell.Explorer"); } catch(e){ } try{
or:
var fs = new ActiveXObject("Scripting.FileSystemObject"); try { //open file, 8=appends to file, true=will create file if doesn't already exist var a = fs.OpenTextFile( fileUri, 8, true ); a.Writeline( text ); a.Close(); }
You are probably looking at this and thinking, “ok, what is he going to show us now – some newfangled attack vector, spyware drive-by installer, local system access…â€. Guess again.
Sample #1 is coming from Yahoo.com (more specifically http://cn.zs.yahoo.com/func.vbs), and yes – you saw that correctly, is creating the CnsHelper.CH object – an object that multiple sources consider an unwanted AdWare application (see: http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=ADW%5FCNSMIN%2EA, http://www.spynomore.com/bho-hijacker-toolbar-cnsmin.htm, http://www.pestpatrol.com/spywarecenter/pest.aspx?id=453072511, …)
Sample #2 is unreal. Well, actually it’s real. Real.com. (http://uk.real.com/js/playerdetection.js?rev=9507). This is how a developer tests to see if the browser looking at the page is Internet Explorer…
Sample #3 is the all powerful walmart.com (http://www.walmart.com/kiosk/js/log.js) which, and I’m quoting the code comment right before the function (sit tight):
/**
- Opens a local file and appends a string to it.
- Returns boolean indicating succes of opening/writing. */ Right. When browsing the web…
You do the math. Just think now how hard it is to work in such a demanding environment, where the good guys do not always follow the good guys coding manual (what? Didn’t you all get the memo?).
Till next time,