9.3 Detecting Internet Browser Attacks

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 9.  Internet Browser Attacks


Detecting incoming malicious mobile code in the browser environment (without relying on an antivirus scanner) isn't for the technological faint of heart. It requires a minimum understanding of browser-based languages and technologies.

9.3.1 Use an Antivirus Scanner or Firewall

If you are using a well-designed and fully functional antivirus scanner/firewall product, it should detect some known security vulnerabilities. Unfortunately, browser exploits are frequent and varied, and it only takes one little change to bypass a scanner. Antivirus scanners do not have the greatest luck against browser-based malicious mobile code. Some software tools, such as Finjan's SurfinShield, are built from the ground up to detect and prevent browser-based security threats, and as such should be given higher consideration in an environment with a higher-than-normal risk of browser exploits.

9.3.2 Check Unexpected or Unexplained Errors

Malicious mobile code often causes unexpected errors or warnings. If you are surfing a web site and all of a sudden an error message pops up saying something like, "Unable to access System Registry," there is a good chance malicious mobile code is afoot. I also get suspicious if my browser warns me that unsafe content is attempting to access local resources. That said, most browser errors are created by legitimate, poorly written scripts or by buggy browser code. When in doubt, try the next step.

9.3.3 View Source Code

On suspicious web pages, I often view the source code (View → Source or View → Page Source) and scan for tags that can contain malicious code. Mostly I look for scripting tags, obscured URLs, or references to malicious-sounding web sites. I look for <object> and <applet> tags that indicate active content files. I look for <frameset> or <iframe> tags that initiate multiple frames headed to different domains, or for code that accesses local files or directories. If I'm strapped for time, I'll save the suspicious web page to disk (File → Save As → HTML file) to examine later.

9.3.4 Look for the FileSystemObject in Scripts

Microsoft's Scripting Runtime Engine™ is installed with Windows 98, Windows 2000, Windows Scripting Host, and a few other Microsoft applications. Among other tasks, it allows scripts developed in JavaScript, VBScript, and JScript to access the local file system. One particular file, SCRRUN.DLL, contains the FileSystemObject programming call. With it, scripts can view, modify, and create file system and directory objects. It is a favorite of malicious script writers. Example 9-5 and Example 9-6 show the FileSystemObject being used to create a subdirectory and to read an AUTOEXEC.BAT file.

Example 9-5. VBScript using a FileSystemObject call to create a new subdirectory called C:\Malicious

    Sub CreateFolder
        Dim fsysobj, foldr
        ' CreateObject loads the FileSystemObject from the scripting runtime (SCRRUN.DLL)
        Set fsysobj = CreateObject("Scripting.FileSystemObject")
        Set foldr = fsysobj.CreateFolder("C:\Malicious")
    End Sub

Example 9-6. JScript using a FileSystemObject call to read the AUTOEXEC.BAT file

    function ReadFile() {
        var fsysobj, file1;
        // JScript reaches the scripting runtime through ActiveXObject
        fsysobj = new ActiveXObject("Scripting.FileSystemObject");
        // Backslashes are escaped in a JScript string literal; GetFile returns a
        // File object whose OpenAsTextStream method reads the file's contents
        file1 = fsysobj.GetFile("C:\\AUTOEXEC.BAT");
    }

When I'm looking at possibly malicious scripting code, I look for coding that interacts with the local file system. Finding instances of the FileSystemObject being used is a good sign of this type of interaction going on.
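As an added example (not from the book), a small Python audit of a saved page that flags the indicators Sections 9.3.3 and 9.3.4 describe: FileSystemObject or ActiveXObject calls and local file paths inside <script>, <object>/<applet> tags, and <iframe>/<frame> tags that pull from a domain other than the page's own. The sample page, its hostnames and the CLSID are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators the section names: FSO/ActiveX calls, active-content tags, cross-domain frames, local paths.
SCRIPT_PATTERNS = {
    "FileSystemObject": re.compile(r"Scripting\.FileSystemObject", re.I),
    "ActiveXObject": re.compile(r"\bActiveXObject\b"),
    "local path": re.compile(r"\b[A-Za-z]:\\[\w.\\]+"),
}
ACTIVE_TAGS, FRAME_TAGS = {"object", "applet"}, {"iframe", "frame"}
class PageAuditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host              # host the page was saved from
        self.findings, self._script = [], None  # _script buffers <script> text
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._script = []
        elif tag in ACTIVE_TAGS:
            ref = attrs.get("classid") or attrs.get("code") or attrs.get("data")
            self.findings.append(f"<{tag}> active content: {ref}")
        elif tag in FRAME_TAGS:
            host = urlparse(attrs.get("src", "")).hostname
            if host and host != self.page_host:
                self.findings.append(f"<{tag}> loads other domain: {host}")
    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body, self._script = "".join(self._script), None
            for name, pat in SCRIPT_PATTERNS.items():
                for m in pat.finditer(body):
                    self.findings.append(f"script {name}: {m.group(0)}")

def audit_html(html, page_host):
    """Return the findings for one saved page; an empty list means nothing flagged."""
    auditor = PageAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page (not from the book); hostnames and the CLSID are placeholders.
SAMPLE_PAGE = """<script language="VBScript">
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.GetFile("C:\\AUTOEXEC.BAT")
</script>
<iframe src="http://other.example/frame.html"></iframe>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>"""
```

Run `audit_html(SAMPLE_PAGE, "www.example.com")` to list the four findings; a page with only relative or same-host frames and no scripting runtime calls returns an empty list.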

9.3.5 Look for Unexpected Newly Modified Files

Using the Windows File Find feature (Start → Find → Files or Folders), look for files created within the last few days. Look for suspicious modification dates on existing files or for newly created files. If any of the major system files have changed unexpectedly, suspect malicious mobile code.

Malicious Mobile Code: Virus Protection for Windows (OReilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176