JavaScript spy script analysis: ScanBox source code analysis and demonstration

Posted by lipsius at 2020-03-25


ScanBox is a malicious JavaScript script with spyware functions such as information collection and keystroke logging; it targets the Internet Explorer browser. ScanBox can collect basic host information, enumerate the applications installed on the host, obtain the Flash version, obtain the Office version, check for Adobe Reader, and record keystrokes.

Below we analyze how each function is implemented in the source code. Many websites report on ScanBox, but few analyze and interpret it. The author finally found this incomplete (817-line) source code on the personal blog of a foreign security researcher.

Program framework

Let us first look at the ScanBox script framework:


[figure 1] ScanBox program framework

When the malicious script is injected into a web page and a user then visits that page, the browser parses the script locally. The program flow can be abstracted into the modules shown in Figure 1.

Collect basic information

[figure 2] source code for collecting basic information

The record object in [figure 2] holds some basic information from the current page header, together with host information such as screen resolution, operating system and language.

Encryption module

[figure 3] source code of encryption module

There is little to say here: no Base64 class library is included, so Base64 encoding is implemented in native JavaScript. Base64 is an encoding rather than real encryption, so it only obscures the data in transit.

Communication module

[figure 4] source code of communication module

The communication module consists of two functions, get and post, which wrap the two common HTTP request methods and return the stolen information to the attacker's back-end server. The get function creates an Image object and sets its src attribute, which issues a GET request; the post function creates a form element, fills it with input elements, and calls submit() to issue a POST. Both are convenient ways for JavaScript to talk to a back end.
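One defensive counterpart to the two channels just described is a Content-Security-Policy on the protected page. The following is an added example (not code from the ScanBox source or this article) that parses a CSP header value and reports whether the Image GET channel and the form POST channel may reach arbitrary remote hosts; the policy strings and the rule that a wildcard or bare scheme source means "any host" are this example's own assumptions.

```javascript
// Added example (not from the ScanBox source or the article): given a
// Content-Security-Policy header value, report whether the two channels the
// communication module uses, an <img src> GET beacon and a <form>.submit()
// POST, may reach arbitrary remote hosts. Caveat worth knowing: img-src falls
// back to default-src when absent, but form-action has NO fallback, so a
// policy with only default-src 'self' still lets the form POST leave.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; keep the first occurrence.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// A source list permits arbitrary hosts if the directive is absent, or it
// contains "*", a bare scheme source ("http:"/"https:") or a wildcard host.
function allowsAnyHost(sources) {
  if (sources === undefined) return true;
  return sources.some(s => /^https?:$/i.test(s) || /^(https?:\/\/)?\*(:\d+)?$/i.test(s));
}

function effectiveSources(directives, name, fallback) {
  if (directives.has(name)) return directives.get(name);
  return fallback === null ? undefined : directives.get(fallback);
}

// Which of the two exfiltration channels the policy keeps from leaving the origin.
function exfilChannels(header) {
  const d = parseCsp(header);
  return {
    imageBeaconBlocked: !allowsAnyHost(effectiveSources(d, 'img-src', 'default-src')),
    formPostBlocked: !allowsAnyHost(effectiveSources(d, 'form-action', null)),
  };
}

// Constructed policies: the weak one looks restrictive but leaves the form POST open.
const WEAK_CSP = "default-src 'self'; script-src 'self'";
const HARDENED_CSP = "default-src 'self'; img-src 'self'; form-action 'self'; connect-src 'self'";

console.log('weak    ', exfilChannels(WEAK_CSP));      // { imageBeaconBlocked: true, formPostBlocked: false }
console.log('hardened', exfilChannels(HARDENED_CSP));  // { imageBeaconBlocked: true, formPostBlocked: true }
```

A CSP does not stop an injected script from running; it only limits where the script can send data, so script-src and the underlying XSS still need fixing.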

Report module

[figure 5] source code of activity reporting module

Here too an Image object is used to send data to the back end via GET, and the encoding module (Base64) is applied to the data before transmission. A timer set with setInterval reports the activity to the server at a fixed interval.
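A fixed-interval GET beacon carrying Base64 data is also a detectable pattern on the server side. The following is an added example (not from the ScanBox source or this article) that scans constructed Common Log Format access-log lines for (client, path) pairs that send Base64-decodable query values at near-constant spacing; the log lines, the 25% jitter tolerance and the minimum of three hits are this example's own assumptions.

```javascript
// Added example, not from ScanBox or the article: flags setInterval-style report beacons in
// access logs: a (client, path) pair whose GETs carry Base64 AND arrive at near-constant gaps.
const SAMPLE_LOG = [  // constructed Common Log Format lines
  '203.0.113.7 - - [25/Mar/2020:10:00:00 +0000] "GET /r.php?d=aWQ9MTIz HTTP/1.1" 200 43',
  '198.51.100.2 - - [25/Mar/2020:10:00:02 +0000] "GET /search?q=hello HTTP/1.1" 200 900',
  '203.0.113.7 - - [25/Mar/2020:10:00:05 +0000] "GET /r.php?d=a2V5PWFi HTTP/1.1" 200 43',
  '203.0.113.7 - - [25/Mar/2020:10:00:10 +0000] "GET /r.php?d=dT1hZG1pbg%3D%3D HTTP/1.1" 200 43',
  '203.0.113.7 - - [25/Mar/2020:10:00:15 +0000] "GET /r.php?d=cD1zZWNyZXQ%3D HTTP/1.1" 200 43',
];
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP\/[\d.]+" \d{3}/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "25/Mar/2020:10:00:05 +0000" -> epoch seconds (every line is assumed to share one zone).
function parseClfTime(s) {
  const m = /^(\d+)\/(\w{3})\/(\d+):(\d+):(\d+):(\d+)/.exec(s);
  return Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]) / 1000;
}

// True if the (possibly URL-encoded) value is well-formed Base64 decoding to printable text.
function looksBase64(v) {
  let s; try { s = decodeURIComponent(v); } catch (e) { return false; }
  if (s.length < 8 || s.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(s)) return false;
  return /^[\x20-\x7e]*$/.test(Buffer.from(s, 'base64').toString('latin1'));
}

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [path, query = ''] = m[3].split('?');
  const values = query.split('&').map(kv => kv.split('=').slice(1).join('='));
  return { ip: m[1], t: parseClfTime(m[2]), path, encoded: values.some(looksBase64) };
}

// Keeps groups of >= minHits encoded requests whose gaps all lie within `tolerance` of the mean.
function findBeacons(lines, { minHits = 3, tolerance = 0.25 } = {}) {
  const groups = new Map();
  for (const rec of lines.map(parseLine).filter(r => r && r.encoded)) {
    const key = `${rec.ip} ${rec.path}`;
    groups.set(key, [...(groups.get(key) || []), rec.t]);
  }
  const hits = [];
  for (const [key, times] of groups) {
    if (times.length < minHits) continue;
    times.sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => t - times[i]);
    const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    if (gaps.every(g => Math.abs(g - mean) <= tolerance * mean)) hits.push({ key, count: times.length, periodSeconds: mean });
  }
  return hits;
}
```

Running findBeacons(SAMPLE_LOG) reports the single 5-second beacon from 203.0.113.7 to /r.php while the one-off search request is ignored.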

Plug-in collection

1. pluginid = 1

Plug-in 1 (pluginid = 1) obtains the list of software installed on the operating system through the res:// protocol. res:// is a protocol predefined by Internet Explorer that can read the resources of any file in Win32 PE format, as shown in Figure 6 below:

[figure 6] viewing resource files with Resource Editor

The figure above shows the bitmap resource of explorer.exe viewed with the PE resource viewing tool Resource Editor. The same can be done with Internet Explorer itself, as follows:

[figure 7] viewing resource files through the res:// protocol

A script can therefore create an Image object, set its src attribute to a res:// URL that addresses a resource inside a specific PE file, and use the image's onload and onerror events to judge whether the image loaded. Whether the image loads is equivalent to whether the res:// URL could be accessed, which in turn reveals whether that specific application is installed on the victim's host. See the following figure:

[figure 8] a way to test whether a specific application is installed

ScanBox, however, does not use this method. Instead it creates an ActiveXObject("Microsoft.XMLDOM") object and has it parse an XML document that references the res:// URL. The XML string constructed before the call to the validateXML function is marked in red in the following image:

[figure 9] construct XML format document

Next, validateXML is called to perform the check. The principle is to create an ActiveXObject to parse the document; by matching the characteristic error codes, the script can judge whether the PE file referenced through res:// in the XML document exists, and thus whether the host has a specific application installed.

[figure 10] creating an ActiveXObject to load the XML

The following figure shows part of the application list enumerated in the ScanBox source. Notably, ScanBox focuses on whether the host has security protection software installed, information that is important for the later stages of an attack.

[figure 11] some of the applications ScanBox enumerates


Plug-in 3 (pluginid = 3) determines the Flash version. It calls ActiveXObject() with the Flash-related objects to obtain the version.

[figure 12] getting the Flash version


Plug-in 5 (pluginid = 5) obtains the Office version. The principle is the same: create an ActiveXObject and read the version number.

[figure 13] getting the Office version


Plug-in 6 (pluginid = 6) determines whether Adobe Reader is installed. The principle is the same as above.

[figure 14] checking for Adobe Reader


This incomplete ScanBox source does not contain the keystroke logging code, although online reports focus mostly on that function, so the author added a keystroke recording module following the plug-in calling convention used in ScanBox. JavaScript keystroke recording is well-established code on the Internet and the implementations are all alike: they use the document.onkeydown and document.onkeypress events, as follows:

[figure 15] keystroke recording plug-in

This article only covers the plug-ins that can be found in the ScanBox source currently available. Judging from the plug-in numbering, many plug-ins do not appear in this source, so the author can only analyze what is here.
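The traits described for plug-in 1 (res:// probing through Microsoft.XMLDOM), the Base64 module, the timed Image beacon and the keystroke hooks can be turned into a static content check for pages a site serves. The following is an added example (not from the ScanBox source or this article) that scores served HTML/JS against those traits; the indicator weights, the threshold and both page fragments are this example's own constructions.

```javascript
// Added example, not from ScanBox or the article: a static scan of served HTML/JS for the
// traits of the plug-ins above (res:// + Microsoft.XMLDOM fingerprinting, a native Base64
// table, an Image beacon on a timer, onkeydown/onkeypress hooks). Weights and the
// threshold are this example's own choice: one trait alone is common in benign pages.
const INDICATORS = [
  { id: 'xmldom',   weight: 3, re: /ActiveXObject\s*\(\s*["']Microsoft\.XMLDOM["']\s*\)/ },
  { id: 'res',      weight: 3, re: /["']res:\/\//i },
  { id: 'keylog',   weight: 2, re: /document\.onkey(?:down|press)\s*=|addEventListener\s*\(\s*["']key(?:down|press)["']/ },
  { id: 'b64table', weight: 1, re: /ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\+\// },
  { id: 'beacon',   weight: 1, re: /new\s+Image\s*\(/ },
  { id: 'timer',    weight: 1, re: /setInterval\s*\(/ },
];

// Returns the matched trait ids, their summed weight, and whether the sum crosses the threshold.
function scanSource(text, threshold = 6) {
  const matched = INDICATORS.filter(i => i.re.test(text));
  const score = matched.reduce((s, i) => s + i.weight, 0);
  return { matched: matched.map(i => i.id), score, suspicious: score >= threshold };
}

// Constructed fragments carrying the traits (not a working script), and a benign image carousel.
const SUSPICIOUS_PAGE = `<script>
var TABLE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
var dom = new ActiveXObject("Microsoft.XMLDOM");
var probe = "res://" + exePath;
document.onkeydown = recordKey;
var beacon = new Image();
setInterval(report, 5000);
</script>`;
const BENIGN_PAGE = `<script>
var slides = ["a.jpg", "b.jpg"], i = 0, pre = new Image();
setInterval(function () { pre.src = slides[i++ % slides.length]; }, 3000);
</script>`;
```

The carousel matches the beacon and timer traits alone (score 2) and stays below the threshold, while the fragment set scores 11 and is flagged.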

Script testing

If a web page has a stored XSS vulnerability, or ScanBox is implanted by other means into a page containing a login form, the script is loaded and executed when a user visits the page. The password the user types when logging in is then sent to the attacker's back end in clear text, together with the records from the keystroke logging module.

The author wrote several simple PHP scripts on the back end as the target for the data ScanBox sends back; they decode the Base64 and save the keystroke records to a local TXT file.

[figure 16] the back-end script receives the data and writes it to a file

Next, the ScanBox script is embedded in the back-end login page of a specific website to observe the page's behavior after it loads.

[figure 17] communication behavior of a login page implanted with ScanBox

As shown in the figure below, the returned keystroke data is written to the local file.

[figure 18] keystroke record file

Concluding remarks

In general, ScanBox is a malicious script parsed on the client, so its effect is constrained by the browser's security configuration, but that does not diminish its powerful functionality and serious consequences. If an attacker deploys it well, combining it with a stored XSS vulnerability to carry out a watering-hole attack and monitoring the user name and password entered at login, the risk to users' privacy and property is incalculable.

[Author: ArkTeam Leo (team account); for reprints please credit FreeBuf hackers and geeks (freebuf.com)]