Last Updated: 2007-09-03 00:24:22 UTC
by Bojan Zdrnja (Version: 1)
Couple of days ago Maarten wrote a nice diary about an iframe tage pointing to a “benign” VBScript that was planted on a relatively high profile web site in Belgium (the original diary is here: http://isc.sans.org/diary.html?storyid=3324).
The main problem with VBScript is that you basically have to run it on Windows – there aren’t any stand alone VBScript interpreters for Linux (as far as I know – if you know of one please let us know through our contact form).
As we have to work with malicious VBScript programs on Windows platforms this means also that we have to be extra careful – we are actually using the platform that the original exploit was written for (virtual machines come to help here – you don’t want to infect your main host accidentally). As an analyst, you now have the following options
- Use Windows Script Host which can execute VBScript from the command line (the wscript command).
- Use Microsoft Script Debugger from Internet Explorer.
- Use Microsoft Script Editor from Internet Explorer
I will explain methods 1) and 3) here and leave 2) for a future diary (or as an exercise to you, if you find this whole diary interesting). The example malicious VB Script is almost the same as the one Maarten analyzed (and which one is pretty popular. The screenshot below shows the important part where the decoded content is executed with the execute(decode(cde)) call (the program first calls the decode() function and then executes its output):
Windows Script Host
And the output will look like this:
This is pretty much self explanatory … Let’s see the other method.
Using Microsoft Script Editor
Microsoft Script Editor is a powerful utility that comes with Microsoft Office so in order to install it you have to have a Microsoft Office license (I will cover the free Microsoft Script Debugger in a future diary – there is a reason I picked this one, as you will see in a future diary as well). Microsoft Script Editor will not be installed with Office by default, so you’ll have to add it (it’s under Office Tools and is called Microsoft Script Editor (HTML Source Editing)).
It is easy to check if it’s installed correctly since we have to configure Internet Explorer to use it as well. So first start Internet Explorer and go to Tools -> Internet Options -> Advanced and deselect Disable Script debugging (Internet Explorer). Now restart Internet Explorer and if everything is fine under View you should have an option called Script Debugger:
If you click on Open, Internet Explorer will allow you to choose between available debuggers, if you have more of them.
Now that we have our environment ready, let’s prepare the malicious VB Script. A nice thing when debugging programs like this is that we don’t have to strip out any HTML tags since Internet Explorer will parse that properly for us. There is one thing I like to do in advance, though. While you can tell Internet Explorer to break the script at the next statement, I prefer to do this manually by adding the statement “stop”. This is similar to a breakpoint, so the result will look like this:
abc = "006F006E002000650072….. [rest of the code]
Now we basically execute the file from Internet Explorer (double click it, but do this in an isolated virtual machine) and Internet Explorer will immediately ask us which debugger we want to use. Select Microsoft Script Editor and you will end up debugging the file:
I have to stress out, once again, how important it is to do this in an isolated virtual machine since you will be executing the malicious code.