The Vx Heaven Collection
-- Contact --
https://twitter.com/vxunderground firstname.lastname@example.org
A 'preprocessor language' is a web-based language designed to run on a server, and only on the server. The results of the executed preprocessor script file (PHP, for example) are transferred to the web page, which the user can see. That means the user never sees the code of that script. As a result, the script cannot harm the user in any way, because it is executed on the server (and only there) and just the results are sent to the user. This was also written in VirusBulletin March/2001 in an article by Denis Zenlin & Mike Pavlushchik called 'PHP go the Script Viruses'. The article deals with PHP.Pirus (29a#5) and PHP.NewWorld and the common PHP problem. A very important statement of the article: '... and it does not have the ability to spread to other Web sites or PCs of the visitors who view an HTML page containing a malicious PHP script. This last case is not possible simply because a user receives a pure HTML page with absolutely no script inside from the PHP processor...' Well, that's not true at all, which I will prove in this article. :)
OK, what we need:
After these two messages, the user will be so scared of the page that (s)he will not accept execution of the script.
Now the side effect: if you use this technique and somebody runs it, there are NO (!!!) warnings, error messages or information about the danger of the script. It will just be executed, that's all. :)
Well, now you should understand the idea and how it works (I hope so :D). Now let's move to the code! I've tested the code on my WinXP SP2 + IE 6.0 with PHP 5.0.2 on my computer (where I'm server + client) and on a www.host.sk domain, where I'm just a client. And, surprise, surprise, it worked anyway. ;) The following code will create a file called 'spth.php' on hard disk C containing its own code if a user (client) runs it. And most important: there will be NO warnings about the script. :) Now have a look at the code:
This technique is proof that PHP can affect the user (client), even though many people denied it. Besides the problem that PHP is not that secure, the technique is very dangerous because there are NO warnings: the script just works without any message, and the user doesn't even notice it. It would be possible to make a full virus with this technique that infects the user's HD, and (s)he would not notice it. Such a creature could therefore easily get into the wild.
That result makes me happy, because two new things have been discovered. I hope this article gave you some help or maybe new ideas for your next viruses...
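The claim quoted at the start, that a visitor receives "a pure HTML page with absolutely no script inside", can be checked against what a server actually sends. The following is an added example, not code from the original article: it audits rendered output for anything the browser will run, and the names `ActiveContentAuditor`, `audit` and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Elements the browser executes itself or hands to a plug-in.
ACTIVE_TAGS = {"script", "object", "embed", "applet"}
URL_ATTRS = {"href", "src", "action", "data"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


class ActiveContentAuditor(HTMLParser):
    """Records every construct in a rendered page that runs on the client."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line, kind, detail)

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag in ACTIVE_TAGS:
            self.findings.append((line, "element", tag))
        for name, value in attrs:
            # Browsers drop tabs and newlines inside a URL, so strip
            # control characters before comparing the scheme.
            url = re.sub(r"[\x00-\x20]", "", value or "").lower()
            if name.startswith("on"):  # inline event handler (onload, onclick, ...)
                self.findings.append((line, "handler", name))
            elif name in URL_ATTRS and url.startswith(SCRIPT_SCHEMES):
                self.findings.append((line, "script-url", name))


def audit(rendered_html):
    """Return the active content found in the output of a server-side script."""
    auditor = ActiveContentAuditor()
    auditor.feed(rendered_html)
    auditor.close()
    return auditor.findings


# Constructed sample of a response body. The PHP source stays on the
# server, but whatever markup it prints is delivered to the browser.
RENDERED = """<html><body>
<h1>Guestbook</h1>
<script type="text/javascript">document.title = "hello";</script>
<img src="logo.png" onload="track()">
<a href="Java&#9;Script:void(0)">more</a>
</body></html>"""

if __name__ == "__main__":
    for line, kind, detail in audit(RENDERED):
        print(f"line {line}: {kind} {detail}")
```

Run it over the response as delivered to the client, not over the PHP source: an empty result is the only case in which the "no script inside" assumption holds for that page.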
- - - - - - - - - - - - - - -
Second Part To Hell/[rRlf]
www.spth.de.vu
email@example.com
written from November 2004
Austria
- - - - - - - - - - - - - - -