All your base are belong to us


HTA : HTML Applications

Web-based scripts are executed in the security context of the browser, and thus can be prevented from accessing the local file system or from executing local applications. That is why scripts from web pages such as this one will usually need additional tricks to really get control over a computer, and as Microsoft (slowly) fixes bugs and introduces more security into its Internet Explorer web browser, malicious web scripts need to be more complex to work around those constraints.

On the other hand, Microsoft has developed HTA, HTML Applications, which is a technique intended to create web-based applications. These applications are executed in a browser, but have full access to the local system: it is a piece of cake to read or write files on the local computer, start programs, get a command prompt, etc. from an HTML Application. The user starts the application by clicking a link (disguised as a 'click here to download ...' or something similar) and will be asked only once to 'open' or 'execute' the application. If the user assumes this is necessary to get his download started, he won't think twice about it.

Next, the HTA will run, and can be used to send additional scripts or executable programs to the victim's computer, modify registry keys to run those programs at startup, etc. No other warnings will be given, no additional confirmation will be asked. The only limitation may be that the user does not have sufficient privileges on his own computer. But a lot of users have Administrator rights, so this will probably work most of the time. In fact, with access to the local file system, the command shell, and the possibility to upload and run executables (a mailer program, a telnet server, ...), we can claim that this computer belongs to us.


Demo

This link will take you to a demo: you'll see a page that offers downloads of screensavers, smileys, custom mouse cursors, etc. When you click the 'Download' link, an HTML application will start. If you decide to execute it, a script will be executed and the following will happen:

  1. Create a directory on your PC, where some files will be uploaded to. In 'real life', these would be put in your Windows or system32 directory or some other place where they'd be harder to find.
  2. Upload some executable files, such as a Visual Basic script and a compiled executable. The demo script just shows a message; the exe is a command line mailer. Obviously, in real life, this could be just about any program.
  3. Create a registry key. The demo is a 'RunOnce' key that will execute the script. Creating a 'Run' key that starts a service at every boot is just as easy.
  4. Create an additional administrator account. This can be used later for remote login or for "Run As" statements.
  5. Collect information about the logged on user account, computer and domain.
  6. Execute "net view" and "netstat" commands and capture the output. This gives us an idea of what the LAN looks like and might reveal WAN and VPN connections, or new targets for further attacks.
  7. Collect all this information in a text file.
  8. A command line mailer such as bmail can then be used to mail the contents of this file to an email address of choice.

In the demo, the email executable has been replaced by a DOS executable that will put some random green characters on your screen to show that we can download any binary executable. The collected information is shown on screen in message boxes. Obviously, real malware will be rather more stealthy, and less benevolent.
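The two persistence steps above (the Run/RunOnce key and the extra administrator account) leave traces that can be checked for afterwards. The following PowerShell script is an added example, not part of the original demo; it assumes it is run locally in PowerShell 5.1 or later on the Windows host being checked, with the LocalAccounts module available for the group listing.

```powershell
# Added example: audit the autostart keys an HTA-dropped script would write,
# and list who currently sits in the local Administrators group.
$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Entries that launch a script host or an HTA rather than an installed program
# are the ones worth a second look (case-insensitive match by default).
$suspicious = 'mshta\.exe|\.hta\b|wscript\.exe|cscript\.exe|\.vbs\b|\.js\b'

function Get-SuspiciousAutostart {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSChildName/... metadata; skip those.
            if ($prop.Name -like 'PS*') { continue }
            $cmd = [string]$prop.Value
            if ($cmd -match $suspicious) {
                [pscustomobject]@{ Key = $key; ValueName = $prop.Name; Command = $cmd }
            }
        }
    }
}

function Get-LocalAdmins {
    try {
        # Compare this list against the accounts you expect; an unexpected
        # member is exactly what step 4 of the demo would leave behind.
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object Name, ObjectClass, PrincipalSource
    } catch {
        Write-Warning "Get-LocalGroupMember unavailable: $($_.Exception.Message)"
    }
}

'--- Autostart entries invoking a script host or HTA ---'
Get-SuspiciousAutostart | Format-Table -AutoSize
'--- Members of the local Administrators group ---'
Get-LocalAdmins | Format-Table -AutoSize
```

Read the HKLM keys from an elevated session, otherwise only the current user's hive is fully visible.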