[Snort-sigs] FPs for 4166 (Shell.Explorer) - "common" print functions

Jeff Kell jeff-kell at ...922...
Wed Jan 11 16:27:07 EST 2006


Getting lots of alerts on sid:416, "Shell.Explorer ActiveX Object 
Access".  Using this object is perhaps walking on thin ice, but I am 
seeing it coming from what I would have thought to be legitimate 
sources.  Are these just legitimate cases of questionable scripting 
style?  Some of the flagged text from known sites:

jobsearch.ma.monster.com spits out this script fragment (3 different times):

>{
>var WebBrowser = '<OBJECT ID="WebBrowser1" WIDTH=0 HEIGHT=0 CLASSID="CLSID:8856F961-340A-11D0-A96B-00C04FD705A2"></OBJECT>';
>document.body.insertAdjacentHTML('beforeEnd', WebBrowser);
>WebBrowser1.ExecWB(6, 2);
>//Use a 1 vs. a 2 for a prompting dialog box
>WebBrowser1.outerHTML = "";  
>}
>
education.uoregon.edu gives us several variations of:

>if (da && !pr && !mac) with (document) {
>  writeln('<OBJECT ID="WB" WIDTH="0" HEIGHT="0" CLASSID="clsid:8856F961-340A-11D0-A96B-00C04FD705A2"></OBJECT>');
>  writeln('<' + 'SCRIPT LANGUAGE="VBScript">');
>  writeln('Sub window_onunload');
>  writeln('  On Error Resume Next');
>  writeln('  Set WB = nothing');
>  writeln('End Sub');
>  
>
www.smartcomputing.com (sic) has a similar fragment to monster.com's:

>{
>var WebBrowser = '<OBJECT ID="WebBrowser1" WIDTH=0 HEIGHT=0 CLASSID="CLSID:8856F961-340A-11D0-A96B-00C04FD705A2"></OBJECT>';
>document.body.insertAdjacentHTML('beforeEnd', WebBrowser);
>WebBrowser1.ExecWB(6, 2);
>//Use a 1 vs. a 2 for a prompting dialog box
>WebBrowser1.outerHTML = "";
>}
>
In fact, after seeing that www.cisco.com also spit out something 
similar, they all contain variations of this function (finally got it 
all in one packet):

>// Print Function
>function printit(){  
>if (window.print) {
>    window.print() ;  
>} else {
>    var WebBrowser = '<OBJECT ID="WebBrowser1" WIDTH=0 HEIGHT=0 CLASSID="CLSID:8856F961-340A-11D0-A96B-00C04FD705A2"></OBJECT>';
>    document.body.insertAdjacentHTML('beforeEnd', WebBrowser);
>    WebBrowser1.ExecWB(6, 2);
>    // Use a 1 vs. a 2 for a prompting dialog box
>    WebBrowser1.outerHTML = "";
>}
>}
>
And now after looking further still, all are variations on a procedure 
to print a document on various combinations of platforms and browsers.

Any further detail on what an "evil" incarnation of Shell.Explorer might 
contain to differentiate it from these examples?

Jeff
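
Added example (not part of the original post, and not Snort's own logic): a Python triage helper for payloads that fire on this CLSID. It labels a payload as the print idiom only when every use of the embedded control is ExecWB with OLECMDID_PRINT (6) or OLECMDID_PRINTPREVIEW (7), or the outerHTML cleanup seen in the fragments above. The function names, result labels and sample payloads are assumptions constructed for illustration.

```python
import re

CLSID = "8856F961-340A-11D0-A96B-00C04FD705A2"  # CLSID quoted in the post
OBJECT_TAG = re.compile(r"<OBJECT\b[^>]*>", re.I)
OBJECT_ID = re.compile(r"\bID\s*=\s*[\"']?(\w+)", re.I)
PRINT_CMDS = {6, 7}  # OLECMDID_PRINT, OLECMDID_PRINTPREVIEW


def webbrowser_ids(payload):
    """IDs of <OBJECT> tags in the payload that carry the WebBrowser CLSID."""
    ids = []
    for tag in OBJECT_TAG.findall(payload):
        if CLSID.lower() in tag.lower():
            m = OBJECT_ID.search(tag)
            if m:
                ids.append(m.group(1))
    return ids


def triage(payload):
    """Return 'no-clsid', 'print-idiom' or 'needs-review' for one payload."""
    if CLSID.lower() not in payload.lower():
        return "no-clsid"
    saw_print = False
    for obj_id in webbrowser_ids(payload):
        pattern = r"\b%s\.(\w+)\s*(?:\(([^)]*)\))?" % re.escape(obj_id)
        for use in re.finditer(pattern, payload):
            member, args = use.group(1), use.group(2)
            if member == "outerHTML" and args is None:
                continue  # cleanup of the injected tag, as in the post
            first = (args or "").split(",")[0].strip()
            if member == "ExecWB" and first.isdigit() and int(first) in PRINT_CMDS:
                saw_print = True
                continue
            return "needs-review"  # any other use of the control
    # CLSID present but no print call captured (e.g. a truncated fragment)
    return "print-idiom" if saw_print else "needs-review"


# Constructed sample payloads modelled on the fragments quoted in the post.
TAG = '<OBJECT ID="WebBrowser1" WIDTH=0 HEIGHT=0 CLASSID="CLSID:%s"></OBJECT>' % CLSID
SAMPLES = {
    "print": "var WebBrowser = '%s'; WebBrowser1.ExecWB(6, 2); WebBrowser1.outerHTML = \"\";" % TAG,
    "truncated": "writeln('<OBJECT ID=\"WB\" CLASSID=\"clsid:%s\"></OBJECT>'); Set WB = nothing" % CLSID,
    "other": "var WebBrowser = '%s'; WebBrowser1.ExecWB(4, 1);" % TAG,  # not a print command
}
```

A 'needs-review' result only means the payload does not match the print idiom; it says nothing about intent and is a cue to look at the full capture.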



