Remote infection of XML documents

                               by Rajaat
                      Written in Januark 1900 ;-)


Intro

  In the past month or so, I've been translating some Perl snippets I've
  written to VBScript, to show some friend how to do some simple XML
  parsing. After that he has written a VBScript virus that could be
  jumpstarted from an XSL stylesheet (hi to Ruzz!). During writing these
  little fragments of code an idea occured to me that VBScripters can
  use to let their code be remotely executed by a XML or HTML document
  using CSS or XSL. In this article I hope to present some techniques
  that will force the AV to have web scanning capabilities into their
  browser. Ideally, the VBScript will never leave your homepage, but
  documents gets referenced to it.

Prerequisites

  In the examples listed in this article you'll need to understand the
  relations between XML and XSL, so I recommend you to take a look at
  the web pages listed at the bottom of this article before even trying
  to understand how it works. Some of the tricks only work with IE5,
  since that is the only web browser known to me that currently supports
  XSL.

Linking to VBScript from XML using XSL
  If you load an XML document into IE5 it will normally be displayed in
  tree form, of which the branches can be expanded or collapsed by
  clicking at the [-] and [+] (like you would with the normal Windows
  explorer working in Tree mode). A typical XML document looks like
  this:

  <?xml version="1.0"?>
  <virusinfo>
    <writer handle="Rajaat" group="none">
      <virus name="Animo.518" href="http://www.avp.ch/avpve/file/a/animo.stm">
        A simple appending COM infector, written in Sphinx C-- (written by
        Peter Cellik).
      </virus>
      <virus name="Fick.7326" href="http://www.avp.ch/avpve/file/f/FICK.stm">
        A mcb tsr semi-stealth polymorphic fast-infecting appending COM & EXE
        infector, of which the largest part is written in Borland C++ 3.1 (not
        in Pascal, like Eugene Kaspersky assumes).
      </virus>
      <virus name="Uniform" href="http://www.avp.ch/avpve/boot/uniform.stm">
        A standard bootsector virus with read/write stealth.
      </virus>
    </writer>
  </virusinfo>

  If you would cut and paste the above piece in a file using .XML for
  extension and you would look at with with IE5 you will see the
  aforementioned tree structure.

  Now you can imagine XML would be a very nice way to store articles etc
  for displaying on the World Wide Web, if it only could present itself
  in a more readable way. The answer to this is XSL, a method to
  transform XML documents. XSL stylesheets are normally not part of a
  XML document, but are referred from it. With XSL you could choose to
  write a HTML <TABLE> in which the first column shows the virus writers
  handle, and the second contains a list of names of viruses he has
  written (which you can click to take you to the AVP website for more
  info). In fact, big companies use this technique is to format all
  kinds of information. An XSL stylesheet may reside anywhere on the
  internet, as long as the user that views the XML document that refers
  to the XSL stylesheet can access it (must be online) it will be used.

  This is where you come in play. What would happen if an XML document
  refers to a XSL stylesheet that is on your homepage and - besides the
  standard formatting HTML and XSL tags - also holds a piece of VBScript
  code that will add a reference to itself to other XML documents that
  can be found? The XML documents appear to be clean, as there is no
  viral code included, but loaded from a browser it will get started.

  Let's add such a reference to the example shown above. Insert the next
  line right below the <?xml version="1.0"?>:

  <?xml:stylesheet type="text/xsl" href="vinfo.xsl"?>

  Now we must create a stylesheet in the same directory as we created
  the XML document. In the example I will call this one vinfo.xsl.

  <?xml version="1.0"?>
  <HTML xmlns:xsl="http://www.w3.org/TR/WD-xsl">
    <HEAD>
      <TITLE>A dull example</TITLE>
    </HEAD>
      <SCRIPT LANGUAGE="VBScript">
        Function dull_message
          Document.Write "<H2>Instead of some stupid message like this "
          Document.Write "you could try to infect some other XML "
          Document.Write "documents on the current drive.</H2>"
        End Function
      </SCRIPT>
    <BODY>
      <h1 onMouseOver="dull_message()">Virus Writer info
        (mouseover this heading activates VBScript)</h1>
      <TABLE WIDTH="*">
        <xsl:for-each select="/virusinfo/writer">
          <TR>
            <TD bgcolor="#C0C0F0" colspan="2">
              <xsl:value-of select="./@handle"/>
              (group: <xsl:value-of select="./@group"/>)
            </TD>
          </TR>
            <xsl:for-each select="./virus">
              <TR>
                <TD bgcolor="#F0C0C0">
                  <xsl:value-of select="./@name"/>
                  <xsl:value-of select="./@href"/>
                </TD>
                <TD bgcolor="#C0F0C0">
                  <xsl:value-of select="./."/>
                </TD>
               </TR>
            </xsl:for-each>
        </xsl:for-each>
      </TABLE>
    </BODY>
  </HTML>

  Now when you load the XML file into IE5, it will automagically use the
  XSL stylesheet to format the data into a nice table. If you move with
  the mouse over the heading tag, the VBScript gets executed and will
  display a lame text.

  Another nice touch is that people cannot simply look up the VBScript
  code by right clicking on the page from within IE5, it disallows the
  page to be viewed in source form if it is processed by a XSL
  stylesheet.

  Now try adding some of your own stuff in it, like running Outlook (but
  where must it get the source from to mail it? You need to get it from
  the web yourself) or using the FileSystem object to "infect" other XML
  document by adding a reference to a XSL stylesheet that is on your
  homepage. Be inventive, I am sure the AV will appreciate it :-)

  Rajaat