Malware on Websites 2 – ActiveX and Facebook

“Drive-by” infections are possible through browser and plug-in vulnerabilities, which malware creators take advantage of. A vulnerability is a software or hardware weakness that can be used to breach the security of a target computer[1]. The web technologies most often exploited to deliver malware are ActiveX, JavaScript, Java, HTML, CSS, images and the PDF format. Each of these can be a means of running arbitrary harmful code.

There have been cases where the hijacking of a legitimate, well-known website led to malware spreading to the users visiting the site:

The user clicks on the link to a legitimate URL that was hijacked by the cyber criminal for a few days or hours. Then an ActiveX control tests the vulnerability of the user’s browser. If it detects a vulnerability, the malware attacks; if not, it downloads a file, tests for another vulnerability, downloads other files, and so on. Each session of the traffic appears to be benign, but the combined activities become a coordinated attack[2].

Recently, because of the growing popularity of social networking, a new and very fertile ground for malware breeders has emerged: Facebook. As in the real world, the higher the density of people per square meter, the higher the probability of contracting a contagious disease. Facebook is no different. By allowing third-party developers to create applications rich in functionality and complexity, Facebook became a place where malware spreads[1].

Facebook applications are powerful scripts which have access to user account details and execute within the browser. Such a script can easily perform a malicious act such as sending a chat message containing a link to all of the user’s friends who appear on-line. Those who were not on-line would receive an email, sent from the user in question, inviting them to follow the link. The only trick is to encourage a Facebook user to run the offered application by promising some seemingly interesting action, e.g. the app checks which of your friends visits your profile most and gives an exact number. The numbers would be fake, the list taken from the profile and sorted randomly. The link, of course, would redirect whoever opened it to a malware hosting server.

The ActiveX technology is an ideal means of planting malware on the casual website visitor’s computer. ActiveX controls are small programmes, similar to Java applets, that are required to view the content of some websites in Internet Explorer. Other Microsoft products like MS Office or Windows Media Player also use this technology[3], which fortunately gives the upper hand to those products or browsers which don’t use it. To meet the requirement a user needs to agree to the installation, after being prompted by a pop-up window or a warning bar in the top part of Internet Explorer. It would be almost counterintuitive not to install the component required to view the web page we want, wouldn’t it?

Installing an ActiveX component is no different to double-clicking on an unfamiliar .exe file. By agreeing to download and install such a component, a user actually runs an executable which, speaking of malware, either is malware already or will start a chain reaction to download and install a number of malicious programmes from a malware hosting location. Here is an example of the use of IFRAME, which I described in the previous article, in combination with ActiveX to install malware:

(…) standard warning box that Internet Explorer provides users for ActiveX controls loaded by web sites. Unless they have changed the security settings for the Internet zone in Internet Explorer, users should see this warning box whenever they encounter a page that attempts to install an ActiveX control on their systems. This particular warning box resulted from a hidden IFRAME (a window within a window) in the HTML of the LyricsDomain home page. That IFRAME loaded another small page (count.htm) that itself used JavaScript to begin the installation of a 12 kb ActiveX control named download.mp3.exe from As we shall see, this small ActiveX control was a stub downloader that would be used to download and install several megabytes of other software — in total, eight different programs from at least three different vendors. That whole installation process, though, started with the automated installation of this small, innocuously named file described simply as “Software Plugin”[4].
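Added example (not part of the original article or of the quoted analysis): a small static scanner for the pattern in the quote above, a hidden IFRAME on the home page and a media-looking file name that is really an executable. The two sample pages are constructed, and `example.invalid` is a placeholder host.

```python
import re
from html.parser import HTMLParser

# An executable extension hiding behind a media/document one, e.g. "download.mp3.exe".
DOUBLE_EXT = re.compile(r"[\w-]+\.(?:mp3|jpg|gif|pdf|doc|txt)\.(?:exe|scr|com|pif|cab)\b", re.I)
HIDING_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Constructed sample pages modelled on the quote; they are not the original site's HTML.
HOME_PAGE = '<html><body><h1>Lyrics</h1><iframe src="count.htm" width="0" height="0"></iframe></body></html>'
COUNT_PAGE = '<html><body><object codebase="http://example.invalid/download.mp3.exe"></object></body></html>'


def _is_hidden(attrs):
    """True when an iframe is sized or styled so that the visitor cannot see it."""
    tiny = any(attrs.get(k, "").strip().rstrip("px") in ("0", "1") for k in ("width", "height"))
    return tiny or bool(HIDING_STYLE.search(attrs.get("style", "")))


class DriveByScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and _is_hidden(attrs):
            self.findings.append(("hidden-iframe", attrs.get("src", "")))
        if tag == "object" and attrs.get("codebase"):
            self.findings.append(("activex-codebase", attrs["codebase"]))
        for value in attrs.values():
            for m in DOUBLE_EXT.finditer(value):
                self.findings.append(("double-extension", m.group(0)))

    def handle_data(self, data):
        # Inline script text arrives here; flag masquerading file names inside it too.
        for m in DOUBLE_EXT.finditer(data):
            self.findings.append(("double-extension", m.group(0)))


def scan(html):
    scanner = DriveByScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    print(scan(HOME_PAGE), scan(COUNT_PAGE))
```

A hit is a reason to inspect the page, not proof of compromise: legitimate sites also use invisible iframes, so each finding needs a look at what the frame actually loads.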

The worst scenario for infections using ActiveX is when a user changes their security settings after being “annoyed” by the security warnings. By doing this he or she actually places a big “Welcome!” sign at the doorstep of their system for all ActiveX malware in the wild on the Internet, which will then install at will whenever the user accidentally stumbles across it.



1. Vulnerability_(computing)


3. ActiveX

4. The Anatomy of a “Drive-by-Download” by Eric L. Howes

Updated: May 27, 2019 — 10:33 am
