Michele get’s hit by the Bloodhound exploit

Posted by on March 22, 2005

A friend’s blog was recently hit with a bug that caused some trouble for her. In her comments a reader asked how this could be possible. This page is for them and anyone else interested in the fun that can be had with Cross Site Scripting or XSS.

Consider this link:

When viewed in the browser it looks like this: Google

There’s all kinds of things we can put inside href=”HERE ” that can do fun things and…well…not so fun things.

We’ve all received the emails telling us that our bank wants to update certain information about us and requests that we go to their website. They are kind enough to include a link to the bank that might look like this:


But the real link sends you someplace else. By hovering your mouse over the link, right clicking, and selecting VIEW SOURCE or PROPERTIES or LINK PROPERTIES or whatever the equivalent is in your browser you would see something like this:

By clicking on the link you would end up on my site and not your bank. Typically this isn’t what you would want to happen but in this case it’s relatively safe. For those who are paranoid, we always check the source before we click unsolicited links…and most solicited links…and we would see that the actual target site isn’t the site where we want to go. There are ways around this as well. We’ll continue on with the NationalBank.com example:


Looks the same but…where are you going this time. Here’s the source:

It’s the same thing just encoded as hexidecimal.

Now…let’s get tricky. Some bloggers are relatively tech savvy. They know alittle about javascript and the power that can be had with it. Let’s include some javascript in a link and see what happens:


Again…looks fine in the browser but what about the source:

So now you have Javascript executing as a result of clicking a link. This can’t be good. But it’s visible in the source so we’re all good right? No.

Same link but encoded in hex: http://www.NationalBank.com/

I don’t know for certain as I didn’t do any analysis of the machine but I’m guessing a comment or trackback was left on the site that forced a malicious script on her blog. When people loaded the page the script was executed which forced some stuff to the readers computers…that stuff being a Compiled Windows Helpfile(*.CHM) which then executed beginning a big long nasty string of events ranging from antivirus programs being triggered to outright infections.

If you think you have been attacked by the bloodhound.exploit.6 exploit then you can find “cleanup” instructions here.

If you want to learn more about this exploit, the DShield list has a great writeup by Peter Stendahl-Juvonen.

Last modified on March 22, 2005

Categories: InfoSec

« | Home | »

2 Responses to “Michele get’s hit by the Bloodhound exploit”

  1. Knox Says:

    If I’m understanding correctly, you’re saying that ASV’s virus was due to javascript being loaded into one of the comments. Just putting a link wouldn’t do it; it takes live javascript. I do not know the mechanism for capturing comments, but it seems wrong for a site to allow live javascript to run because it got posted to a comment. This seems similar to SQL injection attacks on websites, where insufficient screening of inputs allows malicious users to run their own queries against the database. If other people’s javascript can run on your site, it could potential rewrite portions of the screen, cause popup ads and a whole lot more, not just attempting to infect visitors with a virus.

  2. pilgrim Says:

    See…this is what I get for not completing a post! You are quite right that this is a SQL injection attack. I’m thinking that their was javascript injected into the her database that, once loaded, fired up the XSS attack bringing in the nasty stuff.

    I’ve been looking around for the actual exploit code for the bloodhound bug with no joy. I’ll be moving this post to the top and finishing up the analysis soon.

    Thanks for the catch…you are dead on right.

%d bloggers like this: