#1scotty_ncc1701
scotty_ncc1701
- Members
- 520 posts
- OFFLINE
- Gender:Male
- Local time:09:00 AM
Posted 09 July 2014 - 06:26 AM
Important info about the above, researched after helping member in: http://www.bleepingcomputer.com/forums/t/540363/hello-i-think-i-have-a-virus-maybe/#entry3416831
Please read:
http://www.urbandictionary.com/define.php?term=hxxp
http://www.spywareinfoforum.com/topic/49293-hxxp/
http://www.edaboard.com/thread160169.html
Have a great day!
- Back to top
BC AdBot (Login to Remove)
- BleepingComputer.com
- Register to remove ads
#2myrti
myrti
- Malware Response Team
- 33,787 posts
- OFFLINE
Sillyberry
- Gender:Female
- Location:At home
- Local time:03:00 PM
Posted 09 July 2014 - 06:37 AM
Hi,
hxxp is not a prefix. As a matter of fact if you type hxxp://www.google.de into your browser (firefox in my case), you'll get an error message as follows:
The address wasn't understood
Firefox doesn't know how to open this address, because the protocol (hxxp) isn't associated with any program.
You might need to install other software to open this address.
Your browser doesn't know what hxxp is and therefore just does nothing. hxxp is not an official protocol and, as far as I know, noone uses it as a protocol.
It is however widely used to disable automatic linking of URLs. If I type just the text http://google.com into this window, it will be automatically turned into a link for you by the board software. (as you can see)
Since we are dealing with infected PCs quite a lot of the time and we don't always know what type of links will appear in a log, tools like DDS will automatically replace http with hxxp, thereby disabling the automatic linking and making it safe for you to click anywhere on the page without being redirected to a possibly malicious site. hxxp://google.com is not a clickable link as you can see.
Avast seems to be doing the same. The issue with the warning in the thread is not that it is pointing to hxxps (which it isn't by the way. Avast is using the same method as we are to block automatic links.. The website they blocked started with https:// not hxxps:// but they are displaying it differently to protect their users.
regards
myrit
is that a bird? a plane? nooo it's the flying blueberry!
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
- Back to top
#3scotty_ncc1701
scotty_ncc1701
- Topic Starter
- Members
- 520 posts
- OFFLINE
- Gender:Male
- Local time:09:00 AM
Posted 09 July 2014 - 08:19 AM
Hi,
hxxp is not a prefix. As a matter of fact if you type hxxp://www.google.de into your browser (firefox in my case), you'll get an error message as follows:
The address wasn't understood
Firefox doesn't know how to open this address, because the protocol (hxxp) isn't associated with any program.
You might need to install other software to open this address.
Your browser doesn't know what hxxp is and therefore just does nothing. hxxp is not an official protocol and, as far as I know, noone uses it as a protocol.
It is however widely used to disable automatic linking of URLs. If I type just the text http://google.com into this window, it will be automatically turned into a link for you by the board software. (as you can see)
Since we are dealing with infected PCs quite a lot of the time and we don't always know what type of links will appear in a log, tools like DDS will automatically replace http with hxxp, thereby disabling the automatic linking and making it safe for you to click anywhere on the page without being redirected to a possibly malicious site. hxxp://google.com is not a clickable link as you can see.Avast seems to be doing the same. The issue with the warning in the thread is not that it is pointing to hxxps (which it isn't by the way. Avast is using the same method as we are to block automatic links.. The website they blocked started with https:// not hxxps:// but they are displaying it differently to protect their users.
regards
myrit
No disrespect, but it's a matter of semantics. Per ISO standards, the protocol (http, ftp, etc) aren't part of the URL. Since the protocol is added to the front of the URL, it is, by definition a prefix ("to fix or put before or in front"). For new people using computers, using the term "prefix" is better than using "protocol". Granted, "protocol" is the official term, but again, it is easier for new people to understand.
You should also keep in mind, that it is possible to directly access files on a web site, depending on the language used e.g. PHP, etc. The script on the webpage can easily remove the protocol (prefix), and replace it with for instance http, when the page internally says hxxp is on can easily replace it, and connect to the site anyway. PHP for example would use "str_replace". A very loose example:
$newurl = str_replace("hxxp", "http", oldurl, 1)
So although the site, the web browser, and in this case AVAST still thinks that the protocol (prefix) is hxxp, it is actually using http.
Simply put, I was using the KIS (Keep It Simple) method. But my comments about using the host file is still valid.
Have a great day.
- Back to top
#4myrti
myrti
- Malware Response Team
- 33,787 posts
- OFFLINE
Sillyberry
- Gender:Female
- Location:At home
- Local time:03:00 PM
Posted 09 July 2014 - 08:33 AM
Hi,
I meant to write "defined prefix" rather than just "prefix". Guess you caught me there.
You should also keep in mind, that it is possible to directly access files on a web site, depending on the language used e.g. PHP, etc. The script on the webpage can easily remove the protocol (prefix), and replace it with for instance http, when the page internally says hxxp is on can easily replace it, and connect to the site anyway. PHP for example would use "str_replace". A very loose example:
$newurl = str_replace("hxxp", "http", oldurl, 1)
This does not work. Either PHP tells the browser to load hxxp://url and then the load will fail. Or it tells the browser to load http://url and at that point everyone will know the protocol is http. It doesn't matter what the variable may have previously held, all that matters is the content of the variable at the moment that the browser/whatever program tries to acccess the path.
In addition Avast does not look at what is displayed on a website or the address bar and surely not how a path is stored internally on a server, since it does not have access to it on a normal server (Let's not assume that the server is so badly configured that you can read the php files directly..). It checks where the connection is made to, the GET request, this will include the protocol used and since hxxp isn't a protocol that won't be it.
In the instance we are discussing we're not even sure that this has anything to do with the browser the user had. It could be unrelated with another program/malware in the background making those connections via http.
regards
myrti
is that a bird? a plane? nooo it's the flying blueberry!
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
- Back to top
#5scotty_ncc1701
scotty_ncc1701
- Topic Starter
- Members
- 520 posts
- OFFLINE
- Gender:Male
- Local time:09:00 AM
Posted 30 July 2014 - 07:21 AM
You misunderstood, this was just an example of changing a string, nothing more. The command executing the opening of $newurl still has to be executed. I've done this before. Although there was a typo, the concept is still valid. Here is the code to prove it.
<?php $oldurl = "hxxp://bleepingcomputer.com"; $newurl = str_replace("hxxp", "http", $oldurl); $fp = fopen($newurl, 'r'); $content = ''; while ($l = fread($fp, 1024)) $content .= $l; { fclose($fp); } echo $content;?>This is a really simple example, and because it is simple, it may not work on all pages. But of course this is only a script created in about 90 seconds. Hackers, spammers, etc would have a script that is way more complex, and be more robust.
Have a great day!
- Back to top
#6myrti
myrti
- Malware Response Team
- 33,787 posts
- OFFLINE
Sillyberry
- Gender:Female
- Location:At home
- Local time:03:00 PM
Posted 30 July 2014 - 07:23 AM
Yes and then what you tell the computer to visit is newurl, not oldurl. So the "string" that is actually send to your browser is "newurl" not "oldurl" hence hxxp is irrelevant. Avast will never know how you called that thing internally. The only thing that matters is what you send to fopen, which is http:// not hxxp.
regards
myrti
is that a bird? a plane? nooo it's the flying blueberry!
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
- Back to top
#7scotty_ncc1701
scotty_ncc1701
- Topic Starter
- Members
- 520 posts
- OFFLINE
- Gender:Male
- Local time:09:00 AM
Posted 30 July 2014 - 07:50 AM
When I said "it may not work on all pages", it was met to mean that all pages may not display correctly, but of course, depending on the hacker, etc, they may not be displaying a page, just executing java script, downloading files, etc. Using something other than http, etc is how hackers, etc get around the checks of some security programs.
Have a great day!
- Back to top
#8myrti
myrti
- Malware Response Team
- 33,787 posts
- OFFLINE
Sillyberry
- Gender:Female
- Location:At home
- Local time:03:00 PM
Posted 30 July 2014 - 07:56 AM
This is just wrong. If you use this code:
$oldurl = "hxxp://bleepingcomputer.com"; $newurl = str_replace("hxxp", "http", $oldurl); $fp = fopen($newurl, 'r'); You are using http, because you replaced hxxp with http. Hxxp is not used at any point here except as a string somewhere in the internal processing of the server to which no AV has access to anyways. So nobody would ever know that it was called hxxp at some point, everybody would assum that the address was always http://bleepingcomputer.com. If you do fopen(http://.... it will work for all pages. If you do fopen(hxxp://... it will work for no page. That's why hxxp is used to disable links. It's not a hacking technique, it's not uesd by hackers and it can not be used to display a page, execute javascript or downlading files.
This brings me back to the previous statement "You can not use hxxp because it's not a valid protocol and no browser or javascript or anything really will know how to use it".
regards
myrti
is that a bird? a plane? nooo it's the flying blueberry!
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
- Back to top
#9scotty_ncc1701
scotty_ncc1701
- Topic Starter
- Members
- 520 posts
- OFFLINE
- Gender:Male
- Local time:09:00 AM
Posted 30 July 2014 - 01:56 PM
Yes and then what you tell the computer to visit is newurl, not oldurl. So the "string" that is actually send to your browser is "newurl" not "oldurl" hence hxxp is irrelevant.
That is my point. Although originally coded as "hxxp", it changes it to "http" dynamically, and security software that looks for, as an example, "http:// + bad site name in a script will fail to detect it. You're concentrating strictly on AVAST, but I stated "security software", meaning in general.
Add to that, the "$OLDURL" was to emulate the bad url that a malicous script (for example) would use to bypass security software detecting a bad site, when using "hxxp". In the script "hxxp" can also be replaced with any string, including "astinkydog". The better way is to search for the domain name (e.g. fakesite.com) as a substring of whatever site its trying to go to, and then cause it to fail.
As I said, in my post, "The script on the webpage can easily remove the protocol (prefix), and replace it with for instance http, when the page internally says hxxp is on can easily replace it, and connect to the site anyway". I NEVER SAID THAT "HXXP" WAS A VALID PROTOCOL, but it in the protocol position. In the context provided, "protocol" (with quotes) is the same as "air quotes" when someone is talking, meaning that it shouldn't be taken as the word's literal meaning.
The point is, as it has been throughout this post, that even if a bad string is placed in position of "http", a hacker can, as the script proves, change it it dynamically, then access a site, depending on how the security software detects things. Also keep in mind my statement of "Hackers, spammers, etc would have a script that is way more complex, and be more robust". The example script was just to prove the concept that, in this case "hxxp", can be changed dynamically, and remote file can be accessed.
My script example is valid, because I used it.
Have a great day!
- Back to top
#10myrti
myrti
- Malware Response Team
- 33,787 posts
- OFFLINE
Sillyberry
- Gender:Female
- Location:At home
- Local time:03:00 PM
Posted 30 July 2014 - 02:08 PM
But the security software can not look at the string before it is send to your browser... It doesn't matter at all if you dynamically changed it or not. All that counts is the get-request with the address and either that's a http:// request and gets processed or it's hxxp:// and it gives you the error message above. There's no in between, there's no "i send it to the browser and then, mid evaluation I change it because...". The brwoser and the AV get it at the same time and they get the same thing.
What you're suggesting is that I'm walking down the street and looking for an address and then there's one malicious guy, that wants to show me the wrong way. But he decides to do it dynamically, so he thinks of a malicious address, then before he says it he changes it to the real address so I won't catch on to the wrong addres. So he tells me the real address and expects me to be fooled because he was thinking of a different address before. It just doesn't work.
regards
myrti
is that a bird? a plane? nooo it's the flying blueberry!
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
- Back to top
