    function activex_is_here()
    {
        try
        {
            return false;
        }
        catch(e)
        {
            ;
        }
        return false;
    }
This reminded me of an earlier occurrence of the same function, for instance in the PornTube landing pages spammed in the first week of July. There, the function still did something:
    function activex_is_here()
    {
        try
        {
            var testObject = new ActiveXObject("videoPl.chl");
            return true;
        }
        catch(e)
        {
            ;
        }
        return false;
    }
It attempts to instantiate the ActiveX object "videoPl.chl"; if that fails, the function returns false and the exploit knows that the browser doesn't support ActiveX.
Interesting enough, but a little Googling never hurt anybody, so I Googled for "function activex_is_here()", thinking it might be a decent index for exploits. And of course, as always, when I got there, everybody else had already been. For instance, on the Kaspersky forum there's a lively discussion of adding bits and pieces of JavaScript as virus signatures, but I was more interested in the version of this function they cite:
    function activex_is_here()
    {
        try
        {
            var testObject = new ActiveXObject("Ksec.Chl");
            return true;
        }
        catch(e)
        {
            try {
                var testObject = new ActiveXObject("KsecX.chl");
                return true;
            }
            catch(e) {
                ;
            }
        }
        return false;
    }
That's dated June 8 of this year. It's even more complete. There's also a mention in April of 2007 at a PandaLabs blog.
So this is one component of an exploit pattern that's been in use for over a year (at least), and is otherwise not too interesting. I'd be tempted to say, however, that any page containing a JavaScript function named activex_is_here should be examined for further signs of untrustworthiness.
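One way to turn that last suggestion into a static triage check, as an added example (not code from this post or from any vendor): it finds the activex_is_here definition in page source, lists the ProgIDs it probes, and flags the stubbed-out variant. The names extractFunctionBody and triagePage are hypothetical, and the sample pages are constructed from the three variants quoted above.

```javascript
// Return the source text between the braces of `function <name>(...)`, or null.
// Assumption: braces inside string literals are not handled; this is triage only.
function extractFunctionBody(source, name) {
  const header = new RegExp("function\\s+" + name + "\\s*\\([^)]*\\)\\s*\\{");
  const m = header.exec(source);
  if (!m) return null;
  const start = m.index + m[0].length;
  let depth = 1;
  for (let i = start; i < source.length; i++) {
    if (source[i] === "{") depth++;
    else if (source[i] === "}" && --depth === 0) return source.slice(start, i);
  }
  return null; // unbalanced braces: truncated or mangled page
}

// Classify a page: is the probe present, which ProgIDs does it try, is it a stub?
function triagePage(source) {
  const body = extractFunctionBody(source, "activex_is_here");
  if (body === null) return { found: false, progIds: [], stub: false };
  const progIds = [];
  const re = /new\s+ActiveXObject\s*\(\s*["']([^"']+)["']\s*\)/g;
  let m;
  while ((m = re.exec(body)) !== null) progIds.push(m[1]);
  // A definition that probes nothing is the hollowed-out variant shown first.
  return { found: true, progIds, stub: progIds.length === 0 };
}

// Constructed sample pages, one per variant quoted in the post, plus a clean page.
const samples = {
  stub: "<script>function activex_is_here(){try{return false;}catch(e){;}return false;}</script>",
  july: '<script>function activex_is_here(){try{var testObject = new ActiveXObject("videoPl.chl");' +
        "return true;}catch(e){;}return false;}</script>",
  june: '<script>function activex_is_here(){try{var testObject = new ActiveXObject("Ksec.Chl");return true;}' +
        'catch(e){try{var testObject = new ActiveXObject("KsecX.chl");return true;}catch(e){;}}' +
        "return false;}</script>",
  clean: "<script>function init(){return 1;}</script>",
};

for (const [label, page] of Object.entries(samples)) {
  console.log(label, JSON.stringify(triagePage(page)));
}
```

Matching on the function name alone catches the stub as well as the live variants; the extracted ProgID list is what lets you group pages by variant.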
