Recently I have noticed an increase in spam aimed at my blog. Looking at the BlogEngine discussion forums I found an entry that talked about an automated tool from BecPoster that automates the process of leaving comments on BlogEngine servers. I just had to see this for myself… So after looking over the details on the website, it does indeed appear that a successful attack is being waged against our BlogEngine servers…
Looking at the website you can see there is little effort to conceal the intentions of the site owner. He has written a spamming tool and wants you to use it:
Looking inside the code with Reflector the attack steps are not too complicated:
    this.WebBrowser1.Navigate(blogPart);
    ...
    // The page is recognised as a BlogEngine post by the default ID of the comment name box
    if (Strings.InStr(this.WebBrowser1.Document.Body.InnerHtml.ToString(), "ctl00_cphBody_CommentView1_txtName", 0) > 0)
    {
        // Fill the four comment fields by their default control IDs, then click the AJAX save button
        this.WebBrowser1.Document.GetElementById("ctl00_cphBody_CommentView1_txtName").SetAttribute("value", str4);
        this.WebBrowser1.Document.GetElementById("ctl00_cphBody_CommentView1_txtEmail").SetAttribute("value", str3);
        this.WebBrowser1.Document.GetElementById("ctl00_cphBody_CommentView1_txtWebsite").SetAttribute("value", text);
        this.WebBrowser1.Document.GetElementById("ctl00_cphBody_CommentView1_txtContent").SetAttribute("value", str2);
        this.WebBrowser1.Document.GetElementById("btnSaveAjax").InvokeMember("CLICK");
        ...
        if (this.chkVerifyLink.Checked)
        { ... }
        ...
    }
It’s easy to see that this tool depends on locating the default element ID ctl00_cphBody_CommentView1_txtName. If it finds this element, the application populates the comment fields and submits the comment. Pretty clean and nifty.
It’s interesting to note that, judging from the validation process, the author of this application intends to sell it to the world. To make sure he gets paid, he has configured the application to phone home and verify that it is registered correctly, which requires you to register for an account:
The key here is the Client ID value, which is actually derived from your own computer. In the code you can see the Client ID being generated from your MAC address, volume serial number, and processor ID:
    // The Client ID is built from hardware identifiers of the machine running the tool
    string str2 = this.GetMACAddress() + "-" + this.GetVolumeSerial("C") + "-" + this.GetProcessorId();
    this.txtClientID.Text = str2;
    // Phone home: the vendor's server answers "OK" for a registered Client ID
    string strText = client.DownloadString("http://www.becposter.com/query.asp?action=login&client_id=" + str2).ToString();
    if (strText == "OK")
    {
        ...
        this.updateLabel(ref lblLoginStatus, "Valid Client ID");
        ...
    }
    else
    {
        this._isValidated = false;
        ...
    }
Each of these functions (GetMACAddress, GetVolumeSerial, and GetProcessorID) uses WMI calls to collect the necessary information; GetMACAddress, for example, takes the MAC of the first IP-enabled adapter:
    // Body of GetMACAddress: first IP-enabled adapter's MAC, with the colons stripped
    ManagementObjectCollection instances = new ManagementClass("Win32_NetworkAdapterConfiguration").GetInstances();
    string str2 = string.Empty;
    foreach (ManagementObject obj2 in instances)
    {
        if (str2.Equals(string.Empty))
        {
            if (Conversions.ToBoolean(obj2.get_Item("IPEnabled")))
            {
                str2 = obj2.get_Item("MacAddress").ToString();
            }
            obj2.Dispose();
        }
        str2 = str2.Replace(":", string.Empty);
    }
    return str2;
All of this is a crude way to tie the tool to a single computer so that it cannot be shared across multiple machines… But overcoming this kind of verification would be trivial: simply hijack the HTTP call and return an OK status to the application.
So how can BlogEngine owners defeat this crafty tool? The short answer is, we can’t. This particular attack can only be stopped by changing the way BlogEngine verifies that the commenter is an actual person. In the meantime, one way to keep spam from appearing is to moderate comments on your blog.
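To make that moderation step less tedious, here is an added triage script (my own example, not code from the post or from the BecPoster tool). It assumes BlogEngine keeps comments as <comment> elements inside each post's XML file under App_Data/posts, with the child element names used in the constructed sample below; it flags any website link, source IP or comment text that recurs across several posts, which is exactly what an automated poster leaves behind.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: three BlogEngine-style post files (element names assumed
# from the 1.x App_Data/posts layout); two comments were planted by a bot.
SAMPLE_POSTS = {
    "post-a.xml": """<post><title>A</title><comments>
  <comment id="c1" approved="false"><author>bob</author><email>b@mail.test</email>
    <website>http://pills.example/</website><ip>203.0.113.5</ip>
    <content>Great post! Visit my site for more.</content></comment>
  <comment id="c2" approved="true"><author>jane</author><email>j@mail.test</email>
    <website></website><ip>198.51.100.9</ip>
    <content>Thanks, the Reflector tip helped.</content></comment>
</comments></post>""",
    "post-b.xml": """<post><title>B</title><comments>
  <comment id="c3" approved="false"><author>alice</author><email>a@mail.test</email>
    <website>http://pills.example/</website><ip>203.0.113.5</ip>
    <content>Great  post! Visit my site for more.</content></comment>
</comments></post>""",
    "post-c.xml": """<post><title>C</title><comments>
  <comment id="c4" approved="false"><author>carl</author><email>c@mail.test</email>
    <website>http://other.example/</website><ip>203.0.113.5</ip>
    <content>Nice write-up.</content></comment>
</comments></post>""",
}

def parse_comments(xml_text):
    """Return one dict per <comment>, with website/ip/content normalised."""
    out = []
    for c in ET.fromstring(xml_text).iter("comment"):
        out.append({
            "id": c.get("id", ""),
            "website": (c.findtext("website") or "").strip().lower(),
            "ip": (c.findtext("ip") or "").strip(),
            # collapse whitespace so trivially varied copies still match
            "content": " ".join((c.findtext("content") or "").split()).lower(),
        })
    return out

def find_clusters(posts, min_posts=2):
    """Map (field, value) -> sorted post names for every website, ip or
    comment text that appears in at least min_posts distinct posts."""
    seen = defaultdict(set)
    for name, xml_text in posts.items():
        for c in parse_comments(xml_text):
            for field in ("website", "ip", "content"):
                if c[field]:
                    seen[(field, c[field])].add(name)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_posts}
```

Point it at the real post files and review the clusters it returns before approving anything from the moderation queue.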

Fri, Jul 10, 2009
Technology