For Internet Explorer, it attempts to create several
instances of ActiveXObject to get the versions of
Flash, Shockwave, Java, RealPlayer, Windows Media
Player, and Microsoft Office (classified as either
2003, 2007, or 2010).
For non-Internet Explorer browsers, it attempts to get
a list of enabled plugins from navigator.mimeTypes.
For all browsers, it captures the user agent, whether
cookies are enabled, the OS, the size of the browser
window, and the timezone. It classifies browsers into
different versions, denoted by letters, based on the
existence and behavior of certain JavaScript methods.
The script attempts to exploit an information leak in
older versions of Tor Browser. We explore the
technique used in Section 3.5.
For Windows browsers (except Opera, and versions of
Internet Explorer before IE9), it sends a series of
XMLHttpRequests to 127.0.0.1, which we believe are
designed to deduce if the computer is running any one
of several specific antivirus programs. The code for
this appears to be borrowed from the JS-Recon port
scanning tool.21 The creator of JS-Recon presented the
tool at BlackHat Abu Dhabi in 2010.22 We explore such
techniques in more detail in Section 3.6.
