HTA script exploit loads RATs

THEY'RE BAA-ACK!


----------------------------------------------------------------------------
A little over two years ago, an exploit of Microsoft's "HyperText
Application" ("HTA") scripting capabilities surfaced, which allowed
rogue sites to load a script on the machines of victims and in turn,
that SCRIPT would create a Windows PROGRAM on their hard disk and then
RUN it. It took Microsoft a period of time after the exploit was
publicized before Microsoft did something about it, barely.

In the interim, while people were being victimized, we released a
freebie called "HTASTOP" which permitted people to BLOCK any attempts at
installing or even running an HTA script. This solved the problem for
the several months it required for Microsoft to deal with their problem.
While Microsoft's solution resolved the problem to a degree, it only
removed the danger from the "Internet Zone" and didn't ever deal with
the problem of the "Local Machine" or "My computer" security zone. Our
free HTAstop
however, DID protect all zones from rogue scripts exploiting HTA holes.

Fast forward this past month. After so many patches, so many
adjustments, and new versions of Windows, the problem has returned with
a vengeance. About a month ago, a few spam emails were reported which
contained various attachments with filenames like ERROR.HTA or
FREEPORN.HTA or other enticing "click on me" names. In the past couple
of days, and particularly TODAY, more variations on this theme are
appearing, claiming "returned email, click on the attachment for more
information" with respect to the
"undelivered email." So far, we've received reports from several hundred
of our customers telling us that our BOClean product applied the brakes
for them and found nasties on their machines where their antivirus
software DIDN'T.

What makes this twist even more of concern though is that the HTA
script is obfuscated within an MS javascript" which causes the
attachment to elude ALL antivirus programs unless they are redefined to
the specific characters in a specific attachment. We've examined about
16 of these and there's no opportunity for the typical "antivirus
pattern match" on these files.

They're all different, and unique. And the "zombie" which is downloaded
reports back to a site which tracks carefully which nations and specific
IP addresses it has been successfully installed to. Of primary interest
to the culprits are the US, UK, Russia and Australia specifically, but
other nations carry lesser "weight" and are also included after
reviewing the unprotected site and its files that the script kiddies
behind this are using to cull the data from their trojan and run their
scripts from.

The source of the file is the Mideast region although the specific
country has not yet been determined. However, the sheer number of
reports from our BOClean customers with respect to trojans found after
licking on these attachments has been nothing less than STUNNING,
especially considering that the nasties in question arrive in SPAM!
People still apparently OPEN SPAM, and even worse, CLICK on attachments
in SPAM!

The central theme of the various downloads are getting a "mass denial
of service bot" onto your system, then putting it to sleep awaiting
command from its "master." This portends of a serious situation ahead
and the sheer VOLUME of the emails indicates that if it's successful, it
will be a MASSIVE attack based on our examination of the DOWNLOADED
nasty once the exploit downloader successfully downloads same. The
downloader making the rounds has numerous download sites and fallback
opportunities to other sites
should any of the primaries be shut down. It has the ability to contact
many sites as well as IRC's "dalnet" in order to FIND "updates" as has
been typical for quite some time. What makes THIS different is its
apparent SUCCESS.

The most recently encountered HTA files contain a buried exploit of
Internet Explorer which causes it to visit various pre-programmed sites,
whereupon it begins to download a BACK DOOR TROJAN which is immediately
activated. The one we saw overnight downloads MIRC and sets up a
backdoor, a port flooder and a multiple instance denial of service
zombie which at this time "sleeps" for further activation. In examining
the downloaded "zombie" we've found additional obfuscation and "stealth"
which continues to
elude even the BEST antiviruses entirely, even when it RUNS.

Our BOClean antitrojan software detects and deals with all of these
items as of our most recent updates. HOWEVER, the HTA exploit is of
great concern since it appears to be sufficiently successful that it's
being exploited at an exponential rate at this time. Even MORE
disturbing is that, with all of the "security improvements" Microsoft
has claimed to make to Internet Explorer and Outlook Express in making
it nearly impossible to receive a LEGITIMATE file attachment in email,
the proprietary formats belonging
to Microsoft themselves have NEVER been "corralled" ... such as VBS, HTA
and others.

Since we made a free solution to this problem available back in April
of 2001, we highly recommend that anyone (including our customers)
download this free utility. HTAstop does not need to be installed or
uninstalled, it's a stand-alone program that turns HTA within Windows on
and off at will.

Over the time since we released this utility, HTA has STILL not been
widely used, therefore turning off HTA capabilities PERMANENTLY remains
the most effective solution to this long-standing exploit of Windows
(all versions from Win95 to XP) ... and if you KEEP the HTAstop utility
handy (it's VERY small) you can always reverse the system neutering
should there ever occur a LEGITIMATE need to run HTA. This exploit is
yet another of many reasons to NOT permit "scripting" to run AT ALL in
Windows. It's been a continuing
nightmare and security hole that is the basis of the majority of all
exploits ever since Microsoft released their "Internet Explorer"
browser.

These exploits and security holes haven't stopped after a good number of
years of Microsoft trying to fix them without disabling their "internet
integration" entirely, which would actually solve the problem.


WHY SHOULD I CARE ABOUT THIS?


----------------------------------------------------------------------------
PROPERLY PATCHED systems will still HIDE "file extensions" ... so
instead of seeing a link marked "FREEPORN.HTA" you will see "FREEPORN"
as something to click on. Reality has demonstrated that people WILL
click on it. This is what the authors of this malware DEPEND on. If you
have all "hide file
extensions" and "known safe programs" enabled (by default, Windows IS
this way) then you may be fooled and click on it.

File extensions CAN be shown:

http://www.cert.org/incident_notes/IN-2000-07.html

That alone will go a LONG way in DISCLOSING unknown, unsafe file
attachments. If a file attachment ends in .COM, .BAT, .PIF, .LNK, .WMA,
.EXE, .VBS, .SCR, .HTA or OTHER unsafe attachments, at least you'll now
SEE it!

If your system doesn't have ALL the patches (many Windows "fixes" are
NOT cumulative, if you missed the one that pops up an alert, then you're
NOT protected) or you've reloaded Windows and you're NO LONGER patched
AT ALL, then these HTA things will just RUN silently without so much as
a warning or whimper while they do their work completely hidden from
view.


OTHER EXPLOITS OF NOTE


----------------------------------------------------------------------------
Microsoft is also battling demons with their WEBDAV, IIS, and numerous
other components that are part of their "web servers" and WindowsNT,
2000, XP and certain machines that contain personal web servers, file
sharing tools such as KAZAA, GnuTella, WinMX, Napster and such. In fact
the record companies and others are exploiting the security holes in
these and Windows in general in order to SABOTAGE those running "file
sharing software."

If you're DELIBERATELY running a remote server on your machine, then
you're at serious risk of being "trojaned" and the federal courts of the
US are refusing to prosecute corporate sabotage if you're a "thief." And
all of the patches out of Microsoft and other vendors are playing a
"catch up" game with existing, readily exploited back door trojans. Even
this HTA outbreak's purpose is to install a trojan to take over your
system. And Microsoft is NOT fixing the holes, nor are they backfilling
your PRIOR "updates" if you find yourself needing to reload Windows with
all the pre-existing bugs and holes on your "repair disk."


ARE YOU UNPATCHED?


----------------------------------------------------------------------------
Most people who fall victim to old exploits (this one is STILL a risk,
Microsoft NEVER patched THIS one worth the proverbial "whistle") fall
victim to exploits because they're REINSTALLED WINDOWS! Sure you got
your machine all patched up once before. You did all the "Windows
updates" and kept Microsoft happy with your frequent visits.

When you "crash and burn" though, you end up reloading Windows again.
What about those patches? Whoops. A good number of Windows patches were
"one of a kind" releases and Microsoft is notorious for relocating their
pages and not maintaining them, so patches from a few years ago are
GONE! And Microsoft won't let you find them AGAIN if you're not using
their LATEST version. In other words, if you're running Win98, or ME, or
NT, you're SCREWED. FORGET Windows95, no patches at all!

Most people visit the "Windows update" site and allow Microsoft to
automatically install them. As a result, you don't HAVE a backup to use
the next time you reload Windows. If it's gone from their site, and you
don't know about the need for it, old exploits (like THIS two year old
one) come back to bite you. And Microsoft has NOT "cumulative patched"
many of these exploits. The HTA exploit has NEVER been fixed! The only
solution Microsoft has applied is a "script warning" *IF* you have it
turned on. Default
values in Internet Explorer and Outlook Express are "RUN IT!"

IF you use "Windows update" all you're doing is letting Microsoft
"check your inventory" and then download and install a program without
any means of future reloading. Instead, note the updates available and
then go to their CORPORATE SITE and MANUALLY download the updates!

http://corporate.windowsupdate.microsoft.com/

Natch, you have to turn on everything HERE, but at least you can RIGHT
CLICK and "Save Target As" and end up with a file to run that you can
copy to a BACKUP DISK FIRST ... THEN you can run it and patch youself
once you have a COPY of the patch for the NEXT time Windows crashes and
burns and you need to reload your world, completely UNPROTECTED. THIS is
the avenue by which most of these exploits function.


DOWNLOAD HTASTOP, IT'S FREE!


----------------------------------------------------------------------------
If you're not using BOClean, look for HTASTOP on our "freebies" page:

http://www.nsclean.com/freebies.html

Given the current popularity of HTA, we'd even recommend that our
CUSTOMERS download HTA stop and run it - while BOClean protects you
against back door trojans and similar nasties, the HTA exploiting going
on just might permit ordinary VIRUSES to slip past. Normally, incoming
nasties known to the Antivirus companies get stopped long before a
trojan is allowed to actually RUN where BOClean steps right up and
trashes it. BOClean is NOT a substitute for an antivirus program and the
current exploits of HTA _ARE_
successfully bypassing antivirus software. BOClean is intended to be a
second layer of defense for situations where a nasty slips past your
antivirus given the unique nature of backdoors and the continuing
inability of antivirus software to stop them once they've "implanted."

HTASTOP is provided FREE. Of course, we'd appreciate your looking at
our commercial software and considering buying a copy of what we make,
but there's no obligation, no spies, no nonsense with any of our
freebies. They have been provided to provide a limited subset of what
our commercial products provide, and are completely self-contained.
We'll never bother you if you choose to use one of our freebies, so feel
free to grab a copy and be safe without annoyance.

Please also understand that freebies are not supported officially,
support for our freebies are maintained on our website with all the
answers you'll need, links to them listed directly on the screen of the
freebies themselves to further ensure your privacy in not having to
contact us if you don't
want to. Since these have been around for QUITE some time and folks have
contacted us for support in the past, they're MOST reliable and won't
REQUIRE support.

 

Thanks Nancy !

For some good postings about the topic see also the DSLR-security-forum:
http://www.dslreports.com/forum/remark,6784614~root=security,1~mode=flat

 

Thanks for the interesting info and the thread.
Fortunately it confirms DCS WormGuard protects you against this HTA problem as well.

 

WormGuard, HTAStop, ScriptSentry, ScripTrap - any of these would be very handy to have around, especially with the appearance of the new variant of Inor.B floating around. Pete

 

hi pete

i've been running ScripTrap for almost one year now and feel pretty good about the extra layer of protection it provides.

any opinions on comparing HTAstop to ScripTrap, or any input regarding running them both?

and if i read Nancy's article right, it is advisable even for BOClean users (me) to install HTAstop?

regards



mark

 

To the best of my knowledge, if you're using HTAStop, ScripTrap will never see any HTA to "Trap" - thus, running them both together shouldn't present a problem re: which app is going to handle an hta alert.

And, yes, that's the way I read what Nancy said, too (although I don't really understand why, if you're already using BoClean, you'd actually need to apply the HTAStop fix).

Since I'm running WormGuard, I can't really help you any more than that, sorry. Pete

 

I am running BOClean, IEClean, and WormGuard.

IEClean (not free; also from the company of Nancy and Kevin) gives far more protection than HTAstop.
I would recommend it to any user of IE and OE, but that's -of course- up to the users themself (and, no secret, I'm a diehard fan of it).

With IEClean you can block:
- ActiveX
- MS-Java data
- MS-Javascript
- VBS Scripting Host

And, if you need one of these for some reason, you can very easily un-block them (you need to restart IE for it to take effect); see my screenshot.

Copy from the IEClean Helpfile about the VBS Scripting Host:
[hr]
"VBS" or "Windows Scripting Host" (WSH) is far and away the single most dangerous security problem in Windows to date. This is the primary mechanism for system intrusions and the spread of viruses. Prior to this version of IEClean, there was no clear cut solution to the problem other than the wholesale destruction of the VBS and WSH capabilities in Windows. To make matters worse though, any time you went to do a windows update, Microsoft would only put the files right back into your system, exposing you once again long after you thought the files were gone forever.

We've come up with a very unique way of dealing with these extremely dangerous mechanisms that have allowed viruses such as Melissa, BubbleBoy, ILOVEYOU, KAKWORM and hundreds more to spread. Instead of removing or disabling the functions, when this box is checked, IEClean will cause Windows to completely forget HOW TO USE THEM. With no files removed or renamed, Microsoft can't put them back and in the rare circumstance where you actually might need to use these functions, all you need to do is uncheck the box for as long as you need to have them enabled, then turn them back off again for safety while you surf.

McAfee's "clinic" and several other online services do use these (a very bad idea but we need to be able to support them) and thus the ability to turn them on when needed. When you check or uncheck this item, you will need to hit SAVE in order to cause the settings to change in Windows. This one feature alone should justify IEClean's price.

Scripting Functions controlled by this button include the following:

HTA
JS
JSE

SCT
SHB
SHS
VBE
VBS
WSC
WSF
WSH

Each of the above is a different specific file extension which invokes the Windows scripting host (WSH) or one of the other scripting hosts (CSCRIPT, JSCRIPT and others) as well as the particularly dangerous HTA (HyperText Application) format which has not been widely exploited YET. HTA is especially dangerous as it's designed to run locally as planted by a website and has absolutely NO security protections whatsoever. Microsoft only recently made detailed information on its use to the public at large on their MSDN site. When Microsoft publishes these "how to's" the trojan and virus makers aren't far behind. HTA will come into prominence very soon. We cover it now.

IEClean is Copyright 1996-2001 by Privacy Software Corporation

 

How does your set up fair against the Finjan scrap object test?

http://www.finjan.com/mcrc/demos/exe/demo.doc


Also good test here at computerbytesman:

http://www.computerbytesman.com/acctroj/iframe.htm

script defender kicks in for me on the iframe security hole.

another interesting test at grey magic dso exploit:

http://security.greymagic.com/adv/gm001-ie/simplebind.html

link to greymagic for more info:

http://security.greymagic.com/adv/gm001-ie/

more tests at finjan, which are pretty easy to defeat:

http://www.finjan.com/mcrc/sec_test.cfm