WSHOM.OCX Exploit

Yesterday evening, a new script exploit was brought to my attention. :-/

We grabbed a copy and analysed it overnight in our lab. This exploit disabled mouse, monitor and keyboard, edited the registry to remain in the system and then filled the hard disk swap space and memory. After this it formatted the C: drive. If you turned off your machine, it would write to WININIT.INI to continue on the next boot before Windows could start in order to finish its complete destruction of your system. A number of "web trojan downloader" exploits also make use of these functions to cause Internet Explorer to automatically download back door trojans without placing a screen to let you know that this was occurring. "dotNET" extensions when enabled in the Internet Zone are DANGEROUS. The WSHOM.OCX file is the core of this risk and is not easily removed owing to Microsoft's "system restore" which will put it back. This is a completely separate issue from "DataSource Object" exploits for which we created DSOStop although using our FREE DSOStop software and making certain that you've checked the "Internet Zone" protection will also help. That's why we included the "Internet Zone" in its coverage.
Our IEClean completes the protection package for this exploit if you don't wish to edit the
registry yourself.

Come to our website:

http://www.nsclean.com

and see for yourself. The test is PERFECTLY SAFE, it involves an attempt to open 3
instances of CALC (calculator) on your system. It does not send ANY information from your
system back to us either.  

 

I tried the test and nothing happened, is this OS specific? I am using XP Pro, I did have active X turned off, but I turned it on, and restarted my browser, cause I wanted to see the effects, I just saw the pop ups, telling me what would happen and presses ok, but after 7 times, I gave up, so that is why I am asking, is this OS specific.

 

These exploits try to take advantage of IE's weaknesses : Javascript, Scripting and ActiveX functions all originally intended to be permitted by Microsoft.

 

i just tried the test too; got the 2 pop-up warnings of what could happen...but i didn't get the 3 CACL.EXE things.

i gave it several tries in IE and still didn't get the 3 CACL.EXE pop-ups, so i tried it again in Netscape but only got the 2 pop-up boxes telling me what was/could about to happen...but no CACL.EXE appeared.

i do have javascript, active x, and scripting enabled (some set to prompt)...i know i know...but i NEED them enabled.....yes i do. ~lol~

was a li'l curious about this part though (sorry, not sure how to use the quote feature here yet)  but where it said: "The WSHOM.OCX file is the core of this risk and is not easily removed owing to Microsoft's "system restore" which will put it back."

ummm...i did a file search for that WSHOM.OCX and i don't have it on my Windows 98SE system....?  (i am guessing this is good huh?) ~nods~

 

WSH - Windows Scripting Host
People with WormGuard (www.diamondcs.com.au) are protected already. This is one of the reasons why we did not get those boxes in the test, besides other security settings, patches, whatever.....
With this it is not necessary to cripple windows/IE even more.
Thanks for the test and fine explanation.

The description in the GM test is not quite clear to me what is supposed to happen or not happen from the descriptions there.
It would certainly help a few lines in the pages to that description explaining that part. Thanks in advance!

 

For those of you who didn't catch this, here's a copy-and-paste of Kevins' GRC post relating to this:

"Rather than reply to an individual message, I'll put this up "blind" in
hopes that this will help to explain the various outcomes for all. My NEXT
message will describe how to interpret what you found in visiting our
site, but I felt it would also be useful to explain WHY we did all this in
the first place.

Sorry for the confusion and the wait, folks ... I really needed to get
some sleep after trying to figure out what we had here. I had *hoped* that
there wouldn't be many people for whom this exploit functioned, but what
was so disturbing about it for me is that it shouldn't work at ALL for
anybody. Before I explain what to make of the results, let me fill
everyone in on what this was about first and why we became sufficiently
concerned to put up this test in the first place.

On Saturday night, a well meaning soul posted a question on another
security forum wondering why only one antivirus program detected the
"Trojan.BAT.FormatCQ" javascript exploit and then posted a link to a live
site containing the nasty on it. It's always been my OWN understanding
that "WSHShell" functions could only be run on the local machine and that
it's supposedly not possible for it to run across the "Internet Zone" in
Internet Explorer. What became of this though was other people had
discovered that the script INDEED ran, and could run WITHOUT AN ACTIVEX
warning all by its lonesome.

Further discussion turned to "I get a warning with IE5 but with IE6 it
just runs." The exploit in question deletes registry keys, stuffs memory,
and then quietly begins formatting the C: drive with the /Q switch. In
addition, the exploit makes other changes to windows so that it could not
be rebooted and by disabling the mouse, keyboard, monitor and PCMCIA card
(though PCMCIA was spelled incorrectly). FORTUNATELY the script in
question had some flaws in it that prevented it from doing all it was
advertised to do although it DID start formatting the C: drive. The VAST
majority of people said that they only received a blank page that did
nothing while others said it popped right up and started going. THAT was
what raised my own concerns about it since we had just dealt with the
"data source object" issue just a day or two ago and this was SOMETHING
ELSE.

After that discussion, I received email from some other people who had
fallen victim to that exploit in other places and they informed me that
they were using IE6, had all their patches, and it still trashed their
system without any warning whatsoever. Others indicated that they had
received a "This page contains ActiveX content that might be dangerous to
other elements on this page" (whatever THAT means) and did what they
usually do ... they let it RUN after getting a warning box. It was that
some never got the warning box at all that was a major concern in my eyes.
So for a number of hours, we played with it among our lab rats in
"BOCleanville" and one XP machine that had its recent Microsoft updates
(most of our machines stay unpatched for trojan testing in worst-case
scnarios and run across all versions of browsers and OS versions with and
without patches, a pretty good "sample" of what normal people have and do)
went and ran the emasculated nasty we edited from the original (we changed
FORMAT C: /Q to CALC) from a server in the Internet zone and up came CALC.
We finally reproduced it on *ONE* machine here our of our entire
laboratory.

So what we determined HERE was that it WAS possible for the script to run
"across the Internet" (WSHShell should NOT) and that on MOST machines, an
"ActiveX warning box" DID appear. Only on one machine did it NOT. When
"Yes" was selected on the ActiveX warning box, the CALCs appeared. If you
hit cancel, it didn't. Assuming you were given the choice to refuse it of
course. This generated my own concern. But there were more and I'll get to
those later.

What I didn't understand is that WSHShell isn't supposed to do ANYTHING
if it's in the Internet Zone, and yet there it was doing it. Given what we
saw and what was reported by others, we put together a SAFE version of the
exploit to allow people to test their own machine based on what we
observed with the actual nasty. What we DO know is that turning off
ActiveX and Javascripting in the Internet Zone does stop this puppy.
Unfortunately since we were looking at this exploit directly and we use
IEClean here, we did NOT take the time to determine WHICH "Security Zone
settings" were involved - in our testing, we let IEClean handle a number
of ActiveX and Javascript things the way IEClean handles it. Others are
welcome to play with their own Internet Explorer settings in hopes of
determining which security zone settings will affect this vulnerability.

Some information on the capabilities that the WSHShell exposes can be
read here:

  http://www.winguides.com/scripting/reference.php?category=3

Now if you really want to get nervous, try this ... go back to our site
at:

 http://www.nsclean.com/exploit.htm

And SAVE the file to your desktop. Go offline and then open it locally.
It will DEFINITELY run in Internet Explorer and may or may not produce
that "ActiveX" warning. Now be mindful of course that this "WSHShell"
stuff SHOULD be able to work on your local machine. However, let's bear in
mind that a website could drop this in your CACHES and then invoke it
locally using the DSO exploit or one of many others. Even with your
internet protections, now that a WEB PAGE is on your local machine, this
second step of a local copy (there'll be one in your caches just by
visiting our site on the internet) will now allow the exploit to work on
just about any copy of Internet Explorer. While this scenario is
far-fetched (is it really?) this will complete the picture of why I found
this whole thing a bit worrisome.
--
NSClean Privacy Software division
Privacy Software Corporation
http://www.nsclean.com
kevinmca@nsclean.com

 

Kevins' explanation of the results:

"INTERPRETING THE WSHOM.OCX TEST

The OBJECTIVE of the test is to see whether or not three copies of the
Windows Calculator (CALC.EXE) appear on your screen. The appearance of the
instances of the CALC program means that your machine is exposed to this
exploit and you are vulnerable. The WSHShell exploit can ONLY work under
Internet Explorer. Netscape, Mozilla, Opera and other browsers that do NOT
use Microsoft's scripting are safe and this vulnerability does not exist
under Netscape, newer versions of Opera or Mozilla.

If you were offered a warning that says in effect "An ActiveX control on
this page might be unsafe to interact with other parts of this page. Do
you want to allow this interaction?" (a rather vague warning that
certainly doesn't indicate that the script may destroy your machine) that
warning indicates that you have ActiveX enabled (in prompt mode) and if
you click on YES, then the 3 calculator instances will appear. If you clik
on NO, then the script won't run and CALC won't appear. If the "ActiveX
warning" doesn't appear, then ActiveX is turned off on your machine and
you are safe.

If this box appears but CALC doesn't, then either you've removed the CALC
application from Windows or you have removed Windows Scripting Host.
However, the WSHOM.OCX file is *NOT* removed if you uninstall Windows
Scripting Host. It is WSHOM.OCX that is responsible for this
"functionality."

Prior to the attempt to run the 3 copies of CALC, there is a "javascript"
popup window that first explains that we're going to try to run 3 copies
of CALC and indicates that no harm will occur if you allow it to run.
That'll be the first popup you see before CALC runs. After CALC either
runs or doesn't run, a second popup appears that starts with "In this
test, we only opened 3 copies of CALCULATOR" ... if you don't see the CALC
program three times on your screen, then the WSHShell exploit is disabled
on your machine and you're safe.

Because we didn't want to have your machine interacting with our server,
we did not come up with a means of determining whether or not the exploit
was successfully run on your machine. The second "popup" screen's purpose
is to let you know that the test had been done and indicates that if you
DID see the three copies of CALC running, then there's a problem with
scripting on your machine.

Thus, if you DIDN'T see the three copies of CALC, then you're safe from
this exploit. The two popups are done in plain "javascript" and while we
consider "javascript" dangerous too, it's not as dangerous as ActiveX. If
you didn't get the popups EITHER, then you should have seen a message on
the page itself that says:
--------------------------------------------------------------------------------
You are immune to the "WSHOM.OCX" exploit ... congratulations on SAFE
computing!
You have both ActiveX and "Scripting" disabled on your computer.
--------------------------------------------------------------------------------

If you got the above message, it means that you have both ActiveX and
javascripting turned off in your "internet zone" and are extremely safe.
Safe computing suggests that you should always have both javascript and
ActiveX turned off entirely in the "Internet zone" and any sites that you
visit that require either of these should be moved to the TRUSTED SITES
zone. This method offers the maximum possible security since you never
know when you might get redirected to a rogue site by one you visit. (X-10
pop-unders anyone?)

Another thing we've been getting a few reports of is the Internet
Explorer browser literally GAGGING on the script. My best guess is that
this is because the scripting host or WSHOM.OCX is missing or being
blocked by something else. But for most people, it either is ignored, or
it works. This is something else we're trying to see by doing this test so
you can have an idea of what YOUR machine will do should it encounter this
exploit from a malevolent site.

Finally - this exploit ONLY applies to Internet Explorer and browsers
derived from Microsoft's browser objects. Netscape, Mozilla and recent
versions of Opera are SAFE all by themselves because they CANNOT run
ActiveX unless you have installed the "ActiveX plug-in for Netscape."

Hope this helps ..."

 

Hi all !
        Well I'm running Win98SE and SPF 4.2.
I've tried the "WSHOM.OCX Exploit Test Page", and I get the same thing...no 3 calc.exe's, and no prompt asking me to allow a Java script or Active x app.
I do have WSHOM.OCX on my system. Is the FIREWALL interfering with this test ?
Sorry, I don't get it !!
            Bill

 

Do you have 'Calc' installed?

Do you run any program such as NoScript (from Symantec)?

Is WSH installed on your computer? Pete

 

Wscript.exe is Windows scripting host for Win98SE

 

 Yes, I have CAL installed, I don't use any Symantec products, and I have WSH installed on my PC !! :-/
     billmac

 

Ok I copied the script to my desktop, saved it in notepad, as  test.html, Then I activated it, NAV2002, stop it dead in it's tracks, but I went ahead and told NAV2002, to allow it, one time, and the cal.exe popped up once.

So my firewall, is probably preventing it from activating via internet, but if it did activate NAV2002 would have stopped it.

Here is a pic of NAV2002 stopping it. http://server49.hypermart.net/vampirefo/NAV.gif

 

A poster at GRC called "reader" has set up a flowchart.

His posting:
https://grc.com/x/news.exe?cmd=article&group=grc.security&item=45417&utag=

His flowchart:
http://www.geocities.com/exploitflowchart/

 

i'm in the same boat as billmac...i don't get it

i tried the text again with both browsers in several different ways and each time it would be the same results:  i'd get the first pop-up telling me it was going to see if it could create the 3 copies of CALC and that i should see an Active X warning too....(i never did see any Active X warnings though).....then i'd get the 2nd pop-up saying "in this test we only opened 3 copies of Calculator......"  (but there were no copies of Calculator or anything else but that 2nd pop-up box)

Mickey, i did a search again on my Win98SE using the File Find...and then going in manually and searching the drive too...and no where do i have a file called WSHOM.OCX.....i don't even have the file called Wscript.exe.  i have no idea why though because i do have Wsh installed and the Calc.exe file installed.

Win98SE
Wscript.exe and WSHOM.OCX (not on system)
Calc.exe and Wsh - installed
McAfee Ver 4.0.4194, On-Line (just updated Dats prior to testing)
SPF Ver 4.2 - active
WG - active
HTAstop - active
TDS-3 - active
IE 5.50 - all patches installed, Internet Zone at Med Security, ActiveX & Scripting Enabled.
NetScape 4.76 with Java Script Enabled.

(then tested the other pc)
WinXP-Home
Wscript.exe, WSHOM.OCX, Calc.exe, Wsh all installed on system.
NOD32 Ver 4.2 - active
SPF Ver 4.2 - active
IE 6.0 - no patches installed (i just got this thing), Internet Zone at Med. Security, ActiveX & Scripting at Default Settings.

i am still a bit lost with this test....from what i've read it's a good thing that the 3 Calcs didn't appear, but i am still unsure if i am vulnerable to this exploit, or not, or to what degree, since i didn't get the "You're immune verdict" either.  :-/

 

Mickey, it'd be damned hard to exploit IE's strengths - it hasn't got any!

 

Like written above, if you've WormGuard installed you're protected. Had hoped for WG popping up with a warning maybe, but a lot is blocked in the background.
You can try to disable WG a moment and do the test again and see if you come through it now?
After don't forget to enable and test it again!

 

snapdragin,

Wscript.exe is the Windows scripting host for Win98SE

http://service4.symantec.com/SUPPORT/nav.nsf/docid/2000050512031906&src=n