Interesting attack , by-passed FF & Noscript

Interesting attack .

I was watching some of Matt's exploit tests and decided to try one of the links he used.

It was the third one on his recent Panda review , you can see it at 10.17.

http://www.youtube.com/watch?v=tAi57MTW5qM&feature=channel_page.

I was using FF and No script.
It attempted to copy an exe to my hard drive without any intervention on my part.

I also use AE v2 , and turned on its copy prevention , so that stopped the malware running.

might be interesting to check out vs your security set up , of course not a live pc though !



Edit :
1.
There was definately some copy attempt that AE blocked.
2.
After that I got the standard "do you want to run this file blah.exe".
3.
I don't remember if the copy was just the "blah.exe.part" download that sometimes AE blocks or a full exe file.

So may have overstated this exploit a bit..

sorry.

 

A classic example of just how useless AV's really are. even tho Panda detects the malware just like other AV's it is too late the malware is fast at executing and has already done its dirty work.

And yes you are right even with no script some still gets thru.

 

Only 2 links from the Video worked for me.

The first brought up the prompt dialogue box and AE2 alerted to an attempt to download an executable to the temp directory:

​

Disabling AE's Copy Prevention, I connect again to the site and observe a file in the temp directory:
(the etilqs file is a Firefox file)

​

If I SAVE or CANCEL the prompt, the file disappears.

​

If I SAVE, the file is saved to disk but does not run automatically. In the Video, the person chooses to RUN the file
because he is testing the action of the AV.

The second link prompts but does not download anything to the temp directory:

​

None of the remote code execution sites that he tested were working when I tried them. However, one link, the liteautobestguide site, appeared in another exploit a few days ago which I tested, and it served up IE exploits and did not work in Opera or Firefox. The Video narrator mentioned at the outset that he was using IE because some exploit links would not work in Firefox, and his purpose was to get the malware files on to disk to test the AV.

----
rich

 

I've tested the third link, and NoScript block all script and object in that page. If you alow object and then click on it, you will receive a download prompt from the browser.
So Noscript is not bypassed.

 

Changed the title of the thread as I'm not sure if it was a full exe or just the exe.temp file which Rmus mentioned that was downloaded.

 

Mystery of xxxx.exe.part -- Solved

It's my fault for not completely understanding how Firefox works -- I don't use it often - just for testing web sites.

Normally, my AE2's Copy Prevention is disabled because I want files to cache to disk in these types of tests. In this case, however, because the prevailing thought was that Firefox had been bypassed, I wanted to follow all of the steps. Hence, it alerted to the xxxx.exe.part file (where xxxx is a random-generated filename) apparently attempting to download without a Prompt.

All browsers begin to cache a file even when a download Prompt box appears. It turns out that Firefox (the version I'm using) caches a xxxx.exe.part file to the user's Temp directory. This speeds up the download.

Using a notepad replacement, I download with Firefox 3.0.8. The file is 76K:





It I CANCEL the download, the xxxx.exe.part file is deleted. If I select SAVE, this cached file is moved to the location
I specify, renamed with the original filename.

Then with IE6.



The same thing with Opera:



Note that IE and Opera do not cache the complete download until the user selects SAVE.

In all cases, the browser has not been bypassed, rather, a Prompt box appears. It's just that the three browsers handle caching of a downloaded executable a bit differently. Firefox and Opera assign a cached filename, and IE6 uses the original filename with [1] added.

----
rich

 

Re: Mystery of xxxx.exe.part -- Solved

This is a classic example of why programs should not be run unless you know for sure what it is.

I do realized that this was testing but the bottom line all of those infestations occurred only because Run was selected. Save or Cancel would have stopped them cold. It took user intervention to infect.

 

Re: Mystery of xxxx.exe.part -- Solved

True for most of the exploits. However, there were several remote code execution exploits in the Video that executed using IE and infected w/o any user intervention.

That these also were successful using Firefox has been suggested. Unfortunately, those links no longer work, so cannot be further tested.

I will go out on a limb and say that they would not work on Firefox.

----
rich

 

Re: Mystery of xxxx.exe.part -- Solved

It seemed as though he was also running as administrator.

 

I assume so. He kept saying that he was letting the malware run so as to test the effectiveness of the AV.

----
rich