Anyone see this? "I Love You" .jpg exploit

Discussion in 'malware problems & news' started by zopzop, Jun 5, 2008.

Thread Status:
Not open for further replies.
  1. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    I first saw it browsing a Mac site, but apparently it's not only limited to Macs (I mean, they are discussing it on a video game board):
    http://forum.teamxbox.com/showpost.php?p=10982646&postcount=89

    The link to it is found on the page above; I know there are rules against posting direct links to exploits and stuff on the forum.

    Basically it's a jpg that opens up a new window with an error message and then opens up Outlook Express with an "I love you" message to George Bush.

    Anyone hear of this?
     
  2. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Saving it to the desktop (Debian) and opening it, I get this:
    [screenshot attachment: jpghtml.png]
     
  3. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Saving it to a desktop in Windows XP opens up Outlook Express with the "I love you" message to George Bush.

    Also, clicking on the link provided by the teamxbox member opens up Outlook Express with the message (but not before getting a blank internet page with an error message in it).

    This is kind of scary; suppose next time someone uses this exploit to run other executables on your PC, like format or something else potentially destructive.
     
  4. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    You're using SRP, don't sweat it too much:)
    The only possible problem is an extension you didn't add to SRP. I don't know how the executable-extensions business works.

    Oh, I forgot: clicking from IceWeasel (Firefox) does open Evolution, so I suppose there it's a browser thing. Which makes sense.
     
  5. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    Me confused.

    When I download it my firewall asks if I want to open outlook express (and I say no since I don't use it). But this only happens when I download it (without actually clicking on it). If my firewall is off my HIPS catches it.

    When I actually try to open it (once it's downloaded), nothing happens, even with my firewall turned off.

    I have to say. I've had it up to here (touching my forehead) with malware that doesn't work right on my system. I'm about to just give up and toss my computer in the garbage.
     
  6. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    As shown in the link in the first post, this is nothing more than an html file spoofed as a jpg,
    whose code is the mailto: tag set to trigger upon viewing the file.

    The mailto: tag opens the default mail program, inserts the TO, Subject, and message body.

    People with web pages use this feature all of the time - I do also - it's a shortcut for starting an email message
    from within a web page.

    This is done automatically unless the user has something in place to block the action,
    as malwaretesting indicated.


    ----
    rich
     
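    The file in question is HTML carrying a `mailto:` link but saved under a `.jpg` name, so the extension and the content disagree. As an added example (not code from this thread or from any tool mentioned in it), the Python below compares a file's leading bytes against the magic signature its extension claims, and, when the bytes turn out to be HTML instead, reports which external protocol handlers (such as `mailto:`) the markup refers to. The sample inputs are constructed here; the address in the fake file mirrors the placeholder used later in the thread.

```python
"""Flag files whose bytes do not match their claimed image extension and
report external protocol handlers found in the HTML that is actually there."""
import re

# Well-known magic-byte prefixes for the image types a browser would expect.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

HTML_MARKERS = (b"<html", b"<!doctype html", b"<script", b"<body", b"<meta")
# Protocol schemes that hand the URL to something outside the browser or page.
HANDLER_RE = re.compile(rb"\b(mailto|javascript|vbscript|file):", re.IGNORECASE)


def inspect(name: str, data: bytes) -> dict:
    """Return a verdict for a file name plus its bytes (only the head is sniffed)."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    head = data[:512]
    expected = MAGIC.get(ext)
    magic_ok = expected is not None and any(head.startswith(m) for m in expected)
    looks_html = any(m in head.lower() for m in HTML_MARKERS)
    handlers = sorted({m.group(1).decode().lower() for m in HANDLER_RE.finditer(data)})
    return {
        "extension": ext,
        "magic_ok": magic_ok,
        "looks_html": looks_html,
        "handlers": handlers,
        # "spoofed" = claims an image type, lacks its magic, and is really HTML
        "spoofed": expected is not None and not magic_ok and looks_html,
    }


# Constructed samples (not the file from the thread): a genuine JPEG header,
# and an HTML page saved under a .jpg name that carries a mailto: link.
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
FAKE_JPG = (b"<html><body>"
            b"<a href=\"mailto:mailaddress@somedomain.com?subject=hello\">Click here</a>"
            b"</body></html>")

if __name__ == "__main__":
    for fname, blob in (("photo.jpg", REAL_JPG), ("iloveyou.jpg", FAKE_JPG)):
        v = inspect(fname, blob)
        status = "SPOOFED" if v["spoofed"] else "ok"
        print(f"{fname}: {status} magic_ok={v['magic_ok']} handlers={v['handlers']}")
```

    A gateway or download scanner that applies this check catches the mismatch before a browser or mail client ever acts on the handler; a file whose extension and magic agree passes untouched.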
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,083
    Location:
    Texas
    Use Pop Peeper or Popcorn to peruse your email.

    Change your default mail client to accept plain text messages only.
     
  9. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    So, apparently this is an issue with browsers (not really a vulnerability since nothing is actually sent). Code is executed when the browser downloads the file. Apparently it's not an issue after it's actually downloaded.

    But why does Firefox execute anything at all? I just asked it to download the file and save it on my computer. I never asked it to open the file or scan it in any way. It seems to me the browser should be totally neutral to the contents of a file you ask it to download. I would understand this scenario if I had actually asked Firefox to open the file.

    So, that's why it doesn't make sense to me. But it's not really a huge issue. I don't think it could actually do anything malicious, but I'm not certain.
     
  10. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    There was an element of tongue in cheek in my post. I guess it didn't come across like that. I'm sure if I disabled my security software, I would get the same result you showed in your screenshot.
     
  11. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Yes, I understand this version is harmless. But what I was scared of is: is there a way someone could use this to launch format.com or something similar?
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    You would have to ask someone who has all of the code to see if this would be possible in this case.


    ----
    rich
     
  13. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    This is a browser issue, isn't it? Can a browser launch any random program, or does it just launch your mail client? I'm not sure of this, but I don't think a browser can just launch any random program. E-mail is the obvious exception (due to the relationship between a browser and mail client), which is why I think this "exploit" was made like this.
     
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, many exploits have been set up as PoC to demonstrate launching of the calculator program - the .wmf exploit from a couple of years back, for example.

    Here is another one using the browser directly - the old MS06-014 MDAC exploit, now requiring an unpatched IE to run.

    The exploit downloaded an executable, renamed it to svchost.exe, then copied it to the tmp directory
    and launched it.

    I modified it to launch notepad.exe directly from the system. Partial code (won't work as is):

    Code:
    <html>
    <script language="VBScript">
    
    <snip>
    
    fname1="C:\WINNT\notepad.exe"
    
    <snip>
    
    ShellExecute fname1
    
    S.close
    </script>
    </html>
    
    I created the file script.html and ran it in the browser:

    [screenshot attachment: browserlaunch_3.gif]

    So, scripts in html code can do many things.

    I never saw an instance in the wild where any of these exploits like .wmf launched a program already on the computer, or did damage to the computer.

    (I would like to know if anyone has seen such examples of attacks in the wild)

    Why trash the computer? The money to be made is in getting a rogue program on to the victim's computer.


    ----
    rich
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I've not seen an example myself, but I can imagine exploit code launching another instance of the browser and using it as the downloader for the payload.
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, this is a bit different, and you may remember the Google redirect exploit, where IE crashes, then a hidden instance of IE starts which then connects out to download stuff.

    The victim could restart IE and continue on, not realizing what is happening in the background.

    But again, the end result is to download malware.

    I'm thinking of exploits which do something besides that.


    ----
    rich
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Those exploits are nothing more than PoCs like the one you've just analyzed. As you said, destructive payloads aren't interesting right now. But the possibility is there: browser exploit > launch script engine (e.g., wscript.exe) > do nasty things (deleting files, etc.)
     
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hi,

    You should disable the browser's ability to automatically launch an external mail client:

    In Firefox:

    about:config

    >> Completely disable:
    network.protocol-handler.external.mailto set to false

    Or at the very least:

    >> Warn before launching:
    network.protocol-handler.warn-external.mailto set to true

    Mrk


    P.S. I will even write a little article about this ...
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This brings to mind a pertinent question: in planning for security, how much weight should one give to possibilities?

    One's mind can think of endless possibilities, which, if left to imagine the worst, can lead to never turning on one's computer!

    In your example, one can disable the script engines. In considering more possibilities, one could end up crippling most of the functions of the computer, depending on what was disabled.

    Here is one possibility I discussed recently with a friend:

    Microsoft Security Bulletin MS08-021 – Critical
    http://www.microsoft.com/technet/security/bulletin/ms08-021.mspx

    If someone came to you (anyone here) having seen this security advisory, what would you advise? At this point, a patch has not yet been released. (I'll give my response later)

    (One could substitute this thread's example of the mailto: exploit -- what would you advise someone who is concerned about this? Mrk's suggestion is for Firefox users)


    ----
    rich
     
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hello,

    Similar for Opera, about:config, mail, set handler to 0.

    For IE users, this is a problem, because IE does not like mail handler being disabled. Best solution for IE seems to be:

    -LUA (+SRP).
    -DropMyRights if you use admin (with C or U token rather than N).
    -Disabling Outlook Express and using other mail clients, with messages set to text only; disabling Outlook Express and not just using a different mail client, because IE might decide to open the links in OE anyhow.
    - Not using IE ...

    You can all test this at home - this is a benign example:

    Here's html code, just copy-paste to a text editor, save as html, open in any of the browsers and see what happens:

    <html>
    <body>
    <a href="mailto:mailaddress@somedomain.com">Click here</a>
    </body>
    </html>

    If you set handler to 0 in Opera, Firefox, nothing happens.
    If you set to warn in Firefox, you are asked whether you want to launch an external application - and which.

    Mrk
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    What do you see as a potential threat in the use of the mailto: tag?


    ----
    rich
     
  23. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hello,
    Haven't really thought about it in depth.
    Gimme a few hours to ponder.
    Mrk
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    If no real threat, why disable a useful function of the browser?

    If the possibility of a threat exists, I would like to see where an attack used it.


    ----
    rich
     
  25. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    IMO, it depends on the user's risk exposure and his/her level of paranoia. For example, I'd call hardware/BIOS rootkits no threat for everybody (at least for now). On the other hand, I'd call destructive payloads a very low-risk threat for almost everybody. The risk would be higher for a user who:
    - manages critical information (information that, if deleted/corrupted/hijacked, would bring great losses).
    - doesn't know the state (up-to-date, outdated) of his/her backups or has no backups at all.
    - has computer habits that make him/her prone to encounter malware-infested content (happy-clicking).
    For security-conscious users, destructive payloads aren't a threat.
     