Failure of HIPS?

Discussion in 'other anti-malware software' started by aigle, May 25, 2007.

Thread Status:
Not open for further replies.
  1. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    (Of course replace hxxp with http.)

Absolutely nothing happens, not even "it" happens...

    1) The IE 6 screen does nothing (I only see "Opening page http..." in the bottom status bar)
    2) no stuff in C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    3) no stuff in C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files
    4) Tiny Watcher says nothing changed anywhere
    5) no stuff added in C:\WINDOWS\system32
6) Fiddler shows this as the request header
    Code:
    GET /ind.htm?src=250&surl=www.sloantreefarms.com&sport=80&suri=%2Findex%2Ehtml HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
    Host: 85.255.115.221
    Proxy-Connection: Keep-Alive
7) Fiddler shows this as the response header
    Code:
    HTTP/1.1 302 Found
    Date: Tue, 29 May 2007 01:08:47 GMT
    Server: Apache/1.3.33 (Unix) PHP/4.3.2-RC1
    X-Powered-By: PHP/4.3.2-RC1
    Location: http://www.sloantreefarms.com/index.html
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html
    
    0
    My IE 6 "settings..."
    1) Local System Policy as "Basic User"
    2) IE Internet Zone set to High
    3) IE is NOT my default browser

    I see nothing good or bad doing anything anywhere. :blink:

    Now what?

    Mike

    P.S. I only have the HW Stateful Firewall at my cable modem, the XP/SP2 "firewall", NO AntiVirus, PowerShadow is NOT running, Sandboxie is NOT running.
     
    Last edited: May 28, 2007
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi Mike,

    Can you take a screen shot of the IE window and either post it or write down the URL of the opening page.

    Thanks,

    -rich
     
  3. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    OK (I can not use just OK, it needs to be at least 5 characters.) :rolleyes:
     

    Attached Files:

    • ie6.png
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    How did you get a Google page?

    I would like to see your IE screen with your status bar showing the URL of the page loading.

    Start with a blank IE window.

    -rich
     
  5. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
Dahhhhhhh... Google was my startup home page!

    Mike
     

  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    You didn't snag the screen shot in time: the Status Bar shows Done.

    I would like to see the "Opening page..." in the Status bar.

    -rich
     
  7. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    I can not do a screen print that fast!

    Did you see the GET header info from Fiddler?

    Mike
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    You should be able to snag it - the page loads slowly.

    First you see this:

    http://www.urs2.net/rsj/computing/imgs/sloan-opening.gif

    and finally the page loads:

    http://www.urs2.net/rsj/computing/imgs/sloan-opening2.gif

    Your screen shots show that something is preventing the page from loading. That is why you see
    nothing in the cache. Until you get the page to load and attempt to download junk,
    you can't really test your setup. Is your Site Advisor blocking?

    This exploit is very clever: I have to disconnect-reconnect between tries because the
    site will not permit two simultaneous connections from the same IP. At least that is the way it is
    here.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Real, Live Malware Example for HIPS Users

    EDIT:

    I had suggested a test for HIPS users to help determine how the hijacked IExplore process
    was invoked in the SloanTreeFarm redirect exploit.

    However, I realize that users would have to permit three different instances of executables to
    load before this Process starts. Not a very realistic test.

    So I poked around inside some of the files of the exploit.

    The first two files that do the work of the exploit are:

    http://www.urs2.net/rsj/computing/imgs/gif-files.gif

    In looking inside the *.tmp file, I found this string:

    Code:
    SetWindowsHookExACallNextHookExUSER32.dll
    
    which I assume is part of the hijacking of the IE process. This would have been flagged
    by a HIPS program, I assume.

    It also adds an entry in the AppPaths Key in the Registry, which launches IExplore:

    http://www.urs2.net/rsj/computing/imgs/ie_app-paths.gif


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
    Last edited: May 29, 2007
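As an added example (not code from this thread, and nothing taken from the exploit's own files), here are the two checks post #9 points at, written from the defender's side: look for the hook-installing API names inside a dropped file's bytes, and review "App Paths" entries from a .reg export, flagging launch targets that live outside the normal program directories. The sample .tmp bytes and the .reg text are constructed; the "updater.exe" entry is a hypothetical placeholder, not the real entry from the screenshot.

```python
"""Defender-side checks for the indicators described in post #9 (added example).
All sample data below is constructed for illustration, not copied from malware."""
import re

# Import names a hook-based IE hijack needs; post #9 found the first and last of these.
HOOK_APIS = (b"SetWindowsHookExA", b"SetWindowsHookExW", b"CallNextHookEx")

def find_hook_apis(data: bytes):
    """Return the hook-related API names present in the bytes, in order of appearance."""
    hits = [(data.find(n), n.decode()) for n in HOOK_APIS if n in data]
    return [name for _, name in sorted(hits)]

# Where App Paths launch targets are expected to live; anything else deserves a look.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\")
APP_PATHS = "\\software\\microsoft\\windows\\currentversion\\app paths\\"

def parse_reg_app_paths(reg_text):
    """Yield (exe_name, default_value) for each App Paths subkey in a .reg export."""
    key = None
    for line in reg_text.splitlines():
        m = re.match(r"\[(.+)\]$", line.strip())
        if m:                                   # a [HKEY_...] key header line
            k = m.group(1).lower()
            key = k.rsplit("\\", 1)[1] if APP_PATHS in k else None
            continue
        m = re.match(r'@="(.*)"$', line.strip())  # the (Default) value
        if m and key:
            yield key, m.group(1).replace("\\\\", "\\")

def suspicious_app_paths(reg_text):
    """App Paths entries whose launch target is outside TRUSTED_DIRS."""
    return [(exe, path) for exe, path in parse_reg_app_paths(reg_text)
            if not path.lower().startswith(TRUSTED_DIRS)]

# Constructed stand-in for the dropped *.tmp file (mimics the string in post #9).
SAMPLE_TMP = b"MZ\x90\x00...SetWindowsHookExACallNextHookExUSER32.dll...GetProcAddress"

# Constructed .reg export: one normal entry and one hypothetical suspicious one.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE]
@="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\updater.exe]
@="C:\\TEMP\\updater.tmp"
"""
```

Run the same `suspicious_app_paths` over a real `reg export` of the App Paths key to get a quick list of entries worth checking by hand.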
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
I encountered this also. I cleaned my IE cache and changed my ISP no on dial up, on each attempt to get it to work.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    No such option in XP Home.
     
  12. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    My bottom status bar only shows stuff for 1/2 second or less.

    WAC.. Works As Coded! That is THE point... right? :D :D

    Seems to me, it tests just fine. :D :D

    No... the bar is a gray color... it would be red if SA was going crazy. (That is assuming SA has "tested" that site. :eek:)

    Mike
     
    Last edited: Jun 1, 2007
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This is very interesting!!

Because the page does not load and you see nothing in the cache, it means that running as Basic User prevents malware sites from loading. This implies that the page code is somehow scanned and determined to be bad.

    You wrote earlier,

    But how does "Basic User" stop anything from being cached?

    I looked at the article you referenced:

    http://msdn2.microsoft.com/en-us/library/ms972802.aspx

    but did not find anything dealing with web pages - just how policy restrictions deal with what is already on the system.

    If you are set up to test, can you turn off "Basic User" and try the URL and see if the page loads?

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  14. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    OK... Unrestricted... still not run...

    1) No files in C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    2) No files in C:\Documents and Settings\Mike\Local Settings\Temp
    3) No new files in C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files
    4) No files in %TEMP% or %TMP% (Both point to C:\TEMP)
    5) No new files in C:\WINDOWS\system32 (last changed/new file is about 2.5 hours ago)

(Notice how the upper right is RED and says "Administrators". See http://blogs.msdn.com/aaron_margosis/archive/2005/10/13/480901.aspx)

    Mike

    P.S. Hmmm... look at the 1st line, last part of my signature... HW Stateful Firewall... maybe?
     
  15. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Hmmm, I also have a custom cookie xml file (from XML-MENU Eric Howes, xml-menu_09282001.zip)
    Code:
    
    Note: alwaysAllowSession="yes" for both zones in first-party contexts only. This option
          unconditionally permits session cookies in first-party contexts. Third-party session
          cookies are still evaluated in the same way as persistent cookies.
    
    ----    ----------------------------------------|----------------------------------------|
    XML                   ** Internet **            |                 ** Trusted **          |
    File    1-noPolicy 1-noRule 3-noPolicy 3-noRule | 1-noPolicy 1-noRule 3-noPolicy 3-noRule|
    ----    ---------- -------- ---------- -------- | ---------- -------- ---------- --------|
    4d-s    Session    Session  reject     reject     First      First    reject     reject
    I also have a custom Restricted Zone file (from IE-SPYAD Eric Howes, ie-spyad_zo_20070120.zip).

    Mike
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Well, that is quite an arsenal you have! Sometime when you have nothing better to do, you can disable everything and try one at a time to see what is doing the work!

    Does this work for all sites that have malware?

    Hard to tell what is going on here - there are many variables in this exploit. Something about the appended URL perhaps.

BTW - you can substitute anything for sloantreefarms.com. One of its purposes is to bounce back to that site if two successive attempts with the same IP are used. This is why I have to disconnect-reconnect between attempts.

    Here, I substitute somewherenow.com and try twice in succession.

    hxxp://85.255.115.221/ind.htm?src=250&surl=www.somewherenow.com&sport=80&suri=%2Findex%2Ehtml

    The first part of the URL retrieves the ind.htm page which calls out for the other pages.

    The appended part will redirect back to that URL if the bad site sees the same IP twice in succession.

    My first attempt loads the bad page. The second attempt:

    http://www.urs2.net/rsj/computing/imgs/ie_somewherecom.gif


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
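As an added example (not code from this thread), here is a small script that applies what post #16 explains to the Fiddler headers Mike posted in post #1: a capture is a "bounce-back" when the 302 Location simply rebuilds the surl/sport/suri values the client itself supplied, and the Host being a bare IP is a second thing worth flagging in proxy logs. The REQUEST and RESPONSE samples are trimmed copies of the headers in post #1; the negative case in the test is constructed.

```python
"""Classify a captured request/response pair as a bounce-back redirect (added example).
The capture below is trimmed from post #1 of this thread."""
from urllib.parse import urlsplit, parse_qs, unquote
import ipaddress

def parse_headers(raw):
    """Return (start_line, {lowercase-name: value}); header parsing stops at the blank line."""
    lines = raw.strip().splitlines()
    hdrs = {}
    for line in lines[1:]:
        if not line.strip():          # end of headers (the chunked '0' body follows)
            break
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return lines[0].strip(), hdrs

def rebuild_target(query):
    """Redirect target expected if the server just echoes surl/sport/suri back."""
    q = parse_qs(query)               # parse_qs already percent-decodes values
    surl = q.get("surl", [""])[0]
    if not surl:
        return None
    sport = q.get("sport", ["80"])[0]
    suri = unquote(q.get("suri", ["/"])[0])
    return "http://%s%s%s" % (surl, "" if sport == "80" else ":" + sport, suri)

def is_bounce_back(request_raw, response_raw):
    """True when a 3xx Location equals the URL rebuilt from the request's own query."""
    req_line, _ = parse_headers(request_raw)
    status_line, resp = parse_headers(response_raw)
    expected = rebuild_target(urlsplit(req_line.split()[1]).query)
    return (status_line.split()[1].startswith("3")
            and expected is not None and resp.get("location") == expected)

def host_is_bare_ip(request_raw):
    """True when the Host header is a literal IP address rather than a name."""
    _, req = parse_headers(request_raw)
    try:
        ipaddress.ip_address(req.get("host", "").rsplit(":", 1)[0])
        return True
    except ValueError:
        return False

REQUEST = """GET /ind.htm?src=250&surl=www.sloantreefarms.com&sport=80&suri=%2Findex%2Ehtml HTTP/1.1
Host: 85.255.115.221
Proxy-Connection: Keep-Alive
"""
RESPONSE = """HTTP/1.1 302 Found
Location: http://www.sloantreefarms.com/index.html
Connection: close
"""
```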
  17. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Rich, you have no idea how much I appreciate that coming from you. :D

    Of course, nothing happens on my system. :D :D

    Mike
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Congratulations on your solution!

    Does it work for other malware sites?

    regards,

    -rich
     
  19. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    OK, you got me... what/where other malware sites? (use PM if need be).

    Mike
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    All of the ones that I have are no longer working. Most get taken down pretty quickly these days.

    Check sans.org diary daily - that's where I find most of mine:

    http://isc.sans.org/diary.html

    regards,

    -rich
     
  21. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    flinchlock,
    Perhaps you have an IP blacklist in IPCop? Are you also using Copfilter?
    SiteAdvisor doesn't flag this exploit, Link Scanner does flag it.
     