HTA script exploit loads RATs

Discussion in 'other anti-trojan software' started by Nancy_McAleavey, May 8, 2003.

Thread Status:
Not open for further replies.
  1. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Feb 10, 2002
    Voorheesville, NY, USA

    A little over two years ago, an exploit of Microsoft's "HyperText
    Application" ("HTA") scripting capabilities surfaced, which allowed
    rogue sites to load a script on the machines of victims and in turn,
    that SCRIPT would create a Windows PROGRAM on their hard disk and then
    RUN it. It took Microsoft a period of time after the exploit was
    publicized before Microsoft did something about it, barely.

    In the interim, while people were being victimized, we released a
    freebie called "HTASTOP" which permitted people to BLOCK any attempts at
    installing or even running an HTA script. This solved the problem for
    the several months it required for Microsoft to deal with their problem.
    While Microsoft's solution resolved the problem to a degree, it only
    removed the danger from the "Internet Zone" and didn't ever deal with
    the problem of the "Local Machine" or "My computer" security zone. Our
    free HTAstop, however, DID protect all zones from rogue scripts
    exploiting HTA holes.

    Fast forward this past month. After so many patches, so many
    adjustments, and new versions of Windows, the problem has returned with
    a vengeance. About a month ago, a few spam emails were reported which
    contained various attachments with filenames like ERROR.HTA or
    FREEPORN.HTA or other enticing "click on me" names. In the past couple
    of days, and particularly TODAY, more variations on this theme are
    appearing, claiming "returned email, click on the attachment for more
    information" with respect to the "undelivered email." So far, we've
    received reports from several hundred
    of our customers telling us that our BOClean product applied the brakes
    for them and found nasties on their machines where their antivirus
    software DIDN'T.

    What makes this twist even more of concern though is that the HTA
    script is obfuscated within an MS "javascript" which causes the
    attachment to elude ALL antivirus programs unless they are redefined to
    the specific characters in a specific attachment. We've examined about
    16 of these and there's no opportunity for the typical "antivirus
    pattern match" on these files.

    They're all different, and unique. And the "zombie" which is downloaded
    reports back to a site which tracks carefully which nations and specific
    IP addresses it has been successfully installed to. Of primary interest
    to the culprits are the US, UK, Russia and Australia specifically, but
    other nations carry lesser "weight" and are also included after
    reviewing the unprotected site and its files that the script kiddies
    behind this are using to cull the data from their trojan and run their
    scripts from.

    The source of the file is the Mideast region although the specific
    country has not yet been determined. However, the sheer number of
    reports from our BOClean customers with respect to trojans found after
    clicking on these attachments has been nothing less than STUNNING,
    especially considering that the nasties in question arrive in SPAM!
    People still apparently OPEN SPAM, and even worse, CLICK on attachments
    in SPAM!

    The central theme of the various downloads are getting a "mass denial
    of service bot" onto your system, then putting it to sleep awaiting
    command from its "master." This portends of a serious situation ahead
    and the sheer VOLUME of the emails indicates that if it's successful, it
    will be a MASSIVE attack based on our examination of the DOWNLOADED
    nasty once the exploit downloader successfully downloads same. The
    downloader making the rounds has numerous download sites and fallback
    opportunities to other sites should any of the primaries be shut down.
    It has the ability to contact
    many sites as well as IRC's "dalnet" in order to FIND "updates" as has
    been typical for quite some time. What makes THIS different is its
    apparent SUCCESS.

    The most recently encountered HTA files contain a buried exploit of
    Internet Explorer which causes it to visit various pre-programmed sites,
    whereupon it begins to download a BACK DOOR TROJAN which is immediately
    activated. The one we saw overnight downloads MIRC and sets up a
    backdoor, a port flooder and a multiple instance denial of service
    zombie which at this time "sleeps" for further activation. In examining
    the downloaded "zombie" we've found additional obfuscation and "stealth"
    which continues to elude even the BEST antiviruses entirely, even when
    it RUNS.

    Our BOClean antitrojan software detects and deals with all of these
    items as of our most recent updates. HOWEVER, the HTA exploit is of
    great concern since it appears to be sufficiently successful that it's
    being exploited at an exponential rate at this time. Even MORE
    disturbing is that, with all of the "security improvements" Microsoft
    has claimed to make to Internet Explorer and Outlook Express in making
    it nearly impossible to receive a LEGITIMATE file attachment in email,
    the proprietary formats belonging to Microsoft themselves have NEVER
    been "corralled" ... such as VBS, HTA and others.

    Since we made a free solution to this problem available back in April
    of 2001, we highly recommend that anyone (including our customers)
    download this free utility. HTAstop does not need to be installed or
    uninstalled, it's a stand-alone program that turns HTA within Windows on
    and off at will.

    Over the time since we released this utility, HTA has STILL not been
    widely used, therefore turning off HTA capabilities PERMANENTLY remains
    the most effective solution to this long-standing exploit of Windows
    (all versions from Win95 to XP) ... and if you KEEP the HTAstop utility
    handy (it's VERY small) you can always reverse the system neutering
    should there ever occur a LEGITIMATE need to run HTA. This exploit is
    yet another of many reasons to NOT permit "scripting" to run AT ALL in
    Windows. It's been a continuing nightmare and security hole that is the
    basis of the majority of all exploits ever since Microsoft released
    their "Internet Explorer".

    These exploits and security holes haven't stopped after a good number of
    years of Microsoft trying to fix them without disabling their "internet
    integration" entirely, which would actually solve the problem.


    PROPERLY PATCHED systems will still HIDE "file extensions" ... so
    instead of seeing a link marked "FREEPORN.HTA" you will see "FREEPORN"
    as something to click on. Reality has demonstrated that people WILL
    click on it. This is what the authors of this malware DEPEND on. If you
    have all "hide file extensions" and "known safe programs" enabled (by
    default, Windows IS this way) then you may be fooled and click on it.

    File extensions CAN be shown:

    That alone will go a LONG way in DISCLOSING unknown, unsafe file
    attachments. If a file attachment ends in .COM, .BAT, .PIF, .LNK, .WMA,
    .EXE, .VBS, .SCR, .HTA or OTHER unsafe attachments, at least you'll now
    SEE it!

    If your system doesn't have ALL the patches (many Windows "fixes" are
    NOT cumulative, if you missed the one that pops up an alert, then you're
    NOT protected) or you've reloaded Windows and you're NO LONGER patched
    AT ALL, then these HTA things will just RUN silently without so much as
    a warning or whimper while they do their work completely hidden from


    Microsoft is also battling demons with their WEBDAV, IIS, and numerous
    other components that are part of their "web servers" and WindowsNT,
    2000, XP and certain machines that contain personal web servers, file
    sharing tools such as KAZAA, GnuTella, WinMX, Napster and such. In fact
    the record companies and others are exploiting the security holes in
    these and Windows in general in order to SABOTAGE those running "file
    sharing software."

    If you're DELIBERATELY running a remote server on your machine, then
    you're at serious risk of being "trojaned" and the federal courts of the
    US are refusing to prosecute corporate sabotage if you're a "thief." And
    all of the patches out of Microsoft and other vendors are playing a
    "catch up" game with existing, readily exploited back door trojans. Even
    this HTA outbreak's purpose is to install a trojan to take over your
    system. And Microsoft is NOT fixing the holes, nor are they backfilling
    your PRIOR "updates" if you find yourself needing to reload Windows with
    all the pre-existing bugs and holes on your "repair disk."


    Most people who fall victim to old exploits (this one is STILL a risk,
    Microsoft NEVER patched THIS one worth the proverbial "whistle") fall
    victim to exploits because they're REINSTALLED WINDOWS! Sure you got
    your machine all patched up once before. You did all the "Windows
    updates" and kept Microsoft happy with your frequent visits.

    When you "crash and burn" though, you end up reloading Windows again.
    What about those patches? Whoops. A good number of Windows patches were
    "one of a kind" releases and Microsoft is notorious for relocating their
    pages and not maintaining them, so patches from a few years ago are
    GONE! And Microsoft won't let you find them AGAIN if you're not using
    their LATEST version. In other words, if you're running Win98, or ME, or
    NT, you're SCREWED. FORGET Windows95, no patches at all!

    Most people visit the "Windows update" site and allow Microsoft to
    automatically install them. As a result, you don't HAVE a backup to use
    the next time you reload Windows. If it's gone from their site, and you
    don't know about the need for it, old exploits (like THIS two year old
    one) come back to bite you. And Microsoft has NOT "cumulative patched"
    many of these exploits. The HTA exploit has NEVER been fixed! The only
    solution Microsoft has applied is a "script warning" *IF* you have it
    turned on. Default values in Internet Explorer and Outlook Express are
    "RUN IT!"

    IF you use "Windows update" all you're doing is letting Microsoft
    "check your inventory" and then download and install a program without
    any means of future reloading. Instead, note the updates available and
    then go to their CORPORATE SITE and MANUALLY download the updates!

    Natch, you have to turn on everything HERE, but at least you can RIGHT
    CLICK and "Save Target As" and end up with a file to run that you can
    copy to a BACKUP DISK FIRST ... THEN you can run it and patch yourself
    once you have a COPY of the patch for the NEXT time Windows crashes and
    burns and you need to reload your world, completely UNPROTECTED. THIS is
    the avenue by which most of these exploits function.


    If you're not using BOClean, look for HTASTOP on our "freebies" page:

    Given the current popularity of HTA, we'd even recommend that our
    CUSTOMERS download HTA stop and run it - while BOClean protects you
    against back door trojans and similar nasties, the HTA exploiting going
    on just might permit ordinary VIRUSES to slip past. Normally, incoming
    nasties known to the Antivirus companies get stopped long before a
    trojan is allowed to actually RUN where BOClean steps right up and
    trashes it. BOClean is NOT a substitute for an antivirus program and the
    current exploits of HTA _ARE_ successfully bypassing antivirus software.
    BOClean is intended to be a second layer of defense for situations where
    a nasty slips past your antivirus given the unique nature of backdoors
    and the continuing inability of antivirus software to stop them once
    they've "implanted."

    HTASTOP is provided FREE. Of course, we'd appreciate your looking at
    our commercial software and considering buying a copy of what we make,
    but there's no obligation, no spies, no nonsense with any of our
    freebies. They have been provided to provide a limited subset of what
    our commercial products provide, and are completely self-contained.
    We'll never bother you if you choose to use one of our freebies, so feel
    free to grab a copy and be safe without annoyance.

    Please also understand that freebies are not supported officially,
    support for our freebies are maintained on our website with all the
    answers you'll need, links to them listed directly on the screen of the
    freebies themselves to further ensure your privacy in not having to
    contact us if you don't want to. Since these have been around for QUITE
    some time and folks have
    contacted us for support in the past, they're MOST reliable and won't
    REQUIRE support. :)
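    The hidden-extension trick the post describes (an attachment named
    FREEPORN.HTA that Explorer shows as plain FREEPORN, or a double extension
    such as something.txt.hta that shows as a .txt file) can be checked
    mechanically at the mail gateway or on the desktop. The Python below is an
    added example, not code from the post or from Privacy Software Corporation.
    It assumes the unsafe-extension list the post gives, extended with the other
    Windows script-host extensions (.js, .jse, .vbe, .wsf, .wsh), treats every
    extension as a "known file type" when simulating the hide-extensions
    setting, and models the NeverShowExt behaviour of .lnk and .pif files; the
    sample attachment names are constructed.

```python
import ntpath
from typing import NamedTuple

# Attachment types the post calls unsafe (.COM .BAT .PIF .LNK .WMA .EXE .VBS
# .SCR .HTA), extended by this example with the other Windows script-host
# extensions (assumption: the post itself does not list these).
RISKY_EXTENSIONS = {
    ".com", ".bat", ".pif", ".lnk", ".wma", ".exe", ".vbs", ".scr", ".hta",
    ".js", ".jse", ".vbe", ".wsf", ".wsh",
}

# File types whose registered class carries NeverShowExt, so Explorer hides
# the extension even when "Hide extensions for known file types" is off.
ALWAYS_HIDDEN = {".lnk", ".pif"}


class Verdict(NamedTuple):
    filename: str   # name as it arrived in the mail
    real_ext: str   # extension Windows will actually dispatch on
    shown_as: str   # what Explorer's file list would display
    risky: bool
    reason: str


def normalize(name: str) -> str:
    """Windows drops trailing dots and spaces when it creates the file,
    so 'ERROR.HTA ' and 'ERROR.HTA' are the same attachment."""
    return name.rstrip(". ")


def real_extension(name: str) -> str:
    """Extension Windows uses to pick a handler: the last dot-suffix."""
    return ntpath.splitext(normalize(name))[1].lower()


def displayed_name(name: str, hide_known_ext: bool = True) -> str:
    """Simulate Explorer's display. Simplification (assumption): every
    extension counts as a 'known file type' when hiding is switched on."""
    base = normalize(name)
    root, ext = ntpath.splitext(base)
    if ext.lower() in ALWAYS_HIDDEN or (hide_known_ext and ext):
        return root
    return base


def assess(name: str, hide_known_ext: bool = True) -> Verdict:
    """Flag an attachment whose real handler is a risky type, and say
    whether the on-screen name hides or misrepresents that type."""
    ext = real_extension(name)
    shown = displayed_name(name, hide_known_ext)
    if ext not in RISKY_EXTENSIONS:
        return Verdict(name, ext, shown, False, "extension not in the risky set")
    shown_ext = ntpath.splitext(shown)[1].lower()
    if shown_ext and shown_ext != ext:
        reason = f"runs as {ext} but is displayed as a {shown_ext} file"
    elif shown != normalize(name):
        reason = f"runs as {ext}; the extension is hidden entirely"
    else:
        reason = f"{ext} is a directly executable or script-host type"
    return Verdict(name, ext, shown, True, reason)


def scan_attachments(names, hide_known_ext: bool = True) -> list:
    """Return the verdicts for every risky attachment in a message."""
    return [v for v in (assess(n, hide_known_ext) for n in names) if v.risky]


if __name__ == "__main__":
    # Constructed sample attachment names in the style the post describes.
    sample = [
        "FREEPORN.HTA",
        "ERROR.HTA ",
        "returned_mail.txt.hta",
        "invoice.pdf.lnk",
        "notes.txt",
    ]
    for v in scan_attachments(sample):
        print(f"{v.filename!r:28} shown as {v.shown_as!r:22} -> {v.reason}")
```

    A filter should always key on real_extension(), never on the displayed
    name. Turning extensions on, as the post recommends, corresponds to
    hide_known_ext=False here, but .lnk and .pif still display without their
    extension, which is why they stay in the risky set regardless of that
    setting.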
  2. FanJ

    FanJ Guest

  3. Jooske

    Jooske Registered Member

    Feb 12, 2002
    Netherlands, EU near the sea
    Thanks for the interesting info and the thread.
    Fortunately it confirms DCS WormGuard protects you against this HTA problem as well.
  4. spy1

    spy1 Registered Member

    Dec 29, 2002
    Clover, SC
    WormGuard, HTAStop, ScriptSentry, ScripTrap - any of these would be very handy to have around, especially with the appearance of the new variant of Inor.B floating around. Pete
  5. mr.mark

    mr.mark Guest

    hi pete

    i've been running ScripTrap for almost one year now and feel pretty good about the extra layer of protection it provides.

    any opinions on comparing HTAstop to ScripTrap, or any input regarding running them both?

    and if i read Nancy's article right, it is advisable even for BOClean users (me) to install HTAstop?

  6. spy1

    spy1 Registered Member

    Dec 29, 2002
    Clover, SC
    To the best of my knowledge, if you're using HTAStop, ScripTrap will never see any HTA to "Trap" - thus, running them both together shouldn't present a problem re: which app is going to handle an hta alert.

    And, yes, that's the way I read what Nancy said, too (although I don't really understand why, if you're already using BoClean, you'd actually need to apply the HTAStop fix).

    Since I'm running WormGuard, I can't really help you any more than that, sorry. Pete
  7. FanJ

    FanJ Guest

    I am running BOClean, IEClean, and WormGuard.

    IEClean (not free; also from the company of Nancy and Kevin) gives far more protection than HTAstop.
    I would recommend it to any user of IE and OE, but that's -of course- up to the users themselves (and, no secret, I'm a diehard fan of it).

    With IEClean you can block:
    - ActiveX
    - MS-Java data
    - MS-Javascript
    - VBS Scripting Host

    And, if you need one of these for some reason, you can very easily un-block them (you need to restart IE for it to take effect); see my screenshot.

    Copy from the IEClean Helpfile about the VBS Scripting Host:
    "VBS" or "Windows Scripting Host" (WSH) is far and away the single most dangerous security problem in Windows to date. This is the primary mechanism for system intrusions and the spread of viruses. Prior to this version of IEClean, there was no clear cut solution to the problem other than the wholesale destruction of the VBS and WSH capabilities in Windows. To make matters worse though, any time you went to do a windows update, Microsoft would only put the files right back into your system, exposing you once again long after you thought the files were gone forever.

    We've come up with a very unique way of dealing with these extremely dangerous mechanisms that have allowed viruses such as Melissa, BubbleBoy, ILOVEYOU, KAKWORM and hundreds more to spread. Instead of removing or disabling the functions, when this box is checked, IEClean will cause Windows to completely forget HOW TO USE THEM. With no files removed or renamed, Microsoft can't put them back and in the rare circumstance where you actually might need to use these functions, all you need to do is uncheck the box for as long as you need to have them enabled, then turn them back off again for safety while you surf.

    McAfee's "clinic" and several other online services do use these (a very bad idea but we need to be able to support them) and thus the ability to turn them on when needed. When you check or uncheck this item, you will need to hit SAVE in order to cause the settings to change in Windows. This one feature alone should justify IEClean's price.

    Scripting Functions controlled by this button include the following:

    Each of the above is a different specific file extension which invokes the Windows scripting host (WSH) or one of the other scripting hosts (CSCRIPT, JSCRIPT and others) as well as the particularly dangerous HTA (HyperText Application) format which has not been widely exploited YET. HTA is especially dangerous as it's designed to run locally as planted by a website and has absolutely NO security protections whatsoever. Microsoft only recently made detailed information on its use to the public at large on their MSDN site. When Microsoft publishes these "how to's" the trojan and virus makers aren't far behind. HTA will come into prominence very soon. We cover it now.

    IEClean is Copyright 1996-2001 by Privacy Software Corporation

    Attached Files:

  8. peakaboo

    peakaboo Registered Member

    Oct 20, 2002
    How does your set up fare against the Finjan scrap object test?

    Also good test here at computerbytesman:

    script defender kicks in for me on the iframe security hole.

    another interesting test at grey magic dso exploit:

    link to greymagic for more info:

    more tests at finjan, which are pretty easy to defeat: