Interesting attack, bypassed FF & NoScript

Discussion in 'malware problems & news' started by Joeythedude, May 24, 2009.

Thread Status:
Not open for further replies.
  1. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Interesting attack.

    I was watching some of Matt's exploit tests and decided to try one of the links he used.

    It was the third one on his recent Panda review; you can see it at 10.17.

    http://www.youtube.com/watch?v=tAi57MTW5qM&feature=channel_page.

    I was using FF and NoScript.
    It attempted to copy an exe to my hard drive without any intervention on my part.

    I also use AE v2, and turned on its copy prevention, so that stopped the malware running.

    Might be interesting to check out vs. your security setup, of course not on a live PC though!



    Edit:
    1. There was definitely some copy attempt that AE blocked.
    2. After that I got the standard "do you want to run this file blah.exe".
    3. I don't remember if the copy was just the "blah.exe.part" download that sometimes AE blocks or a full exe file.

    So I may have overstated this exploit a bit.

    Sorry.
     
    Last edited: May 26, 2009
  2. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    A classic example of just how useless AVs really are. Even though Panda detects the malware just like other AVs, it is too late; the malware is fast at executing and has already done its dirty work.

    And yes, you are right, even with NoScript some still gets through.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Only 2 links from the Video worked for me.

    The first brought up the prompt dialogue box and AE2 alerted to an attempt to download an executable to the temp directory:

    ffEXE-3.gif

    Disabling AE's Copy Prevention, I connect again to the site and observe a file in the temp directory:
    (the etilqs file is a Firefox file)

    temp-1.gif


    If I SAVE or CANCEL the prompt, the file disappears.

    temp-2.gif

    If I SAVE, the file is saved to disk but does not run automatically. In the Video, the person chooses to RUN the file because he is testing the action of the AV.

    The second link prompts but does not download anything to the temp directory:

    ffEXE-2.gif

    None of the remote code execution sites that he tested were working when I tried them. However, one link, the liteautobestguide site, appeared in another exploit a few days ago which I tested, and it served up IE exploits and did not work in Opera or Firefox. The Video narrator mentioned at the outset that he was using IE because some exploit links would not work in Firefox, and his purpose was to get the malware files onto disk to test the AV.

    ----
    rich
     
  4. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    I've tested the third link, and NoScript blocks all scripts and objects in that page. If you allow the object and then click on it, you will receive a download prompt from the browser.
    So NoScript is not bypassed.
     
    Last edited: May 26, 2009
  5. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Changed the title of the thread as I'm not sure if it was a full exe or just the exe.temp file which Rmus mentioned that was downloaded.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Mystery of xxxx.exe.part -- Solved

    It's my fault for not completely understanding how Firefox works -- I don't use it often, just for testing web sites.

    Normally, my AE2's Copy Prevention is disabled because I want files to cache to disk in these types of tests. In this case, however, because the prevailing thought was that Firefox had been bypassed, I wanted to follow all of the steps. Hence, it alerted to the xxxx.exe.part file (where xxxx is a random-generated filename) apparently attempting to download without a Prompt.

    All browsers begin to cache a file even when a download Prompt box appears. It turns out that Firefox (the version I'm using) caches a xxxx.exe.part file to the user's Temp directory. This speeds up the download.

    Using a notepad replacement, I download with Firefox 3.0.8. The file is 76K:

    ff-notepadPrompt.gif

    ff-notepadTemp.gif

    If I CANCEL the download, the xxxx.exe.part file is deleted. If I select SAVE, this cached file is moved to the location I specify, renamed with the original filename.

    Then with IE6:

    ff-notepadIE.gif

    The same thing with Opera:

    ff-notepadOpCache.gif

    Note that IE and Opera do not cache the complete download until the user selects SAVE.

    In all cases, the browser has not been bypassed, rather, a Prompt box appears. It's just that the three browsers handle caching of a downloaded executable a bit differently. Firefox and Opera assign a cached filename, and IE6 uses the original filename with [1] added.

    ----
    rich
     
    Last edited: May 26, 2009
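    The staging behaviour rich describes above (Firefox parking a randomly named xxxx.exe.part in Temp while the prompt is up, IE6 writing name[1].exe, Opera using its own cache name) is something a defender can observe directly. The following script is an added example and is not code from the thread or from any of the products mentioned: it snapshots a directory, diffs it against a later snapshot, and flags new files either by the naming conventions quoted in the thread (treated here as assumptions, not authoritative browser behaviour) or by content, checking for the "MZ" header every Windows executable starts with, so a staged executable is still noticed when its name is random. The directory and the sample files are constructed inside a throwaway temp folder; nothing is downloaded.

```python
"""Scan a directory for newly staged browser downloads that look like executables.

Added example, not part of the thread.  Naming rules below are assumptions
modelled on the thread's observations; the content check reads only the
first two bytes of each file.
"""
import os
import re
import tempfile
from dataclasses import dataclass

PE_MAGIC = b"MZ"  # DOS stub signature at offset 0 of every PE executable

# Assumed staging conventions (from the thread, not verified against browser source):
#   Firefox: <random>.exe.part while the download prompt is open
#   IE6:     <original>[1].exe in the cache
PATTERNS = {
    "firefox_part": re.compile(r"^(?P<stem>.+)\.part$", re.IGNORECASE),
    "ie_numbered": re.compile(r"^(?P<stem>.+)\[\d+\](?P<ext>\.[^.]+)$"),
}


@dataclass
class Finding:
    path: str
    convention: str  # naming rule that matched, or "unknown"
    is_pe: bool      # True when the file begins with the MZ signature


def is_pe_file(path):
    """Content check independent of the filename: read only the first two bytes."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == PE_MAGIC
    except OSError:
        return False


def classify_name(name):
    """Return the first staging convention whose regex matches, else 'unknown'."""
    for label, rx in PATTERNS.items():
        if rx.match(name):
            return label
    return "unknown"


def snapshot(directory):
    """Set of regular-file names currently in the directory."""
    return {entry.name for entry in os.scandir(directory) if entry.is_file()}


def scan_new_files(directory, before):
    """Report files that appeared since `before` and are either named like a
    staged download or carry a PE header.  Other new files are ignored."""
    findings = []
    for name in sorted(snapshot(directory) - before):
        path = os.path.join(directory, name)
        convention = classify_name(name)
        pe = is_pe_file(path)
        if convention != "unknown" or pe:
            findings.append(Finding(path, convention, pe))
    return findings


def demo():
    """Build constructed sample files in a temp directory and run the scan.
    Returns (name, convention, is_pe) tuples so the result can be checked."""
    with tempfile.TemporaryDirectory() as d:
        before = snapshot(d)  # empty baseline
        samples = {
            "a1b2c3.exe.part": b"MZ" + b"\x00" * 62,   # Firefox-style partial file
            "notepad[1].exe": b"MZ" + b"\x00" * 62,    # IE6-style numbered copy
            "opr3F.tmp": b"MZ" + b"\x00" * 62,         # arbitrary cache name, content-only hit
            "etilqs_abc": b"SQLite format 3\x00",      # Firefox's own sqlite temp file: benign
        }
        for name, data in samples.items():  # constructed data, not real malware
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return [(os.path.basename(f.path), f.convention, f.is_pe)
                for f in scan_new_files(d, before)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

    Run against a real Temp directory, take `snapshot()` before visiting a page and `scan_new_files()` afterwards; the etilqs file rich mentions is skipped because it matches no naming rule and does not start with MZ, while the randomly named file is still caught by the header check.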
  7. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    Re: Mystery of xxxx.exe.part -- Solved

    This is a classic example of why programs should not be run unless you know for sure what it is.

    I do realize that this was testing, but the bottom line is that all of those infestations occurred only because Run was selected. Save or Cancel would have stopped them cold. It took user intervention to infect.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Re: Mystery of xxxx.exe.part -- Solved

    True for most of the exploits. However, there were several remote code execution exploits in the Video that executed using IE and infected w/o any user intervention.

    That these also were successful using Firefox has been suggested. Unfortunately, those links no longer work, so they cannot be further tested.

    I will go out on a limb and say that they would not work on Firefox.

    ----
    rich
     
  9. wat0114

    wat0114 Guest

    Re: Mystery of xxxx.exe.part -- Solved

    It seemed as though he was also running as administrator.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I assume so. He kept saying that he was letting the malware run so as to test the effectiveness of the AV.

    ----
    rich
     