Internet Explorer ‘feature’ causing drive-by malware attacks

Discussion in 'other security issues & news' started by MrBrian, Jun 28, 2008.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Internet Explorer ‘feature’ causing drive-by malware attacks

     
  2. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Re: Internet Explorer ‘feature’ causing drive-by malware attacks

    Would turning scripting off in IE have prevented this?
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Any POC? Any live exploit site of it? Pls PM e.

    Thanks
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Just sent.

    The site was reported on another forum on Wednesday. The .gif file still displays:

    groover_1.gif
    ____________________________________________

    Here is the code of the .gif file with the i-frame at the bottom:

    groover_2.gif
    _________________________________________________________________

    There was no execution of the .gif file when I tried the link Wednesday.
    The URL in the code was shut down when I tried it:

    groover_3.gif

    Yesterday this exploit was also analyzed here - same .gif file and code:

    IE feature exploited ITW
    http://www.viruslist.com/en/weblog?weblogid=208187540

    I posted a comment asking what the "certain circumstances" were which would exploit the .gif file.
    I'm hoping to get an answer.

    Note this in the blog:

    If the i-frame were in the HTML code itself, it would be easily flagged. By hiding it inside another file, that file itself would have to be scanned, as it already has been. Here is one analysis:

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HTML_IFRAME.AZ&VSect=T

    Goldwindos2000.com is not exactly a family organization:

    goldwindos2000.com
    http://www.siteadvisor.com/sites/goldwindos2000.com/summary/


    ----
    rich
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi Rmus, thanks for the links and details. Unfortunately the exploit is not working as ususall.

    Nice screenshots and explanation by you as always. :thumb:
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello aigle,

    You are welcome, and yes, too bad that we can't see how this works. Microsoft evidently isn't concerned about this "feature" and the person who discovered this is vague in his blog about it needing "certain circumstances" to work.

    Anyway, it uses a double trigger: the .gif file triggers an iframe which triggers the connection to the malicious site to download the payload.

    When I saw the file hker.htm I thought I recognized the name, but not until looking more closely at the McAfee SiteAdvisor page did I see this other file stored at windos2000.com:

    test.chm

    Both of these files were used in the BellSouth.com exploit which I looked at early last year, where BellSouth users were hit by the attack when viewing their Support page. There were actually five different exploits bundled together attempting to find a vulnerability in the user's computer.

    It's possible that this is a repackaging of an old exploit in a new bottle - a .gif file. At that time the executable payload was identifed as Trojan-Downloader.Win32.Small.

    We'll have to watch to see if this particular .gif exploit surfaces in other places.

    There are still a couple of live links for this hker.htm file if you want to look at it, but it requires IE unpatched to make it work, since it exploits MS06-014 (MDAC function) vulnerability to download the executable.


    ----
    rich
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Pls PM ,e and i will try.

    By the way, what if i change the URL in the gif file to a working legit download link and open it via IE? I did this and nothing happened. Seems a stupid guess by me.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    It 's not a stupid guess - we just don't know how this "feature" is supposed to work. I change the URLS often in exploits when the existing one has been taken down - just to watch the code at work. Here, until we know more, we are left wondering...

    I sent you a working URL for the hker.htm file - it's useful exercise for a couple of things.

    First, to see the difference between a direct download, and a remotely executed download, of an executable.

    Here is the pertinent part of the code of the hker.htm file - it uses the MS06-014 (MDAC function) vulnerability:

    --> gives the URL for the download of the executable, here, masquerading as an .html file (test.htm) to avoid flagging by extension
    --> sets the attribute for MDAC
    --> sets the path to the /temp folder and assigns a filename (svchost.exe)
    --> copies the .htm file to /temp and opens as svchost

    hker-code.gif
    _____________________________________________________________


    If I take the URL from the code and attempt to download directly, IE dutifully displays the Download Prompt:

    hker_1.gif
    ______________________________________________________________


    However, if I go to the link for the hker.htm file, I can simulate what could happen if this .gif "feature" did work
    as described in the article MrBrian linked to.

    The exploit bypasses any call for the Download Prompt. Svchost cannot execute because the executable
    file has been prevented from downloading:

    hker_2.gif
    ________________________________________________________________


    So, the second point is that even though the "trigger" of the exploit (the .gif file in this case) may not be blocked,
    if the payload is a malicious executable, other protection in place will prevent the exploit from completing its task.

    If aigle can get this to run, we'll see how Geswall stops it.


    If the hker.htm file tested is the same used in this exploit, then we can say that in its present form,
    it depends on two vulnerabilities, both requiring IE:

    1) the .gif "feature"

    2) MS06-014 unpatched

    For example, trying to use the hker.htm link in Opera fails, because the MDAC vulnerability is specific to IE


    ----
    rich
     
    Last edited: Jun 29, 2008
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi Rumus, thanks for the links. It worked with IE 6 but not IE7. Interesting.

    Here are the alerts by CFP. I allowed everything except the last action. Sorry as I have no time to write down the nice details like you. Have to take some sleep brfore duty. Alerts are self explanatory.

    Good to see again CFP flagging malicious files by heuristics( see second alert pop up and the last alert). :thumb: :thumb: :thumb: It seems to have good heuristics as I see flagging it many malicious files.

    1.jpg
    1 (1).jpg
    1 (2).jpg
     
    Last edited: Jun 30, 2008
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Here are the same alserts by EQS but I denied creation of file index.htm in system 32 folder, the last pop up.

    1.jpg
    3.jpg
     
    Last edited: Jun 30, 2008
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Here is GesWall,s log and Attack Notification. It stops the malware from creating file in system 32 folder and malicious process dies at this step.

    Excellent silent protection against driveby attacks. No popups and works out of the box. :thumb: :thumb: I have just added a global rule in it to stop network access of all isolated applications and then allowed individual applications like browsers, messengers etc as needed.
    g1.jpg
    g3.jpg
    taskmgr.jpg
     
    Last edited: Jun 30, 2008
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Lastly I tried ThreatFire. It detected the attempt of execution of svchost.exe by IE in an unusuall manner. :thumb:

    Will post the screenshot later. I lost it. :mad:

    Here is the screenshot. Kill and quarantine actually just terminates IE and stops execution of malicious svchost.exe.
     

    Attached Files:

    • ch.jpg
      ch.jpg
      File size:
      43.5 KB
      Views:
      228
    Last edited: Jun 30, 2008
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Good old Neoava Guard. :thumb: I really miss it. :mad:

    ng (1).jpg
    ng (2).jpg
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    OA free
     

    Attached Files:

    • 1.jpg
      1.jpg
      File size:
      90.3 KB
      Views:
      2
    • 3.jpg
      3.jpg
      File size:
      80.5 KB
      Views:
      1
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    SafeSpace isolated all files in virtual HD and files were deleted on purging the SafeSpace. But as the malware was allowed to execute fully via virtualization it did try for outbound internet access unlike GW where the malware died before it could ask for outbound network access.

    SBIE works same as SafeSpace.

    I think it,s time for SafeSpace people to add some sort of outbound network access control for isolated application( allowing only for needed applications via default or custom made rules).

    06-30_0017.jpg
    06-30_0019.jpg
     
    Last edited: Jun 30, 2008
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi aigle,

    Thanks for all of your work to run these tests!

    I assume this is because IE7 has incorporated all previous patches for exploits, including this one - MS06-014

    It's evident from your tests how many different solutions there are to prevent malicious executables from being remotely executed from the internet -- or other media, such as USB drives.

    To this list I can add:

    SRP (tested by SpikeyB) - he said that he received the usual message that svchost.exe
    was blocked by SRP, please contact system administrator.

    I'm sure there are more solutions.

    It's interesting to see how the various products handle the steps of the exploit. Svchost, of course is not the Windows svchost, but the original malicious file test.htm renamed and copied to the /temp directory. Here again are the steps in the code of the exploit:

    --> gives the URL for the download of the executable, test.htm
    --> sets the attribute for MDAC
    --> sets the path to the /temp folder and assigns a filename (svchost.exe)
    --> copies the .htm file to /temp and opens as svchost.exe

    I noticed that Comodo (post #9) and OA (post #14) both of which have firewalls, picked up the attempt by svchost to connect out to the internet.

    These tests are a great comparison of the differences in the approach to handling malware. Users today have many solutions available. I've sent this link to a couple of people to test with AV. However, since the link is more than 1 year old, it certainly should be flagged by most AV.

    If the .gif "feature" reported in the article posted by MrBrian were to execute its code, this scenario is one possibility as to what could happen to a user redirected to a malicious site to download malware by remote code execution.

    Thanks again for taking the time to do this. I'll contact you by PM to see about using your screenshots in another writeup I'm doing.


    ----
    rich
     
    Last edited: Jun 30, 2008
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks Rmus!

    Can you tel me how you opened the code in notepad?

    Thanks
     

    Attached Files:

  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I tried HauteSecure. It seems an interesting hybrid sandbox for ordinary users. Seems good against driveby attacks. :thumb: See the screenshots.

    1.jpg
    2.jpg
    3.jpg
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I am curious to know how PRSC will act against this driveby attack?

    Anyone please? Thanks
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Re: Internet Explorer ‘feature’ causing drive-by malware attacks

    You are welcome.

    Yes - the hker.htm file should be in the cache (Temporary Internet Files). I r-click on the file and open in a text editor.


    ----
    rich
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmmm... That was simple. I thought some way you got the code from web page. :)

    Thanks
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    BTW OA run safer option also stops it. Malicious svchost.exe executes but dies shortly. It fails to create any file in system32 folder and no outbount network access attempt as well.
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Re: Internet Explorer ‘feature’ causing drive-by malware attacks

    Actually, it is the web page but opening in IE triggers the exploit.

    Opening the link in Opera -- nothing happens and you can view the page source.


    ----
    rich
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    What is PRSC?

    I mentioned above that I sent this link to SpikeyB to test with Software Restriction Policies,
    and was curious as to what the alert messages look like, so he sent me some screen shots.
    Later I thought maybe others who don't use SRP might like to see.

    You will notice that SRP works on the Default-Deny Principle - there is no prompt to Allow-Block:


    SRP_1.gif
    ________________________________________________

    SRP_2.gif
    ________________________________________________
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
Loading...
Thread Status:
Not open for further replies.