Malware creators can remotely check the antivirus through ActiveX

Discussion in 'malware problems & news' started by TNT, Apr 24, 2006.

Thread Status:
Not open for further replies.
  1. TNT

    TNT Registered Member

    Sep 4, 2005
    While doing some research about blog/guestbook spam, I ran into a classical CWS iframe exploit; the most notable thing I noticed is that it clearly attempts (and, I guess, successfully so) to determine, through the use of an ActiveX object, what's the antivirus on the remote machine.

    Is anyone aware of this technique being used before? Doesn't that leave another hole in the system (the remote exploit can avoid loading elements that are known to be detected, thereby avoiding detection accordingly)? It seems quite a puzzling behavior to me.

    If anyone wants some details, they're here.
    Last edited: Apr 25, 2006
  2. StevieO

    StevieO Registered Member

    Feb 2, 2006
    Hi TNT,

    Nice write up, thanks, Rmus would be proud of you I'm sure. Interesting how they are getting more and more devious to try and work around things. And the trouble is, in my experience, people do have Active everything enabled by default. So it's no wonder these exploits work, and will continue to do so for some time yet!

    All the best with your new blog.

  3. Togg

    Togg Registered Member

    Jun 24, 2003
    Well the advice to stop using IE has been around for years, with even the US Dept of Homeland Security joining in, so, if people still aren't listening, what can be done?

    Perhaps it's because you have to keep IE for updates that many people who don't lurk around forums like this assume they must use it for everything else as well.
  4. lotuseclat79

    lotuseclat79 Registered Member

    Jun 16, 2005
    Well, strictly speaking, you don't have to use IE for Windows updates:

    * Use Firefox for Windows Updates from this website: (old info)
    * Allow Netscape/Opera browsers to access Windows Updates via a plugin

    Haven't been to the website in some time, and just now, it appears that the plugin might also be needed by the Firefox browser for it to work.

    -- Tom
  5. Togg

    Togg Registered Member

    Jun 24, 2003
    Thanks lotuseclat79, every day I learn more (problem is I forget more as well!)

    That is very useful to know and, hopefully, any reluctant IE users who happen upon this thread will be able to take advantage. Unfortunately, it's probably not worth my while to adapt my Opera or Firefox browsers now, as I'm still using 98 and so won't be visiting Updates for much longer.
  6. crackman

    crackman Registered Member

    Jul 6, 2005
    Southern California

    Among others, I have seen DOXDESK, as part of their parasite test, use Javascript to sequence through a list of malware ActiveX CLSIDs in order to determine if there are bad ActiveX controls in your system. You can link to their Parasite page to test your own system. You do need Medium Internet Zone security (Active Scripting, ActiveX, and scripting of safe ActiveX) for this (safe) test to run. The only internal ActiveX actually needed to run the test itself is Tabular Data Control {333C7BC4-460F-11D0-BC04-0080C7055A83}; but numerous illegitimate CLSIDs are sequenced to see if they are installed. The program itself (parasite.js) is an instructive study in what can be done with Javascript; you can fetch it either via Doxdesk's own link or by pulling the script out of your cache after linking to the parasite test. Also, I have seen use what appears to be the same or similar script to check for a small set of spyware controls. Among them is ZyncosMark {F0DC0CFE-D11A-489B-84C0-63748AFAABF3} according to my notes taken last January. I haven't visited the site since then, so whether or not they are still doing this check is unknown to this writer.

    Now, for what the script can and cannot do. I ran this test twice; first with Doxdesk in the Internet Zone with Medium security. Registry monitor (REGMON) showed that most of the 380 tested CLSIDs had kill bits due to the fact that I still use SpywareBlaster (though I feel that program is redundant in my own setup). Those that didn't were tested and, fortunately, found missing in this machine:


    The second test was with Doxdesk in my default browsing zone, where ActiveX is limited to a set of about 30 controls. Here, the script had access to no controls and, thus, could test none of them. Since I find Doxdesk to be a useful site, they are trusted to me and thus have regular Internet privileges. However, TNT's CWS site would not enjoy the same privileges and thus would not be able to employ script to test this system for ActiveX. If ActiveX is fully-enabled, then they could detect any ActiveX control associated with any anti-virus or anti-spyware program. In particular, they could detect that this machine has McAfee's VirusScan and, perhaps, deploy some as yet unknown attack against it.

    There is no inherent danger in fully-enabling the ActiveX "master switch" (Run ActiveX controls and plug-ins) so long as one restricts downloads and disables controls that are not marked safe for scripting. However, as was demonstrated, people can snoop on your system. The second test demonstrates the effectiveness of white-listing ActiveX -- either via Group Policy or via "Manage Add-ons" limitations. Personally, I do not block ActiveX or script in the Limited User account that I use for casual browsing; however, nobody outside of trusted sites can determine the existence of any controls beyond those that are in the AllowedControls list.

    Please, don't misconstrue this! Doxdesk provides an excellent service via an excellent, powerful script that takes advantage of the very same capability mentioned in TNT's original post. However, this same capability can be misused, and thus I prefer not to allow just anyone to examine my machine at will.

    Last edited: Apr 28, 2006
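As an added example (not code from the thread or from Doxdesk), here is the same check crackman performed with REGMON, done directly against the registry from PowerShell: for each CLSID it reports whether the control is registered on the machine and whether IE's kill bit (Compatibility Flags 0x400) blocks it. The first two CLSIDs are the ones quoted in the thread; the all-zero one is a constructed placeholder, and the script ignores zone settings and "Manage Add-ons" restrictions, which are separate controls.

```powershell
# Added example, not from the thread: audit a list of ActiveX CLSIDs for
# registration and kill-bit status, as a defender would after reading the
# discussion above.
$Clsids = @(
    '{333C7BC4-460F-11D0-BC04-0080C7055A83}',  # Tabular Data Control (named in the thread)
    '{F0DC0CFE-D11A-489B-84C0-63748AFAABF3}',  # ZyncosMark, per crackman's notes above
    '{00000000-0000-0000-0000-000000000000}'   # constructed placeholder, not a real control
)

# IE stores per-CLSID compatibility flags here; bit 0x400 is the kill bit that
# tells the browser never to instantiate the control (this is what SpywareBlaster sets).
$KillBit = 0x400

function Get-ActiveXAudit {
    param([string[]]$Ids)
    foreach ($id in $Ids) {
        # A CLSID is only reachable from script if a server is registered for it.
        $registered = Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$id"

        # Check both the native and the WOW6432Node compatibility keys on 64-bit hosts.
        $flags = 0
        foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
            $key = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$id"
            $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -ne $v) { $flags = $flags -bor [int]$v }
        }

        $killed = (($flags -band $KillBit) -ne 0)
        [pscustomobject]@{
            CLSID            = $id
            Registered       = $registered
            KillBit          = $killed
            # Registered and not killed: a page with ActiveX enabled could probe for it,
            # subject to the zone and Manage Add-ons settings this script does not model.
            ProbeableFromIE  = ($registered -and -not $killed)
        }
    }
}

Get-ActiveXAudit -Ids $Clsids | Format-Table -AutoSize
```

Controls that show as ProbeableFromIE are the ones a site like the one TNT found could fingerprint unless the zone denies ActiveX or the control is outside an allow-list.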