Warning: zero day exploit

Discussion in 'other security issues & news' started by Pieter_Arntz, Mar 25, 2006.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,433
    Location:
    Netherlands
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_DLOADER.BXR&VSect=T

    http://vil.nai.com/vil/content/v_139048.htm

    SpywareWarriors' suzi found one active on a Dutch site and asked if I could assist in getting it removed.

    Added a screenshot where you can see how much memory iexplore was using just before the VM crashed.

    Although I saw no warning for this anywhere visiting that site using Opera also crashed the VM after a few prompts that I was low on virtual memory.

    Regards,

    Pieter
     

    Attached Files:

  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    64,665
    Location:
    Texas
    WMF-Like Zero-Day Attack Underway

    Story
     
  3. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    WMF-Like Zero-Day Attack Underway

    . . .

    Oh no not more rutekites !


    StevieO
     
    Last edited by a moderator: Mar 31, 2006
  4. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549

    Yeah, i pretty much yawned when i look at the post. Zero day exploits kind of dangerous i guess, particularly ones that can install all kinds of payloads without user interaction. Still not a big deal as long as we don't talk about rootkits.

    But this one can actually do *rootkits*! That's damn unique!!

    Thank god Stevio (who is pretty much is a bloodhound when we talk about news reports containing the word 'rootkit') saw this, and brought it to our attention that a zero day exploit that can do remote execution code can allow install rootkits! We would never have known otherwise.

    ;)
     
  5. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Due to the increased threat in regards to 2 0-Day IE Exploits, I've decided to take some time from schoolwork and work on two filters to address these two issues, while not being overkill:

    Code:
    [Patterns]
    Name = "IE: Kill Excessive JS Event Handlers [hpguru] {Kye-U}"
    Active = TRUE
    Multi = TRUE
    URL = "($TYPE(htm)|$TYPE(js))"
    Limit = 512
    Match = "(\son[a-z]+{3,16}=$AVQ(*))++{20,*}"
    Replace = "\k$ALERT(Excessive JS Event Handlers have been detected and killed on:\n\n\u\n\nThe page will not be displayed properly.)"
    
    Name = "IE: Detect createTextRange() Function [Kye-U]"
    Active = TRUE
    URL = "($TYPE(htm)|$TYPE(js))"
    Limit = 17
    Match = ".createTextRange\("
            "$CONFIRM(The function "createTextRange()" has been detected on:\n\n\u\n\nWould you like this function to be removed?)"
    Replace = ".Shonenscape\("
    Feel free to comment on these two filters as I look for more exploits to knock down in my next KBSP release!

    Test JS Event Handler here:

    http://testing.onlytherightanswers.com/iedie.html

    Test "createTextRange" filter here:

    http://testing.onlytherightanswers.com/TextRange.html
     
    Last edited: Mar 27, 2006
  6. sosaiso

    sosaiso Registered Member

    Joined:
    Nov 12, 2005
    Posts:
    601
    How serious is this threat? I was punching along the other day when I encountered a site that caused my VM to crash when using Firefox. Should I do repeated full system scans now in fear? HIPS and all are in place at the time of incident. I must figure out proximitron soon.
     
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    There are many reasons that VM could crash, but just because it crashed doesn't meant it broke out and infected your system. If you're worried about it, you could restore a VM snapshot.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,247
    Hello,
    I tried the test pages - with Firefox.
    Nothing special happened within FF - on the other hand, the anti-virus found a bloodhound exploit in a cached file from the visited page and removed it...
    Mrk
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,982
    Location:
    California
    Do you remember the filename of that bloodhound exploit?
     
  10. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    If it just detected the exploit, it would have just been the cached HTML page.
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,247
    Hello,
    I don't remember, but I could try again.
    And it's prolly what Notok say. Brb.
    Mrk

    EDIT: The exploit was Bloodhound. Exploit.60. The file - just a cached html file, random name like 0E67....and some more letters numbers. The testing page is offline, btw.
     
    Last edited: Mar 30, 2006
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,982
    Location:
    California
    OK, I misunderstood you - I thought you were referring to the test sites in Kye-U's post, which cache only three items.
     

    Attached Files:

Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.