Warning: zero day exploit

Discussion in 'other security issues & news' started by Pieter_Arntz, Mar 25, 2006.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_DLOADER.BXR&VSect=T

    http://vil.nai.com/vil/content/v_139048.htm

    SpywareWarriors' suzi found one active on a Dutch site and asked if I could assist in getting it removed.

    Added a screenshot where you can see how much memory iexplore was using just before the VM crashed.

    Although I saw no warning for this anywhere, visiting that site using Opera also crashed the VM after a few prompts that I was low on virtual memory.

    Regards,

    Pieter
     

    Attached Files:

  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
    WMF-Like Zero-Day Attack Underway

    Story
     
  3. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    WMF-Like Zero-Day Attack Underway

    . . .

    Oh no, not more rutekites!


    StevieO
     
    Last edited by a moderator: Mar 31, 2006
  4. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549

    Yeah, I pretty much yawned when I looked at the post. Zero day exploits are kind of dangerous, I guess, particularly ones that can install all kinds of payloads without user interaction. Still not a big deal as long as we don't talk about rootkits.

    But this one can actually do *rootkits*! That's damn unique!!

    Thank god StevieO (who is pretty much a bloodhound when we talk about news reports containing the word 'rootkit') saw this and brought it to our attention that a zero day exploit that can do remote code execution can allow installing rootkits! We would never have known otherwise.

    ;)
     
  5. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Due to the increased threat in regards to 2 0-Day IE Exploits, I've decided to take some time from schoolwork and work on two filters to address these two issues, while not being overkill:

    Code:
    [Patterns]
    Name = "IE: Kill Excessive JS Event Handlers [hpguru] {Kye-U}"
    Active = TRUE
    Multi = TRUE
    URL = "($TYPE(htm)|$TYPE(js))"
    Limit = 512
    Match = "(\son[a-z]+{3,16}=$AVQ(*))++{20,*}"
    Replace = "\k$ALERT(Excessive JS Event Handlers have been detected and killed on:\n\n\u\n\nThe page will not be displayed properly.)"
    
    Name = "IE: Detect createTextRange() Function [Kye-U]"
    Active = TRUE
    URL = "($TYPE(htm)|$TYPE(js))"
    Limit = 17
    Match = ".createTextRange\("
            "$CONFIRM(The function "createTextRange()" has been detected on:\n\n\u\n\nWould you like this function to be removed?)"
    Replace = ".Shonenscape\("

    Feel free to comment on these two filters as I look for more exploits to knock down in my next KBSP release!

    Test JS Event Handler here:

    http://testing.onlytherightanswers.com/iedie.html

    Test "createTextRange" filter here:

    http://testing.onlytherightanswers.com/TextRange.html
     
    Last edited: Mar 27, 2006
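    The two filters above are Proxomitron matching rules: the first fires when 20 or more inline `on*=` event handlers appear within a 512-byte span, the second when a `.createTextRange(` call is found and renames it so the call fails harmlessly. The following Python script is an added illustration of the same two checks run over constructed sample pages; it is not Kye-U's code, not part of Proxomitron, and the regular expressions are only an approximation of Proxomitron's matching syntax (`$AVQ(*)` is rendered as a quoted or bare attribute value). The sample HTML strings are constructed for the example.

    ```python
    import re

    # Approximation of the Proxomitron match "\son[a-z]+{3,16}=$AVQ(*)":
    # whitespace, an on* attribute name of 3-16 letters, "=", then a
    # quoted or bare attribute value. (Assumption: this is close enough
    # to the filter's behaviour for illustration.)
    EVENT_HANDLER_RE = re.compile(
        r'\son[a-z]{3,16}\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+)', re.IGNORECASE)

    # Equivalent of the second filter's ".createTextRange\(" match.
    TEXTRANGE_RE = re.compile(r'\.createTextRange\s*\(')

    HANDLER_THRESHOLD = 20   # the filter's {20,*}
    WINDOW = 512             # the filter's Limit = 512

    # Constructed sample pages (not taken from any real site).
    SAMPLE_CLEAN = ('<html><body onload="init()">'
                    '<a href="/x" onclick="go()">x</a></body></html>')
    # 30 tiny elements, each carrying one handler, all inside 512 bytes.
    SAMPLE_HANDLER_FLOOD = '<html><body>' + '<b onclick="x()">' * 30 + '</body></html>'
    SAMPLE_TEXTRANGE = ('<script>var r = document.body.createTextRange(); '
                        'r.foo = 1;</script>')


    def event_handler_positions(html):
        """Byte offsets of every inline event-handler attribute."""
        return [m.start() for m in EVENT_HANDLER_RE.finditer(html)]


    def max_handlers_in_window(html, window=WINDOW):
        """Largest number of handlers whose starts fall within `window` bytes,
        mirroring the filter's Limit (a match may not span more than that)."""
        pos = event_handler_positions(html)
        best, j = 0, 0
        for i in range(len(pos)):
            while j < len(pos) and pos[j] - pos[i] <= window:
                j += 1
            best = max(best, j - i)
        return best


    def find_text_range_calls(html):
        """Offsets of every .createTextRange( call in the page."""
        return [m.start() for m in TEXTRANGE_RE.finditer(html)]


    def neutralize_text_range(html):
        """Same idea as the filter's Replace line: rename the method so the
        script hits a harmless 'not a function' error instead of running."""
        return TEXTRANGE_RE.sub('.Shonenscape(', html)


    def scan(html, threshold=HANDLER_THRESHOLD):
        """Return a list of human-readable findings for one page."""
        findings = []
        dense = max_handlers_in_window(html)
        if dense >= threshold:
            findings.append(
                f'excessive JS event handlers: {dense} within {WINDOW} bytes')
        calls = find_text_range_calls(html)
        if calls:
            findings.append(f'createTextRange() call at offset(s) {calls}')
        return findings


    if __name__ == '__main__':
        for name, page in [('clean', SAMPLE_CLEAN),
                           ('handler flood', SAMPLE_HANDLER_FLOOD),
                           ('createTextRange', SAMPLE_TEXTRANGE)]:
            print(name, '->', scan(page) or 'no findings')
    ```

    The sliding window reproduces the effect of `Limit = 512`: handlers spread thinly across a long page do not trigger the first check, only a dense cluster does, which keeps the false-positive rate down on ordinary pages that legitimately use a few dozen handlers.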
  6. sosaiso

    sosaiso Registered Member

    Joined:
    Nov 12, 2005
    Posts:
    601
    How serious is this threat? I was punching along the other day when I encountered a site that caused my VM to crash when using Firefox. Should I do repeated full system scans now in fear? HIPS and all were in place at the time of the incident. I must figure out Proxomitron soon.
     
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    There are many reasons that a VM could crash, but just because it crashed doesn't mean it broke out and infected your system. If you're worried about it, you could restore a VM snapshot.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    I tried the test pages - with Firefox.
    Nothing special happened within FF - on the other hand, the anti-virus found a bloodhound exploit in a cached file from the visited page and removed it...
    Mrk
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Do you remember the filename of that bloodhound exploit?
     
  10. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    If it just detected the exploit, it would have just been the cached HTML page.
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    I don't remember, but I could try again.
    And it's prolly what Notok says. Brb.
    Mrk

    EDIT: The exploit was Bloodhound.Exploit.60. The file - just a cached html file, random name like 0E67... and some more letters and numbers. The testing page is offline, btw.
     
    Last edited: Mar 30, 2006
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    OK, I misunderstood you - I thought you were referring to the test sites in Kye-U's post, which cache only three items.
     
