TREND MICRO: The Protector Becomes The Vector [technical exercise: cross-application-scripting]
Thursday, June 03, 2004
The following represents an interesting technical examination
of when the so-called "Anti-Virus" protector becomes the
Virus "Vector". Naturally this is the result of relying on
the "plug and play" or "module" of one Internet Explorer browser
and operating system from a product "innovator" called
Microsoft.
Trend Micro [ http://www.trendmicro.com ], a purveyor of
gadgetry designed to 'protect' the little people on the
Information Super Highway from a seemingly endless stream of
traffic of obstacles collectively known as "malware", has a very
nice little apparatus to achieve this.
The "Trend Micro Internet Security model no. 1120 1311 engine
version: 7.100" with all the bells and whistles. Lengthy
examination confirms that it does its job and it does its job
quite well.
However:
For whatever inexplicable reason, it [and perhaps others] relies
on the time-tested insecure device known as the Microsoft
Internet Explorer. It uses this incredible derelict 'thing' to
generate its reports; that is, when the "Anti-Virus" gadget
encounters an opponent, the "malware" of the day, it alerts and
indicates precisely what the problem is.
Sounds Good:
Knowing what it uses and where it uses it, we then have to work
backwards and devise a method of 'cross-application-scripting'
our arbitrary code into the device in order to coax it to do our
work for us.
Specifically:
1. When the product alerts it creates an html file in the
temporary folder of the user's machine [the so-called "local zone"]
[screen shot: http://www.malware.com/public/weallcar.png 29KB ]
This html file is viewed from an Internet Explorer "browser
object" and indicates which file is problematic.
2. Technically [so far] in order to make use of all of this we
need to give our problematic file a suitable name with suitable
html tags to render as we require. At present the actual browser
and operating system automatically filter this [<script>.com
becomes _script_.com].
3. We need a container to achieve this and do so like this:
PK
à?¸(<ÏQhD D <img>.comX5O!P%@AP[4[snip ](P^)7CC)7}
$EICAR-STANDARD-ANTIVIRUS-TEST-FILE![snip] +H*PK
à?¸(<ÏQhD D eicar.comPK 7
k
4. Now when our so-called "real time scan" encounters our
problematic file it will alert like so:
[screen shot: http://www.malware.com/ucar.png 43KB]
5. And as has been demonstrated now for a bare minimum of 4 years
[see: http://www.malware.com for a small smattering of examples]
anything run from the local computer zone, the so-called
Microsoft "My Computer" zone in the integrated Explorer, can
effectively take full and complete control of the user's computer.
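The defect described in steps 1 through 5 is that the detected file's name is pasted, unescaped, into an HTML report that is then rendered from the local zone. The following is an added illustration, not code from the advisory or from Trend Micro: it builds a constructed in-memory .zip whose entry is named "<img>.com" (inert placeholder bytes, not a test-virus signature), reads the entry name back the way a scanner would, and shows the report generator in the unescaped form the advisory describes beside a hardened form that HTML-escapes the untrusted name. It also includes a simple defender's check that flags archive entry names containing HTML metacharacters. All function names are assumptions for the illustration.

```python
import html
import io
import zipfile

# Constructed sample archive: one entry whose NAME carries markup, mirroring
# the container shown in the advisory. The body is harmless placeholder text.
def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("<img>.com", "placeholder bytes, not a test signature")
    return buf.getvalue()


def archive_entry_names(archive_bytes: bytes) -> list[str]:
    """Read entry names from the archive, as a scanner would before reporting.
    Note that the filesystem never sanitises these: they live inside the zip."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return zf.namelist()


def render_alert_unescaped(filename: str) -> str:
    """The pattern the advisory describes (hypothetical reconstruction):
    the detected file's name is concatenated straight into the HTML report."""
    return f"<html><body>Virus found in: {filename}</body></html>"


def render_alert_escaped(filename: str) -> str:
    """Hardened form: the untrusted name is escaped so the browser object
    displays it as text instead of parsing it as markup."""
    return f"<html><body>Virus found in: {html.escape(filename, quote=True)}</body></html>"


# Characters that can change how an HTML report is parsed.
MARKUP_CHARS = frozenset('<>"\'&')


def names_with_markup(names: list[str]) -> list[str]:
    """Defender's check: flag entry names containing HTML metacharacters so a
    report pipeline can treat them with suspicion (or at least escape them)."""
    return [n for n in names if MARKUP_CHARS & set(n)]


if __name__ == "__main__":
    names = archive_entry_names(build_sample_archive())
    for name in names:
        print("unescaped:", render_alert_unescaped(name))
        print("escaped:  ", render_alert_escaped(name))
    print("suspicious names:", names_with_markup(names))
```

The unescaped report contains a literal <img> tag; the escaped report contains &lt;img&gt;.com and renders the name harmlessly. Escaping is the minimum fix; writing the report somewhere other than a local-zone temp folder, as the advisory's closing note advises, removes the privileged context in which any residual markup would run.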
CAREFULLY NOTE:
a) the default setting of this particular Trend Micro device
does not automatically scan inside .zip files on download;
for demonstration purposes it must be enabled.
b) manual re-construction of the .zip file, so as to satisfy the
checksum, would be required before script could be written back
into the temp file.
Working Example:
http://www.malware.com/icar.html
Notes:
1. This is a technical exercise demonstrating 'cross-application
scripting'. Practical implementation at present should prove
impractical.
2. Developers: do not put your html files in the temp folders!
End Call
--
http://www.malware.com