
TREND MICRO: The Protector Becomes The Vector [technical exercise: cross-application-scripting]




Thursday, June 03, 2004

The following represents an interesting technical examination 
of what happens when the so-called "Anti-Virus" protector becomes 
the Virus "Vector". Naturally this is the result of relying on 
the "plug and play" or "module" of one Internet Explorer browser 
and operating system from a product "innovator" called 
Microsoft.

Trend Micro [ http://www.trendmicro.com ], a purveyor of 
gadgetry designed to 'protect' the little people on the 
Information Super Highway from a seemingly endless stream of 
traffic of obstacles collectively known as "malware", has a very 
nice little apparatus to achieve this. 

The "Trend Micro Internet Security model no. 1120 1311 engine 
version: 7.100" with all the bells and whistles. Lengthy 
examination confirms that it does its job and it does its job 
quite well. 

However:

For whatever inexplicable reason, it [and perhaps others] relies 
on the time-tested insecure device known as the Microsoft 
Internet Explorer. It uses this incredible derelict 'thing' to 
generate its reports; that is when the "Anti-Virus" gadget 
encounters an opponent, the "malware" of the day, it alerts and 
indicates precisely what the problem is.

Sounds Good:

Knowing what it uses and where it uses it, we then have to work 
backwards and devise a method to 'cross-application-scripting' 
our arbitrary code into the device in order to coax it to do our 
work for us.

Specifically:

1. When the product alerts it creates an html file in the 
temporary file of the user's machine [the so-called "local zone"]

[screen shot: http://www.malware.com/public/weallcar.png 29KB ]

This html file is viewed from an Internet Explorer "browser 
object" and indicates what file is problematic.

2. Technically [so far] in order to make use of all of this we 
need to give our problematic file a suitable name with suitable 
html tags to render as we require. At present the actual browser 
and operating system automatically filter this [<script>.com 
becomes _script_.com].

3. We need a container to achieve this and do so like this:

PK
     à?¸(<ÏQhD   D       <img>.comX5O!P%@AP[4[snip ](P^)7CC)7}
$EICAR-STANDARD-ANTIVIRUS-TEST-FILE![snip] +H*PK
     à?¸(<ÏQhD   D                    eicar.comPK      7   
k     

4. Now when our so-called "real time scan" encounters our 
problematic file it will alert like so:

[screen shot: http://www.malware.com/ucar.png 43KB]

5. And as has been demonstrated for at bare minimum 4 years now 
[see: http://www.malware.com for a small smattering of examples] 
anything run from the local computer zone, the so-called 
Microsoft "My Computer" zone in the integrated Explorer, can 
effectively take full and complete control of the user's computer.

CAREFULLY NOTE: 

a) the default setting of this particular Trend Micro device 
does not automatically scan inside .zip files on download; 
for demonstration purposes it must be enabled.

b) manual re-construction of the .zip file in order to meet the 
checksum which would allow script writing back into the temp 
file would be required.

Working Example:

http://www.malware.com/icar.html

Notes:

1. This is a technical exercise demonstrating 'cross-application 
scripting'. Practical implementation at present should prove 
impractical.

2. Developers: do not put your html files in the temp folders!



End Call

-- 
http://www.malware.com
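
Added example, not part of the original post and not Trend Micro's code: a Python sketch of the report-generation flaw described in steps 1-3 and the fix on the developer side. The function names, the report markup and the sample archive are all assumptions constructed for illustration; the archive member carries a harmless placeholder payload.

```python
import html
import io
import zipfile

# Characters that change meaning when a file name is pasted into HTML.
HTML_META = set("<>\"'&")


def build_sample_zip():
    """Constructed sample: an archive with one member named like the post's <img>.com."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("<img>.com", b"constructed placeholder payload")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


def members_with_markup(zip_bytes):
    """Scanner-side check: list member names containing HTML metacharacters."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if HTML_META & set(name)]


def render_alert_unsafe(member_name):
    """Flawed pattern: the attacker-chosen name reaches the report as live markup."""
    return "<html><body><p>Threat found in: " + member_name + "</p></body></html>"


def render_alert_safe(member_name):
    """Hardened pattern: the name is encoded, so the browser object shows it as text."""
    encoded = html.escape(member_name, quote=True)
    return "<html><body><p>Threat found in: " + encoded + "</p></body></html>"


if __name__ == "__main__":
    for name in members_with_markup(build_sample_zip()):
        print("name with markup:", name)
        print("unsafe report   :", render_alert_unsafe(name))
        print("safe report     :", render_alert_safe(name))
```

Encoding the name at render time is what matters here: the browser and operating system filtering mentioned in step 2 never sees a name that lives inside a container.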