Full Disclosure mailing list archives

Re: How often are IE security holes exploited?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 13 Dec 2002 18:01:17 +1300

Richard Smith wrote:

> Has anyone ever looked into how often security holes in Internet
> Explorer are actually used in viruses, worms, Trojan horses, and other
> malware?  ...

Not systematically, but this is an issue of some interest to me 

> ...  My sense is that very few of them are actually used in the
> wild.  ...


What happens is one or two exploits become commonly used after a 
virus using them is itself somewhat "successful" (always a relative 
term) at spreading in the wild.  My impression is that this is 
largely a function of lack of skill/interest/inspiration on the part 
of the virus writers.  (Many familiar with my views on the typical 
skill level of virus writers are likely to be getting all riled up 
about now, but please engage your thinking processes and bear 
with me...)

In general, most viruses are derivative works, drawing on what has 
gone before.  This is almost equally true of "new" families of 
viruses as it is of the hordes of (mainly) trivial variants of 
existing viruses we continually see.  This is not to say that all 
virus writers are clueless and unimaginative, but for many even the 
notion that adding "C:\WINNT" to the hard-coded list of Windows 
installation directories they test for the existence of whatever is 
more than they are capable of...

So, imagine what happens when one virus writer "imaginatively" adds 
an exploit for some IE security hole that allows "auto-run simply 
from reading an Email message" functionality to a self-mailing virus?

That's right -- a few other virus writers copy the idea.  Do they do 
it by looking through the Bugtraq archives to find a _different_ 
exploitable security hole and tweaking an exploit to their needs?

Nah -- they grab the virus' source code if it is available, or an 
Email message "infected" with the virus in question if it became at 
all widespread and they thus have access to a sample, and they more 
or less copy what they see.  Of course, those who think of themselves 
as especially imaginative will add a random string generator so the 
MIME section headers will not be the same in all messages their virus 
generates, but that's about the extent of "innovation" we see.

Thus, at any point in history, just one or two exploits will be 
"fashionable".  Way back when Kak was at its prime, a few other 
viruses copied the Scriptlet/TypeLib exploit it used (and many admins 
of "dubious" web sites wrote trivial IE configuration changing 
Trojans that were dropped onto the sites' visitors' machines via 
exploits of that same vulnerability).

Of late the "Incorrect MIME Header" (MS01-020) and the "Java 
Exception Exploit" (MS00-075 from memory) bugs have been most widely 

> ...  The KaK and Klez worms both use IE security holes to do their
> dirty work, but most other Windows viruses seem to rely on social
> engineering and standard features of Microsoft products.

I disagree, at least for the things that have had any degree of 
"success".  For example, just recently, at least some variants of 
the Bugbear, Oror, Winevar, Holar, Braid, Frethem and Yaha families 
have used one or other (and some both) of the vulnerabilities I 
mentioned above.  And going back a bit further, BadTrans, Nimda and
SirCam all spring to mind (though I haven't checked).

Oh, and don't forget CodeRed (and Nimda also exploited the same 
vulnerability).  And the "new" Opaserv family is the first (and so 
far only) one to exploit the (old) MS00-072 share-level password 
vulnerability in Win9x/ME.  (I suspect that this has not become a 
more commonly used technique because Opaserv's code has not been 
published -- it is certainly a _very_ effective method as it is the 
only one Opaserv uses and Opaserv has been much more successful than 
most mass-mailers in the last year or so, with Klez being the obvious 

> If folks know of other malware that make use of IE security holes,
> please let me know.  I'm putting together a little list.

Note that MS does not consider the vulnerability used in the "Java 
Exception Exploit" an IE hole but rather a Microsoft VM hole (the fix 
is to install an updated version of the MS VM).  My understanding is 
that it is really a problem in the MS VM's flawed handling of a 
"feature" MS added all of its own volition with its security zones 
feature in IE and the decision to make the VM configurable on a zone 
by zone basis.  Thus it does not seem misleading to refer to it as an 
"IE linked" vulnerability.

Further to all these, there are semi-automated "scan and compromise" 
tools looking for MS SQL with null admin passwords, Windows boxes 
with open shares and such like.  These seem to be mainly being used 
by the "web pirates" -- drive space and bandwidth stealers looking 
for free hosting space and bandwidth -- and various bot and DDoS net 

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
