Re: How often are IE security holes exploited?
From: Blue Boar <BlueBoar () thievco com>
Date: Fri, 13 Dec 2002 08:35:26 -0800
Nick FitzGerald wrote:
> What happens is one or two exploits become commonly used after a
> virus using them is itself somewhat "successful" (always a relative
> term) at spreading in the wild. My impression is that this is
> largely a function of lack of skill/interest/inspiration on the part
> of the virus writers. (Many familiar with my views on the typical
> skill level of virus writers are likely to be getting all riled up
> about now, but please engage your thinking processes and bear
>
> In general, most viruses are derivative works, drawing on what has
> gone before. This is almost equally true of "new" families of
> viruses as it is of the hordes of (mainly) trivial variants of
> existing viruses we continually see. This is not to say that all
> virus writers are clueless and unimaginative, but for many even the
> notion that adding "C:\WINNT" to the hard-coded list of Windows
> installation directories they test for the existence of whatever is
> more than they are capable of...
I would tend to agree with you. I think another reason for poor coding on
malicious code in general is that I imagine it can be somewhat difficult to
test. I'd guess that most malicious code authors don't have a lab environment
that allows them to sufficiently simulate the Internet and the combinations
of OSes, etc. that they want to target.
> So, imagine what happens when one virus writer "imaginatively" adds
> an exploit for some IE security hole that allows "auto-run simply
> from reading an Email message" functionality to a self-mailing virus?
> That's right -- a few other virus writers copy the idea. Do they do
> it by looking through the Bugtraq archives to find a _different_
> exploitable security hole and tweaking an exploit to their needs?
> Nah -- they grab the virus' source code if it is available, or an
> Email message "infected" with the virus in question if it became at
> all widespread and they thus have access to a sample, and they more
> or less copy what they see. Of course, those who think of themselves
> as especially imaginative will add a random string generator so the
> MIME section headers will not be the same in all messages their virus
> generates, but that's about the extent of "innovation" we see.
Nimda uses the X-audio exploit to try to autorun when you render the HTML
in IE or Outlook. Earlier this year, there was another bug in the same
vein that was a direct functional equivalent, but because it came later,
wasn't patched, etc... I fully expected it to get used quickly, and I don't
think it did.
> > ... The KaK and Klez worms both use IE security holes to do their
> > dirty work, but most other Windows viruses seem to rely on social
> > engineering and standard features of Microsoft products.
> I disagree, at least for the things that have had any degree of
> "success". For example, just recently, at least some variants of
> the Bugbear, Oror, Winevar, Holar, Braid, Frethem and Yaha families
> have used one or other (and some both) of the vulnerabilities I
> mentioned above. And going back a bit further, BadTrans, Nimda and
> SirCam all spring to mind (though I haven't checked).
Don't forget that if you're patched against the vulnerability, you usually
still have the opportunity to manually launch the attachment. Thus, the SE
method is still there as a backup, and I'd say a large portion of them can
still be counted as using it.
As an interesting side-effect, when they attach things in such a way as to
take advantage of IE-isms, they often break the attachment on other
platforms. Most of my MC mail I get in my Mozilla mail client just shows
as a dot. If I want the attachment, I have to manually decode it.
> Oh, and don't forget CodeRed (and Nimda also exploited the same
Code Red and Nimda did not take advantage of any of the same
vulnerabilities. Code Red was strictly a single-vulnerability worm, and
affected only IIS servers, didn't have any IE exploit. Now, Nimda did try
to look for root.exe (CodeRed2, Sadmind, manual attacks from "China Cyber
War") and the /C and /D mappings (CodeRed2) backdoors, but that's not quite
the same thing.
Full-Disclosure - We believe in it.