Full Disclosure mailing list archives

Re: How often are IE security holes exploited?
From: Blue Boar <BlueBoar () thievco com>
Date: Fri, 13 Dec 2002 08:35:26 -0800

Nick FitzGerald wrote:
What happens is one or two exploits become commonly used after a virus using them is itself somewhat "successful" (always a relative term) at spreading in the wild. My impression is that this is largely a function of lack of skill/interest/inspiration on the part of the virus writers. (Many familiar with my views on the typical skill level of virus writers are likely to be getting all riled up about now, but please engage your thinking processes and bear with me...)

In general, most viruses are derivative works, drawing on what has gone before. This is almost equally true of "new" families of viruses as it is of the hordes of (mainly) trivial variants of existing viruses we continually see. This is not to say that all virus writers are clueless and unimaginative, but for many even the notion that adding "C:\WINNT" to the hard-coded list of Windows installation directories they test for the existence of whatever is more than they are capable of...

I would tend to agree with you. I think another reason for poor coding on malicious code in general is that I imagine it can be somewhat difficult to test. I'd guess that most malicious code authors don't have a lab environment that allows them to sufficiently simulate the Internet and the combinations of OSes, etc. that they want to target.

So, imagine what happens when one virus writer "imaginatively" adds an exploit for some IE security hole that allows "auto-run simply from reading an Email message" functionality to a self-mailing virus?

That's right -- a few other virus writers copy the idea. Do they do it by looking through the Bugtraq archives to find a _different_ exploitable security hole and tweaking an exploit to their needs?

Nah -- they grab the virus' source code if it is available, or an Email message "infected" with the virus in question if it became at all widespread and they thus have access to a sample, and they more or less copy what they see. Of course, those who think of themselves as especially imaginative will add a random string generator so the MIME section headers will not be the same in all messages their virus generates, but that's about the extent of "innovation" we see.

Nimda uses the X-audio exploit to try to autorun when you render the HTML in IE or Outlook. Earlier this year, there was another bug in the same vein that was a direct functional equivalent, but because it came later, wasn't patched, etc... I fully expected it to get used quickly, and I don't think it did.

...  The KaK and Klez worms both use IE security holes to do their
dirty work, but most other Windows viruses seem to rely on social
engineering and standard features of Microsoft products.

I disagree, at least for the things that have had any degree of "success". For example, just recently, at least some variants of the Bugbear, Oror, Winevar, Holar, Braid, Frethem and Yaha families have used one or other (and some both) of the vulnerabilities I mentioned above. And going back a bit further, BadTrans, Nimda and SirCam all spring to mind (though I haven't checked).

Don't forget that if you're patched against the vulnerability, you usually still have the opportunity to manually launch the attachment. Thus, the SE method is still there as a backup, and I'd say a large portion of them can still be counted as using it.

As an interesting side-effect, when they attach things in such a way as to take advantage of IE-isms, they often break the attachment on other platforms. Most of my MC mail I get in my Mozilla mail client just shows as a dot. If I want the attachment, I have to manually decode it.

Oh, and don't forget CodeRed (and Nimda also exploited the same vulnerability).

Code Red and Nimda did not take advantage of any of the same vulnerabilities. Code Red was strictly a single-vulnerability worm, and affected only IIS servers, didn't have any IE exploit. Now, Nimda did try to look for root.exe (CodeRed2, Sadmind, manual attacks from "China Cyber War") and the /C and /D mappings (CodeRed2) backdoors, but that's not quite the same thing.


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
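The distinction Blue Boar draws at the end of the message (Nimda probing for backdoors left by Code Red II and sadmind/IIS, rather than exploiting the Code Red vulnerability itself) is something a web-server administrator can check for in access logs. The following is an added example, not code from either poster: it scans constructed IIS-style log lines for the two backdoor probes named in the post, root.exe and the C:/D: drive mappings. The exact request paths (/scripts/root.exe, /MSADC/root.exe, /c/winnt/system32/cmd.exe, /d/winnt/system32/cmd.exe) are taken from public Nimda analyses such as CERT CA-2001-26, not from the page, and the log format and addresses are assumptions.

```python
import re
from collections import Counter
from typing import List, Optional, Set, Tuple

# Constructed sample in a simplified IIS-style layout:
# date time client-ip method uri-stem uri-query status
# The addresses and timestamps are made up; the probe paths follow
# public Nimda write-ups (assumption, not taken from the post).
SAMPLE_LOG = """\
2001-09-18 10:01:02 10.0.0.5 GET /scripts/root.exe /c+dir 404
2001-09-18 10:01:03 10.0.0.5 GET /MSADC/root.exe /c+dir 404
2001-09-18 10:01:04 10.0.0.5 GET /c/winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:01:05 10.0.0.5 GET /d/winnt/system32/cmd.exe /c+dir 404
2001-09-18 10:01:06 10.0.0.9 GET /index.html - 200
2001-09-18 10:01:07 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
"""

# root.exe is the renamed cmd.exe copy that Code Red II and sadmind/IIS left
# in web-accessible script directories; any request for it is a backdoor probe.
ROOT_EXE = re.compile(r"(?:^|/)root\.exe$", re.IGNORECASE)

# Code Red II added virtual directories /c and /d mapped to the C: and D:
# drive roots, so cmd.exe becomes reachable at these exact paths.
DRIVE_MAPPING = re.compile(r"^/[cd]/winnt/system32/cmd\.exe$", re.IGNORECASE)


def classify_request(path: str) -> Optional[str]:
    """Return a label for a known backdoor probe, or None for anything else.

    Note that a directory-traversal request for cmd.exe (the IIS vulnerability
    itself) deliberately does NOT match: that is an exploit attempt, not a
    check for a previously installed backdoor.
    """
    if ROOT_EXE.search(path):
        return "root.exe backdoor"
    if DRIVE_MAPPING.match(path):
        return "drive-mapping backdoor"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Yield (client_ip, path, label) for every backdoor probe in the log."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip blank or truncated lines rather than crash
        client_ip, path = fields[2], fields[4]
        label = classify_request(path)
        if label is not None:
            hits.append((client_ip, path, label))
    return hits


def suspected_scanners(text: str, min_probes: int = 2) -> Set[str]:
    """Clients that issued several distinct backdoor probes are almost
    certainly automated (a worm or scanner), not a curious human."""
    per_ip = Counter(ip for ip, _path, _label in scan_log(text))
    return {ip for ip, n in per_ip.items() if n >= min_probes}


if __name__ == "__main__":
    for ip, path, label in scan_log(SAMPLE_LOG):
        print(f"{ip} {label}: {path}")
    print("suspected scanners:", sorted(suspected_scanners(SAMPLE_LOG)))
```

A 404 on these paths means the backdoor is absent, which is the usual case; a 200 on /c/winnt/system32/cmd.exe or root.exe means the host was already compromised by an earlier worm and should be treated as such regardless of whether Nimda itself got in.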
