Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Spyware installs with no interaction in IE on fully patched XP SP2 box
From: "Castigliola, Angelo" <ACastigliola () unumprovident com>
Date: Tue, 5 Oct 2004 10:50:02 -0400

I am sure there is a configuration setting or software (perhaps the
software made the configuration change) that is preventing this from
installing on your computer. 

I tested with a default XP SP1 install with all the Microsoft Updates
that have been applied to stop this type of IE hack. The spyware still
installs itself on the machine.

XP SP1 with the following patches:
http://support.microsoft.com/default.aspx?scid=kb;en-us;814078
http://support.microsoft.com/default.aspx?scid=kb;en-us;816093
http://support.microsoft.com/default.aspx?scid=kb;en-us;823182
http://support.microsoft.com/default.aspx?scid=kb;en-us;825119
http://support.microsoft.com/default.aspx?scid=kb;en-us;832894
http://support.microsoft.com/default.aspx?scid=kb;en-us;835732
http://support.microsoft.com/default.aspx?scid=kb;en-us;840374
http://support.microsoft.com/default.aspx?scid=kb;en-us;840315
http://support.microsoft.com/default.aspx?scid=kb;en-us;839645
http://support.microsoft.com/default.aspx?scid=kb;en-us;867801

These are _ALL_ the Microsoft Updates that specifically patch up IE
holes. 

My question to the forum is: If this is not a 0-day IE exploit that
allows software to install on a computer with no user interaction then
what Microsoft Update applies to this exploit?

Again I fear there is no Microsoft Update available that will fix this
hole.

Can someone confirm that a Default install of XP SP2 with all patches
will not stop spyware from themexp.org from installing?

Angelo Castigliola III
Operations Technical Analyst I
UnumProvident IT Services
207.575.3820

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Alla
Bezroutchko
Sent: Tuesday, October 05, 2004 7:01 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Spyware installs with no interaction in
IE on fully patched XP SP2 box


Carr, Robert wrote:
Interesting...

I just went there, and he's right. Atpartners.cab installed without 
permission. My McAfee picked it right up as Atpartners.dll, downloaded

to Temp Internet files. Spyware detected as NetPals. On the other 
hand, I'm admin of my machine, I wonder if a "user" would get an error

message about not having the correct rights...

I have tested it on Windows XP SP2 and on fully patched Windows 2000. In

both cases _nothing_ gets run or installed. Both systems are more or 
less standard installations without any special IE hardening (except 
patches).

When I surf to the site with Windows XP "Installing components... 
ATpartners.cab" briefly appears in the status bar and then the site gets

displayed. Under the normal browser bars there is a message saying "The 
site might require the following ActiveX control: FREE on-line games and

special offers from... Click here to install...". I don't click on it. 
Searching the disk for atpartnets.cab or atpartners.dll finds nothing. 
The CLSID of the ActiveX control only appears in the registry in 
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\"
.

With Windows 2000 I also get "Installing components... ATpartners.cab" 
in the status bar and then the dialog box asking if I want to install 
"Free online games from ATgames.com". This is a usual dialog box you get

when a page attempts to install an ActiveX control. If I click "No", 
nothing gets installed, no atpartners files on the file system, no 
traces of the CLSID in the registry.

I suppose the cab file gets downloaded so that Windows can read and 
display the signature of the file. It does not get run or installed 
unless explicitly  permitted by user.

So, as far as I can see this is no 0-day.

Alla.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]