carol clickme: Outlook Express 6.00

From: http-equivat_private
Date: Wed Aug 29 2001 - 20:25:39 PDT


    Wednesday, August 29, 2001
    
    Trivial file attachment execution on the new Outlook Express 6.00 mail and
    news client. This can be achieved with an amount of engineering and all new
    so-called security features enabled.
    
    The manufacturer http://www.microsoft.com has done a splendid job (so far) of
    beefing up the security of her brand new Outlook Express mail and news
    client:
    
    a) default installation with setting in the so-called "restricted zone"
    b) ability to "do not allow attachments to be saved or opened that could
    potentially be a virus"
    c) other "stuff"
    
    Be that as it may, we can still force an attached *.exe file to rear its
    ugly head and with an amount of engineering execute! it.
    
    We once again embed our file in base64 inside a simple html frame:
    
    <frameset rows="100%,*">
    <frame src="malware.exe">
    </frameset>
    
    We then send that as an html mail message to the target computer. Upon
    receipt, the *.exe which should be disallowed by the new so-called security
    feature, instead asks what the recipient would like to do with it.
    
    (screen shot: http://www.malware.com/ohno.jpg 27KB)
    
    What we do is manipulate the file extension to suggest that what we have on
    offer is an innocent file. This coupled with our original message should
    prove quite successful.
    
    The problem is three-fold.
    
    1) Even with the new so-called security feature setting: "do not allow
    attachments to be saved or opened that could potentially be a virus", by
    forcing our file in-between an html frameset, it defeats this so-called
    security feature and automatically retrieves the attachment from the temp
    file folder inviting the recipient to interact with it.
    
    2) By simply renaming an *.exe to a *.bat, the file if accepted is
    automatically opened vs. being asked whether installation should take place
    which would then suggest caution.
    
    3) By attaching the constructed mail message to a legitimate mail message,
    we can slip in under the so-called new security feature setting: "do not
    allow attachments to be saved or opened that could potentially be a virus"
    and manipulate the recipient from there. It appears a message/rfc822 is
    considered safe by the so-called security feature.
    
    Self Explanatory Working Example:
    
    A 'general purpose' mail message with attached constructed mail message.
    Harmless *.exe included.
    
    right-click and save to disk, open in the mail client
    
    http://www.malware.com/nocigar.eml
    
    
    Notes:
    
    a) Tested on IE6.00 with OE6.00 "RELEASE" version and Windows 98
    b) All so-called security settings in both IE6.00 and OE6.00 set to
    disable including all new so-called security features ENABLED in the
    mail client.
    c) Probably does not require to be trojanised and should work if sent
    directly to the target computer in one mail message.
    d) It appears that only an assembly coded *.exe when changed to a *.bat
    functions in this manner.
    e) None of this is new. Reference 12 months ago:
    http://www.malware.com/yoko.html
    
    
    ---
    http://www.malware.com
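
A defender-side check for the third point in the post (an attached message/rfc822 being treated as safe), as an added example that is not part of the original message: it walks the whole MIME tree, including attached messages, and flags executable-type attachments and HTML frames that point at them. The names `audit`, `build_sample`, `RISKY_EXT` and the file name `sample.bat` are assumptions made for this example.

```python
import email
import email.policy
import re
from email.message import EmailMessage

# Assumed extension policy for this example, not taken from the post.
RISKY_EXT = (".exe", ".bat", ".com", ".pif", ".scr", ".cmd")
FRAME_SRC = re.compile(r'<i?frame\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

def audit(msg, nested=0):
    """Walk the whole MIME tree, descending into message/rfc822 parts.

    Returns (finding, name, nested) tuples; nested counts how many
    attached messages enclose the part.
    """
    ctype = msg.get_content_type()
    if msg.is_multipart():  # true for multipart/* and message/rfc822
        findings = []
        for sub in msg.get_payload():
            findings += audit(sub, nested + (ctype == "message/rfc822"))
        return findings
    findings = []
    name = (msg.get_filename() or "").lower()
    if name.endswith(RISKY_EXT):
        findings.append(("risky-attachment", name, nested))
    if ctype == "text/html":
        charset = msg.get_content_charset() or "latin-1"
        html = msg.get_payload(decode=True).decode(charset, "replace")
        for src in FRAME_SRC.findall(html):
            if src.lower().endswith(RISKY_EXT) or src.lower().startswith("cid:"):
                findings.append(("frame-to-attachment", src.lower(), nested))
    return findings

def build_sample():
    """Constructed sample: a plain message carrying an attached message."""
    inner = EmailMessage()
    inner["Subject"] = "constructed inner message"
    inner.set_content('<frameset rows="100%,*"><frame src="sample.bat"></frameset>',
                      subtype="html")
    inner.add_attachment(b"placeholder bytes, not a program",
                         maintype="application", subtype="octet-stream",
                         filename="sample.bat")
    outer = EmailMessage()
    outer["Subject"] = "constructed outer message"
    outer.set_content("See the attached message.")
    outer.add_attachment(inner)  # stored as message/rfc822
    return email.message_from_bytes(outer.as_bytes(), policy=email.policy.default)

if __name__ == "__main__":
    for finding in audit(build_sample()):
        print(finding)
```

A filter that applies its extension policy only to the top-level parts would report nothing for this sample; the `nested` value of 1 on both findings shows they sit inside the attached message.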
    
    
    
    
    
    
    
    
    
    


