Home   
 Bookmarklets
       WinClean  
    Alexa    
    Google    Google-Cookie
    KaZaA    
    Tools    
    Links    
        
Contents : www.imilly.com
News! The new (October 3, 2003) Microsoft IE Cumulative Patch MS03-040, which supersedes Patch MS03-032 (which is the ineffective patch discussed throughout this page), appears to fix this "Object Tag Vulnerability" hole. If you surf with IE, you ought to install  MS03-040 - and/or superseding patches - as soon as possible.

Are you trying to get to Google?

Is that phrase familiar? Are you trying to get to Google, but your browser shows you a page asking that question instead? This page, served from http://64.191.95.139/, which looked like this :-

Are you trying to get to Google?
Your computer is running software that doesn’t allow you to use Google.

You’re seeing this page because your computer is trying to send you to a website that is pretending to be Google. Over the past few weeks, you may have seen a website that looks like Google, but launches pop-up windows and does not work like Google. That page is not affiliated with Google in any way and is intended to deceive you.
Why is this happening?

Most likely a program was installed on your computer automatically and without your knowledge when you downloaded an otherwise harmless piece of software. Or you may have been tricked into clicking on a disguised download button while visiting a website.
What can I do about it?

This problem can be fixed fairly easily, but will require that you make changes in a file that is part of your computer’s operating system. You should always be cautious when making these kinds of adjustments, as they may affect the performance of your computer. If you are not comfortable doing this yourself, you may want to print out this page and show it to someone whose technical knowledge you trust.

 etc ...

Or this (which has appeared in its place lately, for this reason) ...

Are you looking for a search engine?
If you are seeing this page, it is because you have downloaded a malicious program that is keeping you from visiting the page you intended.

Please visit the following URL for information on fixing this problem:

http://www.tweakxp.com/forum/forum_posts.asp?TID=3367

Then I'm afraid you've contracted a Trojan, most likely this one ... http://www.europe.f-secure.com/v-descs/delude.shtml :-

NAME: Delude
ALIAS: Trojan.BAT.Startpage.a

Delude is a trojan that is available on a web page. The web page contains code that uses a vulnerability in Internet Explorer (MS03-032) to execute.

More information about the vulnerability, including a fix, is available from Microsoft at: http://www.microsoft.com/security/security_bulletins/ms03-032.asp

VARIANT: Delude.A

The HTA code available on a web page downloads a file "partyboy.exe" from an ftp site and runs it. This file is packed with UPX. It is a batch file which was compiled to an executable binary (".exe") using a BatToExe tool.

When executed, it changes the Internet Explorer start page to find-now.info. It prevents access to the most major search engines such as Google, Yahoo, Lycos, MSN and AltaVista. To do this it replaces the following file:

%windir%\system32\drivers\etc\hosts

[...]

At the time of writing this description the above mentioned patch MS03-032 does not fix the vulnerability that Delude uses.

What to do? (4 easy steps)

1. Install this patch : http://www.microsoft.com/technet/security/bulletin/MS03-040.asp

2. Find your Hosts file. Right-click on it and select Properties; uncheck the box that says "Read Only"; click OK.

On Windows XP it's likely to be at : C:\Windows\System32\Drivers\etc\hosts
On NT or 2000 it's likely to be at : C:\Winnt\System32\Drivers\etc\hosts
On 98 or ME it's likely to be at   : C:\Windows\hosts

Do a file search for "hosts" (without the quotes) if in doubt. It doesn't have a file extension (as most files usually do), and Hosts.sam is not it.

3. Then open Hosts with Notepad and delete every line which refers to Google or any other search engine, or which includes the IP number 64.191.95.139. Then Save, making sure that Notepad saves it as just Hosts and not Hosts.txt (you may need to rename it in Explorer after saving). Oh, and if you're still actually using Notepad, you should take a look here. This is what my Hosts file looks like (you probably don't need anything more, but have a good look at your own in case anything else seems sensible and helpful to your particular setup) :-

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

4. Reboot. Try to surf to Google, which should now appear as usual.
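Steps 2 to 4 above, done in Python as an added example (this is not code from this page, from F-Secure or from any vendor tool). It parses a Hosts file, flags every line that maps a search-engine name anywhere (127.0.0.1 included, since that blocks rather than redirects) or that uses 64.191.95.139, writes the cleaned copy back under the bare name "hosts" with the Read Only attribute cleared, and picks out stray files named exactly "hosts" in unexpected places, the check F.A.Q. 3 below recommends. The search-engine list is a heuristic built from the F-Secure description plus Google, and the sample Hosts contents are constructed for the example.

```python
"""Audit and clean a Windows Hosts file hijacked the way Delude does it.

Added example for this page; not code from the page, from F-Secure or
from any vendor tool.  Assumptions: the hijack maps search-engine names
(heuristic list below, from the F-Secure description plus Google) and/or
points names at 64.191.95.139, the address quoted on the page.
"""
import os
import stat

# The only mapping the page's own Hosts file keeps.
SAFE_HOSTS = "127.0.0.1 localhost\n"

# Address the hijack page was served from (quoted on this page).
HIJACK_IPS = {"64.191.95.139"}

# Engines named in the F-Secure write-up; matched as substrings of a
# hostname, so "www.google.com" and "search.msn.com" both hit.
SEARCH_ENGINES = ("google.", "yahoo.", "lycos.", "msn.", "altavista.")


def is_hijack_line(ip, hostnames):
    """True for lines the page says to delete: any mapping of a search
    engine (to anywhere, 127.0.0.1 included) or any line using the
    hijacker's IP."""
    if ip in HIJACK_IPS:
        return True
    return any(engine in name.lower() + "."
               for name in hostnames for engine in SEARCH_ENGINES)


def clean_hosts(text):
    """Return (cleaned_text, flagged) where flagged is [(lineno, raw_line)].
    Comment and blank lines are kept; an inline '#' comment is ignored when
    deciding, but the whole line is dropped if it is a hijack entry."""
    kept, flagged = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].split()
        if body and is_hijack_line(body[0], body[1:]):
            flagged.append((lineno, raw))
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n", flagged


def write_hosts(path, text):
    """Write the cleaned file back under its exact name (no .txt), clearing
    the Read Only attribute first, which is what step 2 does by hand."""
    if os.path.exists(path):
        os.chmod(path, stat.S_IWRITE | stat.S_IREAD)
    with open(path, "w", newline="\r\n") as fh:
        fh.write(text)


def _norm(path):
    # Windows paths are case-insensitive and may use either separator.
    return path.replace("\\", "/").lower()


def stray_hosts_files(paths, expected):
    """From candidate paths (e.g. gathered with os.walk) return the files
    named exactly 'hosts' that are not at `expected`.  hosts.sam and
    hosts.txt are not Hosts files and are ignored.  An extra Hosts file is
    the sign F.A.Q. 3 warns about: another variant may have got in."""
    want = _norm(expected)
    return [p for p in paths
            if _norm(p).rsplit("/", 1)[-1] == "hosts" and _norm(p) != want]


# Constructed sample: Microsoft's stock header, the localhost line, the
# trojan's additions, and one legitimate local entry that must survive.
SAMPLE_HIJACKED = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1 localhost
64.191.95.139 www.google.com   # added by the trojan
64.191.95.139 google.com
64.191.95.139 www.yahoo.com
64.191.95.139 search.msn.com
127.0.0.1 www.altavista.com
10.0.0.5 intranet.example   # legitimate local entry, keep it
"""

if __name__ == "__main__":
    cleaned, flagged = clean_hosts(SAMPLE_HIJACKED)
    for lineno, raw in flagged:
        print(f"line {lineno}: {raw}")
    print("--- cleaned ---")
    print(cleaned, end="")
```

Run it against a copy of your real file first and read the flagged lines before calling write_hosts on the live one: the substring match is deliberately broad, so a legitimate entry containing "msn." would be flagged too, and you still have to reboot (step 4) afterwards.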

    In due course, people better able and resourced than me will publish a fuller analysis of this exploit, which will no doubt include some fuller cleanup instructions (for example, perhaps to delete some remaining debris such as partyboy.exe, o.bat, gameboy.exe and maybe more, and some CLSID entries). Keep an eye out on the websites of your usual anti-virus, anti-trojan and/or anti-spyware software. Or see the links at the bottom of this page.

At the time of writing, the http://64.191.95.139/ page leads to this link www.tweakxp.com/hostsfix.htm, which includes this advice:-

3. The final step is to try to remove this program that is hijacking your “hosts” file. As of 10:00 AM September 25 there is no program that will just remove the malicious program yet. In the mean time, download Spybot Search & Destroy by clicking here. Once you have the program installed, open SpyBot and select the "immunize" icon on the left and then check the box "lock hosts file read-only as protection against hijackers". This will stop the program from modifying your "hosts" file again.

Which is okay, I suppose (and they do also say this : "Click here to learn how to protect your computer from future attacks", which includes advice similar to this page's). But not having your Hosts file hijacked ain't the real problem. That Trojan could have done anything to your computer. You need to stop it, and any others using the same method, from getting in again ... so read on.

How Did This Happen?

Most likely, you were hijacked by an Internet Explorer exploit when visiting a web page, which was not properly fixed by a recent IE Cumulative patch (or you hadn't applied the patch anyway). The bad news is that it could easily happen again today - the available patches simply do not work adequately. More information below. Update: New patch released. Fingers crossed.

What Can I Do To Stop This Happening Again?

Update: New patch released. Fingers crossed.

Consider disabling ActiveX and scripting in the Internet Zone as detailed here (with more detailed advice and guidance here, at Eric Howes' awesome site).

Or use Eric's Enough is Enough tool, which automates the whole process for you ...

http://www.spywarewarrior.com/uiuc/resource6.htm

Have you just about had it with sneaky spyware installations, pesky third-party cookies from pushy advertisers and marketers, and the unending blizzard of popups and popunders from web sites? Haven't you really had just about enough of these obnoxious, invasive practices that trash your computer and violate your privacy?

Then it's time you said, "Enough is Enough!"

Enough is Enough! is a lockdown utility for Internet Explorer 5 and 6. When you install Enough is Enough!, it will:
Lock down your Internet and Restricted sites zones with restrictive settings for dangerous options like ActiveX, Java, scripting, and a few others.
Severely restrict the use of cookies (but not completely disable them for trusted web sites or for single session use).
Disable several Advanced settings, including Install on Demand and Third-party Browser Extensions.
Install Microsoft's IE PowerTweaks WebZone Accessory, putting two new options on your IE Tools menu, with corresponding buttons on your Toolbar: "Add to Trusted Zone" and "Add to Restricted Zone."
With these new Internet Explorer settings you will be protected from the more dangerous elements of the web without having to worry about putting known nasties into your Restricted sites zone:

You'll be protected from rogue crapware installations (e.g., Gator, BonziBuddy, WebHancer, Lop.com, and the like).
You won't be accepting cookies from direct marketing outfits who seek to monitor and track your travels around the Net.
You'll put an end to annoying, useless popups at most web sites by default.
You'll put all web sites on a "short leash" until you trust them enough to add them to your Trusted sites zone.
In short, Internet Explorer will start behaving as YOU want it to behave, not as direct marketers and spyware pushers want it to behave. What you do with Enough is Enough! is enforce your very own "opt-in" policy: no web sites get to use permanent cookies, ActiveX, Java, JavaScript and other dangerous Internet Explorer options until you explicitly give them the go-ahead by putting those sites into your Trusted zone.
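The zone lockdown described above (disable ActiveX, Java and scripting in the Internet and Restricted sites zones), as an added example in Python that is not from this page, from Eric Howes' tool or from Microsoft. It parses a regedit export of HKCU\...\Internet Settings\Zones, reports every option that is not at its locked-down value, and emits a .reg fragment that sets them. The action codes (1001, 1004, 1200, 1201, 1400, 1402, 1C00) and the meanings 0 = Enable, 1 = Prompt, 3 = Disable follow Microsoft's documented zone registry entries; which options to lock, and to what, is this example's choice, and the sample export is constructed. Check the codes against your own IE version before importing anything.

```python
"""Audit Internet Explorer zone settings from a regedit .reg export.

Added example; not from the page, from Eric Howes' tool or from
Microsoft.  Action codes and action values (0 Enable, 1 Prompt,
3 Disable; Java 1C00: 0 = Disable Java) follow Microsoft's documented
zone registry entries.  The lockdown targets are this example's own
choice, matching the "disable ActiveX, Java and scripting" advice.
"""
import re

ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
            r"\Internet Settings\Zones")
INTERNET, RESTRICTED = "3", "4"

# action code -> (description, locked-down value)
LOCKDOWN = {
    "1001": ("Download signed ActiveX controls", 3),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1200": ("Run ActiveX controls and plug-ins", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1400": ("Active scripting", 3),
    "1402": ("Scripting of Java applets", 3),
    "1C00": ("Java permissions (0 = Disable Java)", 0),
}
ACTION_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}

_SECTION = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: int}}.
    Only DWORD values are kept; strings and other types are ignored."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _DWORD.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_zone(keys, zone):
    """Return [(code, description, current, wanted)] for every lockdown
    option in `zone` not at its locked-down value.  A missing value is
    reported as None: nothing locks it down here, so IE's default for the
    zone applies (ActiveX and scripting enabled in the Internet zone)."""
    values = keys.get(ZONE_KEY + "\\" + zone, {})
    return [(code, desc, values.get(code), wanted)
            for code, (desc, wanted) in LOCKDOWN.items()
            if values.get(code) != wanted]


def describe(finding):
    """Human-readable line for one audit finding."""
    code, desc, current, wanted = finding
    cur = ACTION_NAMES.get(current, hex(current) if current is not None else "missing")
    return f"{code} {desc}: {cur}, want {ACTION_NAMES.get(wanted, wanted)}"


def lockdown_reg(zones=(INTERNET, RESTRICTED)):
    """Emit a .reg fragment setting every lockdown value in the given zones."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for zone in zones:
        lines.append(f"[{ZONE_KEY}\\{zone}]")
        for code, (_, wanted) in LOCKDOWN.items():
            lines.append(f'"{code}"=dword:{wanted:08x}')
        lines.append("")
    return "\n".join(lines)


# Constructed sample export: a stock Internet zone (ActiveX and scripting
# on, Java at High safety) and a Restricted sites zone already locked down.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"1400"=dword:00000000
"1402"=dword:00000000
"1C00"=dword:00010000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"DisplayName"="Restricted sites"
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000003
"1402"=dword:00000003
"1C00"=dword:00000000
"""

if __name__ == "__main__":
    keys = parse_reg(SAMPLE_EXPORT)
    for zone in (INTERNET, RESTRICTED):
        for finding in audit_zone(keys, zone):
            print(f"zone {zone}: {describe(finding)}")
    print(lockdown_reg())
```

Export the key with regedit, run the audit, and import the emitted fragment only after reviewing it; the zone values live per user, so repeat for every account on the machine. Bear in mind the caveat in F.A.Q. 5 below: the CERT note and the NTBugtraq posting both say disabling ActiveX does not stop this particular Object Data exploit, so this lockdown is defence in depth, not a substitute for the patch.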

But think about this: that little Trojan which probably did nothing but try to redirect your searches to somewhere else, could have done anything to your computer. Trashed your disk. Stolen your confidential data. Used your machine to attack others on the Net. Downloaded porn (any and every type) and made it available to others. Anything. And if your IE settings (or its unpatched or ineffectively patched holes) allow, that could all happen again today.

And use Windows Update, and sign up to receive email notifications from MS of new patches. They aren't always good, but they're all we've got.

If you use Proxomitron, there are a couple of handy filters here.

Or change browsers. Getting used to another browser is a pain too, and all have some security problems from time to time, but none of the other main browsers have anywhere near as many problems as IE, nor require such time and effort to keep them up-to-date with patches. That's not anti-MS rhetoric (I like and use a lot of MS software), just a sad fact. Isn't life too short to put up with this level of hassle, risk and maintenance? So ...

Mozilla, Firefox, Netscape, Opera, others.

Remember that if you continue to use Outlook or Outlook Express, they still use IE to render HTML (and so are exposed to the related exploits!). Just make sure they are set to use the Restricted Zone, and that everything in that Zone is disabled. And keep up with the IE/OE/Outlook patches.

F.A.Q.s

1. Am I alone with this blight?

Oh no, you sure aren't ...

http://www.google.com/search?&q="Your+computer+is+running+software+that+doesn't+allow+you+to+use+Google"&filter=0

http://groups.google.com/groups?q="Your+computer+is+running+software+that+doesn't+allow+you+to+use+Google"&filter=0

http://groups.google.com/groups?q="If+you+are+seeing+this+page,+it+is+because+you+have+downloaded+a+malicious+program"&filter=0

2. Are you sure this thing is exploiting the ineffective MS patch?

Update: New patch released. Fingers crossed.

Pretty sure ...

http://www.forums.governmentsecurity.org/index.php?showtopic=2640

http://groups.google.com/groups?&th=dbde307f3fe9c757&seekm=Xns93FAC91036ADty54y7hndfy634555@216.168.3.30&frame=off

If allowed to run, the malware tries to download a Trojan from an FTP site ...

http://216.122.217.104/  (currently dead, it appears) ...

 ... (formerly/still?) controlled by these savoury folk ...

http://centralops.net/co/DomainDossier.vbs.asp?addr=216.122.217.104&dom_whois=true&dom_dns=true&net_whois=true&svc_scan=true

3. Is anything else exploiting this ineffective MS patch?

Update: New patch released. Fingers crossed

Oh my, yes ...

http://vil.nai.com/vil/content/v_100719.htm

http://www.sarc.com/avcenter/venc/data/trojan.qhosts.html

http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0310&L=NTBUGTRAQ&P=R1310

Or any number of others which may or may not have been identified and analysed by the anti-virus and anti-trojan industry at the time you read this page. The bad guys are driving a coach and horses through the holes which the recent IE Cumulative patch tries but fails to close. Update: New patch released. Fingers crossed

If you're here because your Google or other searches were hijacked to http://64.191.95.139, then you know you are or have been vulnerable to this type of exploit, and other malware may already have got in and wreaked some havoc. You really need to read the links on this page, and other links from those pages, to see if other symptoms are apparent. And you need to update your anti-virus/anti-trojan software and do a full scan, and keep doing so often for the time being, as the AV/AT vendors catch up with all these exploits. One thing you can do manually is to search (using Windows' standard Search or Find tool) for other Hosts files on your PC, in locations other than those described above. If you find any (just called Hosts, with no file extension like .sam or .txt), then another variant of this Trojan has probably got in too: see the links in this section for remedial and preventative measures.

4. So this MS patch is definitely ineffective then?

Update: New patch released. Fingers crossed

Partly ineffective, it seems very clear ...

http://www.kb.cert.org/vuls/id/865940

http://www.microsoft.com/technet/security/bulletin/MS03-032.asp

Microsoft originally issued this bulletin on August 20th, 2003. Subsequent to issuing the security bulletin, Microsoft received reports that the patch provided with this bulletin does not properly correct the Object Type Vulnerability (CAN-2003-0532).

Microsoft is investigating these reports and will re-issue this bulletin with an updated patch that corrects these problems.

What could this vulnerability enable an attacker to do?

This vulnerability could enable an attacker to cause Internet Explorer to execute code of the attacker's choice. This would allow an attacker to take any action on a user's system in the security context of the currently logged-on user.

How could an attacker exploit this vulnerability?

An attacker could seek to exploit this vulnerability by hosting a specially constructed Web page. If the user visited this Web page, Internet Explorer could fail and could allow arbitrary code to execute in the context of the user. Alternatively, an attacker could also craft an HTML–based e-mail that attempts to exploit this vulnerability.

Workarounds

Are there any workarounds that can be used to block exploitation of this vulnerability until a patch is re-released?
Yes. It should be noted that these workarounds should be considered temporary measures as they just help block paths of attack rather than correcting the underlying vulnerability. Microsoft encourages installing the patch at the earliest opportunity once it becomes available.

http://www.reuters.com/printerFriendlyPopup.jhtml?type=topNews&storyID=3518056

Security holes in Microsoft's Internet Explorer browser have been exploited by hackers to hijack AOL instant messaging accounts and force unsuspecting Web surfers to run up massive phone bills, computer experts cautioned on Friday.

Some Internet Explorer users are also finding that malicious Web sites are secretly slipping trojan programs onto their computers, which could prove an even more dangerous exploit, said Drew Copley, a research engineer at Aliso Viejo, California-based eEye Digital Security, who discovered the original security vulnerability.

Such stealth programs can include keystroke loggers that record everything a person types or software to erase the hard drive, among other things, he said.

Microsoft has released a patch for the original hole, which was reported about a month ago, said Stephen Toulouse, security program manager for Microsoft's Security Response Center. The company is looking into what it says are variations of the original hole that have been discovered since then that the patch does not fix, Toulouse said.

"We will release a fix for the variations," he said.

Security experts are reporting the variations as new security holes, disclosed within the past three weeks and used for different types of attacks, Copley said.

Microsoft and eEye Digital Security said they have issued information for temporary workarounds.

In general, the attacks are accomplished by leading Internet Explorer users to a malicious Web site, either by sending an e-mail with a link to the Web page or distributing a link through instant messaging, Copley said.

When the Web site appears, it downloads code that can execute commands on its own onto the unsuspecting computer user's machine, according to Copley.

http://www.secunia.com/MS03-032/

MS03-032: Object Data Vulnerability Test

Test to see if your browser is vulnerable to the latest Microsoft Internet Explorer vulnerability. The vulnerability which is called the "Object Data Vulnerability" allows malicious websites, emails or newsgroup messages to silently download and execute any file on your system.

Secunia has issued an extraordinary alert, which is rated as "Extremely Critical". Clicking on the link below will perform a test to verify whether or not you are vulnerable to the Object Data vulnerability reported by eEye.

NOTE:
http-equiv has proved that the MS03-032 Security Bulletin from Microsoft fails to close the "Object Data" vulnerability. This test has been updated to use the latest exploit code as described by http-equiv and GreyMagic

WARNING:
If you are vulnerable, the Secunia website will execute Internet Explorer on your system and load a new web page.

Disclaimer:
Secunia is not liable for any damage this may cause to your system. Do not perform this test unless you are a system administrator or you are the owner of the system. Performing this test may be a violation of your company's security policy.

I accept the above, please perform the test: [Click here to perform test]

http://www.eeye.com/html/Research/Advisories/AD20030820.html

http://lists.netsys.com/pipermail/full-disclosure/2003-September/009639.html

http://lists.netsys.com/pipermail/full-disclosure/2003-September/009657.html

http://lists.netsys.com/pipermail/full-disclosure/2003-September/009658.html

http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A1=ind0310&L=ntbugtraq#2

http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A1=ind0310&L=ntbugtraq#3

http://groups.google.com/groups?q="69.57.146.14"+dns&filter=0

5. But if I disable ActiveX I'll be fine?

Update: New patch released. Fingers crossed

Not necessarily for this particular exploit ...

http://www.kb.cert.org/vuls/id/865940

Note that there may be other attack vectors that are not governed by the "Run ActiveX controls and plug-ins" setting.

http://pivx.com/larholm/unpatched/

Re-evaluating HTML elevation data
Description: Allows execution of arbitrary commands in Local Zones
Detail: This bug is related to the codebase local path bug, but details the actual issue and runs without scripting or ActiveX enabled
Published: February 28th 2002
Reference: http://security.greymagic.com/adv/gm001-ie/
Example exploit: http://security.greymagic.com/adv/gm001-ie/advbind.asp
Note: See 6th May 2003 Notes.

Notes September 2003:
Renamed and re-added, symptom fixed instead of problem. Now demonstrates how to reach HTA functionality.
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0309/83.html
Example exploit: http://www.malware.com/badnews.html
Example exploit without scripting: http://www.malware.com/greymagic.html
Temporary workaround: Change the mime-type application/hta to something else

http://pivx.com/larholm/unpatched/6may03notes.html

For the last few years, it has been the stated policy of Microsoft to fix cross-domain/protocol/zone vulnerabilities instead of fixing or restricting the underlying functionality exposed through local zones which these vulnerabilities aim to reach. As we have witnessed time and again, we will continue to see new vulnerabilities being exposed that allow these zone breaches.

The codeBase vulnerability component, public knowledge for almost 3 years now, enabled limitless arbitrary command execution through plain HTML viewed in the Internet Zone by referencing (and thus executing) local executables. Following public attention in early 2002, Microsoft released the MS02-015 patch which removed this malfunctioning aspect of the codeBase HTML attribute - but only in the Internet Zone. According to Microsoft, this functionality is somehow still needed in the local zone. This is despite the fact that ActiveX objects can undergo safe instantiation and security checks without needless prior execution, which already happens in the Internet Zone.

Since MS02-015, nearly all cross-domain/protocol/zone vulnerabilities have aimed to subsequently exploit the codeBase HTML attribute. Playing an ever-increasing game of Whack-A-Mole, Microsoft has gone to great lengths to fix each of these vulnerabilities separately as they were being exposed to the public, instead of crippling or removing the unnecessary Local Zone functionality that each of these depended on.

Later, vulnerabilities in the Local-Zone-dependent HTML Help application have lowered the barrier for malicious programmers seeking to exploit users, by removing the redundancy of first storing an executable in a known location and instead directly allowing parameters to be passed. The impact was the same, escaping browser-level security and gaining application-level functionality, but the interim obstacles were lowered.

All of this is part of the reason why I have now chosen to add codeBase on my Unpatched listing once again. Microsoft have to realize that the current tight integration of innocent browser-level functionality cannot peacefully coexist with the application-level functionality ( such as executing commands and reading files) that local zones expose. The Internet Zone and Local Zones should not both be exposed through Internet Explorer. In fact, I would recommend that Local Zones should be severely crippled in the short term, and completely removed in the long term. Everything that application-level Local Zone documents and help files require can already be accomplished through the use of HTML Applications - which have already existed for years as well.

It is time to cut the deprecated ties in Internet Explorer. Cripple the Local Zone in the short run, remove it completely in the long run.

And (reportedly) definitely not for other exploits of the same ineffectively patched hole ...

http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0310&L=NTBUGTRAQ&P=R1310

It is worth noting that disabling ActiveX (any of the number of IE entries which relate to ActiveX) will do nothing to prevent exploitation of this vulnerability. The problem lies in the way IE perceives the content, and while it should recognize it as ActiveX, it does not. Hence disabling ActiveX will not provide a mitigator.

6. What is this darn Hosts file, anyway?

http://www.accs-net.com/hosts/what_is_hosts.html

7. Got some handy and helpful links?

Surely ...

Update: New patch released. Fingers crossed

http://www.spywarewarrior.com/uiuc/main.htm

8. Where can I ask for help?

The GRC groups are good ... http://www.imilly.com/noregrets.htm

And there's more listed at the bottom of this page at Andrew Clover's terrific site ...

http://www.doxdesk.com/parasite/

9. Credits

Thanks to contributors to the GRC newsgroups, in particular Jack for the heads-up about the shortcomings in MS03-032 and the Cert link, and Kevin for loads of good stuff from Bugtraq.

That's it for now. Surf safely ...

Milly

... the right to privacy and anonymity in the information age
