[Dshield] QHOSTS-1 - DNS/Hosts file issues

wbeckham wbeckham at yahoo.com
Thu Oct 2 14:35:15 GMT 2003


I got the following from Trusecure this morning.  

- WB

---------------------------------
TruSecure Radar Notice

PROBLEM: Unpatched IE Vulnerability is being exploited

PLATFORM: Windows ME, Windows NT, Windows 2000, Windows XP (tested), Windows
9x (probably), Windows Server 2003 (not tested)

DAMAGE: DNS Server settings are modified, possible information leakage,
client browsing disruptions, future use.

SOLUTION:   See mitigators

VULNERABILITY ASSESSMENT: Important


Summary:
Yesterday TruSecure began to observe evidence of an active attack against
users of Internet Explorer 6.0. The attack consisted of a banner, hosted by
FortuneCity.com, which in turn used JavaScript to redirect the self-closing
"pop-under" banner to a site hosted by EV1.NET (Everyone's Internet). An
EV1.NET site then delivered executable code which in turn invoked the HTA
vulnerability.

The HTA vulnerability is a known and as yet unpatched vulnerability in IE.

When the Object Data vulnerability is exercised, IE renders and executes the
ActiveX object reference in the JavaScript code. During the check to
determine whether the content is safe, IE mistakenly believes the ActiveX
object code to be simple HTML/Jscript. Therefore, it does not prompt to save
to disk. Subsequently, it remembers it is HTA content, and invokes MSHTA.EXE
to drop and execute the object code. That code is x[1].hta, which in turn
creates and executes AOLFIX.exe.

AOLFIX.EXE is downloaded into the \temp directory and executed, and deleted.

It caused a variety of actions:

1. It created empty directories called:

 %systemdrive%:\bdtemp
 %systemdrive%:\bdtemp\temp


2. It deleted AOLFIX.EXE

3. It created the following file, which contains the letter "A":

 %systemdrive%:\%systemroot%\winlog

4. It created a hosts file in the \%systemroot%\help directory which
contains numerous static IP address to search engine website mappings.

5. It created the following registry entries:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"="%SystemRoot%\help"

At last check (8:15pm EDT 10/1/2003) the banner page at FortuneCity.com was
still serving up the banner which leads to the malcode.

We have received reports from many locations around the world indicating
they have had the effects of this. NAI is calling this QHOSTS-1, see
http://vil.nai.com/vil/content/v_100719.htm for more details.

MITIGATIONS:

- Disable Active Scripting:
 Disabling Active Scripting will prevent the pages from executing which in
turn deliver the exploit.

- Perimeter Default Deny:
 While not preventing the exploit, it will prevent information leakage and
misdirection of DNS queries. Affected users will experience DNS resolution
problems; the perimeter can log failed DNS lookups from non-DNS servers to
identify infected clients.

- Personal Firewalls:
 Client systems with personal firewalls capable of denying network access to
applications can ensure that MSHTA.EXE does not gain network access (at
least temporarily, as this may cause other, legitimate uses of MSHTA.EXE to
function).

- Disable the HTA MIME Type:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/hta
should be temporarily removed. It can be saved to disk and restored later.
This will disable the attempt by the exploit to serve IE an HTA application,
thereby stopping code execution.

It is worth noting that disabling ActiveX (any of the numerous IE entries
which relate to ActiveX) will do nothing to prevent exploitation of this
vulnerability. The problem lies in the way IE perceives the content, and
while it should recognize it as ActiveX, it does not. Hence disabling
ActiveX will not provide a mitigator.

TruSecure Note:

In the TruSecure methodology of mitigating significant risks with easy to
implement synergistic controls, TruSecure has initiated a non-invasive
independent testing on a sample of our clients.  These assessments will
attempt to verify the current state of this exploit, and assess the
potential for successful exploit of this and other common attacks.  These
are non-intrusive non-penetrating assessments.  

When this testing occurs, the testing will originate from the ICSA Labs and
TruSecure network addresses from the netblock 12.36.173.0/24.

DISCLAIMER:
Copyright 2003 TruSecure Corporation.  All rights reserved.  This Alert is
the property of the TruSecure Corporation.  It may not be redistributed
except within your own company or organization.  This Alert is being
provided for informational purposes only and is provided "AS IS."  The
TruSecure Corporation makes no warranties of any kind, express or implied,
including, but not limited to warranties of merchantability, fitness for a
particular purpose, non-infringement, and
warranties arising out of any course of dealing or course of conduct.   

Impenetrable security is unattainable in real world environments; the
TruSecure Corporation cannot and does not guarantee protection against
breaches of security. 

IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS
INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND,
HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE
INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE ANY PRIOR
OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE TRUSECURE CORPORATION HAS
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBP3uCsd80fuPgyoD/EQI3aACgq8wQjXFPA8L1KIU26kaAE2wCeScAoOO3
L+7L+trOnU8eCJbJA3j8vwyk
=hWkd
-----END PGP SIGNATURE-----

_______________________________________________
TSRadar mailing list
TSRadar at postal.trusecure.com
http://postal.trusecure.com/mailman/listinfo/tsradar
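The host artefacts the advisory lists (the DataBasePath value redirected to %SystemRoot%\help, the NameServer value forced to 69.57.146.14, the bogus "windows" interface key and the planted hosts file) and the perimeter-logging mitigation it suggests can both be checked offline. The script below is an added example and is not part of the original post or of the TruSecure advisory. It parses a registry export in the .reg-style text format quoted above, flags hosts-file entries that pin a name to a non-local address, and triages firewall log lines for clients sending DNS traffic to resolvers that are not on an approved list. The registry text, hosts entries, log lines, log format and the approved-resolver address are all constructed for illustration; the stock DataBasePath of %SystemRoot%\System32\drivers\etc is the normal Windows default and is not taken from the advisory.

```python
import re
from ipaddress import ip_address, ip_network

# Indicators quoted from the advisory above.
QHOSTS_NAMESERVER = "69.57.146.14"
TCPIP_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
# Stock location of the hosts file on NT-family Windows (assumption, not from the advisory).
DEFAULT_DATABASEPATH = r"%SystemRoot%\System32\drivers\etc"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Constructed firewall log format: "<date> <time> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(r"^\S+ \S+ (?:ALLOW|DENY) (?:UDP|TCP) (\S+):\d+ -> (\S+):(\d+)$")
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def parse_reg_export(text):
    """Parse a minimal .reg-style export (as quoted in the advisory) into {key: {name: value}}."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            result.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            result[current][value.group(1)] = value.group(2)
    return result


def registry_findings(reg):
    """Report the registry artefacts the advisory lists, as human-readable strings."""
    findings = []
    dbpath = reg.get(TCPIP_PARAMS, {}).get("DataBasePath")
    if dbpath is not None and dbpath.lower() != DEFAULT_DATABASEPATH.lower():
        findings.append(f"DataBasePath redirected to {dbpath}")
    for key, values in reg.items():
        if not key.lower().startswith(TCPIP_PARAMS.lower() + "\\interfaces\\"):
            continue
        iface = key.rsplit("\\", 1)[1]
        if values.get("NameServer") == QHOSTS_NAMESERVER:
            findings.append(f"NameServer on interface {iface} forced to {QHOSTS_NAMESERVER}")
        if iface.lower() == "windows":  # genuine interface keys are GUIDs, not this name
            findings.append("fake interface key 'windows' present")
    return findings


def hosts_findings(hosts_text):
    """Flag hosts entries that pin a name to an address outside loopback and RFC 1918 space."""
    findings = []
    for raw in hosts_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            addr = ip_address(parts[0])
        except ValueError:
            continue
        if addr.is_loopback or any(addr in net for net in RFC1918):
            continue
        findings.extend(f"{name} pinned to {addr}" for name in parts[1:])
    return findings


def dns_to_unapproved_resolvers(log_lines, approved):
    """Return {client: sorted list of destinations} for port-53 traffic not aimed at approved resolvers."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != "53" or m.group(2) in approved:
            continue
        hits.setdefault(m.group(1), set()).add(m.group(2))
    return {client: sorted(dests) for client, dests in hits.items()}


# Constructed sample input: the registry text mirrors the advisory, the rest is invented.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"="%SystemRoot%\help"
"""
SAMPLE_HOSTS = """# constructed sample, not the real planted file
127.0.0.1       localhost
198.51.100.23   www.example-search.test
192.168.1.10    intranet.corp.test
"""
SAMPLE_LOG = [
    "2003-10-02 14:35:01 DENY UDP 10.0.0.17:1045 -> 69.57.146.14:53",
    "2003-10-02 14:35:02 ALLOW UDP 10.0.0.17:1046 -> 10.0.0.2:53",
    "2003-10-02 14:35:03 ALLOW TCP 10.0.0.23:2231 -> 203.0.113.5:80",
    "2003-10-02 14:35:04 DENY UDP 10.0.0.23:1050 -> 69.57.146.14:53",
    "2003-10-02 14:35:05 DENY UDP 10.0.0.23:1051 -> 198.51.100.9:53",
]
APPROVED_RESOLVERS = {"10.0.0.2"}  # hypothetical internal resolver


def triage(reg_text, hosts_text, log_lines, approved):
    """Run all three checks and collect their results in one dictionary."""
    return {
        "registry": registry_findings(parse_reg_export(reg_text)),
        "hosts": hosts_findings(hosts_text),
        "dns_clients": dns_to_unapproved_resolvers(log_lines, approved),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_REG, SAMPLE_HOSTS, SAMPLE_LOG, APPROVED_RESOLVERS).items():
        print(section, items)
```

On a real system the registry text would come from `reg export` of the Tcpip\Parameters key and the hosts file from whatever directory DataBasePath now names, which is the point of the DataBasePath check: a hosts file in the stock location may look clean while the one the resolver actually reads lives elsewhere. The hosts heuristic treats any non-loopback, non-RFC 1918 mapping as suspect, so environments that legitimately pin public names in hosts files will need an allow-list.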