[Dshield] QHOSTS-1 Trojan & MSIE6 Vulnerability

Benjamin M.A. Robson ben at robson.ph
Thu Oct 2 18:13:46 GMT 2003


All,

Since I am on a bit of a role with these postings, here's another one.

(If they are getting to be a bit much to bear let me know and I will shut-up for a while)  ;-P

BenR.


Purpose:                Security Officer Alert
Subject:                Internet Explorer 6 Vulnerability and Exploit
                                Trojan: Qhosts-1
                                      (possible variant of 'Delude')
Threat Level:		Medium
Date:			3rd October 2003
Systems Affected:    Windows NT, Windows ME, Windows 2000,
                           Windows XP, Windows 9x (TBC),
                           Windows Server 2003 (TBC)

Summary:
============

      The Internet community has recently been observing a new attack
against Microsoft Windows systems running Internet Explorer 6 (MSIE6) in
the form of a JavaScript triggered worm.  The current release of
Microsoft Internet Explorer 6 contains an un-patched vulnerability
within its ObjectData handling method(s).

      The currently detected worm carries out a range of actions upon
successfully exploiting a victim, most notable of which is the
alteration of the systems DNS settings. The result is that instead of
attempting DNS resolution via previously configured servers, the victim
host now uses an alternate set of DNS servers.  This allows the attacker
to control where users are browsing by redirecting their web browsing
and other Internet activities to alternate addresses.

      A possible scenario might be that the attacker alters the victim's
DNS settings and the user attempts to browse Amazon.com.  When their
system does a DNS lookup instead of sending the user to the correct page
the alternate DNS server may send the user to a page pretending to be
Amazon.  As a result when the user enters their credit card details to
purchase a book they may in-fact be giving them to the attacker
instead.  (This example is hypothetical in nature and not based on any
observed reality.)

      When the vulnerability within the ObjectData handling method(s) is
exploited by the now active Trojan, MSIE6 executes a contained ActiveX
object within a piece of JavaScript.  MSIE6 is programmed to check
whether this ActiveX code is 'safe' and during this process MSIE6
determines that the ActiveX code is, in fact, simple HTML/Jscript.  As a
result it does not prompt the user to save the data to disk, but instead
remembers it as HyperText Application (HTA) content and invokes the
MSHTA.EXE process to execute the 'simple HTML/Jscript' code.  This code
is x[1].hta which creates and executes AOLFIX.EXE.  AOLFIX.EXE is
downloaded in to the victim systems \temp directory, executed and
deleted.  The final result is the user's system settings being altered
and DNS settings changed.


Who is Affected:
============

      All users who have Microsoft Internet Explorer version 6 are
likely vulnerable to this attack.  This issue has been proven to work on
Microsoft Window ME, Windows NT, Windows 2000, and Windows XP.  It is
also considered likely to work on Microsoft Windows 9x and Windows
Server 2003.


Symptoms if Exploited or Targeted:
===================================

      Users that have been affected by this Trojan will notice a series
of changes to their system, and changes in system behaviour when
attempting to access certain web sites or domain names.  Behavioural
changes will most likely manifest themselves as pages not resolving, or
not appearing correct.

      Directories Created:
      --------------------

      %systemdrive%:\bdtemp
      %systemdrive%:\bdtemp\temp

      Files Created:
      --------------

      AOLFIX.EXE
                  -      Deleted immediately upon execution.
      %systemdrive%:\%systemroot%\winlog
                  -      Contains the letter 'A'
      %systemdrive%:\%systemroot%\help\hosts
                  -      Contains static DNS mappings to many IP
addresses of popular search engines.  See 'Details' section below for
list of addresses mapped.

      Registry Entries:
      -----------------

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Inter
faces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Inter
faces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"NameServer"="69.57.146.14"

HKEY LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"DataBasePath"="%SystemRoot%\help"

        

Actions:
============

      Disabling ActiveX functions withing the MSIE6 browser will not
provide any level of protection against this vulnerability.

      Mitigation:
      -----------

      - Disable Active Scripting within the MSIE6 (& Outlook)
application(s).  This will prevent execution of the pages delivering the
exploit.

      - Ensure firewalls (perimeter defences) are configured to block
unauthorised outbound traffic as well as inbound traffic.  This will
prevent users from using unauthorised DNS servers.  As such victim
systems will reveal themselves very quickly as they fail to look up
Internet domain names.

      - Configure host firewalls (personal firewalls) that can control
application level access to the network (such as ZoneAlarm) to deny
access to the network for MSHTA.EXE.

      - Disable HTA MIME types from within the Windows System Registry. 
To do this remove the entry
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\ContentType\application/hta".
This can be restored later, once a patch is available and applied.

      - Configure IDS (intrusion detection systems) to monitor for
suspicious traffic that may alert the administrator to the attack or
victim systems.  A sample rule set for Snort might be:

          snort.conf:
             var MAL_DNS [216.127.92.38/32,69.57.146.14/32,69.57.147.175/32]

          dns.rules:
          alert tcp any any <> $MAL_DNS 53 (msg:"Malicious DNS Traffic";
sid:900027; rev:1;)      
          alert udp any any <> $MAL_DNS 53 (msg:"Malicious DNS Traffic";
sid:900027; rev:1;)


      Fix:
      ----

      No patch is currently available for this issue.  The patch
MS03-032 does not address this issue.


Details:
=============

      List of entries in hosts file;
      ------------------------------

88.88.88.88 elite 
207.44.194.56 www.google.akadns.net
207.44.194.56 www.google.com
207.44.194.56 google.com 
207.44.194.56 www.altavista.com
207.44.194.56 altavista.com 
207.44.194.56 search.yahoo.com 
207.44.194.56 uk.search.yahoo.com 
207.44.194.56 ca.search.yahoo.com 
207.44.194.56 jp.search.yahoo.com 
207.44.194.56 au.search.yahoo.com 
207.44.194.56 de.search.yahoo.com 
207.44.194.56 search.yahoo.co.jp 
207.44.194.56 www.lycos.de
207.44.194.56 www.lycos.ca
207.44.194.56 www.lycos.jp
207.44.194.56 www.lycos.co.jp
207.44.194.56 alltheweb.com 
207.44.194.56 web.ask.com 
207.44.194.56 ask.com 
207.44.194.56 www.ask.com
207.44.194.56 www.teoma.com
207.44.194.56 search.aol.com 
207.44.194.56 www.looksmart.com
207.44.194.56 auto.search.msn.com 
207.44.194.56 search.msn.com 
207.44.194.56 ca.search.msn.com 
207.44.194.56 fr.ca.search.msn.com 
207.44.194.56 search.fr.msn.be 
207.44.194.56 search.fr.msn.ch 
207.44.194.56 search.latam.yupimsn.com 
207.44.194.56 search.msn.at 
207.44.194.56 search.msn.be 
207.44.194.56 search.msn.ch 
207.44.194.56 search.msn.co.in 
207.44.194.56 search.msn.co.jp 
207.44.194.56 search.msn.co.kr 
207.44.194.56 search.msn.com.br 
207.44.194.56 search.msn.com.hk 
207.44.194.56 search.msn.com.my 
207.44.194.56 search.msn.com.sg 
207.44.194.56 search.msn.com.tw 
207.44.194.56 search.msn.co.za 
207.44.194.56 search.msn.de 
207.44.194.56 search.msn.dk 
207.44.194.56 search.msn.es 
207.44.194.56 search.msn.fi 
207.44.194.56 search.msn.fr 
207.44.194.56 search.msn.it 
207.44.194.56 search.msn.nl 
207.44.194.56 search.msn.no 
207.44.194.56 search.msn.se 
207.44.194.56 search.ninemsn.com.au 
207.44.194.56 search.t1msn.com.mx 
207.44.194.56 search.xtramsn.co.nz 
207.44.194.56 search.yupimsn.com 
207.44.194.56 uk.search.msn.com 
207.44.194.56 search.lycos.com 
207.44.194.56 www.lycos.com
207.44.194.56 www.google.ca
207.44.194.56 google.ca 
207.44.194.56 www.google.uk
207.44.194.56 www.google.co.uk
207.44.194.56 www.google.com.au
207.44.194.56 www.google.co.jp
207.44.194.56 www.google.jp
207.44.194.56 www.google.at
207.44.194.56 www.google.be
207.44.194.56 www.google.ch
207.44.194.56 www.google.de
207.44.194.56 www.google.se
207.44.194.56 www.google.dk
207.44.194.56 www.google.fi
207.44.194.56 www.google.fr
207.44.194.56 www.google.com.gr
207.44.194.56 www.google.com.hk
207.44.194.56 www.google.ie
207.44.194.56 www.google.co.il
207.44.194.56 www.google.it
207.44.194.56 www.google.co.kr
207.44.194.56 www.google.com.mx
207.44.194.56 www.google.nl
207.44.194.56 www.google.co.nz
207.44.194.56 www.google.pl
207.44.194.56 www.google.pt
207.44.194.56 www.google.com.ru
207.44.194.56 www.google.com.sg
207.44.194.56 www.google.co.th
207.44.194.56 www.google.com.tr
207.44.194.56 www.google.com.tw
207.44.194.56 go.google.com 
207.44.194.56 google.at 
207.44.194.56 google.be 
207.44.194.56 google.de 
207.44.194.56 google.dk 
207.44.194.56 google.fi 
207.44.194.56 google.fr 
207.44.194.56 google.com.hk 
207.44.194.56 google.ie 
207.44.194.56 google.co.il 
207.44.194.56 google.it 
207.44.194.56 google.co.kr 
207.44.194.56 google.com.mx 
207.44.194.56 google.nl 
207.44.194.56 google.co.nz 
207.44.194.56 google.pl 
207.44.194.56 google.com.ru 
207.44.194.56 google.com.sg 
207.44.194.56 www.hotbot.com
207.44.194.56 hotbot.com 


      Point of entry for exploit:
      ---------------------------

      The point of exploit for this vulnerability is initiated via a
banner advertisement hosted by FortuneCity.com.  This banner contains
JavaScript code which opens a self closing pop-under banner to a site
hosted by Everyone's Internet (ev1.net).  The ev1.net hosted web site
then delivers the executable code, in turn invoking the HTA ObjectData
vulnerability.


References:
=============

      DShield General Discussion List:
         - wbeckham : "[Dshield] QHOSTS-1 DNS/Hosts file issues" :
02-10-03

      Full-Disclosure Mail List:
         - Paul Tinsley : "Re: [Snort-sigs] Re: [Full-Disclosure]
Mystery DNS Changes" : 02-10-03
         - Harris, Michael C. : "RE: [Full-Disclosure] Myster DNS
Changes" : 01-10-03

      Network Associates (www.nai.com) :
http://vil.nai.com/vil/content/v_100719.htm






More information about the list mailing list