[unisog] Spamming machines: a mystery dll?

Gary Flynn flynngn at jmu.edu
Mon Sep 29 19:48:13 GMT 2003



Matt Crawford wrote:

>> Also, if you have Snort or another IDS/packet capture device
>> at your border, you may want to watch for application/hta:
>>
>> alert tcp any 80 -> any any (msg:"HTA MIME Content in HTML";content:"Content-Type\:";nocase;content:"application/hta";nocase;)
>> alert tcp any any -> any 25 (msg:"HTA MIME Content in SMTP";content:"Content-Type\:";nocase;content:"application/hta";nocase;)
> 
> 
> The bad guy can hide from that!

Granted. I wasn't suggesting monitoring that string as an overall
detection method. I was suggesting it so they could collect some
samples of possible HTA Object exploits and compare it to the
systems and files they were having problems with. I suspect they
won't have any problems finding unhidden ones.

I've seen WHAT APPEARS TO BE attempts at a few different downloads,
one binary encoded one, some scraping of email addresses from the
registry, start page hijacking, and favorites manipulation. I seem
to recall at least one using what looked like the reported unpatched
XML exploit.

Anyone else seeing activity?

This doesn't appear isolated:

http://www.cnn.com/2003/TECH/internet/09/27/microsoft.browser.reut/index.html
http://www.computerworld.com/securitytopics/security/story/0,10801,84675,00.html?SKC=home84675

I'm hoping Microsoft will release a patch Wednesday. I'll have a heck of a
time telling people to turn off scripts, ActiveX, and delete the HTA MIME
association. And telling them that browsing the web or clicking links in
email and instant messaging is unsafe isn't very desirable either.

Russian Roulette anyone?

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
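As an added illustration of the point made in the thread (not code from the original post or from either author), the following is one way to triage captured HTTP responses or SMTP MIME parts for the application/hta content type while tolerating the header variants that a literal string match misses: mixed case, folded continuation lines, extra whitespace and trailing parameters. The sample captures are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample captures (not taken from the mailing-list post).
# Each one carries the HTA media type in a form that the literal
# "application/hta" string match would not catch.
HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: example\r\n"
    "Content-Type: Application/HTA; charset=us-ascii\r\n"
    "\r\n"
    "<html>...</html>"
)

SMTP_PART = (
    'Content-Disposition: attachment; filename="readme.hta"\r\n'
    "Content-Type:\r\n"
    "\tapplication/hta\r\n"
    "\r\n"
    "body"
)

BENIGN = "Content-Type: text/html\r\n\r\n<p>hi</p>"


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split an RFC 822 style header block into name -> values.
    Continuation lines (leading space or tab) are unfolded first."""
    head = raw.split("\r\n\r\n", 1)[0]
    unfolded = re.sub(r"\r\n[ \t]+", " ", head)
    headers: Dict[str, List[str]] = {}
    for line in unfolded.split("\r\n"):
        if ":" not in line:          # status/request line, no header
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def media_type(content_type: str) -> str:
    """Bare media type: drop parameters, remove whitespace, lowercase."""
    bare = content_type.split(";", 1)[0]
    return re.sub(r"\s+", "", bare).lower()


def is_hta(raw: str) -> bool:
    """True if any Content-Type header in the capture names application/hta."""
    values = parse_headers(raw).get("content-type", [])
    return any(media_type(v) == "application/hta" for v in values)


def scan(captures: Iterable[str]) -> List[int]:
    """Indexes of captures worth pulling as HTA samples."""
    return [i for i, c in enumerate(captures) if is_hta(c)]
```

Matching on the normalised header value only narrows the sample-collection net; as the thread notes, it is not a complete detection method.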


