Last Updated: 2004-07-03 00:10:09 UTC
by Cory Altheide (Version: 1)
Today's big news revolves around Microsoft releasing an out-of-cycle fix for the vulnerabilities recently exploited by the Download.Ject malware (among others).
This patch will turn off the ADODB.Stream ActiveX control, which has been used in conjunction with last week's Russian web site defacements to install malware on unsuspecting users' PCs. Given the urgency demonstrated by last week's exploits, Microsoft released this patch ahead of its next "Patch Day" (July 13th). However, as demonstrated by the proof of concept code below, even after ADODB.Stream is disabled, it is still possible to launch programs on the user's system without user interaction.
(Note: We verified the link and the proof of concept code appears harmless. It will open a cmd.exe shell and wait for the user to press a key. However, we have no control over the exploit site and the code may change at any
The underlying issue was first made public on Bugtraq about 10 months ago.
If you are using Microsoft Internet Explorer to browse the Internet, it is suggested that you set the security level for your 'Internet Zone' to High. This will disable the functions that lead to the exploit. However, it will also disable Windows Update, unless you add the Windows Update server to your list of secure sites (the Trusted sites zone).
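Both of the mitigations above (the kill bit that Microsoft's patch applies to ADODB.Stream, and the Internet Zone level) live in the registry, so they can be audited from a `reg export` of the relevant keys. The following Python script is an added example and is not part of the original diary: it parses such an export and reports whether the ADODB.Stream control is killed and whether the Internet Zone is at High. The ADODB.Stream CLSID, the kill-bit flag (0x400) and the High/Medium level values (0x12000/0x11000) are this example's assumptions about Microsoft's registry layout rather than facts stated in the diary, and the .reg text embedded in the script is constructed, not captured from a real host.

```python
"""Audit an exported Internet Explorer registry fragment for two mitigations
discussed above: the ADODB.Stream kill bit and an Internet Zone level of High.
Added example; the .reg text below is constructed, not captured from a real host."""
import re

# Assumptions (not stated in the diary): the CLSID of the ADODB.Stream control,
# the "Compatibility Flags" kill bit (0x400) Microsoft's fix sets for it, and the
# "CurrentLevel" dword IE stores for the High template (0x12000; Medium is 0x11000).
ADODB_STREAM_CLSID = "{00000566-0000-0010-8000-00AA006D2EA4}"
KILLBIT_KEY_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                      r"\ActiveX Compatibility" + "\\")
KILLBIT_FLAG = 0x400
INTERNET_ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                     r"\Internet Settings\Zones\3")
ZONE_LEVEL_HIGH = 0x12000
ZONE_LEVEL_MEDIUM = 0x11000

# Constructed .reg export: kill bit applied, but the Internet Zone still at Medium.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
"Compatibility Flags"=dword:00000400

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00011000
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')


def parse_reg(text):
    """Parse the subset of .reg syntax used here ([key] sections holding
    "name"=dword:hex or "name"="string" values) into {key: {name: value}}.
    Key and value names are lower-cased because the registry is case-insensitive."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            keys[current][name.lower()] = int(dword, 16) if dword is not None else string
    return keys


def killbit_set(keys, clsid=ADODB_STREAM_CLSID):
    """True if the control's Compatibility Flags carry the kill bit, i.e. IE will
    refuse to instantiate it no matter what a page asks for."""
    flags = keys.get((KILLBIT_KEY_PREFIX + clsid).lower(), {}).get("compatibility flags", 0)
    return isinstance(flags, int) and bool(flags & KILLBIT_FLAG)


def internet_zone_level(keys):
    """Return the raw CurrentLevel dword of zone 3 (Internet), or None if absent."""
    return keys.get(INTERNET_ZONE_KEY.lower(), {}).get("currentlevel")


def audit(text):
    """Run both checks over a .reg export and return the findings as a dict."""
    keys = parse_reg(text)
    level = internet_zone_level(keys)
    return {
        "adodb_stream_killbit": killbit_set(keys),
        "internet_zone_level": level,
        "internet_zone_high": level == ZONE_LEVEL_HIGH,
    }


if __name__ == "__main__":
    for name, result in audit(SAMPLE_REG).items():
        print(f"{name}: {result}")
```

On the constructed input the script reports the kill bit as set but the zone as not High, which is exactly the half-mitigated state the diary warns about: the patch alone closes ADODB.Stream, while the zone level is what blocks the remaining proof-of-concept path.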
* Be very picky about adding sites to your set of secure sites. While the administrator may be well intentioned, the Russian web defacements showed that even regular sites can harbor
* Do not follow links to untrusted sites and be careful when inspecting links sent to you via email.
* Run an up-to-date virus scanner. Not a 100% fix given the rapid deployment of malware, but it may help.
* Run a firewall with tight outbound traffic control. This will not fix the initial infection, but it may prevent a trojan from calling home and downloading additional components. It will also alert you to the malware once it attempts to call home.
Continuing MSIE exploit reports
Additionally, the ISC is continuing to receive numerous reports of malware compromising systems via Internet Explorer vulnerabilities. If you experience this (especially post-patch) please submit the relevant information for dissection by our malware analysis group.
Download.Ject referenced here:
The Microsoft press release:
*** POC EXPLOIT --- FOLLOW THIS LINK WITH CARE ****
SANSFIRE: Hug^H^H^H Meet an ISC Handler
In case you've missed the banner hovering above this text, SANSFIRE 2004 begins this upcoming Tuesday in Monterey, California. Many of the ISC's handlers will be in attendance, so be sure to stop by the and say hello. Handlers expected to be present include Marc Sachs, Johannes Ullrich, Ed Skoudis, Lenny Zeltser, Toby Kohlenberg, Pedro Bueno, Mike Poor, and last and certainly least, yours truly, Cory Altheide. The IPNET is the official handlers' pen, but handlers can usually be found in the proximity of any bar with WiFi access.
See you next week!
Handler on Duty