
SANS ISC InfoSec Handlers Diary Blog



Killbit apps for current IE exploit

Published: 2006-09-18
Last Updated: 2006-09-18 14:19:45 UTC
by Tom Liston (Version: 2)
Update: I posted this late on Friday (9/15) evening, so I wanted to pull it back onto the front page again.  This looks to me like a perfect avenue for malware drive-bys, and with the likelihood being that this won't be addressed until the next MS monthly patch cycle (gee... who would EVER have thought that the bad guys would start timing THEIR releases to maximize exposure until the next patch-day?!?) we're probably going to be seeing a whole lot of this stuff:

To make life a little easier, I put together two small apps to set and unset the appropriate "kill bit" to block the actions of the current "daxctle.ocx" IE exploit.  They can be found here:

http://handlers.sans.org/tliston/DAXCTLE.OCX_KillBit.exe  - Standard Windows executable
(MD5: 599a2e48602f63a5330eea8259216584)

http://handlers.sans.org/tliston/DAXCTLE.OCX_KillBit_cmd.exe - Command line version
(MD5: 571a19cf51f713b81545ebd6a007d792)

The command line version, when run without any parameters, will set the "kill bit". When run with any parameter (e.g. something like "/r"), it will remove the "kill bit."

The standard Windows executable, when run, will tell you the current status of the kill bit and offer you the option of changing it.

Hope these help...

--------------------------------------------------------------------------
Tom Liston
ISC Handler
Senior Security Analyst - Intelguardians (http://www.intelguardians.com)
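
For readers who want to see what setting a kill bit involves: under Microsoft's documented mechanism it is the 0x400 bit of the `Compatibility Flags` DWORD under `ActiveX Compatibility\{CLSID}`. The PowerShell below is an added example, not the author's tools or their source. It assumes that mechanism and an elevated session, and the CLSID is a placeholder because the post does not give the control's CLSID.

```powershell
# Added example: report, set, or clear an ActiveX kill bit.
# The default CLSID is a PLACEHOLDER; pass the CLSID of the control to block.
param(
    [ValidateSet('Status', 'Set', 'Clear')]
    [string]$Action = 'Status',
    [string]$Clsid  = '{00000000-0000-0000-0000-000000000000}'  # placeholder
)

$KillBit = 0x400                  # bit that stops IE from instantiating the control
$Name    = 'Compatibility Flags'  # DWORD value that holds the bit

# Native view plus the 32-bit view used by 32-bit IE on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path $_ }

foreach ($root in $Roots) {
    $key   = Join-Path $root $Clsid
    $flags = 0
    if (Test-Path $key) {
        $prop = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($prop) { $flags = [int]$prop.$Name }
    }

    switch ($Action) {
        'Set' {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            $flags = $flags -bor $KillBit            # keep any other flags intact
            Set-ItemProperty -Path $key -Name $Name -Value $flags -Type DWord
        }
        'Clear' {
            if (Test-Path $key) {
                $flags = $flags -band (-bnot $KillBit)  # drop only the kill bit
                Set-ItemProperty -Path $key -Name $Name -Value $flags -Type DWord
            }
        }
    }

    # Always report the resulting state so the change can be verified.
    [pscustomobject]@{
        Key        = $key
        Flags      = '0x{0:X8}' -f $flags
        KillBitSet = [bool]($flags -band $KillBit)
    }
}
```

Running it with `-Action Status` only reads the registry, which makes it usable as a fleet audit check before and after a change.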
