[Full-Disclosure] How often are IE security holes exploited?

From: Blue Boar (BlueBoar@thievco.com)
Date: Fri, 13 Dec 2002 08:35:26 -0800

Nick FitzGerald wrote:
> What happens is one or two exploits become commonly used after a
> virus using them is itself somewhat "successful" (always a relative
> term) at spreading in the wild. My impression is that this is
> largely a function of lack of skill/interest/inspiration on the part
> of the virus writers. (Many familiar with my views on the typical
> skill level of virus writers are likely to be getting all riled up
> about now, but please engage your thinking processes and bear
> with me...)
> In general, most viruses are derivative works, drawing on what has
> gone before. This is almost equally true of "new" families of
> viruses as it is of the hordes of (mainly) trivial variants of
> existing viruses we continually see. This is not to say that all
> virus writers are clueless and unimaginative, but for many even the
> notion that adding "C:\WINNT" to the hard-coded list of Windows
> installation directories they test for the existence of whatever is
> more than they are capable of...

I would tend to agree with you. I think another reason for poor coding in
malicious code in general is that I imagine it can be somewhat difficult to
test. I'd guess that most malicious code authors don't have a lab environment
that allows them to sufficiently simulate the Internet and the combinations
of OSes, etc., that they want to target.

> So, imagine what happens when one virus writer "imaginatively" adds
> an exploit for some IE security hole that allows "auto-run simply
> from reading an Email message" functionality to a self-mailing virus?
> That's right -- a few other virus writers copy the idea. Do they do
> it by looking through the Bugtraq archives to find a _different_
> exploitable security hole and tweaking an exploit to their needs?
> Nah -- they grab the virus' source code if it is available, or an
> Email message "infected" with the virus in question if it became at
> all widespread and they thus have access to a sample, and they more
> or less copy what they see. Of course, those who think of themselves
> as especially imaginative will add a random string generator so the
> MIME section headers will not be the same in all messages their virus
> generates, but that's about the extent of "innovation" we see.

Nimda uses the X-audio exploit to try to autorun when you render the HTML
in IE or Outlook. Earlier this year, there was another bug in the same
vein that was a direct functional equivalent, but because it came later,
wasn't patched, etc... I fully expected it to get used quickly, and I don't
think it did.

>>... The KaK and Klez worms both use IE security holes to do their
>>dirty work, but most other Windows viruses seem to rely on social
>>engineering and standard features of Microsoft products.
> I disagree, at least for the things that have had any degree of
> "success". For example, just recently, at least some variants of
> the Bugbear, Oror, Winevar, Holar, Braid, Frethem and Yaha families
> have used one or other (and some both) of the vulnerabilities I
> mentioned above. And going back a bit further, BadTrans, Nimda and
> SirCam all spring to mind (though I haven't checked).

Don't forget that if you're patched against the vulnerability, you usually
still have the opportunity to manually launch the attachment. Thus, the SE
method is still there as a backup, and I'd say a large portion of them can
still be counted as using it.

As an interesting side-effect, when they attach things in such a way as to
take advantage of IE-isms, they often break the attachment on other
platforms. Most of my MC mail I get in my Mozilla mail client just shows
as a dot. If I want the attachment, I have to manually decode it.

> Oh, and don't forget CodeRed (and Nimda also exploited the same
> vulnerability).

Code Red and Nimda did not take advantage of any of the same
vulnerabilities. Code Red was strictly a single-vulnerability worm, and
affected only IIS servers, didn't have any IE exploit. Now, Nimda did try
to look for root.exe (CodeRed2, Sadmind, manual attacks from "China Cyber
War") and the /C and /D mappings (CodeRed2) backdoors, but that's not quite
the same thing.
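As an added example (not from this post, nor from the thread), the two things discussed above can both be checked mechanically: a mail part that declares a harmless media type such as audio/x-wav while carrying an executable, which is the MIME-header mismatch that let IE/Outlook auto-run an attachment when the message was rendered, and web-server log lines probing for the Code Red II leftovers (root.exe and the /c and /d drive mappings) that Nimda went looking for. The message and the access-log lines below are constructed for illustration; the filename readme.exe, the Content-ID value and the probe URLs are assumptions modelled on how the technique works, not captures from any real sample.

```python
"""Added example: flag MIME-type/filename mismatches in a mail message and
Code Red II backdoor probes in a web-server access log.  Sample data is
constructed; it is not a real worm sample or real log."""
import email
import os
import re
from email import policy

# Extensions that Windows will execute when the attachment is launched.
EXECUTABLE_EXTS = {".exe", ".com", ".pif", ".scr", ".bat", ".vbs", ".js", ".hta"}

# Constructed message: an HTML body whose hidden iframe points (via cid:) at a
# part labelled audio/x-wav that actually carries a PE file ("MZ" header).
SAMPLE_EML = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="====_constructed_boundary_===="

--====_constructed_boundary_====
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><iframe src=3Dcid:part1 height=3D0 width=3D0></iframe></BODY></HTML>

--====_constructed_boundary_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <part1>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--====_constructed_boundary_====--
"""

def suspicious_mime_parts(raw_message):
    """Return (content_type, filename, is_pe, referenced_inline) for each leaf
    part whose filename has an executable extension.  referenced_inline is
    True when an HTML body pulls the part in through src="cid:...", which is
    how the auto-run trick gets the part rendered without a click."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    inline_refs = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("latin-1", "replace")
            inline_refs.update(re.findall(r"cid:([^\s\"'>]+)", html, re.I))
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""          # falls back to Content-Type name=
        ext = os.path.splitext(name.lower())[1]
        if ext not in EXECUTABLE_EXTS:
            continue
        payload = part.get_payload(decode=True) or b""
        cid = str(part.get("Content-ID", "")).strip().strip("<>")
        findings.append((part.get_content_type(), name,
                         payload.startswith(b"MZ"), cid in inline_refs))
    return findings

# Constructed access-log lines (Common Log Format, fictitious addresses).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2002:00:00:01 -0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [01/Jan/2002:00:00:01 -0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [01/Jan/2002:00:00:02 -0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 -
10.0.0.9 - - [01/Jan/2002:00:00:05 -0000] "GET /index.html HTTP/1.0" 200 1234
"""

def classify_probe(request_path):
    """Label a request path: Code Red II backdoor probes (root.exe, the /c and
    /d virtual directories) versus an encoded-traversal attempt at cmd.exe."""
    p = request_path.lower()
    if "/root.exe" in p:
        return "codered2-backdoor:root.exe"
    if re.match(r"^/[cd]/winnt/system32/cmd\.exe", p):
        return "codered2-backdoor:drive-mapping"
    if "cmd.exe" in p and re.search(r"\.\.%[0-9a-f%]+\.\./", p):
        return "iis-traversal"
    return None

LOG_RE = re.compile(r'^(\S+) .*"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def scan_access_log(lines):
    """Return (source, label, path, status) for every line that matches a
    probe; a 200 on a backdoor or traversal probe means the box answered."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_probe(m.group(2))
        if label:
            hits.append((m.group(1), label, m.group(2), int(m.group(3))))
    return hits

if __name__ == "__main__":
    for f in suspicious_mime_parts(SAMPLE_EML):
        print("mail part:", f)
    for h in scan_access_log(SAMPLE_LOG.splitlines()):
        print("log hit:", h)
```

Patching the mail client removes the auto-run, but the mismatched part still arrives as a launchable attachment, which is the point made above about social engineering remaining as the fallback; checking the decoded payload for the "MZ" header rather than trusting either the declared type or the filename catches the part either way.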
