[Full-Disclosure] TREND MICRO: The Protector Becomes The Vector [technical exercise: cross-application-scripting]

http-equiv_at_excite.com
Date: 06/03/04

  • Next message: Nicolas Rachinsky: "Re: [Full-Disclosure] Strange TCP/IP DNS traffic"
    To: <full-disclosure@lists.netsys.com>
    Date: Thu, 3 Jun 2004 16:28:39 -0000
    
    

    Thursday, June 03, 2004

    The following represents an interesting technical examination
    when the so-called "Anti-Virus" protector becomes the
    Virus "Vector". Naturally this is the result of relying on
    the "plug and play" or "module" of one Internet Explorer browser
    and operating system from a product "innovator" called
    Microsoft.

    Trend Micro [ http://www.trendmicro.com ], a purveyor of
    gadgetry designed to 'protect' the little people on the
    Information Super Highway from a seemingly endless stream of
    traffic of obstacles collectively known as "malware", has a very
    nice little apparatus to achieve this.

    The "Trend Micro Internet Security model no. 1120 1311 engine
    version: 7.100" with all the bells and whistles. Lengthy
    examination confirms that it does its job and it does its job
    quite well.

    However:

    For whatever inexplicable reason, it [and perhaps others] relies
    on the time-tested insecure device known as the Microsoft
    Internet Explorer. It uses this incredible derelict 'thing' to
    generate its reports; that is, when the "Anti-Virus" gadget
    encounters an opponent, the "malware" of the day, it alerts and
    indicates precisely what the problem is.

    Sounds Good:

    Knowing what it uses and where it uses it, we then have to work
    backwards and devise a method to 'cross-application-scripting'
    our arbitrary code into the device in order to coax it to do our
    work for us.

    Specifically:

    1. When the product alerts it creates an html file in the
    temporary folder of the user's machine [the so-called "local zone"]

    [screen shot: http://www.malware.com/weallcar.png 29KB ]

    This html file is viewed from an Internet Explorer "browser
    object" and indicates what file is problematic.

    2. Technically [so far] in order to make use of all of this we
    need to name our problematic file a suitable name with suitable
    html tags to render as we require. At present the actual browser
    and operating system automatically filter this [<script>.com
    becomes _script_.com].

    3. We need a container to achieve this and do so like this:

    PK
         (<QhD D <img>.comX5O!P%@AP[4[snip ](P^)7CC)7}
    $EICAR-STANDARD-ANTIVIRUS-TEST-FILE![snip] +H*PK
         (<QhD D  eicar.comPK   7
    k

    4. Now when our so-called "real time scan" encounters our
    problematic file it will alert like so:

    [screen shot: http://www.malware.com/ucar.png 43KB]

    5. And as has been demonstrated now for a bare minimum of 4 years
    [see: http://www.malware.com for a small smattering of examples]
    anything run from the local computer zone, the so-called
    Microsoft "My Computer" zone in the integrated Explorer, can
    effectively take full and complete control of the user's computer.

    CAREFULLY NOTE:

    a) the default setting of this particular Trend Micro device
    does not automatically scan inside .zip files on download;
    for demonstration purposes it must be enabled.

    b) manual re-construction of the .zip file in order to meet the
    checksum which would allow script writing back into the temp
    file would be required

    Working Example:

    http://www.malware.com/icar.html

    Notes:

    1. This is a technical exercise demonstrating 'cross-application
    scripting'. Practical implementation at present should prove
    impractical

    2. Developers: do not put your html files in the temp folders!

    End Call

    -- 
    http://www.malware.com
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
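The container trick and the report-writing flaw described in the post above, as an added worked example that is not part of the original message nor Trend Micro's code. It builds, in memory, a zip whose entry name is the post's "<img>.com", shows that the name survives inside the archive even though Windows would never accept it on disk, and then contrasts a toy report writer that pastes the scanner's verdict into HTML unescaped with one that escapes it. The scanner, the report template, the entry name and the payload marker are all constructed for this example; the EICAR test string the post uses to trigger the scanner is replaced by a harmless stand-in.

```python
"""Cross-application scripting via a zip entry name.

Added example (not code from the original post): build a zip container
carrying an HTML tag in its entry name, run a stand-in scanner over it,
and render the detection report two ways, unescaped and escaped.
"""
import html
import io
import zipfile

# Characters Windows refuses in an on-disk file name.  The post observes that
# "<script>.com" is rewritten to "_script_.com" when saved; a zip entry name,
# by contrast, is just bytes in the archive headers and is never filtered.
WINDOWS_RESERVED = set('<>:"/\\|?*')

# Constructed stand-in payload; the post uses the EICAR test string here.
PAYLOAD = b"stand-in for the EICAR test string"

# The entry name the post shows inside its container (constructed here).
MALICIOUS_NAME = "<img>.com"


def is_valid_windows_name(name):
    """True if the OS would accept `name` unchanged as an on-disk file name."""
    return not (set(name) & WINDOWS_RESERVED)


def build_container(entry_name, payload):
    """Return zip bytes holding one STORED entry named `entry_name`.

    zipfile fills in CRC-32 and sizes in both the local header and the
    central directory, which is the "manual re-construction of the .zip
    file in order to meet the checksum" the post mentions when patching a
    name into an existing archive by hand.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry_name, payload)
    return buf.getvalue()


def entry_names(container):
    """Entry names exactly as stored in the archive (no OS filtering)."""
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        return zf.namelist()


def container_crc_ok(container):
    """True if every entry's stored CRC-32 matches its data."""
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        return zf.testzip() is None


def scan_container(container, signature):
    """Toy stand-in for the real-time scanner: for each entry whose bytes
    contain `signature`, record the verdict keyed by the *archive's* entry
    name, which is what then ends up in the HTML report."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for info in zf.infolist():
            if signature in zf.read(info):
                hits.append((info.filename, "signature match"))
    return hits


def render_report_vulnerable(detections):
    """Report writer that interpolates the entry name as-is: any markup in
    the name becomes markup in the report page."""
    rows = "".join(
        f"<tr><td>{name}</td><td>{verdict}</td></tr>" for name, verdict in detections
    )
    return f"<html><body><table>{rows}</table></body></html>"


def render_report_safe(detections):
    """Same report, but every scanner-supplied string is HTML-escaped, so
    the name is displayed rather than rendered."""
    rows = "".join(
        f"<tr><td>{html.escape(name, quote=True)}</td>"
        f"<td>{html.escape(verdict, quote=True)}</td></tr>"
        for name, verdict in detections
    )
    return f"<html><body><table>{rows}</table></body></html>"


if __name__ == "__main__":
    container = build_container(MALICIOUS_NAME, PAYLOAD)
    print("OS would accept the name on disk:", is_valid_windows_name(MALICIOUS_NAME))
    print("names stored in the zip:", entry_names(container))
    print("CRCs consistent:", container_crc_ok(container))
    hits = scan_container(container, PAYLOAD)
    print("--- vulnerable report ---")
    print(render_report_vulnerable(hits))
    print("--- escaped report ---")
    print(render_report_safe(hits))
```

Escaping fixes the injection but not the second problem the post raises: a report written to the temp folder and opened through an embedded browser object is rendered in the Local Machine zone, so any markup that does slip through runs with that zone's privileges. Both measures belong together: escape every scanner-supplied string, and keep generated HTML out of locations the browser treats as local.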
    
