Re: Alert: W32/BadTrans.B-mm
From: http-equiv@excite.com
Date: 11/27/01
Message-ID: <9053762.1006839253128.JavaMail.imail@slippery>
Date: Mon, 26 Nov 2001 21:34:07 -0800
From: "http-equiv@excite.com" <http-equiv@EXCITE.COM>
Subject: Re: Alert: W32/BadTrans.B-mm
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> This thing exploits a vulnerability in some versions of Internet Explorer
> (see below) that was first fixed back on March of this year. The way these
> versions of IE handled certain MIME types allowed files to be delivered that
> would automatically execute when the email was opened (when using Outlook)
> or rendered in the Preview Pane (when using Outlook Express). It was
> subsequently used by Nimda in two of its propagation mechanisms (it used
> .eml and .nws files via HTML to deliver the MIME header, and also mass
> mailed messages formed specifically to exploit this vulnerability).
>
> TruSecure's analysis of this over the weekend leads us to believe that a
> great many people must not have applied the patch, or other packages that
> deliver the patch. This should be considered carefully by anyone who thinks
> there's a reasonable amount of time within which people apply such patches,
> we're talking more than 6 months and 4 packages that contained the fix for
> each affected version, yet we still seem to be seeing this thing get
> considerable legs.
>
> Although this is a BadTrans variant, it has been repackaged (compressed) and
> as such probably requires an AV update to be detected. Most AV Vendors
> should have updates available by the time you read this, check with them.
> Ultimately the message comes with a MIME Content Type of "audio/x-wav", and
> a double extension (.doc.scr) ending in .scr or .pif. The attachment itself
> is a Win32 executable.
>
> If executed it will mass-mail itself, probably as replies to unread messages
> in your inbox. NTBugtraq posters may have already received some in response
> to their list messages (I have).
>
> See your AV Vendor for more details.
>
> That done, take a minute to review the possible IE patch mechanisms
> described below. We predicted, when this vulnerability was first discovered,
> that this was going to be heavily exploited. Nimda's email component didn't
> seem to work very well, still unclear precisely why, but its web browser
> propagation certainly seemed effective. Now this BadTrans variant, and we
> will likely see more.
>
> If you cannot get your browsers to one of the unaffected versions for some
> reason other than time/manpower, drop me a note and let me know why. I'd
> like to understand what's preventing this vulnerability from going away
As below our communication in response to another matter in the same vein.
Having received a couple of copies of this thing, we couldn't quite understand how
or why they were emanating from parties who use IE6.00, which is not
vulnerable. Further testing reveals that an *.scr file wedged
in-between an IFRAME executes on the first opening of the attachment
warning. Previously it was our understanding, and from our testing, that an
assembly coded *.exe in a regular html frame would allow for this. Having
tested (working example below), a *.scr in-between an IFRAME executes like
the assembly coded *.exe renamed to a *.bat. "Regular" *.exe files with the
correct extension do nothing. No execution.
Clearly someone has cottoned on to changing it to *.scr as the likelihood of
a curious /newbie/ opening the 'attachment warning' on a patched or updated
IE5 and virgin IE6 is good, and it will execute without further warning.
According to the vendor response in the communication we are addressing
below, tough luck to the user, any warning should be sufficient.
May as well string up a cobweb in front of the executable attachment and
claim it is a warning.
Pathetic.
"Jouko Pynnonen" <jouko@solutions.fi> wrote in message:
>
> The flaw has been successfully exploited with Internet Explorer 5.5 and
> 6. An IE5 with the latest updates shows the spoofed file name and
> extension without a sign of EXE, and issues no Security Warning dialog
> after the file download dialog.
> VENDOR STATUS
>
> Microsoft was contacted on November 19th. The company doesn't currently
> consider this a vulnerability; they say that the trust decision should
> be based on the file source and not type. The origin of the file, i.e. the
> web server's hostname, can't be spoofed with this flaw. It's not known
> whether a patch is going to be produced. Microsoft is currently
> investigating the issue.
This is interesting, but not surprising. A couple of hours ago, we received two
copies of the new W32/BadTrans.B-mm and, taking a closer look, we found the
following:
1. A lot of noise is being made about how the vulnerability that this uses
is old, and that many patches, service packs, warnings, other i-worms
utilising the vulnerability have come and gone, yet there is wide-scale
spreading of this variant today.
2. The two copies we received were from Outlook Express 6.00 mail clients.
How can that be? They are not vulnerable to the so-called: audio/x-wav MIME
IFRAME Outlook Express vulnerability.
3. What we found was precisely as you describe above, as what was discussed
and demonstrated over 12 months ago, and as recent as 3 months ago:
http://www.securityfocus.com/bid/3271, and as the vendor continuously claims
as above.
4. In the case of Outlook Express 6 [and probably the others, even the
patched others], the W32/BadTrans.B-mm uses *.scr or *.pif files
[S3MSONG.DOC.scr]
5. We found that a *.scr file incorporated in an IFRAME does in fact
execute after only the single 'open it' or 'save it' attachment warning.
There is no second 'SECURITY WARNING'; simply accepting the generic
attachment warning dialogue runs the *.scr without any other warning. *.exe
won't run.
Working Example [harmless "windows flower pot" screen saver]:
http://www.malware.com/badtranceman.zip
This is simply not acceptable. Guaranteed there are generic folk out there
who know nothing, and will open that attachment warning out of curiosity, be
their mail client Outlook Express 5.00 patched, 5.5 patched, or 6.00
patched. The current proliferation can surely be based on that [as well].
The warning dialogue is just not good enough for executable file
attachments. A clear safety warning must follow the single, simple 'open it'
or 'save it' flimsy attachment warning. It is grossly unfair to the
clientele this vendor caters to and contributes to the destruction of the
internet infrastructure as a whole adding to making it unsafe for everyone.
Please don't sell the nice little children shiny bright toys with toxic
parts that fall off that they can swallow and then claim they ought to know
better and not put it in their mouths.
references:
http://www.malware.com/carolclickme.html
http://www.malware.com/yoko.html
side irritational note: there is nothing more pleasurable than scratching
out 3/4 of this communication, then having the Windows operating system
freeze on you, hard reboot and start all over again.
side technical AV note: the W32/BadTrans.B-mm copies received are not
actually being sent through/by the mail client. They're in X-Unsent: 1 state,
which means Message Composition State in Outlook Express; no doubt it's
clear to the AV experts it's using its own SMTP engine, but the headers and
boundary lines aren't of OE vintage. Also, each copy arrived with a zero byte
*.txt file attachment as well as the payload. It all appears to be a
peculiar construction.
simple solution: SWITCH OFF HTML IN THE EMAIL CLIENT!
--- http://www.malware.com
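An added example, not part of the original post, that turns the traits described above (the "audio/x-wav" content type on an attachment with a double extension ending in .scr or .pif, the X-Unsent: 1 header, the empty *.txt attachment) into a simple mail-gateway check. The sample message is constructed for the example, not a real BadTrans capture, and the tag names are the example's own.

```python
import email
from email import policy

SUSPECT_EXTS = (".scr", ".pif")
# Constructed sample (not a real capture) carrying the traits the post lists.
SAMPLE = b"""From: someone@example.invalid
Subject: Re: your message
X-Unsent: 1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html

<html><body>hi</body></html>
--BOUND
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

--BOUND
Content-Type: audio/x-wav; name="REPORT.DOC.scr"
Content-Disposition: attachment; filename="REPORT.DOC.scr"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--BOUND--
"""

def scan_message(raw: bytes) -> list:
    """Return indicator tags found in one raw message (empty list if clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if msg.get("X-Unsent", "").strip() == "1":  # OE "composition state" header
        findings.append("x-unsent-header")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Declared as audio, but named as a screensaver/shortcut executable.
        if part.get_content_type() == "audio/x-wav" and name.endswith(SUSPECT_EXTS):
            findings.append(f"audio-mime-executable:{name}")
        # Double extension such as .doc.scr, whatever the declared type.
        stem, _, ext = name.rpartition(".")
        if "." in stem and f".{ext}" in SUSPECT_EXTS:
            findings.append(f"double-extension:{name}")
        if name.endswith(".txt") and not payload.strip():  # empty .txt part
            findings.append("zero-byte-txt")
    return findings
```

Any non-empty result is a reason to quarantine the message before a preview pane ever renders it.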