IE/WMP Exploit

From: Carlos Kramer (csk_1975_at_hotmail.com)
Date: 06/15/04

    To: incidents@securityfocus.com
    Date: Tue, 15 Jun 2004 00:19:49 +0000

    I saw the 180solutions.com analysis and the stuff I've seen appears to be
    different and use a different exploit - maybe just a variation on a theme?
    But it overwrites wmplayer.exe and seems to use a WMP exploit as well as
    IE exploits.

    It compromises a fully patched Windows 2000, IE6, WMP7 machine.

    FWIW attached is some information and a copy of the file which replaced
    Windows Media Player. Unfortunately I couldn't capture the actual exploit
    code but I'm sure it's available to those who wish to dig.

    The URL which linked to the exploit was at:-

    http://www.celebritysearchengine.co.uk/fantasy/e/ellemc.htm

    This popped up six windows which installed both the default-homepage-network
    hijacker and also some nasty stuff from www.news-depot.com. www.news-depot.com
    is bogus and moves quickly - when I got the executable it was on a compromised
    unused parked server at a large hosting company. It is currently resolving to
    ip13-43-171-209.toro1.na.psigh.com - 209.171.43.13.

    These URLs were used to do the compromise:-

    http://207.44.156.26/~admin3/ron/ron.php?
    http:///
    http://207.44.156.26/~admin3/ron/adsredir.php?
    http://207.44.156.26/~admin3/ron/adsredir.php?
    http://www.news-depot.com/
    http://www.news-depot.com//main.chm
    http://www.news-depot.com/msits.exe

    This crashed Windows Media Player and then it was overwritten with a small
    windows executable (I have it if you want it) - this was called wmplayer.exe
    and was in the Windows Media Player folder. The real Windows Media Player
    had been deleted.

    Windows Media Player showed this error:-

    Invalid name: mmsu:///. The file name specified is incorrect.
    (Error=C00D001C)
    Invalid name: http:///. The file name specified is incorrect.
    (Error=C00D002B)
    Cannot open. Please verify that the path and filename are correct and try
    again. (Error=C00D002B)

    The next time a WMP media file was accessed the new wmplayer.exe file ran
    and installed lots of adware, junkware, spyware etc, etc. BetterInternet,
    ClockSync, Internet Speed Check, and much more...

    Anyway attached is a description of the various windows which popped up and
    their contents. I don't know if this is of interest to anyone or even the
    correct forum - but hopefully it's of use. (I put them in an attachment as
    they have scripts and HTML which email clients may try to render).


    
    
    

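The URL list in the post shows the shape of the compromise chain as seen from the network: a redirector on 207.44.156.26 hands the browser to www.news-depot.com, which serves main.chm and then msits.exe from the same host within seconds. The following is an added example, not part of the original post or of anything its author attached: a small Python detector that runs over proxy-style access log lines, flags requests to the indicator URLs and hosts taken from the post, and separately flags the generic pattern of a .chm fetch followed shortly by an .exe fetch from the same host for the same client. The log line format (epoch, client, method, URL, status), the 60-second window, and all sample log lines are constructed assumptions for the demonstration; only the indicator URLs and hosts come from the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators copied from the post's "These URLs were used to do the compromise" list
# (query strings dropped, duplicate slashes collapsed; see normalize()).
INDICATOR_URLS = {
    "http://207.44.156.26/~admin3/ron/ron.php",
    "http://207.44.156.26/~admin3/ron/adsredir.php",
    "http://www.news-depot.com/main.chm",
    "http://www.news-depot.com/msits.exe",
}
INDICATOR_HOSTS = {"207.44.156.26", "www.news-depot.com"}

# Constructed sample log in an assumed format: "<epoch> <client> <method> <url> <status>".
# Client 10.0.0.5 replays the chain from the post; the other two clients are filler.
SAMPLE_LOG = """\
1087260000.101 10.0.0.5 GET http://www.celebritysearchengine.co.uk/fantasy/e/ellemc.htm 200
1087260001.220 10.0.0.5 GET http://207.44.156.26/~admin3/ron/ron.php? 200
1087260002.045 10.0.0.5 GET http://207.44.156.26/~admin3/ron/adsredir.php? 302
1087260003.310 10.0.0.5 GET http://www.news-depot.com/ 200
1087260004.002 10.0.0.5 GET http://www.news-depot.com//main.chm 200
1087260006.770 10.0.0.5 GET http://www.news-depot.com/msits.exe 200
1087260100.000 10.0.0.9 GET http://example.org/docs/manual.chm 200
1087260900.000 10.0.0.9 GET http://example.org/setup.exe 200
1087260200.000 10.0.0.7 GET http://updates.example.net/help.chm 200
1087260230.000 10.0.0.7 GET http://updates.example.net/installer.exe 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def normalize(url):
    """Return (scheme://host/path, host, lowercased path) with the query removed
    and runs of slashes in the path collapsed, so '//main.chm' matches '/main.chm'."""
    p = urlparse(url)
    path = re.sub(r"/{2,}", "/", p.path) or "/"
    return f"{p.scheme}://{p.netloc}{path}", p.netloc, path.lower()


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        norm, host, path = normalize(m["url"])
        entries.append({"ts": float(m["ts"]), "client": m["client"],
                        "url": norm, "host": host, "path": path})
    return entries


def find_indicators(entries):
    """Exact-match hits on the indicator URLs and hosts from the post."""
    return [(e["client"], e["url"]) for e in entries
            if e["url"] in INDICATOR_URLS or e["host"] in INDICATOR_HOSTS]


def find_chm_exe_chains(entries, window=60.0):
    """Per client, flag a .chm fetch followed within `window` seconds by an .exe fetch
    from the same host. This is the behavioural pattern the post's URL list shows;
    it is a heuristic and will also fire on benign help-file-then-installer sequences."""
    by_client = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["ts"]):
        by_client[e["client"]].append(e)
    alerts = []
    for client, events in by_client.items():
        for i, chm in enumerate(events):
            if not chm["path"].endswith(".chm"):
                continue
            for exe in events[i + 1:]:
                if exe["ts"] - chm["ts"] > window:
                    break
                if exe["host"] == chm["host"] and exe["path"].endswith(".exe"):
                    alerts.append((client, chm["url"], exe["url"],
                                   round(exe["ts"] - chm["ts"], 3)))
                    break
    return alerts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for hit in find_indicators(parsed):
        print("indicator:", *hit)
    for chain in find_chm_exe_chains(parsed):
        print("chm->exe chain:", *chain)
```

The indicator match is the cheap, high-confidence check for this specific incident; the chm-then-exe heuristic is what you would keep running after the hosts move, as the post says news-depot.com did. Expect it to need tuning against your own baseline, since legitimate software distribution can produce the same sequence.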



