
SANS ISC InfoSec Handlers Diary Blog



Mailbag - Malware Everywhere, IE Unauthorized Printing

Published: 2004-04-12
Last Updated: 2004-04-12 21:28:50 UTC
by Joshua Wright (Version: 1)
Mailbag - Malware Everywhere


We have received several additional reports of malware being distributed from a banner server at sm1.passthison.com (209.50.251.182). This site is reportedly exploiting the Internet Explorer CHM flaw to compromise systems by including JavaScript in banner advertisements. It isn't immediately obvious whether this is the result of intended action by this site or the result of a system compromise. Attempts to contact the administrators of the passthison.com domain and the upstream ISP (servint.com) have not yet been answered.



The following source code comment suggests that an automated tool is being used to generate the Internet Explorer exploit code:
<!-- NEW Z.D.E.-D.B.D. w/ vu083003-H.P.S. (c) April 2004 SmartBot -->



If anyone has any additional information about this tool, please contact the Internet Storm Center.



Another reader identified malware in a SCR attachment posted to several public USENET newsgroups, purportedly offering adult content featuring a popular pop singer. Symantec Anti-Virus with signatures from 4/12/2004 reports no malware, but strings in the executable indicate that it contains an embedded Trojan dropper called "ExeStealth".
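The indicators in the two reports above (the banner server host and IP, the SmartBot comment, and the "ExeStealth" string in the SCR attachment) are enough to build a quick triage scan for web content, proxy logs and mail/USENET attachments. The script below is an added example written for this diary, not a tool from the ISC or the reporting readers; the indicator values come from the diary, while the ad snippet, proxy-log lines and attachment bytes are constructed for illustration, and the ms-its:/.chm check is the editor's assumption about the CHM vector rather than something the reports state.

```python
"""Indicator scan for the artifacts described in this diary (added example).

Editor-written code, not from the ISC or the diary's author. The host, IP,
HTML comment and "ExeStealth" string are taken from the diary; the sample
ad snippet, proxy-log lines and attachment bytes are constructed.
"""
import re

BANNER_HOST = "sm1.passthison.com"
BANNER_IP = "209.50.251.182"
SMARTBOT_COMMENT = "<!-- NEW Z.D.E.-D.B.D. w/ vu083003-H.P.S. (c) April 2004 SmartBot -->"
DROPPER_MARKER = re.compile(rb"exestealth", re.I)
# Assumption (editor's, not stated in the diary): the IE CHM vector reaches the
# browser via ms-its: URLs or .chm files, so both are worth flagging in ad content.
CHM_REFERENCE = re.compile(r"ms-its:|\.chm\b", re.I)
# Screen savers are ordinary PE executables; treat them like any other binary.
RISKY_EXTENSIONS = {".scr", ".exe", ".pif", ".com"}
BANNER_SERVER = re.compile(re.escape(BANNER_HOST) + "|" + re.escape(BANNER_IP), re.I)


def scan_html(html: str) -> list[str]:
    """Return indicator names found in a page or banner-ad snippet."""
    hits = []
    if SMARTBOT_COMMENT in html:
        hits.append("smartbot-comment")
    if BANNER_SERVER.search(html):
        hits.append("banner-server")
    if CHM_REFERENCE.search(html):
        hits.append("chm-reference")
    return hits


def scan_proxy_log(lines: list[str]) -> list[str]:
    """Return the proxy-log lines whose URL or peer address is the banner server."""
    return [ln for ln in lines if BANNER_SERVER.search(ln)]


def scan_attachment(name: str, data: bytes) -> list[str]:
    """Return indicator names for a mail or USENET attachment."""
    hits = []
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if ext in RISKY_EXTENSIONS:
        hits.append("executable-extension")
    if data.startswith(b"MZ"):  # DOS/PE header: a Windows executable whatever the name says
        hits.append("pe-header")
    if DROPPER_MARKER.search(data):
        hits.append("exestealth-string")
    return hits


# --- constructed samples (not captured data) ---
SAMPLE_AD_HTML = (
    '<div class="ad">\n'
    + SMARTBOT_COMMENT + "\n"
    + '<script src="http://sm1.passthison.com/banner.js"></script>\n'
    + "</div>\n"
)
CLEAN_HTML = '<div class="ad"><img src="http://ads.example.net/b.gif"></div>'

SAMPLE_PROXY_LOG = [
    "1081800000.123 212 10.0.0.15 TCP_MISS/200 1432 GET http://sm1.passthison.com/ad.html - DIRECT/209.50.251.182 text/html",
    "1081800001.456  50 10.0.0.16 TCP_HIT/200 8192 GET http://www.example.com/ - NONE/- text/html",
    "1081800002.789 300 10.0.0.17 TCP_MISS/200 512 GET http://209.50.251.182/x.chm - DIRECT/209.50.251.182 application/octet-stream",
]

# A fake PE stub with the dropper string embedded, standing in for the USENET .scr.
SAMPLE_SCR = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"...ExeStealth..."

if __name__ == "__main__":
    print("ad html:", scan_html(SAMPLE_AD_HTML))
    print("clean html:", scan_html(CLEAN_HTML))
    print("proxy hits:", scan_proxy_log(SAMPLE_PROXY_LOG))
    print("attachment:", scan_attachment("video.scr", SAMPLE_SCR))
```

String and host indicators like these are only useful while the same server and generator are in play; a re-encoded banner or a renamed dropper string would pass, which is why the diary's advice to rely on script blocking and updated signatures, and to patch once a fix ships, still stands.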


Administrators should use anti-virus tools with malicious-script blocking features and updated signatures to mitigate IE CHM attacks, and be prepared to deploy patches to resolve this serious issue once they become available.



IE Unauthorized Printing


A post on the BUGTRAQ mailing list indicates that an attacker can force Internet Explorer to print browser content without authorization by the user. Sample code to exploit the flaw was also made available. While this flaw does not allow an attacker to compromise a vulnerable system, it demonstrates another weakness in the popular web browser. Testing on Mozilla 1.7b on Windows XP indicates that it is not vulnerable to this flaw. Sarcasm omitted.



--Joshua Wright/Handler on duty