Message-ID: <3DFA0C4E.4080409@thievco.com>
From: BlueBoar at thievco.com (Blue Boar)
Subject: How often are IE security holes exploited?
Nick FitzGerald wrote:
> What happens is one or two exploits become commonly used after a
> virus using them is itself somewhat "successful" (always a relative
> term) at spreading in the wild. My impression is that this is
> largely a function of lack of skill/interest/inspiration on the part
> of the virus writers. (Many familiar with my views on the typical
> skill level of virus writers are likely to be getting all riled up
> about now, but please engage your thinking processes and bear
> with me...)
>
> In general, most viruses are derivative works, drawing on what has
> gone before. This is almost equally true of "new" families of
> viruses as it is of the hordes of (mainly) trivial variants of
> existing viruses we continually see. This is not to say that all
> virus writers are clueless and unimaginative, but for many even the
> notion that adding "C:\WINNT" to the hard-coded list of Windows
> installation directories they test for the existence of whatever is
> more than they are capable of...
I would tend to agree with you. I think another reason for poor coding on
malicious code in general is that I imagine it can be somewhat difficult to
test. I'd guess that most malicious code authors don't have a lab environment
that allows them to sufficiently simulate the Internet and the combinations
of OSes, etc. that they want to target.
> So, imagine what happens when one virus writer "imaginatively" adds
> an exploit for some IE security hole that allows "auto-run simply
> from reading an Email message" functionality to a self-mailing virus?
>
> That's right -- a few other virus writers copy the idea. Do they do
> it by looking through the Bugtraq archives to find a _different_
> exploitable security hole and tweaking an exploit to their needs?
>
> Nah -- they grab the virus' source code if it is available, or an
> Email message "infected" with the virus in question if it became at
> all widespread and they thus have access to a sample, and they more
> or less copy what they see. Of course, those who think of themselves
> as especially imaginative will add a random string generator so the
> MIME section headers will not be the same in all messages their virus
> generates, but that's about the extent of "innovation" we see.
Nimda uses the X-audio exploit to try to autorun when you render the HTML
in IE or Outlook. Earlier this year, there was another bug in the same
vein that was a direct functional equivalent, but because it came later,
wasn't patched, etc... I fully expected it to get used quickly, and I don't
think it did.
>>... The KaK and Klez worms both use IE security holes to do their
>>dirty work, but most other Windows viruses seem to rely on social
>>engineering and standard features of Microsoft products.
>
> I disagree, at least for the things that have had any degree of
> "success". For example, just recently, at least some varaiants of
> the Bugbear, Oror, Winevar, Holar, Braid, Frethem and Yaha families
> have used one or other (and some both) of the vulnerabilities I
> mentioned above. And going back a bit further, BadTrans, Nimda and
> SirCam all spring to mind (though I haven't checked).
Don't forget that if you're patched against the vulnerability, you usually
still have the opportunity to manually launch the attachment. Thus, the SE
method is still there as a backup, and I'd say a large portion of them can
still be counted as using it.
As an interesting side-effect, when they attach things in such a way as to
take advantage of IE-isms, they often break the attachment on other
platforms. Most of my MC mail I get in my Mozilla mail client just shows
as a dot. If I want the attachment, I have to manually decode it.
>
> Oh, and don't forget CodeRed (and Nimda also exploited the same
> vulnerability).
Code Red and Nimda did not take advantage of any of the same
vulnerabilities. Code Red was strictly a single-vulnerability worm, and
affected only IIS servers, didn't have any IE exploit. Now, Nimda did try
to look for root.exe (CodeRed2, Sadmind, manual attacks from "China Cyber
War") and the /C and /D mappings (CodeRed2) backdoors, but that's not quite
the same thing.
BB
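The MIME trick the thread refers to (a part declared as audio that actually carries an executable, so that a vulnerable client runs it while rendering the message) can be checked for on the receiving side by comparing the declared Content-Type with the filename and the decoded payload. The following is an added example, not code from this thread or its participants; the two messages it parses are constructed, and the heuristics (an executable extension under an auto-handled media type, a PE "MZ" header in a non-application part) are assumptions chosen for illustration, not a complete detection rule.

```python
"""Flag MIME parts whose declared Content-Type disagrees with the attachment.

Added example, not from the original thread.  The messages and the heuristics
below are constructed for illustration.
"""
import base64
import email
from email import policy

# Assumed heuristics: media types a mail client may hand off automatically,
# and filename extensions that indicate an executable.
AUTO_HANDLED_TYPES = {"audio/x-wav", "audio/wav", "audio/x-midi"}
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


def suspicious_parts(raw_message: bytes):
    """Return a list of (content_type, filename, reason) for mismatching parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""  # transfer-decoded bytes
        reasons = []
        if ctype in AUTO_HANDLED_TYPES and filename.lower().endswith(EXECUTABLE_EXTENSIONS):
            reasons.append("executable filename under auto-handled media type")
        if payload[:2] == b"MZ" and not ctype.startswith("application/"):
            reasons.append("PE header (MZ) in non-application part")
        if reasons:
            findings.append((ctype, filename, "; ".join(reasons)))
    return findings


def _build_message(ctype: str, filename: str, body: bytes) -> bytes:
    """Assemble a small two-part constructed message with one attachment."""
    return (
        b"From: sender@example.invalid\n"
        b"To: recipient@example.invalid\n"
        b"Subject: constructed sample\n"
        b"MIME-Version: 1.0\n"
        b'Content-Type: multipart/mixed; boundary="constructed-boundary-1234"\n'
        b"\n"
        b"--constructed-boundary-1234\n"
        b'Content-Type: text/html; charset="us-ascii"\n'
        b"\n"
        b"<html><body>hello</body></html>\n"
        b"--constructed-boundary-1234\n"
        b"Content-Type: " + ctype.encode() + b'; name="' + filename.encode() + b'"\n'
        b"Content-Transfer-Encoding: base64\n"
        b'Content-Disposition: attachment; filename="' + filename.encode() + b'"\n'
        b"\n" + base64.b64encode(body) + b"\n"
        b"--constructed-boundary-1234--\n"
    )


# Constructed: declared as audio/x-wav, but named .exe and starting with "MZ".
FAKE_PE = b"MZ" + b"\x00" * 30
SAMPLE_MESSAGE = _build_message("audio/x-wav", "readme.exe", FAKE_PE)

# Constructed: a genuine-looking WAV attachment (RIFF header), which must not be flagged.
FAKE_WAV = b"RIFF" + b"\x00" * 4 + b"WAVE"
CLEAN_MESSAGE = _build_message("audio/x-wav", "clip.wav", FAKE_WAV)

if __name__ == "__main__":
    print("sample:", suspicious_parts(SAMPLE_MESSAGE))
    print("clean:", suspicious_parts(CLEAN_MESSAGE))
```

The decoded-payload check is the one that matters: a client that trusts the declared media type is exactly what the declared type is lying to, so the gateway should look at the bytes and the filename instead.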