lists.openwall.net
Open Source and information security mailing list archives
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: How often are IE security holes exploited?

Richard Smith wrote:

> Has anyone ever looked into how often security holes in Internet
> Explorer are actually used in viruses, worms, Trojan horses, and other
> malware? ...

Not systematically, but this is an issue of some interest to me too...

> ... My sense is that very few of them are actually used in the
> wild. ...

Ditto. What happens is one or two exploits become commonly used after a virus using them is itself somewhat "successful" (always a relative term) at spreading in the wild. My impression is that this is largely a function of lack of skill/interest/inspiration on the part of the virus writers. (Many familiar with my views on the typical skill level of virus writers are likely to be getting all riled up about now, but please engage your thinking processes and bear with me...)

In general, most viruses are derivative works, drawing on what has gone before. This is almost equally true of "new" families of viruses as it is of the hordes of (mainly) trivial variants of existing viruses we continually see. This is not to say that all virus writers are clueless and unimaginative, but for many even the notion of adding "C:\WINNT" to the hard-coded list of Windows installation directories they test for the existence of whatever is more than they are capable of...

So, imagine what happens when one virus writer "imaginatively" adds an exploit for some IE security hole that allows "auto-run simply from reading an Email message" functionality to a self-mailing virus? That's right -- a few other virus writers copy the idea. Do they do it by looking through the Bugtraq archives to find a _different_ exploitable security hole and tweaking an exploit to their needs? Nah -- they grab the virus' source code if it is available, or an Email message "infected" with the virus in question if it became at all widespread and they thus have access to a sample, and they more or less copy what they see. Of course, those who think of themselves as especially imaginative will add a random string generator so the MIME section headers will not be the same in all messages their virus generates, but that's about the extent of "innovation" we see.

Thus, at any point in history, just one or two exploits will be "fashionable". Way back when Kak was at its prime, a few other viruses copied the Scriptlet/TypeLib exploit it used (and many admins of "dubious" web sites wrote trivial IE configuration changing Trojans that were dropped onto the sites' visitors' machines via exploits of that same vulnerability). Of late the "Incorrect MIME Header" (MS01-020) and the "Java Exception Exploit" (MS00-075 from memory) bugs have been most widely used.

> ... The KaK and Klez worms both use IE security holes to do their
> dirty work, but most other Windows viruses seem to rely on social
> engineering and standard features of Microsoft products.

I disagree, at least for the things that have had any degree of "success". For example, just recently, at least some variants of the Bugbear, Oror, Winevar, Holar, Braid, Frethem and Yaha families have used one or other (and some both) of the vulnerabilities I mentioned above. And going back a bit further, BadTrans, Nimda and SirCam all spring to mind (though I haven't checked). Oh, and don't forget CodeRed (and Nimda also exploited the same vulnerability). And the "new" Opaserv family is the first (and so far only) one to exploit the (old) MS00-072 share-level password vulnerability in Win9x/ME. (I suspect that this has not become a more commonly used technique because Opaserv's code has not been published -- it is certainly a _very_ effective method as it is the only one Opaserv uses and Opaserv has been much more successful than most mass-mailers in the last year or so, with Klez being the obvious exception.)

> If folks know of other malware that make use of IE security holes,
> please let me know. I'm putting together a little list.

Note that MS does not consider the vulnerability used in the "Java Exception Exploit" an IE hole but rather a Microsoft VM hole (the fix is to install an updated version of the MS VM). My understanding is that it is really a problem in the MS VM's flawed handling of a "feature" MS added all of its own volition with its security zones feature in IE and the decision to make the VM configurable on a zone by zone basis. Thus it does not seem misleading to refer to it as an "IE linked" vulnerability.

Further to all these, there are semi-automated "scan and compromise" tools looking for MS SQL with null admin passwords, Windows boxes with open shares and such like. These seem to be mainly being used by the "web pirates" -- drive space and bandwidth stealers looking for free hosting space and bandwidth -- and various bot and DDoS net builders.

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
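An added example, not part of Nick's message or the list archive: a small Python detector for the message shape the MS01-020 "Incorrect MIME Header" mass-mailers discussed above are known for, namely a MIME part whose Content-Type claims a media type a mail client would hand to an inline viewer while its name= or filename= parameter is an executable. The mismatch heuristic, the media-type and extension lists, and both sample messages are this example's own assumptions, constructed here rather than taken from any real worm or from the post.

```python
"""Flag MIME parts that declare an inline media type but carry an executable
file name (the MS01-020-style header mismatch).

Added example; samples are constructed, not taken from any real worm.
The type and extension lists below are assumptions, not an exhaustive set.
"""
import email
import os
from email import policy

# Content-Types a mail client would typically render inline (assumption:
# representative, not exhaustive).
INLINE_MEDIA_TYPES = {
    "audio/x-wav", "audio/x-midi", "audio/basic",
    "image/gif", "image/jpeg", "image/png", "video/x-msvideo",
}

# Extensions Windows would execute on open (assumption: representative).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def find_mismatched_parts(raw: bytes) -> list:
    """Return [(content_type, filename), ...] for every leaf part whose
    declared Content-Type is an inline media type but whose attachment
    name has an executable extension."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()          # normalised to lower case
        # Content-Disposition filename=, falling back to Content-Type name=
        name = part.get_filename()
        if not name:
            continue
        ext = os.path.splitext(name)[1].lower()
        if ctype in INLINE_MEDIA_TYPES and ext in EXECUTABLE_EXTS:
            hits.append((ctype, name))
    return hits


# Constructed sample: the suspicious shape. The base64 body is just an
# "MZ" header stub, not a real program.
WORM_LIKE = b"""\
From: a@example.invalid
To: b@example.invalid
Subject: hi
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="bnd1"

--bnd1
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<html><body>hello</body></html>
--bnd1
Content-Type: audio/x-wav; name="setup.exe"
Content-Transfer-Encoding: base64
Content-ID: <part1>

TVqQAAMAAAAEAAAA
--bnd1--
"""

# Constructed sample: an honest .wav and an honestly declared .exe.
# Neither is flagged; the signal is the mismatch, not the .exe itself.
BENIGN = b"""\
From: a@example.invalid
To: b@example.invalid
Subject: clip
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd2"

--bnd2
Content-Type: text/plain; charset=us-ascii

Attached.
--bnd2
Content-Type: audio/x-wav; name="clip.wav"
Content-Disposition: attachment; filename="clip.wav"
Content-Transfer-Encoding: base64

UklGRg==
--bnd2
Content-Type: application/octet-stream; name="tool.exe"
Content-Disposition: attachment; filename="tool.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--bnd2--
"""

if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(label, find_mismatched_parts(raw))
```

The detector keys on the header mismatch rather than on the executable extension alone, so an honestly declared application/octet-stream attachment (which the client would prompt for) passes while the media-typed executable is flagged; the random boundary and header strings the post mentions do not affect it, because nothing here matches on those.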