[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0H7100GY4KM964@smtp1.clear.net.nz>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: How often are IE security holes exploited?
Richard Smith wrote:
> Has anyone ever looked into how often security holes in Internet
> Explorer are actually used in viruses, worms, Trojan horses, and other
> malware? ...
Not systematically, but this is an issue of some interest to me
too...
> ... My sense is that very few of them are actually used in the
> wild. ...
Ditto.
What happens is one or two exploits become commonly used after a
virus using them is itself somewhat "successful" (always a relative
term) at spreading in the wild. My impression is that this is
largely a function of lack of skill/interest/inspiration on the part
of the virus writers. (Many familiar with my views on the typical
skill levl of virus writers are likely to be getting all riled up
about now, but please engage your thinking processes and bear
with me...)
In general, most viruses are derivative works, drawing on what has
gone before. This is alsmot equally true of "new" families of
viruses as it is of the hoardes of (mainly) trivial variants of
existing viruses we continually see. This is not to say that all
virus writers are clueless and unimaginative, but for many even the
notion that adding "C:\WINNT" to the hard-coded list of Windows
installation directories they test for the existence of whatever is
more than they are capable of...
So, imagine what happens when one virus writer "imaginatively" adds
an exploit for some IE security hole that allows "auto-run simply
from reading an Email message" functionality to a self-mailing virus?
That's right -- a few other virus writers copy the idea. Do they do
it by looking through the Bugtraq archives to find a _different_
exploitable security hole and tweaking an exploit to their needs?
Nah -- they grab the virus' source code if it is available, or an
Email message "infected" with the virus in question if it became at
all widespread and they thus have access to a sample, and they more
or less copy what they see. Of course, those who think of themselves
as especially imaginative will add a random string generator so the
MIME section headers will not be the same in all messages their virus
generates, but that's about the extent of "innovation" we see.
Thus, at any point in history, just one or two exploits will be
"fashionable". Way back when Kak was at its prime, a few other
viruses copied the Scriptlet/TypeLib exploit it used (and many admins
of "dubious" web sites wrote trivial IE configuration changing
Trojans that were dropped onto the sites' visitors' machines via
exploits of that same vulnerability).
Of late the "Incorrect MIME Header" (MS01-020) and the "Java
Exception Exploit" (MS00-075 from memory) bugs have been most widely
used.
> ... The KaK and Klez worms both use IE security holes to do their
> dirty work, but most other Windows viruses seem to rely on social
> engineering and standard features of Microsoft products.
I disagree, at least for the things that have had any degree of
"success". For example, just recently, at least some varaiants of
the Bugbear, Oror, Winevar, Holar, Braid, Frethem and Yaha families
have used one or other (and some both) of the vulnerabilities I
mentioned above. And going back a bit further, BadTrans, Nimda and
SirCam all spring to mind (though I haven't checked).
Oh, and don't forget CodeRed (and Nimda also exploited the same
vulnerability). And the "new" Opaserv family is the first (and so
far only) one to exploit the (old) MS00-072 share-level password
vulnerability in Win9x/ME. (I suspect that this has not become a
more commonly used technique because Opaserv's code has not been
published -- it is certainly a _very_ effective method as it is the
only one Opaserv uses and Opaserv has been much more successful than
most mass-mailers in the last year or so, with Klez being the obvious
exception.)
> If folks know of other malware that make use of IE security holes,
> please let me know. I'm putting together a little list.
Note that MS does not consider the vulnerability used in the "Java
Exception Exploit" an IE hole but rather a Microsoft VM hole (the fix
is to install an updated version of the MS VM). My understanding is
that it is really a problem in the MS VM's flawed handling of a
"feature" MS added all of its own volition with its security zones
feature in IE and the decision to make the VM configurable on a zone
by zone basis. This it does not seem misleading to refer to it as an
"IE linked" vulnerability.
Further to all these, there are semi-automated "scan and compromise"
tools looking for MS SQL with null admin passwords, Windows boxes
with open shares and such like. These seem to be mainly being used
by the "web pirates" -- drive space and badnwidth stealers looking
for free hosting space and bandwidth -- and various bot and DDoS net
builders.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Powered by blists - more mailing lists