TonyKlein
Premium
join:2001-07-02
Netherlands

HTA Download, a new type of danger!

From »www.nsclean.com/psc-htas.html

quote:
HTA DOWNLOAD EXPLOIT

SYNOPSIS:

On July 28th 2003, a new means of exploit was discovered by the team at spywareinfo.com which involved a program rapidly disseminating onto the computers of innocent victims called "WINMAIN.EXE." The source of this file is currently unknown, though it appears to be rampant, likely placed onto machines as one of those "hijacker/adware" packages. Normally such programs are at worst a privacy issue or an annoyance. However, this event portends an entirely new method of attack against machines, given that the offending executable activates a particularly dangerous piece of Internet Explorer and exposes a serious new risk to all machines, since this executable runs throughout an entire Windows session, and does not possess the ability to distinguish the source of scripts which it will run. This particular exploit drops a file called "C:\WINLOG.HTML" which is called, and can be located, but future exploits will be able to generate other files with other names. This exploit is merely the opening salvo in what we expect to be a whole new approach to trojans.

"Winmain.exe," the first discovered version of "HTASPLOIT" was apparently loaded as "spyware" on numerous machines, most likely installed along with "freeware" or "shareware trial" software since the economics of software has gravitated towards the installation of advertising software in order to compensate for the use of "free software". While this practice has provided software at no cost in exchange for the sufferance of advertising and popups to the end user, the advertising software which places advertising on the end user's screen has been an annoyance, and at worst, a privacy violation in exchange for the use of that "free software." Winmain ("HTASPLOIT") presents a far more serious threat.

HTASPLOIT goes beyond advertising "downloaders" (commonly classified by antiviruses as "DLOADER trojan") into a whole new realm of risk. HTASPLOIT functions by automatically loading Microsoft's extremely dangerous "MSHTA.EXE" program, otherwise known as "HyperText Application" interpreter. THIS time, the malware is MICROSOFT, and no firewall or antivirus will block MSHTA.EXE! "Winmain" immediately loads MSHTA.EXE from the Windows folder and places it on "hot standby" ... at this point, once it's confirmed to be running, "winmain" exits. MSHTA, once started, runs for the rest of the system session until Windows itself is completely shut down. On system startup, it is automatically run again each time Windows reboots.

This "winmain" program is starting up MSHTA, ready to ACCEPT HTA scripting within a web page and then EXECUTE what is embedded in ANY web page containing VBScript in the form of HTA coded page as a PROGRAM. In most circumstances, the web-based script can be turned INTO an EXE file and saved to the victim's machine. While Microsoft has, since our raising of this issue along with "Guninski" back in 2001, disconnected MSHTA from being INVOKED by Internet Explorer, it will STILL run what is presented to it when started on a local machine in the "local machine" or "my computer zone" as a TRUSTED APPLICATION ORIGINATING FROM A TRUSTED SITE since this is done on some corporate networks for the convenience of the "glass room geeks." In other words, this completely bypasses the security zone structures and patches of Internet Explorer BECAUSE MSHTA is ALREADY RUNNING in the "local" zone ... therefore, when presented with script, it will parse it and run it, despite any firewall, and/or IE restrictions.

Back at the time of the release of the EXE2HTML exploit, Microsoft had IE set so that the PRESENCE of the object call in a web page would INVOKE MSHTA.EXE ... their "solution" was to remove the ability to invoke it without a warning screen. However, if it's ALREADY RUNNING, then no such warning will occur and MSHTA will then replace all those pesky "downloaders" that get caught by AV's, thus making the ability to silently download to a victim computer a CINCH. What has occurred here is a BRAND NEW direction by the spies! And one that's two years old and previously unused. And a CLEVER way of pulling it all together without any alarms from firewalls, antiviruses, or other security software since a Microsoft function is at the heart of this exploit.

"Winmain" is covered in BOClean as "HTASPLOIT," and for those who are using our IEClean product, this problem has been a NON-issue for over two years now. However, since many folks AREN'T using IEClean, we made a FREEBIE available back in April of 2001 called "HTAstop" ... it WILL prevent MSHTA from functioning. HTAstop is a solution for THIS problem, but is limited to JUST this one ... Details of how "HTA" works can be examined here in the Microsoft MSDN library information which explains HTA in detail:

»msdn.microsoft.com/library/defau···view.asp

SOLUTION:
Privacy Software Corporation has made available a FREE program called "HTAstop" which will permit the complete shutdown of the HTA aspect of the Windows Scripting Host at whim and also permit it to be turned on again if needed. We encourage our customers to download this program and have notified our existing BOClean customers on our list server of its availability.

You can download a free copy of "HTAstop" HERE. The program should be saved to your desktop. No installation or uninstall is required, the program will run as soon as it is saved and removal if you desire is accomplished by simply deleting the file. There are no other components to the program.

Support and instructions for HTAstop can be found on our page at: »www.nsclean.com/htastop.html

COPYRIGHTED MATERIAL:

Copyright (c) 2001, 2003 by Privacy Software Corporation.


John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England

As far as I know, those of us that are running ScriptSentry are already protected from this danger.

Also, from memory, you can overcome the danger by removing the association of MSHTA.exe from HTA under Folder Options\File Types.
--
Better to remain silent and be thought a fool, than to speak and remove all doubt.



TonyKlein
Premium
join:2001-07-02
Netherlands

Absolutely. You could associate HTA files with Notepad, and be done with it.

In Win98 I used to rename Mshta.exe, which will obviously also work fine.

However, the implications for people who are unaware that this danger exists could potentially be huge.



dp
Premium,MVM
join:2000-12-08
Greensburg, PA
kudos:7

reply to John2g

said by John2g:
As far as I know, those of us that are running ScriptSentry are already protected from this danger.

Also, from memory, you can overcome the danger by removing the association of MSHTA.exe from HTA under Folder Options\File Types.

I have it checked
--
Write your questions down on the back of a $20 dollar bill and send them to me

Gavin_TH

join:2003-04-03
Australia

reply to TonyKlein
Yep, Wormguard and all those other programs will block HTA. We received this sample and have added detection for TDS-3; just shows some of the old methods are still being used, I guess.
--
Gavin Coe
DiamondCS Analyst
»www.diamondcs.com.au



Ctrl Alt Del
Premium
join:2002-02-18

reply to TonyKlein
Houston, we have a problem.

In Windows XP, the User Accounts in the control panel needs mshta.exe to run. Go ahead, open the User Accounts, and you'll see mshta.exe running.
--
I wanna fsck you like an animal.



FiOS Dan
Premium
join:2001-07-06
Redondo Beach, CA

reply to TonyKlein

Ah...life is sweet! Thank you Jason Levine for peace of mind courtesy of Script Sentry.
--
"Well, come see a fat old man sometime!"


antiserious
The Future ain't what it used to be
Premium
join:2001-12-12
Scranton, PA


... ditto ... what a great little program ... nice to know I was protected before I even saw this thread - good read, though, and definitely something to watch develop ...

--
... "Sometimes you're the Bird ... sometimes you're the Windshield" ...


Gavin_TH

join:2003-04-03
Australia

reply to Ctrl Alt Del

said by Ctrl Alt Del:
Houston, we have a problem.

In Windows XP, the User Accounts in the control panel needs mshta.exe to run. Go ahead, open the User Accounts, and you'll see mshta.exe running.

I don't see it running on a test machine, so I can only guess that's because the machine uses the Windows Classic style instead of the XP Theme fancy stuff.
--
Gavin Coe
DiamondCS Analyst
»www.diamondcs.com.au

HVM007

join:2001-03-15
San Jose, CA

reply to FiOS Dan
Are you guys saying to delete this application in the "file types"? Thanks.



John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England

said by HVM007:
Are you guys saying to delete this application in the "file types"? Thanks.
No, delete the association. A better solution is to install ScriptSentry, which does it for you and protects you from running scripts etc. It is freeware.
--
Better to remain silent and be thought a fool, than to speak and remove all doubt.


John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England

reply to TonyKlein
As an aside, I read a monthly newsletter, "Crack Talk". Terry Blount recommended in September 1999 that you delete the MSHTA entry associated with .hta files because "a new hole found in IE5 allows anyone with a web page to place a program on a victim's hard disk that will be executed at the next reboot." He further writes: "This is one hell of an exploit. Not many people realize that html pages renamed to .hta are executable in Windows."

He really was ahead of the field.
--
Better to remain silent and be thought a fool, than to speak and remove all doubt.



bcool
Premium
join:2000-08-25
The Ozarks

reply to FiOS Dan
I made the default action on *.hta to open in notepad.exe. Folder Options in XP now shows *.hta associated with notepad. Is this sufficient for the moment? (I did not remove the old default association entry)
--
"in flagrante delicto"



Jason Levine
Premium
join:2001-07-13
USA

reply to John2g

said by John2g:
As an aside, I read a monthly newsletter, "Crack Talk". Terry Blount recommended in September 1999 that you delete the MSHTA entry associated with .hta files because "a new hole found in IE5 allows anyone with a web page to place a program on a victim's hard disk that will be executed at the next reboot." He further writes: "This is one hell of an exploit. Not many people realize that html pages renamed to .hta are executable in Windows."

He really was ahead of the field.

As someone who has programmed legitimate HTA apps, let me just say that clicking on a link to a HTA application won't run that application on your local system. It will prompt you to download it. After that, you'd have to double-click it (and get past Script Sentry or any other protective software) to run the application. I really don't think HTA files pose any more of a risk than running some EXE file you've downloaded.

As an example, click here and see what happens:

»www.jasons-toolbox.com/OpenPorts···orts.hta
--
-Jason Levine
http://www.jasons-toolbox.com/
http://www.PCQandA.com/
http://www.urateit.com/


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

To clarify...
...clicking on a link to a HTA application won't run that application on your local system. It will prompt you to download it.
"...as long as your registry has not been tampered with."

---------

I can modify your registry in such a way as to remove the "Download Dialog box" when clicking an .hta link. You can generally verify things are OK by checking in the File Types box and finding the "Confirm open..." box is checked.

HOWEVER, I can STILL fake you out by modifying your registry so that that box is incorrect. WinXP might be able to protect you from registry modifications by scripts, but Win98 cannot.

I must recommend Jason's Script Sentry as the superior solution to the HTA risk. Also, make sure your Internet zone is secure in the first place! (Goes without saying, but I said it anyway...)

[text was edited by author 2003-07-30 09:43:57]
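The checks discussed in the posts above, as an added example that is not from any poster in this thread or from Privacy Software Corporation: a read-only PowerShell audit of the .hta association (what John2g and TonyKlein suggest changing), of the "Confirm open after download" state that R2 says can be faked in the registry, and of whether mshta.exe is currently running on the box (the point Ctrl Alt Del raises about XP's User Accounts). The registry layout it reads (.hta pointing at a ProgID, normally htafile, with shell\open\command and EditFlags under that ProgID) and the FTA_OpenIsSafe bit value are standard Windows; the function names are my own, and the mapping of FTA_OpenIsSafe to the File Types checkbox is as I understand that dialog.

```powershell
# Added example: audit how .hta files are handled on this machine.
# Read-only: it changes nothing, it only reports.

# FTA_OpenIsSafe (documented Windows EditFlags bit). When it is set, the
# "Confirm open after download" box in File Types is cleared, meaning a
# downloaded .hta would open without the prompt R2 describes.
$FTA_OpenIsSafe = 0x00010000

function Get-HtaAssociation {
    $result = [ordered]@{
        ProgId       = $null
        OpenCommand  = $null
        UsesMshta    = $false
        ConfirmOpen  = $null    # $true = user is prompted before a downloaded .hta opens
        MshtaRunning = @()
    }

    # HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes,
    # so a per-user override (like the notepad trick above) shows up here too.
    $ext = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.hta' -ErrorAction SilentlyContinue
    if ($ext) { $result.ProgId = $ext.'(default)' }

    if ($result.ProgId) {
        $progKey = "Registry::HKEY_CLASSES_ROOT\$($result.ProgId)"

        # The open verb is what actually launches when a .hta is double-clicked.
        $cmd = Get-ItemProperty -Path "$progKey\shell\open\command" -ErrorAction SilentlyContinue
        if ($cmd) {
            $result.OpenCommand = $cmd.'(default)'
            $result.UsesMshta   = [bool]($result.OpenCommand -match 'mshta\.exe')
        }

        # EditFlags may be stored as REG_DWORD or REG_BINARY; normalise to an int.
        $cls = Get-ItemProperty -Path $progKey -ErrorAction SilentlyContinue
        if ($cls -and $null -ne $cls.EditFlags) {
            $flags = if ($cls.EditFlags -is [byte[]]) {
                [BitConverter]::ToInt32($cls.EditFlags, 0)
            } else {
                [int]$cls.EditFlags
            }
            $result.ConfirmOpen = -not ($flags -band $FTA_OpenIsSafe)
        }
    }

    # A resident mshta.exe is exactly what the nsclean write-up describes;
    # on XP it may also be a legitimate User Accounts instance, so report, don't kill.
    $result.MshtaRunning = @(Get-Process -Name mshta -ErrorAction SilentlyContinue |
        Select-Object Id, Path, StartTime)

    [pscustomobject]$result
}

function Test-HtaHardened {
    param([Parameter(Mandatory)] $Assoc)
    # "Hardened" in the sense used in this thread: .hta no longer opens in
    # mshta.exe, either because the association was removed or re-pointed.
    return (-not $Assoc.UsesMshta)
}

$assoc = Get-HtaAssociation
$assoc | Format-List

if (Test-HtaHardened $assoc) {
    Write-Host '.hta does not open in mshta.exe on this machine.'
} else {
    Write-Warning '.hta still opens in mshta.exe (see the File Types / notepad workaround discussed above).'
    if ($assoc.ConfirmOpen -eq $false) {
        Write-Warning 'EditFlags marks open as safe: a downloaded .hta would run without the confirmation prompt.'
    }
}
if ($assoc.MshtaRunning.Count -gt 0) {
    Write-Warning "mshta.exe is currently running ($($assoc.MshtaRunning.Count) instance(s)); check what started it."
}
```

Run it in a normal user session; no elevation is needed to read these keys or list processes. A machine where the poster's notepad trick has been applied reports `UsesMshta : False`, while a default install reports the mshta.exe command and, on most systems, `ConfirmOpen : True`. A `ConfirmOpen : False` on an otherwise default box is the registry state R2 warns about and is worth comparing against a known-good machine.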


ninersfan

join:2001-02-09
Castro Valley, CA

reply to Jason Levine

said by Jason Levine:

I really don't think HTA files pose any more of a risk than running some EXE file you've downloaded.

Aren't downloaded EXE files considered the most risky of file types a user can run, as they are by nature executables themselves? If so, then it makes perfect sense that HTA files don't pose any more of a risk than running some EXEs, which are high risk in their own right.

Somehow, I don't think the comparison is appropriate though, but correct me if I'm wrong here. I understand the part about the .hta file having to be both downloaded and executed, but is that all so hard to pull off, really?

As I'm sure we're all aware, users who don't have their browser security sufficiently configured in their IE-specific "non-trusted" zones are where "drive-by downloads" of pretty much any malware seem to be a fairly common occurrence.

I'm making the assumption, while not knowing for sure that a malicious website operator could cause an .hta file to be downloaded much like other executables and scripts are.

Continuing with the same premise, if that can be done I also can't see any reason why a batch file to execute it couldn't also be part of the same payload.

I would doubt a user that was already lacking good browser security would have sufficient layers of other protection to block a possible batch file from running the instructions to execute the HTA application.

So, I guess what I am trying to get at here is that, at least in my mind anyway, it seems to be quite a reasonable configuration for those among us that want to be secure against all known threats to at least take the added step of securing their system environment by removing the .hta file association with MSHTA.exe that John2g advised earlier, unless there is a specific need on one's system, of course, for the HTA application functionality.

Am I making sense?
--
Any connection between your reality and mine is purely coincidental.


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

Yes, but there may be legitimate uses for HTA files. Granted, not a lot - but Jason is one who programs with them.

The same argument was made about disabling Windows Script Host after the Love Bug. I program with VBscripts, so I love WSH. Jason uses a lot of WSH-run files as well.

Simply using Script Sentry is a MUCH more elegant solution. You can have your cake and eat it too. Eh, as they say.

I'm making the assumption, while not knowing for sure that a malicious website operator could cause an .hta file to be downloaded much like other executables and scripts are.
Not directly -- in a similar fashion to .exe files or true WSH script files. I suspect an ActiveX control could contain something inside it that could be converted into an HTA file -- or even an .exe -- don't know for sure. But unless your registry has been tampered with (something ActiveX can do), IE will not automatically download an HTA file without your knowledge or consent.

HTML-embedded script (JavaScript on Web pages) does not have the power to either modify your registry or rename files -- eh, as long as you are fully patched and no new exploits are found.

[text was edited by author 2003-07-30 10:00:06]


antiserious
The Future ain't what it used to be
Premium
join:2001-12-12
Scranton, PA

reply to Jason Levine

 
said by Jason Levine:

As an example, click here and see what happens:

»www.jasons-toolbox.com/OpenPorts···orts.hta

... here's what happened when I did ... first, ZA asked a permission (gif 1), then I got an 'open ports' box from Jason's site (gif 2) ... the next 2 gif's show my ScriptSentry settings, but I never got a warning from SS - should I have seen one ? ...

--
... "Sometimes you're the Bird ... sometimes you're the Windshield" ...


John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England

said by antiserious:
should I have seen one ? ...
All I get is the normal download window.
--
Better to remain silent and be thought a fool, than to speak and remove all doubt.


spy1
Welcome to Amerika
Premium
join:2002-06-24
Charlotte, NC

Yeah - me too.

Not to mention the fact that I've had the OpenPorts thing sitting on my Desktop for awhile now and never got alerted to the fact that it had anything to do with HTA stuff by anything here (specifically, WormGuard).

Went ahead and installed it and still never got an alert of any kind.

What's up with this? Pete
--
Compaq Presario 7110US, 1.3GHz Athlon w/384KB On-Chip Cache Memory, 768MB PC2100 DDR RAM, 60GB MAXTOR UltraDMA HD, WinXP Pro w/SP1, IE6.0 w/SP1,TDS-3, WormGuard, NOD32, SpyBlocker 6.2, OutPost Pro, ALL javacool programs, SBS&D, SPYCOP .


© 1999-2012 dslreports.com.