Forums » Up and Running » Security » Security » Remote Code Execution, aka, Drive-by Download
mysec (Premium, join: 2005-11-29)
reply to RobertLudlum: Followup

I received an email asking if any of the exploits given as examples were very widespread. A year ago, the animated cursor exploit was used in a DNS cache poisoning attack.

From isc.sans.org/presentations/dnspoisoning.php:

We received some logs from two of the machines that were used to launch
the initial attack observed on March 4. Remember, that those machines
were compromised. The log files from those machines indicate the
following statistics over a 3 day period (Mar 2 - 5):

-- 1,304 domain names were poisoned/hijacked
-- 7,973,953 HTTP get attempts from 966 unique IP addresses.
-- 75,529 incoming email messages from 1,863 different mailservers.
-- 7,455 failed FTP logins from 635 unique IP addresses (95 unique user accounts).
-- 7,692 attempted IMAP logins (805 unique users, 411 unique IP addresses).
-- 2,027 attempted logins to 82 different webmail (HTTP) servers.

What malware was placed on my machine if I visited the evil servers?

The webservers in the first/third attack tried to drop a spyware program
onto the victim's computer using a Microsoft Internet Explorer
vulnerability for ani cursor handling. The vulnerability was released
on January 11, 2005 and further technical information can be found
here:
    http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx
Proof of concept exploit code was publicly released soon after the
vulnerability was announced. The filenames being used in this attack
were: abx.ani and abx22.ani. Using VirusTotal, these ani files were
detected as:
    Kaspersky:   Trojan-Downloader.Win32.ani.d
    McAfee:      Exploit-anifile
    BitDefender: Exploit.Win32.MS05-002.Gen

The ani exploit attempted to download one of the following two
executable files (same exact file) on the webserver: abx_search.exe or
mhh.exe. These binaries were detected as:
    Kaspersky: AdWare.ToolBar.SearchIt.h
    Panda:     Adware/AbxSearch
If you were infected by this toolbar, you should run your favorite
spyware/adware program to identify and clean it from your computer.
____________________________________________________________

The fact that we still see these exploits, even though now patched, indicates the people out there are still vulnerable.

Late last year, we saw the wmf file remote code execution exploit.

You may have noticed the recent Microsoft patches include several types of Remote Code Execution:

MS06-013 - Cumulative Security Update for Internet Explorer
- Impact: Remote Code Execution

MS06-014 - Vulnerability in the Microsoft Data Access Components
- Impact: Remote Code Execution

MS06-015 - Cumulative Security Update for Internet Explorer
- Impact: Remote Code Execution

MS06-016 - Cumulative Security Update for Outlook Express
- Impact: Remote Code Execution

MS06-017 - Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting
- Impact: Remote Code Execution
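An added defender-side example, not part of the post or the ISC report: MS05-002 concerned Windows not validating the length of the anih header chunk when loading animated cursor (.ani) files, so a simple triage check for the abx.ani-style files described above is to walk the RIFF/ACON container and flag any anih chunk whose declared size is not the 36 bytes of a well-formed ANIHEADER. The functions build_ani and check_ani and the sample files are constructed here for illustration.

```python
import struct

ANIH_SIZE = 36  # size of the documented ANIHEADER structure in a well-formed .ani file


def iter_riff_chunks(data, offset, end):
    """Yield (fourcc, payload_offset, declared_size) for each chunk in data[offset:end]."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        (size,) = struct.unpack_from("<I", data, offset + 4)
        yield fourcc, offset + 8, size
        offset += 8 + size + (size & 1)  # RIFF chunks are padded to an even length


def check_ani(data):
    """Return a list of findings for an animated cursor blob; an empty list means it looks well-formed."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON container"]
    (riff_size,) = struct.unpack_from("<I", data, 4)
    if riff_size + 8 > len(data):
        findings.append("RIFF size field exceeds file length")
    # Walk the top level and descend into LIST chunks (their payload starts with a 4-byte list type).
    pending = [(12, len(data))]
    while pending:
        start, end = pending.pop()
        for fourcc, payload, size in iter_riff_chunks(data, start, end):
            if payload + size > len(data):
                findings.append(f"chunk {fourcc!r} declares {size} bytes but file ends early")
                break
            if fourcc == b"anih" and size != ANIH_SIZE:
                findings.append(f"anih chunk declares {size} bytes, expected {ANIH_SIZE}")
            elif fourcc == b"LIST":
                pending.append((payload + 4, payload + size))
    return findings


def build_ani(anih_size):
    """Constructed sample: a minimal ACON container whose anih chunk declares the given size."""
    anih = b"anih" + struct.pack("<I", anih_size) + bytes(anih_size)
    body = b"ACON" + anih
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    print("well-formed:", check_ani(build_ani(ANIH_SIZE)))   # []
    print("oversized anih:", check_ani(build_ani(100)))       # flags the 100-byte anih chunk
```

Run it over files pulled from a proxy cache or mail gateway to separate ordinary cursors from ones worth a closer look; any non-empty result is a reason to quarantine rather than a verdict.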

Saturday, 28-Nov 12:51:20 | © 1999-2009 dslreports.com