THEY'RE BAA-ACK!
A little over two years ago, an exploit of Microsoft's "HyperText Application" ("HTA") scripting capabilities surfaced. It allowed rogue sites to load a script onto a victim's machine, and that SCRIPT would in turn write a Windows PROGRAM to the hard disk and then RUN it. What makes an HTA so dangerous is that Windows hands it to MSHTA.EXE and runs it as a fully trusted local application, outside the browser's security-zone restrictions, so the script can create files and launch programs the way any native program can. It took Microsoft a period of time after the exploit was publicized before they did something about it, and barely at that.
In the interim, while people were being victimized, we released a freebie called "HTASTOP" which let people BLOCK any attempt to install or even run an HTA script. This solved the problem for the several months it took Microsoft to deal with it. While Microsoft's solution resolved the problem to a degree, it only removed the danger from the "Internet Zone" and never dealt with the "Local Machine" (or "My Computer") security zone, which is where a file saved to disk and double-clicked ends up. Our free HTAstop, however, DID protect all zones from rogue scripts exploiting HTA holes.
Fast forward to this past month. After so many patches, so many adjustments, and new versions of Windows, the problem has returned with a vengeance. About a month ago, a few spam emails were reported which contained attachments with filenames like ERROR.HTA or FREEPORN.HTA or other enticing "click on me" names. In the past couple of days, and particularly TODAY, more variations on this theme are appearing, claiming "returned email, click on the attachment for more information" about the "undelivered email." So far, we've received reports from several hundred of our customers telling us that our BOClean product applied the brakes for them and found nasties on their machines where their antivirus software DIDN'T.
What makes this twist even more of a concern is that the HTA script is obfuscated inside Microsoft's JScript, which lets the attachment elude ALL antivirus programs unless their definitions are tuned to the specific characters in a specific attachment. We've examined about 16 of these and there's no opportunity for the typical "antivirus pattern match" on these files.
They're all different, and unique. And the "zombie" which is downloaded reports back to a site which tracks carefully which nations and specific IP addresses it has been successfully installed to. Of primary interest to the culprits are the US, UK, Russia and Australia specifically, but other nations carry lesser "weight" and are also included after reviewing the unprotected site and its files that the script kiddies behind this are using to cull the data from their trojan and run their scripts from.
The source of the file is the Mideast region, although the specific country has not yet been determined. However, the sheer number of reports from our BOClean customers of trojans found after clicking on these attachments has been nothing less than STUNNING, especially considering that the nasties in question arrive in SPAM! People still apparently OPEN SPAM, and even worse, CLICK on attachments in SPAM!
The central theme of the various downloads is getting a "mass denial of service bot" onto your system, then putting it to sleep to await commands from its "master." This portends a serious situation ahead, and the sheer VOLUME of the emails indicates that if it's successful, it will be a MASSIVE attack, based on our examination of the DOWNLOADED nasty once the exploit downloader successfully fetches it. The downloader making the rounds has numerous download sites and fallback opportunities to other sites should any of the primaries be shut down. It has the ability to contact many sites as well as IRC's "DALnet" in order to FIND "updates," as has been typical for quite some time. What makes THIS different is its apparent SUCCESS.
The most recently encountered HTA files contain a buried exploit of Internet Explorer which causes it to visit various pre-programmed sites, whereupon it begins to download a BACK DOOR TROJAN which is immediately activated. The one we saw overnight downloads MIRC and sets up a backdoor, a port flooder and a multiple instance denial of service zombie which at this time "sleeps" for further activation. In examining the downloaded "zombie" we've found additional obfuscation and "stealth" which continues to elude even the BEST antiviruses entirely, even when it RUNS.
Our BOClean antitrojan software detects and deals with all of these items as of our most recent updates. HOWEVER, the HTA exploit is of great concern since it appears to be sufficiently successful that it's being exploited at an exponential rate at this time. Even MORE disturbing is that, with all of the "security improvements" Microsoft claims to have made to Internet Explorer and Outlook Express (improvements that make it nearly impossible to receive a LEGITIMATE file attachment in email), Microsoft's own proprietary script formats, such as VBS and HTA, have NEVER been "corralled."
Since we made a free solution to this problem available back in April of 2001, we highly recommend that anyone (including our customers) download this free utility. HTAstop does not need to be installed or uninstalled, it's a stand-alone program that turns HTA within Windows on and off at will.
Over the time since we released this utility, HTA has STILL not been widely used, therefore turning off HTA capabilities PERMANENTLY remains the most effective solution to this long-standing exploit of Windows (all versions from Win95 to XP) ... and if you KEEP the HTAstop utility handy (it's VERY small) you can always reverse the system neutering should there ever occur a LEGITIMATE need to run HTA. This exploit is yet another of many reasons to NOT permit "scripting" to run AT ALL in Windows. It's been a continuing nightmare and security hole that is the basis of the majority of all exploits ever since Microsoft released their "Internet Explorer" browser.
These exploits and security holes haven't stopped after a good number of years of Microsoft trying to fix them without disabling their "internet integration" entirely, which would actually solve the problem.
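HTAstop's own mechanism isn't described above, so the following is an added example, not HTAstop's code or anything from the newsletter. It shows one way to do what HTAstop does: Windows runs .hta files through the "htafile" class in the registry, whose open command points at MSHTA.EXE. Redirecting that command to Notepad makes a double-clicked .hta open as harmless text; restoring it turns HTA back on. The registry path and the mshta.exe check are the documented Windows association; the backup value name and the choice of Notepad as the stand-in are this example's assumptions. Run it from an elevated prompt on a modern Windows with PowerShell (the keys themselves go back to the Win9x/IE4 era, the scripting tool does not).

```powershell
# Added example: inspect and toggle the HTA file association (not HTAstop's code).
# Assumption: neutering the "htafile" open command is ONE way to stop .hta files
# from running; the page does not say HTAstop used exactly this mechanism.

$HtaCommandKey = 'HKLM:\SOFTWARE\Classes\htafile\shell\open\command'
$BackupValue   = 'OriginalCommand'   # hypothetical name for our saved copy of the real command

function Get-HtaState {
    # 'enabled'      : .hta files are wired to mshta.exe (the dangerous default)
    # 'disabled'     : the handler has been redirected somewhere else
    # 'unregistered' : the htafile class is missing entirely
    if (-not (Test-Path $HtaCommandKey)) { return 'unregistered' }
    $cmd = (Get-ItemProperty -Path $HtaCommandKey).'(default)'
    if ($cmd -match 'mshta\.exe') { return 'enabled' } else { return 'disabled' }
}

function Disable-Hta {
    # Save the real command line, then point .hta at Notepad so a double-click
    # shows the script source as text instead of executing it with local trust.
    if ((Get-HtaState) -ne 'enabled') { return }
    $cmd = (Get-ItemProperty -Path $HtaCommandKey).'(default)'
    Set-ItemProperty -Path $HtaCommandKey -Name $BackupValue -Value $cmd
    Set-ItemProperty -Path $HtaCommandKey -Name '(default)' `
        -Value '"C:\Windows\System32\notepad.exe" "%1"'
}

function Enable-Hta {
    # Put the saved mshta.exe command line back and drop our backup value.
    $props = Get-ItemProperty -Path $HtaCommandKey -ErrorAction SilentlyContinue
    if ($props -and $props.$BackupValue) {
        Set-ItemProperty -Path $HtaCommandKey -Name '(default)' -Value $props.$BackupValue
        Remove-ItemProperty -Path $HtaCommandKey -Name $BackupValue
    }
}

# Usage (elevated prompt):
#   Get-HtaState            # enabled | disabled | unregistered
#   Disable-Hta; Get-HtaState
#   Enable-Hta;  Get-HtaState
```

Two caveats a practitioner should keep in mind. First, this only changes what happens when a .hta is opened through the shell (double-click, Outlook's "Open"); anything that launches MSHTA.EXE directly with a file or URL argument is unaffected, so if you want HTA really gone, also block mshta.exe itself with Software Restriction Policies or AppLocker. Second, a per-user override under HKCU:\Software\Classes\htafile takes precedence over the HKLM key, so check both before trusting the "disabled" answer.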
WHY SHOULD I CARE ABOUT THIS?
PROPERLY PATCHED systems will still HIDE "file extensions" ... so instead of seeing an attachment marked "FREEPORN.HTA" you will see "FREEPORN" as something to click on. Reality has demonstrated that people WILL click on it. This is what the authors of this malware DEPEND on. If you have Explorer's "Hide file extensions for known file types" option enabled (by default, Windows IS this way), then you may be fooled and click on it.
File extensions CAN be shown:
http://www.cert.org/incident_notes/IN-2000-07.html
That alone will go a LONG way in DISCLOSING unknown, unsafe file attachments. If a file attachment ends in .COM, .BAT, .PIF, .LNK, .WMA, .EXE, .VBS, .SCR, .HTA or OTHER unsafe attachments, at least you'll now SEE it!
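As an added example (not from the newsletter), here is the same advice in PowerShell on a modern Windows: flip the Explorer setting that hides extensions, list the file types Windows keeps hiding even after that (classes flagged NeverShowExt, such as .lnk and .pif, which is the trick the CERT note linked above covers), and scan a folder of saved attachments for the extensions named above plus the "readme.txt.hta" double-extension lure. The attachment folder path and the added extensions beyond those the page lists are this example's assumptions.

```powershell
# Added example: show extensions and flag dangerous attachment names (not the page's code).
# Assumption: $AttachmentDir is a hypothetical folder where mail attachments were saved.

$ExplorerAdvanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$AttachmentDir    = "$env:USERPROFILE\Downloads\attachments"

# Extensions named on this page, plus other directly executable script/shell types (added here)
$UnsafeExtensions = '.com','.bat','.pif','.lnk','.wma','.exe','.vbs','.scr','.hta',
                    '.cmd','.js','.jse','.vbe','.wsf','.wsh','.shs','.scf'

function Show-FileExtensions {
    # HideFileExt=1 is the "Hide extensions for known file types" checkbox; 0 shows them.
    Set-ItemProperty -Path $ExplorerAdvanced -Name HideFileExt -Value 0 -Type DWord
}

function Get-AlwaysHiddenExtensions {
    # File classes carrying a NeverShowExt value keep their extension hidden
    # regardless of HideFileExt. Walk the .ext keys, follow each to its class,
    # and return the extensions whose class has that flag.
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes' |
        Where-Object { $_.PSChildName -like '.*' } |
        ForEach-Object {
            $class = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            if ($class) {
                $classProps = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$class" -ErrorAction SilentlyContinue
                if ($classProps -and $classProps.PSObject.Properties['NeverShowExt']) { $_.PSChildName }
            }
        }
}

function Find-SuspiciousAttachments {
    param([string]$Path = $AttachmentDir)
    # Emits one record per file that is either an executable type or carries a
    # benign-looking inner extension (readme.txt.hta) meant to fool a hidden-extension display.
    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $reasons = @()
        $ext = $_.Extension.ToLower()
        if ($UnsafeExtensions -contains $ext) { $reasons += "executable type $ext" }
        if ($_.BaseName -match '\.(txt|doc|jpg|gif|pdf|htm|html)$') { $reasons += 'double extension' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ File = $_.FullName; Reason = ($reasons -join '; ') }
        }
    }
}

# Usage:
#   Show-FileExtensions              # then restart Explorer or log off for it to take effect
#   Get-AlwaysHiddenExtensions       # typically .lnk, .pif, .url, .scf, .shs ...
#   Find-SuspiciousAttachments | Format-Table -AutoSize
```

The second function is the part worth remembering: even with extensions showing, a file named "INVOICE.TXT.LNK" or "ERROR.HTA.PIF" still displays without its real extension, so an extension list alone is not a complete defense; the scan treats those names as suspicious regardless of what Explorer shows.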
If your system doesn't have ALL the patches (many Windows "fixes" are NOT cumulative; if you missed the one that pops up an alert, then you're NOT protected), or you've reloaded Windows and you're NO LONGER patched AT ALL, then these HTA things will just RUN silently, without so much as a warning or whimper, while they do their work completely hidden from view.
OTHER EXPLOITS OF NOTE
Microsoft is also battling demons with WebDAV, IIS, and numerous other components that are part of their "web servers" and Windows NT, 2000 and XP, as well as machines running personal web servers and file sharing tools such as KaZaA, Gnutella, WinMX, Napster and the like. In fact the record companies and others are exploiting the security holes in these programs, and in Windows in general, in order to SABOTAGE those running "file sharing software."
If you're DELIBERATELY running a remote server on your machine, then you're at serious risk of being "trojaned," and the federal courts of the US are refusing to prosecute corporate sabotage if you're a "thief." And all of the patches out of Microsoft and other vendors are playing a "catch up" game with existing, readily exploited back door trojans. Even this HTA outbreak's purpose is to install a trojan to take over your system. And Microsoft is NOT fixing the holes, nor are they backfilling your PRIOR "updates" if you find yourself needing to reload Windows with all the pre-existing bugs and holes on your "repair disk."
ARE YOU UNPATCHED?
Most people who fall victim to old exploits (this one is STILL a risk; Microsoft NEVER patched THIS one worth the proverbial "whistle") fall victim because they've REINSTALLED WINDOWS! Sure, you got your machine all patched up once before. You did all the "Windows updates" and kept Microsoft happy with your frequent visits.
When you "crash and burn" though, you end up reloading Windows again. What about those patches? Whoops. A good number of Windows patches were "one of a kind" releases and Microsoft is notorious for relocating their pages and not maintaining them, so patches from a few years ago are GONE! And Microsoft won't let you find them AGAIN if you're not using their LATEST version. In other words, if you're running Win98, or ME, or NT, you're SCREWED. FORGET Windows95, no patches at all!
Most people visit the "Windows update" site and allow Microsoft to automatically install them. As a result, you don't HAVE a backup to use the next time you reload Windows. If it's gone from their site, and you don't know about the need for it, old exploits (like THIS two year old one) come back to bite you. And Microsoft has NOT "cumulative patched" many of these exploits. The HTA exploit has NEVER been fixed! The only solution Microsoft has applied is a "script warning" *IF* you have it turned on. Default values in Internet Explorer and Outlook Express are "RUN IT!"
IF you use "Windows update," all you're doing is letting Microsoft "check your inventory" and then download and install a program without any means of reloading it in the future. Instead, note the updates available and then go to their CORPORATE SITE and MANUALLY download the updates:
http://corporate.windowsupdate.microsoft.com/
Natch, you have to turn on everything HERE, but at least you can RIGHT CLICK and "Save Target As" and end up with a file to run that you can copy to a BACKUP DISK FIRST ... THEN you can run it and patch yourself, now that you have a COPY of the patch for the NEXT time Windows crashes and burns and you need to reload your world, completely UNPROTECTED. THIS is the avenue by which most of these exploits function.
DOWNLOAD HTASTOP, IT'S FREE!
If you're not using BOClean, look for HTASTOP on our "freebies" page:
http://www.nsclean.com/freebies.html
Given how popular HTA has become with the people writing these attachments, we'd even recommend that our CUSTOMERS download HTASTOP and run it. While BOClean protects you against back door trojans and similar nasties, the HTA exploiting going on just might permit ordinary VIRUSES to slip past. Normally, incoming nasties known to the antivirus companies get stopped long before a trojan is allowed to actually RUN, which is where BOClean steps right up and trashes it. BOClean is NOT a substitute for an antivirus program, and the current exploits of HTA _ARE_ successfully bypassing antivirus software. BOClean is intended to be a second layer of defense for situations where a nasty slips past your antivirus, given the unique nature of backdoors and the continuing inability of antivirus software to stop them once they've "implanted."
HTASTOP is provided FREE. Of course, we'd appreciate your looking at our commercial software and considering buying a copy of what we make, but there's no obligation, no spies, no nonsense with any of our freebies. They provide a limited subset of what our commercial products do, and are completely self-contained. We'll never bother you if you choose to use one of our freebies, so feel free to grab a copy and be safe without annoyance.
Please also understand that freebies are not officially supported. Support for our freebies is maintained on our website with all the answers you'll need, and links to those pages are listed directly on the screen of the freebies themselves, to further ensure your privacy in not having to contact us if you don't want to. Since these have been around for QUITE some time and folks have contacted us for support in the past, they're MOST reliable and won't REQUIRE support. :)
___________________________________________________________________________
You are receiving this email as part of our Opt-In Newsletter program.
You have either opted in with us or through Digital River. We value
your privacy. If you wish to stop receiving these, please email
newletter@nsclean.com with the subject of OPT-OUT and ONLY the email
address(es) to be deleted in the body of the message. If you have
received multiple copies of the mailing in error, please email
newsletter@nsclean.com with the subject of MULTIPLE and list ONLY the
email address(es) to be deleted in the body of the message, we will
retain the primary address and send one copy to you in the future. Thank
you.
©2003 Privacy Software Corporation. All rights reserved.