Here's the deal - "winmain" (known as "HTASPLOIT") is like many dangerous microbes, small and straight to the jugular. This one's a brand new direction that we'll all be seeing lots of, now that "downloaders" are getting caught so easily. This time, the malware is Microsoft's operating system itself!
What "winmain" does is it runs, and then immediately loads MSHTA.EXE from the Windows folder and places it on "hot standby" ... at this point, once it's confirmed to be running, "winmain" exits. MSHTA, once started, runs for the rest of the system session.
We saw this coming in January of 2001, and added the ability to STOP
HTA functionality along with the ability to stop ALL the MS scripts in
our IEClean product at that time. In April of that year, the first of a
handful of exploits of HTA appeared, and because of the urgency and
severity of the problem, we released HTAstop to allow people to turn
that stuff OFF. We released the following security bulletin on HTA here:
http://www.nsclean.com/psc-exe2.html
"HTA" is "HyperTextApplication" in Microsoft parlance ... details on
how it works here:
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/hta/overview/htaoverview.asp
This "winmain" program starts up MSHTA, making it ready to accept HTA scripting within a web page and then execute what is embedded in the page as a program. In certain circumstances, the web-based script can be turned into an EXE file and saved to the victim's machine. Here's where it turns ugly. While Microsoft has, since our publicizing the eventuality of script exploits back in 2001, disconnected MSHTA from being invoked by Internet Explorer, it will still run what is presented to it when started on a local machine in the "local machine" or "my computer" zone, since this is done on some corporate networks for the convenience of the glass room "geeks". In other words, this completely bypasses the security zone structures and patches of Internet Explorer because MSHTA is already running in the "local" zone ... therefore, when presented with script, it will parse it and run it, despite firewall and IE restrictions.
Back at the time of EXE2HTML, Microsoft had IE set so that the presence of the object call in a web page would invoke MSHTA.EXE ... their "solution" was to remove the ability to invoke it without a warning screen. However, if it's ALREADY RUNNING, then no such warning will occur and MSHTA will then replace all those pesky "downloaders" that get caught by AVs, thus making the ability to silently download to a victim computer a CINCH. What you've seen here is a BRAND NEW direction by the spies! And one that's two years old and previously unused. And a CLEVER way of making it all happen!
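The tell-tale pattern above (a small launcher starts MSHTA with nothing to run, then exits, leaving MSHTA resident for the session) can be spotted from process start/exit telemetry. The following detector is an added example, not code from the newsletter or from BOClean/IEClean; the log format, process IDs and paths are constructed for illustration.

```python
"""Flag mshta.exe left on 'hot standby' by a short-lived launcher process."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class ProcEvent:
    ts: datetime
    kind: str      # "start" or "exit"
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str   # command line (may be empty)

# Constructed sample telemetry (not real data): a launcher named winmain.exe
# starts mshta.exe with no .hta argument and exits a moment later; a second
# mshta.exe launched from explorer.exe with a real .hta file is benign here.
SAMPLE_LOG = """\
2003-05-01T10:00:00 start 1200 900 C:\\WINDOWS\\explorer.exe explorer.exe
2003-05-01T10:00:05 start 1300 1200 C:\\Temp\\winmain.exe winmain.exe
2003-05-01T10:00:06 start 1310 1300 C:\\WINDOWS\\system32\\mshta.exe mshta.exe
2003-05-01T10:00:06 exit 1300 1200 C:\\Temp\\winmain.exe winmain.exe
2003-05-01T10:02:00 start 1400 1200 C:\\WINDOWS\\system32\\mshta.exe mshta.exe C:\\Docs\\report.hta
"""

def parse_events(text):
    """Parse 'timestamp kind pid ppid image [cmdline]' lines into ProcEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, pid, ppid, image, *rest = line.split(maxsplit=5)
        events.append(ProcEvent(datetime.fromisoformat(ts), kind, int(pid),
                                int(ppid), image, rest[0] if rest else ""))
    return events

def find_hot_standby_mshta(events, parent_exit_window=timedelta(seconds=5)):
    """Return (mshta_pid, parent_image, reasons) for every suspicious mshta.exe start."""
    exits = {e.pid: e.ts for e in events if e.kind == "exit"}
    starts = {e.pid: e for e in events if e.kind == "start"}
    alerts = []
    for e in events:
        if e.kind != "start" or not e.image.lower().endswith("\\mshta.exe"):
            continue
        reasons = []
        args = e.cmdline.split()[1:]          # drop argv[0]
        if not any(a.lower().endswith(".hta") for a in args):
            reasons.append("no .hta argument")  # resident with nothing to run
        parent = starts.get(e.ppid)
        parent_image = parent.image if parent else "<unknown>"
        if e.ppid in exits and exits[e.ppid] - e.ts <= parent_exit_window:
            reasons.append(f"parent exited within {int(parent_exit_window.total_seconds())}s")
        if reasons:
            alerts.append((e.pid, parent_image, reasons))
    return alerts

if __name__ == "__main__":
    for pid, parent, why in find_hot_standby_mshta(parse_events(SAMPLE_LOG)):
        print(f"mshta.exe pid {pid} started by {parent}: {', '.join(why)}")
```

Run against the constructed log, only the mshta.exe instance spawned by winmain.exe is flagged; the one opened from explorer.exe with a genuine .hta file is not.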
Covered in BOClean as "HTASPLOIT," and for those who are using our IEClean product, this problem has been a non-issue for over two years now. However, since many folks aren't using IEClean, we made a freebie available back in April of 2001 called "HTAstop" ... it prevents MSHTA from functioning. Stopping this exploit is just one of the many things our IEClean browser manager does. HTAstop is a solution for THIS problem, but is limited to JUST this one.
If you don't have BOClean or IEClean, come to our site, and download the
HTAstop freebie. There's other freebies there as well, but this is the
one you'll want for this particular exploit. DSOstop isn't a bad idea
either. Go to:
http://www.nsclean.com/freebies.html
The links to downloads can be found there - more information on our
products can be found on the menu bar on the left of the screen. HTAstop
will take care of this, so will BOClean and IEClean ...
___________________________________________________________________________
You are receiving this email as part of our Opt-In Newsletter program.
You have either opted in with us or through Digital River. We value
your privacy. If you wish to stop receiving these, please email
newletter@nsclean.com with the subject of OPT-OUT and ONLY the email
address(es) to be deleted in the body of the message. If you have
received multiple copies of the mailing in error, please email
newsletter@nsclean.com with the subject of MULTIPLE and list ONLY the
email address(es) to be deleted in the body of the message, we will
retain the primary address and send one copy to you in the future. Thank
you.
©2003 Privacy Software Corporation. All rights reserved.