Privacy Software Corporation Security Advisory
Friday, April 13, 2001
 
 EXE2HTML HTA Exploit Generator

Screenshot of the program they use against your machine. What runs on your machine is completely invisible.
 

SYNOPSIS:

EXE2HTML is the first tool to allow malicious people to actually embed trojans, viruses and other executables directly into a web page as a script. We're all familiar with the "rogue website" whose links offer appealing downloads that actually contain malicious software. In order to be infected by such sites, however, you need to click on a link to a malicious file, save the file on your machine and then choose to deliberately execute that malicious file in order to become infected by it.

EXE2HTML.EXE is a tool which allows ANY file to be encoded and then embedded in plain HTML web page code as a script which will execute automatically by making use of the Hypertext Application (HTA) functions of the Microsoft Windows Scripting Host (WSH) which is called by a script embedded along with the encoded content inside that web page. It is not necessary to click on any link. The mere presence of the script in the page will automatically activate and execute MSHTA.EXE which will then save the exploit to the computer's hard drive as an HTA file. This exploit was described previously by Georgi Guninski ("scriptlet exploit") but this represents the first time an automatic generator has been released along with all of the necessary source code to permit others to exploit further.

EXE2HTML allows anyone with no knowledge of programming to successfully embed any program file into a web page and cause it to be automatically executed. With the latest Microsoft patches, a warning will appear that an ActiveX control wishes to run on the page, a common reality on many web pages these days that results in most users hitting the OK button to continue on without a thought as to what may happen next. Unpatched copies of Internet Explorer will automatically execute the embedded code without warning of any kind.
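The advisory notes below that the generator's output varies with its input, so a fixed signature is of little use; a defender can instead look for the two traits the page describes, an inline script that names the HTA machinery and a long run of encoded payload data inside it. The following heuristic scanner is an added example, not code from the advisory or from EXE2HTML; the indicator strings, the thresholds and the sample pages are assumptions constructed here.

```python
import base64
import collections
import math
import random
import re

# Added example, not the advisory's or EXE2HTML's code.  The indicator strings
# and thresholds are assumptions; the advisory does not list the generator's
# exact output, only that a script drops an .HTA plus an encoded executable.
HTA_MARKERS = ("mshta", ".hta", "application/hta")
MIN_BLOB_LEN = 200       # shortest character run treated as an embedded file
MIN_BLOB_ENTROPY = 5.0   # bits per char; random base64 text sits near 5.9
_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
_RUN_RE = re.compile(r"[A-Za-z0-9+/=]{%d,}" % MIN_BLOB_LEN)


def shannon_entropy(text):
    """Bits per character of text (0.0 for an empty or single-symbol string)."""
    n = len(text)
    if n == 0:
        return 0.0
    counts = collections.Counter(text).values()
    return -sum(c / n * math.log2(c / n) for c in counts)


def scan_html(html):
    """Return one finding per inline <script> block showing dropper traits.

    A finding records which HTA indicator strings appear in the block and how
    many long, high-entropy character runs (encoded payload) it contains.
    """
    findings = []
    for i, body in enumerate(_SCRIPT_RE.findall(html)):
        markers = [m for m in HTA_MARKERS if m in body.lower()]
        blobs = [r for r in _RUN_RE.findall(body)
                 if shannon_entropy(r) >= MIN_BLOB_ENTROPY]
        if markers or blobs:
            findings.append({"script": i, "markers": markers, "blobs": len(blobs)})
    return findings


# Constructed samples: an ordinary page, and a page whose script names an .HTA
# file and carries 400 chars of base64 built from seeded pseudo-random bytes.
_rng = random.Random(1)
_BLOB = base64.b64encode(bytes(_rng.getrandbits(8) for _ in range(300))).decode()
BENIGN_HTML = '<html><script>document.write("hello");</script></html>'
DROPPER_HTML = ('<html><script>var target = "payload.hta";\nvar data = "'
                + _BLOB + '";</script></html>')
```

Running `scan_html` over a crawled page or a proxy's cached HTML flags blocks worth a human look; the regex script extraction is deliberately simple and is not a substitute for disabling HTA as the advisory recommends.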

Details of how "HTA" works can be examined here in the Microsoft MSDN library information which explains HTA in detail:

 http://msdn.microsoft.com/library/default.asp?url=/workshop/author/hta/overview/htaoverview.asp

Quoted from the EXE2HTML.TXT file included with the generator:

How does it work, what systems does it run on ?
-----------------------------------------------
EXE2HTML creates an HTML file that will use the HTA
exploit to extract an EXE/JPG/etc...-file from an
HTML file. According to Georgi Guninski, the exploit
runs on all windows versions with Internet Explorer
5.0/5.1 on.

How to use EXE2HTML
-------------------

When you start up exe2html, you will see the following
input fields :

---
Source File --> The EXE file to be embedded
          (max. 12 chars)

Append to/Create HTML file --> The Output HTML file (max. 255 chars)

Target File --> The EXE filename of the extracted exe
          (in the startup dir) (max. 12 chars)
---
HTA Filename --> File that will be written to the startup dir
          (random, ending with *.HTA, max.12 chars)

Script File --> File that will be written to the startup dir that will
          be used to write the Decoder File
          (random, max. 12 chars)

Encoded File --> File that will be written to the startup dir **
          (encoded exe) (random, max. 12 chars)

Decoder File --> Decoder that will decode the Encoded File
          (random, ending with *.COM, max. 12 chars)
---

** Change this to 3/4 encoding or none at all

Actually, if you don't give a damn about how the exploit/exe2html works,
then just change the first 3, the rest has been filled in by the program.
So, basically, you throw the exe in the EXE2HTML directory, you type the 
name in the Source File field, you compile the stuff and you're done ...

Problems with Encoding
----------------------
There seem to be problems with the encoding on certain systems (especially
7/8). Therefore you'd better use 3/4 encoding or no encoding at all, however,
on my system (Windows 98 SE, IE5) they all work.

Privacy Software Corporation's BOClean 4.07 (currently version 4.10) software, designed to detect and defeat trojan horse programs, is *NOT* capable of removing exploits generated by this program because the actual offending program is the legitimate Microsoft MSHTA.EXE script running tool. Because the generated output of this exploit of Windows Scripting Host will vary tremendously based on the input data, it is not practical to scan the file for signature analysis, and the memory footprint will be that only of Microsoft's MSHTA.EXE program. Declaring a major component of the Windows operating system as a trojan is not practical and therefore removal would be difficult as well given the flexibility of this generator to permit the scripts to be sent to any part of the system and executed immediately.

Because of this problem our recommendation is to completely disable the Microsoft HTA portion of the Windows Scripting Host as there is no other practical method of ensuring that such a script will not run. Privacy Software Corporation has made available a FREE program called "HTAstop" which will permit the complete shutdown of the HTA aspect of the Windows Scripting Host at whim and also permit it to be turned on again if needed. We encourage our customers to download this program and have notified our existing BOClean customers on our list server of its availability.

You can download a free copy of "HTAstop" HERE. The program should be saved to your desktop. No installation or uninstall is required, the program will run as soon as it is saved and removal if you desire is accomplished by simply deleting the file. There are no other components to the program.

Support and instructions for HTAstop can be found on our page at: http://www.nsclean.com/htastop.html

COPYRIGHTED MATERIAL:

Copyright (c) 2001 by Privacy Software Corporation.

Permission is granted for the retransmission of this advisory by electronic means. It is not to be edited in any way without the express consent of Privacy Software Corporation. Requests to reprint this information in whole or in part should be directed to technology@privsoft.com.

Disclaimer: The information within this advisory may change without notice and is provided by Privacy Software Corporation AS IS. No warrantees, express or implied, are provided with respect to this information nor should any be construed by the transmission of this information. Any use of this information or its recommendations is solely at the risk of the user.

Contact Privacy Software Corporation at http://www.privsoft.com, http://www.nsclean.com, email to technology@privsoft.com. Copies of the BioNet distribution(s) as captured by Privacy Software Corporation will only be provided to recognized security interests and responsible, recognized members of the press with the technical capability to conduct independent research on this trojan horse program or in the alternative, we will provide the URL where the programs can be obtained independently. Copies will NOT be provided by us to any other parties. Privacy Software Corporation reserves the right to refuse transmission without further explanation. Under the provisions of Privacy Software Corporation's customer and website privacy policies, we cannot divulge email from our customers regarding their experiences with these trojan horse programs nor can we divulge their identities under any circumstances.
