Monday, May 17, 2004
Technical final step to 'silent delivery and installation of an executable on the target computer, no client input other than reading an email'. This can be achieved with the highly touted 'secure-by-default' Outlook 2003 mail client from the craftsman known as 'Microsoft'.
Default settings of the 'gadget' are: Restricted zone, which means no ActiveX controls, no scripting, no file downloads, etc.
This can all very easily be bypassed by simply embedding our OLE object, one Windows Media Player, in a rich text message. We then point our source URL to our media file, which includes our now run-of-the-mill 0s URL flip, and simply previewing or opening the email message invokes our device known as Internet Explorer to proxy our manipulation of the recipient's machine.
In typical fashion, despite the settings in the Windows Media Player being set to 'disallow' scripting in media files, and despite Outlook 2003's 'highly' secure default setting of viewing HTML content in the so-called 'restricted zone', it all still works!
[screen shot: http://www.malware.com/rockitman.png 46KB]
This now all automates our process and coupling it with our previous first step finding:
all we need to do next is our second step and embed the entire package including the media file into the mail message and send it along its merry way.
The whole Outlook 2003 'gadget' is broken.
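Since the Restricted zone settings do not cover an OLE object embedded in the rich text body, a mail gateway can check for such objects itself. The following is an added example, not code from the original post: it assumes the RTF body has already been extracted and decoded from the message (not shown), the function names are hypothetical, and the sample bodies are constructed.

```python
import re

# Object-related control words from the RTF specification.
OBJECT_WORDS = {"object", "objemb", "objocx", "objlink", "objautlink", "objattph"}

# One token per match: a control word (letters, optional numeric parameter,
# optional delimiting space) or a control symbol such as \\ \{ \} \' \*.
# Consuming control symbols first means the literal text "\\object" is not
# mistaken for the control word \object.
TOKEN = re.compile(r"\\(?:([a-z]+)(-?\d+)? ?|[^a-z])", re.S)
CLASS_TEXT = re.compile(r"[^{}\\]*")


def find_ole_objects(rtf):
    """Return (sorted object control words, list of \\objclass names)."""
    markers, classes = set(), []
    for tok in TOKEN.finditer(rtf):
        word = tok.group(1)
        if word in OBJECT_WORDS:
            markers.add(word)
        elif word == "objclass":
            # The class name is the plain text following the control word.
            classes.append(CLASS_TEXT.match(rtf, tok.end()).group().strip())
    return sorted(markers), classes


def verdict(rtf, allowed_classes=frozenset()):
    """Quarantine any body carrying an OLE object whose class is not allowed."""
    markers, classes = find_ole_objects(rtf)
    if not markers:
        return "deliver"
    if classes and all(c in allowed_classes for c in classes):
        return "deliver"
    return "quarantine"


# Constructed sample bodies (not taken from a real message).
SAMPLE_WITH_OBJECT = (
    r"{\rtf1\ansi Hello{\object\objocx{\*\objclass WMPlayer.OCX.7}"
    r"\objw4000\objh3000{\*\objdata 0105000002000000}}}"
)
SAMPLE_PLAIN = r"{\rtf1\ansi The literal text \\object is not a control word.}"

if __name__ == "__main__":
    for name, body in (("object", SAMPLE_WITH_OBJECT), ("plain", SAMPLE_PLAIN)):
        print(name, find_ole_objects(body), verdict(body))
```
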
Simply view the mail message: