ALERT-TSA03-015

TSA03-015 Trojan QHOSTS IE Vulnerability

Current Assessment:  Important
Initial Assessment:  Important
Current Assessment Date:  October 2, 2003
Initial Assessment Date:  September 30, 2003

Executive Summary:
An exploit has been released that attacks one of several known but unpatched vulnerabilities in the Internet Explorer (IE) web browser.  It allows a malicious web site to download and run executable code on the user's machine without the user's intervention or knowledge.  As of late Wednesday, October 1, 2003, the specific web site used in this attack has been taken down; however, other malicious sites could host the same exploit.

Symptoms of this attack include machines that can no longer reach web sites (particularly sites inside a corporate network) and/or that land on the wrong site when trying to reach common search sites (e.g. www.google.com).  Updating users' anti-virus signatures, using a personal firewall, disabling Active Scripting, and the other TruSecure recommendations below will help to mitigate this exploit.

Threat:
Low-Moderate - TruSecure has received reports from many independent organizations indicating that this exploit is real, and is affecting a variety of companies.

Vulnerability Prevalence:
High - The vulnerability is unpatched and present in every current IE release (5.0, 5.5 and 6.0), so the population of exposed systems is very large.

Cost:
Low - Currently the cost of this exploit is relatively low; however, the potential for serious impact has been demonstrated by this exploit.  A more destructive variant of this exploit could change the cost significantly.

Summary:
On Tuesday, September 30, 2003 TruSecure began to observe evidence of an active attack against users of Internet Explorer (IE) 5.0, 5.5, and 6.0. The attack involves a banner ad, hosted by FortuneCity.com, which in turn calls JavaScript that renders a self-closing "pop-under" banner ad from a site hosted on the EV1.NET (Everyone's Internet) network.  The EV1.NET site then delivers executable code to the IE client, and the exploit runs without end-user intervention.  It takes advantage of the Object Data vulnerability, which lets a web page push HTA (HTML Application) content past IE's safety checks; this is one of several known but unpatched vulnerabilities in IE.

TruSecure has received reports from many locations around the world confirming sightings of this exploit. Several anti-virus vendors are developing signatures to detect it.  NAI and Symantec both call it the QHOSTS Trojan; for more details see
http://vil.nai.com/vil/content/v_100719.htm or http://www.symantec.com/avcenter/venc/data/trojan.qhosts.html

Some AV Vendors have incorrectly stated that applying the patch referenced in Microsoft Security Bulletin MS03-032 resolves the issues pertaining to this attack. TruSecure Corporation has confirmed that application of this patch does not prevent this particular exploit. The attack is exploiting a vulnerability which has yet to be addressed by Microsoft. TruSecure Corporation believes that a patch for this issue is coming soon, likely within the next cumulative IE update. No firm deadline for that update has been given; however, it may well be released on a day other than a Wednesday due to the active exploitation involved.

Among the addresses inserted as the DNS server during this specific exploit are 69.57.146.14, 69.57.147.175, and other IP addresses belonging to EV1.NET.


Technical Details:
When the Object Data vulnerability is exercised, IE renders and executes the ActiveX object reference in the JavaScript code. During the check to determine whether the content is safe, IE mistakenly treats the ActiveX object code as simple HTML/JScript and therefore does not prompt to save it to disk. During processing, IE then reads the code as HTA content and invokes MSHTA.EXE to drop and execute it. That code is x.hta (it may be named something else), which in turn creates and executes AOLFIX.exe.  AOLFIX.exe then:

Creates the hidden folder C:\Bdtmp\Tmp.
Creates and runs the batch file C:\Bdtmp\Tmp\.bat.
Deletes the C:\Bdtmp\Tmp\.bat file.

When the C:\Bdtmp\Tmp\.bat file is executed, it does the following:
Creates the files:
%Windir%\o.reg
%Windir%\o2.reg
%Windir%\o.vbs

Runs the .reg files, which do the following:

Adds the values:

"EnableDNS"="1"
"NameServer"=""
"HostName"="host"
"Domain"="mydomain.com"

To the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\Services\VxD\MSTCP

so that the DNS server the computer uses is the one the Trojan's author specified.  (The VxD\MSTCP key holds the TCP/IP settings of Windows 9x/ME; the Tcpip\Parameters keys below hold the equivalent settings on Windows NT/2000/XP.)

Adds the values:

"ProxyEnable"="0"
"MigrateProxy"="0"

To the registry key:

HKEY_CURRENT_USER\
Software\Microsoft\Windows\CurrentVersion\Internet Settings

Adds the values:

"Use Search Asst"="no"
"Search Page"="http://www.google.com"
"Search Bar"="http://www.google.com/ie"

To the registry key:

HKEY_CURRENT_USER\
Software\Microsoft\Internet Explorer\Main

Adds the values:

""="http://www.google.com/keyword/%%s"
"provider"="gogl"

To the registry key:

HKEY_CURRENT_USER\
Software\Microsoft\Internet Explorer\SearchURL

Adds the value:

"SearchAssistant"="http://www.google.com/ie"

To the registry key:

HKEY_CURRENT_USER\
Software\Microsoft\Internet Explorer\Search

Adds the value:

"r0x"="your s0x"

To the registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\Tcpip\Parameters\interfaces\windows
HKEY_LOCAL_MACHINE\SYSTEM\
ControlSet001\Tcpip\Parameters\interfaces\windows
HKEY_LOCAL_MACHINE\SYSTEM\
ControlSet002\Tcpip\Parameters\interfaces\windows

Adds the value:

"NameServer"="69.57.146.14"

To the registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{interfaceGUID}
HKEY_LOCAL_MACHINE\SYSTEM\
ControlSetXXX\Services\Tcpip\Parameters\Interfaces\{interfaceGUID}

where {interfaceGUID} is the GUID of each network interface in the registry; many systems have several interfaces, and the "NameServer" value is added to all of them. Note that a populated "NameServer" value is legitimate only when DNS servers have been configured statically. On an interface configured by DHCP it should be empty (the DHCP-assigned servers are stored separately in "DhcpNameServer"), and if it is populated it overrides the DNS servers supplied by the DHCP server.

Modifies the Hosts file so that many host names resolve to the IP address the Trojan's author specifies.

Adds the value:

"DataBasePath"="%SystemRoot%\help"

to the registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\
ControlSetXXX\Services\Tcpip\Parameters

DataBasePath tells the TCP/IP stack which directory holds the Hosts file, so this change makes the operating system read the Trojan's copy from %SystemRoot%\help instead of the default location. Note that this value may or may not have been changed; regardless, the Hosts file in the default %SystemRoot%\system32\drivers\etc directory may also have been modified, so check both locations.
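The following is an added triage script, not part of the TruSecure alert, that checks a Windows client for the indicators listed in the Technical Details: a NameServer value on any interface pointing at the EV1.NET resolvers, a redirected DataBasePath, Hosts entries for the search sites the alert says are hijacked (in both the default and redirected locations), and the "r0x" marker value. The IP addresses and registry paths are the alert's; the function names, report format and list of watched host names are this example's own assumptions. It is read-only and should be run from an elevated PowerShell prompt.

```powershell
# Added example, not part of the TruSecure alert: read-only QHOSTS triage.
# IP addresses and registry paths come from the alert; function names, the
# report format and the watched host names are this example's assumptions.

$SuspectDnsServers = @('69.57.146.14', '69.57.147.175')   # EV1.NET resolvers named in the alert
$WatchedHosts      = @('www.google.com', 'google.com')    # assumption: search sites the alert says get redirected
$TcpipParams       = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$DefaultEtc        = Join-Path $env:SystemRoot 'system32\drivers\etc'

function Get-HostsRedirects {
    # Parse one Hosts file; return IP/host pairs for any watched host name.
    param([string]$Path)
    $hits = @()
    if (-not (Test-Path -LiteralPath $Path)) { return $hits }
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = ($raw -split '#', 2)[0].Trim()      # strip comments and whitespace
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }       # an address with no names maps nothing
        foreach ($name in ($fields | Select-Object -Skip 1)) {
            if ($WatchedHosts -contains $name.ToLower()) {
                $hits += [pscustomobject]@{ File = $Path; Host = $name; IP = $fields[0] }
            }
        }
    }
    return $hits
}

function Get-QhostsFindings {
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. NameServer on each interface. A static NameServer wins over the
    #    DHCP-supplied DhcpNameServer, which is how the Trojan hijacks DNS
    #    even on DHCP clients.
    Get-ChildItem -Path "$TcpipParams\Interfaces" -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props.NameServer) {
            foreach ($ip in ($props.NameServer -split '[ ,]+' | Where-Object { $_ })) {
                if ($SuspectDnsServers -contains $ip) {
                    $findings.Add("Interface $($_.PSChildName): NameServer = $ip (EV1.NET resolver named in the alert)")
                }
            }
            if ($props.EnableDHCP -eq 1) {
                $findings.Add("Interface $($_.PSChildName): DHCP-configured but static NameServer '$($props.NameServer)' overrides DhcpNameServer")
            }
        }
    }

    # 2. DataBasePath: the directory the TCP/IP stack reads the Hosts file from.
    $etcDirs = @($DefaultEtc)
    $dbPath = (Get-ItemProperty -Path $TcpipParams -ErrorAction SilentlyContinue).DataBasePath
    if ($dbPath) {
        $expanded = [Environment]::ExpandEnvironmentVariables($dbPath).TrimEnd('\')
        if ($expanded -ine $DefaultEtc) {
            $findings.Add("DataBasePath = '$dbPath' (default is %SystemRoot%\system32\drivers\etc)")
            $etcDirs += $expanded
        }
    }

    # 3. Hosts entries for watched names, in the default and any redirected
    #    location, since the alert notes either file may have been modified.
    foreach ($dir in $etcDirs) {
        foreach ($hit in Get-HostsRedirects -Path (Join-Path $dir 'hosts')) {
            $findings.Add("$($hit.File): $($hit.Host) -> $($hit.IP)")
        }
    }

    # 4. The "r0x" marker value, at the exact paths the alert lists.
    $markerKeys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Tcpip\Parameters\interfaces\windows',
        'HKLM:\SYSTEM\ControlSet001\Tcpip\Parameters\interfaces\windows',
        'HKLM:\SYSTEM\ControlSet002\Tcpip\Parameters\interfaces\windows'
    )
    foreach ($key in $markerKeys) {
        $marker = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).r0x
        if ($marker) { $findings.Add("$key : r0x = '$marker'") }
    }

    return $findings
}

$report = @(Get-QhostsFindings)
if ($report.Count -eq 0) { 'No QHOSTS indicators found.' } else { $report }
```

The interface check reports the alert's two resolvers by address, but also flags any DHCP-configured interface that carries a static NameServer at all, since a variant could use a different server; treat that second finding as something to verify against your own resolver list rather than as proof of infection.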

MITIGATIONS:
Disable Active Scripting - Disabling Active Scripting will prevent the pages from executing the code which in turn delivers the exploit.

Implement TruSecure's recommended Default-Deny stance, especially on all Internet-facing devices - For this specific exploit, block outbound port 53 (DNS) from clients so that only the organization's own resolvers can reach the Internet.  This will not prevent infection, but it stops hijacked clients from sending their DNS queries to the attacker's server, preventing information leakage and misdirection.  Expect affected users to report DNS resolution failures: their machines are pointed at an external server the firewall now blocks rather than at the corporate internal DNS servers.  Blocked outbound port 53 attempts from client addresses in the firewall logs are therefore also a useful indicator of infected hosts.

Personal Firewalls - Client systems with personal firewalls capable of denying network access to applications can ensure that MSHTA.EXE does not gain network access (at least temporarily, as this may inhibit other, legitimate uses of MSHTA.EXE.)

Disable the HTA MIME Type -
HKEY_LOCAL_MACHINE\SOFTWARE\
Classes\MIME\Database\Content Type\application/hta should be temporarily removed. It can be exported to disk first and restored later. Without this mapping IE will not hand content served as application/hta to MSHTA.EXE, which stops the code-execution step of this exploit.  NOTE: Removing the HTA MIME type mapping may break other functions that rely on HTML Applications, so do it in a way that can be reversed after the expected patch is applied.
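Below is an added example, not part of the TruSecure alert, of doing this mitigation reversibly: the key is exported with reg.exe before it is removed, and a companion function imports the backup once Microsoft's patch is in place. The registry path is the one the alert names; the backup file location and the function names are this example's assumptions. The .NET registry classes are used instead of the PowerShell registry provider because the provider treats the '/' in 'application/hta' as a path separator. Run from an elevated prompt.

```powershell
# Added example, not part of the TruSecure alert: reversible removal of the
# application/hta MIME mapping. Registry path from the alert; backup file
# location and function names are this example's assumptions.

$HtaMimeSubKey = 'SOFTWARE\Classes\MIME\Database\Content Type\application/hta'
$BackupFile    = Join-Path $env:SystemRoot 'hta-mime-backup.reg'   # assumption

function Test-HtaMimeType {
    # True if IE still has a MIME mapping for application/hta.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($HtaMimeSubKey)
    if ($null -eq $key) { return $false }
    $key.Close()
    return $true
}

function Disable-HtaMimeType {
    if (-not (Test-HtaMimeType)) {
        Write-Warning 'application/hta MIME mapping is already absent; nothing to do.'
        return
    }
    # Export first and refuse to delete unless the backup actually landed on disk.
    if (Test-Path -LiteralPath $BackupFile) { Remove-Item -LiteralPath $BackupFile -Force }
    & reg.exe export "HKLM\$HtaMimeSubKey" "$BackupFile" 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupFile)) {
        throw "Backup to $BackupFile failed; key left in place."
    }
    # Key confirmed present above, so DeleteSubKeyTree will not throw for a missing key.
    [Microsoft.Win32.Registry]::LocalMachine.DeleteSubKeyTree($HtaMimeSubKey)
    "Removed HKLM\$HtaMimeSubKey; backup saved to $BackupFile"
}

function Restore-HtaMimeType {
    # Run this after the IE patch is installed to put the mapping back.
    if (-not (Test-Path -LiteralPath $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import "$BackupFile" 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg.exe import failed' }
    "Restored HKLM\$HtaMimeSubKey from $BackupFile"
}

# Usage:
#   Disable-HtaMimeType      # during the exposure window
#   Test-HtaMimeType         # $false while the mitigation is in effect
#   Restore-HtaMimeType      # once the cumulative IE update is applied
```

Keep the backup file somewhere it will survive until the patch is deployed; Test-HtaMimeType gives a quick way to confirm across a fleet which machines still have the mitigation applied and which have been restored.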

Updating anti-virus signatures may also help to protect against this attack as vendors release QHOSTS detections.

Once a patch is released from Microsoft for these IE vulnerabilities, clients are encouraged to apply that patch.

DISCLAIMER:
Copyright 2003 TruSecure Corporation.  All rights reserved.  This Alert is the property of the TruSecure Corporation.  It may not be redistributed except within your own company or organization.  This Alert is being provided for informational purposes only and is provided "AS IS".  The TruSecure Corporation makes no warranties of any kind, express or implied, including, but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, and warranties arising out of any course of dealing or course of conduct.  

Impenetrable security is unattainable in real world environments; the TruSecure Corporation cannot and does not guarantee protection against breaches of security.

IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND, HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE ANY PRIOR OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE TRUSECURE CORPORATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.