Most recent exploits are like vehicles, they are assembled piece by piece, you can make a virus scanner detect the wheels, but a car, a bus and a bike are most certainly entirely different things! Yet none of them are any good without wheels, oh and in this case painting the wheel another color would circumvent detection, it's just that trivial, virus scanners are pretty useless against these type of attacks >From the psysm description: "The vulnerability allows for the writing, and overwriting, of local files by exploiting the ADODB.Stream object" As I wrote in the analysis, this exploit uses both known and unknown vulnerabilities. What is detected as psysm (the wheels) is what I described in this post http://seclists.org/lists/fulldisclosure/2003/Aug/1703.html And is used in this exploit as well However this flaw that has gone unpatched for many many months, only works when run from a file on the local hard drive!, so essentially it's a useless find unless you can complement it with one or more other vulnerabilities Over the past couple of months it's been combined with many an exploit I used it in combination with one of liu's finds http://lists.netsys.com/pipermail/full-disclosure/2003-September/009992.html Andreas sandblad used it: http://www.forbiddenweb.org/viewtopic.php?t=5242&view=previous Mindwarper used it: http://www.securityfocus.com/archive/1/342471 Some unknown person used it in the wild and wrote a worm, http-equiv did a writeup on it http://seclists.org/lists/fulldisclosure/2004/Mar/1404.html many many more people used it But it are all separate exploits and none of the formentioned ones work anymore they have been patched and dealt with, well except on thor's pc naturally ;) but thor deserves only mockery -----Original Message----- From: full-disclosure-admin@xxxxxxxxxxxxxxxx [mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx] On Behalf Of Larry Seltzer Sent: maandag 7 juni 2004 4:43 To: 'Jelmer'; bugtraq@xxxxxxxxxxxxxxxxx Cc: full-disclosure@xxxxxxxxxxxxxxxx; peter@xxxxxxxxxxxxxxxx Subject: RE: [Full-Disclosure] Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) >>Finally I also attached the source files to this message My McAfee-based gateway scanner blocks the attachment and labels it as "VBS/Psyme", which has this description (http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100749): "This trojan exploits an unpatched (at the time of this writing) vulnerability in Internet Explorer. The vulnerability allows for the writing, and overwriting, of local files by exploiting the ADODB.Stream object. There are several variants of this trojan. Therefore this description is design to give an overview of how the trojan works. The trojan exists as VBScript. This script contains instructions to download a remote executable, save it to a specified location on the local disk, and then execute it." Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blog.ziffdavis.com/seltzer larryseltzer@xxxxxxxxxxxxx _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
