Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

Exploit.HTML.Mht

Forum: Virus, Worm & Trojan Alerts
Longknife
Newbie


Joined: 02 Oct 2004
Last Visit: 08 Aug 2006
Posts: 3

Posted: Sat Oct 08, 2005 1:08 pm    Post subject: Exploit.HTML.Mht

Picked this up somewhere on the net. It executed in the IE Temporary Files. In this case the exploit was carrying a porn dialer, Win2.UPDating.g. Luck was with me: I caught it in the process of infecting my second machine, moving through the LAN from my first machine. It had passed through two locked firewalls and was infecting the printer drivers when caught. Somehow it slipped past my real-time AV, which was set on high at the time. I did manage to delete it with an on-demand scan, so it spoofed or disabled the real-time scan prior to moving. I was lucky; it certainly could have carried a more lethal payload.

Here's more on the subject, courtesy of "neohapsis":

NUL Character Evasion

Internet Explorer ignores NUL characters -- i.e. ASCII characters with the value 0x00 -- while most security software does not. This behaviour of IE does not depend on the charset in the Content-Type header.

In Detail

You can embed NUL characters at any place in an HTML document, even inside of tags. IE parses the file as if they were not there. The number of NUL characters does not matter: a single one is ignored as well as 5000 en bloc after every single valid character. In tests I successfully infected an unpatched Windows system from HTML pages containing 5000 NUL characters.

Antivirus

I took a standard MHTML exploit that was recognized by ten AV programs:

AntiVir HTML/Exploit.OBJ-Mht
BitDefender Exploit.Html.MhtRedir.Gen (suspected)
ClamAV Exploit.HTML.MHTRedir-8
eTrust-VET HTML.MHTMLRedir!exploit
F-Secure Exploit.HTML.Mht
Fortinet HTML/MHTRedir.A
McAfee Exploit-MhtRedir.gen
Kaspersky Exploit.HTML.Mht
Panda Exploit/Mhtredir.gen
Symantec Bloodhound.Exploit.6

After I modified it by inserting NUL characters, none of the AV scanners found anything suspicious -- although the exploits were still fully functional.

Full article at: http://archives.neohapsis.com/archives/fulldisclosure/200509/0411.html
TY neohapsis

Fine work by

Juergen Schmidt editor in chief heise Security www.heisec.de
Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover
Tel. +49 511 5352 300 FAX +49 511 5352 417 EMail juheisec.de
GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
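The mitigation the article implies, shown as an added example that is not from the post or from the heise article: a scanner that matches raw bytes misses what IE's parser accepts, so strip NUL bytes before signature matching and treat any NUL in text/html as suspicious in its own right. The signature and page below are constructed placeholders, not real exploit content.

```python
"""NUL-byte normalization for HTML signature scanning (constructed demo)."""

# Constructed stand-in for an AV signature; a real scanner would use its own pattern set.
SIGNATURE = b'<meta name="constructed-test-marker">'

# Constructed sample page that contains the marker once.
SAMPLE_PAGE = b"<html><head>" + SIGNATURE + b"</head><body>hello</body></html>"


def interleave_nul(page: bytes, run: int) -> bytes:
    """Insert `run` NUL bytes after every byte, reproducing the variation
    the article tested (run=0 returns the page unchanged)."""
    return b"".join(bytes([b]) + b"\x00" * run for b in page)


def naive_match(page: bytes, signature: bytes = SIGNATURE) -> bool:
    """Byte-for-byte substring match: what a scanner without normalization does."""
    return signature in page


def normalized_match(page: bytes, signature: bytes = SIGNATURE) -> bool:
    """Drop NUL bytes first, so the scanner sees the same stream IE parses."""
    return signature in page.replace(b"\x00", b"")


def has_nul(page: bytes) -> bool:
    """Cheap heuristic: well-formed text/html should contain no 0x00 bytes at all,
    so their presence is itself worth flagging regardless of signature hits."""
    return b"\x00" in page


def scan(page: bytes) -> dict:
    """Run all three checks and report the NUL count for triage."""
    return {
        "naive": naive_match(page),
        "normalized": normalized_match(page),
        "nul_present": has_nul(page),
        "nul_count": page.count(0),
    }


if __name__ == "__main__":
    for run in (0, 1, 5000):
        print(f"NUL run={run}: {scan(interleave_nul(SAMPLE_PAGE, run))}")
```

The naive check succeeds only for run=0; the normalized check and the NUL heuristic catch every variant.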
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 19 Dec 2014
Posts: 10346
Location: at the beach

Posted: Sat Oct 08, 2005 1:10 pm

Thanks for the post Longknife. That's good info.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or email me for personal support. Post in the Forums instead and we will all learn.