Beng Hacks: October 2006

Sunday, October 15, 2006

WebViewFolderIcon part 2

Ok, regarding this ActiveX attack, I noticed that MS has patched this in this week's security update. I advise everyone to patch NOW.

Why? Cuz this JavaScript hack is quite clever. It hides the shellcode inside Unicode escapes to compact it, and the shellcode is usually a download-and-execute payload that grabs a trojan off the website. So by the time your IE browser crashes just from visiting a website (it can be any website, and it can even be hidden inside an email if your webmail doesn't filter JavaScript), it has already downloaded an EXE onto your PC.
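To see what "hiding shellcode inside Unicode" means in practice, here is an added PowerShell snippet (my own example, not from the original post) that decodes the `%uXXXX` escape form JavaScript's `unescape()` accepts and reports how many raw bytes it unpacks to. Each `%uXXXX` unit turns into two bytes, low byte first, which is why a few hundred units can carry a complete payload. The sample string is constructed and decodes to harmless text; the function and threshold are assumptions of this example.

```powershell
# Added example, not code from the original post.
# Decode "%uXXXX" escapes into the bytes unescape() would place in memory
# (little-endian: low byte first), so an analyst can measure and inspect them.
function ConvertFrom-PercentU {
    param([Parameter(Mandatory)][string]$Text)
    $bytes = New-Object System.Collections.Generic.List[byte]
    foreach ($m in [regex]::Matches($Text, '%u([0-9A-Fa-f]{4})')) {
        $unit = [Convert]::ToInt32($m.Groups[1].Value, 16)
        $bytes.Add([byte]($unit -band 0xFF))           # low byte
        $bytes.Add([byte](($unit -shr 8) -band 0xFF))  # high byte
    }
    return ,$bytes.ToArray()
}

# Triage helper (assumed threshold): legitimate scripts rarely carry long runs
# of %u escapes in a single literal; a long run is worth a closer look.
function Test-LongEscapeRun {
    param([Parameter(Mandatory)][string]$Text, [int]$MinUnits = 64)
    $count = [regex]::Matches($Text, '%u[0-9A-Fa-f]{4}').Count
    return ($count -ge $MinUnits)
}

# Constructed sample: decodes to "hello" followed by a NUL byte.
$sample  = '%u6568%u6c6c%u006f'
$decoded = ConvertFrom-PercentU -Text $sample
$hex     = ($decoded | ForEach-Object { '{0:x2}' -f $_ }) -join ' '
'{0} bytes: {1}' -f $decoded.Length, $hex      # 6 bytes: 68 65 6c 6c 6f 00
'Long escape run: {0}' -f (Test-LongEscapeRun -Text $sample)   # False for this tiny sample
```

Run it against the script body pulled from a suspicious page; a literal that decodes to hundreds of bytes beginning with nonsense rather than text is the thing to send to your AV vendor or sandbox, not something to execute.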

Not only scan your PC for infection, but also check your STARTUP folder and the RUN key inside your registry (it shows up as a folder in regedit). If you dunno what the RUN key in the registry is, Google it. Check both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, as an entry can be hidden under either of them to re-launch an EXE at every logon.
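Here is an added PowerShell script (my own example, not from the original post) that lists exactly the autostart locations just described: the Run key under both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, plus the per-user and all-users Startup folders. It goes slightly beyond the post by also reading the RunOnce keys, which serve the same purpose. It is read-only and only prints what it finds; the function name is an assumption of this example.

```powershell
# Added example, not code from the original post. Read-only: nothing is deleted.
function Get-AutostartEntries {
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    # Registry autostart values: every value under these keys is a command run at logon.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Location = $key
                Name     = $name
                Command  = $item.GetValue($name)
                Modified = $null
            }
        }
    }

    # Startup folders: anything dropped here also runs at logon.
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),        # current user
        [Environment]::GetFolderPath('CommonStartup')   # all users
    )
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($file in Get-ChildItem -Path $dir -Force -File) {
            [pscustomobject]@{
                Location = $dir
                Name     = $file.Name
                Command  = $file.FullName
                Modified = $file.LastWriteTime
            }
        }
    }
}

Get-AutostartEntries | Format-Table -AutoSize
```

Look for commands pointing at an EXE in a temp directory, your profile, or a random name you don't recognise, and for anything modified around the time IE crashed. Check the file itself (and its vendor signature, if any) before removing an entry.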

Who knows, YOU might be INFECTED right now! If you ever experience IE browser crash for no reason, please be suspicious.

Monday, October 09, 2006

WebViewFolderIcon

One recent (or not so recent) web hack is the WebViewFolderIcon ActiveX attack. Basically it's a web browser attack that allows code to be executed after an integer overflow. All a victim needs to do is visit a webpage that contains the exploit code (usually encoded as escape characters).

When this happens your IE browser usually crashes, but by then it's already too late. Then it does the usual thing with the stack, etc...

It works on ALL IE browsers and is STILL not patched. GG M$. But a small caveat: AVG reported this particular one I have as a known exploit patched in MS04-011, an attack on LSASS. Maybe AVG detected it wrong?

Anyway, according to HD Moore's site, it still works.

Will post an update when I find out more...