Author Topic: Zero Day exploit being used to infect PCs  (Read 23978 times)


Offline DavidR

Re: Zero Day exploit being used to infect PCs
« Reply #15 on: September 22, 2006, 06:44:57 PM »
I'm aware of that Frank, the comment was more aimed at others who might be viewing the Topic, now or later currently (Read 192 times).
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.7.2388 (build: 19.7.4674.494)/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline cyfer

Re: Zero Day exploit being used to infect PCs
« Reply #16 on: September 22, 2006, 11:33:20 PM »
Quote
reputable group known as "ZERT" — Zeroday Emergency Response Team — has produced a very nice GUI and Command Line patch utility which repairs the VML buffer overrun design flaw in Microsoft's VGX.DLL file.

Since VML is very rarely used on the web, "unregistering" the vulnerable DLL to take it completely out of service is probably the more prudent countermeasure. But if you choose to unregister the DLL you will need to remember to re-register it later. And corporate users may wish to employ ZERT's CommandLine tool to patch all Windows systems network-wide. (Full source code is included to allow independent verification of the utility's operation.)

This ZERT page contains the latest information on this alternative:

http://isotf.org/zert/

Additionally, and either way, a simple and benign vulnerability test page is available from their download page. It will (a) crash your IE browser if your system is currently vulnerable, (b) display two red rectangles if your browser has VML enabled (registered) and safely patched, or (c) pop-up a dialog box informing you that your IE is immune to this vulnerability if VGX.DLL is unregistered and you have scripting enabled to allow the pop-up. (If scripting is disabled for untrusted sites you'll just get a blank page.)

See the details of this testing page here:

http://isotf.org/zert/download.htm

Note that using this patching solution will "re-register" the VGX.DLL file for use by your system. So if you want double protection you could patch the file then follow the instructions below to also unregister it (though doing either is also certainly sufficient).

    * Microsoft's VML Security Advisory — "Vulnerability in Vector Markup Language Could Allow Remote Code Execution." This advisory provides a general overview of the problem and, fortunately, also provides a robust interim work-around to disable Windows' and IE's VML parsing. This can and should be used until Microsoft has repaired the buffer overrun in the VGX.DLL VML parser that is being actively exploited on the Internet.
    * How to protect your system:
      As detailed in Microsoft's VML security advisory (see link above), you can quickly, easily, and safely protect your system from possible VML exploitation by "unregistering" the defective DLL. The system will no longer be able to render web-based vector markup language graphics, but you won't notice any difference since few sites use VML for benign purposes.

      Simply copy this command from this page (highlight the entire line then type Ctrl-C to Copy it into the clipboard), then open the "Run..." dialog by pressing your system's Start button and choosing "Run..." Press "Backspace" to remove anything that might already be in the "Open" field, then type "Ctrl-V" to paste the command into the field. Press "OK" to execute the command and you should receive a dialog confirming that the VGX.DLL file has been "unregistered" ...

      regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

      Please tell your family and friends and the word. Since this newly discovered Windows VML defect is being actively exploited by thousands of web sites to install malware, and since viewing malicious eMail with many versions of Outlook will also cause this to occur, EVERY Windows user is a potential victim. Please help people to protect themselves.
    * How to "re-register" the VGX.DLL:
      Once Microsoft has repaired this defect, which should happen no later than the second Tuesday in October (Oct. 10th) — and after you have applied those October security updates — you should re-register the repaired VGX.DLL file by repeating the steps above, but using a command without the "-u" argument, as follows:

      regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

      At that time, please also remind anyone you may have helped to protect themselves through un-registering the DLL to re-register it AFTER they have updated their system with the current October patches.

http://www.grc.com/sn/notes-058.htm
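The unregister / re-register procedure quoted above, scripted as an added example (not ZERT's or GRC's code) for an administrator who wants a check rather than a confirmation pop-up. It assumes the DLL path from the post and that regsvr32 records the registration as CLSID\...\InprocServer32 entries, which is what it does for any in-process COM server.

```powershell
# Added example, not from the thread: report whether vgx.dll is registered,
# then unregister (mitigation) or re-register (after the fix) and verify.
$VgxPath = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'

function Test-VgxRegistered {
    # A registered in-process COM server has at least one CLSID whose
    # InprocServer32 default value points at the DLL.
    $hits = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)' -like '*vgx.dll*') { $_.PSChildName }
        }
    return [bool]$hits
}

function Set-VgxRegistration {
    param([switch]$Unregister)
    if (-not (Test-Path $VgxPath)) {
        throw "vgx.dll not found at $VgxPath; nothing to (un)register."
    }
    # /s = silent (no dialog), /u = unregister: the same calls the Run-dialog
    # commands in the post make, minus the confirmation box.
    $rsArgs = @('/s')
    if ($Unregister) { $rsArgs += '/u' }
    $rsArgs += "`"$VgxPath`""
    $proc = Start-Process -FilePath regsvr32.exe -ArgumentList $rsArgs -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        throw "regsvr32 exited with code $($proc.ExitCode)"
    }
    # Confirm the registry actually changed; a silent regsvr32 can fail
    # quietly when not run elevated.
    $registered = Test-VgxRegistered
    if ($Unregister.IsPresent -eq $registered) {
        throw "registration state did not change as expected (registered=$registered)"
    }
    return $registered
}

# Usage (run as Administrator):
#   Set-VgxRegistration -Unregister   # take the VML parser out of service
#   Set-VgxRegistration               # put it back after the October update
"vgx.dll registered: $(Test-VgxRegistered)"
```

On 64-bit Windows there is a second, 32-bit copy under ${env:CommonProgramFiles(x86)} that Internet Explorer (32-bit) loads; run the same steps against that path as well.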

Offline FreewheelinFrank

Re: Zero Day exploit being used to infect PCs
« Reply #17 on: September 23, 2006, 09:54:48 AM »
A video of the exploit in action.

http://www.websense.com/securitylabs/blog/blog.php?BlogID=82

The interesting thing is that nothing seems to happen: the attack occurs "behind the scenes".

Interestingly, the site is not a "porn" site: the exploit has spread to legitimate looking sites. Websense has some examples here:

http://www.websense.com/securitylabs/alerts/alert.php?AlertID=632

The URLs are obscured but not hard to find, so heed the warning:

Quote
DO NOT VISIT THESE SITES. YOU WILL BE COMPROMISED.
  :o
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline FreewheelinFrank

Re: Zero Day exploit being used to infect PCs
« Reply #18 on: September 23, 2006, 12:49:11 PM »
Quote
According to Sunbelt researcher Eric Sites, the exploits at the moment appear to be hosted mainly on hardcore porn sites. But if past experience with new IE exploits holds true, we may soon see this exploit being sewn into the fabric of legitimate, but poorly programmed, business Web sites that hackers can manipulate to their advantage.

As predicted, this now seems to have happened:

Quote
Hackers have hijacked a large number of sites at web hosting firm HostGator and are seeking to plant trojans on computers of unwitting visitors to customer sites. HostGator customers report that attackers are redirecting their sites to outside web pages that use the unpatched VML exploit in Internet Explorer to install trojans on computers of users. Site owners said iframe code inserted into their web pages was redirecting users to the malware-laden pages.

http://news.netcraft.com/archives/2006/09/22/hacked_hostgator_sites_distribute_ie_exploit.html

Microsoft are playing down the problem, but umming and ahing about bringing out a patch before October 10th:

Quote
Microsoft's security team said Friday afternoon that it may release a patch for the VML exploit before its next scheduled update on Oct. 10. "Attacks remain limited," Microsoft's Scott Deacon wrote on the Security Response blog. "There’s been some confusion about that, that somehow attacks are dramatic and widespread. We’re just not seeing that from our data, and our Microsoft Security Response Alliance partners aren’t seeing that at all either.

"Of course, that could change at any moment, and regardless of how many people are being attacked, we have been working non-stop on an update to help protect from this vulnerability," Deacon added. "We’ve made some progress in our testing pass for the update and are now evaluating releasing this outside the monthly cycle, as we do any time customers are under threat and we believe we can issue an update that meets our quality bar for widespread deployment."

(Same link)

Offline FreewheelinFrank

Re: Zero Day exploit being used to infect PCs
« Reply #19 on: September 24, 2006, 08:24:04 AM »
Please note that the universal application of the DEP feature as described earlier in the thread may result in some legitimate programs failing to function correctly.

In SP2, the feature is not applied by default, probably for this reason. Anybody applying it as protection against the VML exploit needs to bear in mind that it may cause problems.

I applied the DEP feature on my computer (software only, as I have an older chip) and soon after I got this message while running Ad-Aware:


..::ReVaN::..

Re: Zero Day exploit being used to infect PCs
« Reply #20 on: September 24, 2006, 10:04:52 AM »
In SP2, the feature is not applied by default, probably for this reason.

Yes it is, but only for essential Windows programs and services ... ;)

Offline FreewheelinFrank

Re: Zero Day exploit being used to infect PCs
« Reply #21 on: September 24, 2006, 10:30:42 AM »
Yes, I was referring to the universal application of DEP (the OptOut and AlwaysOn settings), which are the ones SP2 users need to change to prevent the VML exploit from working.
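The four DEP settings the posts are comparing (OptIn is the "essential Windows programs and services only" default, OptOut covers everything except a tick-box list, AlwaysOn/AlwaysOff allow no exceptions) can be read back from WMI. This is an added example, not something posted in the thread; it assumes Windows XP SP2 or later and reads the OptOut exception list from the AppCompatFlags\Layers key, where the DEP dialog stores its tick boxes.

```powershell
# Added example, not from the thread: show the system DEP policy and, when
# OptOut is in force, which programs have been excluded from it.
function Get-DepPolicy {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy codes
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        Policy       = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
        # false = software-enforced DEP only, the "older chip" case in the post
        HardwareDep  = [bool]$os.DataExecutionPrevention_Available
        Dep32BitApps = [bool]$os.DataExecutionPrevention_32BitApplications
        DepDrivers   = [bool]$os.DataExecutionPrevention_Drivers
    }
}

function Get-DepExceptions {
    # Each excluded program is stored as an AppCompat layer entry whose name
    # is the executable path and whose data carries the DisableNXShowUI flag.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    $props.PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match 'DisableNXShowUI' } |
        ForEach-Object { $_.Name }
}

$policy = Get-DepPolicy
$policy
if ($policy.Policy -eq 'OptOut') {
    'Programs excluded from DEP:'
    Get-DepExceptions
}
```

Under AlwaysOn the exception list is ignored even if entries exist, which is why a program that misbehaves under DEP (Ad-Aware in the post) only has a workaround once the policy is OptOut.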

..::ReVaN::..

Re: Zero Day exploit being used to infect PCs
« Reply #22 on: September 24, 2006, 11:13:09 AM »
OK, I see, Frank. I thought you meant it wasn't turned on at all in SP2.

I turned DEP on for all software (I don't have hardware DEP either) and I ran a couple of scans with Ad-Aware, but it seems to run just fine here. In fact everything seems to work OK, but I will run some more programs and see if I encounter any problems.


Offline FreewheelinFrank

Re: Zero Day exploit being used to infect PCs
« Reply #23 on: September 24, 2006, 11:36:04 AM »
Hopefully it will be a rare problem:

Quote
The majority of applications will not encounter a problem with DEP. However, when an application does encounter a problem with DEP, a Data Execution Prevention message is presented to the user, alerting them to the problem.

http://technet2.microsoft.com/WindowsServer/en/library/b0de1052-4101-44c3-a294-4da1bd1ef2271033.mspx?mfr=true

..::ReVaN::..

Re: Zero Day exploit being used to infect PCs
« Reply #24 on: September 24, 2006, 11:45:23 AM »
OK thanks for the link ;)

Offline FreewheelinFrank

Re: Zero Day exploit being used to infect PCs
« Reply #25 on: September 24, 2006, 11:51:53 AM »
I notice when using the OptOut setting (I tried AlwaysOn before) there is a tick box for Ad-Aware, so I guess the conflict with DEP must be a known issue.



I notice there's also a tick box for Windows Explorer: I wonder if that also will conflict with DEP?

I'll leave it unticked for a while and see what happens.  :P


..::ReVaN::..

Re: Zero Day exploit being used to infect PCs
« Reply #26 on: September 24, 2006, 12:16:07 PM »
Interesting, I have none of those programs on the list ... Perhaps they appear there if they conflicted with DEP in the past?
« Last Edit: September 24, 2006, 02:26:48 PM by M2 »

Offline FreewheelinFrank

Re: Zero Day exploit being used to infect PCs
« Reply #27 on: September 24, 2006, 02:38:48 PM »
I've never had system wide DEP enabled before!  ???

Offline szc

Re: Zero Day exploit being used to infect PCs
« Reply #28 on: September 24, 2006, 02:57:57 PM »
Not a single box on my end either, and DEP is enabled for all programs on my machine since like forever:

MB: GIGABYTE GA-Z77X-UD3H Intel 7 Series  - LGA1155, CPU: Intel Core i5-3570K - Quad Core, 3.40GHz (3.80GHz Max Turbo), CPU COOLER: Cooler Master Hyper 212 EVO Direct Heat Pipe R2, RAM: 16 GB Kingston HyperX Blu DDR3, VIDEO CARD: Galaxy GeForce GTX 560 Ti - 1GB, GDDR5, POWER SUPPLY: Corsair Enthusiast Series TX750 V2 - 750 Watts, HD: Seagate Barracuda - 2TB, 7200RPM, 64MB, SATA 6Gb/s

Offline drhayden1

Re: Zero Day exploit being used to infect PCs
« Reply #29 on: September 24, 2006, 03:32:18 PM »
Hey SZC.... mine has been checked just the opposite since day one on this laptop (turn on DEP for essential Windows programs and services only). What is the best way to go? Everything runs fine as is and I really hate to change anything ???
Gateway Laptop-AMD Phenom™ II Quad-Core Processor N830 (2.1GHz)-5000MB Dual-Channel DDR3 1066MHz Memory-ATI Radeon® HD 5650 Graphics with up to 1024MB of dedicated memory-500GB 5400RPM SATA hard drive-Windows® 8 Pro (64bit)-Windows Live Mail-Kaspersky Pure 3.0-WinPatrol Plus....