Author Topic: Check your ActiveX Controls...  (Read 3030 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Check your ActiveX Controls...
« on: December 18, 2009, 07:52:57 PM »
Hi malware fighters,

Abusable ActiveX controls can be mitagated by setting killbits.
OK so far, but also consider this info I stumbled upon at PCreview:
Quote
Killbits in a registry entry for the class ID of an ActiveX object *NEVER*
prevents that AX control from getting onto your host. It only prevents it
from being referenced (i.e., called) through the registry. So the malware
can still get onto your host but hopefully it cannot run.

At one time, the author of SpywareBlaster was clear in how his product
worked in setting killbits which would prevent executing the AX control but
did not prevent it from getting put onto the computer. Later he started
making non-truths (he got caught up in the anti-malware prattle) saying that
his product would prevent *installation* of the bad AX controls included in
his killbit list. He backed off from that claim when it was shown that
setting killbits never prevents an install program from depositing the files
on the computer.

So like with eunuchs, rather than keep the men from messing with the harem,
just snip off their important bits to make them impotent. They're still
there but can't molest. The killbit doesn't stop the installation program
from depositing the files onto your computer. The killbits won't remove
those files. The killbits only prevent the AX control from being called
through its reference in the registry. DLLs may also get registered so
their path and attributes are defined there and any application can make a
call to an entry point (function) without having to know where is the DLL;
however, a program can still make a direct call to a function within a DLL
file. I don't do AX programming and don't know if direct calls to the AX
file can be used instead of requiring the use of the registry.

Since the installation of the malware could also update the registry, it
would seem that setting the killbit for it beforehand would be fruitless
since the install program could change that registry key to unkill the AX
control. So it seems the killbit scheme is an afterthough approach where
you periodically need to update those registry keys to [re]set the killbits.
That's why I'm not sure how effective are killbits. Malware gets installed,
updates the registry, removes the killbit value, if set, and the malware
will run okay until the next time you rerun SpywareBlaster or whatever you
use to add the killbit values. Since you can edit the registry to add the
killbit or use software to do so, why can't an install program running under
the same account also perform the same action (but to unkill) as did you or
the software that you used? If you let the AX control install through the
Windows-supplied installation routines then the killbit is honored. If,
however, you open an attachment and run it, the installation program does
whatever it wants, and malware doesn't care about killbits and might be
smart enough to unkill them for itself.

So start to test yourself, it is free...

http://codetest.verizonbusiness.com/

Else you have this software, Axban: http://erratasec.blogspot.com/2008/05/activex-is-dangerous.html

polonus
« Last Edit: December 18, 2009, 07:57:40 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

YoKenny

  • Guest
Re: Check your ActiveX Controls...
« Reply #1 on: December 18, 2009, 09:14:25 PM »
Results on Windows 7:

Not Affected!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Check your ActiveX Controls...
« Reply #2 on: December 18, 2009, 10:40:02 PM »
Hi YoKenny,

Same results for me on Windows XP SP3, apparently ran all updates and patches there..

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

pete319

  • Guest
Re: Check your ActiveX Controls...
« Reply #3 on: December 19, 2009, 06:22:59 AM »
Results Windows XP Home sp3

I also got Not Affected!