Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: BHO and dlls

  1. #1
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152

    BHO and dlls

    Found this posted on SANS this morning

    http://isc.sans.org/diary.html?storyid=3702

    After I searched the web a bit, I found out that Elia Florio from Symantec already described another variant of this same BHO which they called Trojan.Advatrix (Symantec's description is here). Besides the information I already had, that particular variant did something else to the machine. Something very, very mean.

    Elia found out that the BHO modifies Internet Explorer so that it becomes vulnerable to two security vulnerabilities: MS06-014 known as the MDAC vulnerability and MS07-017, known as the ANI vulnerability.

    These two vulnerabilities are probably the most exploited vulnerabilities in Internet Explorer today. The MS06-014 vulnerability is practically a part of every exploit pack today (and is certainly in MPACK, which is the most popular one). Exploits for the ANI vulnerability can also still be found almost everywhere.

    What makes me extremely worried is how hidden this whole thing is. The BHO just modifies Internet Explorer’s image which means that no files are written to the disk. In other words, such a machine will look completely patched to Windows Update or any other patch checking system. However, while the BHO is active, the machine will be vulnerable to two most exploited client side vulnerabilities in last couple of years.

    The last line of defense, the anti-virus program, is not particularly helpful here either. The dropper I had was detected by only 13 out of 32 AV programs on VirusTotal and the DLL detection was even worse with only 7 AV programs detecting it.

    While there are many lessons to learn from this malware, I would like to stress out one really important thing: when a machine gets infected, your only option is to reinstall it from scratch. With today’s malware phoning home and installing stealth, updated modules, this is really a no brainer.
    MLF
    Last edited by morganlefay; November 29th, 2007 at 03:35 PM. Reason: forgot my sig
    How people treat you is their karma- how you react is yours-Wayne Dyer

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Good find!

    I don't know if these would show up, but I see no reason why they shouldn't:

    SpyBot Search & Destroy ("tools") and WinPatrol both have tools to manage BHOs.

    http://www.safer-networking.org/
    http://www.winpatrol.com/


  3. #3
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Until you remove the BHO...your machine will be vulnerable.

    I use Hijackthis for viewing BHOs....

    But you can never have too many tools

    heres an update explaing the vulnerability and how it loads in memory

    http://isc.sans.org/index.html?on=diary

    UPDATE

    We got couple of questions about this "memory modification" that causes Internet Explorer to be vulnerable to old vulnerabilities, so here's a short explanation about this.

    When you patch your system, the patching utility basically just replaces old files - OS files, libraries (DLLs) and similar files on your system with new revisions which fix vulnerabilities. Complex software, such as Internet Explorer, loads tens of different libraries and other files. Some of these libraries were previously affected with vulnerabilities that have been patched. Those files are generally the same as before, just the vulnerable part has been modified.

    So, once Internet Explorer loads such libraries in memory in order to use them, Advatrix finds them and modifies patched parts of the code (just overwrites the fixed code with the code from the previous (unpatched) library). This way the current instance of Internet Explorer is vulnerable to those two vulnerabilities even though the libraries that are saved on the disk are current and patched.

    The point of patching is to prevent your machine to be exploited through old vulnerabilities - keep in mind that in this case the machine has already been infected with something (through some other infection vectors).

    One of the key points here is that until you remove the BHO, the machine stays vulnerable to those two vulnerabilities (and this will inevitably lead to other infections, no matter how good your AV software is). And the worst thing is that patch checking software will report machine as being up to date with all released patches.
    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  4. #4
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    I wonder who had the bright idea of letting one program (the BHO)
    trespass on the memory image of another running program (Internet Explorer)
    without generating a seg fault. It violates basic multitasking theory,
    but BHOs are <snicker>so useful, and provide such wonderful
    functionality.</snicker>
    I came in to the world with nothing. I still have most of it.

  5. #5
    Junior Member
    Join Date
    Dec 2007
    Posts
    12
    Quote Originally Posted by rcgreen
    I wonder who had the bright idea of letting one program (the BHO)
    trespass on the memory image of another running program (Internet Explorer)
    without generating a seg fault. It violates basic multitasking theory,
    but BHOs are <snicker>so useful, and provide such wonderful
    functionality.</snicker>
    From the 2 articles posted it wasnt saying that it was writing into the ie processes memory, it was rewriting some dlls back to unpatched versions so that it becomes vuln again, dlls are just files like .so's which as the necesitation of tripwire proves get over written by things all the time in nix systems, i mean hundreds of rootkits exist for linux that rewrite system functions, its the same prinipal in play.

    Windows memory managment will not allow you to write to other processes localmemory however there is a small amount of global memory (i think its a page in windows) that all applications can write to but it is limited so not many applications will take advantage of it, got a heap for storing data.

  6. #6
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    The BHO just modifies Internet Explorer’s image which means that no files are written to the disk. In other words, such a machine will look completely patched to Windows
    Maybe I'm misinterpreting this, but that's what this person seems
    to be saying. I assume that a BHO is allowed to rewrite IEs memory
    because IE is designed to permit it. I was being facetious about
    memory management, because this vulnerability, like all of Windows
    vulnerabilities, was put there deliberately, because they thought
    it was a good idea at the time. They never dreamed that anyone
    would ever write a malicious BHO.
    I came in to the world with nothing. I still have most of it.

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmm,

    The way I understood it was that a lot of applications have files that they load or use when they are started. After that they do not use the original file until the next restart.

    At this point in time the original file is vulnerable as the system does not have a lock on it, so you just replace them with older, vulnerable versions.

    AFAIK Windows doesn't actually check its files for updates, it has some sort of table with the patches that have been applied. So, to Windows update and other tools that use this table, it seems to be up to date, even though the patch has since vanished.


  8. #8
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    If, as they say, the various DLLs used by IE appear to be the latest
    patched versions, the BHO loads the older unpatched code at the time
    you open IE, not from the good DLLs, but from itself. The only way
    to know you are infected is if you happen to be informed that this BHO
    is a bad guy. It doesn't modify the files, but loads the code at runtime.
    So it's a combination of problems. Users shouldn't install every BHO
    that is advertised free on the net. But it's also a design issue. IE is designed
    to allow BHOs to modify the way it acts, and they are way too
    easy to install. Who needs seventeen toolbars and assorted "download managers"?
    I came in to the world with nothing. I still have most of it.

  9. #9
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Who needs seventeen toolbars and assorted "download managers"?
    you wouldnt believe how many people "think" they need all that crap

    You are right..it is far to easy to install these "helpers"

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  10. #10
    Senior Member kingkong's Avatar
    Join Date
    Oct 2007
    Location
    UAE
    Posts
    197
    Hi Guyz

    bouncer

    Regards

    KK
    Question is not "Why are you Online"
    Question is "Why are you Off line"

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •