Re: Spyware installs with no interaction in IE on fully patched XP SP2 box

[Alla Bezroutchko <alla () scanit be>]

Carr, Robert wrote:
> Interesting...
>
> I just went there, and he's right. Atpartners.cab installed without
> permission. My McAfee picked it right up as Atpartners.dll, downloaded
> to Temp Internet files. Spyware detected as NetPals. On the other hand,
> I'm admin of my machine, I wonder if a "user" would get an error message
> about not having the correct rights...

I have tested it on Windows XP SP2 and on fully patched Windows 2000. In 
both cases _nothing_ gets run or installed. Both systems are more or 
less standard installations without any special IE hardening (except 
patches).

When I surf to the site with Windows XP "Installing components... 
ATpartners.cab" briefly appears in the status bar and then the site gets 
displayed. Under the normal browser bars there is a message saying "The 
site might require the following ActiveX control: FREE on-line games and 
special offers from... Click here to install...". I don't click on it. 
Searching the disk for atpartnets.cab or atpartners.dll finds nothing. 
The CLSID of the ActiveX control only appears in the registry in 
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\".

With Windows 2000 I also get "Installing components... ATpartners.cab" 
in the status bar and then the dialog box asking if I want to install 
"Free online games from ATgames.com". This is a usual dialog box you get 
when a page attempts to install an ActiveX control. If I click "No", 
nothing gets installed, no atpartners files on the file system, no 
traces of the CLSID in the registry.

I suppose the cab file gets downloaded so that Windows can read and 
display the signature of the file. It does not get run or installed 
unless explicitly  permitted by user.

So, as far as I can see this is no 0-day.

Alla.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html