Re: idsearch.com and googleMS.DLL

[Jelmer <jkuperus () planet nl>]

----- Original Message ----- 
From: "trappers" <trappers () mail15 com>
To: <bugtraq () securityfocus com>
Sent: Saturday, November 15, 2003 4:21 PM
Subject: idsearch.com and googleMS.DLL


> Hi everyone,
> Here is a peice of information i'd like to share. Sorry of its
> old or irrelevant but I haven't noticed a mention of this on
> bugtraq, so am posting my experience with "the arrogant idsearch
> default homepage".
>
> For about two weeks we've been getting complaints from various
> stand-alone cutomers about automatic setting of idgsearch.com as
> their default homepage. Symantec and McAfee also had nothing
> initially (around 2nd November). So we sat down and started
> exploring.
>
> Now during these days, some interesting facts were observed. The
> spyware/worm seems to use many of the exploits/bugs mentioned on
> bugtraq, like those mentioned by Jelmer, Thor Larholm, Liu Die Yu
> (IE, XML amd WMP related) and mindWarper(Internet Explorer and
> Opera local zone restriction bypass).
>
> Once the user gets this syware/worm into their computer, it uses
> the MediaPlayer.exe to trigger set registry entries.

thats this issue :

http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-09/0654.html

Unfortunatly I imagine it's being used pretty heavily to install malware
since I had some run ins with
it myself just browsing some sites


> When "infected" mediaplayer is run, it drops the googleMS.dll
> file in user's application data folder. Even after removal of the
> registry entries, they again are set unless the googleMS.dll file
> is not deleted. we also found some entries in trusted zones of
> the affected computers, despite Norton Personal Firewall running
> (with updates) on two of the systems. All the systems had at
> least one anti-virus program, mostly Norton.


I am running an updated norton 2k4 and it doesn't catch any of the  most
recent wave of major public IE remote code execution exploits. I know some
other AV solutions do a better job in this regard.
Though you shouldn't rely on them

> Besides manual editing, we were able to locate the registry
> entries using HijackThis!. SpybotPro typically failed to identify
> the entries or the file.
>
> The cause, as usual, is unpatched versions of IE, possibly the
> patched versions may also be susceptible to the infection.

Up untill a couple of days ago there was no patch only workarounds
So your users probably got infected before that

MS03-048
(http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/M
S03-048.asp)

patches three vulnerabilities that involve the cross-domain security model
of Internet Explorer
all 3 by liu die yu, one of them being the file-protocol proxy vulnerability
(http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-Content.HTM),
which is an integrate part
of both liu's 6 step compromise exploit and my mediaplayer / adodb issue,
the 2 most recent public vulnerabilities that allow for execution of
arbitrary code

the other 2 being

- an issue with placing a javascript:code() style url in the history then
caching the history.back function and calling it after another url has been
loaded
(http://safecenter.net/liudieyu/NAFjpuInHistory/NAFjpuInHistory-Content.HTM)

- an issue with opening a javascript:code() style url in the search pane by
calling the open method of a frame contained in the searchpane
(http://safecenter.net/liudieyu/WsFakeSrc/WsFakeSrc-Content.HTM)

which could probably with some work both be swapped in, in place of the file
proxy issue

so for the time being you're "save" if your machines are fully patched since
there currently is no way to access the my computer zone
*but* when another way is found and a while back these popped up on a bi
weekly basis, all the stuff starts working again. Unfortunatly microsoft is
treating symptoms not administering a cure (yet anyway)

> More information on how it gets initiated would be appreciated.
>
> Best wishes.
>
> Inderjeet S Sodhi
> IT Consultant, S/W and E-Security Solution Provider,
> Web/WAP Developer and Beta Tester.
>
> wwwDOTinderjeetsodhiDOTcom
> This text online at: http://www.inderjeetsodhi.com/eSec/index.php

--jelmer