Security Incidents mailing list archives

Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3


From: "Thor Larholm" <thor () pivx com>
Date: Fri, 9 Jul 2004 18:35:57 -0700

This is most likely the result of your users browsing to sites with banner or
popup advertisement that use the Ibiza CHM exploit to automatically launch the
CHM file from a local drive, as opposed to already existing malware phoning
home - you are seeing the infection itself.

IEService215.chm consists of 3 files, INDEX.hhc, INDEX.hhk and index.htm, with
the first 2 files simply pointing at the last. index.htm contains obfuscated
VBScript and JScript code which when deobfuscated reveal an attempt to use an
ActiveX object that starts with A, then a DO, then DB .. you know, the one AV
scanners would block my mail for if I mentioned it. This is attempted to be
hidden by URL escaping the ActiveX object instantiation.

The end result is that http://67.109.249.3/download/IEService215.exe is
downloaded and executed, with a faulty Windows Media Player installation as a
telltale sign.

I have put a copy of all the files, including the decoded index.htm, at

http://www.jscript.dk/2004/7/IEService215/



Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor () pivx com
Stock symbol: (PIVX)
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation.
<http://www.pivx.com/qwikfix>



----- Original Message ----- 
From: "Humes, David G." <David.Humes () jhuapl edu>
To: <incidents () securityfocus com>
Sent: Friday, July 09, 2004 12:01 PM
Subject: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3


Starting around July 8th we noticed workstations trying to access
67.109.249.3 on port 80 and do a

GET /download/IEService215.chm HTTP/1.1

Analysis of the users' browsing activity did not reveal any pattern that
would suggest that the activity was user-initiated.  We suspect that this is
something trying to "phone home", but not sure quite what.  A reverse lookup
of the IP just returns 67.109.249.3.ptr.us.xo.net, and whois just tells me
that it belongs to XO.  Has anyone else seen this and know what it is?

Thanks.

--Dave
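The pattern Thor describes (a .chm fetched from an unexpected host, followed shortly by an .exe from the same host) can be hunted for in proxy logs. The following is an added example, not code from either poster; the log line format, the sample lines, the client addresses and the allowed-host list are all constructed for illustration, only the host and paths come from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log: "timestamp client method url status" (hypothetical format).
SAMPLE_LOG = """\
2004-07-08T09:14:02 10.1.2.15 GET http://www.example.com/index.html 200
2004-07-08T09:14:05 10.1.2.15 GET http://67.109.249.3/download/IEService215.chm 200
2004-07-08T09:14:09 10.1.2.15 GET http://67.109.249.3/download/IEService215.exe 200
2004-07-08T09:20:11 10.1.2.22 GET http://67.109.249.3/download/IEService215.chm 404
2004-07-08T10:01:00 10.1.2.40 GET http://docs.example.com/manual.chm 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3})$')
URL_RE = re.compile(r'^https?://([^/]+)(/.*)?$')

# Hypothetical: hosts from which CHM downloads are expected (e.g. an internal doc server).
ALLOWED_CHM_HOSTS = {"docs.example.com"}
# How long after the CHM fetch a follow-up .exe from the same host is still correlated.
FOLLOWUP_WINDOW = timedelta(minutes=5)

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    u = URL_RE.match(url)
    if not u:
        return None
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": u.group(1), "path": u.group(2) or "/", "status": int(status)}

def find_chm_drops(log_text):
    """Return alerts as (client, host, chm_path, exe_path_or_None).

    An alert fires for every .chm request to a host outside ALLOWED_CHM_HOSTS
    (even a 404 marks an attempted fetch); exe_path is filled in when the same
    client pulls an .exe from the same host within FOLLOWUP_WINDOW."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    alerts = []
    for client, evs in by_client.items():
        for i, e in enumerate(evs):
            if not e["path"].lower().endswith(".chm") or e["host"] in ALLOWED_CHM_HOSTS:
                continue
            exe = None
            for f in evs[i + 1:]:
                if f["ts"] - e["ts"] > FOLLOWUP_WINDOW:
                    break
                if f["host"] == e["host"] and f["path"].lower().endswith(".exe"):
                    exe = f["path"]
                    break
            alerts.append((client, e["host"], e["path"], exe))
    return alerts
```

A client that shows the .chm and the .exe pair is the case Thor describes as the infection completing; a .chm alone (or a 404) marks an attempt worth checking against the browsing history.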


