Yet another soon to be widespread MS Exploit

Status
Not open for further replies.

SNGX1275

I just got this in an e-mail from our public relations IT guy on campus. Enjoy:
UMR IT received reports from various security communications channels that a new security exploit is circulating via Microsoft ActiveX controls. We have one confirmed exploited campus system thus far.

Microsoft is aware of this exploit, but they cannot provide details until they are ready to deliver a patch.

This new exploit affects any application that uses Microsoft ActiveX controls (Outlook, Word, etc.). Once a system is exploited, all web activity is automatically redirected to pornographic web sites. Additionally, once a person logs off they will not be able to log back in. There are other implications too numerous to cover in this e-mail.

In the meantime, IT suggests customers exercise the following:

1) Turn off Outlook preview pane. This can be toggled (turned on/off) by selecting "view/preview pane".

2) Do not open any unsolicited e-mail. E-mail in HTML format is of concern once opened.

3) Do not visit unknown web sites. In other words, refrain from general web-surfing.

We will keep the campus posted as we know more about this exploit.
 
Yeah I heard about this the other day. People who are using dial up connections are being re-routed to some place overseas and being charged an ungodly amount of money per minute to connect. It is all going through this ActiveX exploit. This isn't good, but what do you expect from M$
 
Oh man that's horrible. I just placed a credit card order of about 1,000+ dollars.
 
Originally posted by poertner_1274
Yeah I heard about this the other day. People who are using dial up connections are being re-routed to some place overseas and being charged an ungodly amount of money per minute to connect. It is all going through this ActiveX exploit. This isn't good, but what do you expect from M$

That is interesting. I'd like to know how they do this after the connection is established, since the call has already been made and dialing is impossible while the connection is there.
 
Ah, but wait, it can get even worse. Up until this point the site has been playing with the browser, which has some reasonable security (usually) and must follow a set of rules. But what if the site tries to download an ActiveX control or an executable file? Yes, the browser will ask you if it's okay (unless you've had a serious case of the stupids and turned off ALL security) and only install or run it if you say yes.

But if you do say yes, then you've potentially added, willingly I might add because the browser did ask for permission, a totally unknown element to your system. There is absolutely no telling what this could do. In fact, it might do anything at all.

This program does not usually destroy anything. No, what it wants to do is dial up a phone number - a 900-type number. You know, one of those phone lines which charges by the minute.

Now you are really in trouble and you will not even know it until you get your phone bill. Something on your computer, something over which you have no control, can do anything it wants, including charging you money on your phone bill. And heaven help you if you, in some moment of insanity, give this program your credit card number or numbers. (And, of course, it could theoretically scan your hard drive for such things).

OK, I found this, but I saw this actually on thescreensavers or callforhelp, but I couldn't find an article about it.
And this article is kind of vague, doesn't say exactly what happens, just gives an example. But it shows the point.
 
Not sure if this is related - might be a separate issue from what's being discussed here, but...

Quote from ND Security e-mail I received
The recommended way of dealing with this will be to switch DNS settings (for all connections) back to "Obtain DNS Automatically," update McAfee using the Super Extra.DAT file linked from http://vil.nai.com/vil/content/v_100719.htm#RemovalInstructions and scan entire system. According to McAfee, their product will clean it when equipped with necessary updates. They have issued this Extra.DAT to cover the gap between now and the regularly-scheduled release of SuperDATs. ...

We suspect that this will burn itself out as McAfee releases their next regular DAT files and those not already infected are updated and protected. Microsoft's patch that was to have protected against this apparently does not work, so we suspect that there will be yet another security update to patch the patch. :-/ ...

This is a Trojan horse which infects a system that visits a web page containing the malicious code. The executable (partyboy.exe or aolfix.exe) is downloaded and run in the background. DNS settings are hard-coded to a third-party server that attempts to re-route all DNS requests through there in order to pop up ads, etc. The result in most cases is that pages will not display and other Internet services such as email, AIM, etc. that rely on DNS may cease to function properly. This is NOT a worm and cannot spread from one infected machine to another.
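The symptom the ND Security e-mail describes is a resolver list hard-coded to a third-party server. A quick way for a desktop-support person to spot that on a fleet is to parse `ipconfig /all` output and flag any adapter whose DNS servers are not the ones the site expects. The script below is an added example, not part of this thread or of McAfee's or Microsoft's guidance; the allow-list, the internal address range and the `ipconfig` text it parses are all constructed for the example.

```python
"""Detection check for hijacked DNS settings (added example).

Parses `ipconfig /all`-style text and reports adapters whose DNS servers are
not on a site allow-list. Everything below (resolver addresses, address range,
sample output) is a constructed assumption, not data from a real host.
"""
import re
from ipaddress import ip_address, ip_network

# Assumed: resolvers the site considers legitimate (hypothetical values).
ALLOWED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Assumed: the address space where the site's own resolvers live.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample of `ipconfig /all` output; the first adapter has been
# pointed at two outside resolvers, the dial-up adapter is still correct.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 10.0.5.17
   DNS Servers . . . . . . . . . . . : 192.0.2.44
                                       192.0.2.45

PPP adapter Dial-up:

   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.1.2.3
   DNS Servers . . . . . . . . . . . : 10.0.0.53
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z ]*?)[ .]*:\s*(.*)$")
# Continuation lines for multi-valued fields are deeply indented bare IPs.
IP_RE = re.compile(r"^\s{20,}(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_ipconfig(text):
    """Return {adapter name: {"dhcp": bool, "dns": [server, ...]}}."""
    adapters = {}
    current = None
    dns_list = None  # list being extended by continuation lines, if any
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {"dhcp": False, "dns": []})
            dns_list = None
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            name, value = m.group(1).strip(), m.group(2).strip()
            if name == "DHCP Enabled":
                current["dhcp"] = value.lower() == "yes"
                dns_list = None
            elif name == "DNS Servers":
                current["dns"] = [value] if value else []
                dns_list = current["dns"]
            else:
                dns_list = None
            continue
        m = IP_RE.match(line)
        if m and dns_list is not None:
            dns_list.append(m.group(1))
    return adapters


def find_suspicious_dns(adapters):
    """Return (adapter, server, dhcp_flag, is_internal) for each resolver
    that is not on the allow-list. An external resolver on an adapter that
    should be getting DNS from DHCP is exactly the hijack described above."""
    findings = []
    for name, info in adapters.items():
        for server in info["dns"]:
            if server in ALLOWED_RESOLVERS:
                continue
            internal = any(ip_address(server) in net for net in INTERNAL_NETS)
            findings.append((name, server, info["dhcp"], internal))
    return findings


if __name__ == "__main__":
    for adapter, server, dhcp, internal in find_suspicious_dns(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(f"{adapter}: unexpected resolver {server} "
              f"(DHCP={'on' if dhcp else 'off'}, internal={internal})")
```

On a real machine you would feed it the output of `ipconfig /all` instead of the sample text and treat any finding as a cue to reset the connection to "Obtain DNS Automatically" and run the scanner, as the e-mail recommends.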
 