Solved

ActiveX Drive-by Installs with ActiveX Permissions Disabled in Internet Zone - Why?

Posted on 2004-08-01
17
1,795 Views
Last Modified: 2008-01-09
Following is the last part of my Setupapi.log.  I caught an ActiveX drive-by download at a website and it appears to have installed due possibly to (Policy=Ignore).  I intentionally set all my ActiveX permissions to Disabled in the Internet Security Zone in Internet Options.  Does anyone know why this was allowed to install?  I think my settings stuck, although it's hard to tell because the selector defaults to Medium and it becomes confusing sometimes as to whether it's set to Medium or wants to reset to Medium.  But I'm reasonably confident they were all Disabled.  Anybody want a new start page hijacker?  I have one I'll give you.



[2004/08/01 12:50:37 1748.1]
#-198 Command line processed: "C:\msinfo.exe"
#-024 Copying file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\v2.dll" to "C:\WINDOWS\Downloaded Program Files\v2.dll".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\v2.dll" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2004/08/01 12:50:38 1748.1]
#-198 Command line processed: "C:\msinfo.exe"
#-024 Copying file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\OSD461.OSD" to "C:\WINDOWS\Downloaded Program Files\OSD461.OSD".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\OSD461.OSD" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2004/08/01 12:50:52 1748.1]
#-198 Command line processed: "C:\msinfo.exe"
#-024 Copying file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\MediaTicketsInstaller.ocx" to "C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\MediaTicketsInstaller.ocx" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2004/08/01 12:50:53 1748.2]
#-198 Command line processed: "C:\msinfo.exe"
#-024 Copying file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\MediaTicketsInstaller.INF" to "C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.INF".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\MediaTicketsInstaller.INF" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2004/08/01 13:46:13 456.118]
#-199 Executing "\??\C:\WINDOWS\system32\winlogon.exe" with command line: winlogon.exe
#-336 Copying file "D:\i386\ctfmon.ex_" to "c:\windows\system32\ctfmon.exe" via temporary file "c:\windows\system32\SET8.tmp".
No signature was present in the subject.
#W187 Install failed, attempting to restore original files.
[2004/08/01 17:49:34 1512.2]
#-199 Executing "C:\WINDOWS\System32\rundll32.exe" with command line: rundll32.exe sti_ci.dll,AddDevice
#-147 Loading class installer module for "Imaging devices".
#W239 The driver signing class list "C:\WINDOWS\INF\certclas.inf" was missing or invalid. Error 1168: Element not found. Assuming all device classes are subject to driver signing policy.
#E360 An unsigned or incorrectly signed file "C:\WINDOWS\System32\sti_ci.dll" for driver "Imaging devices" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
Question by:timothyfryer
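The log excerpt above is the kind of evidence a responder wants to pull out of Setupapi.log systematically: #E361/#E360 records say that Setup API found no Authenticode signature and that the machine's signing policy ("Policy=Ignore") let the file in without a prompt, and a destination under "Downloaded Program Files" (Internet Explorer's ActiveX cache) says the install came through the browser. Note that the policy named in these lines is the Setup API code-signing policy, which is a separate setting from the ActiveX options in the Internet zone, so the log records the signing decision, not the zone decision. The following triage script is an added example, not code from the original post; it embeds a trimmed copy of the question's own log lines as sample input, and the function and field names are this example's own.

```python
"""Triage a Windows XP-era setupapi.log for unsigned code installed under a
silent (Policy=Ignore) signing policy.  Added example; the sample below is a
trimmed copy of the log lines from the question."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = r"""[2004/08/01 12:50:37 1748.1]
#-198 Command line processed: "C:\msinfo.exe"
#-024 Copying file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\v2.dll" to "C:\WINDOWS\Downloaded Program Files\v2.dll".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\v2.dll" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2004/08/01 12:50:52 1748.1]
#-198 Command line processed: "C:\msinfo.exe"
#-024 Copying file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\MediaTicketsInstaller.ocx" to "C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\MediaTicketsInstaller.ocx" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2004/08/01 13:46:13 456.118]
#-199 Executing "\??\C:\WINDOWS\system32\winlogon.exe" with command line: winlogon.exe
#-336 Copying file "D:\i386\ctfmon.ex_" to "c:\windows\system32\ctfmon.exe" via temporary file "c:\windows\system32\SET8.tmp".
No signature was present in the subject.
#W187 Install failed, attempting to restore original files.
[2004/08/01 17:49:34 1512.2]
#-199 Executing "C:\WINDOWS\System32\rundll32.exe" with command line: rundll32.exe sti_ci.dll,AddDevice
#E360 An unsigned or incorrectly signed file "C:\WINDOWS\System32\sti_ci.dll" for driver "Imaging devices" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
"""

# Section header: [YYYY/MM/DD HH:MM:SS pid.tid]
SECTION_RE = re.compile(r'^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\d+\.\d+)\]')
# Process that drove the install, in either of the two forms the log uses.
CMDLINE_RE = re.compile(r'^#-198 Command line processed: "(.*)"$')
EXEC_RE = re.compile(r'^#-199 Executing "([^"]*)" with command line: (.*)$')
# File copies, so an unsigned source path can be mapped to where it landed.
COPY_RE = re.compile(r'^#-(?:024|336) Copying file "([^"]*)" to "([^"]*)"')
# #E361 = non-driver file, #E360 = driver file (carries a 'for driver' clause).
UNSIGNED_RE = re.compile(
    r'^#E36[01] An unsigned or incorrectly signed file "([^"]*)"'
    r'(?: for driver "([^"]*)")? will be installed \(Policy=(\w+)\)')


@dataclass
class Finding:
    timestamp: str
    context: str              # command line of the installing process
    source: str               # path Setup API checked the signature on
    destination: str          # where the file was copied (source if no copy seen)
    policy: str               # Ignore / Warn / Block as logged
    driver: Optional[str]     # device class for #E360 records, else None

    @property
    def in_downloaded_program_files(self) -> bool:
        # IE's ActiveX cache: a strong sign the install came via the browser.
        return "\\downloaded program files\\" in self.destination.lower()


def parse_setupapi(text: str) -> List[Finding]:
    """Return one Finding per unsigned-file install record in the log."""
    findings: List[Finding] = []
    timestamp, context = "?", "?"
    copies: Dict[str, str] = {}   # lower-cased source path -> destination, per section
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            timestamp, context, copies = m.group(1), "?", {}
            continue
        m = CMDLINE_RE.match(line)
        if m:
            context = m.group(1)
            continue
        m = EXEC_RE.match(line)
        if m:
            context = m.group(2)
            continue
        m = COPY_RE.match(line)
        if m:
            copies[m.group(1).lower()] = m.group(2)
            continue
        m = UNSIGNED_RE.match(line)
        if m:
            src, driver, policy = m.groups()
            dest = copies.get(src.lower(), src)
            findings.append(Finding(timestamp, context, src, dest, policy, driver))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts a responder would put at the top of a triage note."""
    return {
        "unsigned_installs": len(findings),
        "silently_installed": sum(1 for f in findings if f.policy == "Ignore"),
        "into_downloaded_program_files": sum(1 for f in findings if f.in_downloaded_program_files),
        "driver_installs": sum(1 for f in findings if f.driver),
    }


if __name__ == "__main__":
    found = parse_setupapi(SAMPLE_LOG)
    for f in found:
        flag = "BROWSER-CACHE" if f.in_downloaded_program_files else "other"
        print(f"{f.timestamp}  Policy={f.policy:<6} {flag:<13} {f.destination}  <- {f.context}")
    print(summarize(found))
```

Run it against a full Setupapi.log by replacing SAMPLE_LOG with the file's contents; anything flagged BROWSER-CACHE with Policy=Ignore is an unsigned control that entered through Internet Explorer without the signing policy objecting, which is the event the question is about.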
17 Comments
 
LVL 4

Assisted Solution

by:Bart van der Wee
Bart van der Wee earned 250 total points
ID: 11690261
Search the archives here: http://www.ntbugtraq.com/default.asp?pid=36&sid=1
And you will see that there are serious issues within IE's 'Security Zones', including one where websites can run in the 'Local Computer' zone.

IMHO - drop IE in favour of ANYTHING else.

Bart


LVL 40

Accepted Solution

by:
Fatal_Exception earned 250 total points
ID: 11690374
I am going to write an email to a friend at MS and see if they can answer this for us...  just hope they are reading their mail, eh..??

LVL 10

Author Comment

by:timothyfryer
ID: 11690520
Yeah, I'm sitting here running Regmon and Filemon and HijackThis and watching this thing recreate the files within a few seconds of HijackThis fixing them.  I think it's running from a service but haven't figured out which one.   Thanks Fatal.
LVL 10

Author Comment

by:timothyfryer
ID: 11696475
Some of the virii were running under the browser process.  No idea how they managed to do that, but a good idea.  The hijacker only runs when the browser is running.  Also found that unchecking hijacker entries in msconfig doesn't remove the corresponding entry in the Run keys, or possibly it does and then they are immediately rewritten without changing the checkbox in msconfig.  Smart virii.
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11699502
the virus writers are the ones getting smart, eh?
LVL 10

Author Comment

by:timothyfryer
ID: 11750226
Did you have any luck with your friend, Fatal?  I went to vanderwee's link and, while I didn't find anything specifically addressing this issue, I may have missed it.  It's still a good resource though.  If you had time to email your buddy, let me know and I'll hold off on awarding points.
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11751893
Have not heard back yet, so....  He might be out on a MS Technet tour, as he speaks at many of these events...  
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11751901
BTW:  I have found that file to be curiously the same in all my XP Pro boxes, so this may be a default behavior...
LVL 10

Author Comment

by:timothyfryer
ID: 11752018
If you're talking about the Policy=Ignore then I'm not sure that's good.  One thought I had was that it might be related to the same policy you set when installing non-WHQL-certified devices, though it doesn't make sense that it would.  The other thing I noticed was that when I check my Advanced tab in Internet Options, both Install on Demand options were checked, which I don't think I checked.  Either I overlooked it, or possibly I invoked Reset Web Settings under Programs and that's the default position.  What I don't know is which takes precedence over the other.  Would having Install on Demand active in the Advanced tab override any restrictions in the Internet Zone?  Kind of like power options, too many places to set the same thing.
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11752180
Hmm.   I would think the opposite to be true, that your security zones would take precedence..  a good question though...
LVL 10

Author Comment

by:timothyfryer
ID: 11752316
Well, SP2 is supposed to hit this week so maybe all my MS paranoia will be proven wrong, I hope.  I probably won't upgrade right away though; I'm not running SP1 right now, but if SP2 turns out to be something, I might go for it.  Every time I put on SP1, the comp runs terrible, and while there are patches down the road that fix it, it seems the comp runs best right from the install disk.  I know I don't have all the security patches but I kind of doubt any would cover something like this anyway.  Most of the patches seem to address buffer overflows in various programs.  Funny, every time I run Regmon, I see buffer overflows.  Comforting thought.
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11756202
ha...  I have a quick tour of what SP2 will break and what it contains..  not lengthy, but you are welcome to read it:

http://65.24.134.81/KipSolutions/SP2/SP2.htm
LVL 10

Author Comment

by:timothyfryer
ID: 11756435
Oh Goody, WHQL for applications with buffer overflows.  I'm sure it will include my favorite apps.  Well, maybe I won't put it on.  Is KipSolutions your outfit?  I checked the web page, looks good.
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11756556
I am one of the principals in KIP, and acting CIO.  It is primarily an educational company, but we also offer support services too.  

The website is mine along with all the content, and as you can tell, it is running out of my house on a W2K3 server, using only my IP address.  (too cheap to go with a static address, even though I do have several domain names registered with my various companies)  I am putting up the content to help our KIP end users, although my counterparts at KIP think that I am writing over our customers' heads..  lol, eh?  How can you dumb it down any further, I ask?    Sometimes I wonder...  :)

FE
LVL 10

Author Comment

by:timothyfryer
ID: 11756656
Looks good.  Maybe you should do a daily editorial to get a reader following.  Might help expand business.
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11757144
haha...  Maybe I should hire you to do it for me, eh?  Do any of us really have the time?  :)
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12005451
Thanks Tim..  If I ever get that email response, I will post back here with it..  In fact, I will just email it to you also..  Going to send it off again, in the hopes that they get a chance to read and respond.

FE