ActiveX Drive-by Installs with ActiveX Permissions Disabled in Internet Zone: Why?

Following is the last part of my Setupapi.log.  I caught an ActiveX drive-by download at a website and it appears to have installed due possibly to (Policy=Ignore).  I intentionally set all my ActiveX permissions to Disabled in the Internet Security Zone in Internet Options.  Does anyone know why this was allowed to install?  I think my settings stuck although it's hard to tell because the selector defaults to Medium and it becomes confusing sometimes as to whether it's set to Medium or wants to reset to Medium.  But I'm reasonably confident they were all Disabled.  Anybody want a new start page hijacker?  I have one I'll give you.



[2004/08/01 12:50:37 1748.1]
#-198 Command line processed: "C:\msinfo.exe"
#-024 Copying file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\v2.dll" to "C:\WINDOWS\Downloaded Program Files\v2.dll".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\v2.dll" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2004/08/01 12:50:38 1748.1]
#-198 Command line processed: "C:\msinfo.exe"
#-024 Copying file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\OSD461.OSD" to "C:\WINDOWS\Downloaded Program Files\OSD461.OSD".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\OSD461.OSD" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2004/08/01 12:50:52 1748.1]
#-198 Command line processed: "C:\msinfo.exe"
#-024 Copying file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\MediaTicketsInstaller.ocx" to "C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\MediaTicketsInstaller.ocx" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2004/08/01 12:50:53 1748.2]
#-198 Command line processed: "C:\msinfo.exe"
#-024 Copying file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\MediaTicketsInstaller.INF" to "C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.INF".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\MediaTicketsInstaller.INF" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2004/08/01 13:46:13 456.118]
#-199 Executing "\??\C:\WINDOWS\system32\winlogon.exe" with command line: winlogon.exe
#-336 Copying file "D:\i386\ctfmon.ex_" to "c:\windows\system32\ctfmon.exe" via temporary file "c:\windows\system32\SET8.tmp".
No signature was present in the subject.
#W187 Install failed, attempting to restore original files.
[2004/08/01 17:49:34 1512.2]
#-199 Executing "C:\WINDOWS\System32\rundll32.exe" with command line: rundll32.exe sti_ci.dll,AddDevice
#-147 Loading class installer module for "Imaging devices".
#W239 The driver signing class list "C:\WINDOWS\INF\certclas.inf" was missing or invalid. Error 1168: Element not found. Assuming all device classes are subject to driver signing policy.
#E360 An unsigned or incorrectly signed file "C:\WINDOWS\System32\sti_ci.dll" for driver "Imaging devices" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
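A small scanner for this kind of Setupapi.log excerpt, added here as an example and not part of the original thread: it pulls out every #E360/#E361 unsigned-install line together with its Policy value and flags the ones whose preceding #-024 copy landed in IE's Downloaded Program Files folder, which is where the controls in the question ended up. The log text inside it is a constructed sample modelled on the excerpt above, not the poster's full log.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the setupapi.log excerpt from the question.
SAMPLE_LOG = r"""[2004/08/01 12:50:37 1748.1]
#-024 Copying file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\v2.dll" to "C:\WINDOWS\Downloaded Program Files\v2.dll".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\v2.dll" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2004/08/01 12:50:52 1748.1]
#-024 Copying file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\MediaTicketsInstaller.ocx" to "C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\MediaTicketsInstaller.ocx" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2004/08/01 17:49:34 1512.2]
#E360 An unsigned or incorrectly signed file "C:\WINDOWS\System32\sti_ci.dll" for driver "Imaging devices" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [\d.]+\]")
COPY = re.compile(r'^#-024 Copying file "([^"]+)" to "([^"]+)"')
UNSIGNED = re.compile(r'^#(E36[01]) An unsigned or incorrectly signed file "([^"]+)".*\(Policy=(\w+)\)')
IE_CACHE = "\\downloaded program files\\"   # IE's ActiveX control cache folder

@dataclass
class Finding:
    when: str                   # timestamp of the enclosing log section
    code: str                   # E361 = plain file, E360 = driver file
    source: str                 # file that failed signature verification
    destination: Optional[str]  # from the preceding #-024 copy line, if any
    policy: str                 # Ignore / Warn / Block as logged
    from_browser: bool          # destination is IE's ActiveX cache

def scan_setupapi_log(text: str) -> list:
    """Return every unsigned-file install recorded in a setupapi.log excerpt."""
    findings, when, last_copy = [], "", None
    for line in text.splitlines():
        if m := HEADER.match(line):
            when, last_copy = m.group(1), None   # new section: forget old copy
        elif m := COPY.match(line):
            last_copy = m.groups()               # (source, destination)
        elif m := UNSIGNED.match(line):
            code, src, policy = m.groups()
            dest = last_copy[1] if last_copy and last_copy[0] == src else None
            findings.append(Finding(when, code, src, dest, policy,
                                    IE_CACHE in (dest or "").lower()))
    return findings

if __name__ == "__main__":
    for f in scan_setupapi_log(SAMPLE_LOG):
        tag = "BROWSER-DELIVERED" if f.from_browser else "other"
        print(f"{f.when} {f.code} Policy={f.policy} [{tag}] {f.source}")
```

Run it against a real Setupapi.log instead of SAMPLE_LOG to get a timeline of every unsigned install the signing policy waved through, with the browser-cache ones called out.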
timothyfryer asked:
Fatal_Exception commented:
I am going to write an email to a friend at MS and see if they can answer this for us...  just hope they are reading their mail, eh..??

Bart van der Wee commented:
Search the archives here: http://www.ntbugtraq.com/default.asp?pid=36&sid=1
And you will see that there are serious issues within IE's 'Security Zones', including one where websites can run in the 'local computer' zone.

IMHO - drop IE in favour of ANYTHING else.

Bart


timothyfryer (author) commented:
Yeah, I'm sitting here running regmon and filemon and hijackthis and watching this thing recreate the files within a few seconds of hijackthis fixing them.  I think it's running from a service but haven't figured out which one.   Thanks Fatal.
timothyfryer (author) commented:
Some of the virii were running under the browser process.  No idea how they managed to do that but a good idea.  Hijacker only runs when browser is running.  Also found that unchecking hijacker entries in msconfig doesn't remove the corresponding entry in the run keys or possibly it does and then they are immediately rewritten without changing the checkbox in msconfig.  Smart virii.  
Fatal_Exception commented:
the virus writers are the ones getting smart, eh?
timothyfryer (author) commented:
Did you have any luck with your friend Fatal?  I went to vanderwee's link and while I didn't find anything specifically addressing this issue, I may have missed it.  It's still a good resource though.  If you had time to email your buddy, let me know and I'll hold off on awarding points.
Fatal_Exception commented:
Have not heard back yet, so....  He might be out on an MS TechNet tour, as he speaks at many of these events...
Fatal_Exception commented:
BTW:  I have found that file to be curiously the same in all my XP Pro boxes, so this may be a default behavior...
timothyfryer (author) commented:
If you're talking about the Policy=Ignore then I'm not sure that's good.  One thought I had was that it might be related to the same policy you set when installing non-WHQL-certified devices, though it doesn't make sense that it would.  The other thing I noticed was that when I check my Advanced tab in Internet Options, both Install on Demand options were checked, which I don't think I checked.  Either I overlooked it, or possibly I invoked Reset Web Settings under Programs and that's the default position.  What I don't know is which takes precedence over the other.  Would having Install on Demand active in the Advanced tab override any restrictions in the Internet Zone?  Kind of like power options, too many places to set the same thing.
Fatal_Exception commented:
Hmm.   I would think the opposite to be true, that your security zones would take precedence..  a good question though...
timothyfryer (author) commented:
Well, SP2 is supposed to hit this week so maybe all my MS paranoia will be proven wrong, I hope.  I probably won't upgrade right away though; I'm not running SP1 right now but if SP2 turns out to be something, I might go for it.  Every time I put on SP1, the comp runs terribly and while there are patches down the road that fix it, it seems the comp runs best right from the install disk.  I know I don't have all the security patches but I kind of doubt any would cover something like this anyway.  Most of the patches seem to address buffer overflows in various programs.  Funny, every time I run regmon, I see buffer overflows.  Comforting thought.
Fatal_Exception commented:
ha...  I have a quick tour of what SP2 will break and what it contains..  not lengthy, but you are welcome to read it:

http://65.24.134.81/KipSolutions/SP2/SP2.htm
timothyfryer (author) commented:
Oh Goody, WHQL for applications with buffer overflows.  I'm sure it will include my favorite apps.  Well, maybe I won't put it on.  Is KipSolutions your outfit?  I checked the web page, looks good.
Fatal_Exception commented:
I am one of the principals in KIP, and acting CIO.  It is primarily an educational company, but we also offer support services too.  

The website is mine along with all the content, and as you can tell, it is running out of my house on a W2K3 server, using only my IP address.  (Too cheap to go with a static address, even though I do have several domain names registered with my various companies.)  I am putting up the content to help our KIP end users, although my counterparts at KIP think that I am writing over our customers' heads..  lol, eh?  How can you dumb it down any further, I ask?    Sometimes I wonder...  :)

FE
timothyfryer (author) commented:
Looks good.  Maybe you should do a daily editorial to get a reader following.  Might help expand business.
Fatal_Exception commented:
haha...  Maybe I should hire you to do it for me, eh?  Do any of us really have the time?  :)
Fatal_Exception commented:
Thanks Tim..  If I ever get that email response, I will post back here with it..  In fact, I will just email it to you also..  Going to send it off again, in the hopes that they get a chance to read and respond.

FE