My AntiSpyware

Free antispyware software, Online Scanners, Instructions on how to remove spyware and malware.

A popular way to push exploits to your PC

Myantispyware team, June 5, 2006

Hidden IFrame elements continue to be a popular way for targeting website visitors. After breaking into a server, the attacker modifies its HTML code, using a hidden IFrame tag to retrieve exploit code from another system. Maintainers of the compromised website typically don’t know that they are infecting their visitors for quite some time.

ISC reader Glenn Jarvis reported a website that installs a malicious executable in the temporary folder of the victim’s system. A look at the source code of the website’s top page revealed a tiny IFrame tag that retrieved another page from a remote server. The size of the in-line frame is 1 pixel by 1 pixel, so it is not visible to the visitor of the site unless the person looks at the source code.
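A check a site maintainer could run over their own pages to catch this kind of injection, as an added example that is not part of the original report: it flags IFrame tags that are invisible (tiny or hidden by inline style) and load from a host other than the site's own. The host names, the sample page and the 2-pixel threshold are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY_PX = 2  # assumed threshold: frames this small or smaller count as invisible

def _px(value):
    """Pixel count of a bare or px-suffixed dimension, else None (e.g. '100%')."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "", re.I)
    return int(m.group(1)) if m else None

class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are invisible AND load from another host."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (line, remote host, reason)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").lower().replace(" ", "")
        dims = [_px(a.get("width")), _px(a.get("height"))]
        for prop in ("width", "height"):  # inline CSS can also shrink the frame
            m = re.search(r"(?:^|;)%s:(\d+)(?:px)?(?:;|$)" % prop, style)
            dims.append(int(m.group(1)) if m else None)
        tiny = any(d is not None and d <= TINY_PX for d in dims)
        hidden = "display:none" in style or "visibility:hidden" in style
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if (tiny or hidden) and host and host != self.site_host:
            self.findings.append((self.getpos()[0], host, "tiny" if tiny else "hidden"))

def find_hidden_iframes(html, site_host):
    finder = HiddenIframeFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page for a site served from www.example.com
SAMPLE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://stats.example.net/index.html" width="1" height="1"></iframe>
<iframe src="/local/banner.html" width="468" height="60"></iframe>
<iframe src="http://video.example.org/embed" width="560" height="315"></iframe>
<iframe src="//cdn.example.net/x" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, host, why in find_hidden_iframes(SAMPLE, "www.example.com"):
        print(f"line {line}: {why} iframe loads from {host}")
```

Legitimate widgets sometimes use small or hidden frames too, so a finding is a prompt to compare the page against its last known-good copy, not proof of compromise.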

The remote server’s index.html file contained JavaScript code that attempted to exploit a recent Internet Explorer vulnerability to download, install, and run a malicious executable on the website visitor’s computer. The executable was recognized by about half of anti-virus tools as a spyware trojan, and was assigned names such as Downloader-ASQ, TR/Spy.Small.EE.2, Win32/SillyDL.2fy, Trojan.Spy.Win32.Small, and Downloader.

The exploit itself targeted a vulnerability that was patched in the update to Internet Explorer that Microsoft released on April 11, 2006. Microsoft Security Bulletin MS06-014 briefly describes the problem:

Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)

A remote code execution vulnerability exists in the RDS.Dataspace ActiveX control that is provided as part of the ActiveX Data Objects (ADO) and that is distributed in MDAC. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Cumulative Security Update for Internet Explorer (912812), which was also released on April 11th, according to Microsoft Security Bulletin MS06-013, strengthens security settings for the Internet zone on Internet Explorer. These settings render the exploit ineffective even if the potential victim did not apply the 911562 patch referenced above. The cumulative update sets the following settings to Disable:

  • Initialize and script ActiveX controls not marked as safe for scripting
  • Access data sources across domains

The exploit we observed operates by instantiating a series of objects, including Microsoft.XMLHTTP, Adodb.Stream, and WScript.Shell. When looking for correlating activities related to this exploit, we came across web forum discussions that suggest that this exploit existed as early as April 26th, two weeks after the release of Microsoft’s patch.

To protect your PC:

If you can't install Cumulative Security Update for Internet Explorer (912812), do the following: run Internet Explorer, click Tools, choose Internet Options…, click the Security tab, click the Custom Level button, set Initialize and script ActiveX controls not marked as safe for scripting to Disable, set Access data sources across domains to Disable, click OK, then click OK again.
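To confirm the two settings took effect without clicking through the dialog, the Internet zone can be exported from the registry and checked. The following is an added example, not part of the original article: it assumes the standard Internet Explorer zone layout (Internet zone stored under Zones\3, URL action 1201 for the ActiveX setting, 1406 for cross-domain data access, value 3 meaning Disable), none of which is stated on this page, and it runs on a constructed export of a single user's hive.

```python
import re

# URL action IDs for the two settings named above (assumed, not from the page)
REQUIRED = {
    "1201": "Initialize and script ActiveX controls not marked as safe for scripting",
    "1406": "Access data sources across domains",
}
DISABLE = 3  # zone policy value that corresponds to "Disable"
INTERNET_ZONE = r"\internet settings\zones\3"

def audit_zone_export(reg_text):
    """Return {action_id: (current_value_or_None, is_disabled)} for the Internet zone."""
    current, in_zone = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Section header: only values under ...\Zones\3 are of interest
            in_zone = line.rstrip("]").lower().endswith(INTERNET_ZONE)
            continue
        m = re.fullmatch(r'"(\w+)"=dword:([0-9a-fA-F]{8})', line)
        if in_zone and m:
            current[m.group(1)] = int(m.group(2), 16)
    # A missing value is reported as None and treated as not confirmed
    return {k: (current.get(k), current.get(k) == DISABLE) for k in REQUIRED}

# Constructed sample export: zone 2 is hardened, zone 3 only partly
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1201"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1201"=dword:00000001
"1406"=dword:00000003
"""

if __name__ == "__main__":
    for action, (value, ok) in audit_zone_export(SAMPLE_REG).items():
        state = "OK" if ok else "NOT DISABLED"
        print(f"{action} ({REQUIRED[action]}): value={value} -> {state}")
```

Exports written by regedit are UTF-16 encoded, so decode the file accordingly before passing its text to the function.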

For more protection, read the howto: How to drop rights for safe surf


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
