From http://www.nsclean.com/psc-htas.html
HTA DOWNLOAD EXPLOIT
SYNOPSIS:
On July 28th 2003, the team at spywareinfo.com discovered a new means of exploit involving a program called "WINMAIN.EXE," which has been rapidly disseminating onto the computers of innocent victims. The source of this file is currently unknown, though it appears to be rampant, likely placed onto machines as one of those "hijacker/adware" packages. Normally such programs are at worst a privacy issue or an annoyance. However, this event portends an entirely new method of attack against machines: the offending executable activates a particularly dangerous piece of Internet Explorer, which then runs throughout an entire Windows session and does not possess the ability to distinguish the source of the scripts it will run. This exposes a serious new risk to all machines. This particular exploit drops a file named "C:\WINLOG.HTML," which can be located, but future exploits will be able to generate other files with other names. This exploit is merely the opening salvo in what we expect to be a whole new approach to trojans.
"Winmain.exe," the first discovered version of "HTASPLOIT" was apparently loaded as "spyware" on numerous machines, most likely installed along with "freeware" or "shareware trial" software since the economics of software has gravitated towards the installation of advertising software in order to compensate for the use of "free software". While this practice has provided software at no cost in exchange for the sufferance of advertising and popups to the end user, the advertising software which places advertising on the end user's screen has been an annoyance, and at worst, a privacy violation in exchange for the use of that "free software." Winmain ("HTASPLOIT") presents a far more serious threat.
HTASPLOIT goes beyond advertising "downloaders" (commonly classified by antiviruses as "DLOADER trojan") into a whole new realm of risk. HTASPLOIT functions by automatically loading Microsoft's extremely dangerous "MSHTA.EXE" program, otherwise known as "HyperText Application" interpreter. THIS time, the malware is MICROSOFT, and no firewall or antivirus will block MSHTA.EXE! "Winmain" immediately loads MSHTA.EXE from the Windows folder and places it on "hot standby" ... at this point, once it's confirmed to be running, "winmain" exits. MSHTA, once started, runs for the rest of the system session until Windows itself is completely shut down. On system startup, it is automatically run again each time Windows reboots.
This "winmain" program is starting up MSHTA, ready to ACCEPT HTA scripting within a web page and then EXECUTE what is embedded in ANY web page containing VBScript in the form of HTA coded page as a PROGRAM. In most circumstances, the web-based script can be turned INTO an EXE file and saved to the victim's machine. While Microsoft has, since our raising of this issue along with "Guninski" back in 2001, disconnected MSHTA from being INVOKED by Internet Explorer, it will STILL run what is presented to it when started on a local machine in the "local machine" or "my computer zone" as a TRUSTED APPLICATION ORIGINATING FROM A TRUSTED SITE since this is done on some corporate networks for the convenience of the "glass room geeks." In other words, this completely bypasses the security zone structures and patches of Internet Explorer BECAUSE MSHTA is ALREADY RUNNING in the "local" zone ... therefore, when presented with script, it will parse it and run it, despite any firewall, and/or IE restrictions.
Back at the time of the release of the EXE2HTML exploit, Microsoft had IE set so that the PRESENCE of the object call in a web page would INVOKE MSHTA.EXE ... their "solution" was to remove the ability to invoke it without a warning screen. However, if it's ALREADY RUNNING, then no such warning will occur and MSHTA will then replace all those pesky "downloaders" that get caught by AV's, thus making the ability to silently download to a victim computer a CINCH. What has occurred here is a BRAND NEW direction by the spies! And one that's two years old and previously unused. And a CLEVER way of pulling it all together without any alarms from firewalls, antiviruses, or other security software since a Microsoft function is at the heart of this exploit.
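The behaviour described above leaves three traces a defender can look for: a startup entry for "winmain.exe," the dropped "C:\WINLOG.HTML," and an MSHTA.EXE process whose parent has already exited. The following triage sketch is an added example, not Privacy Software Corporation's code; the snapshot records are constructed, and since the advisory does not say where winmain.exe is installed or which startup mechanism it uses, those paths and entry names are assumptions.

```python
import re

# Indicators named in the advisory; matching is by file name only.
DROPPER_NAME = "winmain.exe"
DROPPED_FILE = r"c:\winlog.html"
HTA_HOST = "mshta.exe"

def image_name(command):
    """Lower-cased executable name from a path or quoted command line."""
    m = re.search(r'([^\\/"]+?\.exe)(?=["\s]|$)', command, re.I)
    return m.group(1).lower() if m else ""

def triage(processes, autoruns, files):
    """Return (finding, subject) pairs for the traces the advisory describes."""
    findings = []
    live = {p["pid"] for p in processes}
    for p in processes:
        name = image_name(p["image"])
        if name == DROPPER_NAME:
            findings.append(("dropper-running", p["pid"]))
        # winmain starts MSHTA and then exits, so the HTA host is left with
        # a parent PID that is no longer alive. Heuristic only: Windows can
        # reuse PIDs, so confirm with process start times where available.
        if name == HTA_HOST and p["ppid"] not in live:
            findings.append(("orphaned-mshta", p["pid"]))
    for entry in autoruns:
        if image_name(entry["command"]) == DROPPER_NAME:
            findings.append(("dropper-autorun", entry["name"]))
    for path in files:
        if path.lower() == DROPPED_FILE:
            findings.append(("dropped-file", path))
    return findings

# Constructed sample snapshot (hypothetical PIDs, entry names and paths).
SAMPLE_PROCESSES = [
    {"pid": 4, "ppid": 0, "image": "System"},
    {"pid": 1180, "ppid": 1024, "image": r"C:\WINDOWS\explorer.exe"},
    {"pid": 2312, "ppid": 1996, "image": r"C:\WINDOWS\system32\mshta.exe"},
]
SAMPLE_AUTORUNS = [
    {"name": "Updater", "command": r'"C:\Program Files\App\update.exe" -tray'},
    {"name": "winmain", "command": r"C:\WINDOWS\winmain.exe"},
]
SAMPLE_FILES = [r"C:\AUTOEXEC.BAT", r"C:\WINLOG.HTML"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESSES, SAMPLE_AUTORUNS, SAMPLE_FILES):
        print(finding)
```

An MSHTA.EXE process started normally from a still-running parent is not flagged, so the orphan check is a lead for further inspection rather than a verdict.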
"Winmain" is covered in BOClean as "HTASPLOIT," and for those who are using our IEClean product, this problem has been a NON-issue for over two years now. However, since many folks AREN'T using IEClean, we made a FREEBIE available back in April of 2001 called "HTAstop" ... it WILL prevent MSHTA from functioning. HTAstop is a solution for THIS problem, but is limited to JUST this one. Details of how "HTA" works can be examined here in the Microsoft MSDN library information, which explains HTA in detail:
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/hta/overview/htaoverview.asp
SOLUTION:
Privacy Software Corporation has made available a FREE program called "HTAstop" which will permit the complete shutdown of the HTA aspect of the Windows Scripting Host at whim and also permit it to be turned on again if needed. We encourage our customers to download this program and have notified our existing BOClean customers on our list server of its availability.
You can download a free copy of "HTAstop" HERE. The program should be saved to your desktop. No installation or uninstall is required; the program will run as soon as it is saved, and removal, if you desire, is accomplished by simply deleting the file. There are no other components to the program.
Support and instructions for HTAstop can be found on our page at: http://www.nsclean.com/htastop.html
COPYRIGHTED MATERIAL:
Copyright (c) 2001, 2003 by Privacy Software Corporation.