html used ADODB.Stream to download and run arbitrary files
on the computer that browsed to the web page hosting the exploit. The Download.Ject
attack further attempted to propagate itself by looking for HTML files on the compromised
system and appending attack code to the footer of every page. It was an elaborate
attack run by Russian cybercriminals, who used it to harvest credit card numbers
and usernames and passwords via keyloggers. The malware side of this attack is
particularly interesting; you can read more about it on the sites listed in the references.
So, a short recap of the Ibiza and Download.Ject attacks:
• An unsuspecting user's web browser visits an untrusted page in the Internet zone.
• The attacker abuses a cross-zone vulnerability in the mhtml: protocol handler,
which causes the attacker's HTML page to load into the Local Machine zone.
• From the Local Machine zone, the attacker uses the ADODB.Stream ActiveX
control to download and run malware.
This attack required discovering a vulnerability in how the protocol handler worked, nothing more.
There was no buffer overrun involved, no shellcode, and no tricks at the assembly level to
redirect execution flow.
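Because the recap above names exactly two indicators, the mhtml: protocol handler and the ADODB.Stream control, and because Download.Ject propagated by appending code to the footer of every HTML file it could find, a responder cleaning a compromised web server can look for both. The following scanner is an added example written for this page, not code from the book or from the Download.Ject analyses it references; the sample pages are constructed, the ActiveXObject pattern is an extra indicator assumed here (it is how script instantiates a ProgID in Internet Explorer), and treating everything after the last </html> as "the footer" is an assumption about where the appended code lands.

```python
"""Scan HTML files for Download.Ject-style footer injection.

Added example (not from the book): looks for the indicators the text names,
the mhtml: protocol handler and the ADODB.Stream ProgID, and flags content that
has been appended after the closing </html> tag. Sample pages are constructed.
"""
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Indicators named in the text, plus ActiveXObject (an assumption added here:
# it is how script instantiates a ProgID such as ADODB.Stream in IE).
INDICATORS = {
    "mhtml_handler": re.compile(r"\bmhtml:", re.I),
    "adodb_stream": re.compile(r"ADODB\.Stream", re.I),
    "activex_ctor": re.compile(r"ActiveXObject\s*\(", re.I),
}

CLOSE_HTML = re.compile(r"</html\s*>", re.I)
SCRIPT_TAG = re.compile(r"<script\b", re.I)


def split_at_footer(html: str) -> Tuple[str, str]:
    """Return (document, trailing); trailing is whatever follows the last </html>.

    Assumption: the worm appended its payload after the page proper, so anything
    past the final </html> is treated as the injected footer.
    """
    last = None
    for m in CLOSE_HTML.finditer(html):
        last = m
    if last is None:
        return html, ""
    return html[: last.end()], html[last.end():]


def scan_html(html: str) -> Dict[str, object]:
    """Classify one page: clean, suspicious, trailing-script, or footer-injection."""
    _document, trailing = split_at_footer(html)
    hits = sorted(name for name, pat in INDICATORS.items() if pat.search(html))
    footer_hits = sorted(name for name, pat in INDICATORS.items() if pat.search(trailing))
    footer_script = bool(SCRIPT_TAG.search(trailing))
    if footer_hits or (footer_script and hits):
        verdict = "footer-injection"      # indicators sit in the appended footer
    elif hits:
        verdict = "suspicious"            # indicators present, but in the page body
    elif footer_script:
        verdict = "trailing-script"       # unknown script after </html>; review it
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "indicators": hits,
        "footer_indicators": footer_hits,
        "trailing_bytes": len(trailing),
    }


def scan_tree(root: Path, suffixes=(".htm", ".html")) -> List[Dict[str, object]]:
    """Walk a directory the way the worm did, but only to report, never to modify."""
    results = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            result = scan_html(path.read_text(errors="replace"))
            result["path"] = str(path)
            results.append(result)
    return results


# Constructed sample pages (not real Download.Ject payloads).
CLEAN_PAGE = """<html><head><title>Store</title></head>
<body><p>Welcome to our store.</p></body></html>
"""

INFECTED_PAGE = CLEAN_PAGE + """<script>
// constructed stand-in for the appended footer code
var u = "mhtml:file://C:\\\\payload.mht!http://attacker.invalid/x.html";
var s = new ActiveXObject("ADODB.Stream");
</script>
"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, scan_html(page))
```

Run scan_tree on the web root of a suspect server; a "footer-injection" verdict on many files at once is the propagation pattern the text describes, while a lone "suspicious" hit deserves a look at the page body before you decide anything.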
References
Download.Ject malware story www.