Telecom and Logistics Associates 

Security NEWs Service: TLAnews


4.6.2000 Security: StealthBomb Attack Code
A new attack technique has surfaced that allows hackers to deliver and install any file on a target computer with no user interaction other than viewing an e-mail or Web page. 



Threat Level: Medium


OVERVIEW
A new attack technique has surfaced that allows hackers to deliver and install any file on a target computer with no user interaction other than viewing an e-mail or Web page.  Finjan Software researchers have dubbed this attack "StealthBomb" for its ability to deliver a payload completely undetected.  All Windows 9x/NT/2000 platforms are vulnerable.  StealthBomb instructions have recently surfaced on several hacking sites and bulletin boards.  Due to its public distribution on the Internet, Finjan believes this to be a real and significant threat to all PC users.  Finjan Software has contacted Microsoft regarding this attack code and is recommending that you take precautionary actions to minimize your exposure to the StealthBomb attack.

DESCRIPTION
The StealthBomb attack uses a combination of known Internet Explorer vulnerabilities coupled with an unsecured local Microsoft Windows Media Player ActiveX control.  All Windows 9x/NT/2000 default installations are currently vulnerable to StealthBomb attacks.

A StealthBomb is a Trojan .eml or .nws file with two hidden files embedded - a trigger file (help file: .chm) and a payload file (any file extension).  Upon viewing the StealthBomb from a Web browser or e-mail client, both embedded files are loaded automatically into the default temp directory.  A simple script in the StealthBomb then initiates the trigger file, which in turn invokes the payload file to execute.

Hackers can use a StealthBomb to automatically deliver any Trojan, worm or malicious attack to unsuspecting victims through a Web page or e-mail.  The victim is not required to open any attachment or click on any link.  StealthBomb will deliver its payload in Outlook and Outlook Express in preview mode - the e-mail does not have to be opened.  There are several variations of the StealthBomb that can be easily created with the instruction set circulating on the Web.  Finjan has performed extensive testing and found the following system configurations to be vulnerable:
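The description above names the two ingredients a mail gateway or desktop filter can look for before a message ever reaches a preview pane: a file part with a .chm help-file name and an HTML body that carries script. The following Python script is an added example, not code from the advisory or from Finjan; it walks the MIME structure of an .eml/.nws message and flags both. The message it scans is constructed inline, and every extension in the list other than .chm is this example's own assumption about common payload types.

```python
"""Triage an .eml/.nws message for the ingredients described above.

Added example (not Finjan's code and not part of the advisory). It walks the
MIME structure of a message and flags two things: file parts whose names end in
.chm (the trigger type the advisory names) or in an executable extension
(assumed list), and HTML bodies that carry active-content tags. The sample
message is constructed inline so the script runs offline.
"""
import email
import os
import re
from email import policy
from email.message import EmailMessage

# .chm comes from the advisory; the remaining extensions are an assumed list of
# file types a dropped payload commonly takes.
RISKY_EXTENSIONS = {".chm", ".exe", ".com", ".scr", ".pif", ".bat", ".vbs", ".js", ".hta"}

# Tags that make an HTML body "active" rather than plain markup.
ACTIVE_CONTENT = re.compile(r"<\s*(script|object|embed|applet)\b", re.IGNORECASE)


def part_filename(part):
    """Filename from Content-Disposition, falling back to the Content-Type name param."""
    return part.get_filename() or part.get_param("name")


def scan_message(raw):
    """Return a list of findings for one raw RFC 822 message; empty means nothing flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        name = part_filename(part)
        if name and os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS:
            # An inline disposition is worth recording: the client may render it
            # without the user ever seeing an attachment icon.
            disp = part.get_content_disposition() or "none"
            findings.append(f"risky file {name!r} ({ctype}, disposition={disp})")
        if ctype == "text/html" and ACTIVE_CONTENT.search(part.get_content()):
            findings.append("HTML body contains active content tags")
    return findings


def build_sample():
    """Constructed sample: HTML mail with an inline .chm part and an .exe attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample message"
    msg.set_content("plain-text fallback")
    msg.add_alternative(
        "<html><body><p>hello</p><script>/* placeholder */</script></body></html>",
        subtype="html",
    )
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="trigger.chm", disposition="inline")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="payload.exe")
    return msg.as_bytes()


def build_clean_sample():
    """Constructed sample with no attachments and no active HTML."""
    msg = EmailMessage()
    msg["Subject"] = "constructed clean message"
    msg.set_content("just text")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in scan_message(build_sample()):
        print(line)
```

Run against the constructed sample, the script reports the active HTML body, the inline trigger.chm part and the payload.exe attachment; the clean sample produces no findings. The filename is taken from Content-Disposition first and from the Content-Type name parameter second, because a filter that checks only one of the two can be bypassed by a message that sets the other.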

VULNERABLE SYSTEM CONFIGURATIONS:
Win 9x/NT/2000 with Internet Explorer 5.0 installed (IE 5.0 must be installed, but does not have to be running for the e-mail client attack scenario)

VULNERABLE E-MAIL CLIENTS:
Microsoft Outlook Express 5.0
Microsoft Outlook 98
Microsoft Outlook 2000

VULNERABLE BROWSERS:
Microsoft Internet Explorer 5.0

* Eudora, Netscape and Lotus Notes e-mail clients are not susceptible to a StealthBomb attack

PROTECTION
Users can take the following precautions to safeguard themselves from a StealthBomb attack:

1) Change the location of your Windows temp directory - this will keep a StealthBomb from successfully delivering its payload.
2) Set browser security settings to "High" - this will interrupt some variations of a StealthBomb, or at least make them less transparent.
3) Disable Active Scripting - this will interrupt some variations of StealthBomb.
4) Uninstall Windows Media Player.
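Precautions 2 and 3 are Internet Explorer zone settings, and the description singles out an ActiveX control, so an administrator will want to verify both the scripting and the ActiveX state of the Internet zone rather than trust that the dialog was set. The following Python script is an added example, not from the advisory, Finjan or Microsoft. The registry path, the action ids 1400 (Active scripting) and 1200 (Run ActiveX controls and plug-ins), and the state encoding 0 = enable, 1 = prompt, 3 = disable are this example's assumptions based on the documented IE zone layout; the winreg module exists only on Windows, so the evaluation logic also runs on constructed values elsewhere.

```python
"""Audit the Internet Explorer Internet zone for precautions 2 and 3.

Added example, not from the advisory or from Finjan/Microsoft. On Windows it
reads the Internet zone (zone id 3) action values from the registry and
compares them with the "disable" state; on other platforms the same
evaluation runs on a dictionary of constructed values. The registry path,
action ids and state encoding are assumptions of this example.
"""
ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
INTERNET_ZONE = "3"

# Action ids (DWORD value names under the zone key) and the setting each controls.
CHECKS = {
    "1400": "Active scripting",
    "1200": "Run ActiveX controls and plug-ins",
}
# Action states as stored in the DWORD: 0 = enable, 1 = prompt, 3 = disable.
STATE_NAMES = {0: "enable", 1: "prompt", 3: "disable"}
DISABLE = 3


def audit_zone(values):
    """Return findings for one zone given {value_name: dword}; empty means hardened."""
    findings = []
    for action, label in CHECKS.items():
        state = values.get(action)
        if state is None:
            # A missing value means the zone template default applies, which for
            # the Internet zone is not "disable"; treat it as a finding.
            findings.append(f"{label}: no explicit value (zone template default applies)")
        elif state != DISABLE:
            findings.append(f"{label}: {STATE_NAMES.get(state, state)} (want disable)")
    return findings


def read_zone_values(zone=INTERNET_ZONE, hive_name="HKCU"):
    """Read the checked values from the registry; None when winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return None
    hive = winreg.HKEY_CURRENT_USER if hive_name == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    values = {}
    with winreg.OpenKey(hive, ZONES_KEY + "\\" + zone) as key:
        for action in CHECKS:
            try:
                data, _kind = winreg.QueryValueEx(key, action)
                values[action] = data
            except FileNotFoundError:
                pass  # value absent: audit_zone reports it
    return values


if __name__ == "__main__":
    live = read_zone_values()
    if live is None:
        # Constructed sample: a default Internet zone enables both actions.
        live = {"1400": 0, "1200": 0}
        print("winreg not available; evaluating constructed sample values")
    for line in audit_zone(live) or ["Internet zone: both checked actions disabled"]:
        print(line)
```

Both the per-user (HKCU) and per-machine (HKLM) hives carry a Zones key; when the machine-wide policy is in force the HKLM values win, so a fleet audit should read both by calling read_zone_values with hive_name="HKLM" as well.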

Author information.
Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: June 04, 2000.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.