problem with IE: "Shell"/"Res" Cross Zon
Jul. 16, 2005, 04:45 AM
Post: #1
Hi. I have posted at the following site http://castlecops.com/p589631-.html#589631 regarding a fault with a filter. I am using Grypen's filter set.
The problem relates to about:blank entries in HijackThis logs. It converts this:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kduiq.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kduiq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kduiq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kduiq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kduiq.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kduiq.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kduiq.dll/sp.html#93256

to this:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar /> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page /> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL /> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar /> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page /> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant /> R3 - Default

I have unchecked that particular filter in order for me to correctly view the logs.

Thanks guys.
Jul. 16, 2005, 05:16 AM
Post: #2
 
It's matching the "res" parts of the HJT logs :(

Replace "IE: "Shell"/"Res" Cross Zone Exploit [Kye-U]" and "Prevent file access [Siamesecat] {Modified by Kye-U}" with the following filters:

Code:
[Patterns]
Name = "Prevent file access [Siamesecat] {Modified by Kye-U}"
Active = TRUE
URL = "(^(\w.|)(castlecops.com|short-media.com/forum)/)"
Bounds = "<(a|img|input|(no|)script|applet|object|area)\s*<(/*|br)>"
Limit = 1000
Match = "*((GetObject|open)\w|)[^a-z0-9]([a-z]:([\\]+{1,*})(*|)|"
        "(file://(/|)|(res|shell):|)[^a-z0-9][a-z](:|\|)([/]+{1,*})(*|)|"
        "document.open|uploadFile=)*"
Replace = "File Access Removed!"

Name = "IE: "Shell"/"Res" Cross Zone Exploit [Kye-U]"
Active = TRUE
URL = "(^(\w.|)(castlecops.com|short-media.com/forum)/)(^*.(gif|jp(e|)g|png|ico))(^$TYPE(css))"
Limit = 512
Match = "(=|\()$AV(((shell|res)(|2(shell|res)))([:]+{1,3})*)"
        ""
        "&*$SET(Msg=)($TST(svAlert=1)$SET(Msg=$ALERT(IE: "Shell"/"Res" Cross Zone Exploit Detected on:\n\n\u))|)"
        "$SET(\9=This exploit can execute possibly malicious programs with permissions of the My Computer Zone."
        ""
        "Version(s) Vulnerable: 6.0 (SP1)"
        "http://www.securityfocus.com/bid/9628/info/"
        "http://www.securityfocus.com/bid/10943/info/)"
Replace = "$GET(Msg)$SET(Msg=)"

I will include this in my next release. (Perhaps I'll have to implement a bypass list...)
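To make the false positive in this thread concrete, here is an added Python model of the "Shell"/"Res" cross-zone filter above. It is example code written for this page, not Proxomitron's matching engine or Kye-U's filter: the regex approximates the posted Match= line (an '=' or '(' followed by an optional quote and a shell: or res: scheme), the host list mirrors the URL= bypass the fix adds, and both the HijackThis log excerpt and the exploit-style page are constructed samples. It shows why plain-text log lines such as "Search Bar = res://C:\WINDOWS\kduiq.dll/sp.html" trip the filter, how the Replace= (which emits an empty message) mangles them, and how the host bypass leaves the log intact while a page on any other host is still caught.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Approximation of the posted filter's Match= line, in Python regex syntax:
# '=' or '(' (attribute assignment or function-call argument), optional
# whitespace and quote, then a shell: or res: scheme with 0-3 slashes.
# Proxomitron's own pattern language differs; this only models its effect.
CROSS_ZONE_RE = re.compile(
    r"""(?P<lead>[=(])\s*(?P<quote>["']?)(?P<scheme>shell|res):/{0,3}""",
    re.IGNORECASE,
)

# Hosts where HJT logs are posted as text; mirrors the URL= exclusion in the
# fixed filter. Subdomains (www.) are covered, look-alike suffixes are not.
BYPASS_HOSTS = ("castlecops.com", "short-media.com")


def host_bypassed(url: str) -> bool:
    """True when the page URL is on a host the filter should skip."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in BYPASS_HOSTS)


def find_cross_zone_refs(html: str) -> list[str]:
    """Return the scheme of every shell:/res: reference the filter fires on."""
    return [m.group("scheme").lower() + ":" for m in CROSS_ZONE_RE.finditer(html)]


def filter_page(url: str, html: str, bypass: bool = True) -> tuple[str, list[str]]:
    """Simulate the filter on one page.

    On a non-bypassed page every match is replaced with the (empty) alert
    message, as the posted Replace= "$GET(Msg)$SET(Msg=)" does. Applied to
    plain-text HJT log lines that is exactly what strips the '= res://'
    part and leaves the truncated entries seen in the first post.
    Returns (filtered_body, list_of_alert_schemes).
    """
    if bypass and host_bypassed(url):
        return html, []
    alerts = find_cross_zone_refs(html)
    return CROSS_ZONE_RE.sub("", html), alerts


# Constructed HJT log excerpt as it would appear in a forum post (plain text,
# not inside any tag or script), modelled on the lines quoted in this thread.
HJT_LOG = (
    "R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar"
    " = res://C:\\WINDOWS\\kduiq.dll/sp.html#93256\n"
    "R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL"
    " = about:blank\n"
)

# Constructed page of the kind the filter is meant to catch: a res:// URL in
# an attribute and a shell: URL passed to a script call. Not a real exploit.
EXPLOIT_HTML = (
    "<html><body>"
    '<iframe src="res://C:\\WINDOWS\\somefile.dll/page.htm"></iframe>'
    '<script>window.open("shell:windows\\\\notepad.exe")</script>'
    "</body></html>"
)


def demo() -> dict[str, object]:
    """Run the three cases from the thread and return the outcomes."""
    forum_url = "http://castlecops.com/p589631-.html"
    other_url = "http://example.test/page.html"  # hypothetical non-bypassed host
    mangled, log_alerts = filter_page(forum_url, HJT_LOG, bypass=False)
    kept, _ = filter_page(forum_url, HJT_LOG)
    _, page_alerts = filter_page(other_url, EXPLOIT_HTML)
    return {
        "log_mangled_without_bypass": mangled != HJT_LOG,
        "log_alerts_without_bypass": log_alerts,
        "log_intact_with_bypass": kept == HJT_LOG,
        "exploit_page_alerts": page_alerts,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model keeps the second filter's lack of a Bounds= line: because it matches after '=' or '(' anywhere in the body, it also catches res:/shell: URLs assigned or passed inside scripts, which is why the fix in the post narrows by URL rather than by HTML tag. The cost is that any page that merely displays such a URL as text, like a pasted HJT log, matches too, hence the bypass list. Note that `host_bypassed` checks the parsed hostname with a dot-boundary, so `www.castlecops.com` is skipped but `castlecops.com.example.test` is not.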