StealthBomb Attack Code

June 2, 2000
Threat Level: Medium

OVERVIEW

A new attack technique has surfaced that allows hackers to deliver and install any file on a target computer with no user interaction other than viewing an e-mail or Web page. Finjan Software researchers have dubbed this attack "StealthBomb" for its ability to deliver a payload completely undetected. All Windows 9x/NT/2000 platforms are vulnerable.

StealthBomb instructions have recently surfaced on several hacking sites and bulletin boards. Due to its public distribution on the Internet, Finjan believes this to be a real and significant threat to all PC users. Finjan Software has contacted Microsoft regarding this attack code and is recommending that you take precautionary actions to minimize your exposure to the StealthBomb attack.

DESCRIPTION

The StealthBomb attack uses a combination of known Internet Explorer vulnerabilities coupled with an unsecured local Microsoft Windows Media Player ActiveX control. All Windows 9x/NT/2000 default installations are currently vulnerable to StealthBomb attacks.

A StealthBomb is a Trojan .eml or .nws file with two hidden files embedded - a trigger file (help file: .chm) and a payload file (any file extension). Upon viewing the StealthBomb from a Web browser or e-mail client, both embedded files are loaded automatically into the default temp directory. A simple script in the StealthBomb then initiates the trigger file, which in turn invokes the payload file to execute.

Hackers can use a StealthBomb to automatically deliver any Trojan, worm or malicious attack to unsuspecting victims through a Web page or e-mail. The victim is not required to open any attachment or click on any link. StealthBomb will deliver its payload in Outlook and Outlook Express in preview mode - the e-mail does not have to be opened.

There are several variations of the StealthBomb that can be easily created with the instruction set circulating on the Web.
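The file structure described above (a .eml or .nws message embedding a .chm trigger alongside a second file) can be checked for at a mail gateway or during triage. The following is an added example, not Finjan's code: it assumes the embedded files appear as MIME parts that declare a file name or Content-Location, which the advisory does not specify, and the function names and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

def embedded_names(msg):
    """Names declared by leaf MIME parts (filename or Content-Location)."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or part.get("Content-Location")
        if name:
            names.append(str(name).strip())
    return names

def has_script(msg):
    """True if any HTML part contains a <script> tag."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            if b"<script" in body.lower():
                return True
    return False

def triage(raw):
    """Flag a .eml/.nws message that embeds a .chm file plus another file."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = embedded_names(msg)
    chm = [n for n in names if n.lower().endswith(".chm")]
    others = [n for n in names if not n.lower().endswith(".chm")]
    return {"chm": chm, "other_files": others, "script": has_script(msg),
            "suspicious": bool(chm) and bool(others)}

def build_sample(names, html):
    """Constructed test message; attachment bodies are placeholder bytes."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("plain text part")
    m.add_alternative(html, subtype="html")
    for n in names:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename=n)
    return m.as_bytes()

if __name__ == "__main__":
    flagged = build_sample(["help.chm", "payload.bin"],
                           "<html><script>/* placeholder */</script></html>")
    benign = build_sample(["report.pdf"], "<html><p>hello</p></html>")
    print(triage(flagged))
    print(triage(benign))
```

The script flag is reported separately from the verdict because, per the advisory, disabling Active Scripting interrupts only some variations.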
Finjan has performed extensive testing and found the following system configurations to be vulnerable:

VULNERABLE SYSTEM CONFIGURATIONS:
Win 9x/NT/2000 with Internet Explorer 5.0 installed (IE 5.0 must be installed, but does not have to be running for the e-mail client attack scenario)

VULNERABLE E-MAIL CLIENTS:
Microsoft Outlook Express 5.0
Microsoft Outlook 98
Microsoft Outlook 2000

VULNERABLE BROWSERS:
Microsoft Internet Explorer 5.0

* Eudora, Netscape and Lotus Notes e-mail clients are not susceptible to a StealthBomb attack

PROTECTION

Users can take the following precautions to safeguard themselves from a StealthBomb attack:

1) Change the location of your Windows temp directory - this will keep a StealthBomb from successfully delivering its payload.
2) Set browser security settings to "High" - this will interrupt some variations of a StealthBomb, or at least make them less transparent.
3) Disable Active Scripting - this will interrupt some variations of StealthBomb.
4) Uninstall Windows Media Player.

© 1996 - 2000 Finjan Software Ltd. All rights reserved.