Thu Nov 23 09:00:05 2000
Subject: Explanation of the hack used for Romeo & Juliet

Hi,

Here is an explanation of how Romeo and Juliet works - it's from an older hack described on www.malware.com

http://www.finjan.com/attack_release_detail.cfm?attack_release_id=45

>
>Malicious Code Alert
>Threat Level: Medium
>
>-------------------------------------------------------------------------------
>Romeo & Juliet worm (aka "BleBla" worm, "StealthBomb II")
>-------------------------------------------------------------------------------
>
>A new worm was discovered this week that strikes victims automatically
>simply by viewing an infected e-mail. The so-called "Romeo & Juliet" worm is
>a true "no-click" attack that uses several known security flaws in
>Microsoft's Internet Explorer to deliver and launch its payload. Although
>the Romeo & Juliet worm is considered a low threat, the delivery mechanism
>used to spread it has been known and circulating in the hacking community
>since June 2000 - the StealthBomb attack code. Simply viewing a web page
>or html e-mail can launch a StealthBomb attack. Our surveillance of recent
>hacker activity indicates that the "no-click" StealthBomb technique will
>proliferate now that hackers can attack PCs without relying on their
>victims to open attachments. Finjan products can detect and block these
>attacks with proactive behavior monitoring of code.
>
>STEALTHBOMB OVERVIEW
>Finjan alerted its users to the "StealthBomb" attack code in June 2000.
>Also known as "Silent Delivery" and "ForceFeed", it is a delivery technique
>widely known in script-kiddie hacking circles. Explicit instructions to
>create StealthBombs are available online. StealthBomb allows an attacker
>to silently deliver and execute payload files from a web page or HTML
>e-mail without any user interaction.
>
>Originally posted to bugtraq in June 2000, StealthBomb uses a combination
>of several published exploits including a Microsoft Active Movie Control
>exploit, and a Guninski Internet Explorer vulnerability. StealthBomb
>basically "tricks" Internet Explorer into saving and running a payload file
>using legitimate HTML and scripts.
>
>A new security flaw disclosed earlier this week by researcher Georgi
>Guninski was incorporated into the old StealthBomb attack code to create an
>improved version (StealthBombII) used in Romeo & Juliet. The new flaw
>bypasses Microsoft's original security patch:
>http://www.microsoft.com/technet/security/bulletin/MS00-046.asp
>
>Details of the original StealthBomb can be found on Finjan's Website:
>http://www.finjan.com/attack_release_detail.cfm?attack_release_id=38
>
>A working demo of the previous StealthBomb code is available at Finjan's
>Malicious Code Research Center:
>http://www.finjan.com/mcrc/
>
>PROTECTION
>Users can take the following precautions to help safeguard themselves from
>some variants of the StealthBomb attack by:
>1) Applying related Microsoft security patches including:
>http://www.microsoft.com/technet/security/bulletin/ms99-042.asp
>http://www.microsoft.com/technet/security/bulletin/MS00-046.asp
>http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
>http://www.microsoft.com/technet/security/bulletin/ms00-037.asp
>2) Setting browser security settings to "High" - this will interrupt some
>variations of a StealthBomb, or at least make them less transparent
>3) Disabling Active Scripting - this will interrupt some variations of
>StealthBomb