Thu Nov 23 09:00:05 2000

Subject: Explanation of the hack used for Romeo & Juliet


Hi,
Here is an explanation of how Romeo and Juliet works - it's from an older 
hack described on www.malware.com


http://www.finjan.com/attack_release_detail.cfm?attack_release_id=45
>
>Malicious Code Alert
>Threat Level:  Medium
>
>-------------------------------------------------------------------------------
>Romeo & Juliet worm (aka “BleBla” worm, “StealthBomb II”)
>-------------------------------------------------------------------------------
>
>A new worm was discovered this week that strikes victims automatically 
>simply by viewing an infected e-mail.  The so-called “Romeo & Juliet” worm is 
>a true “no-click” attack that uses several known security flaws in 
>Microsoft’s Internet Explorer to deliver and launch its payload.  Although 
>the Romeo & Juliet worm is considered a low threat, the delivery mechanism 
>used to spread it has been known and circulating in the hacking community 
>since June 2000 – the StealthBomb attack code.  Simply viewing a web page 
>or html e-mail can launch a StealthBomb attack. Our surveillance of recent 
>hacker activity indicates that the “no-click” StealthBomb technique will 
>proliferate now that hackers can attack PCs without relying on their 
>victims to open attachments.  Finjan products can detect and block these 
>attacks with proactive behavior monitoring of code.
>
>STEALTHBOMB OVERVIEW
>Finjan alerted its users to the “StealthBomb” attack code in June 2000.  
>Also known as “Silent Delivery” and “ForceFeed”, it is a delivery technique 
>widely known in script-kiddie hacking circles.  Explicit instructions to 
>create StealthBombs are available online.  StealthBomb allows an attacker 
>to silently deliver and execute payload files from a web page or HTML 
>e-mail without any user interaction.
>
>Originally posted to bugtraq in June 2000, StealthBomb uses a combination 
>of several published exploits including a Microsoft Active Movie Control 
>exploit, and a Guninski Internet Explorer vulnerability.  StealthBomb 
>basically “tricks” Internet Explorer into saving and running a payload file 
>using legitimate HTML and scripts.
>
>A new security flaw disclosed earlier this week by researcher Georgi 
>Guninski was incorporated into the old StealthBomb attack code to create an 
>improved version (StealthBombII) used in Romeo & Juliet.  The new flaw 
>bypasses Microsoft’s original security patch: 
>http://www.microsoft.com/technet/security/bulletin/MS00-046.asp
>
>Details of the original StealthBomb can be found on Finjan’s Website:
>http://www.finjan.com/attack_release_detail.cfm?attack_release_id=38
>
>A working demo of the previous StealthBomb code is available at Finjan's 
>Malicious Code Research Center:
>http://www.finjan.com/mcrc/
>
>PROTECTION
>Users can take the following precautions to help safeguard themselves from 
>some variants of the StealthBomb attack by:
>1) Applying related Microsoft security patches including:
>http://www.microsoft.com/technet/security/bulletin/ms99-042.asp
>http://www.microsoft.com/technet/security/bulletin/MS00-046.asp
>http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
>http://www.microsoft.com/technet/security/bulletin/ms00-037.asp
>2) Set browser security settings to "High" - This will interrupt some 
>variations of a StealthBomb, or at least make them less transparent
>3) Disable Active Scripting - this will interrupt some variations of 
>StealthBomb
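
The alert's precautions 2) and 3) are zone settings in Internet Explorer, so an administrator can audit whether they are actually in place on a machine rather than trusting that someone clicked through the dialog. The script below is an added example for that audit; it is not part of the Finjan alert or the original message. It reads the Internet zone (zone 3) settings from the current user's registry hive. The registry path, the `CurrentLevel` encoding (0x12000 = High) and the action codes `1400` (Active scripting) and `1200` (Run ActiveX controls and plug-ins) with 3 = Disable are taken from the well-known Internet Explorer zone layout as I understand it, not from the alert, and should be treated as assumptions to confirm against Microsoft's documentation for the IE version in use. The ActiveX check goes slightly beyond the alert's list, since the delivery mechanism it describes relies on an Active Movie Control exploit.

```powershell
# Added example (not from the original alert): audit the Internet Explorer
# Internet zone (zone 3) for the mitigations the alert recommends.
# Registry path and value codes are assumptions based on the documented
# IE zone layout, not values taken from the alert itself.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Assumed encodings within the zone key:
#   CurrentLevel : 0x12000 = High, 0x11500 = Medium-high, 0x11000 = Medium,
#                  0x10500 = Medium-low, 0x10000 = Low
#   1400         : Active scripting (0 = Enable, 1 = Prompt, 3 = Disable)
#   1200         : Run ActiveX controls and plug-ins (same encoding)
$HighLevel = 0x12000
$Disabled  = 3

function Get-InternetZoneSetting {
    param([string]$Name)
    # Read one named value from the zone key; fails loudly if the key is missing.
    $props = Get-ItemProperty -Path $zoneKey -ErrorAction Stop
    return $props.$Name
}

function Test-StealthBombMitigations {
    # Returns a list of findings; an empty list means all checks passed.
    $findings = @()

    $level = Get-InternetZoneSetting -Name 'CurrentLevel'
    if ($null -eq $level -or $level -lt $HighLevel) {
        $findings += ('Internet zone security level is 0x{0:X} (expected High = 0x{1:X})' -f [int]$level, $HighLevel)
    }

    $scripting = Get-InternetZoneSetting -Name '1400'
    if ($scripting -ne $Disabled) {
        $findings += "Active Scripting is not disabled in the Internet zone (value 1400 = $scripting)"
    }

    $activeX = Get-InternetZoneSetting -Name '1200'
    if ($activeX -ne $Disabled) {
        $findings += "ActiveX controls may still run in the Internet zone (value 1200 = $activeX)"
    }

    return ,$findings
}

$findings = Test-StealthBombMitigations
if ($findings.Count -eq 0) {
    Write-Output 'OK: Internet zone is at High with Active Scripting and ActiveX disabled.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1
}
```

Run it in the context of the user whose browser you are checking, since the settings live under HKCU; a group policy that pins the zone level will surface under the HKLM hive instead, and the same three values can be read from there with the path adjusted. The non-zero exit code makes it usable from a login script or an inventory tool.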