Delude.B (a.k.a. QHosts-1) Trojan
On the evening of September 29th, a mysterious sequence of events led to the discovery of a new Trojan being served via a banner ad at FortuneCity.com. The banner ad was emanating from a website hosted by Everyone's Internet, Inc. Users of Windows XP or Windows 2000 who visited the FortuneCity.com website during the infected period were subjected to having their Internet Explorer browser hijacked.
DNS settings were changed to point to 69.57.146.14 and 69.57.147.175, a new HOSTS file was dropped onto the system, and the Internet Explorer start page was changed to http://www.google.com. The registry was also changed to point to the new HOSTS file. Because of the HOSTS and DNS setting changes, affected users would first be redirected to the malicious site, served up advertising banners, and then redirected back to the legitimate site.
For example, an affected user who attempted to access http://www.google.com would first be redirected to 216.127.92.38, served up a range of advertisements, and then redirected back to http://www.google.com.
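The redirect described above leaves three artifacts that a responder can check from a script rather than by eye: the contents of the HOSTS file, the DNS servers the adapter is configured to use, and the registry value (DataBasePath under the Tcpip\Parameters key) that tells Windows where the HOSTS file lives. The block below is an added example, not code from the original write-up or from any vendor. It parses a constructed sample HOSTS file and flags entries that point at the addresses named in this article or at any non-local address, compares a DNS server list against those same addresses, and tests a DataBasePath value against the stock location. The hostnames in the sample other than localhost are made up for illustration and are not the Trojan's own list.

```python
import os
import ipaddress

# Constructed sample of a HOSTS file after a redirect hijack of the kind
# described above. The addresses are the ones named in the write-up; the
# hostnames apart from localhost are illustrative only.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
216.127.92.38   www.google.com
216.127.92.38   google.com   # appended entry with a trailing comment
69.57.146.14    search.example.net
bogus-line-without-an-address
"""

# DNS server and redirect addresses named in the write-up.
KNOWN_BAD_ADDRESSES = {"69.57.146.14", "69.57.147.175", "216.127.92.38"}

# Stock value of HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath.
DEFAULT_DATABASE_PATH = r"%SystemRoot%\System32\drivers\etc"


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS text; comments and junk lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address, so not a valid entry
        for host in fields[1:]:
            yield str(addr), host.lower()


def suspicious_entries(text, bad_addresses=KNOWN_BAD_ADDRESSES):
    """Return (ip, host, reason) for entries that look like redirect hijacks."""
    findings = []
    for ip, host in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if host == "localhost" and addr.is_loopback:
            continue  # the one entry a stock Windows HOSTS file carries
        if ip in bad_addresses:
            findings.append((ip, host, "points at a known redirect address"))
        elif not (addr.is_loopback or addr.is_private):
            findings.append((ip, host, "pins a name to a public address; review"))
    return findings


def rogue_dns_servers(configured, bad_addresses=KNOWN_BAD_ADDRESSES):
    """Return the configured DNS servers that match the known bad addresses."""
    return sorted(set(configured) & set(bad_addresses))


def database_path_redirected(value):
    """True if DataBasePath no longer names the stock HOSTS directory."""
    def norm(path):
        return path.strip().rstrip("\\").lower()
    return norm(value) != norm(DEFAULT_DATABASE_PATH)


if __name__ == "__main__":
    # On Windows read the live file; elsewhere fall back to the sample.
    live = os.path.expandvars(DEFAULT_DATABASE_PATH + r"\hosts")
    text = open(live, encoding="utf-8", errors="replace").read() if os.path.exists(live) else SAMPLE_HOSTS
    for ip, host, reason in suspicious_entries(text):
        print(f"{ip:16} {host:30} {reason}")
```

Run on a suspect machine, the script reads the live HOSTS file; the DNS server list and the DataBasePath value still have to be supplied from the adapter configuration and the registry (for example via `ipconfig /all` and `reg query`), which is why those two checks take plain arguments.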
Everyone's Internet, Inc. has since shut down the offending website and FortuneCity has removed the malicious banner ad.
Delude.B (a.k.a. QHosts-1) exploits an Object Tag vulnerability in Internet Explorer which allows a remote attacker to run the code of their choice on a victim's system. The first patch released for this vulnerability fails to protect against the exploit.
Microsoft acknowledges this flaw but at the time of this writing has yet to release a new patch.
Though the description of the MS03-032 Object Tag vulnerability was updated to provide a workaround to block the attack, the workaround also fails. Antivirus software detects the Trojan itself and not the exploit that leads to the Trojan. Since the Trojan could easily be changed (and thus be undetectable), to protect their systems users should disable Active Scripting and ActiveX controls in both the Internet and Local Zones and exercise caution when adding any site to the Trusted Sites zone until a suitable patch is released by Microsoft.
To properly configure the zones to disable ActiveX:
- Select Tools | Internet Options and select the Security tab.
- Select the desired Zone (e.g. Local Intranet).
- Choose Custom Level.
- Scroll down the list and Disable each of the following:
  - Download unsigned ActiveX controls
  - Initialize and script ActiveX controls not marked as safe
  - Run ActiveX controls and plug-ins
  - Script ActiveX controls marked safe for scripting
  - Download signed ActiveX controls
To properly configure the zones to disable Active Scripting:
- Select Tools | Internet Options and select the Security tab.
- Select the desired Zone (e.g. Local Intranet).
- Choose Custom Level.
- Scroll down the list until you see Scripting.
- Set Active Scripting to Disabled.
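Both procedures above set per-zone policy values that Internet Explorer stores in the registry, so the result can be audited across many machines, or verified after the fact, without clicking through the dialog. The block below is an added example and is not from the original article. It assumes the documented registry value names for the six settings listed above (1001, 1004, 1200, 1201, 1405, 1400), the action codes 0 = Enable, 1 = Prompt, 3 = Disable, and zone numbers 1 (Local Intranet) and 3 (Internet) under the current user's Zones key; when not run on Windows it audits a constructed sample instead of the live registry.

```python
import sys

# Per-user zone settings live under this key; each zone is a numbered subkey.
ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
ZONES = {1: "Local Intranet", 3: "Internet"}

# Registry value names for the settings in the two procedures above.
# Each holds a DWORD action: 0 = Enable, 1 = Prompt, 3 = Disable.
SETTINGS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1405": "Script ActiveX controls marked safe for scripting",
    "1400": "Active scripting",
}
ACTION_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}
DISABLE = 3

# Constructed sample resembling an Internet zone left at typical defaults
# (unsigned / unsafe ActiveX already blocked, everything else enabled).
SAMPLE_INTERNET_ZONE = {"1001": 0, "1004": 3, "1200": 0, "1201": 3, "1405": 0, "1400": 0}


def describe_action(action):
    """Human-readable name for a zone action value; None means the value is absent."""
    if action is None:
        return "not set"
    return ACTION_NAMES.get(action, f"unknown ({action})")


def audit_zone(values, zone_name):
    """Return one finding per audited setting that is not Disable.

    `values` maps value name -> DWORD as read from the zone's key. A missing
    value is reported too, since the absent default is not Disable."""
    findings = []
    for name, desc in SETTINGS.items():
        action = values.get(name)
        if action != DISABLE:
            findings.append(f"{zone_name}: {desc} ({name}) is {describe_action(action)}; want Disable")
    return findings


def hardened_values():
    """The value set the two procedures above produce: every listed setting Disabled."""
    return {name: DISABLE for name in SETTINGS}


def read_zone_values(zone_id):
    """Read the audited values for one zone from HKCU (Windows only)."""
    import winreg  # only importable on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, f"{ZONES_KEY}\\{zone_id}") as key:
        for name in SETTINGS:
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # absent value is reported as "not set"
    return values


def audit_all_zones(reader=read_zone_values):
    """Audit every zone in ZONES using `reader(zone_id)` to fetch its values."""
    findings = []
    for zone_id, zone_name in ZONES.items():
        findings.extend(audit_zone(reader(zone_id), zone_name))
    return findings


if __name__ == "__main__":
    if sys.platform == "win32":
        results = audit_all_zones()
    else:
        results = audit_zone(SAMPLE_INTERNET_ZONE, "Internet (sample)")
    for line in results or ["all audited settings are Disabled"]:
        print(line)
```

One caveat when reading the live values: if the machine is configured to honour machine-wide zone settings only (the Security_HKLM_only policy), the effective values sit under the equivalent HKLM key rather than HKCU, so the reader should be pointed there instead.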
Antivirus software updated after October 1, 2003 should effectively detect and remove the Trojan. However, DNS settings and the HOSTS file will need to be reconfigured manually. Network Associates provides an in-depth list of changes made by the Trojan.
Update: On October 3, 2003, Microsoft Security Bulletin MS03-040 was released to protect against the vulnerability exploited by the QHosts-1 Trojan.