LWC
Trooper
Joined: Feb 13, 2004
Posts: 27
Location: Israel
Posted: Fri Feb 13, 2004 6:07 am Post subject: ActiveX via Scripts
This topic was originally about an annoying script that used ActiveX commands to eject my CD drives.
However, later on I got spyware (another user claimed it's even a trojan!) because of it and therefore decided to change the topic to reflect the general dangers of this thing and not just the original problem.
See my later post for my new filter that deals with the general problem.
Scary! Script that ejects my CD drives!
With all my general protection and all the filters in Proxomitron, I thought I was driving in a tank in the dark corridors of the Internet.
And then I surfed into http://faked.org and my CD drives started to eject one by one!
I thought I was getting a heart attack.
Did this site just install a trojan on me, I thought.
But when I came back to my senses, I looked in the source code and found this, well, simple javascript:
Code:
<script language="javascript">
var oWMP = new ActiveXObject("WMPlayer.OCX.7");
var colCDROMS = oWMP.cdromCollection;
if (colCDROMS.Count >= 1){
for(i = 0; i <= colCDROMS.Count; i++)
colCDROMS.Item(i).Eject();
}
</script>
BTW, it works just as well without the language="javascript" part (i.e. simply <script>).
Now, of course I can just capture the entire thing and remove it all via a filter, but I want something to block any other "version" of this too.
How the hell did Microsoft allow an ActiveX to control my WMP remotely?!
If people can eject CD drives, what else can they do?
Now, someone here once helped me shut ActiveX off completely so I wouldn't see those annoying SWF ads. So how do I shut it off when it comes in the shape of a javascript?
Or do you think I should just shut it off when it uses "WMPlayer.OCX.7"?
Thanks!
Last edited by LWC on Sun Apr 11, 2004 11:38 am, edited 4 times in total
LWC
Trooper
Joined: Feb 13, 2004
Posts: 27
Location: Israel
Posted: Sun Feb 15, 2004 5:18 am Post subject:
What are the odds?
I've just entered this page and the same thing happened - only this time via VBScript!
Code:
<SCRIPT language=VBScript>
Set oWMP = CreateObject("WMPlayer.OCX.7" )
Set colCDROMs = oWMP.cdromCollection
if colCDROMs.Count >= 1 then
For i = 0 to colCDROMs.Count - 1
colCDROMs.Item(i).Eject
Next ' cdrom
End If
</SCRIPT>
Note: unlike the javascript, this one will only run if you specify the "language=VBScript" part. Is it because JavaScript is assumed as the default, or what?
z12
Sergeant
Joined: Jul 17, 2002
Posts: 135
Location: USA
Posted: Sun Feb 22, 2004 8:26 am Post subject:
lol, if you're going to browse sites like that with ActiveX enabled, you're asking for trouble.
If you must use IE, I recommend setting your Internet zone security settings to High & then setting the trusted zone settings to medium.
Or, better yet, use Firefox. ActiveX and VBScript don't work with it since that stuff is MS only.
Do you really trust running software from warez sites?
Mike
LWC
Trooper
Joined: Feb 13, 2004
Posts: 27
Location: Israel
Posted: Sun Feb 22, 2004 8:56 am Post subject:
What do you mean "running a program"? It's not like someone asked me. This is NOT an ActiveX control or something like that! It's just a script. Every site can use it. It's not like those messages which ask "would you like to download X"? It's just a simple script!
Besides, the first example is not even ActiveX! It's Javascript!
And the ActiveX one is not so much ActiveX as it is VBScript!
And in XP, IE's security settings are automatically changed into "custom".
Anyway, I think there should be a Proxomitron filter that gets rid of every script that uses "curse words" like "WMPlayer.OCX.7".
And speaking of ActiveX (and this doesn't have to be related!), another filter altogether that gets rid of ActiveX scripts, for that matter. Why? Well, because, unlike Javascripts, ActiveX scripts are basically VBScript. And VBScript has unlimited power...
When I want to automate something, I'll use VBScript. But not online, thank you.
z12
Sergeant
Joined: Jul 17, 2002
Posts: 135
Location: USA
Posted: Sun Feb 22, 2004 12:09 pm Post subject:
LWC,
Hi. First of all, I'm having a bit of a problem following your reply, but here we go...
When I looked at the link in your 2nd post, ://youarelame.com/warez/, I couldn't help but laugh.
warez = hacked software
Personally, I wouldn't trust any software downloaded from a warez site, no telling what you're getting.
Here's a code snippet from that site:
Code:
<title>You Are Lame</title>
<meta name="keywords" content="you, are, lame, lamer, idiot, stupid, loser">
<meta name="description" content="Yes, you truly deserve it. You Are Lame!">
About ActiveX, from example #1:
Code:
var oWMP = new ActiveXObject("WMPlayer.OCX.7");
from example #2:
Set oWMP = CreateObject("WMPlayer.OCX.7" )
Both of these scripts depend upon ActiveX. If ActiveX is disabled, they will fail.
The default security settings for IE in XP do not disable ActiveX.
Anyway, VBScript & ActiveX don't work with Firefox, and that's the way I like it.
Mike
edit: added code tag
Last edited by z12 on Sun Apr 11, 2004 12:21 pm, edited 1 time in total
Structure
Trooper
Joined: Mar 03, 2004
Posts: 10
Location: USA
Posted: Fri Mar 12, 2004 6:16 pm Post subject:
Just turn off ActiveX.
LWC
Trooper
Joined: Feb 13, 2004
Posts: 27
Location: Israel
Posted: Sat Mar 13, 2004 10:27 am Post subject:
First of all, I've already mentioned it's more of a VBScript than it is ActiveX.
Secondly, instead of disabling legitimate uses by innocent sites, I'd rather disable just this one specific use.
Structure
Trooper
Joined: Mar 03, 2004
Posts: 10
Location: USA
Posted: Sun Mar 14, 2004 12:57 am Post subject:
I understand, but turning off the ActiveX controls in the Internet Options will prevent the ejects. Whatever you want to call the code, it is disabled by the ActiveX settings.
There are also other malicious things in ActiveX, but I don't know them by name. I know once I went to a link pasted in a chatroom which displayed a picture. Innocent enough I thought, but on the way to close I was prompted to allow an ActiveX control. (I had previously set it to Prompt mode) I said no, and later found out it was a virus that corrupts your Windows install after execution.
ActiveX is too much of a security problem imo, that's why I recommend turning it off. Yea it kills flash and certain other things, but I don't miss them much.
Lepus
Trooper
Joined: Mar 02, 2004
Posts: 15
Location: USA
Posted: Sun Mar 14, 2004 1:52 am Post subject:
LWC wrote:
First of all, I've already mentioned it's more of a VBScript than it is ActiveX.
Secondly, instead of disabling legitimate uses by innocent sites, I'd rather disable just this one specific use.
No, as others have said it most certainly is an ActiveX thing. It has nothing to do with the scripting language - an ActiveX object can be created in VBScript or Javascript and it's the media player ActiveX object they're using to eject the drive. You could make a Proxo filter for it too, but you're safer by far to just disable or restrict ActiveX in IE. IMO there's little to no "legitimate" use for ActiveX - we're not talking about disabling all scripting. Most pages don't need it, and I'd be suspicious of any pages that do.
PrivateEye
Cadet
Joined: Feb 13, 2004
Posts: 3
Location: Netherlands
Posted: Thu Mar 18, 2004 11:26 am Post subject:
There is some functionality in IE6 that allows you to control which ActiveX controls are allowed to run on your machine (and blocks the rest).
In Internet Explorer, go to Tools>Options>Security>Custom Level>
Find the option: "Run ActiveX controls and plug-ins" and change it to "Administrator Approved"
Next, open regedit and go to:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls
Add a DWORD entry for each CLSID value of the ActiveX component that you wish to allow and set the value to ZERO (to allow).
If you don't know the CLSID value, you can find the ones already loaded on your machine by going to ..\WINDOWS\Downloaded Program Files. Right click on the ActiveX component concerned and select Properties.
You might want to check this folder anyway to see which ActiveX components you are already using and add them to the list - be sure to run ad-aware/Pest-Patrol/Spycop or some other program that is capable of detecting which ActiveX components are adware/spyware. You don't want to authorise those ones by mistake! SIGNED (and therefore relatively trustworthy) ActiveX controls will give you an indication as to what they are and what they are for. The company name ought to be visible in the version tab - if not, do not trust it (rule of thumb). If you don't know the company, at least check it out on the web...
Some common CLSIDs:
{9F1C11AA-197B-4942-BA54-47A8489BB47F} Windows update
{DF6A0F17-0B1E-11D4-829D-00C04F6843FE} Microsoft Office update
{D27CDB6E-AE6D-11CF-96B8-444553540000} Flash Shockwave
{22D6F312-B0F6-11D0-94AB-0080C74C7E95} MediaPlayer
{06DD38D3-D187-11CF-A80D-00C04FD74AD8} Plug-ins, including Acrobat Reader
{CA8A9780-280D-11CF-A24D-444553540000} Acrobat Reader
{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} Real Player
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} QuickTime
As you can see from the list above, there ARE legitimate reasons for allowing ActiveX with IE6. ActiveX was not designed solely with advertisers and hackers in mind...
LWC
Trooper
Joined: Feb 13, 2004
Posts: 27
Location: Israel
Posted: Sun Apr 11, 2004 11:26 am Post subject:
Well, after encountering first hand the gross creature from http://www.computercops.biz/postt30078.html (and the scary part is that unless my WAV files stopped working, who knows how long it could be before I found it out!),
I've finally decided that there's no "legitimate" use for loading ActiveX commands via scripts and so I present my new filter:
Code:
[Patterns]
Name = "Disable: ActiveX via Scripts"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js))"
Limit = 100
Match = "(\s|;)(var|set)*\0=*(ActiveX|Create)Object"
"\( $AV(\1) \)"
Replace = "// Disabled ActiveX code by killing\0"
"$ALERT(Hack attempt disabled!\n"
"\n"
"\u\n"
"has just tried to invade your machine\n"
"by using a dubious ActiveX code\n"
"that remote controls "\1"!\n"
"\n"
"Your protection has disabled it!)"
The filter works by cutting out the original parameter that calls up the VBScript command (e.g. media player), which all the rest totally depends on.
It was tested on the two sites mentioned earlier ("Faked" and "Warez"). I wasn't brave enough to try it out against the aforementioned trojan...
Anyway, import it and stop fearing "ActiveX via Scripts".
Yours Truly
P.S.
Hey z12, would you mind editing your post and using code tags this time (for your example quotes)? My new filter thinks you're a hacker...
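An added Python approximation of the filter above (not Proxomitron's own matcher, and not code from the thread): it applies the same idea, find the `var`/`Set` assignment that instantiates a COM object through `ActiveXObject`/`CreateObject` and rewrite that one line, to constructed copies of the two scripts quoted earlier and to an `<object>` embed of the kind the filter is meant to leave alone. The sample pages are constructed for this example.

```python
import re

# Constructed samples modelled on the two scripts quoted earlier in the thread.
JS_SAMPLE = """<script>
var oWMP = new ActiveXObject("WMPlayer.OCX.7");
var colCDROMS = oWMP.cdromCollection;
</script>"""

VBS_SAMPLE = """<SCRIPT language=VBScript>
Set oWMP = CreateObject("WMPlayer.OCX.7" )
Set colCDROMs = oWMP.cdromCollection
</SCRIPT>"""

# Flash-style embedding via <object>: no scripted instantiation, so untouched.
OBJECT_SAMPLE = '<object classid="clsid:D27CDB6E-AE6D-11CF-96B8-444553540000"></object>'

# Regex approximation of the filter's Match line
#   (\s|;)(var|set)*\0=*(ActiveX|Create)Object\( $AV(\1) \)
# "name" plays the role of \0, "progid" the quoted value captured by $AV(\1).
INSTANTIATION = re.compile(
    r'(?P<lead>^|\s|;)(?:var|set)?\s*(?P<name>\w+)\s*=\s*(?:new\s+)?'
    r'(?:ActiveX|Create)Object\s*\(\s*"(?P<progid>[^"]*)"\s*\)',
    re.IGNORECASE,
)


def find_activex_instantiations(page):
    """Return (variable, ProgID) pairs for each scripted COM instantiation,
    whichever script language the page uses."""
    return [(m.group("name"), m.group("progid"))
            for m in INSTANTIATION.finditer(page)]


def disable_activex(page):
    """Rewrite each instantiation line the way the filter does. In JavaScript
    the result is a comment; in VBScript '//' is a syntax error, so the script
    aborts. Either way the object is never created and later uses of the
    variable fail, which is what neutralises the rest of the script."""
    def kill(m):
        return m.group("lead") + "// Disabled ActiveX code by killing " + m.group("name")
    return INSTANTIATION.sub(kill, page)


if __name__ == "__main__":
    for sample in (JS_SAMPLE, VBS_SAMPLE, OBJECT_SAMPLE):
        print(find_activex_instantiations(sample))
        print(disable_activex(sample))
```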
Structure
Trooper
Joined: Mar 03, 2004
Posts: 10
Location: USA
Posted: Sun Apr 11, 2004 10:39 pm Post subject:
Interesting. Does it still allow launching of simple activex objects? (like flash / quicktime)
LWC
Trooper
Joined: Feb 13, 2004
Posts: 27
Location: Israel
Posted: Mon Apr 12, 2004 6:43 am Post subject:
Absolutely, because Flash and Quicktime are launched through an <object tag and not via scripts! That's why I said I can't think of any legitimate use for it.
Fluffbutt
Cadet
Joined: Apr 07, 2004
Posts: 8
Location: Australia
Posted: Mon Apr 12, 2004 10:33 am Post subject:
That works, it kills the activex. BUT it still allows the viraltype code to come to the hard drive, and the antivirus program jumps up with a Virus!!!! message. It's not active, it's just annoying to have the AV proggie think so..
My other attempt kills the textarea with the code id, and buggers up the java script line= bits. The end result is that the anti virus program is quiescent.
_________________
Meeow!
LWC
Trooper
Joined: Feb 13, 2004
Posts: 27
Location: Israel
Posted: Mon Apr 12, 2004 1:09 pm Post subject:
Quote:
That works, it kills the activex. BUT it still allows the viraltype code to come to the hard drive
Well, all it does is kill one line, but that line defines the one parameter that the rest of the script depends on.
So in that sense, it's like the Outlook Express feature that lets you download viruses in the e-mail, but just prevents you from clicking them...
Quote:
and the antivirus program jumps up with a Virus!!!! message. It's not active, it's just annoying to have the AV proggie think so..
Well, are you sure you didn't just mean my simple alert command? Compare your message with the one in the filter. If that's your problem, just delete the "$ALERT" tag and everything after it and Proxomitron won't "bother" you whenever some site tries to hack you...
Quote:
My other attempt kills the textarea with the code id, and buggers up the java script line= bits. The end result is that the anti virus program is quiescent.
Maybe so, but I learned my lesson in the CD drives ejection filter (original post). I'd rather have a general filter that disables any future versions of this trouble too, while yours just blocks this specific method.
All the hacker has to do is tweak something (i.e. use something else instead of a <textarea, etc.) and your filter is worthless...
Powered by phpBB 2.0.8a © 2001 phpBB Group
Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops