JS/Exploit-BO.gen
- Type
- Trojan
- SubType
- Generic
- Discovery Date
- 01/05/2005
- Length
- Varies
- Minimum DAT
- 4417 (12/29/2004)
- Updated DAT
- 5296 (05/15/2008)
- Minimum Engine
- 5.1.00
- Description Added
- 12/29/2004
- Description Modified
- 04/26/2007 2:53 AM (PT)
Characteristics
-- Update April 25, 2007 --
A malicious website reached through a Google sponsored link was found to be hosting multiple web exploits. The site at www.smartt{hidden}.org contained a frame linking to www.expl{blocked}ff.net, where the actual exploits and malware were hosted.
The main web page hosting this cocktail of exploits, when browsed with Internet Explorer, was proactively detected and blocked as JS/Exploit-BO.gen by VirusScan when script scanning was enabled.
The following vulnerabilities were found to be targeted:
- Microsoft Data Access Components (MDAC) Code Execution Vulnerability (Exploit-MS06-014)
- Microsoft Windows Shell Remote Code Execution Vulnerability (Exploit-CVE2006-3730)
- Microsoft Windows Animated Cursor Remote Code Execution Vulnerability (Exploit-AniFile.c)
- Apple QuickTime RTSP buffer overflow (Exploit-QtRTSP)
- Sky Software FileView ActiveX control buffer overflow vulnerability (Exploit-CVE2006-5198)
At the time of writing, the malware installed was found to download a bank password stealer, detected as PWS-Banker.gen.bt in the 5018 DATs.
-- Update October 1, 2006 --
Two of the latest exploits targeting Microsoft Internet Explorer are commonly proactively detected as JS/Exploit-BO.gen.
--
-- Update March 31, 2006 --
Source code was released that produces more efficient exploit files. The 4732 DAT files contain enhanced JS/Exploit-BO.gen detection to cover these exploits; Exploit-CreateTxtRng detection also proactively covers them.
--
-- Update March 24, 2006 --
Exploit-CreateTxtRng detection was created for raw exploit code (this covers the pure DoS exploit that was previously not detected). Exploits that attempt code execution are still handled under JS/Exploit-BO.gen, as noted below.
--
-- Update March 23, 2006 --
JS/Exploit-BO.gen detection is being updated to cover proof-of-concept code released today that exploits a recent 0-day vulnerability, Microsoft Internet Explorer "createTextRange()" Code Execution (CVE-2006-1359). This change will be represented in the 4726 DAT files and covers only known code execution exploits, not DoS versions of the exploit.
Because Internet Explorer (IE) executes scripts before writing them to disk (they are stored in IE's internal cache), McAfee VirusScan's ScriptScan (a VSE 8.0i feature) must be enabled to protect vulnerable clients that load an exploit from a malicious website. Files saved to disk before being opened by IE would be detected by the On-Access Scanner. Email and gateway scanners also protect by detecting recognized exploits before execution.
References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1359
http://www.microsoft.com/technet/security/advisory/917077.mspx
http://www.kb.cert.org/vuls/id/876678
http://blogs.technet.com/msrc/archive/2006/03/22/422849.aspx
--
-- Update December 1, 2005 --
The first known trojan to exploit the "Window()" remote code execution vulnerability was discovered recently (aka TrojanDownloader:Win32/Delf.DH). This threat was proactively detected as JS/Exploit-BO.gen with the 4633 DAT files or newer.
Microsoft has posted a security advisory on this vulnerability. For more information see: Microsoft Security Advisory (911302)
VirusScan Enterprise 8.0i / Managed VirusScan
Generic Buffer Overflow Protection protects against code execution that may result from exploiting this vulnerability.
McAfee Entercept
Entercept's Generic Buffer Overflow Protection protects against code execution that may result from exploiting this vulnerability.
McAfee IntruShield
Updated signatures are available for Trimble release with http response support.
McAfee Foundstone
Updated signatures have been released.
-- Update November 21, 2005 --
This detection was modified to cover a 0-day "Window()" remote code execution exploit targeting Internet Explorer. The change is represented in the 4633 DAT release.
--
This is a non-specific, generic detection of script code that attempts to exploit various buffer overflow vulnerabilities (such as those known to exist in Microsoft Internet Explorer).
Because Internet Explorer executes scripts before writing them to disk (they are stored in IE's internal cache), either McAfee VirusScan's ScriptScan must be enabled to block this exploit before it executes, or Buffer Overflow Protection must be enabled, which also protects the system from the malicious effects of the script.
If both ScriptScan and Buffer Overflow Protection are disabled, the On-Access Scanner will detect identifiable exploit code once it is written to disk, but will not block its execution.
Gateway scanners can also protect systems under this detection name.
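The description above says that a generic detection has to look at the script text itself, before the browser runs it, and that the same generic logic also fires on code that could never execute on a patched host. The following Python scanner is an added example, written for this page and not McAfee's ScriptScan or its JS/Exploit-BO.gen signature: it pulls inline scripts and event handlers out of an HTML response and scores them against weighted textual indicators of the exploit families named on this page (a %u-escaped NOP sled, a heap-spray doubling loop, a createTextRange() call, a bare window() call, ActiveX instantiation). The indicator names, patterns, weights, the threshold and the functions scan_html/is_suspicious/extract_scripts are all assumptions made for the example; the two sample pages are constructed, and the "suspect" one carries only the textual markers, not a working exploit.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Weighted textual indicators a generic, pre-execution script scanner might key
# on. Names, patterns and weights are assumptions made for this added example;
# they are not McAfee's JS/Exploit-BO.gen signature logic.
INDICATORS: Dict[str, Tuple[Pattern[str], int]] = {
    # shellcode or NOP sled assembled from %u-escaped 16-bit characters
    "unescape_ucs2": (re.compile(r'unescape\s*\(\s*["\'](?:%u[0-9a-fA-F]{4}){4,}', re.I), 3),
    # string-doubling loop used to spray a large heap region
    "heap_spray_loop": (re.compile(r'while\s*\(\s*\w+\.length\s*<\s*0x[0-9a-fA-F]+\s*\)\s*\w+\s*\+=\s*\w+', re.I), 3),
    # createTextRange() call (CVE-2006-1359 vector; has legitimate uses, so low weight)
    "createTextRange": (re.compile(r'\.createTextRange\s*\(', re.I), 1),
    # bare window() call (the "Window()" vector from Microsoft Security Advisory 911302)
    "window_call": (re.compile(r'\bwindow\s*\(\s*\)', re.I), 2),
    # ActiveX instantiation, e.g. MDAC (MS06-014) or other vulnerable controls
    "activex": (re.compile(r'new\s+ActiveXObject\s*\(', re.I), 1),
}

SUSPICION_THRESHOLD = 4  # assumption: a spray pattern plus any trigger is enough to block


def extract_scripts(html: str) -> List[str]:
    """Return inline <script> bodies and on* event-handler attribute values."""
    bodies = re.findall(r'<script[^>]*>(.*?)</script>', html, re.I | re.S)
    handlers = re.findall(r'\son\w+\s*=\s*["\']([^"\']*)["\']', html, re.I)
    return bodies + handlers


def scan_html(html: str) -> Dict[str, int]:
    """Map each indicator that fires anywhere in the page's script to its weight."""
    hits: Dict[str, int] = {}
    for src in extract_scripts(html):
        for name, (rx, weight) in INDICATORS.items():
            if rx.search(src):
                hits[name] = weight
    return hits


def is_suspicious(html: str, threshold: int = SUSPICION_THRESHOLD) -> bool:
    """True when the summed indicator weight reaches the blocking threshold."""
    return sum(scan_html(html).values()) >= threshold


# Constructed sample: a legitimate IE-only idiom that happens to use createTextRange().
BENIGN_PAGE = """<html><body><textarea id="t"></textarea>
<script>
function caretToEnd(el) {        // move the caret to the end of a textarea
  var r = el.createTextRange();
  r.collapse(false);
  r.select();
}
</script></body></html>"""

# Constructed sample: the textual shape of a spray-and-trigger page. The "shellcode"
# is a NOP-only string and nothing here exploits anything; it only carries the markers.
SUSPECT_PAGE = """<html><body><input type="checkbox" id="c">
<script>
var sc = unescape("%u9090%u9090%u9090%u9090%u9090%u9090");
var pad = unescape("%u0c0c%u0c0c");
while (pad.length < 0x40000) pad += pad;
var blocks = [];
for (var i = 0; i < 200; i++) blocks[i] = pad + sc;
document.getElementById("c").createTextRange();
</script></body></html>"""

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE)):
        hits = scan_html(page)
        verdict = "BLOCK" if is_suspicious(page) else "allow"
        print(f"{label}: {verdict} score={sum(hits.values())} hits={sorted(hits)}")
```

Two properties of the example mirror the page's caveats. The scan runs over the HTTP response text, which is the only place a gateway or ScriptScan-style hook can act before IE executes the script from its cache; an on-access file scan would see the same bytes only after they reach disk. And the verdict is a statement about the script, not about the host: the benign page scores 1 because createTextRange() alone is an ordinary IE API call, while the suspect page is blocked on its spray pattern regardless of whether the client is patched, which is exactly why a JS/Exploit-BO.gen hit does not by itself mean exploit code ran.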
Symptoms
This detection is sufficiently generic that it can cover an endless number of threats containing the exploit code, so it is not possible to describe specific symptoms or the system changes that may result from this threat. Note that seeing this detection does not by itself mean any exploit code ran: the exploit code could only run on a vulnerable system.
Method of Infection
This threat could be delivered via an email message, or an infectious web page.
Removal
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Variants
N/A
All Information
Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- JS_WINDEXP.A (Trend)
- TrojanDownloader:Win32/Delf.DH (Microsoft)