An Introduction to Internet Explorer DLL Vulnerability and Damage Analysis Bo Sun, Dawei Su {sun,

1 An Introduction to Internet Explorer DLL Vulnerability and Damage Analysis Bo Sun, Dawei Su {sun, dsu}@cs.fsu.edu

2 1. Introduction and Background 2. Problem Description 3. What We Did 4. Damage Analysis 5. Solution

3 I. Introduction and Background
– Windows is popular on personal laptops and desktops.
– Antivirus and firewall software is implemented above Windows.
– Flaws and vulnerabilities in Windows depend on Microsoft to eradicate them.

4 II. Problem Description Internet Explorer “404 Not Found” Page

5 II. Problem Description (cont’l) The analysis of 404 Not Found Page
– The file is located in a DLL file called ieframe.dll, under the name navcancl.htm.
– In IE6, the DLL file is called shdoclc.dll, and one of the HTML names is dnserror.htm.
– navcancl.htm can be extracted from the DLL file using software such as Resource Hacker®.
– Any code can be inserted.

6 III. What we did Hacking Internet Explorer 6
The HTML part can be easily found in the shdoclc.dll file. We can add a customized function after onload=, or simply add something like the line below.

    alert("Hello World!");

7 III. What we did (Cont’l) Hacking Internet Explorer 6 (Cont’l)

8 III. What we did (Cont’l) Hacking Internet Explorer 7
In IE7, almost no DLL file contains these HTML parts directly: Microsoft created another file, ieframe.dll.mui, to store the HTML, and uses ieframe.dll to store the JavaScript file that dynamically generates the error messages.

9 III. What we did (Cont’l) Simple Attack – Resource Consumption
The code is inserted directly below the tag.

    while (1) {
        window.open(""); /* we can also use 'alert()' here */
    }

10 III. What we did (Cont’l) Simple Attack – CPU and Stack Attack
An example of a CPU and stack attack that calculates the Fibonacci numbers:

    function fibonacci(n) {
        if (n > 1) return fibonacci(n - 1) + fibonacci(n - 2);
        if (n <= 0) return 0;
        return 1;
    }
    for (i = 0; i < 100000; i++)
        document.write("Fibonacci number " + i + " is " + fibonacci(i) + " ");

11 III. What we did (Cont’l) Simple Attack – Social Engineering Attack
Modify the HTML code in ieframe.dll.mui.
We can add
– some if-goto statements,
– or ask the DLL file to modify the hosts file. Once the user types suntrust.com, the browser searches for the spoofed file, which is then displayed on the screen.
We can also add
– some hidden code and wait. When the user encounters an error, e.g. he/she enters a URL like sutrust.com, the script captures it and displays the fake page.

12 Simple Attack – Social Engineering Attack (cont’l) III. What we did (Cont’l)

13 III. What we did (Cont’l) Simple Attack – Social Engineering Attack (cont’l)
On the attacker’s server:
– Write code on server to receive bank account information

14 IV. Damage Analysis Serious Damage Examples
– Some attackers can gain control of the user account remotely by altering certain HTML parts of the DLL file.
– The hacked computer can then be used as a node to start a DDoS attack.

15 IV. Damage Analysis (Cont’l) Antivirus and Firewall Software
We tested the infected DLL file using Symantec Antivirus / Firewall and Kaspersky Internet Security. The security level in both products was set to Highest. Even though the software can give the user a report when the DLL file tries to access the Internet, most users will let it pass, since users, like the software, tend to trust the operating system.

16 Antivirus and Firewall Software (Cont’l) IV. Damage Analysis (Cont’l)

17 V. Solution Windows File Protection (WFP)
– Applied in Windows XP to prevent programs from replacing critical Windows system files, which include ieframe.dll*
– WFP uses file signatures and catalog files that are generated by code signing to verify protected system files.
– Windows XP checks the signatures about every 6 to 7 seconds.

18 V. Solution (Cont’l) Windows File Protection (WFP) (cont’l)
Replacement of protected system files is supported only through the following mechanisms:
– Windows Service Pack installation using Update.exe
– Hotfixes installed using Hotfix.exe or Update.exe
– Operating system upgrades using Winnt32.exe
– Windows Update
Otherwise the system will prompt the user to use the installation disk to recover the damaged files.

19 V. Solution (Cont’l) Windows File Protection (WFP) (cont’l)
Two major defects:
– The prompt can be overridden by users.
– There are now tools that can completely disable the prompt dialogue and therefore disable the whole protection system.
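The catalog-based check that WFP performs (slide 17), sketched as an added Python example that is not from the original slides or from Windows itself: a catalog of file hashes is authenticated as a whole, so editing a protected file, or rewriting its catalog entry to match, is detected without relying on a user prompt. The HMAC key stands in for the code-signing signature, and the file name and contents are constructed stand-ins.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of a file's bytes."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_catalog(paths, key):
    """Record each file's hash, then authenticate the whole catalog."""
    entries = {str(p): file_digest(p) for p in paths}
    body = json.dumps(entries, sort_keys=True).encode()
    # Assumption: HMAC replaces the publisher's code-signing signature here.
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}

def verify(catalog, key):
    """Return a list of problems; an empty list means everything matches."""
    body = json.dumps(catalog["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, catalog["tag"]):
        return ["catalog: authentication tag mismatch"]
    problems = []
    for name, digest in catalog["entries"].items():
        if not Path(name).is_file():
            problems.append(f"{name}: missing")
        elif file_digest(name) != digest:
            problems.append(f"{name}: hash mismatch")
    return problems

def demo():
    """Run the check on a constructed stand-in file, not a real system DLL."""
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as d:
        dll = Path(d) / "ieframe.dll.mui"
        dll.write_bytes(b"<html>original error page</html>")
        catalog = build_catalog([dll], key)
        clean = verify(catalog, key)
        dll.write_bytes(b"<html>edited error page</html>")
        tampered = verify(catalog, key)
        # The catalog entry is rewritten to match the edited file, without the key.
        catalog["entries"][str(dll)] = file_digest(dll)
        forged = verify(catalog, key)
    return clean, tampered, forged

if __name__ == "__main__":
    print(demo())
```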

20 V. Solution (Cont’l) Write access protection
One better way to prevent this malicious modification is to implement a file system like UNIX.
– Users, including root, do not have write access to some system files.

22 Thank you! Any questions?

