block net access to Regsvr32.exe ASAP.

Elixer

Lifer
May 7, 2002
10,371
762
126
If you have a decent firewall (and you should), block network access to Regsvr32.exe ASAP.

http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html

In short, it is possible to use Regsvr32.exe to execute a remote URL script on your system, and do all sorts of nasty stuff.

More info here http://www.bleepingcomputer.com/new...nstall-ransomware-through-jscript-installers/

And if you want a video of this exploit: http://www.youtube.com/watch?v=t8SpYn5GkHA

**A/V programs will not stop this!**
 
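As an added example (not from the thread or the linked blog), this PowerShell creates the outbound block the post recommends using the built-in Windows Defender Firewall cmdlets, for both the 64-bit and 32-bit copies of regsvr32.exe, and then lists the rules to confirm them; the rule names are my own choice.

```powershell
# Added example: block outbound network access for regsvr32.exe with
# Windows Defender Firewall, then verify. Run from an elevated prompt.
$targets = @(
    "$env:SystemRoot\System32\regsvr32.exe",
    "$env:SystemRoot\SysWOW64\regsvr32.exe"
)

foreach ($exe in $targets) {
    # SysWOW64 does not exist on 32-bit Windows, so skip missing paths
    if (-not (Test-Path $exe)) { continue }

    $name = "Block outbound - $exe"   # rule name chosen for this example
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name `
            -Direction Outbound -Action Block -Enabled True `
            -Profile Any -Program $exe | Out-Null
    }
}

# Verify: show direction, action and the program each rule is bound to
Get-NetFirewallRule -DisplayName 'Block outbound - *' |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallApplicationFilter
        '{0,-9} {1,-6} {2}' -f $_.Direction, $_.Action, $filter.Program
    }
```

The rule only stops regsvr32.exe from reaching the network through the host firewall; it does not prevent the binary from running locally, so treat it as one layer alongside application control and command-line logging.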

VirtualLarry

No Lifer
Aug 25, 2001
56,570
10,204
126
I guess, I'm not sure why this is such a big deal? Don't you already need shell-level access on the remote machine to execute the REGSVR32.EXE command-line?

And it doesn't seem to allow a privilege-escalation. So what's the big deal? If I've got someone doing remote shell accesses on my machine, it's already been compromised, IMHO.

Is this just mitigation to prevent further compromise?

Edit: Unless it's somehow possible to use JavaScript to execute shell commands, or otherwise call REGSVR32.EXE from JavaScript?
 

VirtualLarry

No Lifer
Aug 25, 2001
56,570
10,204
126
Although, this could be an attack vector for compromised USB devices. (Keyboards, or devices that masquerade as a keyboard, to inject commands.)
 

Elixer

Lifer
May 7, 2002
10,371
762
126
What is going on is, malware can use Regsvr32 to install programs via a remote computer by running a script.
Since Regsvr32 is a system file, all A/V programs ignore it.
If you block outbound access from Regsvr32, then it can't do anything.
 

TheRyuu

Diamond Member
Dec 3, 2005
5,479
14
81
> What is going on is, malware can use Regsvr32 to install programs via a remote computer by running a script.
> Since Regsvr32 is a system file, all A/V programs ignore it.
> If you block outbound access from Regsvr32, then it can't do anything.

So would a better way to describe this be as an escalation of privilege vulnerability? It still requires a method to get you to run this script either by compromising software (e.g. a browser) or through some user interaction.
 

John Connor

Lifer
Nov 30, 2012
22,757
618
121
And herein lies the vector:

> This obviously leads to a whole mess of possibilities where an attacker can do very bad things to your computer as long as they have access to it. Unfortunately, there are many ways for an attacker to gain access to a computer, whether it be through an exploit kit or a vulnerability.

+1 for Sandboxie and Noscript.
 

Elixer

Lifer
May 7, 2002
10,371
762
126
> So would a better way to describe this be as an escalation of privilege vulnerability? It still requires a method to get you to run this script either by compromising software (e.g. a browser) or through some user interaction.

Yes, it can be a perfectly benign program that the user runs, for example, many installers ask for system access (even if they don't actually need it), and all the malware needs to do is hijack the installer, run regsvr32 to activate a script, and that is all she wrote.

The biggest issue here is the trust factor MS built into this program: it just trusts everything, which shouldn't be the case.