ICQ hack, watch out
Got this today:
"I have created an example exploit on http://www.xs4all.nl/~jkuperus/icq/icq.htm that starts a little flame program.

It works as follows: the default action for ICQ soundscheme (scm) files is open; it places the wav files included with the scm file in a known location on the hard disk. flame.scm will be downloaded and installed in C:\Program Files\ICQ\Sounds\flame[1]

The scm file I use creates an auth.wav file. In reality, however, this is not a wav file but an mht (mail archive file) with an embedded base64 encoded executable. Then I use one of the many available local code execution vulnerabilities found in Internet Explorer recently to execute the embedded binary with this URL:

mhtml:file:///C:/Program%20Files/ICQ/Sounds/flame/Auth.wav!file:///C:/fire.exe

I don't think it's necessary to use one of IE's exploits, as you can also call html files in the mht archive, but for some reason I wasn't able to get this to work right away.

>>Workaround<<

For a short term solution, open Explorer (the file manager, not the browser), go to the file types tab in Tools > Folder Options, locate the scm extension and change the default behaviour to prompt before download.

In the long term ICQ will have to use something like random folder names for soundschemes to prevent this from happening." |
Now this is useful info!!!
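The advisory quoted above depends on a file named Auth.wav that is really an MHT archive. As an added example (not part of the thread or the advisory), this Python script flags .wav files under a sound directory whose content is not RIFF/WAVE; the function names, the MIME-marker heuristic and the sample files are constructed for illustration.

```python
import os
import tempfile

# Header lines typical of an MHT (MIME HTML archive); heuristic, not exhaustive.
MIME_MARKERS = (b"mime-version:", b"content-type: multipart/related",
                b"content-transfer-encoding: base64", b"content-location:")

def classify_wav(data: bytes) -> str:
    """Return 'wave', 'mhtml' or 'unknown' from the first bytes of a file."""
    # A real WAV is a RIFF container: b"RIFF", 4-byte size, then b"WAVE".
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "wave"
    head = data[:4096].lower()
    if sum(marker in head for marker in MIME_MARKERS) >= 2:
        return "mhtml"
    return "unknown"

def scan_sound_dir(root: str) -> list:
    """List (relative path, kind) for every *.wav that is not real audio."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".wav"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                kind = classify_wav(fh.read(4096))
            if kind != "wave":
                findings.append((os.path.relpath(path, root), kind))
    return sorted(findings)

def make_constructed_samples(root: str) -> None:
    """Write two constructed files: a genuine WAV header and an MHT posing as .wav."""
    scheme = os.path.join(root, "flame")
    os.makedirs(scheme)
    with open(os.path.join(scheme, "Online.wav"), "wb") as fh:
        fh.write(b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt " + bytes(28))
    with open(os.path.join(scheme, "Auth.wav"), "wb") as fh:
        fh.write(b'MIME-Version: 1.0\r\nContent-Type: multipart/related; '
                 b'boundary="b"\r\n\r\n--b\r\nContent-Location: placeholder.bin\r\n'
                 b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--b--\r\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_samples(tmp)
        for rel, kind in scan_sound_dir(tmp):
            print(f"{rel}: extension says wav, content looks like {kind}")
```

Pointed at a real ICQ Sounds directory instead of the temporary one, the same scan reports any sound-scheme file whose extension and content disagree.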
That's why I like this board!!! :winkwink: |
that's scary... that's why i don't use icq anymore.. it's unsafe and users with icq can get hacked
|
Feel free to call me stupid, but...
C:/Program%20Files/ICQ/Sounds/flame/Auth.wav I found this, now what is it we need to do to prevent what? |
THIS IS FUCKING UNREAL!!
I cannot believe ICQ does this... it shocked the hell outta me, since I thought that URL was a page that was going to explain the hack in more detail... WOW! This should be posted in a forum or thread where everyone can read it... to make sure everyone can read it. |
I hope
cheatski.com doesn't find out about this :1orglaugh |
I found that just deleting the sounds directory prevents this. I never use the sounds anyway, so I already had them turned off before I did this. ICQ doesn't seem to mind.
|
we will see this on millions of gallery pages soon. hint, if you tweak the script a little you can autoinstall dialers and shit, and ICQ is not really necessary to get it working ...
thanks for posting, idiot, twat, pissnelke !!! |
Quote:
How is this done? |
Quote:
does that apply to all versions of icq ? if someone can help me out icq me please #121258311 |
Quote:
|
:(
|
that's crazy, i am practically computer illiterate, and even I can figure out how to fuck with someone's computer with a program like that...scary shit.
|
|
I don't know if my method of deleting the 'sounds' directory works for all versions of ICQ or not. All I know is that the program cannot be run, if the html file is looking for it in a directory that does not exist. So, yes, it will prevent this no matter which ICQ version you use. BUT I CANNOT GUARANTEE that it will not fuck up your ICQ. So make sure you can restore the directory if it doesn't work. (I hate those ICQ sounds, anyway, so I have them turned off.)
Also, realize that this can probably be done in other programs that auto download and install (WHY THE FUCK does windows allow this to happen? We are supposed to be able to tell windows to download or run from location for each file it downloads through IE). Winamp does this with plugins, so the same thing would be possible if the plugins go to the same directory every time. ALSO REALIZE that these programs do not have to contain viruses that can be detected by your virus scanner. They can very well contain new viruses OR THEY COULD SIMPLY CONTAIN A PROGRAM THAT DELTREES YOUR ENTIRE SYSTEM. Virus scanners would not catch this, as it is not a virus, and does not attempt to hide itself or recreate itself. This is too fucking crazy, and makes me mad :mad: that idiots can allow for such stupid security flaws. Windows, ICQ, winamp, and any other program that sets its file associations to allow for auto download and auto run, are all to blame. All in the effort to make these programs easy for morons to install, because they can't remember where files go when they get downloaded. |
Quote:
|
Neither Funbrunette nor I have been able to log on to ICQ today...
I hope this isn't the reason why.... |
Anyone ever try the icq alternatives? Like SecureICQ?
Take a look: http://download.com.com/3120-2001-0-...re+icq&ca=2001 |
Trillian :thumbsup
|
Quote:
Tell me how to fix that too if you please, this wasn't a funny thread :321GFY |
Fuck it, I got it :ak47: :winkwink:
|
Quote:
|
Didn't work on my system.
Is that because I have ICQ sounds turned off or because I have Windows XP or ...? |
I should not have any problem...as I have ICQ installed on my D: drive. but am going to check anyway.
|
Quote:
to the next action :1orglaugh DynaMite |
Quote:
|
As long as you're running a firewall, and don't have the firewall set to let programs automatically do shit like that, you're FINE!
|
I have a firewall, but it didn't block this program from being run, according to the default settings.
It didn't stop it from downloading the files since it has given ICQ the right to download sound themes (the .exe was hidden in a sound themes file). And then the html runs the hidden file (somehow - I didn't really look to see what was going on) from your own computer... I am not sure why it let this happen, but I do know that a lot of programs are run on your own computer without your permission... Has anyone analyzed the file, yet? |
good catch!
|