Review: Vista, XP Users Equally At Peril To Viruses, Exploits

Printer-friendly version Email this CRN article


Vista's Windows Defender successfully blocked a trojan executable called Backdoor.Win32.Hupigon.emb.

But Vista missed another Trojan executable, one first named and detected in September 2006, months before Vista's release, which the Finjan appliance did flag.

Vista produced only the usual generic warning that running the file might cause problems. XP gave similar warnings and then allowed the engineer to run both Trojans.


Vista with IE 7 detected a malicious remote data services (RDS) ActiveX control on one PHP-based Web site. On four other sites that used similar exploits, however, IE 7 gave no warning at all. RDS exploits can be used to take a system down with a denial-of-service (DoS) attack by corrupting IE's heap, and potentially to execute code remotely.

It's not clear how IE 7 detected the bad control on the first site. It's possible that the other four sites went undetected because their code was not targeting Vista. On XP, however, some of those sites were able to run client-side code.

Vista might also have failed to detect the code because the hackers obfuscated it. Code obfuscation is a technique hackers often use to scramble a program's structure so that it evades signature-based detection; polymorphic viruses typically hide their signatures this way.

A newer technique is to obfuscate the code dynamically, at run time, so that there is no stable signature to match: each copy of the malware can, for example, rename its functions and re-encrypt its body under a different key. This technique is now spreading to Web scripting languages such as JavaScript as well.

Windows XP with IE 6 failed to detect every one of the sites carrying RDS exploits, and likewise every one of the sites carrying obfuscated RDS exploits. Vista, too, failed to detect the obfuscated code. All of these sites delivered their malicious code embedded in JavaScript.

According to Finjan, some of the sites used for testing ran a new PHP application called MPack to execute code on visitors' machines. Hackers install the MPack tool on PHP sites to push code to unsuspecting users' PCs. Exploits using MPack became known late last year.

MPack poses a serious threat because its code is typically delivered through a malformed home page, and when it goes undetected hackers can use it to deliver Trojans or just about any code they wish. In addition, two of the test sites carried the Neosploit malware tool, which bundles several distinct exploits. Neither OS detected the MPack or Neosploit signatures on any of the malicious sites that carried them.


Both OSes failed to block spoofed content and vector-based images with embedded scripts.

Vector Markup Language (VML) and other vector image formats pose a significant threat because a malicious image can give hackers remote code execution. Hackers use simple redirects to pull users into sites riddled with malware and bots. Neither past nor current Windows architectures can reliably detect scripts embedded in images.

Finjan reported 19 scripting violations, many of them from Web sites. Two scripts had spyware embedded in them, and some of the scripts used code obfuscation to hide their signatures. Because the Finjan appliance judges a script by its behavior rather than by matching its bytes, it detected these scripts; Vista and XP did not flag them.

Next: How Vista, XP Security Stack Up
