The Power of (Misplaced) Trust: HTAs and Security

We have seen a few spam samples today which use the old tactic of HTML Application (.hta) scripting to get malicious code onto a Windows machine via Internet Explorer. A gullible user is only two non-default security settings and one socially-engineered click away from further badness.

The spam messages flog some news item (e.g. a new song from Michael Jackson) to coax you into clicking the link. This link redirects your browser to an HTA file, which contains scripts to download and run several EXE and DLL files.

From Microsoft’s Introduction to HTAs:

As fully trusted applications, HTAs carry out actions that Internet Explorer would never permit in a Web page. The result is an application that runs seamlessly, without interruption.

… And HTAs have read/write access to the files and system registry on the client machine.

Now that seems like a lot of power. Fortunately, browsing to the site opens the web page in the ‘Internet’ Security zone — the least trusted and most restricted security settings. The default settings for this zone (the ‘Medium’ configuration) will not allow the HTA file to carry out its malicious doings. However, if you have customized your security settings, you should check the following:

– Initialize and script ActiveX controls not marked as safe

If this setting is ‘Enabled’, the HTA is allowed to run the code to attempt the HTTP GET requests for the malicious EXEs.

– Access data sources across domains

This setting is only required if the HTA and malicious binaries are hosted on separate domains (they are in this case). Enabling it allows the HTTP GET requests made from the HTA scripts to proceed. If (and when) a campaign chooses to co-locate the HTA and EXE malware on the same domain, only the first setting would be required.
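One way to check these two settings on a Windows machine without clicking through the Internet Options dialog is to read the Internet zone's configuration from the registry. The script below is an added example for this post, not code from the original article or from Sophos. It assumes the documented layout of Internet Explorer's zone settings: per-user values under `HKCU:\...\Internet Settings\Zones\3` (zone 3 is the Internet zone), with value `1201` for "Initialize and script ActiveX controls not marked as safe", value `1406` for "Access data sources across domains", and the data `0` = Enable, `1` = Prompt, `3` = Disable. The machine-wide `HKLM` key of the same name is checked as well because a policy set there takes precedence over the user's customization.

```powershell
# Added example (not from the original post): audit the two Internet-zone
# settings the post names. Assumptions: Zones\3 is the Internet zone, value
# 1201 = "Initialize and script ActiveX controls not marked as safe",
# value 1406 = "Access data sources across domains", data 0/1/3 = Enable/Prompt/Disable.

function Get-InternetZoneHtaRisk {
    $valuesOfInterest = @{
        '1201' = 'Initialize and script ActiveX controls not marked as safe'
        '1406' = 'Access data sources across domains'
    }
    $labels = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

    # HKLM is listed first: when present it overrides the per-user value.
    $hives = @(
        @{ Scope = 'Machine'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' },
        @{ Scope = 'User';    Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' }
    )

    foreach ($hive in $hives) {
        if (-not (Test-Path $hive.Path)) { continue }
        $zone = Get-ItemProperty -Path $hive.Path

        foreach ($valueName in $valuesOfInterest.Keys) {
            $raw = $zone.PSObject.Properties[$valueName]
            if ($null -eq $raw) { continue }   # value not set in this hive

            $data  = [int]$raw.Value
            $label = if ($labels.ContainsKey($data)) { $labels[$data] } else { "Unknown ($data)" }

            # The post's concern is the 'Enabled' state; anything else is worth a look
            # only if it differs from what you expect for the Medium configuration.
            [pscustomobject]@{
                Scope   = $hive.Scope
                Value   = $valueName
                Setting = $valuesOfInterest[$valueName]
                State   = $label
                Risky   = ($data -eq 0)
            }
        }
    }
}

# Usage: list both settings from both hives, then flag any that are Enabled.
$results = Get-InternetZoneHtaRisk
$results | Format-Table Scope, Value, Setting, State, Risky -AutoSize

$risky = $results | Where-Object { $_.Risky }
if ($risky) {
    Write-Warning "Internet zone allows the behaviour this HTA spam relies on: $($risky.Setting -join '; ')"
} else {
    Write-Host 'Neither setting is Enabled for the Internet zone.'
}
```

If a value appears under both scopes, the Machine row is the one that applies; a Machine row is typically the result of Group Policy rather than a user clicking through Internet Options. Running this on a sample of workstations is a quick way to find the customized configurations the post warns about before a user finds the link.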

As stated, malicious HTAs are an old trick. Sophos detects the sample seen today (Troj/Psyme-KS) as part of the Mal/Psyme-A family, which dates back to January 2007. W32/Feebs-FAM is another HTA malware family; it sent out the HTA as a spam attachment, such that a clumsy double-click of the file would run it with local security privileges (rather than the restricted Internet privileges described above). Thus, be wary of unexpected .hta files and, as always, don’t get fooled into following spam content.