R5 – Internet Explorer Proxy Management (IEPM)

This page concerns the Internet Explorer Proxy Management module (IEPM). It identifies the Microsoft Internet Explorer proxy settings.

Features

– Search on the following base of registry keys :
[HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

– For the following registry values :
ProxyOverride
ProxyServer
ProxyEnable
MigrateProxy
ProxyHttp1.1
EnableHttp1_1
AutoConfigProxy

I. PROXY : THE REGISTRY KEY VALUES.

Proxy management revolves mainly around three registry values : "ProxyEnable", "ProxyServer" and "ProxyOverride".

ProxyEnable : Allows or denies the use of a proxy.
ProxyServer : Gives the description of the proxy and its port, for example "http=localhost:8080".
ProxyOverride : Configures the proxy server bypass for local addresses.

Many malware use the proxy settings to establish a direct connection to their servers. This is particularly true of rogues, trojans and some worms with backdoor characteristics, such as KoobFace.

The first thing to observe is the data of the "ProxyEnable" value : it is what allows or denies the connection to the proxy.

The following line indicates that the connection to a proxy is denied or that there is no proxy installed.
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 0
R5 – HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 0

This configuration is generally accompanied by lines in the following format :
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
R5 – HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R5 – HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>

The following lines indicate that the connection to a proxy is authorized :
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 1
R5 – HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 1

It is the latter case that particularly interests the helper, because it allows fraudulent use of a proxy.

We must now look at the other two values, "ProxyOverride" and "ProxyServer".

ProxyOverride configures the bypass of the proxy server for local addresses. Next to the legitimate data above, suspect data overloads the string with semicolon-separated entries, for example "<local>;*.local" or ";localhost;<local>".

ProxyServer gives the description of the proxy and the port it uses. In the malicious case this is usually the loopback address paired with a random port other than 8080. This trick leads one to believe one is in the presence of a legitimate loopback IP address, "127.0.0.1".

In principle, the malware proceeds as follows :
a) It reduces or removes the firewall protection,
b) It manages to open a specific fraudulent port on the local IP address, either through a trojan or by exploiting a flaw in the system security,
c) It puts the information in the data of the "ProxyServer" value, which becomes the new local address rerouted to the specific port,
d) The parameters of this local malware address are passed to the data of the "ProxyOverride" value,
e) It enables the proxy by modifying the data of the "ProxyEnable" value,
f) The proxy uses the ProxyOverride settings to connect to its server through the specific port defined in ProxyServer.

Overview ZHPDiag : rogue cases :

Use of the proxy via the loopback address 127.0.0.1 but with a random port :

—\\ Internet Explorer, Proxy Management (R5)
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 1
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>;*.local
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,Proxyserver = http = 127.0.0.1:5555 (Rogue.AntispywareSoft)
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,Proxyserver = http = 127.0.0.1:5557 (Rogue.AVSecuritySuite)
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,Proxyserver = http = 127.0.0.1:5643 (Rogue.AVSecuritySuite)
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,Proxyserver = http = 127.0.0.1:6522 (Rogue.AntimalwareDoctor)
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,Proxyserver = http = 127.0.0.1:18810 (Rogue.AntiviraAV)
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,Proxyserver = http = 127.0.0.1:25520 (Rogue.SmartEngine)

R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25410 (Rogue.InternetSecurityEssentials)

Overview ZHPDiag : KoobFace infection case (Worm.KoobFace) :

—\\ Internet Explorer, Proxy Management (R5)
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 1
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;localhost
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,proxyserver = http=localhost:7171
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,proxyserver = http=127.0.0.1:8181

Overview ZHPDiag : DNS infection case :

Use of the IP address of an identified Russian proxy server (Ukraine Promnet) on the standard port 8080.

—\\ Internet Explorer, Proxy Management (R5)
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 1
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,proxyserver = 93.188.162.230:80
R5 – HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 1
R5 – HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,proxyserver = 93.188.162.230:80
O17 – HKLM\System\CCS\Services\Tcpip\..\{04F87BC5-7D49-4D5C-A720-07BA8A9A8C0B}: NameServer = 93.188.162.230,93.188.166.210
O17 – HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.230,93.188.166.210
O17 – HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 93.188.162.230,93.188.166.210

Overview ZHPDiag : miscellaneous infection case (trojan TROJ_PROXY.AEI) :

Use of the proxy via the loopback address 'localhost' modified with a random port :

—\\ Internet Explorer, Proxy Management (R5)
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 1
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,proxyserver = http=localhost:7070


II. PROXY : THE SECONDARY REGISTRY VALUES.

Next to the main registry values, we find other values that affect the proxy setting : the values "AutoConfigProxy", "MigrateProxy", "ProxyHttp1.1" and "EnableHttp1_1".

1) AutoConfigProxy.

The data in this registry value gives access to the internet features through the wininet.dll resource.
The wininet.dll resource (Win32 Internet Extensions) contains the Windows WinInet API functions. This API manages the internet access features, including the HTTP protocol used by the Internet Explorer browser.

Three cases are possible : legitimate, abnormal or malware :

a) First, the legitimate case : the resource is present in its original %System32% system folder.
R5 – HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigProxy = wininet.dll

NB : To verify that the resource is not patched, a wininet MD5 search is added in the header of the report.
—\\ Special search for generic files
[MD5.78B9ADA2BC8946AF7B17678E0D07A773] – (.Microsoft Corporation – Extensions Internet pour Win32.) (.21/12/2010 06:38:22.) — C:\Windows\System32\wininet.dll [981504]

b) Then the abnormal case, which causes a malfunction in Internet Explorer : the resource is absent from its original %System32% folder :
R5 – HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigProxy = wininet.dll (Not give)

c) Finally the possible malware case, where the resource has been replaced :
R5 – HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigProxy = Mininet.dll

2) MigrateProxy.

The data in this registry value allows or denies the remote proxy configuration entered by the user.

a) This line shows that the proxy configuration cannot be changed :
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,MigrateProxy = 0

b) This line shows that the proxy configuration can be modified :
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,MigrateProxy = 1

3) ProxyHttp1.1

The data in this registry value toggles the HTTP1.1 Proxy.

a) This line indicates that the HTTP1.1 proxy is enabled :
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyHttp1.1 = 1

b) This line indicates that the HTTP1.1 proxy is disabled :
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyHttp1.1 = 0

4) EnableHttp1_1

The data in this registry value allows or denies the execution of HTTP/1.1 GET requests.
To be operational, the HTTP1.1 proxy must be enabled (ProxyHttp1.1 = 1).

a) These lines allow the execution of HTTP/1.1 GET requests :
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyHttp1.1 = 1
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,EnableHttp1_1 = 1

b) These lines allow the execution of HTTP/1.0 GET requests :
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyHttp1.1 = 1
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,EnableHttp1_1 = 0

EXAMPLES :

1 – Legitimate case without proxy :

– ProxyServer is missing,
– ProxyEnable is disabled,
– Internet Explorer HTTP1.1 GET requests are allowed.

—\\ Internet Explorer, Proxy Management (R5)
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = no key
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 0
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,MigrateProxy = 0
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyHttp1.1 = 1
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,EnableHttp1_1 = 1
R5 – HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigProxy = wininet.dll

2 – Abnormal case, malfunction :

– ProxyEnable is enabled,
– ProxyServer is rerouted to a specific port,
– AutoConfigProxy prevents the features of the wininet.dll resource (original %System32% folder) from running.

—\\ Internet Explorer, Proxy Management (R5)
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8080
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 1
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,MigrateProxy = 1
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyHttp1.1 = 1
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,EnableHttp1_1 = 1
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigProxy = wininet.dll (.Not give)

3 – Malware case :

– ProxyEnable is enabled,
– ProxyServer is rerouted to a specific port,
– AutoConfigProxy will run patched wininet API features.

—\\ Internet Explorer, Proxy Management (R5)
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:4343
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 1
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,MigrateProxy = 1
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyHttp1.1 = 1
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,EnableHttp1_1 = 1
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigProxy = C:\Users\Coolman\AppData\Roaming\wininet.dll

4 – Malware case (proxy hijack) :

M2 – MFEP: prefs.js [Audrey J – mfkcaitw.default foxyproxy@eric.h.jung] [] FoxyProxy Basic v2.2 (.LeahScape, Inc..) => Web infection (Hijacker.Proxy)
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,Autoconfigproxy = 0 => Web infection (Hijacker.Proxy)
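As an added example, not part of ZHPDiag or of this page, the checks from sections I and II above applied to R5 lines in the report format shown here: parse the lines, then flag an enabled proxy on the loopback address with a port other than 8080 (or any other enabled proxy, for review), a ProxyOverride padded with semicolon-separated entries, and an AutoConfigProxy that is not the bare wininet.dll. The two sample reports are constructed for the example; the value names and thresholds come from this page.

```python
import re

# One ZHPDiag R5 line: "R5 - <hive\key>,<ValueName> = <data>" (the dash may be an en dash).
R5_LINE = re.compile(r"^R5\s+[-–]\s+(?P<key>[^,]+),(?P<name>[\w.]+)\s*=\s*(?P<data>.*)$")
LOOPBACK = {"127.0.0.1", "localhost"}
# Constructed sample reports in the format shown on this page (not real captures).
CLEAN_REPORT = """\
R5 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = *.local
R5 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyEnable = 0
R5 - HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,AutoConfigProxy = wininet.dll
"""
ROGUE_REPORT = """\
R5 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyEnable = 1
R5 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = <local>;*.local
R5 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,Proxyserver = http = 127.0.0.1:5555
R5 - HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,AutoConfigProxy = C:\\Users\\x\\AppData\\Roaming\\wininet.dll
"""

def parse_r5(report: str) -> dict:
    """Map lower-cased value name -> data (reports mix ProxyServer / Proxyserver / proxyserver)."""
    values = {}
    for line in report.splitlines():
        if m := R5_LINE.match(line.strip()):
            values[m.group("name").lower()] = m.group("data").strip()
    return values

def proxy_endpoint(data: str) -> tuple:
    """'http = 127.0.0.1:5555' or '93.188.162.230:80' -> (host, port or None)."""
    target = data.split("=", 1)[-1].strip()  # drop an optional "http=" scheme prefix
    host, _, port = target.rpartition(":") if ":" in target else (target, "", "")
    return host.strip().lower(), int(port) if port.isdigit() else None

def assess(values: dict) -> list:
    """Flag the patterns the page describes; an empty list means nothing suspicious."""
    findings = []
    server = values.get("proxyserver", "no key")
    if values.get("proxyenable") == "1" and server.lower() != "no key":
        host, port = proxy_endpoint(server)
        if host in LOOPBACK and port != 8080:
            findings.append(f"ProxyEnable=1 with loopback proxy on non-standard port {port}")
        else:
            findings.append(f"ProxyEnable=1 with proxy {host}:{port}; confirm it is expected")
    override = values.get("proxyoverride", "")
    if ";" in override:  # legitimate data is a single "*.local" or "<local>" entry
        findings.append(f"ProxyOverride padded with semicolon-separated entries: {override!r}")
    acp = values.get("autoconfigproxy")
    if acp is not None and acp.lower() != "wininet.dll":
        findings.append(f"AutoConfigProxy is not the bare wininet.dll: {acp!r}")
    return findings
```

Running `assess(parse_r5(ROGUE_REPORT))` returns three findings (loopback port 5555, padded override, relocated wininet.dll), while the clean report returns an empty list.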

Action ZHPFix

R5 – {Key}, {ValueKey} = {DataKey}

{Key} : Registry key (see the list above).
{ValueKey} : Value of the key {Key}, for example : ProxyOverride, ProxyServer.
{DataKey} : The data of the value {ValueKey}.

– The tool initializes the data {DataKey} of the key value :

a) For the ProxyServer value, the data is initialized with the default "http://127.0.0.1:8080",
b) For the ProxyOverride value, the data is initialized with the default "*.local",
c) For the AutoConfigProxy value, the data is initialized with the default "wininet.dll",
d) In all other cases, the data of the value is emptied.

Report ZHPFix

Input line :
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

Report of ZHPFix v1.12.3255 by Nicolas Coolman, Update of the 20/02/2011

= The registry data item =.
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local> => Data deleted successfully
R5 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555 => Data deleted successfully

= Summary =.
2 : The registry data item

Links

R5 – ProxyOverride in Loopback mode.