Monday, September 11, 2006

Part 1: Internet Explorer Security

While I was programming Registry Tweaker, I discovered some things related to Internet Explorer and the registry. As we all know, 99% of programs use the registry to store settings, and IE is no exception. I will describe some techniques that spyware removal tools, like SpywareBlaster and SpyBot, use. So, let's start with the first part.

If you are familiar with spyware removal programs, then you have probably seen that, besides other things, the program scans a part of the registry which contains long strings like this: {00000566-0000-0010-8000-00AA006D2EA4}. This string is called a CLSID and identifies an ActiveX Control; each control has its own number. The whole registry path looks like this: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}
Under the HKEY_LOCAL_MACHINE hive there is a key, \SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility, which contains the CLSIDs. The CLSIDs are registry keys themselves (not values). One step further: under each CLSID key there is one important value, which carries the setting that disables the ActiveX control (please note: to re-enable the control you delete its CLSID key from the registry). This value is called Compatibility Flags and is of type REG_DWORD. The magic value is 1024 in decimal, or 400 in hexadecimal. Here is an example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}
value name: Compatibility Flags
value: 1024

Here is a screenshot taken directly from regedit:



And that's it! Easy, isn't it? This is the technique that SpywareBlaster, Spybot (and others) use to immunize Internet Explorer against unwanted ActiveX Controls (i.e. prevent them from running). The hard part is that you have to get the CLSIDs from the controls' authors or, the more exciting way, discover them yourself :D Use virtual machines, where you can test them, infect the machine, etc. Of course the most elegant way is to get a database online, or just extract the CLSIDs from the databases of other spyware removal tools. How you do it is up to you.
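As an added example (not the author's code and not part of Registry Tweaker), here is a small Python script that writes a .reg immunization file using exactly the key and value described above, and audits a regedit export of that key to report which CLSIDs really have the 0x400 bit (the kill bit) set. The CLSIDs in the sample export are constructed; the function names are my own.

```python
import re

# Key/value from the post; 0x400 (1024) is the "kill bit" IE checks before loading a control.
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x400
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def immunize_reg(clsids, enable=False):
    """Return .reg text that sets the kill bit for each CLSID. With enable=True it
    emits [-KEY] lines instead, which delete the CLSID key (the post's way to re-enable)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        if not CLSID_RE.match(clsid):
            raise ValueError(f"not a CLSID: {clsid!r}")
        if enable:
            lines.append(f"[-{KEY}\\{clsid.upper()}]")
        else:
            lines.append(f"[{KEY}\\{clsid.upper()}]")
            lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
        lines.append("")
    return "\r\n".join(lines)


def audit_reg(text):
    """Map each CLSID in a regedit export to True/False: is bit 0x400 set? A key that
    exists without a Compatibility Flags value, or with other bits only, is NOT disabled."""
    key_re = re.compile(r"^\[" + re.escape(KEY) + r"\\(\{[^}]+\})\]$", re.I)
    val_re = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{1,8})$', re.I)
    result, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := key_re.match(line):
            current = m.group(1).upper()
            result[current] = False  # key seen, no kill bit yet
        elif (m := val_re.match(line)) and current:
            result[current] = bool(int(m.group(1), 16) & KILL_BIT)
    return result


# Constructed sample export (not data from a real machine).
SAMPLE_EXPORT = "\r\n".join([
    "Windows Registry Editor Version 5.00", "",
    f"[{KEY}\\{{AAAAAAAA-0000-0000-0000-000000000001}}]",
    '"Compatibility Flags"=dword:00000400', "",  # kill bit set: disabled
    f"[{KEY}\\{{AAAAAAAA-0000-0000-0000-000000000002}}]",
    '"Compatibility Flags"=dword:00000001', "",  # a flag, but not 0x400: still loads
    f"[{KEY}\\{{AAAAAAAA-0000-0000-0000-000000000003}}]", "",  # key only: still loads
])
```

Import the .reg produced by immunize_reg with regedit (it needs administrator rights for HKLM), and run audit_reg over a regedit export of the ActiveX Compatibility key to check which immunizations actually took.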

Next time I'll talk more about IE security. So, come back later ;)
