
SANS ISC: Killbit apps for current IE exploit - SANS Internet Storm Center SANS ISC InfoSec Forums

Killbit apps for current IE exploit
Update: I posted this late on Friday (9/15) evening, so I wanted to pull it back onto the front page again.  This looks to me like a perfect avenue for malware drive-bys, and with the likelihood being that this won't be addressed until the next MS monthly patch cycle (gee... who would EVER have thought that the bad guys would start timing THEIR releases to maximize exposure until the next patch-day?!?) we're probably going to be seeing a whole lot of this stuff:

To make life a little easier, I put together two small apps to set and unset the appropriate "kill bit" to block the actions of the current "daxctle.ocx" IE exploit.  They can be found here:

- Standard Windows executable (MD5: 599a2e48602f63a5330eea8259216584)
- Command line version (MD5: 571a19cf51f713b81545ebd6a007d792)

The command line version, when run without any parameters, will set the "kill bit".  When run with any parameter (e.g. something like "/r"), it will remove the "kill bit."

The standard Windows executable, when run, will tell you the current status of the kill bit and offer you the option of changing it.

Hope these help...

Tom Liston
ISC Handler
Senior Security Analyst - Intelguardians


Sep 15th 2006
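
For readers who want to check or manage a kill bit without a third-party binary, the following PowerShell sketch performs the same three operations the post describes (report status, set, remove). It is an added example, not the code of the tools linked above. It assumes Microsoft's documented kill-bit mechanism (the 0x400 bit of the "Compatibility Flags" DWORD under the "ActiveX Compatibility" key); the CLSID shown is a placeholder, because the post does not give the class ID of the control.

```powershell
# Added example; not the code of the tools linked in the post.
# $Clsid is a PLACEHOLDER: substitute the class ID of the control to block.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}',
    [ValidateSet('Status', 'Set', 'Remove')]
    [string]$Action = 'Status'
)

$KillBit   = 0x400                      # kill bit within "Compatibility Flags"
$ValueName = 'Compatibility Flags'
$Key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Get-CompatFlags {
    # Returns the current flags, or 0 when the key or the value is absent.
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

$flags = Get-CompatFlags

switch ($Action) {
    'Set' {
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        # OR the bit in so that any other compatibility flags are preserved.
        $flags = $flags -bor $KillBit
        Set-ItemProperty -Path $Key -Name $ValueName -Value $flags -Type DWord
    }
    'Remove' {
        if (Test-Path $Key) {
            # Clear only the kill bit; leave the key and other flags in place.
            $flags = $flags -band (-bnot $KillBit)
            Set-ItemProperty -Path $Key -Name $ValueName -Value $flags -Type DWord
        }
    }
}

$state = if ($flags -band $KillBit) { 'SET' } else { 'not set' }
# The CLSID contains braces, so it is passed as a format argument, not inlined.
'Kill bit for {0} is {1} ({2} = 0x{3:X8})' -f $Clsid, $state, $ValueName, $flags
```

Writing under HKLM requires an elevated prompt. On 64-bit Windows, 32-bit Internet Explorer reads the copy of this key under `SOFTWARE\Wow6432Node`, so check both locations.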
