The Latest in IT Security

CVE-2012-1889 is still alive!

11
Nov
2013

In  Zscaler’s daily
scanning, we identified an instance where CVE-2012-1889 (MSXML Uninitialized
Memory Corruption Vulnerability) is still alive. Lets take a look.

The site
hxxp://wm.17wan.info:9999/zx/zip.html?mag.fznews.com.cn is a Chinese site,
which targets online gamers by serving malicious code which exploits Microsoft
XML Core Services. This attack allows  a remote
attacker to execute arbitrary code or cause a denial of service (memory
corruption) via a crafted web site. The site serves highly obfuscated code to evade
antivirus solutions. 

VirusTotal lookup

https://www.virustotal.com/en/file/3eaf208c67ec268b969f260f55ef7d70fd06f3b086a6dcc9fdfb57758dd62240/analysis/1380076165/
You can see the highly obfuscated code served by the
malicious site in the screen shot below.


The highlighted code shows that the a CLSID object is being
used, which is exploited by parsing long strings of the letter “A”. This CLSID
object is related to the vulnerability detailed in CVE-2012-1889.

Lets take a look at a beautified version of this code.

This highlighted section shows the suspicious function,
which leverages the shell code for exploiting the vulnerability.

Here function heapLib() performs a heap spray. You can see
the complete series of functions utilized in the full attack.

Let’s decode the script which is shown in first screen shot

The decrypted source code shows that random named parameters
are used for obfuscation of the original code. The chunks of code are combined
into a final code snippet, which is then decoded again for making the actual
shell code. Here you can see that the variable “t” is using the “MYKEY”
parameter and “MYKEY” is using the “MY” parameter to construct the final chunk.
This final chunk is again decoded by the function utf8to6() and nbcode(), which
are defined in the source code for the final payload and that is used by the
window object. At the end of the code the “t” variable generates the final
javascript snippet which executes the shellcode.

This is the javascript which is generated at variable “t”.  Again, this script is obfuscated. Obfuscation is
primarily used by malware authors to avoid antivirus detection. It should be
noted that malware authors do not always leverage 0-days, in fact most
techni
cal attacks utilize known vulnerabilities as attackers know that a large
percentage of PC users have not applied the latest patches.


An interesting observation is that the javascript is written
in such a way that it only works on IE. It avoids delivering an unnecessary
heap spray when loaded in another browser. That’s why when you open this site
with IE it crashes IE and while opening with any other browser it works fine. It
does however attempt to serve alternate malicious files to other browser users
such as the samples described below.

Here you can see the sourcode contains a link which drops
a malicious Rar file.

VirusTotal lookup



https://www.virustotal.com/en/file/b732b09a6cacd78a8c6a789e8ee17b8c741de2c0234886decf6ce1807808c305/analysis/

HTTP Transactions 

This site makes a connection with following sites

  •   Js.users.51.la 
  •  Web1.51.la:82

Zscaler provides complete protection for these threats.

Leave a reply


Categories

TUESDAY, AUGUST 20, 2019
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments

Social Networks