Zero-Day Season Is Really Not Over Yet
I can confirm, the zero-day season is really not over yet. Less than three weeks after the discovery of the Java SE 7 0day, aka CVE-2012-4681, potentially used by the Nitro gang in targeted attacks, a potential Microsoft Internet Explorer 7 and 8 zero-day is being actively exploited in the wild.
First, I would like to thank the nice people (@binjo, @_sinn3r and all the guys on the Metasploit IRC channel on freenode) who helped me understand and go further in my investigation.
Second, I would like to clarify some points:
- I wasn’t a target of the 0day; I tested it in my lab. This misunderstanding was introduced by Reuters in their press release.
- I did this research on my personal time; it is not linked to my professional activities. This misunderstanding was introduced by Reuters in their press release.
- I don’t pin the responsibility on the Nitro gang; if you read my blog post, you will see that I found coincidences.
- I don’t know the timeline of the vulnerability, including when it was discovered and how long it has been exploited.
Since the release of the Java SE 7 0day I had been monitoring some of the infected servers used by the alleged Nitro gang (take a look at the updates at the end of the blog post). On the morning of September 14th, I discovered a “/public/help” folder on one of these servers, the Italian one (smile to @PhysicalDrive0).
As seen in the following screenshot, 4 files were hosted in this folder, and being curious, I downloaded everything to see what these files were about.
I tested these files on an up-to-date Microsoft Windows XP Pro SP3 with an up-to-date Adobe Flash Player (11,4,402,265). Surprise: they dropped files on my test computer (see the demonstration video below)! A new 0day? I then decided to take a deeper look at the grabbed files.
exploit.html
This file is recognized as an HTML file and is detected by 0 anti-viruses on VirusTotal (9d66323794d493a1deaab66e36d36a820d814ee4dd50d64cddf039c2a06463a5).
“exploit.html” is the entry point of the attack. This file creates an array of “img” elements and loads the “Moh2010.swf” Flash file.
Moh2010.swf
This file is recognized as a Macromedia Flash Player movie and is detected by 0 anti-viruses on VirusTotal (70f6a2c2976248221c251d9965ff2313bc0ed0aebb098513d76de6d8396a7125).
You can observe that the file is packed with DoSWF and is decompressed in memory. After decompression, the “Moh2010.swf” file sprays the heap and evals an iframe pointing to the “Protect.html” file.
The ActionScript embedded in the original packed SWF file is also interesting; you will see some special encoding (Chinese?).
The decoded SWF file is known as “Exploit:SWF/CVE-2010-2884.B” or “SWF:Dropper” on VirusTotal (dd41efa629c7f7f876362c5ca6d570be6b83728a2ce8ecbef65bdb89cb402b0f) and is detected by only 3/34 anti-viruses. Thanks to binjo.
During exploitation, this file also checks whether the web site is already present in the Flash Website Storage Settings panel, in which case it no longer loads the “Protect.html” file. This means that once infected, the user will not be exploited again on further visits to the web site.
Screenshots: display on the first visit, display on successful exploitation, display on further visits.
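The “already visited” check described above relies on a Flash Local Shared Object, the per-site storage that the Website Storage Settings panel lists. As an added forensic example (my own code, not the post’s or the captured SWF’s), here is a Python helper that walks a Flash Player “#SharedObjects” tree, parses each .sol header and reports which domains left such a marker. It assumes the SWF’s marker is an ordinary .sol file, uses the standard .sol header layout, and the “attacker.example” domain and the fixture tree are constructed placeholders.

```python
import os
import struct
import tempfile

SOL_MAGIC = b"\x00\xbf"
SOL_TAG = b"TCSO"

def parse_sol_name(data):
    """Return the shared-object name from a .sol header, or None if malformed.
    Assumed standard layout: 00 BF, u32 length of the rest, 'TCSO',
    00 04 00 00 00 00, u16 name length, name, u32 AMF version, AMF data."""
    if len(data) < 18 or data[:2] != SOL_MAGIC or data[6:10] != SOL_TAG:
        return None
    if struct.unpack(">I", data[2:6])[0] != len(data) - 6:
        return None
    nlen = struct.unpack(">H", data[16:18])[0]
    if len(data) < 18 + nlen + 4:
        return None
    return data[18:18 + nlen].decode("utf-8", "replace")

def build_sol(name, payload=b""):
    """Construct a minimal AMF0 .sol file (test fixture only)."""
    body = SOL_TAG + b"\x00\x04\x00\x00\x00\x00" + struct.pack(">H", len(name))
    body += name.encode("utf-8") + b"\x00\x00\x00\x00" + payload
    return SOL_MAGIC + struct.pack(">I", len(body)) + body

def list_flash_markers(shared_objects_root):
    """Walk #SharedObjects/<random>/<domain>/<path>/<name>.sol and return
    {domain: [sol names]} so an analyst sees which sites left a marker."""
    found = {}
    for dirpath, _, files in os.walk(shared_objects_root):
        for fname in files:
            if not fname.lower().endswith(".sol"):
                continue
            full = os.path.join(dirpath, fname)
            parts = os.path.relpath(full, shared_objects_root).split(os.sep)
            if len(parts) < 3:  # need at least <random>/<domain>/<file>
                continue
            with open(full, "rb") as fh:
                name = parse_sol_name(fh.read())
            found.setdefault(parts[1], []).append(name)
    return found

def demo():
    """Build a constructed #SharedObjects tree in a temp dir and scan it.
    'attacker.example' is a placeholder, not the server from the post."""
    root = tempfile.mkdtemp()
    site = os.path.join(root, "ABCD1234", "attacker.example", "public", "help")
    os.makedirs(site)
    with open(os.path.join(site, "marker.sol"), "wb") as fh:
        fh.write(build_sol("marker"))
    return list_flash_markers(root)

if __name__ == "__main__":
    print(demo())  # {'attacker.example': ['marker']}
```

On a real Windows XP profile the root to pass is the “#SharedObjects” folder under the user’s Flash Player application data, and a site that appears there after a single visit with no legitimate Flash content is worth a closer look.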
Protect.html
This file is recognized as an HTML file and is detected by 0 anti-viruses on VirusTotal (2a2e2efffa382663ba10c492f407dda8a686a777858692d073712d1cc9c5f265).
If you take a look at the source code, you can see interesting JavaScript code that manipulates the “img” array created by “exploit.html”.
You will also see that checks are performed in order to target Windows XP 32-bit with Internet Explorer 7 or 8.
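As an added defender-side example (my own code, not from the post or the captured files), here is a small Python heuristic that scores an HTML page for the chained traits described above: the “img” array, the IE 7/8 and Windows XP user-agent gating, the heap-spray constant and the hidden iframe to “Protect.html”. The indicator weights, the threshold and both sample pages are constructed fixtures, not the real landing pages.

```python
import re

# Heuristic indicators of the landing-page chain described in this post
# (exploit.html -> Moh2010.swf -> Protect.html): name, pattern, weight.
INDICATORS = [
    ("ua_gate_ie78",   re.compile(r"MSIE\s*[78]\.0"), 2),    # IE 7/8 targeting
    ("ua_gate_winxp",  re.compile(r"Windows NT 5\.1"), 1),   # Windows XP targeting
    ("img_array",      re.compile(r"new Array\(\)[\s\S]{0,200}?createElement\(['\"]img['\"]\)"), 2),
    ("iframe_protect", re.compile(r"<iframe[^>]+Protect\.html", re.I), 3),
    ("heap_spray_nop", re.compile(r"unescape\(['\"](?:%u0c0c){2,}", re.I), 3),
    ("eval_or_write",  re.compile(r"\b(?:eval|document\.write)\s*\("), 1),
]

def scan_page(html):
    """Return (score, hit names) for one HTML document."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(html)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits

def verdict(score, threshold=5):
    """A single UA check is normal; several chained traits are not."""
    return "suspicious" if score >= threshold else "clean"

# Constructed fixtures (not the captured files): one page combining the traits
# the post attributes to exploit.html and Protect.html, and one benign page.
SUSPICIOUS_PAGE = """<html><body><script>
var arrs = new Array();
for (var i = 0; i < 200; i++) { arrs[i] = document.createElement("img"); }
var ua = navigator.userAgent;
if (ua.indexOf("MSIE 7.0") > 0 || ua.indexOf("MSIE 8.0") > 0) {
  if (ua.indexOf("Windows NT 5.1") > 0) {
    var nop = unescape("%u0c0c%u0c0c");
    document.write('<iframe src="Protect.html" width=0 height=0></iframe>');
  }
}
</script></body></html>"""

BENIGN_PAGE = """<html><body><script>
var imgs = new Array(); imgs[0] = "logo.png";
if (navigator.userAgent.indexOf("MSIE 8.0") > 0) { alert("Please upgrade your browser"); }
</script></body></html>"""

if __name__ == "__main__":
    for label, page in (("suspicious", SUSPICIOUS_PAGE), ("benign", BENIGN_PAGE)):
        score, hits = scan_page(page)
        print(label, score, verdict(score), hits)
```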
111.exe
This file is recognized as an Autodesk FLIC image file and is detected by 0 anti-viruses on VirusTotal (a5a04f661781d48df3cbe81f56ea1daae6ba3301c914723b0bb6369a5d2505d9).
Submitted to Malware Tracker (baabd0b871095138269cf2c53b517927), this file looks suspicious and requires further investigation. “111.exe” is packed, and after unpacking the file is still not detected by any anti-virus on VirusTotal (a6086c16136ea752fc49bc987b8cc9e494384f372ddfdca85c2a5b7d43daa812). But with a Malwr analysis, you can see that this file is flagged as installing a program that runs automatically at logon.
Conclusion
The guys who developed this new 0day were not happy to have been caught: they removed all the files from the source server 2 days after my discovery. More interestingly, they also removed a Java 0day variant from other folders.
I also submitted all this material to different people in order to confirm the strangeness of this exploit, and we got some good feedback.
Confirmed @eromang and @binjo are right about the bug. Not Adobe, appears to be IE: goo.gl/LRTXn
— sinn3r (@_sinn3r) September 16, 2012
Updates
Sunday 09/16:
The Metasploit team is planning to release an exploit module on Monday. This module seems to work very well.
As @edistrosar predicted, yes, @_juan_vazquez_ and I r working on it, and looks good so far: goo.gl/ALR8L /cc @eromang & @binjo
— sinn3r (@_sinn3r) September 16, 2012
Monday 09/17:
Metasploit has released an exploit module, “ie_execcommand_uaf”, which works against IE 7/8/9 on XP/Vista/7.
AlienVault Labs has provided some additional information regarding the DoSWF file and the C&C server, aka “12.163.32.15”.
Microsoft has released MSA-2757760 and recommends installing EMET (Enhanced Mitigation Experience Toolkit) 3.0 and other mitigations.
Tuesday 09/18:
AlienVault Labs has provided more details on the potential source of the attack.
It seems the guys behind this 0day were targeting specific industries. We’ve seen that they compromised a news site related to the defense industry and they created a fake domain related to LED technologies that can be used to perform spearphishing campaigns to those industries.
Wednesday 09/19:
AlienVault Labs has reported a variant of the “Protect.html” file, named “Dodge.html”, which now also infects Windows 7 32-bit running Java 6 with Internet Explorer 9, and has confirmed the use of the 0day in targeted attacks.
Microsoft proposes a Fix it solution, KB2757760 “Prevent Memory Corruption via ExecCommand in Internet Explorer”, that prevents exploitation of this issue.
Microsoft has published an advance notification, “Microsoft Security Bulletin Advance Notification for September 2012”, for one out-of-band security bulletin that Microsoft intends to release on September 21, 2012. The bulletin will address security vulnerabilities in Internet Explorer. The vulnerability also affects Internet Explorer on Windows Server 2003 and 2008.
Friday 09/21:
Microsoft has released the promised update, MS12-063, to fix the 0day vulnerability. If you use Internet Explorer, I advise you to update as soon as possible!