The IE7 vulnerability recently patched by Microsoft’s MS09-002 is being exploited in the wild. The ThreatFire community is not seeing much of the attack, but ThreatFire prevents attacks against the memory corruption (referenced in CVE-2009-0075) in Internet Explorer 7’s loaded mshtml.dll module just the same. We expect to see much more of this exploit code in the near future.
Security researcher Paul Ferguson speculated that the original targeted attack, in which a Word document was sent to a select group of individuals, was similar to previous attacks targeting pro-Tibetan groups:
“Although Ferguson does not know who wrote the attack code, he said that it looks similar to software that was sent to pro-Tibetan groups about a year ago, apparently for the purpose of intelligence gathering…Whether this will lead to more widespread Internet Explorer attacks is unclear, Ferguson said.”
The exploit code itself is beginning to spread and has shown up on additional servers in the Pacific rim. While the original attack may have been very targeted, the exploit code itself looks the same. Even variable and function names remain the same across the exploit pages we’ve seen.
The shellcode and the delivered malware executables differ altogether across servers. In one case, the writers jumped through hoops to complete some stable download and execute shellcode, and in another, the writers added some unusual loops to download “menu.dat” to the user’s temp directory and execute it as “U.exe”.
The original executable was not packed and dropped a dll that phoned data over an encrypted session to a server hosted in China. The second, U.exe, is a downloader packed with a somewhat common compressor known as nPack.
So it appears that different groups already are using the exploit, leading us to believe that this reliable and effective exploit code will continue to spread in the wild.
Be sure to update your Windows system if you have not done so already.
