Archive for the ‘0day’ Category
Friday, September 4th, 2009
PPStream is a multimedia player used widely throughout Asia, as in hundreds of millions of users. As such, it is interesting when crashes for widely used client-side software are reported as “exploitable” on various blogs and PoC sites.
According to the post, the reportedly vulnerable ActiveX component is MList.ocx, and it appears to contain a heap overflow condition. The author has not released a working exploit, and there appear to be no ThreatFire community reports for the component. Its exploitability is being discussed on full disclosure lists and various other forums:
“PPStream is the most huge p2p media player in the world. There are two hundred million ppstream users in the world. The vulnerability is exploitable, but I have no time to make it, you could visit my blog for detail.^@^ ”
So it appears to be a work in progress. If it is exploitable for such widely used software, it is strange that this one did not hit the underground market first and it has not been added to known exploit packs and kits. If you are using PPStream, be wary of the sites that you stream until you patch.
Posted in 0day, Notification | No Comments »
Tuesday, September 1st, 2009
We’ve been waiting for some stats to come rolling in, but we haven’t seen a hint of an 0day worm or any attacks for that matter on the current Microsoft Ftp module 0day.
Instead of the Ftp 0day showing global activity, Spybot/Kolab is attempting to rip across the Russian Federation and the Ukraine by attacking a several-year-old vulnerability in srvsvc.dll, the server service hosted within one of the several svchost.exe processes running on Windows systems. (Why rush development of a new stack overflow exploit when users don’t patch their systems, for various reasons, for years?) The worm attempts to exploit the aged vulnerability and deliver download-and-execute shellcode, which pulls down and runs more malware on the compromised host. That shellcode has been downloading from a daily-incremented URL on a server hosted in England since August 2nd. Today it is 94.76.194 .116/ 37.exe. Threatexpert report for the payload here.
Posted in 0day, Exploit, Worm | No Comments »
Wednesday, July 15th, 2009
We have been monitoring and examining the second of the fairly prevalent ActiveX 0days of the past couple of weeks, this one targeting the Microsoft Office Web Components for Internet Explorer. The exploits have been distributed mostly from servers in China. Accordingly, the payloads that we have examined target a massive audience.
The final payload that is downloaded and executed after visiting one of these sites is an executable that drops a dll to disk and runs it. The dll in turn attempts to steal info from the hugely popular Tencent QQ components. It does so by using hooks and capturing screenshots of the entire desktop. These hooks steal QQ usernames and passwords, in particular QQ Game’s Dungeon and Fighter. To give you an idea of the size of the target audience, QQ Game reports that it has over 200 million registered accounts.
Following successful 0day exploitation, the malware copies out a dll and, as an evasion technique, copies rundll32 (normally used to load dlls) to myInsDll.exe in system32. The malware calls ShellExecute on this renamed rundll32 component, which loads the dropped dll. Depending on the command line argument, the dll code will either delete components or start the heist. First, the dll disables Windows File Protection with a well-worn technique:

On a successful WFP disable, it deletes Comres.dll from dllcache and replaces Comres.dll with a copy of itself. When c:\Program Files\Tencent\DNF\DNF.exe is started, it normally loads Comres.dll. This code illustrates the switch:
When the new Comres.dll is loaded into DNF.exe, the dll steals the QQ user name, password, serial, total money and more from unsuspecting users. To do so, it first places several hooks within TenQQAccount.dll and QQAccount.dll:

The jump hooks are written directly to the dll text segments:
All data, including captured usernames, passwords, and entire desktop screenshots, was being uploaded to 080506.8866.org.
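As an added defender-side example (not code from this post or from ThreatFire), the following Python sketches host checks for the three indicators described above: a byte-identical copy of rundll32.exe under another name, a Comres.dll that no longer matches (or has lost) its dllcache copy, and an inline JMP written over a function prologue. The file table and prologue bytes are constructed stand-ins; a real check would read them from disk and from the loaded module.

```python
import hashlib
import struct
from typing import Dict, List, Optional

# Constructed stand-in for a system32 tree (path -> file bytes). Not real binaries.
SAMPLE_FILES: Dict[str, bytes] = {
    "system32/rundll32.exe": b"MZ rundll32 stand-in",
    "system32/myInsDll.exe": b"MZ rundll32 stand-in",  # same bytes, new name (as in the post)
    "system32/Comres.dll": b"MZ trojanised comres stand-in",
    # system32/dllcache/Comres.dll is deliberately absent: the post says it is deleted
}


def renamed_copies(files: Dict[str, bytes], reference: str) -> List[str]:
    """Paths whose content hashes equal the reference binary (e.g. rundll32.exe) under another name."""
    ref_hash = hashlib.sha256(files[reference]).hexdigest()
    return sorted(
        path for path, data in files.items()
        if path != reference and hashlib.sha256(data).hexdigest() == ref_hash
    )


def wfp_mismatch(files: Dict[str, bytes], name: str) -> bool:
    """True when the live copy of a WFP-protected file differs from, or has lost, its dllcache copy."""
    live = files.get(f"system32/{name}")
    cache = files.get(f"system32/dllcache/{name}")
    return live is not None and (cache is None or live != cache)


def jmp_hook_target(prologue: bytes, func_va: int) -> Optional[int]:
    """Return the destination of an inline hook at a function's first bytes, else None.

    Recognises the two x86 encodings hook engines commonly write over a prologue:
      E9 rel32      near relative jmp (5 bytes), target = va + 5 + rel32
      68 imm32 C3   push imm32; ret (6 bytes), target = imm32
    A clean 'mov edi,edi; push ebp; mov ebp,esp' prologue (8B FF 55 8B EC) yields None.
    """
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return (func_va + 5 + rel) & 0xFFFFFFFF
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return struct.unpack_from("<I", prologue, 1)[0]
    return None


def triage(files: Dict[str, bytes], prologues: Dict[str, bytes], base_vas: Dict[str, int]) -> List[str]:
    """Run all three checks and return human-readable findings (empty list = nothing found)."""
    findings = [f"rundll32.exe copy under another name: {p}" for p in renamed_copies(files, "system32/rundll32.exe")]
    if wfp_mismatch(files, "Comres.dll"):
        findings.append("Comres.dll differs from or is missing in dllcache (WFP bypass indicator)")
    for func, code in prologues.items():
        target = jmp_hook_target(code, base_vas[func])
        if target is not None:
            findings.append(f"inline jmp hook on {func} -> {target:#010x}")
    return findings
```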
ThreatFire has been containing this threat within our global community, including our local Chinese user base.
Posted in 0day, Password stealing | No Comments »