Archive for the ‘0day’ Category

No Microsoft FTP Module 0day, but Spybot/Kolab Exploits

Tuesday, September 1st, 2009

We’ve been waiting for some stats to come rolling in, but we haven’t seen a hint of a worm, or any attacks for that matter, against the current Microsoft FTP module 0day.

Instead of the FTP 0day showing global activity, Spybot/Kolab is attempting to rip across the Russian Federation and Ukraine by attacking a several-year-old vulnerability in srvsvc.dll, the Server service hosted within one of the several svchost.exe processes running on Windows systems. (Why rush development of a new stack overflow exploit when, for one reason or another, users go years without patching?) The worm attempts to exploit the aged vulnerability and deliver download-and-execute shellcode, which pulls down and runs more malware on the compromised host. Since August 2nd that shellcode has been downloading from a server hosted in England, from a URL whose filename is incremented daily. Today it is 94.76.194 .116/ 37.exe. Threatexpert report for the payload here.
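The daily-incremented payload name is a usable hunting indicator. The following is an added example (not code from the original post or from ThreatFire) that turns the two facts the post gives, the host and the counter value of 37 on September 1st, into a date-aware check over proxy logs. The log format, the client addresses and the assumption that the counter rises by exactly one per day are all constructed for the illustration.

```python
import re
from datetime import date

# Indicators from the post: on 2009-09-01 the shellcode fetched
# http://94.76.194.116/37.exe, and the filename had been incremented once a day
# since early August. The +1-per-day schedule is an assumption made here.
PAYLOAD_HOST = "94.76.194.116"
ANCHOR_DATE = date(2009, 9, 1)
ANCHOR_COUNTER = 37

# Constructed log format: "<ISO timestamp> <client ip> <host> <path>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+) (?P<src>\S+) (?P<host>\S+) (?P<path>\S+)$"
)
PAYLOAD_PATH_RE = re.compile(r"^/(?P<n>\d+)\.exe$")


def expected_counter(day: date) -> int:
    """Counter the worm's shellcode should request on `day` (anchor +1 per day)."""
    return ANCHOR_COUNTER + (day - ANCHOR_DATE).days


def expected_url(day: date) -> str:
    """Full payload URL expected on `day`."""
    return f"http://{PAYLOAD_HOST}/{expected_counter(day)}.exe"


def scan_proxy_log(lines):
    """Return one finding per request to the payload host.

    Each finding records the client, the path, and whether the counter matches
    the schedule. An off-schedule counter suggests a replayed or old sample, a
    manual download, or a change in the operator's naming scheme; a path that
    is not N.exe at all is reported with on_schedule=None.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["host"] != PAYLOAD_HOST:
            continue
        p = PAYLOAD_PATH_RE.match(m["path"])
        if not p:
            findings.append({"src": m["src"], "path": m["path"], "on_schedule": None})
            continue
        day = date.fromisoformat(m["ts"][:10])
        findings.append({
            "src": m["src"],
            "path": m["path"],
            "on_schedule": int(p["n"]) == expected_counter(day),
        })
    return findings


# Constructed sample lines; the internal client addresses are made up.
SAMPLE_LOG = [
    "2009-09-01T10:14:03 10.0.0.5 94.76.194.116 /37.exe",
    "2009-09-01T10:20:11 10.0.0.7 www.example.com /index.html",
    "2009-09-02T08:02:55 10.0.0.5 94.76.194.116 /38.exe",
    "2009-09-02T09:00:00 10.0.0.9 94.76.194.116 /12.exe",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding)
    print(expected_url(date(2009, 9, 2)))
```

Any hit on the host is worth a look regardless of the counter; the schedule check only adds a hint about whether a given request came from the live worm or from something else touching the same server.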

QQ Password Stealing via ActiveX Office Web Component 0day

Wednesday, July 15th, 2009

We have been monitoring and examining the second fairly prevalent ActiveX 0day of the past couple of weeks, this one targeting Microsoft Office Web Components in Internet Explorer. The exploits have been distributed mostly from servers in China, and accordingly the payloads we have examined target a massive audience.

The final payload that is downloaded and executed after visiting one of these sites is an executable that drops a dll to disk and runs it. The dll in turn attempts to steal information from the hugely popular Tencent QQ components, using hooks and capturing screenshots of the entire desktop. The hooks steal QQ usernames and passwords, in particular those for QQ Game’s Dungeon and Fighter. To give you an idea of the size of the target audience, QQ Game reports over 200 million registered accounts.

Following successful 0day exploitation, the malware copies out a dll and, as an evasion technique, copies rundll32 (normally used to load dlls) to myInsDll.exe in system32. The malware calls ShellExecute on this renamed rundll32 copy, which loads the dropped dll. Depending on the command line argument, the dll code either deletes components or starts the heist. First, the dll disables Windows File Protection with a well-worn technique:

Once WFP is disabled, it deletes Comres.dll from dllcache (so that WFP cannot restore the original) and replaces Comres.dll with a copy of itself. When c:\Program Files\Tencent\DNF\DNF.exe is started, it normally loads Comres.dll, so the planted copy is loaded in its place. This code illustrates the switch:

When the new Comres.dll is loaded into DNF.exe, the dll steals the QQ user name, password, serial, total money and more from unsuspecting users. To do so, it first places several hooks within TenQQAccount.dll and QQAccount.dll:

The jump hooks are written directly into the .text segments of those dlls:

All data, including captured usernames, passwords, and entire desktop screenshots, was being uploaded to 080506.8866.org.
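The hooks described above are classic inline patches: a 5-byte JMP written over a function entry in another module’s .text segment. As an added example (not code from the post or from the malware), the block below builds such a patch and then shows the check an anti-rootkit or forensic tool applies to catch it: decode the first bytes of each export and flag any redirect whose destination lies outside the module that owns the function. Module ranges, export names and addresses are constructed placeholders, not values from the real Tencent dlls or from the samples.

```python
import struct

# Constructed module layout for the illustration; these are not addresses taken
# from the samples described in the post.
MODULES = {
    "TenQQAccount.dll": (0x10000000, 0x10040000),
    "QQAccount.dll":    (0x10100000, 0x10140000),
    "Comres.dll":       (0x6A000000, 0x6A010000),   # the planted, malicious copy
}


def module_for(va):
    """Name of the module whose image range contains `va`, or None."""
    for name, (lo, hi) in MODULES.items():
        if lo <= va < hi:
            return name
    return None


def make_jump_hook(from_va, to_va):
    """The 5-byte 'JMP rel32' (E9 xx xx xx xx) a hooker writes over a function
    entry: the displacement is relative to the end of the JMP itself."""
    rel = to_va - (from_va + 5)
    return b"\xe9" + struct.pack("<i", rel)


def classify_entry(code, entry_va):
    """Decode the first bytes at a function entry and report a redirect.

    Returns (kind, target_va); target_va is None when the destination is not
    statically known (memory-indirect jump). 32-bit x86 encodings only.
    """
    if len(code) >= 5 and code[0] == 0xE9:                        # JMP rel32
        (rel,) = struct.unpack("<i", code[1:5])
        return "jmp_rel32", (entry_va + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[:2] == b"\xff\x25":                # JMP [abs32]
        return "jmp_indirect", None
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:    # PUSH imm32; RET
        return "push_ret", struct.unpack("<I", code[1:5])[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xff\xe0":  # MOV EAX,imm32; JMP EAX
        return "mov_eax_jmp", struct.unpack("<I", code[1:5])[0]
    return "clean", None


def scan_exports(exports):
    """exports: {label: (entry_va, first_bytes)} -> list of suspicious entries.

    A redirect whose destination lies outside the module that owns the export
    (or cannot be resolved) is the signature of an injected inline hook; a
    same-module JMP may just be a compiler thunk or hot-patch stub, so it is
    reported but marked cross_module=False.
    """
    findings = []
    for label, (va, code) in exports.items():
        kind, target = classify_entry(code, va)
        if kind == "clean":
            continue
        dest = module_for(target) if target is not None else None
        findings.append({
            "export": label,
            "kind": kind,
            "target": target,
            "target_module": dest,
            "cross_module": dest is None or dest != module_for(va),
        })
    return findings


# Constructed samples. Export names are placeholders, not the real exports of
# the Tencent dlls.
CLEAN_PROLOGUE = b"\x8b\xff\x55\x8b\xec"          # mov edi,edi; push ebp; mov ebp,esp
SAMPLE_EXPORTS = {
    "TenQQAccount.dll!GetAccount":  (0x10001000, make_jump_hook(0x10001000, 0x6A0012F0)),
    "TenQQAccount.dll!Login":       (0x10002000, CLEAN_PROLOGUE),
    "QQAccount.dll!CheckPassword":  (0x10101000, b"\x68" + struct.pack("<I", 0x6A002000) + b"\xc3"),
    "QQAccount.dll!GetBalance":     (0x10102000, make_jump_hook(0x10102000, 0x10103000)),  # intra-module
}

if __name__ == "__main__":
    for finding in scan_exports(SAMPLE_EXPORTS):
        print(finding)
```

In practice the bytes come from the live process (read the export’s entry from memory and compare with the same offset in the on-disk image); the module table comes from the loader’s module list. The cross-module test is what separates the hooks described here, which land in the fake Comres.dll, from benign same-module thunks.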

ThreatFire has been containing this threat within our global community, including our local Chinese user base.


ActiveX MsVidCtl 0day

Wednesday, July 8th, 2009

The MsVidCtl 0day has been passed around and widely distributed since at least the 6th. We have been monitoring multiple groups abusing Internet Explorer’s capability to render streaming video.

Some of the more recent and interesting activity has been the exploit writers’ javascript evasion technique: splitting what was one page of javascript into 10 files, one for each line of javascript, which renders some pattern matching solutions useless. This sort of evasion is most effective against the most performance-sensitive security layers, such as network-based ones, and against some fairly unsophisticated client-side solutions.
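The evasion works because a scanner that inspects each object on its own sees one line of script at a time, while a signature for a heap spray needs several of those lines together. The following added example (not code from the post) models the split with a constructed landing page and ten one-line script files, and shows a multi-feature signature failing per file and firing once the scripts are reassembled in the order the browser would run them. The script bodies are generic spray idioms with an all-zero placeholder classid, not the real exploit.

```python
import re
from html.parser import HTMLParser

# Constructed landing page: the exploit script is split into one-line files,
# as the post describes. The script bodies below are generic heap-spray
# idioms with placeholder values, not the real exploit.
LANDING_PAGE = "<html><body>\n" + "\n".join(
    f'<script src="{i}.js"></script>' for i in range(1, 11)
) + "\n</body></html>"

SCRIPT_FILES = {
    "1.js":  'var sc = unescape("%u9090%u9090%u9090%u9090");',
    "2.js":  'var pad = unescape("%u0c0c%u0c0c");',
    "3.js":  'while (pad.length < 0x40000) pad += pad;',
    "4.js":  'var blocks = new Array();',
    "5.js":  'for (var i = 0; i < 200; i++) blocks[i] = pad + sc;',
    "6.js":  'var o = document.createElement("object");',
    "7.js":  'o.setAttribute("classid", "clsid:00000000-0000-0000-0000-000000000000");',
    "8.js":  'document.body.appendChild(o);',
    "9.js":  'o.setAttribute("data", "x");',
    "10.js": 'void 0;',
}

# A multi-feature signature: every feature must be present in one script body.
# Per-file matching sees one feature at a time and never fires.
SPRAY_SIGNATURE = {
    "unicode_escape_string": re.compile(r'unescape\("%u[0-9a-fA-F]{4}'),
    "doubling_loop":         re.compile(r'while\s*\(\s*\w+\.length\s*<'),
    "array_fill":            re.compile(r'for\s*\(.*\)\s*\w+\[\w+\]\s*=\s*\w+\s*\+\s*\w+'),
    "activex_instantiation": re.compile(r'classid\W+clsid:'),
}


class ScriptCollector(HTMLParser):
    """Collect <script src=...> references and inline script bodies in document order."""
    def __init__(self):
        super().__init__()
        self.parts = []        # ("src", url) or ("inline", text)
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.parts.append(("src", src))
            else:
                self._in_inline = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

    def handle_data(self, data):
        if self._in_inline:
            self.parts.append(("inline", data))


def assemble_scripts(page_html, fetch):
    """Rebuild the script the browser will actually run: every external file
    and inline block, concatenated in the order the page includes them."""
    collector = ScriptCollector()
    collector.feed(page_html)
    return "\n".join(fetch(value) if kind == "src" else value
                     for kind, value in collector.parts)


def signature_hits(text, signature=SPRAY_SIGNATURE):
    """Names of the features found in `text`; a match needs all of them."""
    return [name for name, rx in signature.items() if rx.search(text)]


def matches(text, signature=SPRAY_SIGNATURE):
    return len(signature_hits(text, signature)) == len(signature)


def scan_per_file(files):
    """What a per-object scanner sees: each file on its own."""
    return [name for name, body in files.items() if matches(body)]


def scan_assembled(page_html, files):
    """What a scanner that reassembles the page sees."""
    return matches(assemble_scripts(page_html, lambda ref: files.get(ref, "")))


if __name__ == "__main__":
    print("per-file matches:", scan_per_file(SCRIPT_FILES))
    print("assembled match:", scan_assembled(LANDING_PAGE, SCRIPT_FILES))
```

Reassembly costs a fetch per referenced file and a buffer per page, which is exactly the budget a wire-speed network sensor does not have; a host-side component that hooks the script engine sees the joined text for free, which is why the post observes that the trick hurts the performance-sensitive layers most.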

The payloads vary, from adware to social network credential stealers. ThreatFire has been preventing the exploit within the community from the start. We anxiously await a hotfix, something beyond the kill-bit workaround. Georg Wicherski points out that the vulnerability is a trivial one, in which the attacker can abuse the SEH handler; but the heap spray attack code we have seen so far is reliable and takes less effort to implement than that, and what has worked in the past will continue to be put out in prevalence!

In the meantime, your information is safe and protected against observed and unknown exploits attacking this vulnerability with ThreatFire.