Showing posts with label Exploit. Show all posts

Tuesday, June 3, 2008

Global cyber-intelligence

You can check out a somewhat lengthy and fascinating article on recent cyber intelligence, SCADA systems and various actors on the global cyber stage at The National Journal.

'Asked whether Washington knew of hacker involvement in the two blackouts, Joel Brenner, the government’s senior counterintelligence official, told National Journal, “I can’t comment on that.”'

Thursday, May 22, 2008

Seeing Double?

What's that? Winifixer! Here are some comments from the web site:
"Statistics approve that virus and trojan attacks damage more than $3 million/hour and the new virus appears each hour. One of them, virus Sasser. A, infected million of computers at the first hours after let out and caused billions damages. It had been corrected within a lot of months."
Scared yet? Or do you just find the wording and explanation a bit odd? Let me see, let's work with those figures. At $3 million an hour, that's $72 million in damages a day. In a week, it's half a billion dollars. By the end of the year, that adds up to roughly $26 billion.
And it points out that almost EVERYONE's system is infected! WOW! 91% is a big number!

If you haven't read our previous posts, you might not be aware that there are a number of misleading applications being distributed on the web by malicious web site operators. Stuff that we've been calling "Rogueware". Some AV vendors prefix the detections with "not-a-virus: Fraudware", some will call the stuff a "Troj_Renos", some call it a "Misleading Application" and some call it "Rogue Security Software". Some AV vendors have been blogging dramatically about this software and how it was originally distributed, via fake codecs.
Here is the page that offers up the WinIFixerInstaller.exe download for only $99.95:

What? You're not sure if you want to install that one? Well, you can always install something just like it...called the AdvancedXpFixer! It makes the same exaggerated claims as the site mentioned above, and offers up the AdvancedXPFixerInstaller.exe download. Are you seeing double? Maybe!

My favorite part is where they provide links on the "company" page to securityfocus articles about developing av engines and heuristics. That's good stuff.

How might you wind up with these pages or software on your system? As always, patch your system! The software is partly being distributed using a few ugly old drive-by client side exploit tricks to run some downloaders on your system without you knowing it when you browse a malicious web site. Successful exploitation also results in a huge fake alert on your system's desktop wallpaper, telling you about all the malware on your system. The malicious sites also download and execute multiple spam bots and other malware, making your system a major problem and source of spam. Double the fix, er.

Update: while double is interesting, triple is all the more exciting!

Wednesday, May 14, 2008

Peach Fuzz

Another open source fuzzing toolkit update was released today, the "Peach Fuzzing Platform v2.0".
Fuzz. As in Peach. Ha!

Anyways, how does fuzzing affect the security of one's computer? Directly, it does not. Indirectly, it does.

Fuzzing an application or service is the process of feeding malformed and unexpected input, often mixed with expected input, to an application that consumes data. This process can surface bugs or flaws in the software and lead to the identification of buffer overflows, format string errors and the like. Once these bugs are uncovered, determined individuals may write code to exploit them. Not all bugs are exploitable.

The easier, more open and more popular fuzzing becomes, the more likely it is that vulnerabilities are found in applications. The frequent hotfixes and updates that Microsoft releases to patch vulnerabilities in its OS and browser software are sometimes the result of individuals performing fuzz testing (and, most likely, some amount of reversing). Rumor has it that the largest fuzzing project in the history of software development was performed by Microsoft's own developers and security teams over the past couple of years on their own compiled code.

The Peach platform can fuzz data consumers of many types, including file format parsers, network services, third party plugins like those from Quicktime and Adobe, most any software.
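As an added illustration, not code from Peach or from the original post: a minimal mutation fuzzer in C of the kind the paragraphs above describe. It takes a well-formed seed record in a made-up two-byte-header TLV format, applies random bit flips, boundary bytes and truncation, and feeds the mutants to two parsers: one that trusts the length field and one that checks it against the buffer. All reads go through a small instrumented reader that counts out-of-bounds accesses instead of crashing, standing in for what a debugger or sanitizer would report in a real campaign. The record format, both parsers, the seed and the mutation strategy are assumptions made for this demo.

```c
/* Added example, not code from the original post or from Peach: a tiny
 * deterministic mutation fuzzer driving a toy TLV parser.  The record
 * format, both parsers and the mutation strategy are assumptions made
 * for this demo. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Instrumented reader: out-of-bounds reads are counted instead of
 * faulting, standing in for the crash a debugger or sanitizer would show. */
typedef struct { const uint8_t *buf; size_t len; int oob; } reader_t;

static uint8_t rd(reader_t *r, size_t i) {
    if (i >= r->len) { r->oob++; return 0; }
    return r->buf[i];
}

/* Assumed record format: [type:1][len:1][value:len], repeated to end of buffer. */

/* Buggy parser: trusts the attacker-controlled length byte. */
static int parse_unchecked(reader_t *r) {
    size_t off = 0, sum = 0;
    while (off + 2 <= r->len) {
        uint8_t type = rd(r, off), len = rd(r, off + 1);
        (void)type;
        for (size_t i = 0; i < len; i++) sum += rd(r, off + 2 + i); /* may run past the buffer */
        off += 2 + len;
    }
    return (int)(sum & 0xff);
}

/* Hardened parser: rejects a record whose value would extend past the buffer. */
static int parse_checked(reader_t *r) {
    size_t off = 0, sum = 0;
    while (off + 2 <= r->len) {
        uint8_t type = rd(r, off), len = rd(r, off + 1);
        (void)type;
        if (len > r->len - off - 2) return -1;
        for (size_t i = 0; i < len; i++) sum += rd(r, off + 2 + i);
        off += 2 + len;
    }
    return (int)(sum & 0xff);
}

/* xorshift32 so a campaign replays identically; a real fuzzer logs its seed. */
static uint32_t rng_state;
static uint32_t rnd(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Copy the seed into out and apply 1-4 mutations: bit flip, boundary byte
 * (0xff / 0x7f), or truncation.  Returns the mutated length. */
static size_t mutate(const uint8_t *seed, size_t seed_len, uint8_t *out) {
    memcpy(out, seed, seed_len);
    size_t len = seed_len;
    int n = 1 + (int)(rnd() % 4);
    for (int k = 0; k < n; k++) {
        size_t pos = rnd() % len;
        switch (rnd() % 3) {
        case 0:  out[pos] ^= (uint8_t)(1u << (rnd() % 8)); break;
        case 1:  out[pos] = (uint8_t)((rnd() & 1) ? 0xff : 0x7f); break;
        default: if (len > 2) len -= 1 + rnd() % (len - 2); break;
        }
    }
    return len;
}

/* Run `iters` mutants of a well-formed seed through `parser`; return how
 * many of them caused at least one out-of-bounds read. */
int fuzz(int (*parser)(reader_t *), int iters) {
    static const uint8_t seed[] = { 0x01, 0x03, 'a', 'b', 'c', 0x02, 0x02, 'x', 'y' };
    uint8_t buf[sizeof seed];
    int crashes = 0;
    rng_state = 0x9e3779b9u;            /* same inputs for every parser under test */
    for (int i = 0; i < iters; i++) {
        reader_t r = { buf, mutate(seed, sizeof seed, buf), 0 };
        parser(&r);
        if (r.oob) crashes++;
    }
    return crashes;
}

int main(void) {
    printf("unchecked parser: %d crashing inputs of 2000\n", fuzz(parse_unchecked, 2000));
    printf("checked parser:   %d crashing inputs of 2000\n", fuzz(parse_checked, 2000));
    return 0;
}
```

The unchecked parser produces out-of-bounds reads within a handful of iterations while the checked one never does, which is the whole fuzzing proposition in miniature. Note also what the fuzzer actually found: an over-read, not a write. That is the "not all bugs are exploitable" case from the post; it would need triage before anyone could call it more than a crash.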

ImmunitySec and Dave Aitel have been releasing this sort of software for years, with SPIKE, SPIKE Proxy, and Sharefuzz.

What do our readers think of ethical hacking, exploit development and the spread of these sorts of tools? Please post a comment if you have an opinion on the subject. We'd love to hear from you.

Friday, May 9, 2008

Ongoing targeted attacks during Tibet, Burma controversy and Olympic torch protests

Unfortunately, targeted computer attacks are common. This morning's NPR show exposed such problems for activists and journalists dealing with China. Sadly, not much data about these attacks is public, and it would be easy to speculate that they are on the rise. Sometimes the groups being attacked do not want members exposed or put further into the public light, and sometimes they do not fully understand that they are being attacked. The NPR audio mentioned groups like the Falun Gong, Students for a Free Tibet, Human Rights in China and some China-based foreign journalists. Often the attackers' identities are harder to uncover than in the more entertaining examples we've given in the past. While the spoofed sources may appear to be friends or friendly members of the organization, the true source remains in the shadows, hiding behind university or other seemingly public IP addresses.

The code used in the targeted attacks we have evaluated to date is not a terribly impressive set of malware. The trojans and spyware are usually delivered over email, embedded in files of all formats with enticing names the recipient would most likely be interested in. For example, the NPR interview mentioned a "resume.doc" file delivered to current board members and staff of Students for a Free Tibet from the spoofed email address of an ex-board member. These Microsoft Word documents, Excel spreadsheets, malicious .chm help files and PowerPoint slideshows are usually malformed in one way or another to attack vulnerabilities in flawed software on the receiver's side. When opened with outdated software, the maliciously crafted file triggers the exploit, and the embedded code drops and runs the trojans and spyware on the victim's system.
Most can be prevented by keeping software updated and patched, running security solutions, and as always, security in layers is recommended.

The audio mentions that most AV scanners are often evaded by the software components of these targeted attacks (an unusual admission from a member of the AV industry!). And that trojan builders create nastier rodents in response to the AV companies' better mousetraps.
ThreatFire is different -- our behavioral-based cat is bigger and faster than that little piece of cheese sitting on the wire and wood thing in the attic. Purrs like a kitten too.

Friday, February 22, 2008

Here come the mounties

I wonder if they didn't see the bright red jackets galloping towards their hard drives? Another botnet ring got busted in Canada.

This story is bigger than I thought..."Police in Quebec arrested 17 people on computer-hacking-related charges in the largest sweep of its kind in Canada".

It's not just the U.S. FBI performing these major 2008 investigations and arrests.

Thursday, February 21, 2008

cDc Hacktivist Tool Release

The Cult of the Dead Cow is a group that has been around for over a decade, presented by its members as an underground hacker/do-it-yourself media group. Every now and then, they release another "tool" as a result of their research. They are known mostly for their Back Orifice tool release in the late 1990's. Unfortunately, it was only a taste of what was to come from the world of "RAT" development, or so-called remote administration tools. These sorts of tools were often used to maintain botnets and control over compromised systems for malicious purposes.

This new tool, the Goolag Scanner, is a stab at using Google's technologies for security research (open to definitions of white, grey or black hat), and part of the cDc hacktivist response "to Google's decision to comply with China's Internet censorship policy and censor search results in the mainland-Chinese version of its search engine." Its interface is similar to the popular Nessus vulnerability scanner. While use of the scanner most likely violates every licensing clause in Google's terms of service, it provides an automated method of evaluating web sites for vulnerabilities using "Google Hacks", or "Dorks", popularized by Johnny Long and his "Google Hacking Database".

In line with their generally dark humor, this version of the scanner is being released as the "Stanley Kowalski" version, most likely in reference to an awful character from Tennessee Williams' "Streetcar Named Desire", along with a tough love usage statement:
"If this software does something bad to your computer or network or provides information that you have no legal right to see, then that's your problem. In some countries this software might be illegal. Don't be stupid, and don't come whining to us if you get into trouble. You've been warned."

Discussions on various security mailing lists wager on how long the site will remain up. It seems that the cDc presents the site as a parody of the google site itself:
"It isn't even a particularly good parody. As such, it is protected by the First Amendment." It most likely will be up for a while:

Web admins should be sure to attend to the security needs of their servers.

Wednesday, February 6, 2008

Infested stock message boards and a quick response

Sometimes, surprising events in the financial news draw users to the message boards. On Yahoo!, the individual stock message boards are usually a safe haven for posting and browsing.
Right now, one stock on the Yahoo Finance site appears to have dropped almost 60% for the day. Instead, the company might be performing a reverse split with little notice. There is no news headline about a reverse split for the company, so the next logical step would be to check out the message boards and see what other users might be sharing.

Once on the message boards, a user may fall for friendly advice like "This Video Forecast should help" (link intentionally removed). DO NOT FOLLOW THESE LINKS RIGHT NOW. We decided to follow these links once we saw them. After following one of them, our goat lab systems became totally infected by malware and completely unusable. Adware, worms, multiple processes and more were overloading the system's capacity. We can only post an image at this point of the link to the infecting site (DO NOT VISIT THESE LINKS). These attackers are acting quickly on the confusing financial news:

UPDATE: It seems that the web links spammed to the message boards may be linked to a handful of web servers that were compromised. For example, here is a list of spammed links to another message board. We highlight one in particular in red:

Here is the web page at the highlighted link's destination, apparently revealing a compromised site. Most likely, the malware and exploits served up at these sites were the result of compromised servers:

The operators of these sites seem to be on top of the problem, and almost all of the links we're visiting are now cleaned up.

These short lived and effective attacks can ruin your day. They lurk in the most unexpected of places, not just the adult and warez sites. Be sure to keep your security solutions updated.

Tuesday, January 29, 2008

Love in the air

The Storm continues to fall, and while their Valentine's Day message started early in January 2008, we see users continuing to fall for the sweet message of love. Tonight, we observed this site serving up malicious love from Flint, Michigan. The usual set of encoded javascript exploits accompany this lacy heart and "withlove.exe" executable. Do not visit this malicious web site, a slight variation on a Storm site we blogged on earlier this month:

Tuesday, January 8, 2008

Bootkit binaries in the wild

Yesterday, we were further analyzing an executable that we recently haven't been seeing all that much of, tmpms45.exe. The filename is familiar, as various executables with that name are sometimes delivered by malicious emails or malicious web pages. Most often, we see it as a part of a commodity exploit kit (e.g. MPack), where the malicious web site operators simply forgot to change the filename in the scripts of the kit they just purchased.
This time, however, a file delivered with that filename is receiving a lot of attention as the newest piece of malware writing directly to raw disk and the master boot record on Windows XP systems. It may also go by several other names, like mat16.exe, mat17.exe, mat18.exe and so on. The code for the malicious dropper itself is getting attention partly because it is the first in-the-wild malware found to contain a slightly modified version of the "BootRoot" code presented at Black Hat 2005 by eEye researchers.

This malicious dropper executable is being distributed from web sites via a set of exploits targeting the common Microsoft MDAC vulnerability (MS06-014, patched in 2006) that we see targeted on a daily basis, along with the somewhat more recent VML and XML Core Services buffer overflows.

Monday, December 31, 2007

Bring in the New Year with a new Storm variant

What a generous way to bring in the new year. The Storm/Peacomm gang, the same group whose activities we presented at VB2007 and posted about previously, has not disappeared. The holidays brought a round of Christmas-themed spam, complete with a simple link to nginx servers and the promise of a friendly xmas-related message. In the past couple of days, they have turned towards a new year theme:
"Happy New Year!
Your download should begin shortly. If your download does not start in approximately 15 seconds, you can click here to launch the download and then press Run. Enjoy!"

Consistent with their past attacks, the executable name is themed as well. We have seen "happynewyear2008.exe" and "happy_2008.exe" located on servers in Poland and multiple sites around the world. But in a small departure from using bare IP addresses, these malware-serving web hosts are now registered with cute, related .com domains, like "newyearwithluv" or "hellosanta". The gang broke another trend too: the flashy graphics on the sites are not present either.

We are seeing a strong uptick in the number of users actually running these files (happy-2008.exe, happynewyear2008.exe, happy_2008.exe, happynewyear.exe) on their systems. Please exercise caution when visiting links that were sent to you, update all of your system patches at the Microsoft Update site, and if you use QuickTime or Firefox, update them as well.

Cheers to secure computing and happy New Year!

Tuesday, December 18, 2007

Shellcode analysis -- download n' exec

In a previous post, I mentioned that we could use c code to analyze some shellcode currently being posted in the wild by malicious web site operators.

These malicious websites are delivering malware by exploiting several Windows based vulnerabilities. The websites attack visitors by targeting vulnerabilities in .ani file parsing, .wmf file parsing, and rtsp content-type string parsing in the QuickTime plugin.

In our labs, we visit these web sites with vulnerable systems, allowing the pages to compromise the systems. We then analyze the techniques being used. Let's take a quick look at a major part of the attack -- the shellcode within the delivered malformed wmf file. We'll take a look at the low level data content of the malformed file itself:

After seeing a lot of these malformed files, you can spot the shellcode right away. I did in the above image after a quick visual scan, but sometimes details of the file format need to be known to find the shellcode on the first try.
We copy out the string of shellcode hex data into a c-style string, like this one:
"\x83\xec\x10\xd9\xee\xd9\x74\x24\xf4\x58\x33\xc9\xb1\xdb..."

I copy it into the buffer in the c file from the previous post, and the assignment will look like this:
unsigned char shellcode[] = "\x83\xec\x10\xd9\xee\xd9\x74\x24\xf4\x58\x33\xc9\xb1..."

I compile it using gcc, but you can use the cl.exe Microsoft compiler if you like; whichever C compiler you have should be fine. I've never seen a problem substituting one for another:
C:\sh\>gcc sh3ll.c -o sh3ll.exe

The compiler emits an expected warning that can be ignored, and now we have an executable to work with. We'll run it in Olly to its entry point, and then search for the beginning of the shellcode string in memory. When we find it, we'll set a memory access breakpoint on that location and then let the process run to that point by hitting F9.
When the debugger arrives at this starting point for the shellcode, the debugger shows us a very strange listing -- "jno" instruction followed by a bunch of "cnq" instructions? The listing looks very strange:

We hit F7 a few times and notice "xor byte ptr ds:[eax+12], 99", followed by a loopd instruction that takes us back a few lines. This loop is an XOR decoder loop, implemented in this shellcode because we are exploiting a buffer overflow, and usually that means we are attacking a string handling flaw. Any "00" or null bytes in the code would likely truncate the copy and crash the code, as explained in chaps 3, 7, 9.
We also notice that ecx is set to 0xdb at 0040200e, meaning that this loop will decode the subsequent 219 bytes of data:

We can continue stepping through the code with f7, watching the decoding taking place, until ecx decrements to zero. When it finishes, we step through a bit more slowly.
Stepping into the instructions with f7 now reveals the code searching for kernel32's location in the process space using the common and reliable technique of parsing the PEB and its module initialization linked lists. It then searches for LoadLibraryA, ExitThread, and WinExec win32 api calls. It loads urlmon and finds URLDownloadToFileA. These calls all tell us that this shellcode's functionality is download and execute -- and we can observe the url strings that the code is communicating with.
Download and execute shellcode like this happens to be some of the most prevalent shellcode that we see served up by malicious web sites.
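As an added example, not code from the original post or from the shellcode it analyzes, here is the arithmetic behind that single-byte XOR decoder loop in C. A byte b encodes to b ^ key, and the result is 0x00 exactly when b == key, so a null-free encoding needs a non-zero key that appears nowhere in the payload. The sample payload bytes are constructed for the demo; the 0x99 key and the 219-byte length are the values seen in the post.

```c
/* Added example, not code from the original post: the single-byte XOR
 * scheme behind the decoder loop described above.  A byte b encodes to
 * b ^ key, and that is 0x00 exactly when b == key, so a null-free
 * encoding needs a non-zero key that appears nowhere in the payload.
 * The sample payload is constructed for this demo; 0x99 is the key seen
 * in the post's shellcode. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample payload: mov eax,0 / push 0 / cdq (0x99) / ret.
 * It contains NUL bytes, so it could not survive a string-copy overflow as is. */
static const uint8_t sample_payload[] = { 0xb8, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x99, 0xc3 };
#define SAMPLE_LEN (sizeof sample_payload)

/* 1 if buf[0..len) contains a NUL, which a C string routine would stop at. */
int has_null(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) if (buf[i] == 0) return 1;
    return 0;
}

/* Same loop the decoder stub runs (xor byte ptr [ptr], key; loop): XOR is
 * its own inverse, so this both encodes and decodes. */
void xor_bytes(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++) buf[i] ^= key;
}

/* Encode payload into out with key; 0 on success, -1 if key is zero or the
 * encoded form still contains a NUL (i.e. the key occurs in the payload). */
int encode_nullfree(const uint8_t *payload, size_t len, uint8_t key, uint8_t *out) {
    if (key == 0) return -1;
    memcpy(out, payload, len);
    xor_bytes(out, len, key);
    return has_null(out, len) ? -1 : 0;
}

/* Lowest non-zero key absent from the payload, or -1 if none exists
 * (possible only once the payload uses all 255 non-zero byte values). */
int pick_nullfree_key(const uint8_t *payload, size_t len) {
    uint8_t seen[256] = { 0 };
    for (size_t i = 0; i < len; i++) seen[payload[i]] = 1;
    for (int k = 1; k < 256; k++) if (!seen[k]) return k;
    return -1;
}

/* Try one key against the sample payload; returns encode_nullfree's result. */
int try_key(uint8_t key) {
    uint8_t enc[SAMPLE_LEN];
    return encode_nullfree(sample_payload, SAMPLE_LEN, key, enc);
}

/* Pick a key, encode, decode the way the stub would at run time, and
 * confirm the round trip.  Returns the key used, or -1 on any failure. */
int demo_roundtrip(void) {
    uint8_t enc[SAMPLE_LEN];
    int k = pick_nullfree_key(sample_payload, SAMPLE_LEN);
    if (k < 0 || encode_nullfree(sample_payload, SAMPLE_LEN, (uint8_t)k, enc) != 0) return -1;
    xor_bytes(enc, SAMPLE_LEN, (uint8_t)k);   /* run-time decode */
    return memcmp(enc, sample_payload, SAMPLE_LEN) == 0 ? k : -1;
}

int main(void) {
    printf("payload has NUL bytes: %d\n", has_null(sample_payload, SAMPLE_LEN));
    printf("key 0x99 gives null-free output: %s\n", try_key(0x99) == 0 ? "yes" : "no");
    printf("round trip with chosen key: %d\n", demo_roundtrip());
    return 0;
}
```

Two things worth noticing when you meet one of these loops in a debugger. The decoder stub itself must also be null-free, which is why it uses tricks like loading the counter through a byte register. And the key leaks a constraint on the payload: whatever byte the stub XORs with is a byte the original payload cannot have contained, which is a quick sanity check on a decoded dump.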

Hope that you learned a few things about the sorts of techniques we can use to analyze shellcode and its behaviors. Let me know what you think of it!

Monday, December 17, 2007

Tool for shellcode analysis

Here's some favorite c that I use to reverse engineer shellcode that I collect from malicious files, malicious web sites and attacking network traffic:

#include <stdio.h>

/* Paste the collected shellcode here as a C-style hex string. */
unsigned char shellcode[] = "";

int main(void)
{
    void (*c)(void);
    printf("Shellcode it is!\n");
    /* Point the function pointer at the buffer.  Casting the pointer type
     * directly avoids the truncation that writing through an int* causes
     * on 64-bit builds. */
    c = (void (*)(void))shellcode;
    /* Transfer control, just as the exploit would.  With DEP/NX enforced the
     * buffer has to be in executable memory (e.g. VirtualProtect it first). */
    c();
    return 0;
}

Basically, the code creates a buffer holding your collected shellcode, declares a pointer to a function returning void, points it at the start of the buffer, and transfers control to it, just as an attacker's exploit would. Drop the hex into the array as a C-style string, compile it, and toss it into Olly for stepping and analysis! One caveat: on a system that enforces DEP/NX, the buffer has to sit in executable memory, or the call will fault before the first shellcode instruction runs.
We'll look at a current example from a site in the wild in an upcoming post.

Wednesday, December 5, 2007

Cisco CSA BoF advisory fits the pattern away from the OS and deeper into the kernel

In yesterday's post, we noted that the SANS 2007 Top 20 list shows an obvious trend away from OS components targeted by network worms and toward third-party components.

Today's Cisco Security Agent advisory is a case in point. CSA is Cisco's host-based security product (installed on your system like any other piece of software), and it makes a juicy remote exploit target because the vulnerable component is remotely accessible. This vulnerability, unfortunately, also leads further down the path of complexity and into the kernel:
"A buffer overflow vulnerability exists in a system driver used by the Cisco Security Agent for Microsoft Windows. This buffer overflow can be exploited remotely and causes corruption of kernel memory, which leads to a Windows stop error (blue screen) or to arbitrary code execution."

Tuesday, December 4, 2007

Current quicktime and client side exploits

A long list of porn sites is currently attacking recent QuickTime and some other older browser-side vulnerabilities. Unfortunately, it looks like some of our users are getting hit with this stuff in the wild -- these exploits and malware are prevalent.

It looks as though the purpose is to download, install, and run a service that acts as a trojan clicker. Clickers like this one continue to fetch web pages from related porn sites and their banner ad links in the background, without the user noticing (although your network card and cpu might appear to be pretty busy!). This activity turns into revenue for the individuals hosting the sites that the clickers are fetching pages from. Here is what an infected system with the installed service looks like:

We'll update the post with more info soon...patch your system and QuickTime, or just lay off the porn sites. Geesh.

UPDATE: The QuickTime RTSP streams appear to be down for the moment. But the CVE-2005-4560 WMF files targeting the Microsoft GDI vulnerability of long ago continue to be delivered, as are the .ani files targeting Microsoft vulnerabilities.

UPDATE2: ThreatFire continues to stop the component delivery. If your system isn't patched for the .ani and .wmf exploits that the sites deliver, TF stops the buffer overflow exploit. If the delivered components somehow end up on your system anyway, TF detects them as a Trojan clicker. These Trojan.Clicker.Syspose components are delivered from a couple of web sites hosted in Ukraine.

Wednesday, November 28, 2007

40,000 googled pages, an ineffective link that gets fixed, and tons of system-freezing downloads

We've been tracking the malicious search campaign involving thousands of domains and pages cited at the Internet Storm Center desk this morning for some time now. A couple of the sites in China each host approximately 5,000 web pages that each incorporate the same link to one malicious javascript page targeting Windows users. Other servers around the world have basically the same configuration. ThreatFire users are protected.

It's a pretty complicated attack. Basically, when you visit one of these Google results, the malicious server prompts you to download a malicious executable while at the same time fingerprinting your system for vulnerabilities and attempting to attack them. All this in an effort to install lots of "rogue security software" that scans your system and tries to intimidate you into purchasing the product with fraudulent scan results, complete with pop-ups for pharmaceuticals sprouting up on the screen.

Yesterday afternoon, we installed their executable manually (displayed at the Sunbelt blog as "VideoAccessCodecInstall.exe"). It runs on a user's system and then attempts to connect to a website and perform more downloads. The server at that destination was up, but the malicious download was not available.
However, the servers that the "video codec" connects to came back up overnight. Around 55 Internet Explorer windows and various screen prompts on one of our infected lab systems now tell me that malware and porn have been found all over the system (neither of which was there when we started), and that we need to buy their products to clean it up and keep my kids away from porn. What garbage.
Some of the product names look like this:
YourPrivacyGuard, ABSSearch, SecurePCCleaner, UltimateDefender, ADWare Remover2007, XPAntivirus, UltimateCleaner

So we've been visiting these malicious web sites in the lab, and they appear to prompt you to install a video codec, enticing you to check out the video that is about to play onscreen. But, in the background, the web page's JavaScript identifies the OS, browser and Java VM version of the visiting user and attacks the browser accordingly. Based on this information, it attacks multiple Microsoft vulnerabilities: MS06-014, MS06-006, MS05-001, MS03-011. It can also attack a couple of old Firefox-side vulnerabilities: first MFSA 2005-50, and if that attack fails on your Firefox browser, it resorts to attacking MS06-006, which overflows a buffer in the Windows Media Player plug-in used by unpatched non-Microsoft browsers such as Firefox.

Simply put, the best way to deal with this threat is to update your Windows operating system and application components and keep your system's third party utilities patched, and maintain effective security products on your system.
We'll keep you updated on the situation.

If you see this on your system while you are browsing the web with Firefox, do NOT download and execute the executable:

If you see this on your system while you are browsing the web with Internet Explorer, do NOT allow the executable to run:

Here is an example of ThreatFire identifying one of the downloaders, running on a lab system:

Tuesday, November 27, 2007

Microsoft making IE client-side exploits easier once again

In an interesting move, Microsoft is returning more drive-by exploitation functionality to their Internet Explorer browser:
"Back in April 2006, we made a change to how Internet Explorer handled embedded controls used on some webpages. Some sites required users to “click to activate” before they could interact with the control. Microsoft has now licensed the technologies from Eolas, removing the “click to activate” requirement in Internet Explorer. Because of this, we're removing the “click to activate” behavior from Internet Explorer!"

Very exciting. This change means that malicious web sites delivering drive-by exploits targeting ActiveX controls will once again run without any user intervention from Internet Explorer.

The DailyDave mail list (run by Dave Aitel, an individual driving the penetration-testing industry with his CANVAS product), pointed this out last night in regards to the recent RTSP QuickTime 0day discussion and how CANVAS attacks the vulnerability:
"Dave-
It's not hard to make the exploit work against IE 7, but the user will have to click on the ActiveX (or hit the spacebar) to enable it.

Steve Shockley-
Fixed that for you"

ThreatFire prevents buffer overflow exploits like the QuickTime 0day. A related link can be found here -- the same SEH overwrite technique used in Krystian Kloskowski's recent 0day QuickTime exploit is described in that writeup.

Friday, October 12, 2007

Creepy kitty

The Storm gang's social engineering team hasn't run out of ideas yet, but the attacks are starting to look a bit creepy. Here is a screenshot of the latest Storm-related attack site:

It's not reproduced all that well on this blog posting, but the image is a flash file, and the cat's head vibrates up and down rapidly.
So now they are taking on that group of people that forward disgustingly "cute" pictures of animals.

At the bottom of this page, when visited with Firefox, the authors include a treat -- if you don't want to download and run the malicious "SuperLaugh.exe" file hosted on the site, they'll run it without your permission by attacking the Windows Media Player vulnerability. If you use Firefox, be sure to update it by clicking Help -> Check for Updates...
The pages attack IE and Opera also, so be sure to update them if you haven't already.
All exploits from these Storm related web pages are stopped by Threatfire as always...

Saturday, September 15, 2007

Whatever happened to Pacman?

If you've got kids, don't let them download any free games today. Oh yeah, you too.
It appears that the storm gang is now shifting their focus from football fans to children. This perpetual effort is changing, but its social engineering tactics appear to remain effective.

Today, an email arrived with the offer of 1000+ free games, here is the gimmick:

Subject: 1000 free games!
Message: "1000 plus games for free... Check it out hxxp://70.xxx.xxx.x3/"

If you receive this email message, DO NOT click on the link. The web site identifies your browser (IE, Firefox, Opera) and delivers a matching and reliable exploit with multiple malicious payloads. If your browser and component plugins are fully patched, all of the images are instead linked to their malicious downloader "ArcadeWorld.exe". This exe is related to the same bunch of malicious executables that no one wants on their system. We have seen variants of them from these guys since at least January (and possibly last November) -- rootkits, unwanted P2P components joining your system to a botnet, downloaders for pulling down more malware, DDoS components that turn the victim's system into an attacker, and spam mailer components. DO NOT run this file.

Here is an image of the website. DO NOT visit it:

Friday, August 31, 2007

How do Storm, NotFound and other threats infiltrate so many PC's?

As the trend continues to move away from exploiting system services and more commonly toward exploiting client applications like web browsers and third party plugins, our research has turned towards these threats and overturned some fairly new stones for the commoditized exploit packages currently in the wild. The Storm threat, and numerous others have been using these packages to deliver driveby browser and, in this case, third party plugin exploits. These sorts of threats have been very effective recently at compromising users' systems in order to build botnets and send spam, and steal passwords and other sensitive information.

Now, not only are these packages delivering repacked and crypted binaries via harmless looking but malicious web pages, but they are re-obfuscating the malicious content hidden on the web pages at very small intervals. The threats, at every level, are constantly changing.

We collected up these changing pages from multiple malicious web sites, de-obfuscated their code, and isolated each exploit with its shellcode to analyze them, and to identify any problems they might cause for security products. Here are some notes from our research on in-the-wild web exploits:

The code across malicious groups is becoming more and more similar. There most definitely is code sharing between the groups writing the exploits. Some of them are the exact same techniques for identical exploits.

One recent addition to the commoditized exploit packages that are bought and sold online that has not been much discussed is exploitation of a recently disclosed Yahoo Messenger vulnerability, with shellcode that evades some of the major av vendors’ security software.

The vulnerability affects a version of a component called the "Webcam Viewer Networking and Imaging" ActiveX control (ywcvwr.dll v2.0.1.4). Basically, an old-fashioned stack-based buffer overflow occurs because a 1023-byte buffer is set aside to store input for webcam functionality, but the length of the input is not checked, allowing maliciously crafted webcam objects to run arbitrary code of the attacker's choosing.

We examined the attacker's approach. They use a reliable method of delivering control to their shellcode on XP SP2 and Vista systems over IE6 and IE7 with default settings: they spray the heap with shellcode of their choosing simply by creating a dozen or so variables in their JavaScript and stuffing them with lots of NOPs followed by shellcode. They then deliver a large amount of data (5000 bytes) to this unchecked 1023-byte buffer and overrun values on the stack, including the exception handler. An exception occurs, and because the exception handler has been overwritten with an address on the heap, control is passed to their download-and-execute shellcode.

By default, this exploit works on Vista systems when IE6 and IE7 do not have the "Data Execution Prevention" feature enabled. But techniques to disable the DEP check even when it is enabled have been published as well.

This image shows the thread stack as it is overflowed. An exception has been caused at this point, and we break on it to notice that the stack is covered with “\x0a\x0a\x0a\x0a”.

When this exception occurs, we can take a peek at the exception handler, which also is stored on the stack. It has been overwritten with “\x0a\x0a\x0a\x0a” as well. Because the exception has been thrown, our goat system tries to provide control to the first handler in the list, which happens to be at the craftily overwritten “0a0a0a0a”.


Interestingly, the heap has been sprayed with shellcode because the javascript sets up multiple variables full of shellcode. Due to this spray, the location “0a0a0a0a” now points to “0c0c0c0c”, which also is located on the heap. This heap contains two things – a nop sled of "0c0c0c0c" and “download and execute” shellcode.


Control will slide down the sled to our shellcode, and the attackers will effectively download and execute a set of binaries stored on another web server. These binaries download and execute even more malware, including bots, rootkits, password stealers, adware and other problematic software.
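As an added model, not the exploit's code or anything from the original post: a C simulation of the landing described above. A simulated heap is filled with identical blocks, each a long run of 0x0c sled bytes followed by a short payload, and we ask what happens when control arrives at an arbitrary address: land in a sled and slide forward to the payload, land inside the payload and execute it from the middle, or miss the spray altogether. The 0x0a000000 base, the 64 KiB block size and the sled/payload split are assumptions chosen so that the post's 0x0a0a0a0a address falls inside the spray; the sled byte 0x0c is the one the post observed.

```c
/* Added example (not the post's own code): a model of the heap-spray
 * landing described above.  The simulated region base, block size and
 * sled/payload split are assumptions for this demo. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define SLED_BYTE   0x0c   /* "0c 0c" decodes as "or al, 0x0c": a harmless 2-byte instruction */
#define PAYLOAD_TAG 0x90   /* stands in for the bytes of the real shellcode */

typedef struct {
    uint8_t *mem;        /* simulated heap */
    size_t   size;       /* bytes sprayed */
    uint32_t base;       /* simulated address of mem[0] */
    size_t   block;      /* bytes per sprayed block */
    size_t   sled;       /* sled bytes per block (block - sled = payload) */
} spray_t;

/* Fill `blocks` copies of [sled | payload] starting at base. 0 on success, -1 on error. */
int spray_build(spray_t *s, uint32_t base, size_t block, size_t sled, size_t blocks) {
    if (sled >= block || blocks == 0) return -1;
    s->size = block * blocks;
    s->mem = malloc(s->size);
    if (!s->mem) return -1;
    s->base = base; s->block = block; s->sled = sled;
    for (size_t b = 0; b < blocks; b++) {
        uint8_t *p = s->mem + b * block;
        memset(p, SLED_BYTE, sled);
        memset(p + sled, PAYLOAD_TAG, block - sled);
    }
    return 0;
}

/* Outcome of redirecting EIP to `addr`:
 *  >= 0 : sled bytes executed before control reaches the payload start
 *  -1   : addr is outside the sprayed region (unmapped -> access violation)
 *  -2   : addr is inside a payload, not a sled (executes shellcode mid-stream)
 *  -3   : odd number of sled bytes left, so the last "0c XX" instruction
 *         swallows payload[0] and execution enters the payload one byte late */
long spray_land(const spray_t *s, uint32_t addr) {
    if (addr < s->base || (uint64_t)addr - s->base >= s->size) return -1;
    size_t off = (size_t)(addr - s->base) % s->block;
    if (off >= s->sled) return -2;
    size_t remaining = s->sled - off;
    if (remaining & 1) return -3;
    return (long)remaining;
}

/* Fraction (0..1) of sprayed addresses that fall in a sled rather than a payload. */
double spray_hit_rate(const spray_t *s) { return (double)s->sled / (double)s->block; }

void spray_free(spray_t *s) { free(s->mem); s->mem = NULL; }

/* Build an assumed spray covering the post's 0x0a0a0a0a target: 16 blocks of
 * 64 KiB at 0x0a000000, each a 0xff00-byte sled plus a 0x100-byte payload.
 * Returns spray_land() for addr. */
long demo_land(uint32_t addr) {
    spray_t s;
    if (spray_build(&s, 0x0a000000u, 0x10000, 0xff00, 16) != 0) return -1;
    long r = spray_land(&s, addr);
    spray_free(&s);
    return r;
}

int main(void) {
    printf("0x0a0a0a0a -> %ld sled bytes then payload\n", demo_land(0x0a0a0a0au));
    printf("0x0a00ff80 -> %ld (inside a payload)\n", demo_land(0x0a00ff80u));
    printf("0x09ffffff -> %ld (outside the spray)\n", demo_land(0x09ffffffu));
    printf("0x0a000001 -> %ld (odd alignment)\n", demo_land(0x0a000001u));
    return 0;
}
```

Two practical points fall out of the model. The sled has to dwarf the payload, because the attacker has no control over where in a block the guessed address lands and every landing inside the payload is a crash. And a two-byte sled instruction such as `or al, 0x0c` only works if the run of sled bytes between the landing point and the payload is even; real sprays pad the start of the shellcode with single-byte NOPs so that an off-by-one entry is still harmless.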

They keep coming! Another Yahoo webcam viewer vulnerability has been discovered and its exploit posted by a Chinese security group without having notified Yahoo, so we’ll keep an eye on this 0day as well and probably post on it. We’ve looked through the code, and it attacks a heap overflow instead of a stack overflow like this one, but methods to effectively defend against it remain the same.

Beware web sites and links that you have not visited before, especially if they are sent to you via email, and update your security software. Buffer overflow exploits like this one can turn an unwitting user into a victim.