New IE 0-day Vulnerability

November 5, 2010

The SonicWALL UTM Research team received reports of a new Internet Explorer 0-day vulnerability being exploited in the wild. Internet Explorer versions 6, 7 and 8 are affected. The vulnerability is actively being targeted by specially crafted HTML pages on compromised sites.

The HTML page contains heavily obfuscated malicious JavaScript code that encloses the shellcode and a NOP sled. Upon a successful exploit attempt, the shellcode is executed, leading to the download and execution of a malicious executable file on the victim machine.

During our research we found the shellcode enclosed within the JavaScript to be encrypted; a snippet of the decrypted code can be seen below:


The code seen above leads to the download of the file linkbl.gif from a compromised site. It is an encrypted malicious executable with a GIF header to avoid AV detection. The file gets decrypted and the GIF header is replaced by an MZ header on the victim machine.

The malware performs the following activities upon execution:

  • Drops the following two files on the victim machine:
    • (STARTUP)/ctfmon.exe [Detected as GAV: Agent.IEM (Trojan)]
    • (SYSTEM32)/msnetacsvc.dll [Detected as GAV: Pirpi.D (Trojan)]

  • Creates the following registry entries to ensure that the dropped malware runs on every system reboot:
    • HKLM_SYSTEM_Services\NWCWorkstation\Parameters\ServiceDll: "%SystemRoot%\System32\msnetacsvc.dll"
    • HKLM_SYSTEM_Services\NWCWorkstation\ImagePath: "%SystemRoot%\System32\svchost.exe -k netsvcs"
    • HKLM_SYSTEM_Services\NWCWorkstation\DisplayName: "NetWare Workstations"
  • Opens a backdoor on the victim machine and attempts to connect to the IP address of a server hosted in Poland. The server is still actively serving encrypted command files at the time of writing this alert. Sample command files requested:
    • GET /bbs/OmIxA9gILmICAAAAPDlUKWrsYsjh0XQxOpixOpixOpiA.gif
    • GET /binary/jXor5LTseXmEAAAAihV0f-Pux4Xbv_grj1Wrj1Wrj1UA.rar
    • GET /picture/OdEw2TlxLdEDAAAAPThVKGntYcfg0HUwO9ewO9ewO9eA.jpg
    • GET /images/Y6V8BWHA1AUIAAAAWtefUqtsaX7fGXD9g5mA.gif
    • GET /news/kHgu4hdmhHeCAAAAlx7Xgkpzwkh7xecukL8ukL8ukL6A.jpg
    • GET /pic/9AWMBYsPcAUgAAAA8un9djhBrNp2tiOM9IoM9IoM9ImA.bmp

    Directories contacted on the server include bbs, binary, pic, picture, image, images, index, and news.
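
The request pattern above can be hunted for in web proxy logs. The following Python sketch is an added example, not SonicWALL's signature logic: the log format, host names, client addresses, the 30-character minimum and the "strong"/"weak" labels are assumptions, while the directory names, extensions and the two matching paths come from this alert.

```python
import re
from urllib.parse import urlsplit

# Directory names listed in the alert.
C2_DIRS = {"bbs", "binary", "pic", "picture", "image", "images", "index", "news"}
# Extensions seen in the alert's sample requests.
C2_EXTS = {"gif", "rar", "jpg", "bmp"}
# Assumption: the file name is one URL-safe base64 token of 30+ characters.
TOKEN = re.compile(r"[A-Za-z0-9_-]{30,}")

def classify(url):
    """Return 'strong', 'weak' or None for one requested URL or path."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    if len(parts) != 2 or parts[0].lower() not in C2_DIRS:
        return None
    name, _, ext = parts[1].rpartition(".")
    if ext.lower() not in C2_EXTS or not TOKEN.fullmatch(name):
        return None
    # Hyphenated lower-case slugs also fit TOKEN, so require mixed classes.
    if not all(re.search(p, name) for p in (r"[A-Z]", r"[a-z]", r"\d")):
        return None
    # All six sample names in the alert carry "AAAA" at offset 12.
    return "strong" if name[12:16] == "AAAA" else "weak"

def scan(log_lines):
    """Yield (client, url, verdict) for GET lines that match the pattern."""
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4 or fields[2] != "GET":
            continue
        verdict = classify(fields[3])
        if verdict:
            yield fields[1], fields[3], verdict

# Constructed proxy log lines (format, hosts and addresses are made up);
# the two matching paths are sample requests quoted in the alert.
SAMPLE_LOG = [
    "2010-11-05T10:00:01Z 10.0.0.5 GET http://host.example/bbs/OmIxA9gILmICAAAAPDlUKWrsYsjh0XQxOpixOpixOpiA.gif 200",
    "2010-11-05T10:00:02Z 10.0.0.7 GET http://shop.example/images/logo.gif 200",
    "2010-11-05T10:00:03Z 10.0.0.7 GET http://shop.example/images/summer-holiday-photo-gallery-thumbnail.jpg 200",
    "2010-11-05T10:00:04Z 10.0.0.5 GET http://host.example/images/Y6V8BWHA1AUIAAAAWtefUqtsaX7fGXD9g5mA.gif 200",
    "2010-11-05T10:00:05Z 10.0.0.9 POST http://host.example/news/submit 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A "weak" verdict means the name fits the general shape only; treat it as a lead to correlate with the dropped files and service entry listed above.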

SonicWALL Gateway AntiVirus provided protection against this threat via the following signatures:

GAV: CVE-2010-3962.A (Exploit)
GAV: Pirpi.D#dldr (Trojan)
GAV: Agent.IEM (Trojan)
GAV: Pirpi.D (Trojan)
IDP: 5908 Malicious HTML Style Tag 1