New IE 0-day Vulnerability
The SonicWALL UTM Research team has received reports of a new Internet Explorer 0-day vulnerability (CVE-2010-3962, reported here) being exploited in the wild. Internet Explorer versions 6, 7 and 8 are affected. The vulnerability is being actively targeted through specially crafted HTML pages hosted on compromised sites.
The HTML page contains heavily obfuscated malicious JavaScript that embeds the shellcode together with a NOP sled. On a successful exploit attempt the shellcode executes and downloads and runs a malicious executable on the victim machine.
The shellcode downloads linkbl.gif from a compromised site. The file is an encrypted malicious executable that carries a GIF header instead of the executable's MZ header, so that a signature scanner keying on the file magic sees an image. On the victim machine the file is decrypted and the GIF header is replaced by the MZ header, restoring a runnable executable.
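The header swap described above, as an added illustration (this is not SonicWALL's code and not the dropper's own routine): a constructed minimal PE stub is masked the way the alert describes, then unmasked, and two checks an analyst can run on a suspect image file are shown. The alert does not describe the dropper's cipher, so a single-byte XOR stands in for it here; the key value and the helper names are assumptions.

```python
"""Added example: masking a PE behind a GIF header and detecting it.
Not SonicWALL's code and not the malware's own routine. The cipher is an
assumed stand-in (single-byte XOR); the real dropper's scheme is unknown."""
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")
ASSUMED_XOR_KEY = 0x5A  # assumption: stand-in for the dropper's unknown cipher


def build_minimal_pe_stub() -> bytes:
    """Constructed sample: a 64-byte DOS header whose e_lfanew points at a
    PE signature. Not a runnable executable, just enough for the checks."""
    dos = bytearray(b"MZ" + b"\x00" * 62)        # IMAGE_DOS_HEADER is 64 bytes
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew -> offset 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20  # signature + dummy COFF bytes


def mask_pe_as_gif(pe: bytes, key: int = ASSUMED_XOR_KEY) -> bytes:
    """The trick from the alert: encrypt the body and swap the 'MZ' magic
    for a GIF magic so a magic-only scanner classifies the file as an image."""
    body = bytes(b ^ key for b in pe[2:])
    return b"GIF89a" + body


def unmask_gif_to_pe(blob: bytes, key: int = ASSUMED_XOR_KEY) -> bytes:
    """The victim-side reversal: strip the GIF magic, decrypt, restore 'MZ'."""
    if not blob.startswith(GIF_MAGICS):
        raise ValueError("not a GIF-masked blob")
    body = bytes(b ^ key for b in blob[6:])
    return b"MZ" + body


def is_plausible_gif(blob: bytes) -> bool:
    """Structural check beyond the magic: a real GIF carries a 7-byte logical
    screen descriptor (non-zero width/height) after the magic and ends with
    the 0x3B trailer byte. The masked dropper fails this."""
    if len(blob) < 14 or not blob.startswith(GIF_MAGICS):
        return False
    width, height = struct.unpack_from("<HH", blob, 6)
    return width > 0 and height > 0 and blob[-1] == 0x3B


def is_pe_image(data: bytes) -> bool:
    """Validate the DOS header and the PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_suspect_gif(blob: bytes, key: int = ASSUMED_XOR_KEY) -> str:
    """'gif' if structurally sound, 'masked-pe' if unmasking with the assumed
    key yields a PE image, 'unknown' otherwise. Anything but 'gif' is worth
    pulling for manual analysis."""
    if is_plausible_gif(blob):
        return "gif"
    try:
        if is_pe_image(unmask_gif_to_pe(blob, key)):
            return "masked-pe"
    except ValueError:
        pass
    return "unknown"


if __name__ == "__main__":
    sample = mask_pe_as_gif(build_minimal_pe_stub())
    print(sample[:6], classify_suspect_gif(sample))
```

The structural GIF check is the part that transfers to real triage: the file magic alone is exactly what the dropper forges, so a scanner should also require the logical screen descriptor and trailer that every genuine GIF has.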
The malware performs the following activities upon execution:
- Drops the following two files on the victim machine (the first borrows the name of the legitimate Windows ctfmon.exe):
- (STARTUP)/ctfmon.exe [Detected as GAV: Agent.IEM (Trojan)]
- (SYSTEM32)/msnetacsvc.dll [Detected as GAV: Pirpi.D (Trojan)]
- Creates the following registry entries, which register the dropped DLL as a service hosted by svchost.exe in the netsvcs group so that it is loaded on every reboot:
- HKLM_SYSTEM_Services\NWCWorkstation\Parameters\ServiceDll: "%SystemRoot%\System32\msnetacsvc.dll"
- HKLM_SYSTEM_Services\NWCWorkstation\ImagePath: "%SystemRoot%\System32\svchost.exe -k netsvcs"
- HKLM_SYSTEM_Services\NWCWorkstation\DisplayName: "NetWare Workstations"
- Opens a backdoor on the victim machine and attempts to connect to the IP address of a server hosted in Poland. At the time of writing this alert the server is still actively serving encrypted command files. Sample command files requested:
- GET /bbs/OmIxA9gILmICAAAAPDlUKWrsYsjh0XQxOpixOpixOpiA.gif
- GET /binary/jXor5LTseXmEAAAAihV0f-Pux4Xbv_grj1Wrj1Wrj1UA.rar
- GET /picture/OdEw2TlxLdEDAAAAPThVKGntYcfg0HUwO9ewO9ewO9eA.jpg
- GET /images/Y6V8BWHA1AUIAAAAWtefUqtsaX7fGXD9g5mA.gif
- GET /news/kHgu4hdmhHeCAAAAlx7Xgkpzwkh7xecukL8ukL8ukL6A.jpg
- GET /pic/9AWMBYsPcAUgAAAA8un9djhBrNp2tiOM9IoM9IoM9ImA.bmp
Directories contacted on the server include bbs, binary, pic, picture, image, images, index, and news. The requests are shaped to look like ordinary image and archive downloads (gif, jpg, bmp, rar) under innocuous directory names, with the command file identified by a long URL-safe base64 token.
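A log-scanning heuristic built from the shape of the six requests quoted above, as an added example (this is not a SonicWALL signature and not the malware's protocol). The fingerprint it applies is my own reading of the samples and is an assumption: every observed token is unpadded URL-safe base64 of a length divisible by 4 and has the literal "AAAA" at characters 12 to 15 (three zero bytes at offset 9). The proxy-log field layout and the log lines themselves are constructed for the example.

```python
"""Added example: flag HTTP requests that match the shape of the observed
command-file fetches. Not SonicWALL's signature; the token fingerprint is an
assumption derived from the six samples and should be tuned before use."""
import base64
import re
from typing import List, Tuple

# Directories the alert lists as used on the C2 server.
C2_DIRS = {"bbs", "binary", "pic", "picture", "image", "images", "index", "news"}
# Extensions seen in the observed requests.
C2_EXTS = {"gif", "rar", "jpg", "bmp"}

# Path = /<dir>/<base64url token>.<image-or-archive extension>
C2_PATH = re.compile(
    r"^/(?P<dir>[a-z]+)/(?P<tok>[A-Za-z0-9_-]{24,})\.(?P<ext>[a-z]{3})$"
)


def token_looks_like_c2(tok: str) -> bool:
    """Assumed fingerprint: unpadded URL-safe base64, length divisible by 4,
    'AAAA' at characters 12-15, which decodes to three zero bytes at offset 9."""
    if len(tok) % 4 != 0 or tok[12:16] != "AAAA":
        return False
    try:
        raw = base64.urlsafe_b64decode(tok)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return raw[9:12] == b"\x00\x00\x00"


def is_c2_request(path: str) -> bool:
    """Directory, extension and token shape must all match."""
    m = C2_PATH.match(path)
    if not m:
        return False
    return (m["dir"] in C2_DIRS and m["ext"] in C2_EXTS
            and token_looks_like_c2(m["tok"]))


# Constructed proxy-log lines (assumed layout): "<client> <method> <path> <status>".
# The three beacon paths are taken from the alert; the other three are benign filler.
SAMPLE_LOG = """\
10.0.0.5 GET /bbs/OmIxA9gILmICAAAAPDlUKWrsYsjh0XQxOpixOpixOpiA.gif 200
10.0.0.5 GET /images/logo.gif 200
10.0.0.7 GET /binary/jXor5LTseXmEAAAAihV0f-Pux4Xbv_grj1Wrj1Wrj1UA.rar 200
10.0.0.7 GET /news/2010/11/ie-zero-day.html 200
10.0.0.9 GET /images/Y6V8BWHA1AUIAAAAWtefUqtsaX7fGXD9g5mA.gif 200
10.0.0.9 GET /pic/IMG_0001.jpg 200
"""


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client, path) for every line whose request matches the beacon shape."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, _method, path = parts[0], parts[1], parts[2]
        if is_c2_request(path):
            hits.append((client, path))
    return hits


if __name__ == "__main__":
    for client, path in scan_log(SAMPLE_LOG):
        print(f"ALERT {client} requested {path}")
```

Requiring all three features together keeps ordinary image requests such as /images/logo.gif out of the hit list; a rule on directory name or extension alone would fire on every web site.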
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
GAV: CVE-2010-3962.A (Exploit)
GAV: Pirpi.D#dldr (Trojan)
GAV: Agent.IEM (Trojan)
GAV: Pirpi.D (Trojan)
IDP: 5908 Malicious HTML Style Tag 1