Jan 26 | 4:58 am (UTC-7) | by Roland Dela Paz (Threat Response Engineer)
Earlier today, we encountered a malware that exploits a recently (and publicly) disclosed vulnerability, the MIDI Remote Code Execution Vulnerability (CVE-2012-0003). (Ed. Note: addressed in MS12-004)
This vulnerability is triggered when the Windows Multimedia Library used by Windows Media Player (WMP) fails to properly handle a specially crafted MIDI file, consequently allowing remote attackers to execute arbitrary code.
In the attack that we found, the infection vector is a malicious HTML which we found hosted on the domain, hxxp://images.{BLOCKED}p.com/mp.html. This HTML, which Trend Micro detects as HTML_EXPLT.QYUA, exploits the vulnerability by using two components that are also hosted on the same domain. The two files are: a MIDI file detected as TROJ_MDIEXP.QYUA, and a JavaScript detected as JS_EXPLT.QYUA.
HTML_EXPLT.QYUA calls TROJ_MDIEXP.QYUA to trigger the exploit, and uses JS_EXPLT.QYUA to decode the shellcode embedded in HTML_EXPLT.QYUA’s body. Below is a screenshot of HTML_EXPLT.QYUA’s code. Notice the highlighted parts where it calls the MIDI and JavaScript components:


Meanwhile, while the routines described above run in the background, affected users remain unsuspecting and see the following:

Microsoft has already issued an update to address this vulnerability during the last Patch Tuesday, so our first advice to users is to patch their systems with the Microsoft security update here. The vulnerability affects Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2. We would like to reiterate that this is a publicly disclosed exploit; as such, we can expect similar attacks in the future.
On the other hand, Trend Micro customers are already protected from this by the Trend Micro™ Smart Protection Network™, which blocks the related malicious files and URLs.
We will update this blog entry once more information is available.
Update as of January 26, 2012, 7:50 a.m. (PST)
Trend Micro Deep Security shields this vulnerability using the rule specified below. For more information on the Deep Security rules, users can visit our vulnerability page here.
Trend Micro Deep Security customers are protected by the rule 1004899 – Microsoft Windows Media Player MIDI Remote Code Execution Vulnerability (CVE-2012-0003). This rule prevents the download of MIDI files containing bad records, which could allow an attacker to execute arbitrary code if the user opens a link to a MIDI file or visits a page with an embedded MIDI file.
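The rule above drops MIDI files whose records are malformed before a media player ever parses them. As an added illustration of that idea (this is not Trend Micro's rule or code, and it does not describe the CVE-2012-0003 trigger condition), the following Python checker walks the chunk and event structure of a Standard MIDI File and reports anything that is structurally out of spec: a track chunk that claims more bytes than the file holds, a data byte with its high bit set, a data byte where a status byte is expected, or a track with no End of Track event. The heuristics are this author's choice, and all sample files are constructed inline.

```python
"""Structural sanity checker for Standard MIDI Files (SMF).

Added example, not Trend Micro's Deep Security rule: it flags MIDI files
whose chunk or event structure is malformed, the kind of input a gateway
would want to drop before a media player parses it. The checks are this
author's choice and are not a description of the CVE-2012-0003 trigger.
"""
import struct

# Number of data bytes that follow each channel-message status nibble.
CHANNEL_DATA_LEN = {0x80: 2, 0x90: 2, 0xA0: 2, 0xB0: 2, 0xC0: 1, 0xD0: 1, 0xE0: 2}


def build_midi(tracks, division=96):
    """Constructed helper: wrap raw track bodies in MThd/MTrk chunks."""
    fmt = 0 if len(tracks) == 1 else 1
    header = b"MThd" + struct.pack(">IHHH", 6, fmt, len(tracks), division)
    body = b"".join(b"MTrk" + struct.pack(">I", len(t)) + t for t in tracks)
    return header + body


def read_vlq(buf, i):
    """Read a variable-length quantity; return (value, next_index) or (None, i) if invalid."""
    value = 0
    for _ in range(4):                       # SMF caps a VLQ at 4 bytes
        if i >= len(buf):
            return None, i
        b = buf[i]
        i += 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, i
    return None, i


def check_track(buf, idx):
    """Walk one MTrk body event by event and collect structural findings."""
    findings = []
    i, running, ended = 0, None, False
    while i < len(buf):
        delta, i = read_vlq(buf, i)
        if delta is None or i >= len(buf):
            findings.append(f"track {idx}: bad or truncated delta-time at offset {i}")
            break
        status = buf[i]
        if status & 0x80:
            i += 1
        elif running is None:
            findings.append(f"track {idx}: data byte 0x{status:02x} at offset {i} with no running status")
            break
        else:
            status = running                 # running status: reuse the previous channel status
        if status == 0xFF:                   # meta event: type byte, VLQ length, payload
            if i >= len(buf):
                findings.append(f"track {idx}: truncated meta event")
                break
            mtype, i = buf[i], i + 1
            length, i = read_vlq(buf, i)
            if length is None or i + length > len(buf):
                findings.append(f"track {idx}: meta event 0x{mtype:02x} overruns track")
                break
            i += length
            if mtype == 0x2F:                # End of Track
                ended = True
                break
        elif status in (0xF0, 0xF7):         # sysex: VLQ length, payload
            length, i = read_vlq(buf, i)
            if length is None or i + length > len(buf):
                findings.append(f"track {idx}: sysex overruns track")
                break
            i += length
        elif status >= 0xF0:                 # only F0, F7 and FF are legal in an SMF track
            findings.append(f"track {idx}: unexpected system byte 0x{status:02x} at offset {i - 1}")
            break
        else:                                # channel message with a fixed number of data bytes
            running = status
            n = CHANNEL_DATA_LEN[status & 0xF0]
            if i + n > len(buf):
                findings.append(f"track {idx}: truncated channel message")
                break
            for b in buf[i:i + n]:
                if b & 0x80:                 # data bytes must be 0..127
                    findings.append(f"track {idx}: data byte 0x{b:02x} out of range for status 0x{status:02x}")
            i += n
    if not ended:
        findings.append(f"track {idx}: no End of Track meta event")
    return findings


def check_midi(data):
    """Return a list of findings for a whole SMF; an empty list means it parsed cleanly."""
    if len(data) < 14 or data[:4] != b"MThd":
        return ["missing MThd header"]
    findings = []
    hlen, fmt, ntrks, _division = struct.unpack(">IHHH", data[4:14])
    if hlen != 6:
        findings.append(f"unexpected MThd length {hlen}")
    if fmt not in (0, 1, 2):
        findings.append(f"unknown SMF format {fmt}")
    pos, seen = 8 + hlen, 0
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        clen = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        start, end = pos + 8, pos + 8 + clen
        if end > len(data):                  # chunk length points past the end of the file
            findings.append(f"chunk {cid!r} at {pos} declares {clen} bytes, only {len(data) - start} remain")
            break
        if cid == b"MTrk":
            seen += 1
            findings.extend(check_track(data[start:end], seen))
        pos = end                            # unknown chunk types are skipped, as the SMF spec allows
    if seen != ntrks:
        findings.append(f"MThd declares {ntrks} track(s), found {seen}")
    return findings


# Constructed samples: one well-formed track and three malformed variants.
GOOD_TRACK = bytes([0x00, 0x90, 0x3C, 0x40,       # note on, middle C
                    0x60, 0x80, 0x3C, 0x40,       # note off after 0x60 ticks
                    0x00, 0xFF, 0x2F, 0x00])      # End of Track
BAD_DATA_TRACK = bytes([0x00, 0x90, 0xC8, 0x40, 0x00, 0xFF, 0x2F, 0x00])  # note number 0xC8 > 127
NO_STATUS_TRACK = bytes([0x00, 0x3C, 0x40, 0x00, 0xFF, 0x2F, 0x00])       # data byte where status expected
GOOD_FILE = build_midi([GOOD_TRACK])
BAD_DATA_FILE = build_midi([BAD_DATA_TRACK])
NO_STATUS_FILE = build_midi([NO_STATUS_TRACK])
# MTrk that claims 100 bytes but carries only the 4-byte End of Track event.
TRUNCATED_FILE = (b"MThd" + struct.pack(">IHHH", 6, 0, 1, 96)
                  + b"MTrk" + struct.pack(">I", 100) + bytes([0x00, 0xFF, 0x2F, 0x00]))

if __name__ == "__main__":
    for name, blob in [("good", GOOD_FILE), ("bad-data", BAD_DATA_FILE),
                       ("no-status", NO_STATUS_FILE), ("truncated", TRUNCATED_FILE)]:
        print(name, check_midi(blob) or "OK")
```

A gateway or mail filter would call `check_midi` on any `.mid` attachment or download and quarantine files that return a non-empty list; the findings double as log detail for the analyst who triages the block.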
Update as of January 27, 2012, 2:55 a.m. (PST)
Upon further processing, we found that TROJ_DLOAD.QYUA uses two other components for its routines. It drops RTKT_MDIEXP.QYUA for its rootkit capabilities, and connects to a certain URL to download its main payload — BKDR_EAYLA.QYUA. Currently, we are analyzing this threat and we will update this blog post once analysis is complete.
Update as of January 27, 2012, 8:15 p.m. (PST)
Further analysis of BKDR_EAYLA.QYUA revealed that it is not a backdoor, but an info stealer which we now detect as TSPY_ONLING.KREA. This particular malware steals credentials related to certain Korean online game sites. Once credentials are captured, they are sent to the attacker’s C&C.
Update as of January 30, 2012, 12:30 a.m. (PST)
Below is a behavior diagram on how this particular threat works.

14 Responses to “Malware Leveraging MIDI Remote Code Execution Vulnerability Found”
Trackbacks
- Windows Media Player Vulnerability Exploited to Push Rootkit Malware | Technology News, Computer Security - Hyphenet Blog
- Warnings About Windows Exploit, pcAnywhere — Krebs on Security
- Anti hacker website - Hackers exploit a Windows Media Player vulnerability to spread viruses
- Hackers pounce on just-patched Windows Media vulnerability | ZDNet
- Warnings About Windows Exploit, pcAnywhere | My Blog
- Drive-by-download attack exploits critical vulnerability in Windows Media Player - HackerMuslim.com | HackerMuslim.com
- Beware of malicious drive-by-download attack on critical vulnerability in Windows Media Player
- Warnings about vulnerabilities in Windows and pcAnywhere | Rusecurity.com
- How To Be A Pro » MIDI Files – Mid-Way to Infection - How To Be A Pro - Botnets, Cybercrime, Malware, Phishing, Security, Spam, Vulnerabilities
- IT Secure Site » Blog Archive » February 2012 Patch Tuesday Preview
- IE update top priority for Patch Tuesday | Journal of Technology and Economic Development | Future Technology | Green Technology | Military Technology | Business | Trading | Finance | Computer | Robots | Entertainment | Games | GPS | Software | Music Tech




January 26th, 2012 at 12:13 pm
Just an observation, you might want to pixelate the hex bytes in Figure 2. Anybody can still convert them to the actual URL.
January 26th, 2012 at 12:47 pm
@AR
Shhhh… that’s for us in the know, to be able to decode and search logs while keeping the general public in the dark.
Thanks Trend.
January 26th, 2012 at 2:27 pm
OK!