TrendLabs Security Intelligence Blog

Archive for July 4th, 2012

As discussed in our previous blog entries, we found an exploit (Trend Micro detection HTML_EXPLOYT.AE) that targets a vulnerability in Microsoft XML Core Services (CVE-2012-1889). Based on our analysis, HTML_EXPLOYT.AE has three key features: its use of Microsoft XML Core Services, a heap spray, and the absence of any ROP (Return-Oriented Programming) stage. Our two earlier entries covered in detail how HTML_EXPLOYT.AE triggers the Microsoft XML Core Services vulnerability and how it performs the heap spray. This time we focus on the missing ROP stage of HTML_EXPLOYT.AE, and on the backdoor (detected as BKDR_POISON.HUQA) that a successful exploit downloads.

HTML_EXPLOYT.AE Feature 3: No ROP (Return-Oriented Programming) function

Let’s check how HTML_EXPLOYT.AE executes malicious code in the heap-sprayed area after successfully exploiting CVE-2012-1889.

When we checked the exploit code, we did not find any ROP (Return-Oriented Programming) chain. A ROP chain is what a modern browser exploit normally uses to make the sprayed memory executable (for example by calling VirtualProtect or VirtualAlloc with an executable page protection) before transferring control to it. HTML_EXPLOYT.AE skips that step entirely: it jumps directly to the malicious code in the heap-sprayed memory area.

Whether that direct jump works therefore depends on Data Execution Prevention (DEP). In Internet Explorer 9 and 10 DEP is always on, and on Internet Explorer 8 it can be on, which stops HTML_EXPLOYT.AE from jumping into the heap-sprayed area. Let us check the page protection of the heap-sprayed region with WinDbg extensions (for example !address, which reports the protection flags of the pages containing a given address).

On IE9 and IE10, where DEP is enabled by default, HTML_EXPLOYT.AE fails to jump to the heap-sprayed area. The committed pages of the sprayed region carry no PAGE_EXECUTE* protection flag, which is what would grant execute access to them, so the processor refuses the first instruction fetch from the sprayed memory. DEP thus turns the attempted code execution into an access violation, and Internet Explorer is terminated instead of running the payload.

IE8 is a different story, since its DEP status depends on configuration and can be either enabled or disabled. With DEP disabled, HTML_EXPLOYT.AE proceeds with its malicious routine without any problem; with DEP enabled, the attack is blocked in the same way as on IE9 and IE10. It should be noted that in earlier versions of Internet Explorer (7, 6 and older), DEP is disabled by default.
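The behaviour described above, as an added example that is not part of the original post or of the exploit: a Linux/POSIX stand-in for the Windows case, in which mmap and mprotect play the role of VirtualAlloc/VirtualProtect, SIGSEGV plays the role of the DEP access violation, and the "payload" is a constructed single `ret` instruction. `direct_jump_no_rop` does what HTML_EXPLOYT.AE does (jump straight into read/write memory); `jump_after_making_executable` adds the step a ROP chain would normally perform. The page size, signal handling and mapping details are assumptions of this example, not findings of the analysis.

```c
/*
 * Added example: why a "no ROP" jump into heap-sprayed memory dies under DEP.
 * Not code from HTML_EXPLOYT.AE; a Linux/POSIX stand-in for the Windows case
 * (mmap/mprotect for VirtualAlloc/VirtualProtect, SIGSEGV for the DEP fault).
 */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20          /* Linux value, for strict feature-macro builds */
#endif

enum exec_result { EXEC_OK = 0, EXEC_FAULTED = 1, EXEC_UNSUPPORTED = 2 };

static sigjmp_buf fault_env;
static volatile sig_atomic_t last_fault_signal;

static void fault_handler(int signo)
{
    last_fault_signal = signo;
    siglongjmp(fault_env, 1);       /* unwind out of the faulting "payload" call */
}

/* Constructed stand-in payload: a single "ret", so a successful call simply
 * returns to the caller. Encoding is architecture-specific. */
static size_t write_ret_stub(uint8_t *dst, size_t cap)
{
#if defined(__x86_64__) || defined(__i386__)
    if (cap < 1) return 0;
    dst[0] = 0xC3;                  /* ret */
    return 1;
#elif defined(__aarch64__)
    static const uint8_t ret[4] = { 0xC0, 0x03, 0x5F, 0xD6 };   /* ret */
    if (cap < 4) return 0;
    memcpy(dst, ret, 4);
    return 4;
#else
    (void)dst; (void)cap;
    return 0;
#endif
}

/* Call into `code` with SIGSEGV/SIGBUS trapped; report fault vs. clean return. */
static int call_with_fault_guard(void *code)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int result = EXEC_FAULTED;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = fault_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(fault_env, 1) == 0) {
        void (*payload)(void) = (void (*)(void))code;
        payload();                  /* the exploit's direct jump into the spray */
        result = EXEC_OK;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

/* Map one "sprayed" page read/write, place the stub in it, and jump to it.
 * make_executable=0 reproduces HTML_EXPLOYT.AE (no ROP stage, page stays RW);
 * make_executable=1 does what a ROP chain calling VirtualProtect would achieve. */
static int jump_into_sprayed_page(int make_executable)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *block = mmap(NULL, page, PROT_READ | PROT_WRITE,
                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (block == MAP_FAILED) return EXEC_UNSUPPORTED;

    if (write_ret_stub(block, page) == 0) { munmap(block, page); return EXEC_UNSUPPORTED; }

    if (make_executable) {
        if (mprotect(block, page, PROT_READ | PROT_EXEC) != 0) {
            munmap(block, page);    /* W^X policy refused the change; cannot demonstrate */
            return EXEC_UNSUPPORTED;
        }
        __builtin___clear_cache((char *)block, (char *)block + page);
    }
    int r = call_with_fault_guard(block);
    munmap(block, page);
    return r;
}

int direct_jump_no_rop(void)           { return jump_into_sprayed_page(0); }
int jump_after_making_executable(void) { return jump_into_sprayed_page(1); }

int main(void)
{
    static const char *names[] = { "executed", "access violation (DEP)", "unsupported here" };
    printf("no ROP, RW spray page : %s\n", names[direct_jump_no_rop()]);
    printf("page made executable  : %s\n", names[jump_after_making_executable()]);
    return 0;
}
```

On a DEP/NX-enforcing system the first call is stopped at the very first instruction fetch, which is the IE9/IE10 (and DEP-enabled IE8) outcome described above; the second call returns normally. The missing PAGE_EXECUTE flag that WinDbg's !address would show on Windows corresponds here to the mapping lacking PROT_EXEC.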

After exploiting CVE-2012-1889, HTML_EXPLOYT.AE downloads the backdoor BKDR_POISON.HUQA and executes it on the infected system.

Once executed, BKDR_POISON.HUQA connects to its command-and-control (C&C) servers over TCP port 80, giving a remote attacker control of the infected system. The attacker can then run arbitrary malicious routines on it, including stealing system-related information.

Because Microsoft XML Core Services is installed on most PCs, this exploit poses a significant threat to users. Furthermore, its attack code has been made public, which may enable other attackers to reuse it in future campaigns.

Trend Micro users are protected from this threat via the Smart Protection Network™, which detects HTML_EXPLOYT.AE and BKDR_POISON.HUQA through file reputation services and blocks access to the related C&C servers through web reputation services. More importantly, Trend Micro Deep Security and OfficeScan with IDF enabled prevent attacks exploiting CVE-2012-1889 via rule 1005061 - Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889).

For added protection, users must update their systems with the latest security patches made available by software vendors such as Microsoft. To learn more about this vulnerability, users may refer to Microsoft's security advisory for it (Microsoft Security Advisory 2719615). Microsoft has also released a Fix it tool as a workaround for this vulnerability. Users must also observe best computing practices, such as avoiding unknown websites and not opening email messages from dubious sources.




In the first part of our three-part blog entry about HTML_EXPLOYT.AE, we analyzed how HTML_EXPLOYT.AE uses the Microsoft XML Core Services vulnerability (CVE-2012-1889). As previously discussed, HTML_EXPLOYT.AE has three key features: its use of Microsoft XML Core Services, its heap spray, and the absence of a ROP (Return-Oriented Programming) stage. In this second part of the series, we focus on how HTML_EXPLOYT.AE uses the heap spray technique.

HTML_EXPLOYT.AE Feature 2: Heap Spray

The WinDbg crash context we captured shows that HTML_EXPLOYT.AE relies on corrupted heap memory rather than a stack overflow: the vulnerable code dereferences an object pointer that ends up pointing into attacker-controlled heap memory and calls a virtual function through it. Heap spray is the technique exploits use to make such a dereference land on attacker data reliably, and thereby to facilitate arbitrary code execution.

Based on our analysis, HTML_EXPLOYT.AE uses a JavaScript heap spray routine that fills the heap with copies of one large block.

Using WinDbg, we were also able to inspect the heap spray memory area created by HTML_EXPLOYT.AE: the number of heap-sprayed blocks amounted to 230, and each block contains 80,000 bytes.

The malicious code sits inside each of these heap-sprayed blocks.
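The layout the spray relies on, as an added example in C that is not the exploit's own JavaScript: each block is a sled of x86 single-byte NOPs (0x90) ending in the payload, so control landing anywhere in the sled slides into the payload. The block count and size follow the figures above (230 blocks of 80,000 bytes, taken at face value); the payload is a constructed marker; `spray_locate` shows how an attacker maps a guessed address such as 0x0c0c0c0c, a target commonly used by Internet Explorer heap sprays, to a block and offset under an assumed heap base and per-block allocation stride. Base and stride are parameters of this example, not facts about HTML_EXPLOYT.AE, and the post does not state which address the exploit targets.

```c
/*
 * Added example (not HTML_EXPLOYT.AE's spray code): the memory layout a heap
 * spray relies on. Block numbers follow the analysis above; the payload is a
 * constructed marker; heap base and stride in spray_locate are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SPRAY_BLOCKS     230
#define SPRAY_BLOCK_SIZE 80000u
#define NOP              0x90       /* x86 one-byte NOP, the sled filler */

/* Constructed stand-in for the shellcode at the tail of every block. */
static const uint8_t PAYLOAD_MARKER[] = { 0xCC, 'P', 'A', 'Y', 'L', 'O', 'A', 'D', 0xC3 };

struct spray {
    uint8_t **blocks;
    size_t    count;
    size_t    size;
};

void spray_free(struct spray *s)
{
    if (!s->blocks) return;
    for (size_t i = 0; i < s->count; i++) free(s->blocks[i]);
    free(s->blocks);
    s->blocks = NULL; s->count = 0;
}

/* Allocate `count` blocks of `size` bytes: a NOP sled with the payload at the
 * end, the same shape as one big JavaScript string copied many times. */
int spray_alloc(struct spray *s, size_t count, size_t size)
{
    s->blocks = NULL; s->count = 0; s->size = size;
    if (size <= sizeof PAYLOAD_MARKER) return -1;
    s->blocks = calloc(count, sizeof *s->blocks);
    if (!s->blocks) return -1;
    s->count = count;
    for (size_t i = 0; i < count; i++) {
        uint8_t *b = malloc(size);
        if (!b) { spray_free(s); return -1; }
        memset(b, NOP, size);
        memcpy(b + size - sizeof PAYLOAD_MARKER, PAYLOAD_MARKER, sizeof PAYLOAD_MARKER);
        s->blocks[i] = b;
    }
    return 0;
}

size_t spray_total_bytes(const struct spray *s) { return s->count * s->size; }

/* From a landing offset, advance over NOPs; returns the first non-NOP offset
 * (or `size` if the sled runs to the end of the block). */
size_t sled_slide(const uint8_t *block, size_t size, size_t landing)
{
    size_t off = landing;
    while (off < size && block[off] == NOP) off++;
    return off;
}

/* 1 if control landing at (block_idx, offset) slides into an intact payload,
 * 0 if it lands inside or after the payload, or outside the spray. */
int landing_reaches_payload(const struct spray *s, size_t block_idx, size_t offset)
{
    if (block_idx >= s->count || offset >= s->size) return 0;
    const uint8_t *b = s->blocks[block_idx];
    size_t payload_off = s->size - sizeof PAYLOAD_MARKER;
    return sled_slide(b, s->size, offset) == payload_off &&
           memcmp(b + payload_off, PAYLOAD_MARKER, sizeof PAYLOAD_MARKER) == 0;
}

/* Share of each block from which a random landing reaches the payload. */
double sled_hit_ratio(size_t size, size_t payload_len)
{
    return (double)(size - payload_len) / (double)size;
}

/* Map a guessed address to (block, offset) given the heap base and per-block
 * stride the attacker assumes; -1 if the spray does not cover the address. */
int spray_locate(uintptr_t heap_base, size_t stride, size_t count,
                 uintptr_t target, size_t *block_idx, size_t *offset)
{
    if (stride == 0 || target < heap_base) return -1;
    uintptr_t rel = target - heap_base;
    if (rel / stride >= count) return -1;
    *block_idx = (size_t)(rel / stride);
    *offset    = (size_t)(rel % stride);
    return 0;
}

int main(void)
{
    struct spray s;
    if (spray_alloc(&s, SPRAY_BLOCKS, SPRAY_BLOCK_SIZE) != 0) return 1;
    printf("sprayed %zu bytes in %zu blocks, sled hit ratio %.5f\n",
           spray_total_bytes(&s), s.count, sled_hit_ratio(s.size, sizeof PAYLOAD_MARKER));
    printf("landing at block 229 offset 12345 reaches payload: %d\n",
           landing_reaches_payload(&s, 229, 12345));
    size_t idx, off;                /* assumed heap base 0x0a000000, stride 0x80000 */
    if (spray_locate(0x0a000000u, 0x80000u, SPRAY_BLOCKS, 0x0c0c0c0cu, &idx, &off) == 0)
        printf("0x0c0c0c0c -> block %zu offset 0x%zx\n", idx, off);
    spray_free(&s);
    return 0;
}
```

With an assumed stride of 0x80000 bytes and heap base 0x0a000000, 0x0c0c0c0c falls in block 65 at offset 0x40C0C, well inside the sled; with the 80,000-byte stride quoted above and the same base, 230 blocks do not reach that address at all. That gap is why an attacker tunes block size and count to the address the corrupted pointer will hold, and why the sled must dwarf the payload: only a landing inside the payload itself fails.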

Because Microsoft XML Core Services is installed on most PCs and the attack code has been made public, HTML_EXPLOYT.AE may have a significant impact on PC users everywhere, and we may see other attackers adopt this exploit to target users with their own malicious schemes. Users are advised to regularly update their systems with the latest security patches distributed by software vendors. Microsoft has also released a Fix it tool as a workaround for this vulnerability. As an added precaution, users must be wary of visiting untrusted sites and opening email messages from unknown senders. Observing these best practices is important in preventing this kind of attack.

Fortunately, Trend Micro users need not worry, as they are protected from this threat via the Smart Protection Network™, which detects HTML_EXPLOYT.AE. In addition, both Trend Micro Deep Security and OfficeScan with IDF enabled prevent attacks exploiting CVE-2012-1889 via rule 1005061 - Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889).

In the last installment of our three-part series about this exploit, we will share our findings on the third feature of HTML_EXPLOYT.AE: the absence of a ROP stage.


© Copyright 2013 Trend Micro Inc. All rights reserved.