Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    July 2012
    S M T W T F S
    « Jun   Aug »
  • Email Subscription

  • About Us

    Archive for July 10th, 2012

    We observed a zero-day attack aimed at a Chinese high school webpage and leveraged the Microsoft XML Core Services vulnerability. This discovery came about just days after Microsoft released an advisory regarding the vulnerability. The perpetrators behind the attack compromised a high school entrance exam result page in Jiangsu, China, which is visited by about a million students, parents, and teachers who are eager to know the exam results.

    Once users access this page, they are redirected to several sites until they reach http://vfi.{BLOCKED} This site hosts HTML_EXPLOYT.AE that exploits CVE-2012-1889 and leads to the downloading of malware onto users’ systems. As of this writing, the said webpage has been cleaned.

    Analysis of the Exploit and Exploit-Hosting Site

    Now, let’s take a look at the site http://vfi.{BLOCKED}, which hosts the said exploit.

    The screenshot below shows that site is designed to execute a heap spray – a similar technique used by most malware:

    Below is the particular code that triggers the exploit:

    As for the exploit itself, below are some of our findings.

    The following code generates memory corruption, which causes Internet Explorer to crash. However, as mentioned in our previous blog entries, the Data Execution Prevention (DEP) present in IE 9 and 10 should prevent this.

    Right after successfully executing memory corruption in Internet Explorer, the exploit then executes the shellcode. The screenshot below shows us how the exploit executes the shellcode, while the command line screenshot also shows us the execution via memory dump.

    To know more about how HTML_EXPLOYT.AE exploits CVE-2012-1889, you may refer to our previous blog entries below:

    Trend Micro users are protected from this threat via Smart Protection Network™, which blocks the malicious URLs related to this threat. Trend Micro file reputation service also detects and deletes the HTML_EXPLOYT.AE and the downloaded file. Deep Security and Officescan with IDF enabled prevent attacks exploiting CVE-2012-1889 via the rule 1005061- Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889). Furthermore, both Trend Micro Titanium Internet Security 2012 and upcoming 2013 version features an integrated BES (Browser Exploit Solution), which can detect the heapspray method without further pattern update.

    For their part, Microsoft released a fix tool as a workaround solution for this vulnerability. In addition, today’s Patch Tuesday includes patches that resolves CVE-2012-1889 vulnerability.

    Posted in Exploits, Malware, Vulnerabilities | Comments Off on High School Webpage Targeted by CVE-2012-1889 Exploit

    Last Monday, July 9, around 300,000 Internet users lost connectivity because they still had not removed their DNS Changer malware infection. Immediately after the take down of the DNS Changer network infrastructure of Rove Digital on November 8, 2011, the FBI set up clean DNS servers for infected victims. These servers were temporary solutions for the victims who had three months (which was later extended to six months) to clean their infected machines.

    Actually, a major blackout for hundreds of thousands of DNS Changer victims happened before: in fall 2008 when webhosting provider Atrivo went dark. Back then, Rove Digital had most of its computer servers running in the datacenter of Atrivo. In 2008, Atrivo’s going dark resulted in more than half of the rogue DNS servers going down for several days. So during those days, most DNS Changer victims could not use the Internet either.  However soon after, Pilosoft, a webhosting company in New York, came to rescue the criminal operation of Rove Digital. Most of the DNS Changer infrastructure moved to the Pilosoft datacenter. This is just one of the details of the Rove Digital takedown we described in our white paper, which can be downloaded here:

    Some media outlets dubbed July 9, 2012 as Internet doomsday. July 9 has passed and it looks like that doomsday prediction did not come true, just like any other doomsday announced by mortals happens to be a non-event.

    However, let me point out that although doomsday did not have massive repercussions, this doesn’t say that there was no damage done.

    300,000 computers (others estimate it at about 500,000) going offline worldwide may not have any measurable effect, but loss of productivity and computer repair costs are real concerns. This might even translate to millions of dollars. Let me be clear, though: Rove Digital is responsible for this damage, not the FBI, nor any other party. Since the victims are spread all over the world, we do not expect to hear complaints. Moreover, a lot of the large ISPs in the US and Canada have carefully prepared for this Internet doomsday. Some of these ISPs have been very successful with cleaning up machines of infected customers, often with help of the DNS Changer Working Group (DCWG). Trend Micro is one of the first industry partners of DCWG, and the only AV vendor acting as a main contributor during the investigation period before the Rove Digital suspects were arrested in 2011. Later, companies like Google and Facebook joined. On a scale never seen before, both companies showed warning messages to their users who were infected with the DNS Changer malware.

    All the great work of DCWG helped to reduce the number of infections a lot, but the last 300,000 – 500,000 infected users somehow cannot be reached by Facebook, Google, and mainstream media around the world. This remains somewhat a mystery to me.

    Posted in Botnets, Malware | Comments Off on We Survived Internet Doomsday


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice