We observed a zero-day attack aimed at a Chinese high school webpage and leveraged the Microsoft XML Core Services vulnerability. This discovery came about just days after Microsoft released an advisory regarding the vulnerability. The perpetrators behind the attack compromised a high school entrance exam result page in Jiangsu, China, which is visited by about a million students, parents, and teachers who are eager to know the exam results.
Once users access this page, they are redirected to several sites until they reach http://vfi.{BLOCKED}b.com:89/2/ee.htm. This site hosts HTML_EXPLOYT.AE that exploits CVE-2012-1889 and leads to the downloading of malware onto users’ systems. As of this writing, the said webpage has been cleaned.
Analysis of the Exploit and Exploit-Hosting Site
Now, let’s take a look at the site http://vfi.{BLOCKED}b.com:89/2/ee.htm, which hosts the said exploit.
The screenshot below shows that site is designed to execute a heap spray – a similar technique used by most malware:
Below is the particular code that triggers the exploit:
As for the exploit itself, below are some of our findings.
The following code generates memory corruption, which causes Internet Explorer to crash. However, as mentioned in our previous blog entries, the Data Execution Prevention (DEP) present in IE 9 and 10 should prevent this.
Right after successfully executing memory corruption in Internet Explorer, the exploit then executes the shellcode. The screenshot below shows us how the exploit executes the shellcode, while the command line screenshot also shows us the execution via memory dump.
To know more about how HTML_EXPLOYT.AE exploits CVE-2012-1889, you may refer to our previous blog entries below:
- Technical Analysis of CVE-2012-1889 Exploit HTML_EXPLOYT.AE Part 1
- Technical Analysis of CVE-2012-1889 Exploit HTML_EXPLOYT.AE Part 2
- Technical Analysis of CVE-2012-1889 Exploit HTML_EXPLOYT.AE Part 3
Trend Micro users are protected from this threat via Smart Protection Network™, which blocks the malicious URLs related to this threat. Trend Micro file reputation service also detects and deletes the HTML_EXPLOYT.AE and the downloaded file. Deep Security and Officescan with IDF enabled prevent attacks exploiting CVE-2012-1889 via the rule 1005061- Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889). Furthermore, both Trend Micro Titanium Internet Security 2012 and upcoming 2013 version features an integrated BES (Browser Exploit Solution), which can detect the heapspray method without further pattern update.
For their part, Microsoft released a fix tool as a workaround solution for this vulnerability. In addition, today’s Patch Tuesday includes patches that resolves CVE-2012-1889 vulnerability.
