Full disclosure: deep technical analysis below. Beware!!!

Jan 20, 2010

IE 0day CVE-2010-0249 – Exploiting the mass… – Part 1

Now that the IE DOM exploit details are well known, malguys are widely deploying exploiters all around.

Related malicious exploiter URLs (see also extraexploit, CVE-2010-0249 in the wild - xx222.8866.org and others – part 0), usually inserted as an iframe into high-volume sites (blogs, forums, etc.):

| Working | Exploiter URL (.html) | Expl. Related URL (.jpg) | 2nd stage URL |
|---|---|---|---|
| NO | 66cc.7766.org:2988/dz/ie.html | 66cc.7766.org:2988/dz/what.jpg | systemxp.3322.org:8277/down.css |
| YES | xx222.8866.org:2988/dz/ie.html | xx222.8866.org:2988/dz/what.jpg | tempxxp.3322.org:8277/down.css |
| YES | 201003.8866.org:2988/log/ie.html | 201003.8866.org:2988/log/what.jpg | tempxxp.3322.org:8277/log.css |
| YES | wwaa4.7766.org:2988/log/ie.html | wwaa4.7766.org:2988/log/what.jpg | teepsnp.3322.org:8277/log.css |
| YES | 22cc.8866.org:2988/dz/ie.html | 22cc.8866.org:2988/dz/what.jpg | teepsnp.3322.org:8277/down.css |

MD5 Compare

| Exploiter URL | ie.html (MD5 HASH) | Size (Bytes) | what.jpg (MD5 HASH) | Size (Bytes) |
|---|---|---|---|---|
| 66cc.7766.org | na | - | na | - |
| xx222.8866.org | 14CE646C72DF3D3D30D661CB89F528B5 | 2,183 | F0EF5D9E4D68E0E72FF9DBFE6D4D8357 | 3,838 |
| 201003.8866.org | 14CE646C72DF3D3D30D661CB89F528B5 | 2,183 | F0819E94BC650D675B78322C26DDC92D | 3,830 |
| wwaa4.7766.org | 14CE646C72DF3D3D30D661CB89F528B5 | 2,183 | F0819E94BC650D675B78322C26DDC92D | 3,830 |
| 22cc.8866.org | 14CE646C72DF3D3D30D661CB89F528B5 | 2,183 | F0EF5D9E4D68E0E72FF9DBFE6D4D8357 | 3,838 |

WEPAWET

| Exploiter URL | ie.html (MD5 HASH) | what.jpg (MD5 HASH) | WEPAWET First analysis |
|---|---|---|---|
| xx222.8866.org | 14CE646C72DF3D3D30D661CB89F528B5 | F0EF5D9E4D68E0E72FF9DBFE6D4D8357 | 2010-01-19 16:37:47 |
| wwaa4.7766.org | 14CE646C72DF3D3D30D661CB89F528B5 | F0819E94BC650D675B78322C26DDC92D | 2010-01-20 05:40:54 |
| 22cc.8866.org | 14CE646C72DF3D3D30D661CB89F528B5 | F0EF5D9E4D68E0E72FF9DBFE6D4D8357 | 2010-01-20 06:03:05 |

2nd STAGE MALWARE

| Filename | Size (Bytes) | MD5 Hash | AV Detection |
|---|---|---|---|
| down.css | 88,576 | 50F263B382E85F8A20A1A27638F5B154 | VirusTotal 27/41 (2010.01.19 12:42:46) |
| log.css | 88,576 | 5409DC21AB0F60989C349EAEF307AB31 | VirusTotal 22/40 (2010.01.18 22:43:54) |

Common Search Strings

*.org:2988/*/ie.html
*.org:2988/*/what.jpg
*p.3322.org:8277/*down.css
*p.3322.org:8277/*log.css
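The search strings above are glob-style patterns for hunting in proxy or web-server logs. As an added example (not code from the original post), the following Python script matches the URL in each log line against those four patterns and looks a fetched file's MD5 up against the hashes in the tables above. It goes slightly beyond the post by stripping the URL scheme and lowercasing the host before matching. The log line format and the sample lines are constructed for this example; only the patterns and hashes come from the post.

```python
import fnmatch
import hashlib
import re

# Search strings from the post, used as shell-style globs against host:port/path.
# Note that fnmatch's '*' also crosses '/', so the patterns match deeper paths too.
SEARCH_STRINGS = [
    "*.org:2988/*/ie.html",
    "*.org:2988/*/what.jpg",
    "*p.3322.org:8277/*down.css",
    "*p.3322.org:8277/*log.css",
]

# MD5 hashes taken from the post's tables, lowercased for lookup.
KNOWN_MD5 = {
    "14ce646c72df3d3d30d661cb89f528b5": "ie.html (exploiter page)",
    "f0ef5d9e4d68e0e72ff9dbfe6d4d8357": "what.jpg (variant seen at xx222/22cc, 3,838 bytes)",
    "f0819e94bc650d675b78322c26ddc92d": "what.jpg (variant seen at 201003/wwaa4, 3,830 bytes)",
    "50f263b382e85f8a20a1a27638f5b154": "down.css (2nd stage)",
    "5409dc21ab0f60989c349eaef307ab31": "log.css (2nd stage)",
}

# Constructed sample proxy log: "<epoch> <client ip> <method> <url> <status>".
SAMPLE_LOG = [
    "1263916667.103 10.0.0.12 GET http://www.example-forum.invalid/thread/123 200",
    "1263916667.251 10.0.0.12 GET http://xx222.8866.org:2988/dz/ie.html 200",
    "1263916667.390 10.0.0.12 GET http://xx222.8866.org:2988/dz/what.jpg 200",
    "1263916668.012 10.0.0.12 GET http://tempxxp.3322.org:8277/down.css 200",
    "1263916670.555 10.0.0.33 GET http://cdn.example.invalid/static/ie.html 200",
]


def normalize_url(url):
    """Drop the scheme and lowercase the host so the globs see host:port/path."""
    url = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip(), flags=re.IGNORECASE)
    host, sep, path = url.partition("/")
    return host.lower() + sep + path


def match_url(url):
    """Return the first search string the URL matches, or None."""
    target = normalize_url(url)
    for pattern in SEARCH_STRINGS:
        if fnmatch.fnmatchcase(target, pattern):
            return pattern
    return None


def scan_log(lines):
    """Return (line_no, url, pattern) for every log line whose URL hits a search string."""
    hits = []
    for number, line in enumerate(lines, 1):
        for token in line.split():
            if token.lower().startswith(("http://", "https://")):
                pattern = match_url(token)
                if pattern:
                    hits.append((number, token, pattern))
                break  # one URL per line in this constructed format
    return hits


def check_md5(data):
    """MD5 a fetched body and return (digest, label) where label is None if unknown."""
    digest = hashlib.md5(data).hexdigest()
    return digest, KNOWN_MD5.get(digest)


if __name__ == "__main__":
    for number, url, pattern in scan_log(SAMPLE_LOG):
        print(f"line {number}: {url}  <- {pattern}")
    digest, label = check_md5(b"constructed placeholder body")
    print(f"md5 {digest}: {label or 'not in the post hash list'}")
```

Feed real log lines in place of SAMPLE_LOG; a hit on the ie.html or what.jpg pattern followed by a .css fetch from the :8277 host is the full chain described in the tables above and is worth pulling the client for inspection.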

It seems there are two exploiters that reference different 2nd stage malware. Have fear..

0xFF
