Full disclosure, deep technical analysis below. Beware!!!

Jan 21, 2010

IE 0day CVE-2010-0249 – Exploiting the mass… – Part 1 UPDATE

A new hosting site in the wild, serving a new 2nd-stage malware (different MD5).

Working   Exploiter URL (.html)              Expl. Related URL (.jpg)             2nd stage URL
YES       201003.6600.org:2988/log/ie.html   201003.6600.org:2988/log/What.jpg    http://stemip.3322.org:8277/log.css

MD5 Compare

Exploiter URL     ie.html (MD5 HASH)                 Size (Bytes)   what.jpg (MD5 HASH)                Size (Bytes)
201003.6600.org   14CE646C72DF3D3D30D661CB89F528B5   2,183          984459565D0E229797CBBBD2B1ACBB50   3,830

WEPAWET

Exploiter URL     what.jpg (MD5 HASH)                WEPAWET First analysis
201003.6600.org   984459565D0E229797CBBBD2B1ACBB50   2010-01-21 03:55:48

2nd STAGE MALWARE

Filename   Size (Bytes)   MD5 Hash                           AV Detection
log.css    90,624         FE7F4A557697E0F3D1D87B09218A2BE3   26/41

Common Search String (unchanged)

*.org:2988/*/ie.html
*.org:2988/*/what.jpg
*p.3322.org:8277/*down.css
*p.3322.org:8277/*log.css
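The search strings above are wildcard patterns meant to be run over proxy or web logs. As an added example (not code from the original post), the script below converts those exact patterns into case-insensitive glob matches and runs them over a few constructed proxy log lines (timestamp, client IP, method, URL; the log format and client addresses are assumptions for the example, not real traffic). Case normalisation matters because the post lists the same file as both What.jpg and what.jpg.

```python
import fnmatch
import re

# Search strings exactly as listed in the post.
SEARCH_STRINGS = [
    "*.org:2988/*/ie.html",
    "*.org:2988/*/what.jpg",
    "*p.3322.org:8277/*down.css",
    "*p.3322.org:8277/*log.css",
]

# Constructed proxy log lines (not real traffic): timestamp, client IP, method, URL.
SAMPLE_LOG = """\
1264046148.123 10.0.0.15 GET http://201003.6600.org:2988/log/ie.html
1264046150.456 10.0.0.15 GET http://201003.6600.org:2988/log/What.jpg
1264046152.789 10.0.0.15 GET http://stemip.3322.org:8277/log.css
1264046160.000 10.0.0.22 GET http://www.example.org/index.html
1264046161.000 10.0.0.22 GET http://cdn.example.org:2988/static/ie.html
"""

_URL_RE = re.compile(r"https?://(\S+)", re.IGNORECASE)


def normalize(url):
    """Strip the scheme and lowercase the rest so 'What.jpg' matches 'what.jpg'."""
    m = _URL_RE.match(url)
    target = m.group(1) if m else url
    return target.lower()


def match_line(line, patterns=SEARCH_STRINGS):
    """Return the first search string the line's URL matches, or None."""
    fields = line.split()
    if len(fields) < 4:
        return None
    url = normalize(fields[3])
    for pat in patterns:
        # fnmatch's '*' also crosses '/', which is what these patterns need.
        if fnmatch.fnmatchcase(url, pat.lower()):
            return pat
    return None


def scan_log(text, patterns=SEARCH_STRINGS):
    """Return a list of (client_ip, url, matched_pattern) for every hit."""
    hits = []
    for line in text.splitlines():
        pat = match_line(line, patterns)
        if pat:
            fields = line.split()
            hits.append((fields[1], fields[3], pat))
    return hits


if __name__ == "__main__":
    for client, url, pat in scan_log(SAMPLE_LOG):
        print(f"{client}  {url}  <- {pat}")
```

Note that the last sample line (cdn.example.org on port 2988) also fires: the search strings are deliberately broad, so every hit needs a quick look at the host before it is treated as a confirmed infection.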

All the other related sites are listed here: http://whsbehind.blogspot.com/2010/01/ie-0day-cve-2010-0249-exploiting-mass.html
