Full disclousure deep technical analisys below. Beware !!!

Jan 21, 2010

IE 0day CVE-2010-0249 – Updated Overview

Slowly the truth is cooming out…
The IE 0day vulnerability has been used in two scenario till now.

In first time for a targetted & silent attack against many worldwide companies finalized to intellectual properties stealing in operation “Aurora” through set up of Trojan.Hydraq bots (http://www.symantec.com/connect/blogs/trojanhydraq-incident).

Nowadays after the vuln became public, it’s going to be widely used for common malware spreading to the Mass (http://extraexploit.blogspot.com/2010/01/cve-2010-0249-in-wild-xx2228866org-and.html).

A quickly compare show that:

- IE exploitation was in both case based on heavily-encrypted javascript exploit. Aurora’s “yellow” boys probably targetted employers and public known mail accounts with fake&but trustable social engineered e-mail, convincing them to go on first malicious hosting site. Instead “scrounger” malguys are now injecting malicious iframe in “high contact volume” forum and website.

- Shellcode used was similar: Yellows code COMELE cause a connection to demo1.ftpaccess.cc/demo/ad.jpg downloading a malicious, XOR-encrypted binary that is detect as Trojan.Hydraq/Roarur.dr.
This file is saved to %Application Data%\a.exe, such as "C:\Documents and Settings\User\Application Data\a.exe".  A.exe is decrypted to b.exe in the same directory and executed.
decrypt1 decrypt2

It seems that Scroungers just take SC from Comele used in “Aurora” and modified it, changing 2nd stage download URL and removing its decrypting code.

Code from Comele
Modified actual code (an absolute JMP overwrite a conditional jnz and bypass piece of code – 2nd stage decrypt - unusefull to Scroungers)

So modified code simply donwload a malicious binary, saving it as "C:\Documents and Settings\User\Application Data\f.exe” and execute it.

- 2nd stage malware is obviously quite different: Trojan.Hydraq / Roarur  in first case; two version (down.css and log.css) of a generic malware in the second.

Virustotal Trend

2010.01.19 (UTC)
2010.01.20 (UTC)
2010.01.21 (UTC)

IE exploit
2nd stage malware
3rd stage malware
Operation Aurora
supposed social engineered targetted email
/ Roarur.dr
(XOR Crypted)
IE CVE-2010-0249 Exploiting the mass…
injected iframe in forum/website
Modified Comele
Generic Trojan

No comments:

Post a Comment