Full disclosure deep technical analysis below. Beware!!!

Jan 22, 2010

IE 0day CVE-2010-0249 – Blocking and Tracking

Here are some suggested actions to block and track the initial use of CVE-2010-0249 in “Operation Aurora” and its current use in exploiting the masses (thanks to Extraexploit for the additional ones).
Operation Aurora Domain List
CVE-2010-0249 exploiting the Mass
Proxy Filtering and DNS Query Tracking (Exact and less restrictive)
… exploiter & 2nd stage hosting domain list

Proxy Filtering and DNS Query Tracking (Wide and more restrictive – can also block new ones)
… exploiter & 2nd stage hosting

  • *.3322.org
  • *.6600.org
  • *.7766.org
  • *.8866.org
or better
  • REGEXP .*\.\d{4}\.org.*

and, as wildcards, the remaining exploiter and 2nd stage hosting domains

Updated 28/1/2010 18.00 GMT+1 

Jan 21, 2010

IE 0day CVE-2010-0249 – Exploiting the mass… – Part 1 UPDATE

A new hosting site in the wild, with a new 2nd stage malware (different MD5)

Working | Exploiter URL (.html)            | Expl. Related URL (.jpg)          | 2nd stage URL
YES     | 201003.6600.org:2988/log/ie.html | 201003.6600.org:2988/log/What.jpg | http://stemip.3322.org:8277/log.css

MD5 Compare

Exploiter URL   | ie.html (MD5 HASH)               | Size (Bytes) | what.jpg (MD5 HASH)              | Size (Bytes)
201003.6600.org | 14CE646C72DF3D3D30D661CB89F528B5 | 2,183        | 984459565D0E229797CBBBD2B1ACBB50 | 3,830

WEPAWET

Exploiter URL   | what.jpg (MD5 HASH)              | WEPAWET First analysis
201003.6600.org | 984459565D0E229797CBBBD2B1ACBB50 | 2010-01-21 03:55:48

2nd STAGE MALWARE

Filename | Size (Bytes) | MD5 Hash                         | AV Detection
log.css  | 90,624       | FE7F4A557697E0F3D1D87B09218A2BE3 | 26/41

Common Search String (unchanged)

*.org:2988/*/ie.html
*.org:2988/*/what.jpg
*p.3322.org:8277/*down.css
*p.3322.org:8277/*log.css

All the other related sites are listed here: http://whsbehind.blogspot.com/2010/01/ie-0day-cve-2010-0249-exploiting-mass.html

IE 0day CVE-2010-0249 – Updated Overview

Slowly the truth is coming out…
The IE 0day vulnerability has been used in two scenarios so far.


First, in a targeted and silent attack against many companies worldwide, aimed at stealing intellectual property, in operation “Aurora”, through the set-up of Trojan.Hydraq bots (http://www.symantec.com/connect/blogs/trojanhydraq-incident).


Now, after the vuln became public, it is being widely used to spread common malware to the masses (http://extraexploit.blogspot.com/2010/01/cve-2010-0249-in-wild-xx2228866org-and.html).


A quick comparison shows that:


- IE exploitation was in both cases based on a heavily-encrypted JavaScript exploit. Aurora’s “yellow” boys probably targeted employees and publicly known mail accounts with fake but trustable social-engineered e-mails, convincing them to visit the first malicious hosting site. Instead, the “scrounger” malguys are now injecting malicious iframes into “high contact volume” forums and websites.

- The shellcode used was similar: the Yellows’ Comele code opens a connection to demo1.ftpaccess.cc/demo/ad.jpg, downloading a malicious, XOR-encrypted binary that is detected as Trojan.Hydraq/Roarur.dr.
[image: URL_get]
This file is saved to %Application Data%\a.exe, such as "C:\Documents and Settings\User\Application Data\a.exe". a.exe is decrypted to b.exe in the same directory and executed.
[images: decrypt1, decrypt2]

It seems that the Scroungers simply took the shellcode from the Comele exploiter used in “Aurora” and modified it, changing the 2nd stage download URL and removing its decryption code.


Code from Comele
[image: sc-unmodified]
Modified actual code (an absolute JMP overwrites a conditional JNZ and bypasses a piece of code, the 2nd stage decryption, which is useless to the Scroungers)
[image: sc-mass-modified]

So the modified code simply downloads a malicious binary, saves it as "C:\Documents and Settings\User\Application Data\f.exe” and executes it.
[image: sc-download]

- The 2nd stage malware is obviously quite different: Trojan.Hydraq / Roarur in the first case; two versions (down.css and log.css) of a generic malware in the second.

Virustotal Trend

Filename | 2010.01.19 (UTC) | 2010.01.20 (UTC) | 2010.01.21 (UTC)
down.css |                  |                  |
log.css  |                  |                  |

SUMMARY

Threat                                | IE exploit                                | Shellcode       | 2nd stage malware                       | 3rd stage malware
Operation Aurora                      | supposed social engineered targeted email |                 | Trojan.Hydraq / Roarur.dr (XOR Crypted) |
IE CVE-2010-0249 Exploiting the mass… | injected iframe in forum/website          | Modified Comele | Generic Trojan                          | na

Jan 20, 2010

IE 0day CVE-2010-0249 – Exploiting the mass… – Part 3

SHELLCODE STAGE

As usual the shellcode has a first-step decryption routine (a simple XOR)

[image: sc-decrypt]

followed by DLL loading and resolution of the external function addresses:

[image: sc-loadlib-getfuncaddr]

Then the 2nd stage malware is downloaded and stored in the special local path under the file name f.exe

[image: sc-download]

and is executed

[image: sc-createprocess]

IE 0day CVE-2010-0249 – Exploiting the mass… – Part 2

EXPLOITER STAGE

Let’s look at the exploiter..

The ie.html file that exploits the IE CVE-2010-0249 vulnerability

[image: exploit]

has an obfuscated piece in var sss

[image: ie.html-obf]

that, once decoded, reveals the deobfuscation steps needed to decode the external data in the what.jpg file (referenced by the variables AH01 to AH06)

[image: ie.html-decr]

to produce the working shellcode (here not yet unescaped):

[image: sc-decrypt]

IE 0day CVE-2010-0249 – Exploiting the mass… – Part 1

Now that the IE DOM exploit details are well known, malguys are widely deploying exploiters all around.

Related malicious exploiter URLs (check also extraexploit’s “CVE-2010-0249 in the wild - xx222.8866.org and others – part 0”), usually inserted as an iframe in high-volume sites (blogs, forums, etc.):

Working | Exploiter URL (.html)            | Expl. Related URL (.jpg)          | 2nd stage URL
NO      | 66cc.7766.org:2988/dz/ie.html    | 66cc.7766.org:2988/dz/what.jpg    | systemxp.3322.org:8277/down.css
YES     | xx222.8866.org:2988/dz/ie.html   | xx222.8866.org:2988/dz/what.jpg   | tempxxp.3322.org:8277/down.css
YES     | 201003.8866.org:2988/log/ie.html | 201003.8866.org:2988/log/what.jpg | tempxxp.3322.org:8277/log.css
YES     | wwaa4.7766.org:2988/log/ie.html  | wwaa4.7766.org:2988/log/what.jpg  | teepsnp.3322.org:8277/log.css
YES     | 22cc.8866.org:2988/dz/ie.html    | 22cc.8866.org:2988/dz/what.jpg    | teepsnp.3322.org:8277/down.css

MD5 Compare

Exploiter URL   | ie.html (MD5 HASH)               | Size (Bytes) | what.jpg (MD5 HASH)              | Size (Bytes)
66cc.7766.org   | na                               | -            | na                               | -
xx222.8866.org  | 14CE646C72DF3D3D30D661CB89F528B5 | 2,183        | F0EF5D9E4D68E0E72FF9DBFE6D4D8357 | 3,838
201003.8866.org | 14CE646C72DF3D3D30D661CB89F528B5 | 2,183        | F0819E94BC650D675B78322C26DDC92D | 3,830
wwaa4.7766.org  | 14CE646C72DF3D3D30D661CB89F528B5 | 2,183        | F0819E94BC650D675B78322C26DDC92D | 3,830
22cc.8866.org   | 14CE646C72DF3D3D30D661CB89F528B5 | 2,183        | F0EF5D9E4D68E0E72FF9DBFE6D4D8357 | 3,838

WEPAWET

Exploiter URL   | ie.html (MD5 HASH)               | what.jpg (MD5 HASH)              | WEPAWET First analysis
xx222.8866.org  | 14CE646C72DF3D3D30D661CB89F528B5 | F0EF5D9E4D68E0E72FF9DBFE6D4D8357 | 2010-01-19 16:37:47
wwaa4.7766.org  | 14CE646C72DF3D3D30D661CB89F528B5 | F0819E94BC650D675B78322C26DDC92D | 2010-01-20 05:40:54
22cc.8866.org   | 14CE646C72DF3D3D30D661CB89F528B5 | F0EF5D9E4D68E0E72FF9DBFE6D4D8357 | 2010-01-20 06:03:05

2nd STAGE MALWARE

Filename | Size (Bytes) | MD5 Hash                         | AV Detection
down.css | 88,576       | 50F263B382E85F8A20A1A27638F5B154 | Virus Total 27/41 (2010.01.19 12:42:46)
log.css  | 88,576       | 5409DC21AB0F60989C349EAEF307AB31 | Virus Total 22/40 (2010.01.18 22:43:54)

Common Search String

*.org:2988/*/ie.html
*.org:2988/*/what.jpg
*p.3322.org:8277/*down.css
*p.3322.org:8277/*log.css

It seems there are two exploiters that reference different 2nd stage malware. Have fear..

0xFF
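As an added example (not the author’s code), here is the wide DNS block/track tier from the Jan 22 post (the *.NNNN.org wildcards and the REGEXP alternative) together with the Common Search Strings above, applied to constructed DNS and proxy log lines; the sample lines are made up here, only the hostnames are taken from the posts.

```python
import re
from fnmatch import fnmatchcase

# Wide DNS tier from the Block and Track post: wildcard suffixes plus the
# author's alternative REGEXP .*\.\d{4}\.org.*
DNS_WILDCARDS = ["*.3322.org", "*.6600.org", "*.7766.org", "*.8866.org"]
DNS_REGEX = re.compile(r".*\.\d{4}\.org.*")
# "Common Search String" patterns from the Part 1 posts, for proxy URL logs.
URL_SEARCH_STRINGS = ["*.org:2988/*/ie.html", "*.org:2988/*/what.jpg",
                      "*p.3322.org:8277/*down.css", "*p.3322.org:8277/*log.css"]

def dns_match(qname):
    """Wildcard hit by a DNS query name, "REGEXP" if only the regex catches it, else None."""
    name = qname.rstrip(".").lower()
    for pat in DNS_WILDCARDS:
        if name.endswith(pat[1:]):      # "*.3322.org" -> ".3322.org"
            return pat
    # The posted regex is unanchored at the end, so it also flags names that
    # merely contain ".NNNN.org" somewhere (e.g. a.2010.org.example.net);
    # anchor it with $ if you only want the four-digit .org zones themselves.
    if DNS_REGEX.match(name):
        return "REGEXP"
    return None

def url_match(url):
    """First Common Search String a proxy-log URL matches, else None."""
    bare = re.sub(r"^https?://", "", url.strip().lower())
    for pat in URL_SEARCH_STRINGS:
        if fnmatchcase(bare, pat):      # fnmatch "*" also spans "/"
            return pat
    return None

def scan(lines, matcher):
    """Run a matcher over log lines and return (line, rule) for each hit."""
    return [(line, matcher(line)) for line in lines if matcher(line)]

# Constructed sample logs (not captured traffic); hostnames come from the posts.
SAMPLE_DNS = ["xx222.8866.org.", "stemip.3322.org", "www.example.com",
              "a.2010.org.example.net"]
SAMPLE_PROXY = ["http://201003.6600.org:2988/log/What.jpg",
                "http://stemip.3322.org:8277/log.css",
                "http://www.example.com/index.html"]

if __name__ == "__main__":
    for line, rule in scan(SAMPLE_DNS, dns_match) + scan(SAMPLE_PROXY, url_match):
        print("%-45s hit %s" % (line, rule))
```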

Jan 19, 2010

IE 0day CVE-2010-0249 - How to truly check if DEP is on for your IE??

As stated by Microsoft at http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-ie-0day-vulnerability.aspx, DEP can help mitigate the vulnerability’s impact. How do you check whether your IE is under DEP protection?

Simply use Sysinternals Process Explorer and enable the DEP column in the normal view.

Jan 15, 2010

IE 0day CVE-2010-0249 – The original source??

The CVE-2010-0249 exploiter Comele and Trojan.Hydraq have been found in the wild, supposedly involved in "Operation Aurora", the theft of intellectual property from top new-tech companies (Google, Adobe, Yahoo, Juniper..). The exploit makes use of a new IE 6, 7 and 8 0day vuln.
Any relationship with this... http://twitter.com/viciousf on the exploit for SALE?? A joke?? Or is a new, different threat just waiting for the best offer??

Make your own opinion...
0xFF