IE 0day CVE-2010-0249 – Blocking and Tracking

Here are some suggested action to Block and Track the initial use of CVE-2010-0249 in “Operation Aurora” and the current use in exploiting the Mass (thx to Extraexploit for additional one).
Operation Aurora Domain List

• yahooo.8866.org
• sl1.homelinux.org
• 360.homeunix.com
• li107-40.members.linode.com
• ftp2.homeunix.com
• update.ourhobby.com
• blog1.servebeer.com

CVE-2010-0249 exploiting the Mass
Proxy Filtering and DNS Query Tracking (Exact and less restrictive)
… exploiter & 2nd stage hosting domain list

• 201003.3322.org
• systemxp.3322.org
• tempxxp.3322.org
• teepsnp.3322.org
• mxdo102.3322.org
• 201003.6600.org
• 66cc.7766.org
• wwaa4.7766.org
• 201002.7766.org
• 22ee.8866.org
• 22cc.8866.org
• 201003.8866.org
• xx222.8866.org
• www.ms8.cc
• www.babooa562.com
• ssun.dddwfft.com NEW
• www.fenghuashi.com
• a05.xfbfgw.com
• news.21npc.com
• www.qvodcom1.com
• h.d5d3.com
• ff.c5c3.com
• club.9istyle.com
• www.tsqzsb.cn
• www.fsus.cn
• malegebi251.21sys21.cn
• googleie2.23sys23.cn
• qqqqqqqqqqqqqqqqqqqbv.24sys24.cn
• www.latax.gov.cn
• vbdf23.xicp.cn NEW
• bbb.nba1001.net
• www.ynew.net
• we55.qq88.in NEW
• we22.qq88.in NEW
• bb55.qq66.in NEW
• 99.qq66.in NEW

Proxy Filtering and DNS Query Tracking (Wide and more restrictive – can block new one)
… exploiter & 2nd stage hosting

• *.3322.org
• *.6600.org
• *.7766.org
• *.8866.org

or better

• REGEXP .*\.\d{4}\.org.*

and

• *ms8.cc
• *.babooa562.com
• *.fenghuashi.com
• *.xfbfgw.com
• *.21npc.com
• *.9istyle.com
• *.qvodcom1.com
• *.d5d3.com
• *.c5c3.com
• *.dddwfft.com NEW
• *.tsqzsb.cn
• *.21sys21.cn
• *.23sys23.cn
• *.24sys24.cn NEW
• *.fsus.cn
• *.latax.gov.cn
• *.xicp.cn NEW
• *.nba1001.net
• *.ynew.net
• *.qq88.in NEW
• *.qq66.in NEW

Updated 28/1/2010 18.00 GMT+1 

IE 0day CVE-2010-0249 – Exploiting the mass… – Part 1 UPDATE

A new hosting site in the wild, with a new 2nd stage malware (different MD5)

Working	Exploiter URL (.html)	Expl. Related URL (.jpg)	2nd stage URL
YES	201003.6600.org:2988/log/ie.html	201003.6600.org:2988/log/What.jpg	http://stemip.3322.org:8277/log.css

 MD5 Compare

Exploiter URL	ie.html (MD5 HASH)	Size (Bytes)	what.jpg (MD5 HASH)	Size (Bytes)
201003.6600.org	14CE646C72DF3D3D30D661CB89F528B5	2,183	984459565D0E229797CBBBD2B1ACBB50	3,830

WEPAWET

Exploiter URL	what.jpg (MD5 HASH)	WEPAWET First analysis
201003.6600.org	984459565D0E229797CBBBD2B1ACBB50	2010-01-21 03:55:48

2nd STAGE MALWARE

Filename	Size (Bytes)	MD5 Hash	AV Detection
log.css	90,624	FE7F4A557697E0F3D1D87B09218A2BE3	26/41

Common Search String (unchanged)

*.org:2988/*/ie.html
*.org:2988/*/what.jpg
*p.3322.org:8277/*down.css
*p.3322.org:8277/*log.css

All the other related site here http://whsbehind.blogspot.com/2010/01/ie-0day-cve-2010-0249-exploiting-mass.html

IE 0day CVE-2010-0249 – Updated Overview

Slowly the truth is cooming out…
The IE 0day vulnerability has been used in two scenario till now.

In first time for a targetted & silent attack against many worldwide companies finalized to intellectual properties stealing in operation “Aurora” through set up of Trojan.Hydraq bots (http://www.symantec.com/connect/blogs/trojanhydraq-incident).

Nowadays after the vuln became public, it’s going to be widely used for common malware spreading to the Mass (http://extraexploit.blogspot.com/2010/01/cve-2010-0249-in-wild-xx2228866org-and.html).

A quickly compare show that:

- IE exploitation was in both case based on heavily-encrypted javascript exploit. Aurora’s “yellow” boys probably targetted employers and public known mail accounts with fake&but trustable social engineered e-mail, convincing them to go on first malicious hosting site. Instead “scrounger” malguys are now injecting malicious iframe in “high contact volume” forum and website.

- Shellcode used was similar: Yellows code COMELE cause a connection to demo1.ftpaccess.cc/demo/ad.jpg downloading a malicious, XOR-encrypted binary that is detect as Trojan.Hydraq/Roarur.dr.

This file is saved to %Application Data%\a.exe, such as "C:\Documents and Settings\User\Application Data\a.exe".  A.exe is decrypted to b.exe in the same directory and executed.


It seems that Scroungers just take SC from Comele used in “Aurora” and modified it, changing 2nd stage download URL and removing its decrypting code.

Code from Comele
 
Modified actual code (an absolute JMP overwrite a conditional jnz and bypass piece of code – 2nd stage decrypt - unusefull to Scroungers)
 

So modified code simply donwload a malicious binary, saving it as "C:\Documents and Settings\User\Application Data\f.exe” and execute it.


- 2nd stage malware is obviously quite different: Trojan.Hydraq / Roarur  in first case; two version (down.css and log.css) of a generic malware in the second.

Virustotal Trend

Filename	2010.01.19 (UTC)	2010.01.20 (UTC)	2010.01.21 (UTC)
down.css	27/41	30/41	30/40
log.css	22/40	30/41	32/41

SUMMARY

Threat	IE exploit	Shellcode	2nd stage malware	3rd stage malware
Operation Aurora	supposed social engineered targetted email	Comele	Trojan.Hydraq / Roarur.dr (XOR Crypted)	Trojan.Hydraq / Roarur.dll
IE CVE-2010-0249 Exploiting the mass…	injected iframe in forum/website	Modified Comele	Generic Trojan	na