Wednesday, February 18, 2009

MS09-002 in the wild

Yesterday we came across a website taking advantage of a programming error in Internet Explorer that allows a remote attacker to execute code on a vulnerable system. Microsoft issued an advisory (MS09-002) on February 10, 2009 and released a patch the same day to mitigate the problem. We released same-day coverage for this and other vulnerabilities (see this blog post). The SANS ISC reported this activity in yesterday's handler's diary.

The webpage exploiting MS09-002 is on the domain of the Morning Sun (Tianjin) Int'l Trading Co., Ltd, a company based in China. Upon visiting the compromised page with Internet Explorer 7 on a vulnerable machine, a malicious script is executed, which in turn downloads an executable onto the system before crashing the web browser. Using the Sourcefire VRT Certified rules released for this issue, Snort generates events on this script as seen below:

Pic.1: Internet Explorer object clone deletion memory corruption attempt (Snort alert for MS09-002)
Additionally, ClamAV detects the downloaded file as Trojan.Rincux-2. This Trojan is a dropper that will create winnet.dll (detected as Trojan.Rincux-3) in the %SystemRoot%\system32 folder and change the registry to include the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\System DllName = "%System%\winnet.dll"

This causes winnet.dll to be installed as a Winlogon notification package. A Winlogon notification package is a DLL that exports functions that handle Windows logon events, so Winlogon loads the DLL at every logon, giving the malware persistence. This malicious DLL, in turn, makes outbound requests to jiaozhu100.9966.org.

There's more to come on this issue. Keep an eye on this blog.

UPDATE:

As of 11AM EST on Feb 19, 2009, another Chinese website is leveraging MS09-002 to push malware to victims. This time it is the website for the Taiwanese company Hwa Jiang International Co. Ltd. The exploit is similar to the one found on Morning Sun's website. The difference here is that the piece of malware being pushed to the user's computer has the filename WinUpdter.exe. This file is located in the %temp% folder and survives a reboot because the malware creates the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run WindowsUpdater = "C:\DOCUME~1\[USERNAME]\LOCALS~1\Temp\WinUpdter.exe"

Note how the value name "WindowsUpdater" for the "Run" key is chosen to look Microsoft-like so that it does not appear suspicious to someone inspecting the registry. WinUpdter.exe is packed with NPack and is a Trojan that attempts to contact 61.219.xxx.xxx to download data. Sourcefire VRT Certified rules alert on the exploit, while ClamAV detects WinUpdter.exe as Trojan.Downloader-68058.
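Both persistence mechanisms described in this post (the Winlogon notification package from the first sample and the Run entry launching from the Temp folder from the second) can be hunted for in a registry export. The following is an added example written for this post, not Sourcefire or ClamAV code: it parses a constructed .reg-style export containing entries modelled on the two keys above (the Run key is written with its full Software\Microsoft\Windows\CurrentVersion\Run path) and flags the suspicious ones; the baseline list of benign notification DLLs is an assumption to be replaced with values from a known-clean image.

```python
import re

# Constructed sample of a registry export (.reg format) modelled on the two
# persistence entries described in the post. Not a real capture.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\System]
"DllName"="%System%\\winnet.dll"
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdater"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\WinUpdter.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Assumed baseline of notification DLLs shipped with the OS; adjust per image.
KNOWN_NOTIFY_DLLS = {'crypt32.dll', 'cryptnet.dll', 'cscdll.dll', 'sclgntfy.dll', 'wlnotify.dll'}

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: string_data}}.
    Only REG_SZ values ("name"="data") are kept; dword/hex values are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                # .reg escapes each backslash as "\\"; unescape for path checks.
                keys[current][m.group('name')] = m.group('data').replace('\\\\', '\\')
    return keys

def find_persistence(keys):
    """Return (key, value_name, data, reason) for Winlogon notification packages
    outside the baseline and for Run entries that execute from a Temp folder."""
    hits = []
    for key, values in keys.items():
        lower = key.lower()
        if '\\winlogon\\notify\\' in lower and 'DllName' in values:
            dll = values['DllName']
            if dll.split('\\')[-1].lower() not in KNOWN_NOTIFY_DLLS:
                hits.append((key, 'DllName', dll, 'unknown Winlogon notification package'))
        elif lower.endswith('\\currentversion\\run'):
            for name, data in values.items():
                if re.search(r'\\temp\\|%temp%', data, re.IGNORECASE):
                    hits.append((key, name, data, 'Run entry executing from Temp'))
    return hits

if __name__ == '__main__':
    for hit in find_persistence(parse_reg(SAMPLE_REG)):
        print(hit)
```

Run against a real `reg export HKLM ...` / `reg export HKCU ...` dump, the same two checks surface both of the persistence keys described above.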

UPDATE #2:

We grabbed the MS Internet Explorer 7 Memory Corruption proof of concept exploit from milw0rm.com and tested it against the Sourcefire VRT Certified rules. The rules alert on the exploit.

2 comments:

  1. I've downloaded VRT rule set 2009-02-10 and just couldn't find the rule sid 15304 in web-client.rules. Where is this rule?

  2. The rule is a shared object rule and can be found in the so_rules directory of the rule tarball. Take a look at the post on Using VRT Certified Shared Object Rules.
