In a previous blog post I wrote about an increase in attacks against a vulnerability that was, at the time, unpatched. Microsoft patched it on July 13 (MS10-042 / KB2286198, CVE-2010-1885), which does not mean that people have stopped trying to own unpatched machines.

goodgirlsbadguys.com (213.155.12.144) is a domain registered on July 19 2010 with a registrant address listed in Cambodia. Visiting a particular page on that domain (trust me and don't go there: despite the name there is nothing juicy on this domain except pwnage) returns a URL as part of an iframe. Microsoft Help and Support Center is then invoked with a few parameters, one of which is the URL obtained earlier:

[Image: KB2286198_help_center_command_line]
Pic.1: Help and Support Center

Notice the keyword "crimepack" in the hcp:// request, a marker of the Crimepack exploit kit.

In a randomly named file (in this case "bat.vbsautba") in C:\Documents and Settings\user\Local Settings\Temp, the following HTML can be found:

[Image: KB2286198_dropped_file.png]
Pic.2: Dropped file with random name

Later, cmd.exe is invoked with the following parameters:

[Image: KB2286198_cmd_exe.png]
Pic.3: cmd.exe called to run the script...and kill Windows Media Player

The script that is executed is called D.vbs:

[Image: KB2286198_wscript_exe.png]
Pic.4: D.vbs

Snort detects this Windows Help Center escape sequence cross-site scripting attempt with SID 16665:

08/09-11:26:49.588645  [**] [1:16665:3] WEB-CLIENT Microsoft Windows Help Centre escape sequence XSS attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 213.155.12.144:80 -> 10.11.250.196:1076
08/09-11:26:49.588645 0:1E:13:F0:2E:19 -> 0:C:29:21:50:D5 type:0x8100 len:0x59E
213.155.12.144:80 -> 10.11.250.196:1076 TCP TTL:59 TOS:0x0 ID:11527 IpLen:20 DgmLen:1420 DF

ClamAV has you covered as well, with the signature BC.Exploit.CVE_2010_1885.
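For readers who want to hunt for this in their own web logs or proxy captures, here is an added example (not code from the post, Snort, or ClamAV) of the check that the "escape sequence XSS" detection is built around. It assumes the public description of CVE-2010-1885: a malformed percent escape (a "%" not followed by two hex digits) in an hcp:// URL slips past Help Center's whitelist check, and the attacker then lands on a help page whose parameter is reflected into script. The sysinfomain.htm target and the svr parameter come from the public advisory, not from the screenshots above; the two HTML pages are constructed samples, and the "crimepack" marker is the string observed in the hcp:// request in Pic.1.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Any hcp:// URI, up to whitespace or an HTML delimiter.
HCP_URI_RE = re.compile(r'hcp://[^\s"\'<>]+', re.IGNORECASE)
# A well-formed escape is '%' plus two hex digits; anything else is malformed.
# The CVE-2010-1885 whitelist bypass relies on Help Center accepting such escapes.
MALFORMED_ESCAPE_RE = re.compile(r'%(?![0-9A-Fa-f]{2})')
SCRIPT_TAG_RE = re.compile(r'<\s*script', re.IGNORECASE)
# Low-confidence indicator: the kit name seen in the hcp:// request in the post.
KIT_MARKERS = ("crimepack",)


def analyze_hcp_uri(uri):
    """Return a list of findings for one hcp:// URI; an empty list means nothing suspicious."""
    findings = []
    malformed = MALFORMED_ESCAPE_RE.findall(uri)
    if malformed:
        findings.append("malformed_escapes=%d" % len(malformed))
    # parse_qs already percent-decodes once; unquote again to catch double encoding.
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            decoded = unquote(value)
            if SCRIPT_TAG_RE.search(decoded):
                findings.append("script_in_param=%s" % name)
            if decoded.lower().startswith("hcp://"):
                # A nested hcp:// URI is how the exploit redirects into a system help page.
                findings.append("nested_hcp_in_param=%s" % name)
    for marker in KIT_MARKERS:
        if marker in uri.lower():
            findings.append("kit_marker=%s" % marker)
    return findings


def scan_document(text):
    """Scan HTML/JS text and return {uri: findings} for every flagged hcp:// URI."""
    results = {}
    for uri in HCP_URI_RE.findall(text):
        findings = analyze_hcp_uri(uri)
        if findings:
            results[uri] = findings
    return results


# Constructed samples (assumption: not the blog post's captured traffic).
BENIGN_PAGE = (
    '<a href="hcp://services/subsite?node=Unknown'
    '&topic=MS-ITS%3Antdef.chm%3A%3A/home.htm">Help</a>'
)
MALICIOUS_PAGE = (
    '<html><body><iframe src="hcp://services/search?query=crimepack'
    '&topic=hcp://system/sysinfo/sysinfomain.htm' + '%A%' * 24 +
    '&svr=%3Cscript%20defer%3Ealert(1)%3C/script%3E"'
    ' width="0" height="0"></iframe></body></html>'
)

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("malicious", MALICIOUS_PAGE)):
        for uri, findings in scan_document(page).items():
            print(label, uri[:60] + "...", findings)
```

The malformed-escape count is the strongest signal: a legitimate Help Center link never needs a bare "%", while the exploit pads the nested URI with dozens of them. The script and kit-marker checks are weaker, easily changed by the attacker, and are there to raise confidence rather than to be relied on alone.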