Friday, November 22, 2013

I'm calling this Goon Exploit Kit, for now

We started seeing this exploit kit in our systems on November 21st. It shares some characteristics with Redkit and the Dotcache exploit kit.

Cookiebomb injection on the compromised site redirects the victim to:

192.168.0.58 1044 173.237.187.203 80 GET 173.237.187.203 /cnt.php?id=786629 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

173.237.187.203 80 192.168.0.58 1044 301 text/html

The 301 bounces the victim over to:

Landing:
192.168.0.58 1046 192.185.32.90 80 GET vinnypedulla.com /2013/11/11/21/2013/downloader.php?page_seed=xhtml Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

192.185.32.90 80 192.168.0.58 1046 200 text/html

This is the JNLP (Java Web Start) bypass, delivered as an XML file. Note that the User-Agent has switched to the Java runtime's, which also tells the server exactly which JRE build is on the client (1.6.0_16 here).
192.168.0.58 1048 192.185.32.90 80 GET vinnypedulla.com /5/201311/browser.xml Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_16

192.185.32.90 80 192.168.0.58 1048 200 text/xml

CVE-2012-0507 (the AtomicReferenceArray type confusion), served as the JAR. Java 1.6.0_16 is well before the fix in 6 Update 31:
192.168.0.58 1048 192.185.32.90 80 GET application/x-java-archive vinnypedulla.com /5/201311/browser.jar Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_16

192.185.32.90 80 192.168.0.58 1048 200 application/java-archive

Payload:
192.168.0.58 1049 192.185.32.90 80 GET vinnypedulla.com /5/201311/014146.mp3 Java/1.6.0_16

192.185.32.90 80 192.168.0.58 1049 404 text/html

At the time of this investigation, the payload request returned a 404. This is the stage where the dropped executable would come down; note the Java runtime requesting a .mp3, which is a useful indicator in its own right.
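The chain above (browser hits the landing page, the JRE's own User-Agent then fetches an XML, a JAR, and finally a non-Java "media" file) is easy to pick out of proxy logs even when the exact URLs change. The following script is an added example, not VRT or Sourcefire code, that applies that heuristic to log lines laid out like the capture in this post. The sample log is constructed for the example (it mirrors the requests above, drops the Accept-type token from the JAR line, and adds an unrelated Java fetch to a hypothetical update host as a negative case); the extension list is an assumption about what a JRE should never download.

```python
"""Heuristic detection of the Goon EK infection chain from proxy-style logs.

Added example, not VRT/Sourcefire code.  Indicator chain taken from the
post: a Java-runtime User-Agent fetches an XML (JNLP bypass), then a JAR
(CVE-2012-0507), then a "payload" whose URI extension is not a Java
artefact (.mp3 in the post).  SAMPLE_LOG is constructed, not a capture.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
192.168.0.58 1044 173.237.187.203 80 GET 173.237.187.203 /cnt.php?id=786629 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
173.237.187.203 80 192.168.0.58 1044 301 text/html
192.168.0.58 1046 192.185.32.90 80 GET vinnypedulla.com /2013/11/11/21/2013/downloader.php?page_seed=xhtml Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
192.185.32.90 80 192.168.0.58 1046 200 text/html
192.168.0.58 1048 192.185.32.90 80 GET vinnypedulla.com /5/201311/browser.xml Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_16
192.185.32.90 80 192.168.0.58 1048 200 text/xml
192.168.0.58 1048 192.185.32.90 80 GET vinnypedulla.com /5/201311/browser.jar Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_16
192.185.32.90 80 192.168.0.58 1048 200 application/java-archive
192.168.0.58 1049 192.185.32.90 80 GET vinnypedulla.com /5/201311/014146.mp3 Java/1.6.0_16
192.185.32.90 80 192.168.0.58 1049 404 text/html
192.168.0.58 1050 203.0.113.10 80 GET jre-updates.example /update/deploy.properties Java/1.6.0_16
203.0.113.10 80 192.168.0.58 1050 200 text/plain
"""

JAVA_UA = re.compile(r"\bJava/\d")
# Assumed list: file types a JRE has no reason to download.  Kits hide the
# dropped EXE behind an innocuous extension (.mp3 in the post).
PAYLOAD_EXT = (".mp3", ".mp4", ".gif", ".jpg", ".jpeg", ".png", ".txt", ".pdf")


def parse_log(text):
    """Pair request lines with the next response on the same client port.

    Request:  client cport server sport METHOD host uri ua...
    Response: server sport client cport status content-type
    Sequential pairing handles keep-alive (two requests on port 1048 above).
    """
    pending, records = {}, []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[4] in ("GET", "POST"):
            rec = {"client": f[0], "cport": f[1], "server": f[2], "host": f[5],
                   "uri": f[6], "ua": " ".join(f[7:]), "status": None, "ctype": None}
            records.append(rec)
            pending[(f[2], f[0], f[1])] = rec          # (server, client, cport)
        elif len(f) >= 6 and f[4].isdigit():
            rec = pending.pop((f[0], f[2], f[3]), None)
            if rec is not None:
                rec["status"], rec["ctype"] = int(f[4]), f[5]
    return records


def classify(rec):
    """Map a request made by the Java runtime to a stage of the chain, else None."""
    if not JAVA_UA.search(rec["ua"]):
        return None
    path = rec["uri"].split("?", 1)[0].lower()
    if path.endswith(".xml") and rec["ctype"] == "text/xml":
        return "jnlp"
    if path.endswith(".jar"):
        return "jar"
    if path.endswith(PAYLOAD_EXT):
        return "payload"
    return None


def detect(log_text):
    """Alert per (client, host) that served a JAR and a disguised payload to the JRE.

    The payload stage is flagged even on a 404: the request itself is the
    indicator, as in the post where the payload was not yet available.
    """
    stages = defaultdict(dict)       # (client, host) -> {stage: (uri, status)}
    for rec in parse_log(log_text):
        stage = classify(rec)
        if stage:
            stages[(rec["client"], rec["host"])].setdefault(stage, (rec["uri"], rec["status"]))
    return [{"client": c, "host": h, "stages": seen}
            for (c, h), seen in stages.items() if "jar" in seen and "payload" in seen]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The unrelated Java fetch to the update host does not fire because no JAR and no disguised payload were requested from it; a real deployment would key on user or source address rather than host as well, since the update notes the URL structure is dynamic.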

I'll update this blog post as more information becomes available.

Update: After further research, it appears the structure of the URLs serving the JAR and JNLP files is dynamic in some way. However, we are now seeing this exploit kit drop a XOR'd ZeroAccess binary. Please ensure you have VRT rule SID 26524 enabled, as it detects the JWS bypass stage of this kit; in IPS mode it should stop the kit from working.
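The update says the kit now drops a XOR'd ZeroAccess binary. The script below is an added example, not VRT or Sourcefire code, of recovering the key from such a download when the encoding is a single-byte XOR (an assumption for the example; the post does not describe the key). It uses the PE header as known plaintext: every PE starts with "MZ", and the e_lfanew field at offset 0x3C points at the "PE\0\0" signature, so a candidate key can be derived from the first two bytes and then verified. The sample "binary" is constructed inline and is not real malware.

```python
"""Recover a single-byte XOR key from a dropped PE using header known plaintext.

Added example, not VRT/Sourcefire code.  Single-byte XOR is an assumption;
the post only says the ZeroAccess binary is XOR'd.  The sample PE-shaped
blob below is constructed for the example and contains no real code.
"""
import struct

DOS_STUB = b"This program cannot be run in DOS mode."


def build_fake_pe():
    """Constructed minimal PE-shaped sample: DOS header, stub text, PE signature."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)              # DOS header up to 0x3C
    hdr += struct.pack("<I", e_lfanew)                    # e_lfanew at 0x3C
    hdr += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21" + DOS_STUB
    hdr += b"\x00" * (e_lfanew - len(hdr))                # pad to e_lfanew
    hdr += b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 0x40   # signature, Machine=i386
    return bytes(hdr)


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def candidate_key(blob):
    """Derive the key from the 'MZ' known plaintext.

    Both leading bytes must yield the same key; if they disagree the
    encoding is not a single-byte XOR and we return None.
    """
    if len(blob) < 0x40:
        return None
    k0, k1 = blob[0] ^ ord("M"), blob[1] ^ ord("Z")
    return k0 if k0 == k1 else None


def verify_key(blob, key):
    """Check MZ, the DOS stub text and a PE signature at e_lfanew after decoding."""
    dec = xor_bytes(blob[:4096], key)       # header region is enough to verify
    if len(dec) < 0x40 or dec[:2] != b"MZ" or DOS_STUB not in dec:
        return False
    e_lfanew = struct.unpack_from("<I", dec, 0x3C)[0]
    return dec[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(blob):
    """Return the single-byte key (0 means the blob is already a plain PE), or None."""
    key = candidate_key(blob)
    if key is not None and verify_key(blob, key):
        return key
    # Fallback brute force in case the first bytes were prefixed or stomped.
    for k in range(256):
        if verify_key(blob, k):
            return k
    return None


if __name__ == "__main__":
    encoded = xor_bytes(build_fake_pe(), 0x5A)
    print("recovered key:", recover_key(encoded))
```

If recover_key returns None the sample is not a single-byte XOR of a PE (a multi-byte or rolling key, or no PE at all), which is exactly the case an analyst wants surfaced rather than silently "decoded".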

Update 2: Added some clarification around the Cookiebomb redirection. Detected 60 installs of this yesterday.

Tuesday, November 12, 2013

Microsoft Update Tuesday November 2013: Hyper-V vulnerability and fix for 0-day

We have a relatively light Update Tuesday this month: 8 bulletins covering 19 CVEs, 3 of which are marked critical. The most interesting vulnerability this month is actually among the non-critical ones: a vulnerability in Hyper-V (MS13-092). We're also getting a fix for a 0-day vulnerability in an ActiveX control (MS13-090).

As always there's the requisite critical IE bulletin (MS13-088), this time covering ten CVEs. The vulnerabilities span the range of IE releases from 6 through 11 and cover the usual suspects: use-after-free and information disclosure vulnerabilities.

The next critical bulletin (MS13-089) is for the Windows Graphics Device Interface (GDI), where a malicious embedded BMP can result in remote code execution (CVE-2013-3940). The likely attack vector is a Windows Write (WordPad) document with the BMP embedded, which triggers the overflow when opened.

MS13-090, the final critical bulletin, provides a fix for a 0-day vulnerability (CVE-2013-3918) that is seeing limited exploitation in the wild. The vulnerability exists in the "InformationCardSigninHelper" ActiveX control, where an out-of-bounds access can occur on a deleted array, potentially allowing an attacker to execute arbitrary code. Microsoft has a short discussion of this vulnerability and a second information disclosure vulnerability in a blog post.

There are three vulnerabilities in Office (MS13-091), related to the handling of WordPerfect documents that can result in remote code execution when exploited. The vulnerabilities result in stack-based buffer overflows when Word tries to convert WordPerfect documents containing an invalid number of CSTYL elements.

The next bulletin (MS13-092) covers a vulnerability (CVE-2013-3898) in Hyper-V, Microsoft’s hypervisor. The vulnerability can result in an escalation of privilege because it can allow an attacker to run code from one virtual machine in the context of another. A failed attack can result in a denial of service.

An information disclosure vulnerability (CVE-2013-3887) exists in the Windows Ancillary Function Driver, afd.sys (MS13-093), where an attacker could use a guest account to run a malicious binary that discloses information from other accounts.

Outlook (MS13-094) has an interesting information disclosure vulnerability (CVE-2013-3905), where an attacker can send a user an S/MIME email that, when parsed by Outlook, sends information about the internal network back to the attacker.

MS13-095 covers a single vulnerability (CVE-2013-3869) in .NET's parsing of XML digital signatures. It is triggered by a malicious PFX file passed in as an X.509 certificate, causing a denial of service.


We are releasing rules SID 28489-28492, 28494-28524 to address these issues.