In a previous blog post I wrote about an increase in attacks against a vulnerability that was, at the time, unpatched. Microsoft patched it on July 13, which doesn't mean that people aren't still trying to own unpatched machines.
goodgirlsbadguys.com (213.155.12.144) is a domain registered on July 19, 2010 with a registrant address listed in Cambodia. Visiting a particular webpage on that domain (trust me and don't go there...despite the name there is nothing juicy on this domain except pwnage) returns a URL as part of an iframe. Microsoft Help and Support Center is then invoked with a few parameters, one of which is the URL obtained earlier:
Pic.1: Help and Support Center
Notice the use of the keyword "crimepack" in the hcp:// request.
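As an added example (not part of the original post), here is a small Python triage helper for the pattern described above: a web page handing the browser an hcp:// URI through an iframe. It pulls URI-bearing attributes out of captured HTML and reports any that use the hcp scheme or carry the "crimepack" keyword. The sample HTML is constructed with placeholder paths; it is not the page served by goodgirlsbadguys.com.

```python
"""Triage helper: flag hcp:// URIs embedded in captured HTML.

Added example, not code from the post. The sample HTML below is
constructed for illustration; the hcp:// path is a placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Attributes that make a browser fetch or navigate to a URI.
URI_ATTRS = {"src", "href", "data", "action"}
# Keyword the post observed inside the hcp:// request.
SUSPICIOUS_KEYWORDS = ("crimepack",)

# Constructed sample: a zero-size iframe that hands the hcp: handler a URL.
SAMPLE_HTML = """
<html><body>
<iframe src="hcp://EXAMPLE-PATH/search?query=crimepack&amp;topic=EXAMPLE" width="0" height="0"></iframe>
<a href="http://www.example.com/about.html">about</a>
<img src="/images/logo.png">
</body></html>
"""


class _UriCollector(HTMLParser):
    """Collect (tag, attribute, value) for every URI-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.uris = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name.lower() in URI_ATTRS:
                self.uris.append((tag.lower(), name.lower(), value.strip()))


def extract_uris(html):
    parser = _UriCollector()
    parser.feed(html)
    parser.close()
    return parser.uris


def classify_uri(tag, attr, uri):
    """Return a list of reasons this URI is suspicious (empty if benign)."""
    reasons = []
    scheme = urlsplit(uri).scheme.lower()
    if scheme == "hcp":
        reasons.append("hcp:// protocol handler invoked from web content")
        if tag == "iframe":
            reasons.append("loaded automatically via iframe, no user click needed")
    decoded = unquote(uri).lower()  # look past percent-encoding
    for keyword in SUSPICIOUS_KEYWORDS:
        if keyword in decoded:
            reasons.append(f"keyword {keyword!r} present in request")
    return reasons


def triage_html(html):
    """Return one finding per suspicious URI found in the HTML."""
    findings = []
    for tag, attr, uri in extract_uris(html):
        reasons = classify_uri(tag, attr, uri)
        if reasons:
            findings.append({"tag": tag, "attr": attr, "uri": uri, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_html(SAMPLE_HTML):
        print(finding["tag"], finding["attr"], finding["uri"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The check is deliberately scheme-based rather than signature-based: from a browser, there is no legitimate reason for a remote site to launch the local Help and Support Center at all, so any hcp:// URI in fetched content is worth an analyst's attention regardless of what the query string looks like.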
In a randomly named file (in this case, "bat.vbsautba" in c:\Documents and Settings\user\Local Settings\Temp) the following HTML can be found:
Pic.2: Dropped file with random name
Later, the command line utility is invoked with the following parameters:
Pic.3: cmd.exe called to run script...and kill Windows Media Player
The script that is executed is called D.vbs:
Pic.4: D.vbs
Snort detects this Windows Help Center escape sequence cross-site scripting attempt with sid 16665:
08/09-11:26:49.588645 [**] [1:16665:3] WEB-CLIENT Microsoft Windows Help Centre escape sequence XSS attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 213.155.12.144:80 -> 10.11.250.196:1076
08/09-11:26:49.588645 0:1E:13:F0:2E:19 -> 0:C:29:21:50:D5 type:0x8100 len:0x59E
213.155.12.144:80 -> 10.11.250.196:1076 TCP TTL:59 TOS:0x0 ID:11527 IpLen:20 DgmLen:1420 DF
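Added example (not from the post or from the Snort project): a Python parser for Snort full-format alert records like the one above. It turns the header line and the IP-header line into a dict so alerts can be correlated by SID and destination host, and summarises which internal clients had WEB-CLIENT rules fire on traffic sent to them. The sample record is the alert quoted in the post with its line breaks restored; keying the victim summary on the "WEB-CLIENT" message prefix is an assumption about rule naming.

```python
"""Parse Snort 'full' alert records and summarise affected client hosts.

Added example, not code from the post or from Snort. The sample record
is the alert quoted in the post, restored to its original line breaks.
"""
import re
from collections import defaultdict

# Header line of a Snort alert:
# MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [Classification: ...]
#   [Priority: n] {PROTO} src:port -> dst:port
HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z]+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
# IP-header line that follows the header in 'full' output.
IPHDR_RE = re.compile(
    r"TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)\s+ID:(?P<ipid>\d+)\s+"
    r"IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)"
)

# The alert from the post, one record (full-format records are separated by blank lines).
SAMPLE_ALERT_LOG = """\
08/09-11:26:49.588645 [**] [1:16665:3] WEB-CLIENT Microsoft Windows Help Centre escape sequence XSS attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 213.155.12.144:80 -> 10.11.250.196:1076
08/09-11:26:49.588645 0:1E:13:F0:2E:19 -> 0:C:29:21:50:D5 type:0x8100 len:0x59E
213.155.12.144:80 -> 10.11.250.196:1076 TCP TTL:59 TOS:0x0 ID:11527 IpLen:20 DgmLen:1420 DF
"""


def parse_alert_record(record):
    """Parse one multi-line record; return None if its header line does not match."""
    lines = [ln for ln in record.splitlines() if ln.strip()]
    if not lines:
        return None
    match = HEADER_RE.match(lines[0])
    if not match:
        return None
    alert = match.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        alert[key] = int(alert[key])
    # Pull TTL / IP ID / datagram length from the IP-header line if present.
    for line in lines[1:]:
        ip = IPHDR_RE.search(line)
        if ip:
            alert["ttl"] = int(ip.group("ttl"))
            alert["ipid"] = int(ip.group("ipid"))
            alert["dgmlen"] = int(ip.group("dgmlen"))
            break
    return alert


def parse_alert_log(text):
    """Split a full-format alert file on blank lines and parse every record."""
    records = re.split(r"\n\s*\n", text.strip())
    return [a for a in (parse_alert_record(r) for r in records) if a]


def client_side_victims(alerts, category_prefix="WEB-CLIENT"):
    """Map destination hosts to the sorted SIDs that fired on traffic sent to them.

    Client-side rules alert on server -> client traffic, so the destination
    address is the potentially compromised workstation. The prefix is an
    assumption about how the rule messages are named.
    """
    victims = defaultdict(set)
    for alert in alerts:
        if alert["msg"].startswith(category_prefix):
            victims[alert["dst"]].add(alert["sid"])
    return {host: sorted(sids) for host, sids in victims.items()}


if __name__ == "__main__":
    parsed = parse_alert_log(SAMPLE_ALERT_LOG)
    for alert in parsed:
        print(alert["sid"], alert["src"], "->", alert["dst"], alert["msg"])
    print(client_side_victims(parsed))
```

For a WEB-CLIENT alert the interesting host is the destination, not the source: the rule fires on the response the malicious server sent, so 10.11.250.196 is the workstation to pull for the dropped files described earlier, and 213.155.12.144 is the server to block.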
ClamAV has got you covered as well with BC.Exploit.CVE_2010_1885.
Hi Alain,
Thanks for the post. But it's not clear from your writeup how the .lnk vulnerability plays into this at all. It would seem from your writeup that this malicious site is leveraging the Help and Support Center vuln, not the .lnk vuln. Am I missing something?
TX
Bk
Thanks for pointing that out, Brian. My brain is fried...blame DEFCON or my normal state. Anyway, fixed the title and the link to the Microsoft security bulletin.