In a previous blog post I was writing about an increase in attacks against an at the time, un-patched vulnerability. Microsoft patched it on July 13, which doesn't mean that people aren't still trying to own un-patched machines.goodgirlsbadguys.com (213.155.12.144) is a domain registered on July 19 2010 with a registrant address listed in Cambodia. Visiting a particular webpage for that domain (trust me and don't go there...despite the name there is nothing juicy on this domain except pwnage) returns a URL as part of an iframe. Microsoft Help and Support Center is invoked with a few parameters, one of which is the URL obtained earlier:
Pic.1: Help and Support Center
Notice the use of the keyword "crimepack" in the hcp:// request.
In a randomly named file (in this case, "bat.vbsautba" in c:\Documents and Settings\user\Local Settings\Temp the following html can be found:
Pic.2: Dropped file with random name
Later, the command line utility is invoked with the following parameters:
Pic.3: cmd.exe called to run script...and kill Windows Media Player
The script that is executed is called D.vbs:
Pic.4: D.vbs
Snort detects this Windows Help Center escape sequence cross-site scripting attempt with sid 16665:
08/09-11:26:49.588645 [**] [1:16665:3] WEB-CLIENT Microsoft Windows Help Centre escape sequence XSS attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 213.155.12.144:80 -> 10.11.250.196:107608/09-11:26:49.588645 0:1E:13:F0:2E:19 -> 0:C:29:21:50:D5 type:0x8100 len:0x59E213.155.12.144:80 -> 10.11.250.196:1076 TCP TTL:59 TOS:0x0 ID:11527 IpLen:20 DgmLen:1420 DFClamAV has got you covered as well with BC.Exploit.CVE_2010_1885.