AlienVault R&D Labs Portal. Get the latest news from our research.
Yesterday, Adobe released a patch for Adobe Flash that fixes a zero-day vulnerability being exploited in the wild. According to Adobe, CVE-2013-0633 is being exploited using Microsoft Office files with embedded Flash content delivered via email. They are also aware of CVE-2013-0634 being exploited through web browsers such as Firefox and Safari on Mac OS X. FireEye released some information a few hours ago.

We found several Microsoft Office files containing the exploit that seem to be part of a spear-phishing campaign targeting several industries, including aerospace.

One of the files uses the 2013 IEEE Aerospace Conference schedule as a lure to trick the user into opening the file. Here is the content displayed to the user.

Another sample is related to an online payroll system used by several companies in the US.

As we previously said, the .doc files contain an embedded Flash file with no compression or obfuscation. The Flash file has an embedded executable that is the actual payload delivered to the victim. It is worth mentioning that the executable isn't obfuscated at all, which means most security products should be able to detect this threat using generic signatures.
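Because the samples embed an uncompressed SWF and, inside it, an unobfuscated executable, a plain signature walk over the .doc bytes finds both. The following Python is an added example written for this post, not AlienVault's tooling: it locates SWF headers (3-byte signature, version byte, declared length), MZ/PE headers (validated through e_lfanew), and reports whether a PE sits inside an uncompressed SWF. The sample document is constructed, and the 13 bytes standing in for the SWF frame header are filler.

```python
import struct

def find_pe_images(data: bytes) -> list:
    """Offsets of MZ headers whose e_lfanew (DOS header +0x3C) points at 'PE\\0\\0'."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if 0x40 <= e_lfanew < 0x1000 and data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def find_swf_headers(data: bytes) -> list:
    """(offset, compressed, version, declared_length) for each SWF header found.
    FWS is uncompressed (what the post describes); CWS is zlib-compressed."""
    hits = []
    for sig in (b"FWS", b"CWS"):
        pos = data.find(sig)
        while pos != -1:
            if pos + 8 <= len(data):
                version, length = data[pos + 3], struct.unpack_from("<I", data, pos + 4)[0]
                # An FWS declared length must fit in the container; CWS declares the
                # uncompressed size, so only a lower bound applies there.
                if length >= 8 and (sig == b"CWS" or length <= len(data) - pos):
                    hits.append((pos, sig == b"CWS", version, length))
            pos = data.find(sig, pos + 1)
    return sorted(hits)

def triage(data: bytes) -> dict:
    """Report embedded SWF and PE images and whether a PE lies inside an uncompressed SWF."""
    swfs, pes = find_swf_headers(data), find_pe_images(data)
    nested = any(not c and off <= pe < off + ln for off, c, _, ln in swfs for pe in pes)
    return {"swf": swfs, "pe": pes, "pe_inside_swf": nested}

def build_sample_doc() -> bytes:
    """Constructed test data: OLE2 magic, padding, then an FWS wrapping a minimal fake PE."""
    mz = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", mz, 0x3C, 0x80)                      # e_lfanew -> 0x80
    pe = bytes(mz) + b"\0" * 0x40 + b"PE\0\0" + b"\0" * 16
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + pe   # filler frame header + payload
    swf = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + body
    return b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 64 + swf + b"\0" * 16

if __name__ == "__main__":
    print(triage(build_sample_doc()))
```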

The Flash files contain several ActionScript classes that check for specific Flash and operating system versions, plus specific code to trigger the exploit.

The code contains several references to “Lady Boyle”, a character in the computer game Dishonored.

One of the payloads is an executable signed with a fake certificate from a South Korean company called MGAME. We have seen this certificate dozens of times in the past as part of targeted attacks, including against NGOs, used to sign several RAT files including PlugX.

The sample connects to ieee[.]boeing-job[.]com (C&C):

We will keep you up to date as we discover new information related to this attack.

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.

New year, new Java zeroday!

January 10th, 2013 | Posted by jaime.blasco in Advisory | Attacks | Exploits - (Comments Off)

Earlier this morning @Kafeine alerted us about a new Java zero-day being exploited in the wild. With the files we were able to obtain, we reproduced the exploit on a fully patched, fresh installation of Java. As you can see below, we tricked the malicious Java applet into executing calc.exe in our lab.

The Java file is highly obfuscated, but based on our quick analysis the exploit is probably bypassing certain security checks by tricking the permissions of certain Java classes, as we saw in CVE-2012-4681.

Right now the only way to protect your machine against this exploit is to disable the Java browser plugin. Let’s see how long it takes Oracle to release a patch.

On the other hand, we expect a Metasploit module in the coming days, as has happened throughout the last year, and most of the exploit kits adopting this new zero-day sooner rather than later.

We will keep you updated as we obtain more information.

Be safe!

Update: It seems both the Blackhole and Nuclear Pack exploit kits are using this vulnerability in the wild.

As we reported in our previous blog post, the latest Internet Explorer zero-day is being used to target specific sectors, including Defence and Industrial.

Following our investigation of the servers found serving the Internet Explorer zero-day, and using OSINT, we were able to use the WHOIS email address and the IP addresses used by the attackers to find fake domains registered by them that contain the names of companies related to:

- US Aircraft and weapons delivery systems company

- US Defence decoy countermeasures company

- US Aerospace and defence technology company

- US Supplier for repairs of tactical fighters

- Laboratory for energetic systems and materials

- UK Defence contractor

We also found a fake domain of a company that builds turbines and power sources used in several applications including utilities and power plants.

We were able to confirm that the official website of the company has been compromised as well and is serving the Internet Explorer zero-day to its visitors. They have included an iframe pointing to the exploit in the entry page:

The version of the exploit found seems to be based on the code we found on the previous servers, and it also uses the Grumgog.swf Flash file to aid exploitation.

Apart from that, the exploit code seems to have evolved: it can now infect not only Windows XP but also 32-bit Windows 7 running Java 6. This is based on the Dodge.html file we found within the exploit code:

The Flash file is also encrypted with DoSWF, like the previous versions, and licensed to bnetbgm@163.com.fr. Once the vulnerability is triggered, the malicious code downloads the payload from /_include/site.exe.

The payload is obfuscated with the same XOR 70 scheme and, once again, contains a version of the PlugX RAT that we found in previous attacks.
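A single-byte XOR key on a downloaded blob such as site.exe can be recovered by brute force, because a correctly decoded PE gives itself away through its MZ header and the e_lfanew pointer to the PE signature. The Python below is an added example, not code from the post: it assumes a plain XOR over every byte (obfuscators that skip 0x00 or key-valued bytes need a different decoder), and because the post does not say whether "XOR 70" is decimal or hex it brute-forces all 256 keys and uses a constructed fake PE XORed with 0x70 as its test input.

```python
import struct

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew (+0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew < 0x1000 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def xor_bytes(data: bytes, key: int) -> bytes:
    """Plain single-byte XOR over every byte (key 0 leaves the data unchanged)."""
    return bytes(b ^ key for b in data)

def recover_xor_key(blob: bytes):
    """Try all 256 single-byte keys on the header region only (cheap), then decode the
    whole blob with the first key that yields a valid PE. Returns (key, decoded) or None.
    Caveat: schemes that skip 0x00 or key-valued bytes will not decode cleanly here."""
    header = blob[:0x1000]
    for key in range(256):
        if looks_like_pe(xor_bytes(header, key)):
            return key, xor_bytes(blob, key)
    return None

def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE: DOS header with e_lfanew = 0x80, then a PE signature."""
    mz = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", mz, 0x3C, 0x80)
    return bytes(mz) + b"\0" * 0x40 + b"PE\0\0" + b"\0" * 0x100

def demo() -> bool:
    """Obfuscate the fake PE with the constructed key 0x70, then recover the key blind."""
    plain = build_fake_pe()
    result = recover_xor_key(xor_bytes(plain, 0x70))
    return result is not None and result[0] == 0x70 and result[1] == plain

if __name__ == "__main__":
    print("key recovered:", demo())
```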

The PlugX RAT connects to a C&C server on oXXX.blogdns.com, which resolves to 142.4.46.214. I recommend searching your logs for connections to that IP address, since any such connection is a symptom of a compromised system.

On the other hand, these Emerging Threats Snort rules will help you catch exploit attempts and related activity:

2015704 – ET CURRENT_EVENTS DoSWF Flash Encryption Banner
2015711 – ET CURRENT_EVENTS Internet Explorer execCommand fuction Use after free Vulnerability 0day
2015712 – ET CURRENT_EVENTS Internet Explorer execCommand fuction Use after free Vulnerability 0day

Happy hunting!

0-day in Microsoft IIS 5/6 FTP

September 1st, 2009 | Posted by jaime.blasco in Alienvault OSSIM | Attacks | Vulnerability Management - (Comments Off)

A 0-day exploit for Microsoft IIS 5/6 FTP was recently published on Milw0rm, and HD Moore is porting the bug to Metasploit.

Alienvault’s feed customers are protected with the directive released today:

- 45046: AV Possible 0day IIS FTP Exploit against DST_IP
- http://isc.sans.org/diary.html?storyid=7039

UPDATE:

We already had coverage with two directives present in the Alienvault Professional Feed:

- 45024: AV Possible FTP Exploit attempt against DST_IP
- 45025: AV Possible FTP Exploit attempt against DST_IP (FTP preprocessor)

Ossim: 0-day in Microsoft DirectShow

July 7th, 2009 | Posted by jaime.blasco in Alienvault OSSIM | Attacks | Exploits - (Comments Off)

A 0-day exploit in the Microsoft Video ActiveX Control is being exploited by malicious sites. Many people are covering this vulnerability, and it seems it will be widely deployed.

Alienvault’s feed customers are protected and covered with these directives:

- 45046: AV Possible MSVidCtl Client side attack detected against SRC_IP (KB-972890)
- 45047: AV Possible Malicious Server exploiting MSVidCt against DST_IP (KB-972890)
- 45048: AV Possible MSVidCt Client Side Attack against DST_IP from a compromised host (KB-972890)
- 45049: AV Possible MSVidCtl Client side attack detected against SRC_IP (KB-972890) 2
- http://isc.sans.org/diary.html?storyid=6733
- http://www.microsoft.com/technet/security/advisory/972890.mspx
