13 December, 2008

IE vulnerability just one of many

The latest IE "0day" is making big news. The bulletin now includes IE6, IE7, and IE8 beta. Looking at CVE-2008-4844 will give a decent round-up of related links. Shadowserver has a list of domains known to be using exploits that attack this vulnerability. Microsoft has some workarounds to help mitigate the vulnerability.

One thing to remember is that many malicious sites do not rely on one vulnerability. Don't let one high-profile vulnerability and news of exploits in the wild make you forget about the big picture. If a site is hosting exploits against this IE vulnerability, it is very likely the site will be hosting additional exploits.

One example is 17gamo[dot]com, one of the highest-profile domains hosting exploits. The SQL injection attacks referenced on SANS are injecting a URI containing this malicious domain. As mentioned in the SANS diary, the JavaScript in the injected URI leads to additional files on the malicious site. Although the SANS diary specifically mentions the IE exploit, it doesn't mention the other exploits.

Please remember the following site is malicious!

$ wget -r http://www.17gamo.com/co
After downloading the content, I change to the correct directory and see what is there:
$ ls co/
14.htm flash.htm ihhh.html nct.htm real.htm swfobject.js
fhhh.html ie7.htm index.html office.htm real.html
The index file tries to open iframes containing 14.htm, flash.htm, ie7.htm, nct.htm, office.htm, real.htm and real.html. The flash.htm file then references ihhh.html and fhhh.html. We already know from the SANS diary what ie7.htm does.

It was nice of the file authors to use relevant names for some of the files. The flash.htm code references both ihhh.html and fhhh.html. Both of these files look like they will serve up a Flash exploit under varying names depending on what version of the Flash Player is detected. A couple of the SWF files I downloaded are the same size, but diff shows that they are not identical. They all seem to produce similar results on VirusTotal.
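The two manual steps above (tracing which pages index.html and flash.htm pull in, and checking whether same-size SWF files are actually identical) are easy to script so the whole downloaded tree gets looked at rather than just the file that made the news. The following Python is an added example written for this post, not anything from the site or the SANS diary. It builds a constructed stand-in directory that only reproduces the reference structure described above (iframes and embed/script src attributes; no exploit content), walks the references from index.html, flags files that are referenced but were not downloaded, and groups SWFs by size with a SHA-256 check so "same size" is never mistaken for "same file". The file names i9.swf and f9.swf are assumptions for the two SWFs.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Two reference types the post describes: iframes and script/embed/object
# sources. Plain regexes are enough for offline triage of saved pages.
IFRAME_RE = re.compile(r'<iframe[^>]+src\s*=\s*["\']?([^"\'\s>]+)', re.I)
SRC_RE = re.compile(
    r'<(?:script|embed|object)[^>]+(?:src|data)\s*=\s*["\']?([^"\'\s>]+)', re.I)


def make_sample_dir():
    """Constructed stand-in for the downloaded co/ directory (no real content)."""
    root = tempfile.mkdtemp(prefix="triage_")
    landing = ["14.htm", "flash.htm", "ie7.htm", "nct.htm",
               "office.htm", "real.htm", "real.html"]
    files = {
        "index.html": "".join(
            '<iframe src="%s" width=0 height=0></iframe>' % f for f in landing),
        "flash.htm": ('<script src="swfobject.js"></script>'
                      '<iframe src="ihhh.html"></iframe>'
                      '<iframe src="fhhh.html"></iframe>'),
        # Assumed SWF names; each version-specific page embeds a different file.
        "ihhh.html": '<embed src="i9.swf" type="application/x-shockwave-flash">',
        "fhhh.html": '<embed src="f9.swf" type="application/x-shockwave-flash">',
        "ie7.htm": "<html><!-- placeholder, not the real page --></html>",
        "swfobject.js": "// placeholder",
        # Same size (64 bytes), different bytes: the case diff caught.
        "i9.swf": b"FWS\x09" + b"A" * 60,
        "f9.swf": b"FWS\x09" + b"B" * 60,
    }
    for name, content in files.items():
        mode = "wb" if isinstance(content, bytes) else "w"
        with open(os.path.join(root, name), mode) as fh:
            fh.write(content)
    return root


def references(html_text):
    """Local file names a page pulls in, iframes first, then script/embed/object."""
    refs = IFRAME_RE.findall(html_text) + SRC_RE.findall(html_text)
    return [os.path.basename(r) for r in refs]


def build_chain(root, start="index.html"):
    """Breadth-first walk from `start`; value is the reference list, or None
    when the file is referenced but missing from the download."""
    chain, queue = {}, [start]
    while queue:
        name = queue.pop(0)
        if name in chain:
            continue
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            chain[name] = None
            continue
        with open(path, "r", errors="replace") as fh:
            refs = references(fh.read())
        chain[name] = refs
        queue.extend(refs)
    return chain


def missing_files(chain):
    """Files the pages reference that wget did not fetch (worth a second look)."""
    return sorted(name for name, refs in chain.items() if refs is None)


def group_by_size(root, ext=".swf"):
    """{size: ([(name, sha256), ...], all_identical)} for files with `ext`."""
    groups = defaultdict(list)
    for name in sorted(os.listdir(root)):
        if not name.lower().endswith(ext):
            continue
        path = os.path.join(root, name)
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        groups[os.path.getsize(path)].append((name, digest))
    return {size: (entries, len({d for _, d in entries}) == 1)
            for size, entries in groups.items()}


if __name__ == "__main__":
    root = make_sample_dir()
    chain = build_chain(root)
    for page, refs in chain.items():
        print("%-14s -> %s" % (page, "MISSING" if refs is None else ", ".join(refs) or "-"))
    print("not downloaded:", missing_files(chain))
    for size, (entries, same) in group_by_size(root).items():
        print("%d bytes: %s identical=%s" % (size, [n for n, _ in entries], same))
```

Point the functions at the real co/ directory instead of the constructed one and the output is the full map of what index.html drags in, which the SANS diary's focus on ie7.htm alone would miss.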

The office.htm file appears to be an exploit targeting CVE-2008-2463, an MS Office Snapshot Viewer ActiveX vulnerability. If the client is vulnerable, this will lead to the download of the same win.exe mentioned in the SANS diary, and it looks like it will attempt to write the executable to the 'Startup' folder for All Users.

I haven't looked at real.htm, real.html, nct.htm or 14.htm yet.

This is all just to point out that most malicious sites these days will run a number of attacks against web clients, so just because one attack failed doesn't mean the others did too. I saw a system get hit by the ie7.htm exploit without immediately downloading the win.exe from steoo[dot]com, yet it did run one of the malicious SWF files.
