Just a day before Patch Tuesday, when Microsoft is going to release a couple of patches for DirectShow vulnerabilities, including the MSVIDCTRL 0-day, IE (Internet Explorer) users are hit by another surprise. A new 0-day vulnerability has been identified in the Microsoft Office Web Components and is currently being exploited via the IE scripting interface. There is no patch available at the moment, but Microsoft has come up with a workaround.
One of the malicious URLs found to exploit this vulnerability is hxxp://www.fdsdffdfsf.cn/of.htm.
Here is what the exploit page looks like:
....
If successfully exploited, the above shellcode fetches a malware binary from hxxp://www.fdasfadf.cn/new.exe.
Let's see what the actual payload, i.e. new.exe, is all about.
Here is the VirusTotal report for new.exe.
Upon execution this malware produces outbound communication like this:
GET /hao.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.98765W; Windows NT 5.1; SV1)
Host: www.qvod69.cn
Connection: Keep-Alive
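As an added illustration (not part of the original post), here is a small Python checker that parses a raw request like the one above and flags the two indicators it carries: the malformed MSIE version token in the User-Agent (real IE builds send only major.minor, never a third component like ".98765W") and the host/path pair of this sample. Both sample requests below are constructed for the example; the second, benign one is there for contrast.

```python
import re

# Constructed samples: the first reproduces the beacon shown in the post,
# the second is a normal IE6 request used as a negative control.
SAMPLE_REQUESTS = [
    "GET /hao.txt HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.98765W; Windows NT 5.1; SV1)\r\n"
    "Host: www.qvod69.cn\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: www.example.com\r\n\r\n",
]

# Capture "major.minor" and whatever follows it up to the next ';', ')' or space.
MSIE_TOKEN = re.compile(r"MSIE (\d+\.\d+)([^;)\s]*)")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers) with
    lower-cased header names; tolerates both CRLF and LF line endings."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def suspicious_ua(ua):
    """True when the MSIE version carries an extra dotted component
    (e.g. '6.0.98765W'), which IE itself never emits. A bare letter
    suffix such as '7.0b' (a real beta build) is not flagged."""
    m = MSIE_TOKEN.search(ua)
    return bool(m) and m.group(2).startswith(".")


def classify(raw):
    """Return the list of reasons a request matches the beacon in the post."""
    _method, path, headers = parse_request(raw)
    reasons = []
    if suspicious_ua(headers.get("user-agent", "")):
        reasons.append("malformed MSIE version in User-Agent")
    if headers.get("host", "").lower() == "www.qvod69.cn" and path == "/hao.txt":
        reasons.append("known beacon host/path from this sample")
    return reasons


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(classify(req) or ["clean"])
```

The User-Agent check generalises beyond this sample: it catches any request whose MSIE token has a fabricated third version component, which is a cheap signal to run over proxy logs.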
Read more: http://blog.fireeye.com/research/2009/07/who-is-exploiting-office-web-components-0day.html?cid=6a00d835018afd53ef0115720324c1970b
References:
Office Web Components exploits in the wild
http://www.malwaredomainlist.com/forums/index.php?topic=3123.0