Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday 7 July 2009

Who is Exploiting the Windows 0-day (MSVIDCTL.DLL) ?

As most readers will already know, a new 0-day vulnerability in MS Video ActiveX Control is currently being exploited in the wild. Lots of research material has already been published covering different aspects of this vulnerability and the attack vector. I have nothing more to add on this front. I would rather focus on explaining the details of the malware behind the scenes.

Readers who are interested in learning more about the vulnerability might refer to these articles:

http://voices.washingtonpost.com/securityfix/2009/07/microsoft_internet_explorer_ex.html
http://isc.sans.org/diary.html?storyid=6733
http://www.csis.dk/dk/nyheder/nyheder.asp?tekstID=799

Surprisingly, no detailed analysis of the underlying malware is yet available on the web (at least I was not able to find it). The primary purpose of this article is to bridge this gap.

Let's just start here.

MD5 = 6cf94b87cbeabfa0cec421f3e4827823

Packing = NsPack

AV Coverage (Virus Total) = 95.12 %

Although the vulnerability is 0-day, the malware itself has been around for quite some time. Upon execution, this malware tries to contact its CnC server 'babi2009.com'. Here is what the first HTTP request looks like:


Read more
http://blog.fireeye.com/research/2009/07/who-is-exploiting-0day-msvidctl-.html
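The post gives two indicators a defender can act on right away: the sample's MD5 and the CnC domain it beacons to. The following Python script is an added example, not code from the original post or from FireEye; it checks a file's MD5 against the published hash and sweeps proxy log lines for requests to the CnC domain (including subdomains). The log lines and their Squid-like format are constructed for the example; the post itself does not show the actual HTTP request, so the matcher works on the destination host only.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators taken from the post above.
KNOWN_SAMPLE_MD5 = "6cf94b87cbeabfa0cec421f3e4827823"
CNC_DOMAINS = {"babi2009.com"}

# Constructed sample proxy log (not real data), one request per line:
# <epoch> <client_ip> <method> <url> <status>
SAMPLE_PROXY_LOG = """\
1246968000.123 10.0.0.12 GET http://www.example.com/index.html 200
1246968005.456 10.0.0.12 GET http://babi2009.com/ 200
1246968010.789 10.0.0.17 POST http://images.example.net/upload 200
1246968015.321 10.0.0.12 GET http://cdn.babi2009.com/update.bin 404
"""

LOG_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string (MD5 is used only because that is the hash the post publishes)."""
    return hashlib.md5(data).hexdigest()


def is_known_sample(data: bytes) -> bool:
    """True if the bytes hash to the MD5 reported for the dropped malware."""
    return md5_hex(data) == KNOWN_SAMPLE_MD5


def host_of(url: str) -> str:
    """Extract the host part of a URL, empty string if it cannot be parsed."""
    return urlsplit(url).hostname or ""


def matches_cnc(host: str) -> bool:
    """Exact or subdomain match against the CnC domain list, case-insensitive."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CNC_DOMAINS)


def flag_cnc_requests(log_text: str) -> list:
    """Return one dict per log line whose destination host is a known CnC domain."""
    hits = []
    for raw in log_text.splitlines():
        m = LOG_LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, client, method, url, status = m.groups()
        host = host_of(url)
        if matches_cnc(host):
            hits.append({"time": ts, "client": client, "method": method,
                         "url": url, "host": host, "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in flag_cnc_requests(SAMPLE_PROXY_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['host']} ({hit['method']} {hit['status']})")
```

Run against the constructed log, the script flags the two requests from 10.0.0.12 to babi2009.com and its subdomain and ignores the unrelated hosts; swapping `SAMPLE_PROXY_LOG` for a real proxy export in the same five-field layout is the only change needed. A non-200 response to the CnC host is still reported, because the beacon attempt itself is the evidence of infection.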
