Mapping the Future of an Exploit
Friday May 11, 2007 at 7:56 am CST
Posted by Cedric Cochin, Rachit Mathur, Craig Schmugar
Last month we posted a blog entitled Malware Exploits Microsoft “Feature” Along With Vulnerabilities. What prompted the creation of that entry was the discovery of malware exploiting the way Internet Explorer handles character encoding, an issue that was first reported last year. Since then we’ve been tracking the posting of exploits targeting this vulnerability. To date we’ve identified 256 obfuscated pages hosted on 198 unique domains. This Google Map plots the geographic location of the servers hosting the malicious files.
As you can see, the majority of servers are hosted in China. What is ironic here is that the reason the flaw exists is due to the handling of US-ASCII encoded pages. The code exists for the “benefit” of English-reading viewers, and yet non-English users are the ones most targeted. Attacks can be successful on such targets due to the manual specification of US-ASCII character encoding within the malicious HTML pages. It doesn’t matter if the victims configured their browsers to use a different character encoding; whichever encoding type is specified within the HTML is the one used by Internet Explorer.
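The behaviour described above is what a content scanner has to account for: a page that forces `charset=us-ascii` yet contains bytes with the high bit set, which genuine US-ASCII never does. The following Python is an added example, not code from the original post; it assumes (as reported for IE at the time) that the US-ASCII decoder simply discards bit 7 of every byte, so a scanner must apply the same mask to see the markup the browser will actually render. The sample page is constructed.

```python
import re

# Constructed sample: a page that forces US-ASCII while carrying bytes >= 0x80.
# The high-bit run is just ordinary markup with bit 7 set on every byte.
SAMPLE_PAGE = (
    b'<html><head>\n'
    b'<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">\n'
    b'</head><body>\n'
    + bytes(c | 0x80 for c in b'<script>alert(1)</script>')
    + b'\n</body></html>'
)

CHARSET_RE = re.compile(rb'charset\s*=\s*["\']?\s*us-ascii', re.IGNORECASE)


def declares_us_ascii(page: bytes) -> bool:
    """True if the page's own meta tag forces US-ASCII (overriding the browser setting)."""
    return CHARSET_RE.search(page) is not None


def high_bit_bytes(page: bytes) -> int:
    """Count bytes >= 0x80; real US-ASCII content never contains any."""
    return sum(1 for b in page if b >= 0x80)


def normalize_like_ie(page: bytes) -> bytes:
    """Assumption: IE's US-ASCII decoder clears bit 7 of each byte, so apply
    the same mask before handing the page to signature or heuristic checks."""
    return bytes(b & 0x7F for b in page)


def is_suspicious(page: bytes) -> bool:
    """Flag the combination that has no legitimate reason to occur."""
    return declares_us_ascii(page) and high_bit_bytes(page) > 0


def scan(page: bytes) -> dict:
    """Verdict plus whether script markup appears only after normalization."""
    decoded = normalize_like_ie(page)
    return {
        "us_ascii_declared": declares_us_ascii(page),
        "high_bit_bytes": high_bit_bytes(page),
        "suspicious": is_suspicious(page),
        "script_hidden_by_encoding": (
            b"<script" not in page.lower() and b"<script" in decoded.lower()
        ),
    }


if __name__ == "__main__":
    print(scan(SAMPLE_PAGE))
```

A scanner that inspects only the raw bytes sees no script tag at all; the same check against the normalized bytes does, which is the gap the post attributes to content scanning that "couldn't recognize, or decode, the obfuscation".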
We took a sampling of 89 URLs to catalog the payloads of the malicious code. We found that in virtually all cases, patched Internet Explorer vulnerabilities lay beneath the obfuscation layer. It is fairly common for one page to contain multiple exploits. Here’s a breakdown of the exploits obfuscated:

19 of the obfuscated pages were very obviously created with a readily available exploit creation tool. (The page authors didn’t bother removing the comments that make it obvious how the pages were created.)
We also found that in the vast majority of cases, the final payload of these exploits had been removed, and yet the pages that led victims to those absent payloads were still present. Additionally, a third of the pages charted as MS07-017 exploits had the target ANI files removed. All that remains are the HTML pointers to the files (which, all things considered, we assume contained MS07-017). Perhaps a method of content scanning was used that couldn’t recognize, or decode, the obfuscation.
Finally, four of the domains involved in the attacks are associated with Chinese government sites (.gov.cn), and at least two others rely on social engineering in that they are similar to trusted sites.
So where is this all headed?
As we stated last month, this vulnerability has been discussed before. Given the uptick in malicious usage, the concentration of attacks originating from (and targeting) China, and this all coming about on the heels of the worst vulnerability affecting Microsoft Vista to date (which was disclosed after public exploitation was discovered–in China), we can expect Microsoft to release an official statement on this issue sooner or later. The longer this issue goes unaddressed, the more likely it is that a new IE zero-day attack will leverage this method of obfuscation to conceal its presence just a little bit longer. And the likelihood of such an attack emanating from China is higher than anywhere else right now. Unfortunately it might just take such an event for this issue to become a priority.
May 21st, 2007 at 10:37 pm
The title is sensational, but the article was a disappointment.
The title talks about the future of an exploit, but the article is based on servers hosting malware in the past. If there is anything in the article that relates to the future of an exploit, I am sorry I missed it. Also, isn’t the conclusion (the last para) a statement of the obvious? I don’t see any new information or finding emerging from it. The only finding that I see is that a particular class of malware is hosted mostly on Chinese servers.
Isn’t there a distinct possibility that a majority of these servers are owned, and are remote controlled (esp. when you consider malware being hosted on .gov.cn)? I would be inclined to believe that most of these servers are possibly never patched, making them prime bot candidates. It would have been interesting to run a fingerprint on those servers and see what OS and server they were running.
So, even though the malware is physically hosted on Chinese sites, it is probably far fetched to draw conclusions based on the geos of malware.
Also, I was highly surprised with
“This Google Map plots the geographic location of the servers hosting the malicious files”
“We also found that in the vast majority of cases, the final payload of these exploits had been removed”
So is your analysis based on malware servers where the malicious payload is removed? Hope you see my point.
“And the likelihood of such an attack emanating from China is higher than anywhere else right now”
I would say not necessarily, that such a conclusion is far fetched.
What I would have appreciated is:
1. Publishing the methodology you followed in your research (for example, there is no way of knowing whether you investigated a wide sample of servers or a narrow one). Could it be that your sample itself was skewed?
2. Details of the servers (at least the OS and server), which may aid in drawing more reasonable conclusions
3. More research with possibly more reasonable inferences and conclusions
May 22nd, 2007 at 9:10 am
> Re: the title
The title was meant to entice you to read further, so it served its purpose.
> Re: future of an exploit point missed.
The title talks about mapping (which is obviously there), an exploit (how Internet Explorer handles character encoding), and where this is headed (aka future, the last paragraph).
The conclusion/prediction is that Microsoft won’t address this issue until it’s used to hide a separate, yet to be discovered, zero-day IE exploit; and that such an exploit will likely emanate from China.
> Re: Couldn’t the servers be compromised?
Absolutely! In all likelihood these web servers were compromised. I wouldn’t expect .gov.cn domains to purposefully host malicious code. Fingerprinting wasn’t done as it was assumed that many of the servers were compromised and we weren’t attempting to isolate the method used to post the malicious code.
> Re: Is your analysis based on malware servers where the malicious payload is removed?
A couple of points:
First, we can tell from the exploit code that they are designed to work on non-US-ASCII browsers.
Second, we can tell from pages leading to exploit code that Chinese readers are targeted. Additionally, many pages contain embedded exploit HTML; those pages typically target Chinese readers too.
Third, the payloads that had not been pulled typically target applications that are most commonly used in the region.
Fourth, the vast majority of servers involved are located in China.
> Re: …such a conclusion is far fetched
Far fetched? The vast majority of these US-ASCII encoding exploits are emanating from China right now. MS07-017 (ANI) was disclosed after it was discovered emanating from China. The mass-hacks around Super Bowl XLI & the Dolphin Stadium website led to servers in China
[http://www.avertlabs.com/research/blog/index.php/2007/03/29/ani-file-exploit-has-connection-with-hacked-super-bowl-site/]. Those servers were later updated to serve MS07-017 exploits. The first MS07-017 worm came from China, W32/Fujacks.aa [http://vil.nai.com/vil/content/v_141877.htm]. My point is that exploits are hot in China right now, and newer techniques are implemented at a faster adoption rate than we typically see elsewhere–anecdotally.
> Re: Publishing the methodology…skewed sample set.
I’m from the old AV school, where we don’t lead people to malware or educate black hats. What I can tell you is that we used search engines to run global searches that led us to a number of sites. The searches were not specific to any region. The queries run yielded the same results whether searching the .com or the .cn engine sites. Exploit results were validated manually.