Targeted Internet Explorer Zero-Day Attack Announced (CVE-2010-0806)
Tuesday March 9, 2010 at 5:30 pm CST
Posted by Craig Schmugar
Earlier today, Microsoft released Security Advisory 981374. The advisory covers CVE-2010-0806, an unpatched vulnerability affecting Internet Explorer versions 6 and 7. The attack appears to be rather targeted at the moment, but as with other unpatched vulnerabilities in the past, it has the potential to explode now that word is getting out.
McAfee Labs is aware of an attack emanating from the domain topix21century.com (over both HTTP and HTTPS). In this attack, users running a vulnerable browser are directed to a malicious web page that downloads and executes a file named notes.exe or svohost.exe (classified as BackDoor-EMN) in drive-by-download fashion: visiting the page is enough to get infected. Multiple variants of this trojan are involved. Notes.exe creates two copies of itself in the %temp% directory and drops a DLL file. This DLL is injected into Internet Explorer and provides remote access to an attacker.
The backdoor allows an attacker to perform various functions on the compromised system, including uploading and downloading files, executing files, and terminating running processes. Infected systems may attempt to communicate with the domain notes.topix21century.com over HTTPS.
File names related to this attack include:
- 20100307.htm (CVE-2010-0806 exploit)
- bypasskav.txt (part of exploit obfuscation code)
- notes.exe (backdoor installer)
- note.exe (backdoor installer copy)
- clipsvc.exe (backdoor installer copy)
- wshipl.dll (backdoor)
- rsvm.exe (backdoor installer)
- wshipnotes.dll (backdoor)
- notes.exe (backdoor installer)
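As an added example (this is not McAfee's code and not part of the original post), the following Python script turns the indicators above into a retrospective hunt. It runs over constructed web-proxy log lines and a constructed %temp% directory listing, flags requests to topix21century.com or any of its subdomains (so the notes.topix21century.com command-and-control host matches), and separately flags the file names listed above. The log format, the client addresses, and every host other than topix21century.com are assumptions made up for the sample data.

```python
"""Hunt for the CVE-2010-0806 / BackDoor-EMN indicators in proxy logs and %temp%.

Added example, not McAfee Labs code.  Only the domain and file names come from
the post; the log format, client IPs and other hosts are constructed here.
"""
import ntpath
import re

MALICIOUS_DOMAIN = "topix21century.com"  # exploit host; notes.topix21century.com is the C2
INDICATOR_FILES = {
    "20100307.htm", "bypasskav.txt", "notes.exe", "note.exe", "svohost.exe",
    "clipsvc.exe", "wshipl.dll", "rsvm.exe", "wshipnotes.dll",
}

_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def domain_matches(host, bad=MALICIOUS_DOMAIN):
    """Exact or subdomain match at a label boundary.

    A plain endswith() would also accept 'nottopix21century.com', and a
    substring test would accept 'topix21century.com.example.net'.
    """
    host = host.lower().rstrip(".")
    bad = bad.lower().rstrip(".")
    return host == bad or host.endswith("." + bad)


def host_from_target(target):
    """Host part of a request target: a full URL or a CONNECT host:port."""
    t = _SCHEME_RE.sub("", target)                  # drop scheme if present
    t = t.split("/", 1)[0].split("?", 1)[0]         # keep the authority only
    t = t.rpartition("@")[2]                        # drop any userinfo
    host, sep, port = t.rpartition(":")
    return (host if sep and port.isdigit() else t).lower()


def basename_from_target(target):
    """Last path segment of a URL, lower-cased ('' for CONNECT targets)."""
    t = _SCHEME_RE.sub("", target)
    if "/" not in t:
        return ""
    return t.split("?", 1)[0].rsplit("/", 1)[1].lower()


# Constructed proxy log format: <timestamp> <client_ip> <method> <target> <status>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})\s*$")


def triage_proxy_log(lines):
    """Return (client_ip, host, indicator, confidence) for every line that hits.

    Domain hits are high confidence: the post names the domain as both the
    exploit source and the C2.  File-name-only hits are low confidence, since
    a name like notes.exe fetched from an unrelated host is a lead, not proof.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the triage
        _ts, client, _method, target, _status = m.groups()
        host = host_from_target(target)
        name = basename_from_target(target)
        if domain_matches(host):
            hits.append((client, host, MALICIOUS_DOMAIN, "high"))
        elif name in INDICATOR_FILES:
            hits.append((client, host, name, "low"))
    return hits


def suspicious_temp_files(paths):
    """Windows paths whose file name is an indicator, case-insensitive.

    ntpath splits on backslashes even when this runs on a Linux analysis box.
    """
    return [p for p in paths if ntpath.basename(p).lower() in INDICATOR_FILES]


# Constructed sample data (not real traffic).
SAMPLE_PROXY_LOG = """\
2010-03-09T14:02:11Z 10.1.5.23 GET http://topix21century.com/20100307.htm 200
2010-03-09T14:02:12Z 10.1.5.23 GET http://topix21century.com/bypasskav.txt 200
2010-03-09T14:02:13Z 10.1.5.23 GET https://topix21century.com/notes.exe 200
2010-03-09T14:02:40Z 10.1.5.23 CONNECT notes.topix21century.com:443 200
2010-03-09T14:03:01Z 10.1.5.77 GET http://www.example.com/index.html 200
2010-03-09T14:03:05Z 10.1.5.77 GET http://topix21century.com.example.net/ 200
2010-03-09T14:03:09Z 10.1.5.78 GET http://example.com/notes.exe 200
"""

SAMPLE_TEMP_LISTING = [
    r"C:\Documents and Settings\user\Local Settings\Temp\NOTES.EXE",
    r"C:\Documents and Settings\user\Local Settings\Temp\note.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\wshipl.dll",
    r"C:\Documents and Settings\user\Local Settings\Temp\~DF1234.tmp",
]

if __name__ == "__main__":
    for hit in triage_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print("proxy hit:", hit)
    for path in suspicious_temp_files(SAMPLE_TEMP_LISTING):
        print("temp hit:", path)
```

Two details are worth the extra lines: the domain check matches only at a label boundary, so the look-alike host topix21century.com.example.net in the sample does not fire, and file-name-only hits are reported at low confidence because names such as notes.exe are generic and the same name appears in more than one variant above.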
Preliminary product coverage is as follows:
- McAfee DAT files (antivirus): Coverage will be provided for known exploits as Exploit-CVE-2010-0806 and known payloads as BackDoor-EMN in the 5916 DAT files, releasing March 10.
- McAfee VirusScan Enterprise Buffer Overflow Protection: Generic Buffer Overflow Protection is expected to cover future exploits.
- McAfee Host Intrusion Prevention: Generic Buffer Overflow Protection is expected to cover future exploits.
- McAfee Network Security Platform: The sigset releasing March 9 contains coverage under the signature “HTTP: Microsoft Internet Explorer Code Execution Vulnerability”.
- McAfee Vulnerability Manager: The FSL/MVM package of March 9 includes a vulnerability check to assess if your systems are at risk.
- McAfee Web Gateway (formerly Webwasher): TrustedSource has coverage for domains and IP addresses that the malware contacts.
- McAfee Firewall Enterprise (formerly Sidewinder): TrustedSource has coverage for domains and IP addresses that the malware contacts.
- McAfee SiteAdvisor, SiteAdvisor Plus, SiteAdvisor Enterprise: TrustedSource has coverage for domains and IP addresses that the malware contacts.
McAfee Labs is investigating this attack further and will continue to monitor any related activity closely.

March 11th, 2010 at 11:43
[...] after Microsoft announced yet another flaw in Internet Explorer we receive word of that flaw being detected in the wild by McAfee. Just as quickly, we receive word that it has already been integrated into the Metasploit [...]
March 11th, 2010 at 15:40
[...] Targeted Internet Explorer Zero-Day – McAfee Labs [...]
March 11th, 2010 at 21:08
[...] information was confirmed by McAfee, reporting that exploitation of the flaw was originating from the domain topix21century dot com [...]
March 12th, 2010 at 01:55
Note on IE 6/7 – security hole is being actively exploited…
The security hole in Internet Explorer is currently being actively exploited by malicious exploit code. Users of Internet Explorer 6 and 7 are strongly advised not to use this browser as long as Microsoft has not released a patch…
March 14th, 2010 at 19:04
http://www.theregister.co.uk/2010/03/12/ie_metasploit_0day_flaw/
McAfee inadvertently speeds creation of Metasploit IE exploit pack
A security researcher has credited McAfee for helping him to develop exploit code that cracks open an unpatched flaw in older versions of Internet Explorer. Moshe Ben Abu (AKA Trancer00t) developed exploit code for the flaw in IE 6 and 7 in knocking-up an exploit module for the open-source Metasploit exploit database. “I didn’t find the vuln’, just found it in the wild. With a little help from McAfee (http://j.mp/c4W3xA),” the Israeli security researcher noted in a Twitter update on Thursday. Microsoft acknowledged that the flaw, which stems from an invalid pointer reference, affects IE 6 and 7 and creates a possible mechanism for hackers to drop malware onto vulnerable systems. IE8, the latest version of Microsoft’s web surfing software, isn’t vulnerable.
…
http://www.theregister.co.uk/2010/03/12/ie_metasploit_0day_flaw/
April 1st, 2010 at 04:39
[...] >> References: CVE-2010-0806, OSVDB 62810, BID 38615, McAfee Labs Blog – Targeted Internet Explorer Zero-Day Attack Announced (CVE-2010-0806) [...]