About Me

Haowei Ren

Haowei Ren

Read More

Feeds & Podcasts

Blogs

Meet the Bloggers

Archive

Tags

#SecChat $1 million guarantee 12 Scams of Christmas access to live fraud resolution agents Acquisition Alex Thurber Android antivirus Apple botnet Channel Partners cloud security Compliance Consumer counter identity theft credit card fraud and protection credit fraud alerts credit monitoring credit monitoring and resolution critical infrastructure Cyber Security Mom cyberbullying Cybercrime cybermom data breach data center data center security Data Protection Dave DeWalt DLP Email & Web Security embedded encryption Endpoint Protection enterprise facebook fake anti-virus software Family Safety Friday Security Highlights global threat intelligence google government Hacktivism how to talk to kids how to talk to teens identity fraud identity fraud scams identity protection identity protection $1 million guarantee identity protection fraud identity protection surveillance identity surveillance identity theft identity theft expert identity theft fraud identity theft protection identity theft protection product Identity thieves and cybercriminals intel iphone kids online behavior lost wallet protection malware McAfee McAfee Channel McAfee Family Protection McAfee Identity Protection McAfee Initiative to Fight Cybercrime McAfee Labs McAfee security products Mid-Market Mobile mobile malware mobile security monitor credit and personal information Network Security online personal data protection online safety Operation Aurora PCI personal identity theft fraud personal information loss personal information protection phishing privacy proactive identity protection proactive identity surveillance Public Sector restore credit and personal identity Risk and Compliance scam scams scareware security smartphones social media social networking social networks spam Stuxnet twitter vulnerability Web 2.0 work with victim restore identity

McAfee Labs :

New Attacks Against Internet Explorer

Monday, July 6, 2009 at 2:39am by Haowei Ren
Haowei Ren

If you read Geok Meng and Xiaobo’s blog published in December last year, this must almost seem like a movie sequel. Over the July 4 weekend, an exploit targeting a zero-day vulnerability in the Microsoft Microsoft DirectShow ActiveX object was widely discovered on many Chinese websites.

At the time of research, over a hundred hijacked sites were found to be injected with malicious links that are still actively hosting this Trojan. Many of these sites are what you and I would not consider “malicious” or “dodgy.” For example, some of them are school websites or the local community club’s website that had been hijacked or infected.

When browsing these sites (hijacked site #1), the victim is hyperlinked to hijacked site #2, which seems to act as a proxy. In this case, if someone were to audit the source code of hijacked site #1, he or she would see that the links are connected to sites that look legitimate. Hijacked site #2 is, subsequently, hyperlinked to a malicious site hosting a web exploit toolkit.

During research, one of the things we found interesting was the web exploit toolkit explicitly checks that the origin of the hyperlinked references do not come from the “.gov.cn”  and ”.edu.cn” domains, which are used by Chinese government and education sites, respectively. If the references are not coming from any of these domains, it starts sending a cocktail of exploits including:

  • Exploit-MSDirectShow.b (zero-day)
  • Exploit-XMLhttp.d
  • Exploit-RealPlay.a
  • JS/Exploit-BBar
  • Exploit-MS06-014

Each of these exploits targets a different application that could be vulnerable–Internet Explorer 6 and 7, DirectShow ActiveX, RealPlayer, Baidu Toolbar–that can be accessed via the Internet Explorer browser.

From past investigations, this toolkit has been widely used on many Chinese hijacked sites this year. The attackers may be trying to avoid or delay attention from the Chinese government.

When successful, the attacker installs a downloader Trojan that could download other malware.

This zero-day vulnerability has been verified to affect at least Windows XP systems with Internet Explorer 6.x and 7.x. However, on IE 7, the browser on Windows Vista systems, risky ActiveX objects are blocked by default, which may mitigate this zero-day attack. Users should ensure that their systems are always kept up to date against the older exploits.

The zero-day exploit will be detected as Exploit-MSDirectShow.b by McAfee VirusScan in today’s 5668 DATs. The downloader Trojan installed by this exploit can be proactively detected as Generic.dx since the 5567 DATs (released March 28).

We will post more information as we receive it.

(Thanks to our colleague Wei Wang for assistance in this analysis.)

Bookmark and Share

Submit your own comments / message for this post

Your email is never published nor shared. Required fields are marked *

 

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Comments (0)