About Me

Craig Schmugar

Craig Schmugar

Read More

Feeds & Podcasts

Blogs

Meet the Bloggers

Archive

Tags

#SecChat $1 million guarantee 12 Scams of Christmas access to live fraud resolution agents Acquisition Alex Thurber Android antivirus Apple botnet Channel Partners cloud security Compliance Consumer counter identity theft credit card fraud and protection credit fraud alerts credit monitoring credit monitoring and resolution critical infrastructure Cyber Security Mom cyberbullying Cybercrime cybermom data breach data center data center security Data Protection Dave DeWalt DLP Email & Web Security embedded encryption Endpoint Protection enterprise facebook fake anti-virus software Family Safety Friday Security Highlights global threat intelligence google government Hacktivism how to talk to kids how to talk to teens identity fraud identity fraud scams identity protection identity protection $1 million guarantee identity protection fraud identity protection surveillance identity surveillance identity theft identity theft expert identity theft fraud identity theft protection identity theft protection product Identity thieves and cybercriminals intel iphone kids online behavior lost wallet protection malware McAfee McAfee Channel McAfee Family Protection McAfee Identity Protection McAfee Initiative to Fight Cybercrime McAfee Labs McAfee security products Mid-Market Mobile mobile malware mobile security monitor credit and personal information Network Security online personal data protection online safety Operation Aurora PCI personal identity theft fraud personal information loss personal information protection phishing privacy proactive identity protection proactive identity surveillance Public Sector restore credit and personal identity Risk and Compliance scam scams scareware security smartphones social media social networking social networks spam Stuxnet twitter vulnerability Web 2.0 work with victim restore identity

Targeted Internet Explorer Zero-Day Attack Announced (CVE-2010-0806)

Tuesday, March 9, 2010 at 5:30pm by Craig Schmugar
Craig Schmugar

Earlier today, Microsoft released Security Advisory (981374). This advisory covers CVE-2010-0806, an unpatched vulnerability affecting Internet Explorer versions 6 and 7. This attack appears to be rather targeted at the moment, but as with other unpatched vulnerabilities in the past, this has the potential to explode now that the word is getting out.

McAfee Labs is aware of an attack emanating from the domain topix21century.com (over both http and https). In this attack, vulnerable users are directed to a malicious webpage that downloads and executes a file named notes.exe or svohost.exe (classified as BackDoor-EMN) in drive-by download fashion (visiting the page is enough to get infected). There are multiple variants of this trojan involved. Notes.exe creates two copies of itself in the %temp% directory, and drops a DLL file. This DLL file is injected into Internet Explorer and provides remote access to an attacker.

The backdoor allows an attacker to perform various functions on the compromised system, including uploading & downloading files, executing files, and terminating running processes. Infected systems may attempt to communicate with the domain notes.topix21century.com over https.

File names related to this attack include:

  • 20100307.htm (CVE-2010-0806 exploit)
  • bypasskav.txt (part of exploit obfuscation code)
    • notes.exe (backdoor installer)
      • note.exe (backdoor installer copy)
      • clipsvc.exe (backdoor installer copy)
        • wshipl.dll (backdoor)
      • rsvm.exe (backdoor installer)
        • wshipnotes.dll (backdoor)

Preliminary product coverage is as follows:

  • McAfee DAT files (antivirus): Coverage will be provided for known exploits as Exploit-CVE-2010-0806 and known payloads as BackDoor-EMN in the 5916 DAT files, releasing March 10.
  • McAfee VirusScan Enterprise Buffer Overflow Protection: Generic Buffer Overflow Protection is expected to cover future exploits.
  • McAfee Host Intrusion Prevention: Generic Buffer Overflow Protection is expected to cover future exploits.
  • McAfee Network Security Platform: The sigset releasing March 9 contains coverage under the signature “HTTP: Microsoft Internet Explorer Code Execution Vulnerability”.
  • McAfee Vulnerability Manager: The FSL/MVM package of March 9 includes a vulnerability check to assess if your systems are at risk.
  • McAfee Web Gateway (formerly Webwasher): TrustedSource has coverage for domains and IP addresses that the malware contacts.
  • McAfee Firewall Enterprise (formerly Sidewinder): TrustedSource has coverage for domains and IP addresses that the malware contacts.
  • McAfee SiteAdvisor, SiteAdvisor Plus, SiteAdvisor Enterprise: TrustedSource has coverage for domains and IP addresses that the malware contacts.

McAfee Labs is investigating this attack further and will continue to monitor any related activity closely.

Bookmark and Share

Submit your own comments / message for this post

Your email is never published nor shared. Required fields are marked *

 

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Comments (1)

  • The Register March 14, 2010 7:04PM

    http://www.theregister.co.uk/2010/03/12/ie_metasploit_0day_flaw/

    McAfee inadvertently speeds creation of Metaploit IE exploit pack

    A security researcher has credited McAfee for helping him to develop exploit code that cracks open an unpatched flaw in older versions of Internet Explorer. Moshe Ben Abu (AKA Trancer00t) developed exploit code for the flaw in IE 6 and 7 in knocking-up an exploit module for the open-source Metasploit exploit database. “I didn’t find the vuln’, just found it in the wild. With a little help from McAfee (http://j.mp/c4W3xA) :-) ,” the Israeli security researcher noted in a Twitter update on Thursday. Microsoft acknowledged that the flaw, which stems from an invalid pointer reference, affects IE 6 and 7 and creates a possible mechanism for hackers to drop malware onto vulnerable systems. IE8, the latest version of Microsoft’s web surfing software, isn’t vulnerable.

    http://www.theregister.co.uk/2010/03/12/ie_metasploit_0day_flaw/