New IE 0-day Vulnerability (Nov 5, 2010)


The SonicWALL UTM Research team received reports of a new Internet Explorer 0-day vulnerability being exploited in the wild. Internet Explorer versions 6, 7 and 8 are affected. The vulnerability is actively being targeted by specially crafted HTML pages on compromised sites.

The HTML page contains heavily obfuscated malicious JavaScript that carries the shellcode and a NOP sled. On successful exploitation, the shellcode executes and leads to the download and execution of a malicious executable file on the victim machine.

During our research we found the shellcode enclosed within the JavaScript to be encrypted; a snippet of the decrypted code can be seen below:


The code seen above downloads the file linkbl.gif from a compromised site. The file is an encrypted malicious executable that carries a GIF header to avoid AV detection. It is decrypted on the victim machine, where the GIF header is replaced by an MZ header.

The malware performs the following activities upon execution:

  • Drops the following two files on the victim machine:
    • (STARTUP)/ctfmon.exe [Detected as GAV: Agent.IEM (Trojan)]
    • (SYSTEM32)/msnetacsvc.dll [Detected as GAV: Pirpi.D (Trojan)]

  • Creates the following registry entries to ensure that the dropped malware runs on every system reboot:
    • HKLM_SYSTEM_Services\NWCWorkstation\Parameters\ServiceDll: “%SystemRoot%\System32\msnetacsvc.dll”
    • HKLM_SYSTEM_Services\NWCWorkstation\ImagePath: “%SystemRoot%\System32\svchost.exe -k netsvcs”
    • HKLM_SYSTEM_Services\NWCWorkstation\DisplayName: “NetWare Workstations”

  • Opens a backdoor on the victim machine and attempts to connect to the IP address of a server hosted in Poland. The server is still actively serving encrypted command files at the time of writing this alert. Sample command files requested:
    • GET /bbs/OmIxA9gILmICAAAAPDlUKWrsYsjh0XQxOpixOpixOpiA.gif
    • GET /binary/jXor5LTseXmEAAAAihV0f-Pux4Xbv_grj1Wrj1Wrj1UA.rar
    • GET /picture/OdEw2TlxLdEDAAAAPThVKGntYcfg0HUwO9ewO9ewO9eA.jpg
    • GET /images/Y6V8BWHA1AUIAAAAWtefUqtsaX7fGXD9g5mA.gif
    • GET /news/kHgu4hdmhHeCAAAAlx7Xgkpzwkh7xecukL8ukL8ukL6A.jpg
    • GET /pic/9AWMBYsPcAUgAAAA8un9djhBrNp2tiOM9IoM9IoM9ImA.bmp

    Directories contacted on the server include bbs, binary, pic, picture, image, images, index, and news.
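
The request shape listed above (one of the named directories, a long URL-safe token, an image or archive extension) can be hunted for in web proxy logs. The Python below is an added example, not SonicWALL's signature logic: the log format, the host names and the 32-character length floor are assumptions, and the "AAAA" check at offset 12 is only an observation from the six sample paths above.

```python
import re
from collections import defaultdict

# Directory names and file extensions exactly as listed in the advisory.
C2_DIRS = ("bbs", "binary", "pic", "picture", "image", "images", "index", "news")
C2_EXTS = ("gif", "rar", "jpg", "bmp")

# /<dir>/<URL-safe base64-looking token>.<ext>
# The 32-character floor is an assumption; the shortest sample token is 36.
PATH_RE = re.compile(
    r"^/(?:%s)/([A-Za-z0-9_-]{32,})\.(?:%s)$" % ("|".join(C2_DIRS), "|".join(C2_EXTS))
)

def score_path(path):
    """Return 0 (no match), 1 (shape matches), 2 (shape plus 'AAAA' at offset 12)."""
    m = PATH_RE.match(path.split("?", 1)[0])
    if not m:
        return 0
    # All six sample tokens in the advisory carry "AAAA" at characters 12-15.
    return 2 if m.group(1)[12:16] == "AAAA" else 1

def suspicious_clients(log_lines, min_score=2):
    """Map client IP -> matching GET paths.
    Assumed (constructed) log format: '<client_ip> <method> <host> <path>'."""
    hits = defaultdict(list)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[1] != "GET":
            continue
        client, _, _, path = parts
        if score_path(path) >= min_score:
            hits[client].append(path)
    return dict(hits)

# Constructed proxy log: two request paths from the advisory plus benign traffic.
SAMPLE_LOG = [
    "10.0.0.5 GET c2.example /bbs/OmIxA9gILmICAAAAPDlUKWrsYsjh0XQxOpixOpixOpiA.gif",
    "10.0.0.5 GET c2.example /pic/9AWMBYsPcAUgAAAA8un9djhBrNp2tiOM9IoM9IoM9ImA.bmp",
    "10.0.0.7 GET www.example /images/logo.gif",
    "10.0.0.7 GET www.example /news/2010/11/05/index.html",
    # Hash-named image: same shape, but no "AAAA" marker, so it scores only 1.
    "10.0.0.9 GET cdn.example /images/3f2a9c1e7b6d4a5f8c0e1d2b3a4f5e6d7c8b9a0f.jpg",
]

if __name__ == "__main__":
    for client, paths in suspicious_clients(SAMPLE_LOG).items():
        print(client, len(paths), "matching request(s)")
```
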

SonicWALL Gateway AntiVirus provided protection against this threat via the following signatures:

GAV: CVE-2010-3962.A (Exploit)
GAV: Pirpi.D#dldr (Trojan)
GAV: Agent.IEM (Trojan)
GAV: Pirpi.D (Trojan)
IDP: 5908 Malicious HTML Style Tag 1
