Patched Hole Doesn’t Stop Attackers

Monday, January 30, 2012 @ 01:01 PM gHale

Attackers are going after the newly patched Windows Media Play vulnerability.

Patched earlier this month, the flaw, classified as CVE-2012-0003, can suffer from a remote code execution, and it affects a wide range of Windows systems.

Malware Shifts from Safe to Malicious
Malware Strains Meld by Accident
Rail Hack: Govt. Works with Industry
Video Conferencing: An Easy Hack

When the patch released, Microsoft officials strongly suggested users install it immediately as there was a decent chance of attackers leveraging it in the near future. They were right.

Researchers at the IBM ISS X-Force noticed malicious attacks against the MIDI vulnerability going on and said because exploitation of the flaw is not difficult, there may be more coming.

“In addition to the appearance of live exploitation, detailed discussion of the vulnerability details and methods of exploitation have been seen. The relatively low complexity of locating the vulnerability will doubtlessly lead to more malware targeting it,” said Shane Garrett of the X-Force.

In order to exploit this vulnerability, an attacker needs to entice a user into opening a specifically formatted media file. Once the exploit code executes, the attacker would then have full control of the system. And there are now pieces of malware that are circulating online that are capable of exploiting this vulnerability.

“In the attack that we found, the infection vector is a malicious HTML which we found hosted on the domain, hxxp://images.{BLOCKED} This HTML, which Trend Micro detects as HTML_EXPLT.QYUA, exploits the vulnerability by using two components that are also hosted on the same domain. The two files are: a MIDI file detected as TROJ_MDIEXP.QYUA, and a JavaScript detected as JS_EXPLT.QYUA,” Roland Dela Paz of Trend Micro wrote in an analysis of the attacks.

“HTML_EXPLT.QYUA calls TROJ_MDIEXP.QYUA to trigger the exploit, and uses JS_EXPLT.QYUA to decode the shellcode embedded in HTML_EXPLT.QYUA’s body.”

The specific attack that Trend Micro’s researchers have analyzed uses the shellcode to download an encrypted binary, which it then decrypts and executes. The payload in this attack includes malware with rootkit capabilities, which ends up installed on the victim’s machine. That rootkit also then connects to a remote server and downloads another component, a backdoor.

Leave a Reply

You must be logged in to post a comment.