New Attacks Against Internet Explorer – McAfee Avert Labs Blog

New Attacks Against Internet Explorer

Monday July 6, 2009 at 2:39 am CST
Posted by Haowei Ren, Geok Meng Ong

If you have read Geok Meng and Xiaobo’s blog published in December last year, this will almost seem like a movie sequel. Over the July 4th weekend, an exploit targeting a 0-day vulnerability in the Microsoft DirectShow ActiveX object was found widely deployed on Chinese websites.

At the time of research, over a hundred hijacked sites were found to be injected with malicious links and were still actively hosting this trojan. Many of these sites are ones that you and I would not consider “malicious” or “dodgy”: for example, school websites or a local community club’s website that had been hijacked or infected.

When a victim browses one of these sites (hijacked site #1), the page links to another hijacked site (#2), which seems to act as a proxy. Someone auditing the source code of hijacked site #1 would therefore see only links to sites that look legitimate. Hijacked site #2 is, in turn, linked to a malicious site hosting a web exploit toolkit.

One thing we found interesting during the research is that the web exploit toolkit explicitly checks that the referring site does not come from the “.gov.cn” or “.edu.cn” domains, which are used by Chinese government and education sites. If the reference does not come from either of these domains, it starts sending a cocktail of exploits, including:

  • Exploit-MSDirectShow.b (0-day)
  • Exploit-XMLhttp.d
  • Exploit-RealPlay.a
  • JS/Exploit-BBar
  • Exploit-MS06-014

Each of these exploits targets a different potentially vulnerable component reachable through the Internet Explorer browser: Internet Explorer 6 and 7 themselves, the DirectShow ActiveX control, RealPlayer, and the Baidu Toolbar.
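The two-hop chain (hijacked site #1 → hijacked site #2 → exploit kit) and the referrer gating described above are the kind of thing an analyst wants to surface quickly when triaging a compromised site. The following is an added example, not McAfee's tooling and not code from the toolkit: it walks injected iframe/script references across a small offline corpus of constructed pages (every hostname and path below is invented, and the CLSID is a placeholder), flags hidden iframes, cross-site loads, referrer-based cloaking and ActiveX object instantiation, and reports the full chain. The `fetch()` function is a stand-in for an HTTP client.

```python
"""Triage helper for an injected-redirect chain of the kind described above.

Added example (not McAfee's code). The pages below are constructed samples
standing in for hijacked site #1, hijacked site #2 and an exploit-kit
landing page; all URLs are invented and the CLSID is a placeholder.
"""
import re
from collections import deque
from urllib.parse import urljoin, urlparse

# Constructed corpus, keyed by URL. In real use fetch() would be an HTTP client.
PAGES = {
    # hijacked site #1: looks like a normal school page with one injected iframe
    "http://school.example/index.html": (
        "<html><body><h1>Welcome</h1>"
        '<iframe src="http://club.example/news.htm" width=0 height=0></iframe>'
        "</body></html>"
    ),
    # hijacked site #2: a legitimate-looking proxy hop that pulls the kit script
    "http://club.example/news.htm": (
        "<html><body>News"
        '<script src="http://kit.invalid/go.js"></script>'
        "</body></html>"
    ),
    # exploit-kit loader: only proceeds when the referrer is not .gov.cn/.edu.cn
    "http://kit.invalid/go.js": (
        "var r=document.referrer;\n"
        "if(r.indexOf('.gov.cn')==-1 && r.indexOf('.edu.cn')==-1){"
        "document.write('<iframe src=\"http://kit.invalid/ms09.htm\"></iframe>');}"
    ),
    # landing page instantiating an ActiveX object (CLSID deliberately a placeholder)
    "http://kit.invalid/ms09.htm": (
        "<html><object classid='clsid:PLACEHOLDER-CLSID'></object></html>"
    ),
}

# src= of iframes/scripts, including ones written via document.write strings
SRC_RE = re.compile(r'<(?:iframe|script)[^>]*\ssrc=["\']?([^"\'\s>]+)', re.I)
# client-side referrer gating is a cloaking indicator
REFERRER_GATE_RE = re.compile(r"document\.referrer", re.I)
# zero-size or display:none iframes are the classic injection shape
HIDDEN_RE = re.compile(
    r'<iframe[^>]*(width\s*=\s*["\']?0|height\s*=\s*["\']?0|display\s*:\s*none)', re.I)
OBJECT_RE = re.compile(r'<object[^>]*classid=["\']?clsid:([^"\'\s>]+)', re.I)


def fetch(url):
    """Stand-in for an HTTP fetch; reads the constructed corpus."""
    return PAGES.get(url, "")


def extract_links(base, body):
    return [urljoin(base, m) for m in SRC_RE.findall(body)]


def walk_chain(start, max_hops=8):
    """Follow iframe/script references from `start`.

    Returns (visited_urls, findings) where findings is a list of
    (url, description) tuples describing suspicious traits seen on that URL.
    """
    seen, findings = set(), []
    queue = deque([(start, 0)])
    while queue:
        url, depth = queue.popleft()
        if url in seen or depth > max_hops:
            continue
        seen.add(url)
        body = fetch(url)
        host = urlparse(url).hostname
        if HIDDEN_RE.search(body):
            findings.append((url, "hidden iframe"))
        if REFERRER_GATE_RE.search(body):
            findings.append((url, "referrer gating (cloaking)"))
        for clsid in OBJECT_RE.findall(body):
            findings.append((url, f"activex object {clsid}"))
        for link in extract_links(url, body):
            if urlparse(link).hostname != host:
                findings.append((url, f"cross-site load -> {link}"))
            queue.append((link, depth + 1))
    return seen, findings


if __name__ == "__main__":
    visited, found = walk_chain("http://school.example/index.html")
    print("chain:", sorted(visited))
    for url, what in found:
        print(f"{url}: {what}")
```

Static inspection like this catches the gate only when it is implemented client-side, as in the sample; a toolkit that performs the same check server-side returns a benign page to an analyst whose fetch carries a .gov.cn/.edu.cn (or empty) Referer, so a real crawler should record what it sent and compare responses across referrers before concluding a site is clean.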

From past investigation, this toolkit has been widely used on many hijacked Chinese sites this year. The attackers may be trying to avoid or delay attention from the Chinese government.

When an exploit succeeds, the attackers install a downloader trojan, which can then fetch other malware.

This 0-day vulnerability has been verified to affect at least Windows XP systems running Internet Explorer (IE) 6.x and 7.x. However, on IE7 as shipped by default on Windows Vista, risky ActiveX objects are blocked by default, which may mitigate this 0-day attack. Users should ensure that their systems are always kept up to date against the older exploits.

The 0-day exploit will be detected as Exploit-MSDirectShow.b by McAfee VirusScan in today’s 5668 DATs. The downloader trojan installed by this exploit has been proactively detected as Generic.dx since the 5567 DATs (Mar 28th, 2009).

More information will be posted as it becomes available.

(Thanks to Wei Wang for assistance in the analysis)
