As mentioned in a recent blog post, Symantec is aware of the exploitation of a previously unknown and unpatched vulnerability affecting the Microsoft Video Streaming ActiveX control. Initially, there were limited in-the-wild attacks; however, new developments indicate that the flaw is now being exploited on a large scale in China and other parts of Asia. Reports indicate that thousands of websites have been compromised and are now hosting the exploit for this issue.
Our tests show that Microsoft Windows XP systems are affected, while Windows Vista systems do not seem to be affected by the attack. The flaw lies in the “msvidctl.dll” library and can be exploited by providing a crafted file as input to the “data” parameter of the “BDATuner.MPEG2TuneRequest.1” ActiveX object. The object is associated with the following CLSID:
Exploits available in the wild use a .gif file as the input to the data parameter of the object; however, the file is not actually a GIF. An overflow occurs when “msvidctl.dll” parses this file, which results in the SEH handler being overwritten with 0x0C0C0C0C. That address lies in the heap, where the exploit has already placed its shellcode using heap-spray techniques.
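The pattern just described (a page instantiating the BDATuner.MPEG2TuneRequest.1 control, handing it a “data” parameter that points at a “.gif” which is not a GIF, and spraying the heap with 0x0C0C0C0C) gives a defender three concrete things to look for when triaging proxy logs or a suspect page. The following PowerShell is an added example, not code from the Symantec post: the sample HTML and the file bytes are constructed here for illustration, the CLSID in the sample is a placeholder, and the 0x0C0C heap-spray regex is an assumed heuristic rather than a vendor signature.

```powershell
# Added example (not from the Symantec post): triage helpers for the
# msvidctl.dll exploit pattern. Sample inputs below are constructed.

# Return $true when the bytes carry a genuine GIF header. The in-the-wild
# exploit serves a ".gif" that is not a GIF, so $false on a *.gif download
# delivered to this control is a strong indicator.
function Test-GifMagic {
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 6) { return $false }
    $magic = [System.Text.Encoding]::ASCII.GetString($Bytes, 0, 6)
    return ($magic -eq 'GIF87a' -or $magic -eq 'GIF89a')
}

# Flag HTML that references the vulnerable ProgID, feeds it a "data" parameter
# naming a .gif, or contains runs of 0x0C0C (the assumed heap-spray heuristic).
function Find-MsvidctlExploitIndicators {
    param([string]$Html)
    $indicators = @()
    if ($Html -match '(?i)BDATuner\.MPEG2TuneRequest') {
        $indicators += 'ProgID BDATuner.MPEG2TuneRequest referenced'
    }
    if ($Html -match '(?i)<param[^>]+name\s*=\s*["'']?data["'']?[^>]+\.gif') {
        $indicators += '"data" parameter pointing at a .gif'
    }
    if ($Html -match '(?i)(%u0c0c){4,}|(\\x0c){8,}') {
        $indicators += 'repeated 0x0C0C bytes (possible heap spray)'
    }
    return $indicators
}

# --- constructed sample input (not captured from a real site) ---
$sampleHtml = @'
<html><body>
<object classid="clsid:{PLACEHOLDER-CLSID}" id="tuner">
  <param name="data" value="http://example.invalid/payload.gif">
</object>
<script>
  var x = "BDATuner.MPEG2TuneRequest.1";
  var spray = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c");
</script>
</body></html>
'@

# Constructed bytes of a file served under a .gif name that lacks a GIF header.
$notAGif = [byte[]](0x00, 0x00, 0x0c, 0x0c, 0x0c, 0x0c, 0x41, 0x41)

Find-MsvidctlExploitIndicators -Html $sampleHtml | ForEach-Object { "INDICATOR: $_" }
if (-not (Test-GifMagic -Bytes $notAGif)) {
    "INDICATOR: .gif payload lacks a GIF87a/GIF89a header"
}
```

Each indicator on its own is weak (a legitimate page may reference the control, and a broken image may lack a header), so treat a hit as a reason to pull the referenced file and inspect the page rather than as a verdict; the combination of the ProgID, a .gif “data” parameter and a 0x0C0C spray is what matches the campaign described here.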
Symantec Security Response advises users to:
• Set the kill bit associated with the control’s CLSID
• Avoid visiting sites of questionable integrity
• Deploy NIDS to monitor traffic at the network level
• Keep antivirus definitions up to date
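The first recommendation above, setting the kill bit, is a registry change: Internet Explorer refuses to instantiate a control whose CLSID has bit 0x400 set in “Compatibility Flags” under the ActiveX Compatibility key (the mechanism Microsoft documents in KB240797). The PowerShell below is an added example, not a Symantec or Microsoft script; the GUID in it is a placeholder that must be replaced with the control’s real CLSID, and it assumes an elevated prompt on a machine that has PowerShell installed (Windows XP does not ship it by default).

```powershell
# Added example (not from the Symantec post): set and verify the ActiveX kill
# bit for a CLSID. Replace the placeholder with the advisory's CLSID.
$Clsid = '{00000000-0000-0000-0000-000000000000}'   # PLACEHOLDER, not the real CLSID

# Kill bit is bit 0x400 of "Compatibility Flags" (Microsoft KB240797).
$KillBit = 0x400

# Native view plus the 32-bit view used by 32-bit IE on 64-bit Windows;
# creating the Wow6432Node path on 32-bit Windows is harmless.
$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Set-ActiveXKillBit {
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $current = (Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the bit in so any compatibility flags already present are preserved.
    Set-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' `
        -Value ($current -bor $KillBit) -Type DWord
}

function Test-ActiveXKillBit {
    param([string]$KeyPath)
    $flags = (Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

foreach ($p in $paths) {
    Set-ActiveXKillBit -KeyPath $p
    $state = if (Test-ActiveXKillBit -KeyPath $p) { 'SET' } else { 'NOT SET' }
    "{0}: kill bit {1}" -f $p, $state
}
```

Test-ActiveXKillBit is also useful on its own for auditing: run it across a fleet to confirm the mitigation is in place before a vendor patch is deployed, and again afterwards, since a vendor update may legitimately clear or supersede the flag.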
Symantec antivirus products detect the exploit as Downloader.Fostrem and the dropped files as Trojan Horse, Backdoor.Trojan, Infostealer, and Downloader. Symantec IPS detects the threat as “HTTP Malicious Toolkit Download Request” and “HTTP Malicious Toolkit Variant Activity.”