CVE-2012-1875 Exploited in the Wild - Part 1 (Trojan.Naid)
Created: 18 Jun 2012 12:04:03 GMT | Updated: 14 Nov 2013 04:07:12 GMT
Microsoft, in their recent Security Bulletin Summary for June 2012, released security bulletin MS12-037, which is a critical security update covering a host of Internet Explorer (IE) versions ranging from IE6 to IE9. This update addresses a specific vulnerability whereby viewers of a specially-crafted Web page using IE could unintentionally trigger an exploit allowing arbitrary code execution in the context of the current user.
Symantec has a detection in place for this exploit under the name of Bloodhound.Exploit.466 and IPS Signature Web Attack: MSIE Same ID Property CVE-2012-1875.
Analysis of the Amnesty International website (which has now been rectified) showed the following script injecting an iframe:
The exploit itself supports a variety of Windows versions and languages including Windows XP, Windows Vista, and Windows 7. English, Russian, Korean, and French are just a few of the supported languages observed in this exploit so far.
The shellcode executed by this exploit is a small Downloader that connects to a remote host and downloads an executable, which Symantec detects as Trojan.Naid, a Remote Access Trojan (RAT) first seen by Symantec as early as January 2010.
Trojan.Naid is a Trojan horse program that listens for and accepts a connection from the attacker to essentially provide unauthorized remote control functionality to the compromised computer over a custom communications protocol. This access allows the attacker to perform numerous nefarious activities such as stealing private information or monitoring Internet activities. The Trojan.Naid sample used in this attack and others has been observed to communicate to IP addresses hosted in Hong Kong by local Internet Service Providers.
While the exploit used in this attack has been referred to as a zero-day, due to reports of it being seen in the wild before the recent Security Bulletin Summary, zero-days are not commonly observed in attacks. Most attacks use known, patched exploits readily available to attackers online. Other zero-days have, however, been reported in recent days, such as Microsoft's announcement of the Microsoft XML Core Services CVE-2012-1889 Remote Code Execution Vulnerability (CVE-2012-1889) (Symantec detection Bloodhound.Exploit.465 and IPS Web Attack MSIE MSXML CVE-2012-1889). This raises the question: will we see more zero-days being used in similar attacks?
In part 2 of this blog, we will examine the techniques used in exploiting this vulnerability.
To reduce the possibility of being affected by exploits and their associated malware, Symantec advises users to ensure that they are using the latest Symantec protection technologies with the latest antivirus definitions installed.