Microsoft Access Snapshot Viewer Exploited in Neosploit Wrapper
On July 7, Microsoft released a Security Bulletin outlining a vulnerability in the Access Snapshot Viewer ActiveX control. On or about this date, our honeypots began detecting this vulnerability exploited in what I can only describe as a Neosploit wrapper.
I have not managed to confirm that this is a completely new version of Neosploit, but in effect the attack consists of an encrypted block that is similar to some of the Mpack variants. This primary encoder serves the Access Snapshot exploit. Once this exploit has been attempted, the user is presented with a malicious iframe, which redirects the user to a copy of Neosploit. This adds an Access Snapshot exploit to the Neosploit repertoire, albeit in an unusual way. I can only speculate that this method of adding an exploit to Neosploit was chosen because the author does not control the source of Neosploit. Symantec Browser Protection (NIS 2008, NAV 2008, N360 v2) will detect this exploit as MSIE MS Snapshot ActiveX File Download.
As is the case with most of these ActiveX attacks, they are being served by traditional Web sites that have themselves fallen victim to automated SQL injection attacks. In the past, we have seen government, commercial, and hobby sites fall victim to these SQL injection attacks and subsequently begin serving exploits to each of their visitors. It is recommended that all Internet Explorer users, including those who do not have the Access Snapshot Viewer installed, update their IPS signatures and set the kill bits mentioned in the above Microsoft Security Bulletin.
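
One way to audit, and optionally set, the kill bits recommended above. This is an added example, not code from the original post or from Microsoft. The CLSID shown is a placeholder to be replaced with the values listed in the Microsoft bulletin, and the function name is hypothetical.

```powershell
# Added example: audit (and optionally set) Internet Explorer kill bits.
# The CLSID below is a placeholder, not a real control; substitute the
# CLSIDs listed in the Microsoft bulletin.
$Clsids = @('{00000000-0000-0000-0000-000000000000}')

# Bit in "Compatibility Flags" that stops IE from instantiating a control.
$KillBit = 0x400
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # Registry view used by 32-bit IE on 64-bit Windows.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitStatus {   # hypothetical helper name
    param([string[]]$Clsid, [switch]$Set)
    foreach ($root in $Roots) {
        # Skip the WOW6432Node view on systems where it does not exist.
        if (-not (Test-Path -LiteralPath (Split-Path $root -Parent))) { continue }
        foreach ($id in $Clsid) {
            $key = Join-Path $root $id
            $flags = 0
            if (Test-Path -LiteralPath $key) {
                $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
                if ($prop) { $flags = [int]$prop.'Compatibility Flags' }
            }
            $isSet = ($flags -band $KillBit) -ne 0
            if ($Set -and -not $isSet) {
                # Needs an elevated session. Other flag bits are preserved.
                if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
                $flags = $flags -bor $KillBit
                Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $flags -Type DWord
                $isSet = $true
            }
            # A missing key or a cleared bit both report KillBitSet = False.
            [pscustomobject]@{ Key = $key; Flags = ('0x{0:X8}' -f $flags); KillBitSet = $isSet }
        }
    }
}

# Report only; add -Set to write the kill bit where it is missing.
Get-KillBitStatus -Clsid $Clsids | Format-Table -AutoSize
```

Both registry views are checked because a kill bit set only in the 64-bit view does not apply to 32-bit Internet Explorer on 64-bit Windows.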