Yesterday our honeypots picked up a browserattack toolkit that I had not encountered before. This toolkit usesdynamic function and variable names and wraps its exploits in twolevels of dynamic encoding. Finding a new toolkit on our honeypotsalways piques my interest as a new toolkit often yields new exploitpayload.
Lo and behold, once the encoder layers are peeled away, the toolkit is found to contain an exploit for the MySpace Uploader 'MySpaceUploader.ocx' ActiveX Control Buffer Overflow that was announced on the 31st of January.
The IPS that ships with 2008 versions of NAV and NIS will detect this attack as HTTP MySpace Uploader Action BO, regardless of the encoding used by the browser attack toolkit.
MySpace Uploader 'MySpaceUploader.ocx' ActiveX Control Buffer Overflowhttp://www.securityfocus.com/bid/27533