Not surprisingly, attackers are again targeting vulnerabilities from the latest set of Microsoft Security Bulletins. This time around, it is the Microsoft Media Encoder ActiveX overflow patched in MS08-053. This attack chronology is another example of the rapid adoption of public exploits into widely deployed exploit toolkits. The vulnerability was disclosed by Microsoft on Tuesday, September 9. A public exploit was released on September 13 (although the exploit itself is dated September 10). Our honeypots began picking up variants of this exploit in the wild soon thereafter, on September 13.
The exploits that we have been finding so far are distributed in two major ways. The first is simply cleartext: the exploit is not obfuscated in any way and is effectively the same as the public exploit, with attacker-supplied shellcode substituted for the sample shellcode in the public exploit. The second is that the exploit is encoded inside a fairly widely deployed toolkit that seems to be called e2.
This e2 attack toolkit is a system that appends its first-stage encrypted block to an otherwise legitimate web page to begin its attack. It is detected by existing IPS signatures as HTTP Malicious Toolkit Variant Activity. This first stage then redirects the user either to an intermediary redirector or directly to the attack page. In either case the result is the same: the user eventually arrives at the e2 attack page. The e2 encryptor is much like later versions of Mpack, in that an encrypted block is fed to a two-key decoder. By this I do not mean that it uses a public-key variant, but rather a decoder that takes the following form:
String.fromCharCode(key2 ^ (key1 ^ encodedString.charCodeAt(i)))
(Where key2 and key1 vary.)
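As an added illustration (not code from this post or from the e2 toolkit itself), here is that decoder shape written out as a runnable function, using constructed keys and a harmless constructed sample block in place of a real encoded stage. It also shows why the second key buys the attacker nothing: XOR with key1 and then key2 is the same as XOR with the single byte key1 ^ key2, so an analyst only ever needs the combined key to recover the block.

```javascript
// Added example, not from the original post or the e2 toolkit. Models the
// two-key XOR decoder quoted above so a captured block can be decoded offline.

// Decoder in the shape the post quotes: each character is XORed with key1,
// then with key2. Keys are assumed to be single-byte integers (0..255).
function decodeE2(encodedString, key1, key2) {
  let out = "";
  for (let i = 0; i < encodedString.length; i++) {
    out += String.fromCharCode(key2 ^ (key1 ^ encodedString.charCodeAt(i)));
  }
  return out;
}

// XOR is its own inverse, so the same routine encodes. Used here only to
// build the constructed sample below.
function encodeE2(plain, key1, key2) {
  return decodeE2(plain, key1, key2);
}

// XOR is associative and commutative: key2 ^ (key1 ^ c) === (key1 ^ key2) ^ c.
// The "two-key" decoder is therefore a plain single-byte XOR with key1 ^ key2.
function effectiveKey(key1, key2) {
  return key1 ^ key2;
}

// Constructed sample: a benign stand-in for a decoded stage, not a real payload.
const SAMPLE_PLAIN = "document.write('<!-- decoded stage placeholder -->');";
const KEY1 = 0x37; // constructed key value
const KEY2 = 0x5c; // constructed key value
const SAMPLE_ENCODED = encodeE2(SAMPLE_PLAIN, KEY1, KEY2);

// Returns true when decoding with the single combined key yields exactly the
// same text as the two-key form, i.e. the scheme collapses to one byte of key.
function demoCollapsesToSingleKey() {
  const twoKey = decodeE2(SAMPLE_ENCODED, KEY1, KEY2);
  const oneKey = decodeE2(SAMPLE_ENCODED, effectiveKey(KEY1, KEY2), 0);
  return twoKey === oneKey && twoKey === SAMPLE_PLAIN;
}
```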
Users of NAV/NIS 2008/2009 or N360v2 will see this attack detected as MSIE MS Windows Media Encoder BO. Because this signature is immune to iterations of the encoders used on the exploit, future iterations of the exploit encoding will also be detected without the need for a signature update.
Users of other versions of IPS-enabled products (SCS/SEP and pre-2008 versions of products) will see the above attacks detected as HTTP Windows Media Encoder ActiveX BO.