Symantec Blogs: Security Response

Sean Hittel | April 9th, 2009

First the CollectEmailInfo vulnerability was exploited in the wild, then the util.printf vulnerability, followed by JBIG2 and Foxit. Given the level of obfuscation typically applied to these exploits, telling the individual vulnerabilities apart in the wild has become a problem. An in-the-wild exploit against the Adobe Reader Collab.getIcon vulnerability (described in BID 34169) was discovered on April 5. Adobe has already updated Reader to patch this...

Sean Hittel | March 23rd, 2009

Last year when Adobe Acrobat was being exploited in the wild, some were calling for people to switch their PDF reader software as a defense against the exploits targeting Acrobat Reader. While application diversity can enhance an individual's ability to withstand broadcast attacks, it is important to consider that any alternative software still needs to be maintained, and consideration needs to be given as to how security systems handle this software. If a replacement application is not handled well by perimeter systems, has security been improved by the replacement?

Today's Web attack toolkit operators are often content with only a small percentage of success with their attacks. This often means that they deploy any and every functional exploit they can get their hands on, without regard for how successful it may be. Thinking that one can simply move to software that is not currently being exploited is not a good long-term solution. In the long term, moving to...

Sean Hittel | November 7th, 2008

It appears that last night an exploit for the Acrobat util.printf() vulnerability was added to a well-known Web attack toolkit. The attack is delivered as a compressed PDF. Once decompressed, the exploit JavaScript is wrapped in a simple eval() plus string-concatenation block:

--
function main() {
    // outer layer: the inner script is only assembled and decoded at run time
    eval(unescape(""+"%"+"76%61%"+"72%20%7"+
    ..
    this.closeDoc(true);
}
// run main() after a 5000 ms delay
app.setTimeOut("main()", 5000);
--

This decodes into an exploit for the util.printf() vulnerability:

---
// %u-encoded shellcode, again assembled from concatenated string pieces
var sccs = unescape(""+"%"+"u03eb%u"+"eb59%ue805%uf"+"ff8%uffff%u4949%u4949%u494"+ ...);
...
util.printf(unescape(""+...
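The unwrapping that the two listings above describe, as an added example that is not part of the original post and not the toolkit's code: a static decoder that peels the eval()+unescape()+concatenation layer and turns a %u-encoded shellcode string such as sccs into bytes, without ever calling eval(). The outer-layer sample it runs on is constructed (it decodes to a harmless `var s = "x";`, not the kit's real inner script), and the function names are the example's own.

```javascript
// Added example: static decoder for the eval(unescape(""+"%"+"76..."+...))
// wrapper seen in the util.printf() exploit. Not the toolkit's code. Nothing
// here is eval()'d: the string literals are pulled out of the source,
// concatenated, and the %XX / %uXXXX escapes decoded by hand.

// Constructed stand-in for the outer layer (assumption: it decodes to the
// harmless statement 'var s = "x";', not the kit's real inner script).
const OUTER_SAMPLE =
  'function main() {\n' +
  '  eval(unescape(""+"%"+"76%61%"+"72%20%7"+"3%20%3d%20%22%78%22%3b"));\n' +
  '  this.closeDoc(true);\n' +
  '}\n';

// Join the double-quoted literals of a ""+"%"+"76%61%"+... expression.
// Splitting "%76" across two literals is what defeats naive pattern matching
// on the raw file; joining first restores the contiguous escape sequence.
function joinLiterals(expr) {
  const parts = [];
  const re = /"((?:[^"\\]|\\.)*)"/g;
  let m;
  while ((m = re.exec(expr)) !== null) parts.push(m[1]);
  return parts.join("");
}

// Decode JavaScript unescape() syntax: %uXXXX is one UTF-16 code unit,
// %XX is one byte, anything else is taken literally (a lone % stays a %).
function decodeUnescape(s) {
  let out = "";
  let i = 0;
  while (i < s.length) {
    if (s[i] === "%" && s[i + 1] === "u" && /^[0-9a-fA-F]{4}$/.test(s.slice(i + 2, i + 6))) {
      out += String.fromCharCode(parseInt(s.slice(i + 2, i + 6), 16));
      i += 6;
    } else if (s[i] === "%" && /^[0-9a-fA-F]{2}$/.test(s.slice(i + 1, i + 3))) {
      out += String.fromCharCode(parseInt(s.slice(i + 1, i + 3), 16));
      i += 3;
    } else {
      out += s[i];
      i += 1;
    }
  }
  return out;
}

// Peel one eval(unescape(<concatenation of literals>)) layer and return the
// decoded inner script, or null when the wrapper is not present.
function peelLayer(src) {
  const m = /eval\s*\(\s*unescape\s*\(([^()]*)\)\s*\)/.exec(src);
  return m ? decodeUnescape(joinLiterals(m[1])) : null;
}

// Turn a %u-encoded shellcode string (the sccs variable above) into bytes.
// Each %uXXXX is a UTF-16 code unit that the heap stores little-endian, so
// %u03eb becomes EB 03: the byte order a disassembler needs to see.
function shellcodeBytes(uEncoded) {
  const s = decodeUnescape(uEncoded);
  const bytes = [];
  for (let i = 0; i < s.length; i++) {
    const v = s.charCodeAt(i);
    bytes.push(v & 0xff, v >> 8);
  }
  return bytes;
}

function toHex(bytes) {
  return bytes.map((b) => b.toString(16).padStart(2, "0")).join(" ");
}

console.log(peelLayer(OUTER_SAMPLE));                      // var s = "x";
console.log(toHex(shellcodeBytes("%u03eb%ueb59%ue805")));  // eb 03 59 eb 05 e8
```

Decoding sccs to bytes this way, rather than pasting the %u string into a browser, is the step to take before handing the blob to a disassembler or a scanner. The literal extractor only understands double-quoted strings and a single eval(unescape()) layer; a kit that mixes single quotes, String.fromCharCode() or nested layers needs joinLiterals() extended and peelLayer() run repeatedly.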

Sean Hittel | October 24th, 2008

I am sure by now that many have read about Trojan.Gimmiv exploiting the new MSRPC vulnerability. While we have not seen any evidence of Gimmiv replicating on its own, we analyzed a second component, related to Gimmiv, which is able to exploit the vulnerability patched on Wednesday. Interestingly, alongside its MS08-067 exploit Gimmiv also exploits a 2006 vulnerability described in MS06-040. Because of the way Gimmiv does this, Symantec IPS definitions dating from around August 2006 will block this attack.

Because the MS08-067 vulnerability can be exploited without triggering the 2006 IPS signature, we strongly...

Sean Hittel | September 15th, 2008

Not surprisingly, attackers are again targeting vulnerabilities from the latest set of Microsoft Security Bulletins. This time it is the Windows Media Encoder 9 ActiveX overflow patched in MS08-053. The chronology of this attack is another example of how rapidly public exploits are adopted into widely deployed exploit toolkits. The vulnerability was disclosed by Microsoft on Tuesday, September 9. A public exploit was released on September 13 (although the exploit itself is dated September 10), and our honeypots began picking up variants of it in the wild the same day, September 13.
 
The exploits we have found so far are distributed in two main forms. The first is plain cleartext: not obfuscated in any way, effectively identical to the public exploit, with attacker-supplied shellcode substituted for the sample...

Sean Hittel | August 22nd, 2008

On August 20, our honeypots began to receive attacks against the Cisco WebEx Meeting Manager vulnerability. The vulnerability, disclosed on August 6, is in the ActiveX control that WebEx uses to let users join meetings from Internet Explorer. A user running the vulnerable version of the WebEx control who happened upon a Web site distributing the exploit would be infected. The first exploits we have seen have been served from gaming sites into which the exploit package had been injected.

While WebEx automatically patches each user when they join a meeting hosted on a patched server, this vulnerability is only two weeks old. Many vulnerable users may have been on holiday, making it reasonably likely that some will be infected by visiting day-to-day Web sites before their next WebEx meeting.

This particular attack is...

Sean Hittel | August 6th, 2008

Recently, we came across a rather unfortunate exploit case for the Access Snapshot Viewer ActiveX Vulnerability that took advantage of a property of the ActiveX system to exploit IE users who did not have the vulnerable control installed. How does one exploit a vulnerability that does not exist on a system, you say? Sadly, attackers have found a way to install the vulnerable Access Snapshot Viewer ActiveX control through Internet Explorer prior to exploiting it.

Because the control is Microsoft signed, its installation is silent and does not require any user interaction. Once this vulnerable control is installed on the victim's computer, it is exploited in the same way as if the control had been installed all along. To top it off, this attack is carried out as a drive-by attack, so the unprotected user may never know that they were vulnerable, or had been targeted, let alone...

Sean Hittel | July 9th, 2008

On July 7, Microsoft released a Security Bulletin outlining a vulnerability in the Access Snapshot Viewer ActiveX control. On or about this date, our honeypots began detecting this vulnerability exploited in what I can only describe as a Neosploit wrapper.

I have not managed to confirm that this is a completely new version of Neosploit, but in effect the attack consists of an encrypted block that is similar to some of the Mpack variants. This primary encoder serves the Access Snapshot exploit. Once this exploit has been attempted, the user is presented with a malicious iframe, which redirects the user to a copy of Neosploit. This adds an Access Snapshot exploit to the Neosploit repertoire, albeit in an unusual way. I can only speculate that this method of adding an exploit to Neosploit was chosen because the author does not control the source of Neosploit. Symantec Browser...

Sean Hittel | May 5th, 2008

On or about April 18, Symantec's DeepSight honeypots began capturing a new iteration of the Neosploit exploit toolkit. It appears that the pervasive exploit kit has been updated to take advantage of a February 2008 vulnerability in Adobe Acrobat Professional and Reader. What makes this attack vector of particular concern is that it works reasonably silently through most browsers. If a user is enticed to a hostile Web site (who knows which ones are hostile these days) using the browser of their choice, it is reasonably likely that their computer will become infected, provided that Acrobat is installed. Although the vulnerability has been patched since early February, I suspect that many users have not applied the patch yet. We highly recommend that, if you haven't done so, you get the latest patched versions of Adobe Acrobat Reader and Professional...

Sean Hittel | April 10th, 2008

It has been less than two days since Microsoft announced a couple of vulnerabilities in the handling of graphics device interface (GDI) EMF-formatted images, but our DeepSight honeypots are already showing signs of exploitation in the wild. Although the exploits we have seen so far do not yet appear to be functional, they have the right general idea. It is possible that these exploits are leaked "in-work" copies, or that they are functional on some platform we have not tested.

However, the exploit (named "top.jpg") does contain functional payload, which downloads a secondary file (word.gif). Word.gif is really an executable that would be run following a successful infection. Its main function would be to use iexplore.exe to contact a few hosts in China, presumably to download additional malicious code.

The exploit image is detected by Symantec IPS-enabled products as...

Sean Hittel | April 2nd, 2008

Sometime on April 1, our honeypots began finding exploits for the RealPlayer 'rmoc3260.dll' ActiveX Control Memory Corruption Vulnerability (BID 28157). Sadly, this is not surprising given that a complete exploit was published for this vulnerability around the same time. At the time of this writing, there is no patch for this vulnerability.

So far impacted sites have ranged from forums, to webmail, to news agencies.

Norton Internet Security 2008, Norton AntiVirus 2008, and Norton 360 version 2 customers will see this attack blocked by the existing MSIE RealPlayer rmoc ActiveX BO IPS signature. Some variants of this attack may be blocked as HTTP Internet Explorer Heap Spray Buffer Overflow. Additionally, antivirus signatures are available for Bloodhound.Exploit.182, protecting customers from threats attempting to exploit this vulnerability.

Update: It appears that this vulnerability has been patched within RealPlayer version 11.0.2 (build...

Sean Hittel | March 25th, 2008

Sometime over the recent Easter weekend, an update to the Neosploit Web attack toolkit showed up on DeepSight honeypots. The new Neosploit version is being served mainly from traffic exchange sites, but some mainstream sites, such as those for restaurants, were also serving up the infectious content.

The main addition that was found in the new iteration of Neosploit is the addition of an exploit for the CA BrightStor 'AddColumn()' ListCtrl.ocx ActiveX Control Buffer Overflow Vulnerability. There is no patch available for this vulnerability as of this writing.

The 2008 versions of NAV, NIS, and N360v2 will catch this exploit as “MSIE CA BrightStor ActiveX BO”, although most of the time the new Neosploit version will be detected as the other vulnerabilities exploited by the toolkit: MDAC, NCTAudioFile2, GOM Player, WebViewFolderIcon setSlice(), and Daxctle.OCX KeyFrame.

CA BrightStor 'AddColumn()' ListCtrl.ocx ActiveX Control Buffer Overflow...

Sean Hittel | February 20th, 2008

As seems to be the trend lately, any time a vulnerability is disclosed in an ActiveX control, it is only a short time before it is bundled into the Web attack toolkits. For this Facebook vulnerability, it was less than a day from the vulnerability being disclosed on February 12th to it first showing up on our honeypots on February 13th.

So far, the exploits that have shown up are encoded versions of the public exploit, bundled with an exploit for Yahoo Jukebox and several other routinely exploitable vulnerabilities.

Oddly enough, this Facebook exploit kit is being served from a MySpace phishing site, though unsurprisingly hosted on a numbered .cn domain. Detections for this attack will be as "Facebook Photo Uploader 'ImageUploader4.1.ocx' FileMask Method ActiveX Buffer Overflow Vulnerability" for NAV/NIS...

Sean Hittel | February 5th, 2008

Yesterday an exploit was released for the Yahoo! Music Jukebox AddImage Function ActiveX Remote Buffer Overflow Vulnerability and, you guessed it, our honeypots are already picking up exploitation of it in the wild. So far the exploits that we have seen used in the wild have been carbon copies of the public exploit. I suspect that it won't take long before the exploit is wrapped in an encoder in an attempt to make detection more difficult, however.

A set of similar vulnerabilities in Yahoo! Jukebox were announced on Friday and, although I have not yet seen these being exploited, I am sure it is only a matter of time. Symantec IPS products will stop these attacks as one of the following, depending on the product deployed and the exploit encountered:

Yahoo Jukebox MediaGrid Activex BO
Yahoo JukeBox DataGrid ActiveX BO
MSIE Yahoo Jukebox MediaGrid Bitmap Activex BO
MSIE Yahoo JukeBox...