One Article Review

Home - The article:
Source Contagio
Identifier 9957
Publication date 2013-09-09 00:21:11 (viewed: 2013-09-09 00:21:11)
Title Sandbox MIMIng. CVE-2012-0158 in MHTML samples and analysis
Text

Update - Sept 4, 2013: I added more descriptions and changed NjRat / Backdoor.LV to Vidgrab. In the traffic, its communications are similar to NjRat/Backdoor.LV, but it does not use base64 and sends an initial request starting with ...3 (0x01 0x00 0x00 0x00 0x33) followed by null bytes; it does not start with lv|. I am still looking for names for a few other backdoors below, so if you recognize them, please let me know.

Recently, my custom sandbox has been trying to open some Word attachments in a browser, because the file-type fingerprinting service detected them as MIME HTML (MHTML) files. Browsers are usually the default application for that type, and the files did contain the CVE-2012-0158 exploit. A quick Google lookup yielded a May 2013 report from the Chinese company Antiy, "The Latest APT Attack by Exploiting CVE-2012-0158 Vulnerability", which described this new exploit vector. Antiy noted that these MHTML files evade antivirus, and indeed only half of the vendors represented on VirusTotal detect them. However, many companies rely on their automated tools, inline and standalone sandboxes, not just antivirus, to determine whether a file is malicious. I checked how these files (files without any extension) were processed by other commercial and open-source mail scanners and sandboxes: 3 out of 5 well-known commercial and open-source mail-scanning and web-sandbox vendors returned no output or informed me that the file type was not supported. While writing this post, I noticed that Malwaretracker also mentioned the rise in this vector's usage in his post on Friday, so I am sure the sandbox vendors are fixing the issue as we speak. I checked 25 MHTML CVE-2012-0158 files and compared their targets (at least those I could obtain) and payloads. The analysis showed a good variety of trojans and predominantly human-rights (Tibet, Uyghur) activists as targets.

I will post a month's worth of these files.

CVE CVE-2012-0158: The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2
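As an added example (not code from the Contagio post or from any of the vendors it mentions), the following Python shows the two checks a defender would want after reading the above: looking inside an MHTML container for an embedded Office payload instead of trusting the "MIME HTML" label that sent these files to a browser, and matching the initial-request shape the post attributes to Vidgrab. The sample MHTML is constructed; the "ActiveMime" marker for application/x-mso parts, the list of Office content types, and the length of the null run required after the Vidgrab prefix are assumptions.

```python
import base64
import email
from email import policy

# Magic values used by the checks below. The OLE compound-document signature is
# well known; "ActiveMime" is assumed here to be the leading marker of the
# application/x-mso parts that Word writes into an MHTML "web archive".
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
ACTIVEMIME_MAGIC = b"ActiveMime"
OFFICE_PART_TYPES = {"application/x-mso", "application/msword",
                     "application/vnd.ms-office"}  # assumed list

# Initial-request prefix the post attributes to Vidgrab
# (0x01 0x00 0x00 0x00 0x33 followed by null bytes).
VIDGRAB_PREFIX = b"\x01\x00\x00\x00\x33"


def is_mhtml(data: bytes) -> bool:
    """Cheap header sniff: this is what makes a fingerprint service say 'MIME HTML'."""
    head = data[:4096].lower()
    return b"mime-version:" in head and b"multipart/related" in head


def payload_reasons(content_type: str, payload: bytes) -> list:
    """Return the reasons (if any) a decoded MIME part looks like an Office payload."""
    reasons = []
    if content_type in OFFICE_PART_TYPES:
        reasons.append("office content-type: " + content_type)
    if payload.startswith(ACTIVEMIME_MAGIC):
        reasons.append("ActiveMime marker at offset 0")
    if payload.startswith(OLE_MAGIC):
        reasons.append("OLE compound document signature at offset 0")
    return reasons


def office_parts(data: bytes) -> list:
    """Walk every leaf part of the MHTML container and collect Office-looking parts."""
    msg = email.message_from_bytes(data, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # base64/QP decoded
        reasons = payload_reasons(part.get_content_type(), payload)
        if reasons:
            findings.append({
                "content_type": part.get_content_type(),
                "location": part.get("Content-Location"),
                "size": len(payload),
                "reasons": reasons,
            })
    return findings


def triage(data: bytes) -> str:
    """Route a file for analysis: an MHTML label alone must not send it to a browser."""
    if not is_mhtml(data):
        return "not-mhtml"
    return "mhtml-with-office-payload" if office_parts(data) else "mhtml-plain"


def looks_like_vidgrab_hello(first_bytes: bytes, null_run: int = 8) -> bool:
    """Match the initial-request shape the post describes for Vidgrab.
    How many null bytes to require after the prefix (null_run) is an assumption."""
    if not first_bytes.startswith(VIDGRAB_PREFIX):
        return False
    tail = first_bytes[len(VIDGRAB_PREFIX):len(VIDGRAB_PREFIX) + null_run]
    return len(tail) == null_run and not tail.strip(b"\x00")


# Constructed sample MHTML (not a real malicious file): an HTML part followed by a
# base64 application/x-mso part whose decoded bytes begin with "ActiveMime".
FAKE_MSO_PART = base64.b64encode(ACTIVEMIME_MAGIC + b"\x00\x01" + b"\x00" * 40).decode()
SAMPLE_MHTML = (
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/related; boundary="----=_NextPart_01"\r\n'
    "\r\n"
    "------=_NextPart_01\r\n"
    'Content-Type: text/html; charset="us-ascii"\r\n'
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "<html><body>lorem</body></html>\r\n"
    "------=_NextPart_01\r\n"
    "Content-Type: application/x-mso\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "Content-Location: file:///C:/doc_files/editdata.mso\r\n"
    "\r\n"
    f"{FAKE_MSO_PART}\r\n"
    "------=_NextPart_01--\r\n"
).encode()


if __name__ == "__main__":
    print(triage(SAMPLE_MHTML))
    for finding in office_parts(SAMPLE_MHTML):
        print(finding)
    print(looks_like_vidgrab_hello(VIDGRAB_PREFIX + b"\x00" * 20))
```

The point of `triage` is that the decision is made on the decoded parts, not on the outer MIME headers: a file the fingerprinting service calls "MIME HTML" is sent to the document sandbox as soon as any part carries an Office content type or an Office marker at offset 0.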
Sent Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.