CVE-2012-1875 Exploited in the Wild – Part 1 (Trojan.Naid)


Microsoft, in its Security Bulletin Summary for June 2012, released security bulletin MS12-037, a critical update for Internet Explorer (IE) versions from IE6 through IE9. Among the vulnerabilities it addresses is one whereby a user who views a specially crafted web page in IE can trigger arbitrary code execution in the context of the current user.
 
Symantec recently discovered that the Amnesty International Hong Kong website had been compromised with an injected iframe linking to a Russian domain hosting a JavaScript file that actively exploited the Microsoft Internet Explorer CVE-2012-1875 Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875). Last month Amnesty International suffered a similar attack on its UK website.
 
Symantec has a detection in place for this exploit under the name Bloodhound.Exploit.466 and the IPS signature Web Attack: MSIE Same ID Property CVE-2012-1875.
Analysis of the Amnesty International website (which has now been rectified) showed the following script injecting an iframe:
The iframe loads a second piece of JavaScript hosted on the Russian domain while displaying a generic error page claiming that the requested page is "Under Construction". Once the page has loaded, a function named MyTest() runs and attempts to exploit a flaw in the way IE handles cached objects in memory that share the same ID property.
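The injection described above follows a recognisable pattern: an iframe whose src points to a domain other than the site's own, usually sized to zero pixels or hidden via CSS so visitors never see it. The following Python scanner, added here as an example and not code from the Symantec post or from the compromised site, flags iframes of that shape in a page's HTML. The sample HTML and the hostnames in it (site.example, attacker.example, cdn.example) are constructed for illustration; the actual injected script and Russian domain from the attack are not reproduced.

```python
"""Flag off-site and hidden iframes in HTML (added example, constructed data)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def _dimension(attrs, name):
    """Parse a width/height attribute such as "0" or "0px"; None if not numeric."""
    raw = attrs.get(name, "").strip().lower()
    if raw.endswith("px"):
        raw = raw[:-2]
    try:
        return int(raw)
    except ValueError:
        return None


def _is_hidden(attrs):
    """True if the iframe is effectively invisible: 1x1 or smaller, or hidden by CSS."""
    width = _dimension(attrs, "width")
    height = _dimension(attrs, "height")
    if width is not None and height is not None and width <= 1 and height <= 1:
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_offsite_iframes(html, site_host):
    """Return iframes whose src host differs from site_host.

    Each finding records the src, its host and whether the frame is hidden.
    Relative or schemeless-without-host srcs (e.g. "/embed", "about:blank")
    are same-origin and are not reported.
    """
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname  # handles "http://h/x" and "//h/x"
        if host is None or host.lower() == site_host.lower():
            continue
        findings.append({"src": src, "host": host, "hidden": _is_hidden(attrs)})
    return findings


# Constructed sample page: one legitimate embed, one zero-size off-site frame
# (the shape of the injection described in the post), one CSS-hidden frame.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="/news/embed" width="600" height="400"></iframe>
<iframe src="http://attacker.example/under-construction.html" width="0" height="0"></iframe>
<iframe src="//cdn.example/player" style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_offsite_iframes(SAMPLE_HTML, "www.site.example"):
        flag = "HIDDEN" if finding["hidden"] else "visible"
        print(f"{flag:8} {finding['host']:20} {finding['src']}")
```

A hidden off-site iframe is not proof of compromise on its own (ad networks and analytics tags use the same trick), so in practice the host list is compared against the site's known third parties and the diff is what gets investigated; the scanner is most useful when run on a schedule against the site's own pages so a newly injected frame stands out immediately.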
 
The exploit itself supports a variety of Windows versions and languages, including Windows XP, Windows Vista, and Windows 7; English, Russian, Korean, and French are just a few of the languages observed so far. Branching on the victim's language is typical of exploits of this kind, since hard-coded addresses differ between localized builds of the targeted components.
 
The shellcode executed by this exploit is a small downloader that connects to a remote host and retrieves an executable, which Symantec detects as Trojan.Naid, a Remote Access Trojan (RAT) first seen by Symantec as early as January 2010.
 
Trojan.Naid is a Trojan horse program that listens for and accepts a connection from the attacker, providing unauthorized remote control of the compromised computer over a custom communications protocol. With that access the attacker can, among other things, steal private information or monitor Internet activity. The Trojan.Naid sample used in this attack and others has been observed communicating with IP addresses hosted by local Internet Service Providers in Hong Kong.
 
The exploit used in this attack has been called a zero-day because it was reported in the wild before the June Security Bulletin Summary was released. Zero-days are, however, not commonly observed in attacks; most attacks rely on exploits for known, already patched vulnerabilities that are readily available online. Other zero-days have nonetheless been reported in recent days, such as Microsoft's announcement of the Microsoft XML Core Services CVE-2012-1889 Remote Code Execution Vulnerability (CVE-2012-1889) (Symantec detection Bloodhound.Exploit.465 and IPS signature Web Attack: MSIE MSXML CVE-2012-1889). This raises the question: will we see more zero-days used in similar attacks?
 
In part 2 of this blog, we will examine the techniques used in exploiting this vulnerability.
 
To reduce the possibility of being affected by exploits and their associated malware, Symantec advises users to apply the MS12-037 update and to ensure that they are using the latest Symantec protection technologies with the latest antivirus definitions installed.