CVE-2012-1889 in Action

Thanks to Andrea Lelli for assistance with this research.

Following on from the exploitation of the Microsoft Internet Explorer CVE-2012-1875 Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875) detailed in our previous blog, Symantec has also observed continued exploitation of the Microsoft XML Core Services CVE-2012-1889 Remote Code Execution Vulnerability (CVE-2012-1889) in the wild. This vulnerability involves one of the functions of the MSXML object found in Internet Explorer. The issue allows access to uninitialized memory locations which can result in arbitrary code execution.

We have seen attempts to spread malware through the injection of malicious iframes on legitimate websites. These iframes load the exploit code into a web browser, triggering the vulnerable condition. Figure 1 shows an example iframe from a legitimate site used for spreading the malware.
 

Figure 1. Example of a malicious iframe
 

Just like the exploit code used against CVE-2012-1875, this exploit also uses an embedded SWF (Flash) file. The SWF file is responsible for performing the heap spray and setting up the shellcode. Figure 2 shows the HTML code that uses the malicious SWF file.
 

Figure 2. HTML code referencing the malicious SWF file
 

The exploit also supports multiple versions of Windows and languages. The heap spray and shellcode are customized depending on the combination of the Windows version and languages. Figure 3 shows parts of the ActionScript that are responsible for performing the customization.
 

Figure 3. ActionScript extract showing OS and language customization code
 

When the vulnerability is triggered, the execution is transferred to the shellcode. The shellcode is designed to download an encrypted payload from a URL and save it to the Temporary Internet Files folder.

The encryption algorithm employed by the attackers offers the slightest veneer of protection, a simple XOR operation with a key of 0x95 decrypts the payload. The decrypted payload is written into the same folder and then executed. The malware also drops other files with the following names:

  • %Temp%\happy.exe
  • %Temp%\happy.dll
  • %Temp%\bypassuac.exe
  • %Temp%\bypassuac.dll
  • %Temp%\cryptbase.dll

Incidentally, the attackers appear to be a fan of our own Norton antivirus product as evident from a message embedded in the binary file shown in Figure 4:
 

Figure 4. Fan message from attackers
 

We are not so sure that they will still love us when they learn that our products detect their creation as Trojan Horse and block their attacks with our IPS technology using the signatures Web Attack: MSIE MSXML CVE-2012-1889 and Web Attack: MSIE MSXML CVE-2012-1889 2.