Never-Ending Zero-Day Story

Yesterday, it was reported that an Internet Explorer zero-day threat was actively being exploited in the wild. We did a quick analysis and have some interesting findings.

The exploit contains four parts:

  • Exploit.html. First-stage exploiting web page (initialize variables and load the .swf file).
  • Moh2010.swf. Encrypted SWF using DoSWF, it contains shellcode and heap spray code. After the heap spray is done, it loads Protect.html to trigger the vulnerability.
  • Protect.html. Detects browser/Flash version and triggers the vulnerability
  • 111.exe. The Trojan

Unlike common exploits that have everything in HTML/JavaScript, this threat hides all important elements such as shellcode and heap spray code in the encrypted SWF file. The exploitation part is very simple. It targets only Windows XP SP3 and IE8. So there is no need to bypass ASLR; it uses only an ROP payload to bypass Windows data execution prevention. The ROP gadget is hardcoded from the msvcrt.dll module.

0:008> u 0x77c15ed5
77c15ed5 94              xchg    eax,esp
77c15ed6 c3              ret

The ROP payload calls kernel32!VirtualAlloc to change the memory-holding shellcode to RWX.

0c10104c 00000000 0c18fa00 00005500 00001000 kernel32!VirtualAllocEx
0:008> !address eax
0c120000 : 0c18f000 – 00006000
Type     00020000 MEM_PRIVATE
State    00001000 MEM_COMMIT
Usage    RegionUsageIsVAD

The actual shellcode is XORed with opcode 0xE2, and it also uses a hook-hopping technique when calling APIs like urlmon!URLDownloadToCacheFileW, kernel32!CreateFileW, and kernel32!WinExec. Hook hopping is commonly used to bypass common security protection like AV and HIPS. After successful exploitation, the shellcode will download a Trojan from a remote server.


McAfee NSP will release the UDS “UDS-HTTP: Microsoft Internet Explorer Use-After-Free exCommand Heap Stray Code Execution” to cover the threat.

McAfee HIPS 8.0 P2 can block the zero-day exploit with the following Generic Buffer Overflow Protection signatures:

  • 6013 – Suspicious Function Invocation – CALL Not Found
  • 6048 – Suspicious Function Invocation – Different Stack

AV Detection is available in the current Beta DATs as “Exploit-IEexecCommand

Thanks my colleagues Xiaobo Chen and Hirosh Joseph for the analysis.







Virgin Mobile Shrugs as Coder Warns Accounts Are Easily Hijacked

Virgin Mobile U.S. promises its customers that it uses “standard industry practices” to protect its customers’ personal data – but according to a Silicon Valley web developer, any first-year coder can bust into a subscriber’s account, see who they call and text, register a different phone on the account and even purchase a new iPhone.

That’s according to developer Kevin Burke, who discovered the flaws on his own account in August and notified the company, only to be told that the company had no intention of fixing its systems. Virgin Mobile U.S. serves millions of customers through pre-paid plans and is a wholly owned subsidiary of Sprint.

Virgin Mobile U.S. account security uses a customer’s phone number as the account name, which is very guessable, and then requires a 6-digit PIN as the password — which only provides a million possible passwords. Even worse, the site allows as many password guesses as one likes — something Burke confirmed by writing a short script to guess his own password in a day.

Once an unauthorized user is in, they can change read a customer’s communication logs, register a different phone to lock the customer out and read their text messages, change their address and order a new phone with the credit card on file. They can also lock a user out by changing the PIN and e-mail address on the account — without notification to the previous address.

Burke, who works as a developer at Twilio, says he’s used to looking at security issues thanks to his day job, and noticed how weak the authentication system was. Once he proved to himself that anyone could bust in with a few lines of code, he contacted the company.

“I tried to escalate it following responsible disclosure principles,” Burke said. After eventually finding someone who understood the problem, Burke repeatedly followed up, only to eventually be told not to expect any change.

He then decided to go public so that people would know they were at risk — though there’s nothing users can do to protect themselves, except not use Virgin Mobile.

In a response to a tweet from Burke on Monday, Virgin Mobile U.S. directed Burke to a section of their Terms of Service agreement.

That document says, in part: “You further agree that Virgin Mobile may, in our sole discretion, treat any person who presents your credentials that we deem sufficient for account access as you or an authorized user on the account for disclosure of information or changes in Service.”

UPDATE 8:27 PM PST: Sprint spokeswoman Stephanie Vinge responded to Wired’s earlier inquiries, saying that “A lockout feature for multiple password attempts is part of Sprint’s standard procedures. We are reviewing the systems we have in place and conducting audits to ensure our standards are being met, including for Virgin Mobile.”

Virgin’s website says it protects users, but can’t be responsible in the case of hacks.

Virgin Mobile uses standard industry practices to safeguard the confidentiality of your personally identifiable information. Virgin Mobile treats data as an asset that must be protected against loss and unauthorized access. We employ many different security techniques to protect such data from unauthorized access by users inside and outside the company.

Unfortunately, perfect security does not exist on the Internet, and therefore, Virgin Mobile makes no representations or warranties with regard to the sufficiency of our security measures. Virgin Mobile shall not be responsible for any damages that result from a lapse in compliance with this Privacy Policy because of a security breach, technical malfunction or similar problem. Always be careful and responsible regarding your personal information.

The fixes, according to Burke, start with allowing more complex passwords and locking down accounts after a few failed attempts.

While Virgin Mobile may consider its insecure system to be “standard industry practice,” Twitter ended up signing a 20-year consent decree with federal regulators over its shoddy security practices. One key element in the FTC’s action? Twitter didn’t prevent rapid guessing of passwords.

Comedy Ensues as Twitter Users Hijack Newsweek’s #MuslimRage Hashtag

When Newsweek’s social-media gurus instructed Twitter users to use the hashtag #muslimrage to discuss the magazine’s inflammatory new cover story on Islam, they got more than they bargained for. The hashtag is fast becoming a meme — for Twitter users to mock Newsweek en masse.

In the controversial cover story, which uses the embassy attacks in Benghazi last week as a jumping-off point, outspoken Islam critic Ayaan Hirsi Ali makes the sweeping claim that “in the age of globalization and mass immigration, such intolerance has crossed borders and become the defining characteristic of Islam.”

Ali’s husband Niall Ferguson, the notorious Harvard history professor, authored a widely contested Newsweek cover story last month that took truthy aim at President Obama.

Twitter users — Muslim and non-Muslim alike — took over the #muslimrage hashtag by the thousands on Monday to mock Newsweek’s immediately infamous cover story and its accompanying cynical social media strategy, registering their dismay with the most hilarious tweets possible. (The hashtag #muslimrave is also rising in popularity.)

Here are some of the best recent tweets with the #muslimrage hashtag.

New Internet Explorer Zero-Day Vulnerability Exploited in the Wild

Contributor: Lionel Payet

Eric Romang has released a blog about the Microsoft Internet Explorer Image Arrays Remote Code Execution Vulnerability, a possible zero-day vulnerability in Internet Explorer that is being exploited in the wild. Microsoft has confirmed this vulnerability affects Internet Explorer 9, Internet Explorer 8, Internet Explorer 7, and Internet Explorer 6 browsers.

The exploit is made up of four main components:

  1. The Exploit.html file is the starting point responsible for setting up the exploit. After setting up necessary conditions for the vulnerability it will invoke the Moh2010.swf file.
  2. The Moh2010.swf Flash file is responsible for spraying the heap with the payload that will be executed. After setting up the payload it will invoke the vulnerability trigger Protect.html file by opening it in an IFRAME window.
  3. The Protect.html file is the actual trigger of the vulnerability responsible for executing the malicious payload set up by the Moh2010.swf file.
  4. The payload will download additional malicious executables and run them on the compromised system.

Interestingly, this exploit was hosted on the same servers used in the Nitro attack.

As always, we recommend that you follow best security practices and ensure you have the most up-to-date software patches installed. Use the latest Symantec technologies and virus definitions for the best protection against threats.