Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today
Learn More

Blog Zscaler

Recevez les dernières mises à jour du blog de Zscaler dans votre boîte de réception

S'abonner
Recherche sur la sécurité

CVE-2010-0806 Exploit In The Wild

image
THREATLABZ
avril 06, 2010 - 2 Min de lecture
Perspectives sur la sécurité

Contenu

  1. Article
  2. Autres blogs

CVE-2010-0806, a use-after-free vulnerability in the Peer Objects component, was announced in mid-March 2010. The vulnerability impacts Internet Explorer 6, 6 SP1, and 7 - a patch was made available by Microsoft in the MS10-018 security update last week. Zscaler received early notification of the vulnerability through our trusted partnership with Microsoft and was able to deploy signatures to detect and block exploit attempts soon after the public release of the vulnerability.

Today this site was detected and blocked for attempting to exploit CVE-2010-0806:
hxxp://cn.cnsa56.info/w/woz.htm
--> and supporting script: hxxp://cn.cnsa56.info/w/k.js

The JavaScript used to exploit the vulnerability is heavily obfuscated,
ImageAnd the script contains some try-catch statements to evade detection and some automated analysis tools,
Imageand
ImageThe above try{} statements will fail, so the code within catch{} will be run, which defines some variables and logic for decoding the above shellcode.

Wepawet fails to decode/analyze properly, and categorizes the URL as benign. VirusTotal has 2/39 Anti-Virus engines that detect as a suspicious JavaScript downloader through their heuristic engines.

After decoding and analyzing the shellcode, it downloads the payload:
hxxp://v.vkjk6.info/w/win.exe

Unfortunately, VirusTotal shows no detection for this file. When conducting basic analysis on the binary payload, it becomes obvious that this is not a valid PE executable. It is likely that the binary is encrypted or obfuscated and that the shellcode run from the CVE-2010-0806 exploit will decode the binary on the victim's machine. (I will run the exploit in a sandbox, and post any follow-on analysis of the payload).

Often times, the domain information for malicious domains is masked through a domain privacy service (like Domains by Proxy)- however, this was not the case for the domains involved in this attack.

Here is the billing information for the cnsa56.info domain:
ImageThis same registration information was used for another live domain: ac364.info

And for vkjk6.info:
Image126.com is a free email provider,

 

Image
The registration information, email provider used, and variable names used in the attack indicate the attacker is a Chinese speaker and possibly of Chinese nationality.

 

form submtited
Merci d'avoir lu l'article

Cet article a-t-il été utile ?

vote yes
Oui, très utile !
vote no
Pas vraiment

Découvrez d'autres blogs Zscaler

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Lire le blog
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Lire le blog
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Lire le blog
TOITOIN Trojan
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Lire le blog
01 / 02
dots pattern

Recevez les dernières mises à jour du blog de Zscaler dans votre boîte de réception

En envoyant le formulaire, vous acceptez notre politique de confidentialité.