Symantec links latest Microsoft zero-day with skilled hacker gang

JMH

Symantec is crediting a hacker group with an impressive track record as responsible for finding the latest as yet unpatched vulnerability in older versions of Microsoft's Internet Explorer browser.

A gang Symantec calls the Elderwood group appears to have found the latest zero-day vulnerability in IE, which can allow a malicious website to automatically infect a person's computer.

Analysis of the attack code used to exploit the vulnerability has similarities to other code used by the Elderwood group to exploit other zero-day vulnerabilities in Microsoft's software, the company wrote on its blog.

In one example, Symantec found the phrase "HeapSpary" inside several samples of attack code.
Symantec links latest Microsoft zero-day with skilled hacker gang | Security - InfoWorld
 
Very interesting, and again utilizing a bad security risk in digital certificates, which allows this exploit, once it has affected your system, to run the malicious code every time you boot your system. An SWF encrypted with DoSWF seems to be loaded here on the bad website, which sprays the heap with shellcode used to execute an obfuscated and malicious byte array, which in turn uses a signed, embedded DLL to run a binary that infects your system. The payload, from further investigation of the report I'm reading, seems to be in a file called nv.mp3. To see whether this infection has YOUR system targeted, I would highly suggest checking whether any connections you have over the network target these locations:

Code:
aol.selfip.com 180.210.204.180
inmailbase.selfip.com 180.210.204.180
exchange.from-sc.com 180.210.204.180
exchange.likescandy.com 180.210.204.180
exchange.is-a-landscaper.com 180.210.204.180
leanov.gicp.net 180.210.204.180
netbastthebash.dnsalias.net 180.210.204.180
wwwh4ck.3322.org 180.210.204.180
gary-freudenberger.homeftp.org 180.210.204.180

aol.selfip.com 142.4.46.203
ns18.doomdns.com 142.4.46.203
exchange.from-sc.com 142.4.46.203
exchange.likescandy.com 142.4.46.203
exchange.is-a-landscaper.com 142.4.46.203

Edit: Some of the data along the way seems to be encoded as Base64 strings as well. The SWF itself seems to be used as a dummy to eventually just load an iframe, which does the rest of the work.

"HeapSpary" is just a misspelled (either on purpose or not) mix-up of the word "HeapSpray".
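As an added example (not from the post above or from Symantec's report), here is a small Python checker that does what the post recommends: it takes the domains and IPs listed in the post and flags any `netstat -an` connection or DNS query-log line that touches them. The netstat and DNS sample lines are constructed for the demo, and the DNS log format ("<timestamp> query: <name>") is an assumption; adapt the regex to whatever your resolver or proxy actually logs.

```python
import re

# Indicators quoted in the post above: the callback domains and the two IPs they resolved to.
SUSPECT_IPS = {"180.210.204.180", "142.4.46.203"}
SUSPECT_DOMAINS = {
    "aol.selfip.com", "inmailbase.selfip.com", "exchange.from-sc.com",
    "exchange.likescandy.com", "exchange.is-a-landscaper.com", "leanov.gicp.net",
    "netbastthebash.dnsalias.net", "wwwh4ck.3322.org", "ns18.doomdns.com",
    "gary-freudenberger.homeftp.org",
}

# Foreign-address column of `netstat -an` output, e.g. "142.4.46.203:80" (IPv4 only).
NETSTAT_LINE = re.compile(r"^\s*(?:TCP|UDP)\s+\S+\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+")
# Assumed (constructed) DNS query-log format: "<timestamp> query: <name>".
DNS_LINE = re.compile(r"query:\s+(?P<name>[A-Za-z0-9.-]+)")

def check_netstat(lines):
    """Return (line, ip) for every connection whose foreign address is a suspect IP."""
    hits = []
    for line in lines:
        m = NETSTAT_LINE.match(line)
        if m and m.group("ip") in SUSPECT_IPS:
            hits.append((line.strip(), m.group("ip")))
    return hits

def check_dns(lines):
    """Return (line, name) for every query of a suspect domain or one of its subdomains."""
    hits = []
    for line in lines:
        m = DNS_LINE.search(line)
        # Normalise: drop a trailing root dot and ignore case before comparing.
        name = m.group("name").rstrip(".").lower() if m else ""
        if any(name == d or name.endswith("." + d) for d in SUSPECT_DOMAINS):
            hits.append((line.strip(), name))
    return hits

# Constructed sample data: one benign and one suspect connection, two suspect DNS queries.
SAMPLE_NETSTAT = [
    "  TCP    192.168.1.20:49321    93.184.216.34:443     ESTABLISHED",
    "  TCP    192.168.1.20:49388    142.4.46.203:80       ESTABLISHED",
]
SAMPLE_DNS = [
    "2012-09-18 10:02:11 query: www.sysnative.com",
    "2012-09-18 10:02:13 query: exchange.likescandy.com.",
    "2012-09-18 10:02:14 query: cdn.exchange.from-sc.com",
]

if __name__ == "__main__":
    for hit in check_netstat(SAMPLE_NETSTAT) + check_dns(SAMPLE_DNS):
        print("SUSPECT:", *hit)
```

A hit only means the host talked to one of the listed addresses; dynamic-DNS names like these get reassigned, so confirm with the rest of the report (the nv.mp3 payload, the DoSWF-packed SWF) before treating a machine as infected.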