MS09-002, XML/DOC and initial infection vector
The MS09-002 exploit that we posted a diary about two days ago (http://isc.sans.org/diary.html?storyid=5884) was initially introduced to the target as a Word document. This confused a lot of people as the vulnerability is really in Internet Explorer (it has nothing to do with Microsoft Word), but the attackers used an interesting trick which probably helped a lot as the infection vector.
The attackers created a Word document which was an XML file. Microsoft Office has supported XML documents for quite some time already and you can normally save any document as XML. These are fully featured Word documents which means that they can have references to various objects. And this is exactly what the attacker used – what makes it easier is the fact that you can change the extension to .DOC and Word will happily render it. The screenshot below shows a part of the exploit used with MS09-002 (I have deliberately removed part of the URL):
The XML document creates a reference to an object with class ID of AE24FDAE-03C6-11D1-8B76-0080C744F389. This object is a reference to mshtml.dll which features Internet Explorer’s HTML rendering engine. In other words, it will make Word connect to the target web page and render it inside the document, without requiring absolutely any user interaction! As you can guess, since it uses Internet Explorer’s engine, the exploit will get executed unless the machine has been patched against the MS09-002 vulnerability. The w:data tag in this sample just contains the BASE64 encoded URL to the exploit.
While researching this I found two more interesting things:
First, this way of rendering HTML web pages works in fully patched Microsoft Word 2007. This is pretty nasty considering that people can make your web browser render any content on any web page just by opening a Word document. This technique, though, appears to have been well known since May 2008.
Second, the XML document contains the timestamp of when it was created. While this field can be obviously very easily spoofed, the date it contains is 6th of February 2009, which is before Microsoft released the patch. This could mean that the exploit was known to the attacker before and that there was no reverse engineering of the patch involved as I initially thought.
So, to wrap this up – make sure that your client machines are fully patched but also pay attention to e-mails you receive. Remember that this was sent as a .DOC file, but contained plain text (XML) tags. It makes one wonder how many AV programs fail to properly render this (there are signatures for this specific file).
Thanks to Ivan Macalintal from Trend Micro.
--
Bojan
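The diary above describes two things a mail gateway or incident responder can check for without any Word-specific tooling: a file with a .DOC extension whose content is plain-text XML rather than a binary OLE compound file, and, inside that XML, a reference to the mshtml class ID together with a base64-encoded w:data payload. The following triage script is an added example and is not code from the ISC diary or from the authors; the sample document embedded in it is constructed for the test, its tag layout is only schematic (real WordML may nest the object differently, which is why the detector treats the file as text), the placeholder URL is not the one from the diary, and the `<o:Created>` element is assumed to be where WordML keeps the creation timestamp the diary refers to.

```python
"""Triage a .doc that may really be WordML XML carrying an mshtml object reference.

Added example, not from the ISC diary. Detection is text-based on purpose so it
does not depend on the exact element nesting an attacker chose.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# CLSID named in the diary: the mshtml.dll (Internet Explorer rendering engine) object.
MSHTML_CLSID = "AE24FDAE-03C6-11D1-8B76-0080C744F389"
# Magic bytes of a genuine binary (OLE compound file) .doc.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
URL_RE = re.compile(rb"https?://[^\s\x00\"'<>]+")


@dataclass
class Triage:
    xml_disguised_as_doc: bool      # .doc extension but XML content, no OLE header
    mshtml_clsid_present: bool      # mshtml object reference found anywhere in the text
    urls: List[str] = field(default_factory=list)  # URLs recovered from <w:data> blobs
    created: Optional[str] = None   # creation timestamp, if the document carries one

    @property
    def suspicious(self) -> bool:
        return self.xml_disguised_as_doc and self.mshtml_clsid_present


def decode_w_data(text: str) -> List[bytes]:
    """Base64-decode every <w:data> element; blobs that are not valid base64 are skipped."""
    blobs = []
    for m in re.finditer(r"<w:data>(.*?)</w:data>", text, re.S):
        compact = re.sub(r"\s+", "", m.group(1))
        try:
            blobs.append(base64.b64decode(compact, validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return blobs


def extract_urls(raw: bytes) -> List[str]:
    """Pull http(s) URLs out of a decoded blob, whether stored as 8-bit text or UTF-16LE."""
    found = set()
    utf16_view = raw.decode("utf-16-le", errors="ignore").encode("utf-8")
    for candidate in (raw, utf16_view):
        for m in URL_RE.finditer(candidate):
            found.add(m.group(0).decode("latin-1"))
    return sorted(found)


def triage_doc(filename: str, data: bytes) -> Triage:
    head = data.lstrip()
    is_ole = data.startswith(OLE_MAGIC)
    looks_xml = head.startswith(b"<?xml") or head.startswith(b"<")
    disguised = filename.lower().endswith(".doc") and looks_xml and not is_ole
    text = data.decode("utf-8", errors="replace")
    clsid_present = MSHTML_CLSID.lower() in text.lower()
    urls: List[str] = []
    for blob in decode_w_data(text):
        urls.extend(extract_urls(blob))
    # Assumption: <o:Created> holds the WordML creation timestamp mentioned in the diary.
    created = re.search(r"<o:Created>([^<]+)</o:Created>", text)
    return Triage(disguised, clsid_present, urls, created.group(1) if created else None)


# Constructed sample: schematic WordML with a base64 <w:data> payload and the mshtml CLSID.
SAMPLE_URL = "http://example.invalid/placeholder-page"  # placeholder, not the diary's URL
SAMPLE_DOC = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml"\n'
    ' xmlns:o="urn:schemas-microsoft-com:office:office">\n'
    ' <o:DocumentProperties><o:Created>2009-02-06T00:00:00Z</o:Created></o:DocumentProperties>\n'
    ' <w:body><w:p><w:r><w:object>\n'
    '  <w:data>' + base64.b64encode(SAMPLE_URL.encode()).decode() + '</w:data>\n'
    '  <o:OLEObject>{' + MSHTML_CLSID + '}</o:OLEObject>\n'
    ' </w:object></w:r></w:p></w:body>\n'
    '</w:wordDocument>\n'
).encode()

if __name__ == "__main__":
    print(triage_doc("invoice.doc", SAMPLE_DOC))
```

Run against a mail attachment, the result flags the extension/content mismatch and the mshtml reference independently, so a benign XML document saved with a .doc extension is reported but not marked suspicious, while the recovered URLs and the (easily spoofed) creation timestamp give the responder the indicators the diary mentions.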
Sourcefire VRT posts some interesting Conficker Analysis
Just wanted to put out an article from a few friends of mine at the Vulnerability Research Team at Sourcefire. Lurene posted a really good article entitled: "Making Conficker Cough Up the Goods". I thought it was a great quick little article with some actual hands on analysis done of the Conficker/Downadup worm. Head on over there to check out the post.
Great job VRT.
-- Joel Esler http://www.joelesler.net
Denial of Service against Time Warner (San Diego)?
We've had unconfirmed reports this morning of a Denial of Service against the DNS servers for Time Warner in San Diego.
We'd appreciate a contact at Time Warner to write in and let us know if they are experiencing any issues so we can clarify this article. The reader that wrote in to tell us said that they switched their DNS resolution to OpenDNS and everything cleared up.
UPDATE: We've had several readers write in to tell us they are experiencing issues with Time Warner in California as well. Thanks for writing in. We still have had no reports from anyone at Time Warner itself.
-- Joel Esler http://www.joelesler.net
Dshield submissions aren't working if you have a Checkpoint Firewall
Checkpoint Firewalls have a feature to be able to submit logs directly to Dshield. Well... they are supposed to.
Turns out there is an issue with Checkpoint's submission process, and (as far as I know) you will not get any indication that you are not submitting logs to us. We appreciate it when our readers submit logs into Dshield, and thusly the Internet Storm Center. If you are trying to submit logs to us, and would like it to be native, that'd be great, however, right now, the feature isn't working.
So, in the meantime while several of our readers have called Checkpoint support to ask that they fix this issue, please check out http://www.dshield.org/howto.html in order to submit your logs. There is a module ready for Checkpoint, outside of the actual firewall software itself, and we'd love to have your logs. Thanks!
-- Joel Esler http://www.joelesler.net
Internet Storm Center Podcast Episode Number Thirteen
Hey everyone, sorry it has taken so long to get around to recording another podcast episode. Travel schedules have been very crazy between us lately. Anyway, enough excuses, here is episode thirteen.
-- Joel Esler http://www.joelesler.net