MS09-002 exploit in the wild

Published: 2009-02-17
Last Updated: 2009-02-18 20:20:16 UTC
by Bojan Zdrnja (Version: 2)

Several AV vendors have reported MS09-002 exploits in the wild. We can confirm this: the exploit for the CVE-2009-0075 vulnerability (Uninitialized Memory Corruption) in Internet Explorer 7 is definitely in the wild and works like a charm on an unpatched Windows XP machine.

Initially there was some confusion about this attack, as most AV vendors mentioned Word documents. The exploit targets Internet Explorer 7, but so far it has been delivered to the end user as a Word document. That being said, there is absolutely nothing preventing attackers from using the exploit in a drive-by attack (and we can, unfortunately, expect that this will happen very soon).

The exploit code does something similar to a heap spray, with the difference that it deletes the objects it has created and even calls CollectGarbage(), as seen in the code snippet below:

var array = new Array();
// c (the shellcode string) is defined earlier in the exploit and is not shown here
var ls = 0x100000-(c.length*2+0x01020);   // block size: 1 MB minus shellcode and header
var b = unescape("%u0C0C%u0C0C");         // 0x0C0C0C0C sled pattern

while(b.length<ls/2) { b+=b;}             // double the sled until it fills the block
var lh = b.substring(0,ls/2);
delete b;
for(i=0; i<0xC0; i++) {
        array[i] = lh + c;                // 0xC0 copies of sled + shellcode
}

The variable c here contains the shellcode, which does the standard job of pulling another executable from a remote site (it's worth noting that the shellcode appears to be quite heavily obfuscated). This other executable then steals personal data and sends it to a remote site.
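For anyone triaging web content or proxy captures for this kind of spray, the following Python snippet is an added example, not part of the original diary: it scores a script on the traits described above (a %u-encoded sled of one repeated byte, a string-doubling loop, an explicit delete, a CollectGarbage() call, and an array fill loop with a hex count). The two sample scripts are constructed for this example; the first is the diary's fragment with the CollectGarbage() call the text mentions added, and the shellcode variable c is left undefined.

```python
import re

# Constructed sample: the spray fragment quoted in the diary, with the
# CollectGarbage() call the diary mentions. c (shellcode) is defined elsewhere.
SAMPLE_SPRAY = r'''
var array = new Array();
var ls = 0x100000-(c.length*2+0x01020);
var b = unescape("%u0C0C%u0C0C");
while(b.length<ls/2) { b+=b;}
var lh = b.substring(0,ls/2);
delete b;
CollectGarbage();
for(i=0; i<0xC0; i++) { array[i] = lh + c; }
'''

# Constructed benign sample: ordinary page script with none of the spray traits.
SAMPLE_BENIGN = r'''
var items = new Array();
for (var i = 0; i < 10; i++) { items[i] = "row" + i; }
document.getElementById("out").innerHTML = items.join(",");
'''

# unescape("%uXXXX%uXXXX...") with only %u escapes inside
UNESCAPE_RE = re.compile(r'unescape\(\s*"((?:%u[0-9A-Fa-f]{4})+)"\s*\)')
# while(x.length < ...) { x += x; }  -- exponential string growth
DOUBLING_RE = re.compile(
    r'while\s*\(\s*(\w+)\.length\s*<[^)]*\)\s*\{\s*\1\s*\+=\s*\1\s*;?\s*\}')
# arr[i] = sled + payload;
SPRAY_FILL_RE = re.compile(r'(\w+)\s*\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*\w+\s*;')


def decode_unescape(s):
    """Expand a %uXXXX sequence into the bytes JavaScript would place in memory
    (each code unit as a little-endian 16-bit value)."""
    units = [int(m, 16) for m in re.findall(r'%u([0-9A-Fa-f]{4})', s)]
    out = bytearray()
    for u in units:
        out += u.to_bytes(2, 'little')
    return bytes(out)


def heap_spray_indicators(script):
    """Return a dict of the spray traits found in the script text."""
    found = {}
    m = UNESCAPE_RE.search(script)
    if m:
        blob = decode_unescape(m.group(1))
        # a sled made of one repeated byte (0x0C0C0C0C is the classic case)
        if blob and len(set(blob)) == 1:
            found['repeated_byte_sled'] = '0x%02x' % blob[0]
    if DOUBLING_RE.search(script):
        found['string_doubling_loop'] = True
    if re.search(r'\bCollectGarbage\s*\(', script):
        found['collect_garbage_call'] = True
    if re.search(r'\bdelete\s+\w+\s*;', script):
        found['delete_after_build'] = True
    if SPRAY_FILL_RE.search(script) and re.search(r'for\s*\(.*0x[0-9A-Fa-f]+', script):
        found['array_fill_loop'] = True
    return found


def is_likely_heap_spray(script, threshold=3):
    """Flag a script when at least `threshold` independent traits co-occur."""
    return len(heap_spray_indicators(script)) >= threshold


if __name__ == '__main__':
    for name, src in (('spray', SAMPLE_SPRAY), ('benign', SAMPLE_BENIGN)):
        print(name, heap_spray_indicators(src), is_likely_heap_spray(src))
```

The threshold is deliberate: any one trait (an unescape call, a delete, a string-doubling loop) appears in legitimate scripts, so only the combination is flagged. Pattern matching of this kind is a triage aid only; the diary already notes the shellcode is obfuscated, and a spray whose strings are built through eval or split across functions will not match these expressions.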

As the MS09-002 patch was released only a week ago, it's clear that the attacker reverse engineered the patch to create the exploit (especially since the vulnerability was initially reported to Microsoft by ZDI in September last year). So, check your client machines and make sure that you are patched!


Update from Joel: Just a quick note from the Snort front, the VRT (Vulnerability Research Team) has some news up about this on their blog: here.

Keywords: ms09002

DShield Web Honeypot - Alpha Preview Release

Published: 2009-02-17
Last Updated: 2009-02-17 05:12:33 UTC
by Jason Lam (Version: 1)

The attack dynamics have changed significantly since DShield went into service 8 years ago. Web attacks are becoming more popular these days. The SANS ISC is releasing an alpha version of the DShield Web Honeypot today to extend DShield's visibility into this traffic. The intention of the web honeypot project is to harness multiple capture points run by volunteers to collect potentially harmful web traffic.

The goal of the Web Honeypot project is in line with the original DShield project: the data collected through the sensors feeds the DShield web database, where human volunteers as well as machines pore through the data looking for abnormal trends and behavior. In addition, we would like to use the honeypot data to measure web attack prevalence and find objective metrics on which to recommend protective measures. The data collected will also be shared with the research community upon request later this year and made available in aggregated form via the DShield website.

Web site attacks have been on SANS' and the ISC's radar screen for a long time. SANS has been offering education courses (DEV319, DEV422, DEV538, DEV542) on defending and testing applications. The ISC has produced diaries on multiple massive attacks on web applications. The addition of the DShield Web Honeypot project is the next logical step in our effort to help the community defend against web attacks.

The Web Honeypot project is led by Jason Lam and Johannes Ullrich with code contributed from various individuals. The project details and honeypot itself can be downloaded from here.


New Poll on the right!

Published: 2009-02-17
Last Updated: 2009-02-17 02:46:06 UTC
by Joel Esler (Version: 1)

(If you are reading this through one of the rss feeds, you'll need to click through to see what I am talking about)

We have a new poll up on the right hand side of the page at  If you could take a second and answer it, that'd be great!

-- Joel Esler


McAfee 2009 Mobile Security Report

Published: 2009-02-17
Last Updated: 2009-02-17 02:22:18 UTC
by Joel Esler (Version: 1)

We received notice of the 2009 McAfee Mobile Security Report today from our fellow SANS colleagues, so I decided to check it out.

This report is basically on the security of Mobile Devices, as the name implies. However, the report does not define what a "Mobile Device" is. One will look at the term "Mobile Device" and instantly think of things like the Blackberry, iPhone, and Nokia smartphone platforms. However, with the rising prevalence of Mobile Computing, there are things like laptops with built-in 3G, devices like the Nokia N800/N810 Internet Tablets, or the rising use of so-called Netbooks, and one might argue that these fall into the category of Mobile Devices as well. While the report doesn't exactly specify what a "Mobile Device" is, it seems to imply that it's talking about Smartphones.

There really isn't anything incredibly groundbreaking in this report, except for the chart on the left of page 2.

This chart details the number of reported Mobile Security issues; it's a simple bar graph comparing 2006, 2007, and 2008, with each year showing a steady increase in the following areas:

Network or Service capacity issues
Virus/Spyware Infections
Voice or Text Spam Attacks
Third Party Application
Loss of User Data
Phishing Attacks
Privacy issues
Denial of Service Attacks

Now you can attribute this to the fact that maybe people are getting better at reporting security issues, or that there are more mobile devices out there now (with the past year seeing a large uptick in numbers; look at the number of iPhones sold alone!), or that there really is a rise in these numbers. However you want to interpret them, there is no denying that there is an increase in the number of attacks facing our "Mobile Devices".

I don't want to reiterate the entire report, so I'll point to it here.  Go read for yourself, enjoy!

-- Joel Esler
