Wednesday, January 20, 2010

IExplorer 0day CVE-2010-0249 – Exploit-Comele / Hydraq / Aurora

Microsoft has released Security Advisory 979352 for a 0day in Internet Explorer 6, 7 and 8 (CVE-2010-0249). The vulnerability was used in the recent attack against Google and other large companies, an operation now described as an Advanced Persistent Threat:

Why is it called Aurora? (older background)
http://www.chinadaily.com.cn/world/2007-09/27/content_6139437.htm

Operation Aurora: Clues in the Code
http://www.secureworks.com/research/blog/index.php/2010/01/20/operation-aurora-clues-in-the-code/

'Aurora' code circulated for years on English sites
http://www.theregister.co.uk/2010/01/26/aurora_attack_origins/

Report: Cyberattackers hit Google staff via friends
http://news.zdnet.co.uk/security/0,1000000189,40005860,00.htm?s_cid=248

Exploit related:
IE 0-Day on GOV.CN
http://research.zscaler.com/2010/01/ie-0-day-on-govcn.html

Internet Explorer 0-Day hosted GOV.CN domain
http://www.thetechherald.com/article.php/201004/5142/Internet-Explorer-0-Day-hosted-GOV-CN-domain

Hex-Rays against Aurora
http://hexblog.com/2010/01/hexrays_against_aurora.html

Python proof of concept:
http://packetstormsecurity.org/1001-exploits/ie_aurora.py.txt

Metasploit module / ie_aurora.rb
http://blog.metasploit.com/2010/01/reproducing-aurora-ie-exploit.html
http://www.metasploit.com/redmine/projects/framework/repository/revisions/8136/entry/modules/exploits/windows/browser/ie_aurora.rb

praetorianprefect - Demonstration of exploiting the flaw using the new module from Metasploit:
http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/

Additional information about DEP and the Internet Explorer 0day vulnerability
http://blogs.technet.com/srd/archive/2010/01/18/additional-information-about-dep-and-the-internet-explorer-0day-vulnerability.aspx

Bypassing Browser Memory Protections (DEP and others) - PDF document:
http://taossa.com/archive/bh08sotirovdowd.pdf
CVE-2010-0249 DEP/ASLR bypass (Dino Dai Zovi on Twitter):
http://twitter.com/dinodaizovi

Another memory protection bypass reference:
http://www.corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/

DEP and ASLR bypass
http://blog.trendmicro.com/new-exploit-bypasses-aslr-and-dep/

Detection Rules:

Sourcefire VRT Rules Update - 2010-01-15
http://www.snort.org/vrt/advisories/2010/01/15/vrt-rules-2010-01-15.html/

Mitigation strategies:

Microsoft January Out of Band Patch
http://www.microsoft.com/technet/security/bulletin/MS10-002.mspx

Note: this out-of-band patch also covers the following CVEs (the MS10-002 bulletin lists eight in total):

CVE-2009-4074
CVE-2010-0027
CVE-2010-0244
CVE-2010-0245
CVE-2010-0246
CVE-2010-0247
CVE-2010-0248
CVE-2010-0249

Security Advisory 979352 – Going out of Band (Microsoft out of band patch)
http://blogs.technet.com/msrc/archive/2010/01/19/security-advisory-979352-going-out-of-band.aspx
Code to mitigate the exploit:
http://www.securityfocus.com/archive/1/508961
Web of Trust browser add-on (client side; green is good, red is bad):
http://www.mywot.com

Malware related:

Aurora PCAP file
https://www.evilfingers.com/projects/pcaps_beta.php

The Trojan.Hydraq Incident
http://www.symantec.com/connect/blogs/trojanhydraq-incident
An Insight into the Aurora Communication Protocol
http://www.avertlabs.com/research/blog/index.php/2010/01/18/an-insight-into-the-aurora-communication-protocol/

Trojan.Hydraq Exposed
http://blog.threatexpert.com/2010_01_01_archive.html

Trojan.Hydraq Exposed  part II
http://blog.threatexpert.com/2010/01/trojanhydraq-part-ii.html

Roarur.dr
http://vil.nai.com/vil/content/v_253415.htm

Exploit-Comele
http://vil.nai.com/vil/content/v_253210.htm

News and background:

MS knew of Aurora exploit four months before Google attacks
http://www.theregister.co.uk/2010/01/22/aurora_exploit_known_months/

Security Intelligence: Attacking the Kill Chain
https://blogs.sans.org/computer-forensics/2009/10/14/security-intelligence-attacking-the-kill-chain/

Google-China cyber espionage saga – FAQ
http://blogs.zdnet.com/security/?p=5259&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+zdnet%2Fsecurity+%28ZDNet+Zero+Day%29&utm_content=Twitter

Cyber Espionage: Death by 1000 Cuts
http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100119

France joins Germany warning against Internet Explorer
http://news.bbc.co.uk/2/hi/technology/8465038.stm
*Personal note: Firefox is also exposed to issues of this kind; for more information the Mozilla Bugzilla repository is a good starting point.

Attacks Continuing Against IE Flaw as Microsoft Preps Patch
http://threatpost.com/en_us/blogs/attacks-continuing-against-ie-flaw-microsoft-preps-patch-011810

More on the IE zero day
http://www.sophos.com/blogs/sophoslabs/?p=8227

IBM ISS Threat Level elevated to AlertCon 2
https://webapp.iss.net/gtoc/index.html

Security expert: Chinese authorities supported cyber attacks
http://blogs.zdnet.com/BTL/?p=29667

Incidents.org said “Exploit code available for CVE-2010-0249”
http://isc.sans.org/diary.html?storyid=8002

Microsoft confirms IE zero-day behind Google attack
http://www.networkworld.com/news/2010/011510-microsoft-confirms-ie-zero-day-behind.html

Vulnerability in Internet Explorer Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/979352.mspx

More Details on “Operation Aurora”
http://www.avertlabs.com/research/blog/index.php/2010/01/14/more-details-on-operation-aurora/

Operation “Aurora” Hit Google, Others
http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/

0day vulnerability in Internet Explorer 6, 7 and 8
http://isc.sans.org/diary.html?storyid=7993

IE zero-day used in Chinese cyber assault on 34 firms
http://www.theregister.co.uk/2010/01/14/cyber_assault_followup/

Google Hack Attack Was Ultra Sophisticated
http://www.wired.com/threatlevel/2010/01/operation-aurora

Shellcode related:

wepawet
http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js
A screenshot of the shellcode (md5 124722b0369b4a3dd42c6be6ecac425e) that I analyzed by taking the Wepawet shellcode hex dump and building it into an executable with http://sandsprite.com/shellcode_2_exe.php. The following shows the point in the code where the urlmon.dll download routine (URLDownloadToFile) is used to fetch the binary "ad.jpg":

[screenshot: aurora01]

VirusTotal detection for the extracted shellcode above (detected as Exploit-Comele):
http://www.virustotal.com/analisis/d6507cef78269e631e7b6dc746fae49551962a11d80efbfd2ed13f21e00f6eb2-1263694821

Anubis detection for the extracted shellcode above:
http://anubis.iseclab.org/?action=result&task_id=1936ee7010fa1ae340d09531cafb64d66&format=

Analysis of Trojan.Hydraq , aka "Aurora," against Internet Explorer
http://www.wilderssecurity.com/showthread.php?p=1608756

Hydraq / Aurora network indicators:
Aurora files:
http://www.security.nl/files/aurorafiles.txt
IP ranges from pastebin (http://pastebin.com/maad7ac3):
203.69.41.0/26
203.69.41.64/27
203.69.66.0/27
203.69.68.96/27
203.69.68.128/25
72.32.6.235

360.homeunix.com and other C2 hosts (parked at the time of writing):
http://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99&tabid=2


yahooo.8866.org (AS4766 KT-NET KORnet)
[screenshot: yahooo.8866.org lookup]

sl1.homelinux.org
360.homeunix.com
ftp2.homeunix.com
update.ourhobby.com
blog1.servebeer.com
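As an added example (my own code, not taken from any of the linked analyses), the script below turns the indicators from this post into a simple log matcher: the CIDR ranges and hostnames listed above, plus the "ad.jpg" filename seen in the shellcode section. The log format is an assumption made for the example (one squid-like line per request: timestamp, client IP, destination IP or "-", host, method, URL) and the sample lines are constructed, not real traffic. It also goes slightly beyond the page by matching subdomains of the listed C2 names and by flagging the path marker separately, since "ad.jpg" on its own is a weak indicator.

```python
"""Match proxy-log lines against the Hydraq/Aurora network indicators listed above.

Indicator values are the ones given on this page; the log format and the sample
log lines are constructed for this example.
"""
import ipaddress
import re

# IP ranges from the pastebin list quoted above (the single IP becomes a /32).
AURORA_CIDRS = [
    "203.69.41.0/26",
    "203.69.41.64/27",
    "203.69.66.0/27",
    "203.69.68.96/27",
    "203.69.68.128/25",
    "72.32.6.235",
]
# C2 hostnames listed above (dynamic-DNS names, parked at the time of the post).
AURORA_HOSTS = {
    "yahooo.8866.org",
    "sl1.homelinux.org",
    "360.homeunix.com",
    "ftp2.homeunix.com",
    "update.ourhobby.com",
    "blog1.servebeer.com",
}
# Filename fetched by the exploit shellcode (from the shellcode section above).
# Weak on its own: "ad.jpg" is a common name, so treat a path hit as a lead,
# not a verdict, unless a host or CIDR hit accompanies it.
AURORA_PATH_MARKERS = ("/ad.jpg",)

_NETWORKS = [ipaddress.ip_network(c) for c in AURORA_CIDRS]

# Assumed log format (an assumption for this example, not a real product's):
# "<timestamp> <client_ip> <dst_ip_or_-> <host> <method> <url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<host>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)


def match_line(line):
    """Return the indicator names hit by one log line (empty list if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []  # unparseable lines are skipped, not treated as hits
    hits = []

    # Exact C2 hostname, or a subdomain of one.
    host = m.group("host").lower().rstrip(".")
    if host in AURORA_HOSTS or any(host.endswith("." + h) for h in AURORA_HOSTS):
        hits.append("host:" + host)

    # Destination IP inside one of the listed ranges (first matching range wins).
    try:
        dst = ipaddress.ip_address(m.group("dst"))
    except ValueError:
        dst = None  # "-" or junk in the destination column
    if dst is not None:
        for net in _NETWORKS:
            if dst in net:
                hits.append("cidr:" + str(net))
                break

    # Requested path ends in the shellcode's download filename.
    url = m.group("url").lower()
    for marker in AURORA_PATH_MARKERS:
        if url.endswith(marker) or (marker + "?") in url:
            hits.append("path:" + marker)

    return hits


def scan(lines):
    """Map 1-based line numbers to their hits, for lines that hit anything."""
    results = {}
    for number, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            results[number] = hits
    return results


# Constructed sample log (not real traffic); 192.0.2.0/24, 198.51.100.0/24 and
# example.* are documentation ranges/names.
SAMPLE_LOG = [
    "2010-01-18T10:01:02 10.0.0.5 203.69.41.70 203.69.41.70 GET http://203.69.41.70/",
    "2010-01-18T10:01:05 10.0.0.5 - update.ourhobby.com GET http://update.ourhobby.com/up.php",
    "2010-01-18T10:01:09 10.0.0.7 192.0.2.10 www.example.com GET http://www.example.com/images/ad.jpg",
    "2010-01-18T10:02:00 10.0.0.9 198.51.100.4 www.example.org GET http://www.example.org/",
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        print(number, hits)
```

Lines 1 to 3 of the sample log hit the CIDR, hostname and path indicators respectively; line 4 is clean. The host and CIDR lists are dated (the names were already parked when this was written), so the useful part to keep is the pattern: parse, normalise, then check host, address and path independently and report which class of indicator fired.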

This post is being updated.

2 comments:

  1. Thanks for the nice blog. This is very useful and interesting. I read this and I myself very much appreciate this blog.

  2. The evilfingers URL is a 404.
    The right one is https://www.evilfingers.com/repository/pcaps.php
