Security researchers warn that thousands of legit websites have been compromised

Jul 7, 2009 08:20 GMT  ·  By
Microsoft Video ActiveX Control vulnerability exploited in the wild

A 0-day remote code execution vulnerability in Microsoft Video ActiveX Control is actively being exploited as part of an attack that affected thousands of websites so far. The exploit has been incorporated into a drive-by attack kit, which attempts to install a cocktail of malware on visitors' machines.

Security researchers seem to agree that the majority of websites compromised in this attack, originally reported by Danish IT security company CSIS Security Group, are located in China, with some exceptions. For example, Marc Fossi, manager of research development at Symantec, notes that the official website of the Russian Embassy in Washington is among the victims.

Meanwhile, AVG's Chief Research Officer, Roger Thompson, points out that the scope of the infection is likely to increase, due to the success exhibited by the attack so far. "At this point, it seems to work really well, so it's likely to become a staple of would-be exploitive websites for years to come," he writes.

Users accessing the infected sites, most of which belong to schools or local community clubs, will load content from a secondary hijacked legit website. Malware analysts from McAfee explain that this is done in order to throw off suspicion, since interlinking between trustworthy websites can be normal. However, the secondary website, which is being used as a proxy, goes on to load the exploit kit from a payload site, a sub-domain of 8866.org.

It is worth noting that, while the exploit for the 0-day DirectShow vulnerability, which affects IE 6 and 7 users running Windows XP or Windows Server 2003, is the most dangerous component of this attack, the kit also incorporates additional exploits for vulnerabilities in software associated with these browsers. Such is the case with other ActiveX controls or outdated versions of RealPlayer and the Baidu Toolbar.

An analysis of the attack, performed by Trend Micro, reveals that users are served a malicious .JPG file, which actually contains the exploit code for this 0-day vulnerability. "The shellcode of the exploit is XOR encrypted," Roland Dela Paz, threat response engineer at Trend, writes. Successful exploitation leads to the installation of a trojan, whose initial purpose is to disable a wide range of antivirus products. It then proceeds to download a cocktail of other malware, including a keylogger.
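The two observable traits described above, a trusted page pulling in content from the 8866.org payload domain and an exploit served under a .JPG name, can both be checked from a web-proxy capture. The following is an added example written for this article, not code from Softpedia, McAfee or Trend Micro. It assumes capture records with a URL, a Referer and the response body; every hostname other than 8866.org is a constructed placeholder, and the 8866.org sub-domain is left as PLACEHOLDER because the article does not name it.

```python
# Added example (not from the article or any vendor named in it): an offline
# checker for two indicators the article describes, run over constructed
# web-proxy capture records. Hostnames other than 8866.org are placeholders.
from urllib.parse import urlsplit

JPEG_MAGIC = b"\xff\xd8\xff"      # every JPEG file starts with these three bytes
PAYLOAD_DOMAIN = "8866.org"       # payload site named in the article (sub-domain unknown)


def is_jpeg(body: bytes) -> bool:
    """True if the response body carries a JPEG file signature."""
    return body.startswith(JPEG_MAGIC)


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def under_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or any sub-domain of it."""
    return host == domain or host.endswith("." + domain)


def check_record(url: str, referer: str, body: bytes) -> list:
    """Return the indicator names that fire for one request/response pair."""
    findings = []
    path = urlsplit(url).path.lower()
    # Indicator 1: the URL looks like an image but the body is not a JPEG
    # (the exploit disguised as a .JPG that Trend Micro describes).
    if path.endswith(".jpg") and not is_jpeg(body):
        findings.append("jpg-url-non-jpeg-body")
    # Indicator 2: content pulled from the payload domain by a page hosted
    # elsewhere (the last hop of the legit -> proxy -> payload chain).
    if under_domain(host_of(url), PAYLOAD_DOMAIN) and referer:
        if host_of(referer) != host_of(url):
            findings.append("cross-site-load-from-payload-domain")
    return findings


def scan(records) -> dict:
    """Map each URL that triggered at least one indicator to its findings."""
    hits = {}
    for rec in records:
        found = check_record(rec["url"], rec["referer"], rec["body"])
        if found:
            hits[rec["url"]] = found
    return hits


# Constructed capture: one visitor's path through the chain described above.
SAMPLE_RECORDS = [
    # 1. the compromised school site itself: ordinary HTML, no referer
    {"url": "http://school.example.org/index.html", "referer": "",
     "body": b"<html><body>Welcome</body></html>"},
    # 2. a second hijacked legit site used as a proxy: cross-site loads
    #    between ordinary sites are normal, so this alone is not flagged
    {"url": "http://club.example.net/news.htm",
     "referer": "http://school.example.org/index.html",
     "body": b"<html><body>News</body></html>"},
    # 3. the proxy site loads the kit from a placeholder 8866.org sub-domain
    {"url": "http://PLACEHOLDER.8866.org/kit/index.htm",
     "referer": "http://club.example.net/news.htm",
     "body": b"<html><script>/* kit loader */</script></html>"},
    # 4. a ".jpg" from the payload site whose bytes are HTML, not an image
    {"url": "http://PLACEHOLDER.8866.org/img/photo.jpg",
     "referer": "http://PLACEHOLDER.8866.org/kit/index.htm",
     "body": b"<html><script>/* not a picture */</script></html>"},
    # 5. a genuine JPEG on the school site: no finding
    {"url": "http://school.example.org/logo.jpg", "referer": "",
     "body": JPEG_MAGIC + b"\xe0\x00\x10JFIF"},
]

if __name__ == "__main__":
    for url, found in scan(SAMPLE_RECORDS).items():
        print(url, "->", ", ".join(found))
```

The cross-site indicator deliberately stays quiet on the hop from the school site to the second legit site, because, as McAfee notes, such interlinking is normal; it is the load from the known payload domain that stands out. The signature check only catches a file that is not a JPEG at all; a real image with exploit data appended would pass it, so it complements, rather than replaces, the signature-based detection the AV vendors added.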

Another interesting aspect of this exploit toolkit is that it checks the referring URLs and filters out those coming from ".gov.cn" and ".edu.cn," in an attempt to prevent analysis by the Chinese government and academics. Also, according to researchers from Websense, the toolkit itself is not new, having been actively used on compromised websites since last year.

Most major AV vendors have added detection for this exploit to their products, so users are advised to keep their definition files up-to-date. There is not yet an official patch available from Microsoft, but the company has released a workaround.

Photo gallery (2 images): Microsoft Video ActiveX Control vulnerability exploited in the wild; Exploit code for Microsoft Video ActiveX Control vulnerability