AVG Web Intelligence


8/9/2019 AVG Web Intelligence 1/9

AVG

WEB INTELLIGENCE REPORT

APRIL 2010

THE EPIDEMIC OF CVE-2010-0806 FOLLOWING A PUBLIC DISCLOSURE


Introduction

Cybercriminals keep on targeting innocent online users. They refine their methods and search for new ways to maximize their illegal profit while minimizing their chance of detection. In this report, we will show you how hackers managed to infect computers with their malware by taking advantage of an unpatched Internet Explorer vulnerability (zero-day) that had been disclosed to the public. We will expose the epidemic of this zero-day vulnerability on the web and the impact it has on users browsing the web without protection.

Our research shows that public disclosure of information about an unpatched vulnerability (zero-day) leads to a swift response by hackers. The disclosed information was embedded in an exploit toolkit known as Neosploit and used by several cybercriminal gangs around the globe. The exploit toolkit Neosploit is software written by hackers and sold online to cybercriminals, who use it to infect innocent web users with their malware. The toolkit includes everything the cybercriminal needs to operate the attack: the malware, the exploit code, the statistics reports, etc.

How did these cybercriminals find the information about the unpatched vulnerability? What means and methods did they use to infect users? What is the epidemic rate of this attack? What can users do to protect their digital assets?

In this report, we will shed some light on these questions, including the cybercrime toolkits they used.


CVE-2010-0806 and Public Disclosure

On March 9th Microsoft released an advisory regarding a vulnerability in its Internet Explorer products, versions 6 and 7. According to the information provided in this advisory, the vulnerability could allow remote code execution (RCE). RCE means that an attacker who successfully exploits this vulnerability could gain the same user rights as the logged-on user. For example, if the user is logged on with administrative user rights, an attacker who successfully exploits this vulnerability could take complete control of an infected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Following the Microsoft advisory, CVE-2010-0806 was published to alert the public about the existence of such a vulnerability. Typically, public vulnerability disclosures trigger security researchers to rush in and find out what is under the hood. The race to find where exactly the vulnerability lies and how to exploit it was the obvious next step. The race ended with a report from a security researcher who managed to find a site already exploiting this vulnerability and used it to create a public Proof-of-Concept (PoC) and a module for the popular open source penetration testing platform, Metasploit.

The debate as to whether such public disclosure is valuable to the security community or not has been around for years. Some claim it helps the community to provide immediate protection against threats, while others claim it helps cybercriminals to trigger their attacks. We believe responsible disclosure in the security community is a better way to go.


The Exploited Vulnerability as Detected by AVG

Not long after the PoC was published on the web, AVG spotted a major spike in compromised websites serving the exploit code targeting the zero-day vulnerability. We concluded in our research that the exploit is being served by an exploit toolkit dubbed Neosploit. Neosploit has been known for some time already; however, its price on the black market had started to decline because of the relatively old vulnerabilities it tries to exploit. It appears that the people behind Neosploit added this new exploit to its arsenal to increase its market price again.

[Chart: Number of exploit-serving websites following the public disclosure. X axis: Days from MS Advisory (1 to 8). Y axis: Number of Hits, gridlines from 0 to roughly 30,000 in steps of 5,000.]


Example of Compromised Website Serving the Exploit

Many users believe they can tell whether a website is legitimate or malicious just by visiting it. This belief rests on two false assumptions:

1. Today's malicious code is invisible to users. Usually it is code embedded in the web page that executes behind the scenes while the user simply visits the page. This is known as a drive-by download.
2. Hackers compromise legitimate websites and insert their malicious code into them. The reason is simple: users visit legitimate sites more often than other sites.

Below is an example of a compromised website we spotted that automatically attempts to infect the user with an exploit. Can you tell if this site is legitimate or one that serves malicious code? Probably not.


Here is the code behind this web page.

As you can see at the bottom of the page, the hacker who compromised this website inserted code that tries to infect the user; this was probably not part of the original code the website owner wanted to have.

For security researchers the highlighted code is very common, but for the average web developer it will look suspicious or unknown.

In order to minimize detection of the exploit code by security products, the hackers tried to hide their actions. The served exploit code in this example was obfuscated. The main reason for obfuscating the code is to avoid detection by the traditional signature matching techniques used by security products.

[Screenshot of the obfuscated script, reproduced only partially and with portions redacted as [REMOVED] in the original. The inline script assigns unescape() to a short alias and feeds long runs of %XX / %uXXXX hex escapes through it into new Function(), so the readable code exists only at run time; the visible bytes decode to fragments such as "var btn = document...createElemen". The transcript ends mid-script.]
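The scanner below is an added illustration, not code from AVG's report or tooling, and looks at the same obfuscation from the defender's side: it pulls inline scripts out of a page, measures how much of each script is hex escapes, decodes the long escape runs the way unescape() would, and raises a score when the decoded text turns out to reference the DOM. The sample page, the thresholds and the regexes are assumptions; the escaped fragment begins with the same "var btn = document" text visible in the screenshot, and the rest of it is constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not from the report): one ordinary inline script and one hiding its text behind hex escapes.
SAMPLE_HTML = """<html><body><p>Welcome</p>
<script>function showMenu(){document.getElementById('m').style.display='block';}</script>
<script>var e=unescape;var s=new Function(e('%76%61%72%20%62%74%6E%20%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%65%6E%74%28%22%62%75%74%74%6F%6E%22%29'));</script>
</body></html>"""

ESCAPE_RUN = re.compile(r'(?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2})+')        # runs of %XX / %uXXXX
LOADER = re.compile(r'\b(?:unescape|eval|new\s+Function|fromCharCode)\b')  # turns strings back into code
DOM_USE = re.compile(r'document\.\w+|createElement|ActiveXObject')         # decoded text touching the DOM
class ScriptExtractor(HTMLParser):
    """Collect the body of every inline <script> element, in page order."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts = False, []
    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self.in_script = True
            self.scripts.append('')
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != 'script'
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def decode_escapes(run):
    # Decode one escape run the way JavaScript's unescape() would (%XX -> byte, %uXXXX -> code unit).
    return ''.join(chr(int(m.group(1) or m.group(2), 16))
                   for m in re.finditer(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})', run))

def assess_script(src):
    """Score one script from 0 (nothing notable) to 5 (every indicator present)."""
    runs = ESCAPE_RUN.findall(src)
    ratio = sum(len(r) for r in runs) / max(len(src), 1)          # share of the script that is escapes
    decoded = [decode_escapes(r) for r in runs if len(r) >= 24]  # skip short, ordinary URL escapes
    score = 0
    if ratio > 0.3:                   # thresholds are assumptions; tune them on real traffic
        score += 2
    if LOADER.search(src):
        score += 1
    if any(DOM_USE.search(d) for d in decoded):
        score += 2
    return score, decoded

def scan_html(html):
    # Return (score, decoded_runs) for each inline script in the page.
    parser = ScriptExtractor()
    parser.feed(html)
    return [assess_script(s) for s in parser.scripts]
```

A signature on the literal bytes of the script would miss a re-encoded variant; scoring the decoded text instead is what makes the check survive the obfuscation the report describes.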