News Categories
(34)Malware (39)Malicious emails (11)Web 2.0 (24)Facebook (22)Social Networks (44)Spam (2)Defensio (1)Comment Spam (15)Phishing (9)Web spam (4)Click-jacking (38)Compromise (20)Analysis (38)Exploits (14)Research (3)Presentations (3)Conferences (4)security conference (9)Mass Injection (10)Rogue AV (4)Blackhat SEO (2)Neosploit (23)Targeted attacks (7)Video (14)Zeus (5)Microsoft (4)Monthly Reports (1)twitter (3)Google (18)Vulnerabilities (9)Adobe (12)Java (4)Mobile (4)Apple (1)hacked (1)TAB (1)Black Hat USA 2011 (1)Google+ (20)0-day (1)CVE-2010-2884 (1)CVE-2011-1255 (1)Worm (14)Blackhole exploit kit (1)Incognit Exploit kit (2)Tuesday Patch (6)APT (6)Typosquatting (3)Vulnerability Analysis (1)CVE-2011-3402 (4)Web Research (4)Predictions (3)Adult (5)News (3)Black Hat SEO (6)Data loss (8)Scam (1)QR codes (6)Twitter (1)CVE-2012-0003 (1)CVE-2011-3389 (1)CVE-2012-0004 (1)Phoenix Exploit Kit (1)CrimePack (3)Reverse Engineering (2)Captcha (1)Valentine's day (2)Kelihos (1)SC Magazine Award Winner (1)Wordpress (1)MS12-010 (1)CVE-2012-0002 (1)Infosec (2)CVE-2012-0507 (8)Toolkits (1)Skywiper (2)Flame (1)Flamer (2)Passwords (1)freedom of expression (1)censorship (2)Plugins (3)Malvertising (14)Exploit (1)CVE-2012-1723 (1)CSI (2)ThreatSeeker (2)Adventures in Spam (1)CVE-2012-4681 (1)LBS (2)RAT (1)module Apache/2 (1)Cyber Monday (1)Black Friday (1)Pastebin (4)CVE-2012-4792 (1)iPad (1)super bowl (1)iPhone (2)iOS (4)Spear Phishing (1)Threat Report (3)ThreatScope (1)Dynamic DNS (1)China (1)SSL (1)APT1 (2)DLP (3)Hack (1)CVE-2012-4969 (2)threat lifecycle (1)ThreatSeeker Network (1)ACE (10)exploit kit (1)blackhole (2)Black Hole (1)DNS poisoning (1)RedKit Exploit Kit (4)exploit kits (1)threat stages (1)Certificates (1)Topical (1)Waterhole (1)CVE-2013-2463 (1)Neutrino exploit kit (1)CVE-2013-2473 (1)CVE-2013-3893 (2)Collective Threat Intelligence (1)CVE-2013-3963 (1)Targeted Attack (3)Advanced Malware (1)CVE-2013-3897 (1)Tor (5)cyber-crime (1)Mevade (2)Ransomware (3)Social Engineering (1)CookieBomb (2)LinkedIn (1)CVE-2013-3906 (2)Pony (3)Cryptolocker (2)Upatre (1)application telemetry (1)meta-data (3)dr. watson (1)windows error reporting (1)big data (2)data theft prevention (1)DTP (1)telemetry (2)CVE-2014-0322 (2)MSIE 0-day (1)Deputy Dog (1)Ephemeral Hydra (1)CVE-2013-0074 (1)CVE-2013-3896 (1)Silverlight (2)crash reports (1)POS (1)anomaly detection (1)goon (4)angler (1)ru:8080 (1)magnitude (3)flash (1)CVE-2013-2465 (1)malicious iframes (1)FIESTA (1)Exploits Kit (1)iframe (3)CVE-2014-0160 (2)OpenSSL (3)Heartbleed (3)Citadel (2)CVE-2014-1776 (1)VGX.DLL (1)necrus (1)cutwail (2)gameover (3)vulnerability (3)zbot (1)control panel (1)carberp (1)zberp (1)Caphaw (2)Nuclear exploit kit (1)Shylock (1)Dragonfly (1)Zeus PIF (1)bitly (1)fraud (2)RIG Exploit Kit (1)POS malware (1)Point Of Sale Malware (1)Ukraine (1)Russia (1)Shellshock (1)CVE-2014-6271 (1)poodle (1)cve-2014-3566 (1)sslv3 (1)Ebola (1)CVE-2014-4114 (1)CPA (1)Regin (1)CVE-2015-0311 (1)CVE-2015-0235 (1)linux (1)GHOST (1)CVE-2015-0072 (1)Internet Explorer (1)XSS (1)IE (1)TorrentLocker (1)Product Information (1)Money Laundering (1)APSA10-05 (1)Skype spam
RSS Feed
News
Apr
29
A Look at CVE-2014-1776 via Windows Crash Reports
Posted by AlexWatson on 29 April 2014 03:12 AM

Overview

 

  • Through analyzing Windows Error Reports (a.k.a. Dr. Watson logs), we have identified two possible vulnerabilities (anomalous crashes) in VGX.DLL that may be linked to MSIE 0-day CVE-2014-1776.
  • We have seen a significant spike in crashes of Internet Explorer versions 8 and 9 that fail in VGX.DLL, starting in February 2014. These crashes are indicators of application vulnerabilities that may be exploited.
  • Anomalous application crashes from VGX.DLL have been observed originating from the USA, UK, and Brazil. Specific industries with anomalous application crashes include telecommunications, tier-1 financial and municipal government.

 

As we mentioned in our last blog entry, a new vulnerability has been discovered by researchers at FireEye in Microsoft Internet Explorer affecting Internet Explorer versions 6 through 11. Current reported attacks are targeting only Internet Explorer 9 through 11. The vulnerability allows attackers to remotely execute arbitrary code on the target machine by having the user visit a malicious website. The vulnerability has been assigned reference CVE-2014-1776.  The vulnerability lies in the way Internet Explorer handles Vector Markup Language and vector graphics rendering, when Internet Explorer accesses a related object in memory that has been deleted or improperly allocated. This allows the attacker to execute arbitrary code in the context of the current user.

 

Microsoft has released an advisory with recommendations about how users can take steps to mitigate their vulnerability while a patch is prepared. There has been quite a bit of discussion about the impact of the vulnerability, including recommendations from both the US Department of Homeland Security and UK governments that government users avoid the use of Internet Explorer until a bug patch is released by Microsoft.

 

In spite of the ongoing discussions and mitigation options, not many details exist about how the exploit targets Microsoft Internet Explorer, and where it is being seen in the wild. In this blog post, we will examine application crash reports from Microsoft Windows computers that are sent via the WER (Windows Error Reporting) framework, to see if we can learn anything about possible vulnerabilities that are being exploited and/or where attacks are occurring.

 

Comparison to known exploits

 

Microsoft's threat advisory for CVE-2014-1776 recommends disabling the VGX.DLL library as a mitigation option against the exploit. This library is a core library for Internet Explorer's "Vector Markup Language" (VML) capability -- a deprecated vector graphics format that was primarily used in Microsoft Office Applications. It is interesting to see that VGX.DLL has been linked to other vulnerabilities from 2013, including CVE-2013-2551 and CVE-2013-0030, which both use memory corruption techniques that could theoretically be used to compromise IE. We have previously discussed how Microsoft Windows Error Reporting (WER), a.k.a. Dr. Watson, is an opt-out program that exists in Windows XP, Vista, 7, and 8 that sends detailed telemetry to Microsofteach time an application crashes or fails to update, or a hardware change occurs on the network. This data is incredibly valuable to Microsoft and application vendors, to help debug their applications and prioritize fixes on a massive scale. More information on how you can harness intelligence from Windows crash reports, which are sent from over 80% of PCs globally, can be found in our whitepaper.

 

Today, we will search crash reports for evidence of exploit-type activity happening in the VGX.DLL library within Internet Explorer. This can be used to help identify possible vulnerabilities that are being exploited by CVE-2014-1776, and can hint at possible geographic locations that are being targeted during attacks. These application crashes are generated for one of three reasons:

1. Normal application failure, such as running out of memory

2. Crash triggered during normal application use, which may be a vulnerability

3. Failed exploit activity

 

 

Searching for needles in the haystack

 

Let's start by looking at Windows Error Reporting application crashes that we have seen occur in the past 6 months. Out of a total of 19.8 million error reports, the following crashes occurred in Internet Explorer versions 6 - 11 inside the VGX.DLL library

 

  • November 2013: 2 crashes
  • December 2013: 1 crash
  • January 2014: 3 crashes
  • February 2014: 13 crashes
  • March 2014: 9 crashes
  • April 2014: 12 crashes

 

 

We see a significant uptick in crashes starting around February 10th, 2014. Let's take a closer look to see if we can learn anything from the crash reports. Of 39 crashes observed, there are 15 distinct crash reports, grouped by the crash offset location. Two distinct crash reports emerge as being interesting.


Possible vulnerability affecting VGX.DLL in IE 9

 

We have seen the first cluster of application crashes affecting IE version 9 on Windows 7 -- consistent with the vulnerability observed in the wild. We have observed matching crash reports indicating possible failed exploit activity in the United States between March 22nd, 2014, and mid-April 2014.

 

  • 4 matches: http://watson.microsoft.com/StageOne/iexplore_exe/9_0_8112_16483/515df825/vgx_dll/9_0_8112_16483/515df802/c0000005/00026fed.htm?

 

Buffer Overflow vulnerability affecting VGX.DLL in IE 8

A second interesting cluster of crash reports appears to be affecting IE 8 (via our telemetry).  We can see two distinct versions of IE 8 on Windows 7 affected below (8.0.7601.17514 and 8.0.7600.16385). The BEX error type indicates a buffer overflow happening in VGX.DLL, and it is somewhat unusual to see such a large percentage of application crashes being triggered via buffer overflow. While it has not been reported that IE 8 has been targeted via CVE-2014-1776 in the wild, errors like this are consistent with exploits that corrupt and overwrite memory. We have observed these crash reports occurring as early as February 17, 2014 in the United States, United Kingdom, and Brazil. 

 

  • 000000_0:http://watson.microsoft.com/StageOne/Generic/BEX/iexplore_exe/8_0_7601_17514/4ce79912/vgx_dll_unloaded/0_0_0_0/52745e57/644481aa/c0000005/00000008.htm?
  • 000001_0:http://watson.microsoft.com/StageOne/Generic/BEX/iexplore_exe/8_0_7601_17514/4ce79912/vgx_dll_unloaded/0_0_0_0/52745e57/66bda6fa/c0000005/00000008.htm?
  • 000001_0:http://watson.microsoft.com/StageOne/Generic/BEX/iexplore_exe/8_0_7601_17514/4ce79912/vgx_dll_unloaded/0_0_0_0/4dba4373/6987f4b4/c0000005/00000008.htm?
  • 000002_0:http://watson.microsoft.com/StageOne/Generic/BEX/iexplore_exe/8_0_7601_17514/4ce79912/vgx_dll_unloaded/0_0_0_0/52745e57/6aa5b562/c0000005/00000008.htm?
  • 000003_0:http://watson.microsoft.com/StageOne/Generic/BEX/iexplore_exe/8_0_7601_17514/4ce79912/vgx_dll_unloaded/0_0_0_0/52745e57/5e3e8901/c0000005/00000008.htm?
  • 000004_0:http://watson.microsoft.com/StageOne/Generic/BEX/iexplore_exe/8_0_7601_17514/4ce79912/vgx_dll_unloaded/0_0_0_0/4dba4373/6987f4b4/c0000005/00000008.htm?
  • 000009_0:http://watson.microsoft.com/StageOne/Generic/BEX/IEXPLORE_EXE/8_0_7600_16385/4a5bc69e/vgx_dll_unloaded/0_0_0_0/4a5bdb2c/60dee4f3/c0000005/00000008.htm?

 

To conclude - this analysis is not intended to be conclusive, but to provide indicators of possible vulnerabilities in Internet Explorer's VGX.DLL that may be exploited by CVE-2014-1776. More info coming soon.

 

Contributors: Alex Watson


Read more »



Feb
14

Executive Overview

 

  • Websense researchers have discovered the use of CVE-2014-0322 as early as January 20, 2014 - nearly 3 weeks before the previously known first date of the attacks
  • The attack may be targeting organizations associated with the French aerospace association, GIFAS
  • The CVE-2014-0322 exploit in this attack is hosted on a US server
  • We observed the malicious Shockwave Flash (Tope.swf SHA:910de05e0113c167ba3878f73c64d55e5a2aff9a) being uploaded to VirusTotal on January 20. This was presumably done by the attackers to confirm if antivirus had protection for the exploit. At the time there was zero detection
  • The exploit may use an in-memory attack with no file writes to avoid detection from antivirus products
  • Early analysis indicates correlations between this attack and the DeputyDog and EphemeralHydra groups

 

CVE-2014-0322 Attack Analysis

 

Contributors: Alex Watson, Victor Chin - Websense Security Labs

 

Websense Security Labs ThreatSeeker telemetry has confirmed the existence of the Microsoft Internet Explorer 10 0-day exploit CVE-2014-0322 beginning as early as January 20 2014, predating the previously believed first use by nearly three weeks.

 

The CVE-2014-0322 exploit has been seen hosted and delivered from the following URL, which was first seen by Websense on January 20, 2014:

hxxp://gifas.assso.net

 

hxxp://gifas.assso.net is presumably a fake site meant to look like hxxp://gifas.asso.fr, which is a French aerospace association:

 

GIFAS, the French aerospace industries association, has more than 300 members, from major prime contractors and system suppliers to small specialist companies. Activities extend from civil and military aircraft and helicopters to engines, missiles and armament, satellites and launch vehicles, plus aerospace, defence and security major systems, equipment, subassemblies and associated software. 


The use of the very similar domain name may indicate that the French aerospace association is the target, but this domain does not appear to be a campaign with active lures, yet. 

 

Domain History for assso.net

 

An anonymous DNS registration service was originally used to register the domain "assso.net" which was updated to direct users to the malicious site on January 20, 2014. 

 

Name Servers: NS05.DOMAINCONTROL.COM|NS06.DOMAINCONTROL.COM

Registrar Name: GODADDY.COM, LLC

Admin Contact: info com 
hepinglui 
buxhidao, pinghing 512326
8613590978619 

215027763@qq.com 

Registrant Contactinfo com 
hepinglui 
buxhidao, pinghing 512326
8613590978619 

215027763@qq.com 

 

As of January 28, 2014 gifts.assso.net resolved to 173.252.252.204. This IP address is geolocated to Santa Clara, Calif. We noticed the SHA1 for Tope.swf being uploaded to VirusTotal on January 20 (the same day as the fake gifas.assso.net site was set up), with no detection at the time by AV vendors. Presumably this was done by the attackers to check AV coverage for their malware before starting their attacks, further indicating that January 20 was the initial rollout of this campaign of attacks using this 0-day.

Similarity with other observations of CVE-2014-0322

 

As is in the HTTP stream shown below, visitors going to hxxp://gifts.assso.net are linked to include.html, which sets up the ROP exploit and "Tope.swf" Shockwave Flash file (SHA1: 910de05e0113c167ba3878f73c64d55e5a2aff9a) which is utilized after the CVE-2014-0322 use after free vulnerability to access memory through ActionScript in the SWF file.

 


Checking for Microsoft's Exploit Mitigation Toolkit

 

Additional similarities to the attacks on the US Veterans of Foreign Wars website include the Javascript-based check for Microsoft's EMET (exploit mitigation toolkit) which is attempted to be loaded as an XML to determine whether the DLL is present. If the DLL is verified as existing, the attack JavaScript aborts the attack.

 var steeple    ="<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'res://C:\\windows\\AppPatch\\EMET.DLL'>";

Malicious Content in Tope.swf Shockwave Flash File

 

Below is code located in the Tope.SWF that leads to a second stage dropper called "Erido.jpg". Code snippet below :

 

 

The code above shows the Shockwave Flash ActionScript downloading content but not actually storing it to a file. The follow-on code below shows a buffer being written and read as "little endian" to denote the order for the byte array to be executed. The _local(x) variables look to be calculations in memory which makes us believe this is an "in memory" only attack, presumably to make antivirus detection more difficult.

 

 

Analysis of the Malicious ActionScript (AS3) Code

 

Below is the use after free type vulnerability that is triggered when the Vector class is allocated / freed

In the code above, the string: 

appears to  be the culprit responsible for causing the vulnerability to return to malicious memory space allocated.

Links to DeputyDog and EphemeralHydra Campaigns

 

The similarities in the exploit, delivery and search for the EMET.DLL indicate that the same group of threat actors is most likely behind the malicious URL above and the attacks that have been covered by FireEye. More detailed analysis coming soon.

 

[UPDATE]

If you are concerned about your exposure to this vulnerability due to the use of Microsoft Internet Explorer 10 we would recommend that you consider upgrading to Internet Explorer 11.  You can find out more information at Microsoft's IE page here.

This attack is known to check for the presence of Microsoft's Enhanced Mitigation Experience Toolkit (EMET).  If it is found then the exploit attempt terminates.  You can find out more about how to deploy EMET in Microsoft's overview here and the EMET knowledge base article.


Read more »