Thursday, March 20, 2008

Something new tonight

Hi folks,

Tonight we found something new in an exploit pack coming from a site in China. Well, the exploit is actually from May 2007, but this is the first time we've seen it in use. This indicates two things. The first is that the Bad Guys are apparently combing older exploit announcements looking for suitable samples. When you think about it, any exploit that allows remote code execution, and for which there is no forced or automatic upgrade of the vulnerable program, is useful to them. Remember, they don't _want_ to catch everybody. They couldn't manage 100k victims. They don't want to cut down the apple tree, but rather just shake it and pick up the fruit that falls off. What this means is that old exploits are still valuable when there is no automatic patch mechanism.

Btw, the exploit in question is a buffer overflow in something called Zenturi ProgramChecker, and is described nicely here: http://www.kb.cert.org/vuls/id/603529.

The second interesting thing is that it is obviously Yet Another Exploit Pack. It has all the common ones that we've come to love and expect with Mpack/IcePack/Neosploit, and the obfuscation scheme is very similar to the one in use with Mpack/IcePack, so this probably means that someone has bought or stolen a copy of Mpack/IcePack, modified it with the addition of the Zenturi exploit, and is now selling it as their own work.

GASP... no, there's no honor among thieves, and Copyright means when you copy it, it'll be right, and all that stuff.

The full list of exploits is ...

Zenturi ProgramChecker
MDAC/MS06-014
VML/MS07-004
Yahoo Webcam Image Uploader
Yahoo Webcam Viewer
Winzip
QuickTime
and
MSXML/MS06-067

By the way, the exploit site is in China (no surprise there), but the lure site is in the USA, and is quite interesting. We might write about that tomorrow.

Cheers

Roger

2 Comments:

At 11:30 AM, Blogger -=[ dxp ]=- said...

Do you mind sharing some of the details regarding the pack?

Specifically, the obfuscation method/technique and the pack's structure.

Or, just a link to the offending CN site.

At 5:56 PM, Blogger tcsl said...

Hi dxp,

Email me off-line and I'll see what I can find. It might be a bit buried by now.

Cheers

Roger
