
SANS ISC InfoSec Handlers Diary Blog



VML vuln being actively exploited

Published: 2006-09-25
Last Updated: 2006-09-25 23:41:46 UTC
by Adrien de Beaupre (Version: 1)
MessageLabs has reported that e-cards are being used as an attack vector, exploiting the VML vulnerability in Microsoft Internet Explorer to download malware. There has been an upswing in web sites hosting the exploit and, of course, in the malware downloads that follow.

A reader wrote in after having seen a VML exploit and reviewing his firewall logs. The following web site URLs are deliberately munged and obfuscated until the site owners respond to the emails and phone calls advising them of the problem; do not visit them with any web browser on a Microsoft platform.
The first site is
http:// www .allied(snipped) parts .com
The bottom of that page contains an iframe which loads:
http:// www .traffl(snipped) .info/out.php?s_id=1
which in turn fetches:
http://www .webmasters(snipped) .com/s_test/test/ vml_sp2_gamer .htm

which contains the VML exploit. The fun doesn't stop there: by now the system is thoroughly owned, and more malware follows.

vml_sp2_gamer.htm pulls gamer.exe off the same site, which in turn grabs gamer1.exe and counter.exe and also reports the successful infection to another URL, raff loads.info. gamer1.exe is a password stealer that is already detected by ClamAV as Trojan.Spy.Goldun-141.
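Added example, not from this diary or from the reader's report: a small Python script that reconstructs this kind of drive-by chain from web proxy or firewall logs, following Referer headers from a landing page through a redirector to an HTML page and flagging any executables the same client fetches shortly afterwards. The log format, hostnames and timestamps are constructed placeholders; the real hosts were munged above on purpose.

```python
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log: "time client url referer". Hostnames are placeholders
# (the diary deliberately munged the real ones); the shape mirrors the reported
# chain: landing page -> redirector -> .htm exploit page -> .exe downloads.
SAMPLE_LOG = """\
2006-09-25T12:00:01 10.0.0.5 http://www.partsshop.example/ -
2006-09-25T12:00:02 10.0.0.5 http://www.traffic.example/out.php?s_id=1 http://www.partsshop.example/
2006-09-25T12:00:02 10.0.0.5 http://www.webhost.example/s_test/test/vml_sp2_gamer.htm http://www.traffic.example/out.php?s_id=1
2006-09-25T12:00:04 10.0.0.5 http://www.webhost.example/s_test/test/gamer.exe http://www.webhost.example/s_test/test/vml_sp2_gamer.htm
2006-09-25T12:00:09 10.0.0.5 http://www.webhost.example/s_test/test/gamer1.exe -
2006-09-25T12:00:10 10.0.0.5 http://www.webhost.example/s_test/test/counter.exe -
2006-09-25T12:01:00 10.0.0.7 http://www.news.example/index.html -
"""

def parse_log(text):
    """Parse the constructed format into dicts; '-' means no Referer header."""
    return [{"ts": datetime.fromisoformat(ts), "client": c, "url": u, "referer": None if r == "-" else r}
            for ts, c, u, r in (line.split() for line in text.splitlines() if line.strip())]

def referer_depth(event, seen):
    """Count how many earlier requests from this client the Referer chain walks back through."""
    depth, ref = 0, event["referer"]
    while ref in seen and depth < 10:  # bound guards against Referer cycles
        depth, ref = depth + 1, seen[ref]["referer"]
    return depth

def find_driveby_chains(events, window=60):
    """Flag an HTML page reached via >=2 Referer hops (landing -> redirector -> page)
    that the same client follows with .exe downloads within `window` seconds."""
    findings, by_client = [], {}
    for ev in events:
        by_client.setdefault(ev["client"], []).append(ev)
    for client, evs in by_client.items():
        seen = {}
        for i, ev in enumerate(evs):
            path = urlparse(ev["url"]).path.lower()
            if path.endswith((".htm", ".html")) and referer_depth(ev, seen) >= 2:
                exes = [e["url"] for e in evs[i + 1:]
                        if (e["ts"] - ev["ts"]).total_seconds() <= window
                        and urlparse(e["url"]).path.lower().endswith(".exe")]
                if exes:
                    findings.append({"client": client, "page": ev["url"], "executables": exes})
            seen[ev["url"]] = ev
    return findings

if __name__ == "__main__":
    for f in find_driveby_chains(parse_log(SAMPLE_LOG)):
        print(f)
```

On the constructed log this reports one chain for client 10.0.0.5 ending at vml_sp2_gamer.htm with three executable downloads; the browsing from 10.0.0.7 is not flagged because its page was reached directly.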

Many thanks to Daniel and Swa and the other ISC handlers.

Cheers,
Adrien de Beaupré
Cinnabar Networks/BSSI
