We are starting our weekly review with a big and ugly exploit. It’s actually not a real exploit, but more like an exploit serving application. It tries to take advantage of 9 known vulnerabilities in order to download and execute an e-threat detected by BitDefender as Generic.Malware.dld!!.8EC79AB8. Here is a brief description of those exploits:
1. Snapshot Viewer Control.1: This is an exploit of the Microsoft Access Snapshot Viewer ActiveX control. It doesn’t have any obvious symptoms, however the exploit allows an attacker to download any file to an arbitrary location on the victims computer. The downloaded file cannot be launched remotely, however the malware can be places in the users startup folder, so it gets executed automatically when the system reboots.
More information availableon BitDefender site and Microsoft Support.
3. Adodb.Stream is an exploit for the ADODB.Stream object, that offers the access to binary files on the victims computer. It allows an attacker to create an invisible iframe to http://222.213asd??.com/ms06014.js which in turn will download the malware mentioned above.
4. ShockwaveFlash.ShockwaveFlash.9 is an exploit for the Flash Player prior to version 18.104.22.168. The exploit serves different malformed swf files to the user depending on which Player version he has installed. The files take advantage of a vulnerability in the Player that allows an attacker to download and run arbitrary files on the users computer.
7. A RealPlayer exploit (IERPCtl.IERPCtl.1 component ) which, for versions lower than 22.214.171.1242, pushes this script 222.213asd??.com/real.js that takes a different approach for distinct versions. If the user has a newer version it creates an invisible iframe with http://222.213asd??.com/Real11.html which again downloads the same threat.
8. Baidu Search Bar (BaiduBar.Tool) exploit that is making use of the vulnerable “DloadDS” function that refers to a *.CAB file on http://222.213asd??.com/Baidu.cab which contains a “Baidu.exe” that is obviously our malware
9. Xunlei Thunder exploit (ActiveXObject DPClient.Vod) with another invisible iframe that leads to 222.213asd??.com/Thunder.html which was not available at the time of analysis however it’s probably downloading the same file.All these exploits download a file named mas1.css or mas1.exe which is a downloader, packed with FSG, for Generic.Malware.dld!!.8EC79AB8.