• Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg
  • Delicious

Anti-Malware Laboratory

Yet Another Malware Blog

About

An informal blog from your friendly neighborhood software security humans.

Blog Archive

  • ►  2015 (5)
    • ►  October (1)
    • ►  August (2)
    • ►  May (1)
    • ►  March (1)
  • ►  2014 (8)
    • ►  October (1)
    • ►  July (1)
    • ►  June (1)
    • ►  May (4)
    • ►  April (1)
  • ▼  2013 (12)
    • ►  December (3)
    • ▼  November (5)
      • Upatre - Zbot downloader in a Spam
      • CryptoLocker - a Ransomware
      • DETAILED ANALYSIS OF Trojan.Win32.Duqu: The Key Lo...
      • CVE 2013 3918 - Another zero day?
      • CIDOX Bootkit
    • ►  August (2)
    • ►  March (2)
  • ►  2012 (35)
    • ►  April (4)
    • ►  March (12)
    • ►  February (17)
    • ►  January (2)

Categories

adobe (1) android (10) android february (1) baksmali (1) Black Hole (2) crimepack (1) disassembler (1) exploit (3) Exploits (4) Fakeav Winrar sfx (1) Fishbowl (1) flash (1) gift certificates (1) Google Authenticator (1) google play (1) hcp (1) java (1) Malware (5) mdac (1) Mobile (24) NSA Mobility Program (1) obfuscated script (1) pdf (1) Reversing (2) rhino (1) skype (1) smali (1) spam (1) test (1) Unpacking (1) vouchers (1) vulnerability (3)

Popular Posts

  • Bank of America spam: An Analysis
    An email claiming to be from Bank of America lures users to open an attachment that shows how to open secure emails from the bank. The mess...
  • [BE CAUTIOUS] Dragon Ball Z: Resurrection of F MALWARE and SCAM
    Be wary of downloading movies in torrent sites.  Executables can also be executed with a file size as huge as a gigabyte...
  • Unpacking MFC Compiled CryptoWall Malware
    Unpacking MFC Compiled CryptoWall Malware Introduction First and foremost, this article does not intend to analyze what CryptoWall malw...

Visitors to this blog

Wednesday, November 13, 2013

CVE 2013 3918 - Another zero day?

Posted on Wednesday, November 13, 2013 by Unknown | No comments
Another HTML exploit has surfaced and made a scene on the AV industry this November 2013. An exploit that takes advantage of the vulnerability of an ActiveX component of Internet Explorer which allows code execution when a user views a specially crafted webpage. Details on the vulnerability can be found on this Microsoft website.

ThreatTrack's Vipre 2013 detects this as Lookslike.HTML.CVE-2013-3918.a

The exploit uses a technique known as ROP (return-oriented-programming) that allows itself to run in non-executable memory areas. Once successfully exploited, it will intentionally exchange the address of the stack and heap and change the memory protection so that it can execute its shellcode. 


ROP in action

In order to for it to execute, it changes the memory protection of the said area using VirtualProtect.


Changes protection level of memory

Once everything is in order, it will pass execution to the part of its shellcode that decrypts and computes for the API's needed to inject itself to another process.

  • LoadLibraryA
  • Winexec
  • CreateThread
  • OpenProcess
  • CreateProcessA
  • VirtualAllocEx
  • WriteProcessMemory
  • CreateRemoteThread
 
It uses the said APIs to create a process named "rundll32" under Internet Explorer, writes another section of its shellcode and activates the process using CreateRemoteThread API. It's interesting to note that it covers itself with multiple layers of encryption and employs multiple jumps in memory to avoid easy detection.

An example of decrypting code

Decryption in rundll32


Another interesting feature of this payload is in the way it calls for the APIs it needs. It initially sets up a jump table that points to single function that performs the call (specifically a jmp) varying only  in the values it pushes. It is highly possible that it enforces this type of calling method in order to prevent researchers to easily identify the calls it uses and to quickly analyze the contents of its body.





Jump table for calling API

While its previous characteristics are trivial, the main purpose of this payload is to connect to a remote server that can be used or is being used for targeted attacks. It connects and listens to a remote IP address 111.68.9.93



Connects to a remote server



Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)
volute-glacial
volute-glacial
 volute-glacial
volute-glacial
Copyright © Anti-Malware Laboratory | Powered by Blogger
Design by Fabthemes | Blogger Template by NewBloggerThemes.com