Wednesday, December 05, 2007

MDAC ActiveX Code Execution Exploit Still in the Wild

Who needs zero day vulnerabilities when the average end user is still living in the perimeter defense world and believes that security means nothing more than running a firewall and anti virus software? Now that's of course a rhetorical question, given how modern malware is either blocking the update process of these applications or shutting them down almost by default these days.

The following URLs are currently active and exploiting CVE-2006-0003. Despite the fact that it was patched on 11 April, 2006, the last quarter of 2007 showcased the malware authors' simplistic assumption that outdated but unpatched vulnerabilities can be just as effective as zero day ones. When the assumption proved to be true -- take Storm Worm's use of outdated vulnerabilities as the best and most effective example -- it automatically lowered the entry barriers into the world of malware, breaking through the myth that it's zero day vulnerabilities that act as the key success factor for a malware embedded attack on a large scale.

These are all courtesy of what looks like Chinese folks, and represent a good example of malicious economies of scale, a concept that emerged during 2007. Years ago, when a vulnerability was found and an exploit released, malicious parties were quick to take advantage of the "window of opportunity", following the myth that the more publicity the vulnerability receives, the more useless it will get, given more people will patch. That's wishful thinking, which the people behind Storm Worm apparently perceived as FUD-ish, and by not following it they ended up operating the largest botnet known for the time being - a botnet that was built on the foundations of outdated vulnerabilities pushed through emails, using sites as the infection vector, and not a single zero day one.

How are risks hedged? Risks are hedged by following the simple diversification principle, which from a malicious perspective means increasing the probability of success. By using a single exploit URL like the MDAC one in this case, the chances for success are much lower compared to diversifying the "exploits set", a daily reality these days thanks to the emerging malicious economies of scale mentality in the form of web exploitation kits, with MPack, IcePack, WebAttacker, the Nuclear Malware Kit and Zunker as the most popular ones.

Here's a related article - "Zero-Day Exploits on The Decline":

"One of the reasons is that bad guys don't have to use them (zero day)," said Skoudis, who also founded information security consultancy Intelguardians. For example, he said, the Storm worm propagates itself through users clicking on an e-mail link, and does not require a zero-day exploit to function. "When simple techniques work, there is no need to unfurl zero-days," Skoudis said. "Attackers can just save them for more targeted attacks."

So, how did the people behind Storm Worm end up with the world's largest botnet? They simply didn't believe in the effectiveness of populist generalizations of security in the form of patching, and abused the miscommunication between the industry that's still preaching that perimeter defense is the panacea of security, and the end user, the one whose Internet connectivity results in all the spam, phishing and malware we're all receiving. They stopped targeting what the solutions protect from, and migrated to niche attack approaches to use as infection vectors - today's client side vulnerabilities, courtesy of the malware exploitation kits that were found embedded in the majority of infected web site incidents I've been assessing for the last couple of months.
