Wednesday, July 22, 2009

Another IE 0-day


Another 0-day is being exploited in the wild against Microsoft Internet Explorer. The bug is in msvidctl.dll (the Microsoft Video ActiveX Control) when it handles a media file; in the in-the-wild exploitation a *.gif file has been used. Below is our analysis of the in-the-wild exploit (we replaced the shellcode with %ucccc, i.e. 0xcc int3 breakpoints).

Figure 1.0 shows the exception handler being executed and control transferring to our jump address (0x0c0c0c0c).


Figure 2.0 shows the shellcode (0xcc) being executed.




It is not a common stack overflow bug. Read the excellent vulnerability analysis by Websense <a href="http://securitylabs.websense.com/content/Blogs/3434.aspx">here</a>.

MyCERT has released an <a href="http://www.mycert.org.my/en/services/advisories/mycert/2009/main/detail/677/index.html">advisory</a> and a workaround (yes, with pictures) on how to set the 'kill bit' for this control's CLSID, which stops Internet Explorer from instantiating the control.


Wednesday, July 15, 2009

Conficker.C and DNS


I have been working on tracking Conficker's DNS queries in order to identify machines and networks infected with Conficker.C. Tracking 50K DNS names and 500+ queries from each Conficker instance is a bit troublesome when you have to record all DNS queries (200M records/day) and compare them against the 50K/day Conficker.C domain names. :)

The main idea is that infected machines can be identified from the queries Conficker.C makes when trying to contact its C&amp;C. Below is one result from our tracking of Conficker.C DNS queries for the .MY domains in the hitlist:




Another result from the tracker.


Looking at the trends in both pictures, they come from the same source (see the geomap). Why? :)

The tracker is basically Ruby code built on the dnsruby and ruby-pcap libraries, capturing packets and processing only the DNS ones. So far the tracker is working fine, except when it receives malformed DNS traffic, which it normally discards.
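As an added illustration of the matching step (not the tracker's own code, which this post does not show), here is a stand-alone Ruby sketch: it parses the QNAME out of raw DNS query payloads without dnsruby, discards malformed or non-query messages the way the post describes, and checks each name against the day's hitlist held in a Set. The hitlist domains and the packets are constructed sample data, not Conficker.C's real generated names or captured traffic.

```ruby
require 'set'

# Extract the question name from a raw DNS message (the UDP payload, header
# included). Returns the lowercased QNAME, or nil when the message is not a
# plain single-question query or is malformed (truncated, oversized labels,
# compression pointers in the question, non-ASCII bytes). The tracker in the
# post discards such traffic; so does this function.
def dns_query_name(payload)
  return nil if payload.bytesize < 12                 # shorter than a DNS header
  _id, flags, qdcount = payload.unpack('nnn')
  return nil if (flags & 0x8000) != 0                 # QR bit set: a response, not a query
  return nil unless qdcount == 1                      # a resolver lookup carries one question

  labels = []
  pos = 12
  total = 0
  loop do
    return nil if pos >= payload.bytesize             # name runs past the end of the packet
    len = payload.getbyte(pos)
    pos += 1
    break if len.zero?                                # root label terminates the name
    return nil if len > 63                            # >63 is illegal; 0xC0.. would be a pointer
    return nil if pos + len > payload.bytesize        # label body truncated
    total += len + 1
    return nil if total > 253                         # whole name too long
    labels << payload.byteslice(pos, len)
    pos += len
  end
  return nil if labels.empty?                         # a bare root query is not interesting here
  return nil if pos + 4 > payload.bytesize            # QTYPE and QCLASS must follow the name

  name = labels.join('.')
  return nil unless name.ascii_only?                  # hitlist names are ASCII; anything else cannot match
  name.force_encoding(Encoding::UTF_8).downcase
end

# Build a minimal DNS query (A record, IN class) for a name. Used only to
# construct the sample traffic below; real input would come from ruby-pcap.
def build_query(id, name)
  qname = name.split('.').map { |label| [label.bytesize, label].pack('Ca*') }.join + "\x00".b
  [id, 0x0100, 1, 0, 0, 0].pack('n6') + qname + [1, 1].pack('nn')
end

# Match every query against the hitlist. packets is an array of
# [source_ip, dns_payload] pairs; hitlist is a Set of lowercase domain names.
# Returns the matched names per source and how many payloads were discarded.
def track_conficker_queries(packets, hitlist)
  hits = {}
  discarded = 0
  packets.each do |src_ip, payload|
    name = dns_query_name(payload)
    if name.nil?
      discarded += 1                                  # malformed or not a query: drop it
      next
    end
    (hits[src_ip] ||= Set.new) << name if hitlist.include?(name)
  end
  { hits: hits, discarded: discarded }
end

# Constructed hitlist for the day: made-up names, not Conficker.C's real list.
SAMPLE_HITLIST = Set.new(%w[qwzptmk.my hvrlcbx.com.my zzkqnop.my]).freeze

# Constructed traffic: [source IP, UDP payload]. Not captured data.
def sample_packets
  response = build_query(7, 'qwzptmk.my')
  response.setbyte(2, response.getbyte(2) | 0x80)     # set QR so it looks like a response
  [
    ['10.0.0.5', build_query(1, 'qwzptmk.my')],        # hitlist match
    ['10.0.0.5', build_query(2, 'www.mycert.org.my')], # benign lookup
    ['10.0.0.5', build_query(3, 'ZZKQNOP.MY')],        # match; names compare case-insensitively
    ['10.0.0.9', build_query(4, 'hvrlcbx.com.my')],    # hitlist match
    ['10.0.0.9', "\x00\x05\x01\x00\x00\x01".b],         # truncated header: discarded
    ['10.0.0.9', build_query(6, 'qwzptmk.my')[0, 20]],  # question cut off mid-name: discarded
    ['10.0.0.7', response]                              # response, not a query: discarded
  ]
end

if __FILE__ == $PROGRAM_NAME
  result = track_conficker_queries(sample_packets, SAMPLE_HITLIST)
  result[:hits].each { |ip, names| puts "#{ip} queried #{names.size} hitlist name(s): #{names.to_a.join(', ')}" }
  puts "discarded #{result[:discarded]} malformed or non-query payload(s)"
end
```

Holding the 50K daily names in a Set keeps each of the 200M lookups O(1), so the cost is dominated by capture and parsing rather than matching; the Set has to be rebuilt every day because the hitlist changes daily. In a live tracker the `[source IP, payload]` pairs would be fed from the UDP port 53 packets ruby-pcap hands over, and a source that queries several hitlist names in a short window is the signal worth alerting on, since a single lookup can also come from a researcher or a typo.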