Last Thursday, Microsoft released an out-of-band update to fix the latest vulnerability in Internet Explorer. Since then, malware operators have been exploiting this vulnerability to install malware on thousands of PCs. So far, we have detected more than 650 different versions of the exploit code, which ESET antivirus detects as Trojan.JS/Exploit.CVE-2010-0249. We have also identified more than 220 unique distribution points for the exploit code, mostly located in Asia. The countries seeing the majority of the attacks are China, Korea and Taiwan.

Here is a typical scenario we have recently analyzed. We came upon a link that is a distribution point for the CVE-2010-0249 exploit code. The shellcode is built with obfuscated JavaScript. The URL of the file that the shellcode will download and execute is appended to the end of the script, just before the vulnerability is triggered. If the vulnerability is successfully exploited, a first-stage binary is downloaded and executed on the victim's system. ESET detects this first-stage binary as Win32/AntiAV.NDD. This first binary tries to disable antivirus protection on the infected host. If the protection is successfully disabled, Win32/AntiAV.NDD writes a system driver to disk and enables it. This system driver is detected as Win32/Agent.ONG, a common malicious program used to download and install more malware on infected hosts. The Trojan fetches a list of links from the same server that distributes the exploit. At the time of analysis, the list of files to download and execute contained 7 links, mostly online game password stealers.

To sum up, if you happen to browse to a web page delivering the latest CVE-2010-0249 exploit code, and if you haven't patched and are not running an up-to-date antivirus, you will end up with 8 different pieces of malware on your PC within seconds.
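The chain above has a recognisable shape in web-proxy logs: a client fetches a page or script, then an executable, then a request back to the original host (the downloader collecting its link list), then several more executables, all within seconds. The following script is an added example, not ESET's code or anything from the analysed campaign; it runs that heuristic over a constructed log sample. The log format, the hostnames, the 30-second window and the threshold of three binaries are all assumptions chosen for illustration.

```python
"""Added example: flag the described drive-by infection chain in proxy logs.

Heuristic: for one client, a page/script request is followed within a short
window by an executable download, a non-binary request back to the host that
served the page (the downloader fetching its list), and several more
executables. Log format, hosts and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log: "timestamp client url content-type".
# None of these hosts or paths are real indicators; they exist only for this example.
SAMPLE_LOG = """\
2010-01-25T10:00:01 10.0.0.5 http://exploit-host.example/index.html text/html
2010-01-25T10:00:02 10.0.0.5 http://exploit-host.example/s.js application/javascript
2010-01-25T10:00:03 10.0.0.5 http://payload-host.example/stage1.exe application/octet-stream
2010-01-25T10:00:05 10.0.0.5 http://exploit-host.example/list.txt text/plain
2010-01-25T10:00:06 10.0.0.5 http://other-host.example/1.exe application/octet-stream
2010-01-25T10:00:06 10.0.0.5 http://other-host.example/2.exe application/octet-stream
2010-01-25T10:00:07 10.0.0.5 http://other-host.example/3.exe application/octet-stream
2010-01-25T10:00:09 10.0.0.9 http://news.example/index.html text/html
2010-01-25T10:00:40 10.0.0.9 http://updates.example/setup.exe application/octet-stream
"""

SCRIPT_TYPES = {"text/html", "application/javascript", "text/javascript"}


def parse_log(text):
    """Parse the constructed log format into dicts with ts, client, url, host, ctype."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, ctype = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "url": url,
            "host": urlparse(url).hostname,
            "ctype": ctype,
        })
    return records


def is_script(rec):
    """Page or script content: a plausible start of the chain."""
    return rec["ctype"] in SCRIPT_TYPES


def is_binary(rec):
    """Executable download by content type or extension."""
    return rec["ctype"] == "application/octet-stream" or rec["url"].lower().endswith(".exe")


def find_driveby_chains(records, window_seconds=30, min_binaries=3):
    """Return one alert per (client, script host) that matches the chain heuristic."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec["client"]].append(rec)

    alerts, seen = [], set()
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            key = (client, start["host"])
            if not is_script(start) or key in seen:
                continue
            deadline = start["ts"] + timedelta(seconds=window_seconds)
            binaries, callback = [], False
            for rec in recs[i + 1:]:
                if rec["ts"] > deadline:
                    break
                if is_binary(rec):
                    binaries.append(rec["url"])
                elif binaries and rec["host"] == start["host"]:
                    # Non-binary request back to the script host after a binary
                    # already arrived: the downloader fetching its link list.
                    callback = True
            if len(binaries) >= min_binaries and callback:
                seen.add(key)
                alerts.append({
                    "client": client,
                    "script_host": start["host"],
                    "first_request": start["url"],
                    "binaries": binaries,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_driveby_chains(parse_log(SAMPLE_LOG)):
        print(alert)
```

The second client in the sample (a page, then a single installer 39 seconds later) does not trigger, which is the point of requiring the callback and the burst of binaries rather than alerting on any executable download. In practice the thresholds should be tuned against the organisation's own proxy data.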

This evolution in the usage of the exploit code follows the natural course we have observed over the last couple of months. Exploits for high-profile vulnerabilities are usually used at first by a small number of attackers against specific targets. Once details of the exploit become public, malware operators integrate the code into their toolbox and use it to infect as many users as possible.

Pierre-Marc Bureau

Senior Researcher