Avatar

Update 2 5/9/2013:

Microsoft has released a “Microsoft fix it” as a temporary mitigation for this issue on systems which require IE8. At this time, multiple sites have been observed hosting pages which exploit this vulnerability. Users of IE8 who cannot update to IE9+ are urged to apply the Fix It immediately.

Update 5/6/2013:

An exploit for this bug is now publicly available within the metasploit framework. Users of the affected browser should consider updating to IE9+ or using a different browser until a patch is released. Given the nature of this vulnerability additional exploitation is likely.

At the end of April a Watering Hole–style attack was launched from a United States Department of Labor website. Many are theorizing that this attack may have been an attempt to use one compromised organization to target another. Visitors to specific pages hosting nuclear-related content at the Department of Labor website were also receiving malicious content loaded from the domain dol.ns01.us. Initially it appeared that this attack used CVE-2012-4792 to compromise vulnerable machines; however, Microsoft is now confirming that this is indeed a new issue. This issue is being designated CVE-2013-1347 and is reported to affect all versions of Internet Explorer 8.

The domain dol.ns01.us may look official, but in reality it belongs to a company named changeip.org. Changeip.org offers “Free Dynamic DNS” among other services. Essentially, a changeip.org customer pays for a base domain name, then if the third-level name is available, it’s included for free.

 

 

changeip.org_

Passive DNS shows that the first sighting of dol.ns01.us was April 30, 2013, and the name is associated with IP address 96.44.136.115.

dns

An nmap TCP connection scan of the IP indicates a Windows box, it is interesting that the MSRPC service is not being firewalled. MSRPC is a very rich attack surface on unpatched/unmaintained machines. It is possible that this could be a compromised machine.

nmap

Reportedly a phone home server is located at microsoftUpdate.ns1.name, another changeip.org address. This was hosted on two different IP addresses previously:

microsoftUpdate.ns1_.name_

The payload itself is base64 encoded within a web page. This is sometimes used in an attempt to evade detection. On the victim machine the browser will automatically decode the payload and will be exploited while attempting to render the web page. Here is some of the decoded payload:

ie8_0day

AlienVault has reported that the web page hosting the exploit contained advanced reconnaissance techniques designed to gather information about the targeted systems which visited the page. This included antivirus and various browser plug-in information. This information will likely be used to facilitate and ensure the success of future attacks. Despite initial reports, CrowdStrike has not yet come to the conclusion that the command and control is related to DeepPanda. If it is, this could mean this is part of an advanced exploit kit.

These techniques, combined with the attempts to bypass security devices by encoding the payload, make this one of the more technically interesting attacks so far this year.



Authors

Craig Williams

Director

Talos Outreach