Monday, July 6, 2009

New MS 0-day ActiveX (MSVidCtl dll exploit)



This was just announced this morning and was found in the wild on several Chinese forums. Apparently this has been rampant for almost a month undetected.

This is a client side (browser) exploit, so visiting a malicious site will result in infection.

There is one known hotfix and that is to set a "kill bit" in the registry for the ActiveX component.

* Create a registry key called:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]

Then, create a dword value named "Compatibility Flags" and give it a value of 400.
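
The two registry steps above as a PowerShell script (an added example, not part of the original post). It assumes an elevated prompt, treats the "400" as hexadecimal 0x400 (the kill-bit flag), and also covers the Wow6432Node view read by 32-bit Internet Explorer on 64-bit Windows, which the post does not list.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
$Clsid   = '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'   # CLSID from the post
$KillBit = 0x400                                      # the post's "400" is hexadecimal
$Name    = 'Compatibility Flags'

# Native view, plus the 32-bit view read by 32-bit IE on 64-bit Windows
# (the Wow6432Node path is an addition; the post lists only the first key).
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags([string]$Key) {
    # Returns the current flags, or 0 when the key or value is missing.
    $prop = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($prop) { return $prop.$Name }
    return 0
}

function Set-KillBit([string]$Root) {
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the bit in so any flags already set on the control are preserved.
    $flags = (Get-CompatFlags $key) -bor $KillBit
    New-ItemProperty -Path $key -Name $Name -Value $flags -PropertyType DWord -Force | Out-Null
}

foreach ($root in $Roots) {
    # Skip the 32-bit view on 32-bit Windows, where Wow6432Node does not exist.
    if ($root -like '*Wow6432Node*' -and -not (Test-Path 'HKLM:\SOFTWARE\Wow6432Node')) { continue }
    Set-KillBit $root
    # Read the value back and confirm the kill bit is actually present.
    $flags = Get-CompatFlags (Join-Path $root $Clsid)
    $state = if (($flags -band $KillBit) -eq $KillBit) { 'kill bit set' } else { 'NOT set' }
    '{0}: flags=0x{1:X8} ({2})' -f $root, $flags, $state
}
```

Entering 400 as a decimal value in the registry editor stores 0x190, which does not set the kill bit, so the read-back check is worth keeping.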

Here are the current Snort IDS/IPS signatures for this exploit:


# The URI is part of the client's request, so this rule matches traffic from the client to the server.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MSVidCtl 0-day"; flow:to_server,established; uricontent:"/aa/go.jpg"; nocase; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=6733; sid:3000305; rev:2;)


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely MSVIDCTL.dll exploit in transit"; flow:to_client,established; content:"|00 03 00 00 11 20 34|"; content:"|ff ff ff ff 0c 0c 0c 0c 00|"; within:70; classtype:trojan-activity; sid:2009493; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft DirectShow ActiveX Load"; flow:to_client,established; content:"clsid"; nocase; content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; nocase; reference:url,csis.dk/dk/nyheder/nyheder.asp?tekstID=799; classtype:web-application-attack; sid:2009xxx; rev:0;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft DirectShow ActiveX Exploit Attempt"; flow:to_client,established; content:"clsid"; nocase; content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; nocase; content:"omybro"; nocase; content:"logo.gif"; nocase; reference:url,csis.dk/dk/nyheder/nyheder.asp?tekstID=799; classtype:web-application-attack; sid:2009xxx; rev:0;)
