Tuesday, December 9, 2008

Alert: IE7 0day attack code is already being exploited in drive-by (挂马) attacks

This is the Chinese text from http://www.scanw.com/blog/archives/303, with the English version given by Google Translate.


Alert: IE7 0day attack code is already being exploited in drive-by (挂马) attacks

Release date: 2008-12-09 16:22 (GMT)

Last updated: 2008-12-09 18:13 (GMT)


Given the severity of this vulnerability, and as Microsoft's security service provider in China, we published an advisory at the earliest opportunity, analysed the details of the vulnerability and submitted them to the relevant Microsoft departments in the US; the specific details will not be published here.

The KnownSec team (知道安全团队) recently captured malicious code that exploits an out-of-bounds memory vulnerability in IE7. The vulnerability leaked within a small circle in November, was being fully sold and circulated in the underground industry by around December 9, and someone has already rushed out a web-trojan (网马) generator, so we expect it to become very widespread in the short term.

When our monitoring system first captured this vulnerability, our team did not analyse it in detail: we assumed it was an already-patched vulnerability, and because many web-trojan and code posts were already circulating online, we took it not to be a 0day and pasted the code circulating on the network, together with the code of the trojan-hosting pages, into our internal sharing. This was our mistake :(

History:

IE7's XML handling contains a vulnerability that can lead to out-of-bounds memory access; by crafting malformed XML and using JavaScript to manipulate the shellcode, arbitrary code can be executed.

Rumours of an IE7 vulnerability began circulating in the second half of 2008; private sales started around October, it entered black-market trading in November, and people began offering it for sale in person.

It finally appeared on the network in December: many second- and third-hand copies of the vulnerability circulated within the underground operations layer, from early December large numbers of people bought second-hand code to develop generators, and on the 9th it began to appear in drive-by (挂马) attacks.

Analysis:

Affected versions:

System:



Browser:


Description:

An error in the way SDHTML handles objects leads to memory corruption. Under certain constructed conditions SDHTML can be made to detect an error and release an already allocated object; after releasing it, however, SDHTML does not return but continues executing using the released object's memory. If that memory has since been allocated for another purpose, SDHTML operates on it as though it were still the object. The 0day drive-by pages use an XML SRC string object to occupy the space of the freed object; because the object pointer contains a function routine pointer, this ultimately leads to code execution.

Since the vulnerability has not yet been patched, please wait for Microsoft's official patch release for a detailed reference on the specifics.

Defense:

1. Watch the official Microsoft website and download the patch as soon as it is available.

2. Enable DEP protection:

System Properties - Advanced - Performance - Data Execution Prevention

This can prevent the malicious attack.

3. Add wwwwyyyyy.cn and sllwrnm5.cn to the HOSTS file to block them.

Copy the following entries into HOSTS:
wwwwyyyyy.cn
sllwrnm5.cn
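The following PowerShell script is an added example, not part of the KnownSec advisory: it checks whether the DEP policy from mitigation 2 actually covers IE7 and applies the HOSTS block from mitigation 3. It assumes an elevated session and uses 127.0.0.1 as the sinkhole address, which the advisory does not state.

```powershell
# Added example (not from the advisory). Run in an elevated PowerShell session.

# Mitigation 2: inspect the system DEP policy via WMI.
# DataExecutionPrevention_SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn,
# 2 = OptIn (client default: only Windows binaries), 3 = OptOut (all programs
# except those explicitly excluded).
$os     = Get-WmiObject -Class Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
$names  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
"DEP available: $($os.DataExecutionPrevention_Available); policy: $($names[$policy])"

# IE7 does not opt itself into DEP, so the default OptIn policy leaves
# iexplore.exe unprotected. Only AlwaysOn or OptOut covers the browser,
# which is what "Turn on DEP for all programs" in the dialog selects.
if ($policy -ne 1 -and $policy -ne 3) {
    Write-Warning ('DEP does not cover IE7 on this machine. Select "Turn on DEP ' +
                   'for all programs" (Vista+: bcdedit /set nx OptOut; ' +
                   'XP: /noexecute=OptOut in boot.ini) and reboot.')
}

# Mitigation 3: sinkhole the two drive-by domains named in the advisory.
# Existing entries are left alone so the file is not polluted by re-runs.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$domains   = 'wwwwyyyyy.cn', 'sllwrnm5.cn'
$existing  = Get-Content -Path $hostsPath
foreach ($domain in $domains) {
    # Match a whole hostname token at the end of a line (ignores comments/partials).
    $pattern = '\s' + [regex]::Escape($domain) + '\s*$'
    if (-not ($existing -match $pattern)) {
        Add-Content -Path $hostsPath -Value "127.0.0.1`t$domain"
        "Blocked $domain"
    } else {
        "$domain already present in HOSTS"
    }
}
```

A HOSTS block only covers the two domains the advisory names; it does not stop the same pages served from other hosts, so the patch and a DEP policy that covers IE7 remain the real fix.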


- EF
