#by Joshua Gimer
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"ET CURRENT_EVENTS Possible XML 0-day for Internet
Explorer Exploitation Attempt"; flow:established,from_server; content:"document.write('
classtype:web-application-attack; reference:url,isc.sans.org/diary.html?storyid=5458; sid:2008876; rev:3;)
#by matt jonkman, re sllwrnm2.cn/a1/ss.htm
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"ET CURRENT_EVENTS Possible XML 0-day for
Internet Explorer Exploitation Attempt (obfuscation 1)"; flow:established,from_server; content:"|7c|XML|7c 7c|if|7c|SPAN|7c|navigator|7c|CDATA|7c|http|7c
|com|7c|w2k3|7c|appVersion|7c|version|7c|nt|7c 7c|X|7c|MSIE|7c|wxp|7c|114|7c|HTML|7c|DATAFLD|7c
|DATASRC|7c|DATAFORMATAS|7c|ID|7c|while|7c|2003|7c|";
classtype:web-application-attack;
reference:url,isc.sans.org/diary.html?storyid=5458; sid:2008877; rev:2;)
Revision history of the signatures for IE7 0day can be found HERE.
ShadowServer.org has released more information on this, which can be found HERE.
If the above link has changed, here is the information that was given in the above link:
Wednesday, 10 December 2008
IE7 0-Day Exploit Sites
As many of you have seen, there is a new 0-day exploit in the wild affecting Internet Explorer 7 users. This is a new exploit that is being actively exploited and it was not patched yesterday (meaning there is no patch available, yet). Visiting a website with this exploit can result in a full compromise of an affected system. Currently most of the exploits out there will attempt to download a trojan onto the system. Shadowserver is aware of several hosts which are currently hosting exploit code designed to exploit this vulnerability. We would like to share this information so that it can be used for protection and detection. However, we strongly discourage visiting these sites for any reason. DO NOT visit the below sites as they are currently house live exploit code for the new IE7 0day exploit. The majority if not all of them also house several other exploits for different vulnerabilities as well.
We came across a good many of these ourselves while we also had help from others in the security community that shared the sites. We would like to thank them as the information can now being passed on to you for mitigation. If you know any other sites that can be added to this list of IE7 exploit sites (for the current 0day issue), please drop us a line - steven [at] shadowserver [dot] org.
Domains known to be currently exploiting this vulnerability:
baidu.bbtu01.cn - 61.160.213.194
baidu.bbtu02.cn - 61.160.213.194
baidu.bbtu03.cn - 61.160.213.194
baidu.bbtu04.cn - 61.160.213.194
baidu.bbtu05.cn - 61.160.213.194
baidu.bbtu06.cn - 61.160.213.194
baidu.bbtu07.cn - 61.160.213.194
baidu-baiduxin1.cn - 121.12.173.218
baidu-baiduxin2.cn - does not resolve - possibly hostile in the future
baidu-baiduxin3.cn - 59.34.197.63
baidu-baiduxin4.cn - 121.12.173.218
baidu-baiduxin5.cn - 61.143.211.187
baidu-baiduxin6.cn - 121.12.173.218
baidu-baiduxin7.cn - 121.12.173.218
baidu-baiduxin8.cn - 121.12.173.218
baidu-baiduxin9.cn - 59.34.197.63
baidu-baiduzi1.cn - 121.12.173.218
baidu-baiduzi2.cn - 121.12.173.218
baidu-baiduzi3.cn - 121.12.173.218
baidu-baiduzi4.cn - 121.12.173.218
baidu-baiduzi5.cn - 121.12.173.218
baidu-baiduzi6.cn - 121.12.173.218
baidu-baiduzi7.cn - 121.12.173.218
baidu-baiduzi8.cn - 121.12.173.218
baidu-du1.cn - 59.34.197.63
baidu-du2.cn - 202.108.22.180
baidu-du3.cn - 59.34.197.63
baidu-du4.cn - 59.34.197.63
baidu-du5.cn - 121.12.173.218
baidu-du6.cn - 121.12.173.218
baidu-du7.cn - 59.34.197.63
baidu-du8.cn - 121.12.173.218
baidu-du9.cn - 61.143.211.187
sllwrnm1.cn - 59.34.216.92
sllwrnm2.cn - 59.34.216.92
sllwrnm3.cn - does not resolve - possibly hostile in the future
sllwrnm4.cn - 59.34.216.92
sllwrnm5.cn - 59.34.216.92
sllwrnm6.cn - 59.34.216.92
sllwrnm7.cn - 59.34.216.92
sllwrnm8.cn - 59.34.216.92
sllwrnm9.cn - 59.34.216.92
sllwrnm10.cn - 59.34.216.92
sllwbd1.cn - 61.164.118.209
sllwbd2.cn - 61.164.118.209
sllwbd3.cn - 61.164.118.209
sllwbd4.cn - 59.34.216.92
sllwbd5.cn - 59.34.216.92
sllwbd6.cn - 59.34.216.92
sllwbd7.cn - 59.34.216.92
sllwbd8.cn - 59.34.216.92
sllwbd9.cn - 59.34.216.139
sllwbd10.cn - 59.34.216.92
zlwrnm1.cn - does not resolve - possibly hostile in the future
zlwrnm2.cn - does not resolve - possibly hostile in the future
zlwrnm3.cn - does not resolve - possibly hostile in the future
zlwrnm4.cn - does not resolve - possibly hostile in the future
zlwrnm5.cn - 59.34.216.139
zlwrnm6.cn - does not resolve - possibly hostile in the future
zlwrnm7.cn - 59.34.216.139
zlwrnm8.cn - 59.34.216.139
zlwrnm9.cn - 59.34.216.139
zlwrnm10.cn - 59.34.216.139
zlwrnm11.cn - 59.34.216.139
zlwrnm12.cn - 59.34.216.139
zlwrnm13.cn - 59.34.216.139
zlwrnm14.cn - 59.34.216.139
zlwrnm15.cn - 59.34.216.139
zlwrnm16.cn - does not resolve - possibly hostile in the future
zlwrnm17.cn - 59.34.216.139
zlwrnm18.cn - 59.34.216.139
zlwrnm19.cn - 61.164.118.209
zlwrnm20.cn - 61.164.118.209
360avva.akvvv.cn - 58.53.128.136
vip.4s3w.cn - 121.10.107.233
cc4y7.cn - 58.215.76.155
hhhh8886.cn - 121.12.104.88
qqqqttrr.cn - 121.12.104.88
rrrrrrryyy.cn - 121.12.104.88
wwwwyyyyy.cn - 121.12.104.88
fyesn.cn - 121.10.107.233
-- The above list is the data we have as of December 10, 2008 - 20:26 UTC/GMT--
Updated/additional sites:
baidu.baibai1.cn - 61.160.213.143
baidu.xinlang1.cn - 61.160.213.194
cc4y6.cn - 121.10.107.233
cc4y8.cn - 121.10.107.233
The following sites have not been seen hosting the IE7 exploits but are closely associated with above sites and should be considered for blocking/monitoring:
cc4y1.cn - 121.10.107.233
cc4y2.cn - 121.10.107.233
cc4y3.cn - 121.10.107.233
cc4y4.cn - 121.10.107.233
cc4y5.cn - 58.215.76.155
cc4y9.cn - 58.215.76.155
baidu.baibai2.cn - 61.160.213.143
baidu.baibai3.cn - 61.160.213.143
baidu.baibai4.cn - 61.160.213.143
baidu.baibai5.cn - 61.160.213.143
baidu.xinlang2.cn - 61.160.213.143
baidu.xinlang3.cn - 61.160.213.143
baidu.xinlang4.cn - 61.160.213.143
You may have noticed there are a relatively small number of IP addresses involved in our list. It appears that some of the attackers have created several domains with essentially the same set of exploits. We will be updating this list as we get more.
Detection and Prevention
Right now there are just a few things you can do to detect and prevent. Emerging Threats has a few Snort rules that have been released and you can get those by clicking here. However, these will only detect the specific unmodified variants they were written for, so do not consider these fool proof. It can't hurt to throw the rules in though!
Now for prevention, the first step you can take is to block the above domains and/or IP addresses. These sites are for the most part hosting a bunch of bad stuff and not just an IE7 exploit. However, there are certainly sites that we have missed and new ones that will pop up frequently, so this will not stop completely stop it all either. The only other real option against this exploit for now is an obvious one and that's to just not use IE7 until the issue has been resolved. If you are aware of other fixes, please feel free to shoot them our way.
Updated: Microsoft has released a security advisory detailing this vulnerable here. There are additional workarounds now listed such as enabling DEP for IE7. Please take a look.
=>Posted December 10, 2008, at 12:22 PM by Steven Adair
And for getting more info on the exploits, check out yesterday's posting on Exploit release.
- EF
No comments:
Post a Comment