By Dave Michmerhuizen – Research Scientist
Barracuda Labs researchers have been following the CVE-20120-4969 vulnerability since it was discovered by Eric Romang while he was researching recent Java vulnerabilities. Instances of the exploit have been sighted in the wild, and today we happened across one that illustrates just how it works and how it's being used – at least so far.
This exploit is delivered by coercing a user to visit a specially crafted web page, and this is the one we found.
As has been the case with other instances, this (possibly compromised) website was chosen to appeal to those in the space and defense industries. It's not very likely this is a drive-by attack. Although we found none in our honeypots, we believe links to this page have been included in spam emails that were sent to carefully chosen members of those communities with messages requesting a meeting or offering some information. What makes this vulnerability so serious is that just one click on a link in such an email is all it takes to completely carry out the exploit.
The HTML code of that web page shows what is really going on. It really is a case of what you can't see that hurts you.
Two additional HTML pages are loaded into invisible Iframe elements. That's never a good thing.
First comes MT.HTML, which will take advantage of the vulnerability once it is exploited. It sprays the heap (bypassing ASLR) with shellcode that will download and execute a payload.
Then DODGE.HTML checks the browser and java version and, if Internet Explorer is found, sets up the exploit and triggers it.
The exploit triggers automatically and the result is the download and execution of a backdoor which gives the attacker full access to the computer, and, if they're lucky, the organizational network that the computer is on.
Once the backdoor is installed it begins sending signals to the remote attacker. Given that the IP of yzin.com (184.108.40.206) does not match that of the destination traffic to photo.yzin.com (220.127.116.11, hosted by Korean Telecom), it's possible the root domain is the victim of a subdomain hijack.
One message that we repeat often here at Barracuda Labs is “Don't click that link!” We find that users believe that they can tell what is spam and what isn't and are confident that they'll be able to see something bad coming and stop it or get out of the way. That's just not the case with these sorts of attacks. Malicious actors keep developing exploits and refining deceptive messages until they get in the door. While Barracuda Web Filters and the Barracuda Web Security Service stop the download of this threat and Microsoft has issued a work-around for the problem, the repeated appearance of zero-day vulnerabilites like this one are a good reason to investigate preventative technologies such as NoScript and Sandboxie.
And if a little voice says “Don't click that link” – don't.