Microsoft, in their recent Security Bulletin Summary for June 2012, released security bulletin MS12-037, which is a critical security update covering a host of Internet Explorer (IE) versions ranging from IE6 to IE9. This update addresses a specific vulnerability whereby viewers of a specially-crafted Web page using IE could unintentionally trigger an exploit allowing arbitrary code execution in the context of the current user.
Analysis of the Amnesty International website (which has now been rectified) showed the following script injecting an iframe:
This iframe loads another piece of JavaScript hosted on the Russian domain. The framed page itself displays a generic error page suggesting that the requested page is "Under Construction". Once the page has loaded, however, a function named MyTest() is executed and attempts to exploit a vulnerability in the way IE handles cached objects in memory that share the same property ID.
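The injection pattern described above (an iframe pointing at JavaScript on a domain other than the compromised site's own) is something a site owner can scan their own pages for. The following is an added example, not code from the original post or from Symantec, that parses a page's HTML and reports off-origin iframes, flagging those that are hidden or sized to be invisible; the sample HTML and the `attacker.example` domain are constructed placeholders, not the actual injected script.

```python
# Added example: flag <iframe> elements whose src points at a host other than
# the page's own host, the injection pattern described in the post.
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin


class IframeCollector(HTMLParser):
    """Collect src and visibility hints for every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        # Attackers commonly hide injected frames via CSS or a 0/1 pixel size.
        hidden = (
            "display:none" in style
            or "visibility:hidden" in style
            or a.get("width", "").strip() in ("0", "1")
            or a.get("height", "").strip() in ("0", "1")
        )
        self.iframes.append({"src": a.get("src", ""), "hidden": hidden})


def find_suspicious_iframes(page_url, html):
    """Return iframes whose src resolves to a host other than the page's own."""
    page_host = urlparse(page_url).hostname or ""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        target = urlparse(urljoin(page_url, frame["src"]))  # resolve relative src
        host = target.hostname or ""
        if host and host != page_host:
            findings.append({"src": target.geturl(), "host": host, "hidden": frame["hidden"]})
    return findings


# Constructed sample: one benign same-site frame plus one injected, invisible
# off-site frame (placeholder domain, not the real one from the attack).
SAMPLE_HTML = """
<html><body>
<iframe src="/embed/video"></iframe>
<iframe src="http://attacker.example/under_construction.html"
        width="1" height="1" style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes("https://www.example.org/news", SAMPLE_HTML):
        print(finding)
```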
The exploit itself supports a variety of Windows versions and languages including Windows XP, Windows Vista, and Windows 7. English, Russian, Korean, and French are just a few of the supported languages observed in this exploit so far.
The shellcode executed by this exploit is a small downloader that connects to a remote host and downloads an executable, which Symantec detects as Trojan.Naid, a Remote Access Trojan (RAT) first seen by Symantec as early as January 2010.
Trojan.Naid is a Trojan horse program that listens for and accepts a connection from the attacker to essentially provide unauthorized remote control functionality to the compromised computer over a custom communications protocol. This access allows the attacker to perform numerous nefarious activities such as stealing private information or monitoring Internet activities. The Trojan.Naid sample used in this attack and others has been observed to communicate to IP addresses hosted in Hong Kong by local Internet Service Providers.
In part 2 of this blog, we will examine the techniques used in exploiting this vulnerability.
To reduce the possibility of being affected by exploits and their associated malware, Symantec advises users to ensure that they are using the latest Symantec protection technologies with the latest antivirus definitions installed.