Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

CVE-2010-0806 Exploit In The Wild

image
THREATLABZ
April 06, 2010 - 2 min read
Security Insights

Contents

  1. Article
  2. More blogs

CVE-2010-0806, a use-after-free vulnerability in the Peer Objects component, was announced in mid-March 2010. The vulnerability impacts Internet Explorer 6, 6 SP1, and 7 - a patch was made available by Microsoft in the MS10-018 security update last week. Zscaler received early notification of the vulnerability through our trusted partnership with Microsoft and was able to deploy signatures to detect and block exploit attempts soon after the public release of the vulnerability.

Today this site was detected and blocked for attempting to exploit CVE-2010-0806:
hxxp://cn.cnsa56.info/w/woz.htm
--> and supporting script: hxxp://cn.cnsa56.info/w/k.js

The JavaScript used to exploit the vulnerability is heavily obfuscated,
ImageAnd the script contains some try-catch statements to evade detection and some automated analysis tools,
Imageand
ImageThe above try{} statements will fail, so the code within catch{} will be run, which defines some variables and logic for decoding the above shellcode.

Wepawet fails to decode/analyze properly, and categorizes the URL as benign. VirusTotal has 2/39 Anti-Virus engines that detect as a suspicious JavaScript downloader through their heuristic engines.

After decoding and analyzing the shellcode, it downloads the payload:
hxxp://v.vkjk6.info/w/win.exe

Unfortunately, VirusTotal shows no detection for this file. When conducting basic analysis on the binary payload, it becomes obvious that this is not a valid PE executable. It is likely that the binary is encrypted or obfuscated and that the shellcode run from the CVE-2010-0806 exploit will decode the binary on the victim's machine. (I will run the exploit in a sandbox, and post any follow-on analysis of the payload).

Often times, the domain information for malicious domains is masked through a domain privacy service (like Domains by Proxy)- however, this was not the case for the domains involved in this attack.

Here is the billing information for the cnsa56.info domain:
ImageThis same registration information was used for another live domain: ac364.info

And for vkjk6.info:
Image126.com is a free email provider,

 

Image
The registration information, email provider used, and variable names used in the attack indicate the attacker is a Chinese speaker and possibly of Chinese nationality.

 

form submtited
Thank you for reading

Was this post useful?

vote yes
Yes, very!
vote no
Not really

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read post
TOITOIN Trojan
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read post

01 / 02

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.