Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

IE 0-Day On GOV.CN

image
THREATLABZ
January 25, 2010 - 2 min read
A few days back, there was a post on a forum about malware warnings displayed when visiting: www[dot]latax[dot]gov[dot]cn

Image
Translates:

Image

Upon analysis of the page, it appears that this GOV.CN page is hosting a page exploiting the Internet Explorer 0-day vulnerability (CVE-2010-0249). The same vulnerability exploited to compromise Google, Adobe, and other vendors in an attack dubbed 'Operation Aurora.'

Here is a snippet of the GOV.CN source, building the shellcode variable:
Image
There is a slight deviation to the way that the shellcode is constructed (visible in above image) from some of the other variants that we have seen. Though, it uses the same exploit structure as past variants, including the ev1() and ev2() function names.
The ev1() function is used to dereference the previously declared event object:Imageand attack the vulnerability
Imageusing the ev2() function to load the shellcode into memory and call the previously dereferenced object:
ImageThe JavaScript loads the shellcode and exploits the vulnerability, which downloads the payload v.exe from the same GOV.CN domain.
VirusTotal identifies 12/41 Anti-Virus engines detect the v.exe payload. It is a variant of the Chinese based Hupigon Backdoor, which F-Secure lists some of its features as:
• It allows others to access the computer
• Allows for recording with the user's webcam
• Can make the user's computer to attack various servers
• Send victim's computer messages
• Has rootkit functionality so it has a stealth component that hides files
• Create logs from keystrokes, steals passwords, and sends this information to remote servers

The Hupigon malware kit is described as being "maintained in a very professional fashion with a highly developed User Interface (UI)." Screenshot below:

Image
This is just one example of this IE 0-day impacting GOV.CN sites; I have seen a few other reports of this. While there are several other examples of malware being hosted on GOV.CN domains, for example,
  • .wscz.gov.cn
  • .zhepb.gov.cn
  • .jssalt.gov.cn
  • .xfgh.gov.cn
  • .laspzx.linan.gov.cn
  • .zsjs.nmfc.gov.cn
The question is: are these CN Government sponsored for the purposes of potentially spying on its citizens, or have GOV.CN websites been infiltrated by hackers? In either case, browse safe, and if you are using IE 6, please upgrade or consider a different browser.
form submtited
Thank you for reading

Was this post useful?

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.