We’ve actually spotted in-the-wild exploitation of “Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness” (Bugtraq ID 10514), a vulnerability first released in 2003. The exploit does get a little more modern as the code also targets vulnerability from 2009 (MS09-002). Here is a screenshot of the live infected page,
The malicious obfuscated JavaScript has been injected at the bottom of webpage. Let’s decode it. Here is the small part of the decoded script.
From the above code, it is clear that it is targeting the ADODB.Stream vulnerability from 2003. Here is the other part of the decoded content which exploits the MS09-002 vulnerability.
I am not going into the more details of this exploit as the code is pretty self explanatory. It is going to download additional malicious binaries and execute them on the system. The author who discovered this older ADODB.Stream vulnerability has posted a proof-of-concept. For those interested, an explanation of the MS09-002 vulnerability can be found here.
Virustotal results for the infected webpage show it being detected by 13 of 41 AV engines – not very impressive results for a seven year old vulnerability. It would appear that no matter how old vulnerabilities are, attackers will still try to leverage them as weapon. Hopefully most people have patched their systems at some point during the past seven years. Sadly, despite the age of the vulnerability, the use of JavaScript obfuscation has made this attack a challenge for AV vendors – a topic that we’ve discussed in the past.
Umesh
