CVE-2012-1889 Is Still Alive!
In Zscaler’s dailyscanning, we identified an instance where CVE-2012-1889 (MSXML Uninitialized Memory Corruption Vulnerability) is still alive. Lets take a look.
The site hxxp://wm.17wan.info:9999/zx/zip.html?mag.fznews.com.cn is a Chinese site, which targets online gamers by serving malicious code which exploits Microsoft XML Core Services. This attack allows a remote attacker to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site. The site serves highly obfuscated code to evade antivirus solutions.
https://www.virustotal.com/en/file/3eaf208c67ec268b969f260f55ef7d70fd06f3b086a6dcc9fdfb57758dd62240/analysis/1380076165/You can see the highly obfuscated code served by the malicious site in the screen shot below.
Lets take a look at a beautified version of this code.
This highlighted section shows the suspicious function, which leverages the shell code for exploiting the vulnerability.
Here function heapLib() performs a heap spray. You can see the complete series of functions utilized in the full attack.
Let's decode the script which is shown in first screen shot
Here you can see the sourcode contains a link which drops a malicious Rar file.
This site makes a connection with following sites
Zscaler provides complete protection for these threats.