In Zscaler’s dailyscanning, we identified an instance where CVE-2012-1889 (MSXML Uninitialized Memory Corruption Vulnerability) is still alive. Lets take a look.
The site hxxp://wm.17wan.info:9999/zx/zip.html?mag.fznews.com.cn is a Chinese site, which targets online gamers by serving malicious code which exploits Microsoft XML Core Services. This attack allows a remote attacker to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site. The site serves highly obfuscated code to evade antivirus solutions.
You can see the highly obfuscated code served by the malicious site in the screen shot below.
The highlighted code shows that the a CLSID object is being used, which is exploited by parsing long strings of the letter “A”. This CLSID object is related to the vulnerability detailed in CVE-2012-1889.
Lets take a look at a beautified version of this code.
This highlighted section shows the suspicious function, which leverages the shell code for exploiting the vulnerability.
Here function heapLib() performs a heap spray. You can see the complete series of functions utilized in the full attack.
Let's decode the script which is shown in first screen shot
Here you can see the sourcode contains a link which drops a malicious Rar file.
This site makes a connection with following sites
Zscaler provides complete protection for these threats.