View Full Version : MS07-009 exploit code released

2007-03-26, 20:06

- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=758
March 26, 2007 ~ "Full exploit code was published this morning for MDAC vulnerability MS07-009. The original demonstration of this vulnerability occurred on July 29, 2006 in HD Moore's Month of Browser Bugs #29. At the time, only a denial-of-service demonstration was published... Our scanners are now actively searching for any live sites that are attempting to exploit this vulnerability. This type of vulnerability has been very popular with malicious attacks in the past and we expect to see its usage increase substantially, now that exploit code is publicly available. On February 13, 2007, Microsoft® released patch MS07-009 to address this vulnerability. We recommend that you apply this patch immediately, if you have not yet done so. See the Microsoft Security Bulletin at:
> http://www.microsoft.com/technet/security/bulletin/ms07-009.mspx ..."

Also noted here: http://www.us-cert.gov/current/#ADODBActiveX


2007-03-26, 22:21

- http://www.websense.com/securitylabs/blog/blog.php?BlogID=115
Mar 26 2007 ~ "...Everything starts with a very kind email, offering us a unique opportunity for investment, where we can make a minimum of 15% profit per day for a period of 10 days... What we do not see is the code trying to exploit the MDAC vulnerability it contains. Through that code, it downloads and executes a file called Junix.exe, which is a self-extracting, compressed file that contains several other files:
* bpk.exe
* bpkhk.dll
* bpkr.exe
* inst.dat
* pk.bin
The two exe files and the dll are in charge of handling the keystrokes and sending the information to the attacker. The inst.dat file contains configuration data for installing the application. The pk.bin file contains the email address where the information is being sent, along with additional data. To avoid being discovered, the files bpk.exe, bpkhk.dll, and pk.bin are encrypted with a simple XOR operation. After everything has been installed on the system, the malware notifies the attacker that the installation has been successfully carried out... After alerting the attacker, it remains vigilant for anything typed on the keyboard and captures it. Additionally, every five minutes it takes a full-sized screenshot and prepares a thumbnail of it. These are both kept in a directory called dt, which the Trojan has previously created. Then the captured information is sent to the attacker, so that he or she can check which pages we have been visiting and what we have been typing..."

(More detail and screenshots available at the URL above.)