Vulnerability in Windows Help Center Misused By Attacker

Security firm Symantec has detected an extremely sophisticated attack against two defense contractors, which exploited the unpatched vulnerability in Windows Help Center disclosed at the beginning of June 2010.

The attack involved gaining unauthorized access to Defense Contractor A's website, then creating a fake press release directory on the server. Into this folder the attackers dropped an obfuscated JavaScript file, a Web page and a binary file.

Code on the Web page inspected the User-Agent header field to extract browser and operating system information; the malicious exploit was then loaded only if the visitor was using Firefox, IE7 or IE8 on Windows XP.

The attacker's second step was to research Defense Contractor B and identify e-mail addresses within that organization. The attacker then sent a series of e-mails, purporting to come from a webmail address, reporting the alleged arrest of the CEO of Defense Contractor B on charges of breaching US export regulations. The e-mails also provided a link that led to the malicious webpage in the fake press release directory hosted on the genuine website of Contractor A.

Martin Lee, Senior Malware Analyst at Symantec Hosted Services, explained that in either case the attacker tries to get the browser to download a second file from the same site. That file contains two levels of malicious JavaScript that abuse the vulnerability in Microsoft Help detected on June 9, 2010, as softpedia.com reported on June 30, 2010.

When exploitation succeeded, the binary file, which was stored on the server with a .txt extension, was dropped and executed by invoking an ActiveXObject. Lee did not name the malware involved in the attack, but noted that it was able to receive instructions from the remote attacker.
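The delivery chain described above (a page served from one directory, a follow-on JavaScript file, then a binary disguised with a .txt extension, all fetched only by Windows XP browsers) leaves a recognisable footprint in the compromised site's web-server logs. The following detector is an added example written for this article, not code from Symantec or the affected contractor; the log lines, the client addresses and the `/press` directory name are constructed, and the Apache combined log format is assumed.

```python
import posixpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined-log style (not logs from the real incident).
# Windows NT 5.1 is the Windows XP kernel version string; NT 6.1 is Windows 7.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jun/2010:10:00:01 +0000] "GET /press/news.html HTTP/1.1" 200 2311 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.5 - - [30/Jun/2010:10:00:02 +0000] "GET /press/news.js HTTP/1.1" 200 9120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.5 - - [30/Jun/2010:10:00:04 +0000] "GET /press/update.txt HTTP/1.1" 200 61440 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.9 - - [30/Jun/2010:10:01:00 +0000] "GET /press/news.html HTTP/1.1" 200 2311 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
198.51.100.9 - - [30/Jun/2010:10:01:01 +0000] "GET /press/news.js HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
192.0.2.77 - - [30/Jun/2010:10:02:00 +0000] "GET /press/news.html HTTP/1.1" 200 2311 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def find_exploit_chains(log_text, window_seconds=30):
    """Return (client, directory, binary_path) for every Windows XP client that fetched,
    in order, an HTML page, a .js file and a .txt file from the same directory
    within window_seconds. Malformed lines are skipped rather than aborting the scan."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        by_client[m["ip"]].append((ts, m["path"], m["ua"]))

    findings = []
    for ip, reqs in by_client.items():
        reqs.sort()  # chronological order per client
        for idx, (t0, page, ua) in enumerate(reqs):
            if "Windows NT 5.1" not in ua or not page.endswith((".html", ".htm")):
                continue  # the exploit page was only served to Windows XP browsers
            directory, seen_js = posixpath.dirname(page), False
            for t, path, _ in reqs[idx + 1:]:
                if t - t0 > timedelta(seconds=window_seconds):
                    break
                if posixpath.dirname(path) != directory:
                    continue
                if path.endswith(".js"):
                    seen_js = True
                elif seen_js and path.endswith(".txt"):
                    findings.append((ip, directory, path))
                    break
    return findings
```

Only the first client completes the page, script, .txt sequence; the Windows 7 client never requests the disguised binary and the third client stops at the page, so neither is flagged.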

An especially striking feature of this attack was the level of preparation undertaken by the attacker, as well as the fact that it targeted two different defense contractors.

It is noteworthy that companies working under Defense Department contracts are regarded as high-profile targets, owing to the nature of the data they handle. Earlier, in January 2010, Finnish anti-virus firm F-Secure stated that several defense contractors were the target of an attack that used malicious PDF files.

SPAMfighter News - 12-07-2010