MiniDuke Exploits Java and Internet Explorer Vulnerabilities to Compromise Computers
While analysing the MiniDuke backdoor, researchers from Kaspersky and CrySyS Lab have discovered previously unknown infection mechanisms that, according to them, rely on vulnerabilities in Java and Internet Explorer.
When the campaign was first discovered, it was observed to use a zero-day vulnerability in Adobe Reader 9, 10, and 11 (CVE-2013-0640), delivered through spear-phishing e-mails carrying convincing-looking PDF files whose content was drawn from sources such as human rights seminar information, Ukraine's foreign policy, and NATO (North Atlantic Treaty Organization) membership plans.
However, it turns out that this might not be the only method by which it propagates.
Researchers at Kaspersky also report that, while going through one of MiniDuke's C&C (command and control) servers, they came across files that appear to have been prepared specifically to infect visitors by means of web-based vulnerabilities.
The exploit page operates either as an exploit for the Java vulnerability CVE-2013-0422 or for the IE8 (Internet Explorer 8) flaw CVE-2012-4792. Both exploits are very similar to the ones published in Metasploit, and both deliver MiniDuke's main backdoor module, which then retrieves instructions from the very same Twitter account.
"Even though the exploits were already identified and published during the attack, they were still very new and could have been employed against designated targets," says Igor Soumenkov, a Kaspersky Lab expert, according to a statement published by darkreading.com on March 11, 2013.
During the first week of March 2013, researchers at Bitdefender found that a variant of MiniDuke had been operating since 20 June 2011, predating a previously seen variant of the spyware by a year.
Bitdefender said that this sample currently requests encrypted C&C instructions through an active Twitter account, with a single instruction posted on February 21, 2012. This 2011 version does not use Google to look for command and control instructions, but lies dormant if it cannot connect to Twitter.
SPAMfighter News - 20-03-2013