Tuesday, June 12, 2007 3:18 PM
cmosby
McAfee Avert Labs Blog - MS07-027: Revenge of the Script Kiddies
Monday June 11, 2007 at 5:14 am CST
Posted by Shinsuke Honjo, Geok Meng Ong
While we have been talking about the rise of organized cyber crime, the script kiddies have not been taking a break. CVE-2007-2221 was patched in MS07-027 on May 8, 2007, barely two days after a proof of concept was published on the Internet. During the weeks that followed, we saw the original proof-of-concept exploit code posted on hundreds of script kiddie websites and forums. Granted, every proof of concept we have seen in the past spread like wildfire, and CVE-2007-2221, a vulnerability in a non-default Windows service, is unlikely to have an impact quite like Exploit-AniFile.c. So what's the big deal?
Amusingly, we see many variations of the original proof-of-concept code. In most cases we know they all originated from the same source because none of the comments or the author's name were changed (oh yes, script kiddies give credit too). Some impress with shellcode "boosters"; others rip off a heap buffer overflow "turbo kit" from Exploit-VMLFill; all that for a vulnerability that does not even involve a buffer overflow. With so many script kiddie goodies in circulation, the vulnerability even earned itself a GUI script kiddie tool, written by an 18-year-old.
What brought this to our attention was an in-the-wild discovery of Exploit-CVE2007-2221. We believe this is the first time a malicious exploit for CVE-2007-2221 has been discovered in the wild. Exploit-CVE2007-2221 abuses a vulnerability in a Microsoft Windows Media Server 4.1 component through Internet Explorer. When successful, attackers can overwrite arbitrary files on the victim's machine with malware.
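A practitioner reading this will want to verify that the vulnerable ActiveX component is actually blocked on their hosts rather than rely on the exploit pages being down. The PowerShell function below is an added example, not code from the McAfee post or from Microsoft: it checks whether Internet Explorer's kill bit (the 0x400 bit of the "Compatibility Flags" value under the ActiveX Compatibility key) is set for a given control and whether that control's DLL is still registered. It assumes the reader supplies the CLSID from the MS07-027 bulletin; no CLSID is hard-coded here.

```powershell
# Added example (not from the original post). Checks whether IE's kill bit is
# set for an ActiveX control and whether the control is still registered on
# this host. The CLSID is supplied by the caller (take it from the MS07-027
# bulletin); none is assumed in this code.
function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Clsid   # '{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}' or a bare GUID
    )

    # Normalise to the braced upper-case form IE uses as a registry key name.
    $key = '{' + ([Guid]$Clsid).ToString().ToUpper() + '}'

    # Kill-bit flag value documented by Microsoft (KB 240797).
    $KILL_BIT = 0x400

    # 64-bit hosts keep a second copy of the key for 32-bit IE under Wow6432Node.
    $compatPaths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$key",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$key"
    )

    $killBitSet = $false
    foreach ($p in $compatPaths) {
        if (Test-Path $p) {
            $flags = (Get-ItemProperty -Path $p).'Compatibility Flags'
            if ($null -ne $flags -and ($flags -band $KILL_BIT) -ne 0) {
                $killBitSet = $true
            }
        }
    }

    # Is the control still registered as an in-process COM server?
    $dll = $null
    $clsidRoots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    )
    foreach ($root in $clsidRoots) {
        $srv = Join-Path $root "$key\InprocServer32"
        if (Test-Path $srv) {
            $dll = (Get-ItemProperty -Path $srv).'(default)'
            break
        }
    }

    New-Object PSObject -Property @{
        Clsid      = $key
        Registered = ($null -ne $dll)
        Dll        = $dll
        KillBitSet = $killBitSet
        # IE refuses to instantiate the control only when the kill bit is set;
        # an unregistered control is harmless until something re-registers it.
        SafeInIE   = ($killBitSet -or ($null -eq $dll))
    }
}

# Usage (CLSID taken from the MS07-027 bulletin, not shown here):
# Test-ActiveXKillBit -Clsid '{...}'
```

Two caveats worth keeping in mind: the kill bit only stops Internet Explorer and other hosts that honour it from loading the control, so a `SafeInIE` of true is not a substitute for installing MS07-027; and a control that is registered but has no kill bit is exactly the state the in-the-wild exploit page above relies on.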
The discovered exploit code was hosted on hxxp://web733{blocked}914.{blocked}.128web.com, which had reportedly hosted the infamous Exploit-AniFile.c back in March 2007. At the time of writing, the malicious payload was no longer available for download. The Exploit-CVE2007-2221 used on this site was, as you may have guessed, generated with that "shellcode-enhanced" script kiddie tool.
As for the malicious sites monitored by McAfee Avert Labs, some are dead, have moved, or no longer host exploit code. However, as long as site administrators do not enforce a policy of taking malicious sites down, many will continue to seek opportunities to host new malware, and will be reawakened whenever a new exploit becomes available for their malicious activities. But did they tell you the exploit code doesn't even have to make sense?
Source: Computer Security Research - McAfee Avert Labs Blog
Filed under: Security and Anti-Virus, Patch Management, Microsoft Windows, AntiVirus Information, Internet Explorer, Internet Hacks