Elderwood Project Behind Latest Internet Explorer Zero-Day Vulnerability


 

In our recent blogs about the latest Internet Explorer zero-day vulnerability, we explained what watering hole attacks are and referenced our research paper about the Elderwood Project. The paper highlights a string of watering hole attacks by the Elderwood group. After revisiting those previous attacks, we have been able to confirm that this latest Internet Explorer zero-day is a continuation of the Elderwood Project.
 

Related Elderwood zero-day vulnerabilities

The following are the vulnerabilities produced by the Elderwood group that are directly related to the most recent Internet Explorer zero-day.

CVE

BID

Description

Discovered

2012-1875

53847

Microsoft Internet Explorer CVE-2012-1875 Same ID Property Remote Code Execution Vulnerability

May 2012

2012-1889

53934

Microsoft XML Core Services CVE-2012-1889 Remote Code Execution Vulnerability

Jun 2012

2012-4969

55562

Microsoft Internet Explorer Image Arrays Use-After-Free Remote Code Execution Vulnerability

Sep 2012

2012-4792

57070

Microsoft Internet Explorer 'CDwnBindInfo' Use-After-Free Remote Code Execution Vulnerability

Dec 2012

Table 1. Vulnerabilities produced by the Elderwood group
 

In May 2012, Amnesty International’s Hong Kong website was compromised and used to serve up a malicious SWF file that exploited CVE-2012-1875. In September 2012, the same group was responsible for CVE-2012-4969.  In addition, late last month the website for a US based think tank was compromised to serve up CVE-2012-4792. But that wasn’t the only site serving this vulnerability.

Security Researcher Eric Romang wrote about another website that was found to be hosting the latest Internet Explorer zero-day. In his post, he also ties the same website to another zero-day vulnerability, CVE-2012-4969, back in September. Our own research has come to the same conclusion and we can add that this website was compromised to serve CVE-2012-1889 back in June with a file called movie.swf. The file, movie.swf, is associated with the Elderwood Project.
 

Figure 1. Three zero-day vulnerabilities hosted on a single site
 

Shockwave files

We have analyzed a sampling of the SWF files that were used in the Elderwood watering hole attacks and found that the Flash exploit author included symbols in some of the attacks.

Filename

CVE

Common symbols

 

 

HeapSpary

hexToBin

OS_Version

URL_Addr

Flahs_Version

Geoffrey.swf

2012-1875

Yes

Yes

Yes

Yes

Yes

Moh2010.swf

2012-4969

Yes

Yes

Yes

Yes

Yes

Today.swf

2012-4792

Yes

Yes

Yes

No

No

Table 2. Symbols included in attacks
 

Figure 2. Comparison of symbols used in the decompiled ActionScript
 

As noted in Figure 2, all the samples we identified include a function named HeapSpary. HeapSpary is a clear mistyping of Heap Spray, a common attack step used in vulnerability exploitation. In addition to this commonality, there are many other symbols in common between the files. Examples include Geoffrey.swf and Moh2010.swf both using variables named URL_Addr and Flahs_Version (mistyping of Flash_Version), as well as all three exploit files using the variable name OS_Version.

We were unable to recover the symbols of movie.swf for comparison, but movie.swf is tied directly to Moh2010.swf by the packer registrant information for the SWF files. Additionally, movie.swf and Moh2010.swf share similar structure and shellcode.

AlienVault Labs has previously published some great research investigating the authors behind the Moh2010.swf attacks – the attackers believed to be behind the latest attack.

It has become clear that the group behind the Elderwood Project continues to produce new zero-day vulnerabilities for use in watering hole attacks and we expect them to continue to do so in the New Year.