Recently, a DeepSight honeypot was compromised by a rogue website that served a variety of malicious scripts to users. Of the dozens of websites we investigate every day, what makes this case special is that it is the first detected instance of in-the-wild exploitation of the Microsoft Internet Explorer Speech API 4 COM Object Instantiation Buffer Overflow Vulnerability (BID 24426). This exploit appears to be derived from the publicly available exploit released at milw0rm.com.

The vulnerability lies in the way two COM objects in the Speech API 4, namely the Windows DirectSpeechSynthesis Module (XVoice.dll, EEE78591-FE22-11D0-8BEF-0060081841DE) and the DirectSpeechRecognition Module (XListen.dll, 4E3D9D1F-0C63-11D1-8BFB-0060081841DE), handle certain user input. An attacker can instantiate these COM objects via Internet Explorer and pass overly long arguments to certain routines. In this case, the exploit passes a maliciously crafted argument (ModeName) to the DirectSS.FindEngine function. The overflowed buffer is then populated with attacker-supplied shellcode that overwrites the Structured Exception Handler, resulting in the execution of arbitrary code. This exploit is detected as Bloodhound.Exploit.150 by Norton AntiVirus.

Upon further investigation we found that this website was also serving an exploit that leveraged an unpatched vulnerability in a very popular Chinese peer-to-peer file sharing application called Xunlei (Thunderbolt in English). Xunlei has an estimated user base of around 80 million, which makes it a very lucrative target. The vulnerability lies in Xunlei WebThunder, a web-based alternative to the original application that is accessible through browsers such as Microsoft Internet Explorer. The COM control ‘ThunderServer.webThunder.1’ (03507A1A-E0C5-4404-AA26-205385C0892D) fails to properly validate the supplied user input. The attackers abused a certain sequence of routines exposed by this COM control in order to download arbitrary files onto the user’s system. This exploit is detected as Downloader by Norton AntiVirus. Both of these client-side exploits deliver the same malicious payload, which is detected as W32.Looked.BK.

Another interesting aspect of this attack was the clever JavaScript obfuscation used to hide it. At first glance, what appeared to be a garbled webpage turned out to be an obfuscated JavaScript exploit using up to six levels of obfuscation (see image). This is primarily used to evade web-application security products that implement on-the-fly script parsers. This is how the exploit was obfuscated:

1. For the original exploit, all the variable names are randomized and the string values are replaced by their hexadecimal counterparts.
2. It is then encoded using a wrapper function that performs mathematical substitution operations on the code.
3. The wrapper function is further encoded using the JavaScript escape() function.
4. All the new-line characters in the resulting code are then escaped.
5. It is then packed with a routine that performs another set of substitution operations on the code.

Client-side attacks have become the most prominent vector in the ever-evolving threat landscape. With their increased reach, ease and effectiveness, such attacks have become the bread and butter of cyber-criminals. Almost every other day we hear of a legitimate website being compromised to host such attacks, with innocent users bearing the brunt. We expect both the frequency and the complexity of such attacks to increase. To avoid falling victim to such an attack, users should patch their systems regularly, update their AntiVirus definitions and browse only trusted websites.
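The obfuscation layers described above are what a triage analyst has to peel before any signature can fire. The following is an added example, not code from the original post or from DeepSight: it strips escape()-style layers (steps 3 and 4) from a captured script and flags the COM identifiers named in this post. The sample script is constructed for the example; the substitution wrappers of steps 2 and 5 are attacker-specific and would still need a sandboxed interpreter, so this is a first-pass check, not a full deobfuscator.

```javascript
// Identifiers discussed in the post; a hit on any of them in a web page is
// worth escalating, since there is no legitimate reason to script them.
const INDICATORS = [
  "EEE78591-FE22-11D0-8BEF-0060081841DE", // XVoice.dll  (DirectSpeechSynthesis)
  "4E3D9D1F-0C63-11D1-8BFB-0060081841DE", // XListen.dll (DirectSpeechRecognition)
  "03507A1A-E0C5-4404-AA26-205385C0892D", // ThunderServer.webThunder.1
  "DirectSS.FindEngine",
  "ThunderServer.webThunder.1",
];

// Undo one layer: escaped new-lines (step 4), then escape() encoding (step 3).
// Heuristic on purpose: a legitimate "\n" inside a string literal is unfolded
// too, which is harmless for indicator matching.
function peelLayer(s) {
  const unfolded = s.replace(/\\r/g, "\r").replace(/\\n/g, "\n");
  return unescape(unfolded); // Annex B global; a no-op on text without %xx sequences
}

// Keep peeling until a layer no longer changes; returns every layer seen.
function deobfuscate(script, maxLayers = 10) {
  const layers = [script];
  let current = script;
  for (let i = 0; i < maxLayers; i++) {
    const next = peelLayer(current);
    if (next === current) break;
    layers.push(next);
    current = next;
  }
  return layers;
}

// Scan every layer (not only the innermost) so partially packed copies still match.
function findIndicators(script) {
  const layers = deobfuscate(script);
  const hits = new Set();
  for (const layer of layers) {
    const upper = layer.toUpperCase();
    for (const ind of INDICATORS) {
      if (upper.includes(ind.toUpperCase())) hits.add(ind);
    }
  }
  return { depth: layers.length - 1, hits: [...hits].sort() };
}

// Constructed sample: an inner script that merely names two indicators,
// wrapped in eval(unescape(...)) and escape()-encoded twice.
const INNER = 'var clsid = "EEE78591-FE22-11D0-8BEF-0060081841DE";\nvar fn = "DirectSS.FindEngine";';
const SAMPLE = escape('eval(unescape("' + escape(INNER) + '"))');
```

Run `findIndicators(SAMPLE)` to get the layer depth and the sorted list of identifiers found across all layers.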