Snort detections for Targeted attack using CVE-2012-0754 exploit

The Contagiodump blog published an analysis of a targeted attack using a new CVE-2012-0754 exploit. The blog covers the whole exploit attempt in great detail, including the exploit and payload analysis. I will not repeat the analysis in this post but will cover the key points. I liked the adjacent picture posted on the Contagio blog so much that I shamelessly copied it.

  • Like all targeted attacks, it started with a Word document attachment in an email, “Iran’s Oil and Nuclear Situation.doc”.
  • This document has an embedded Flash file which is coded to download and parse a malicious MP4 file.
  • This specially crafted MP4 file exploits a vulnerability in Adobe Flash Player versions before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris, allowing attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.


We can detect exploit attempts against this vulnerability using the SNORT rules below. I would recommend having network detections for similar exploit attempts until your network is completely patched for this vulnerability.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Potential download of CVE-2012-0754 exploit MP4 file."; flow:to_client, established; flowbits: isset, file.quicktime; content:"Content-Type: video/mp4";nocase; http_header; content:"|66 74 79 70 6d 70 34 32|"; file_data; distance:4; within: 8; content:"|0c 0c 0c 0c 0c 0c 0c 0c|"; file_data; distance:28; within: 30; flowbits: unset, file.quicktime; sid:1000028;rev:1;)

The rule above uses the flowbit file.quicktime, which is set by sid:15865 when it detects the download attempt of an MP4 file.

If you don’t want to detect the download attempt and are interested only in the exploit, the rule below can be used instead.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Potential download of CVE-2012-0754 exploit MP4 file."; flow:to_client, established; content:"Content-Type: video/mp4";nocase; http_header; content:"|66 74 79 70 6d 70 34 32|"; file_data; distance:4; within: 8; content:"|0c 0c 0c 0c 0c 0c 0c 0c|"; file_data; distance:28; within: 30; reference:url,contagiodump.blogspot.in/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; classtype:misc-attack; sid:1000029;rev:1;)

Microsoft detects the payload dropped by the exploit (SHA1: 8b79abcb79a8ab962d386dfc3e51ac5de9428d4f) as Trojan:Win32/Yayih.A.

Stay safe!

Update: If your SNORT is configured with the FILE_DATA_PORTS variable, which covers SMTP ports as well, replace the $HTTP_PORTS variable in the rules above with it to extend the detection across multiple protocols. Thanks to rmkml for the suggestion.

Special thanks to Mila Parkour from Contagiodump for sharing the exploit details.

Update: The Snort signature below is more reliable than the rules written above. Kindly update your rules.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Potential download of CVE-2012-0754 exploit MP"; flow:established,to_client; content:"|66 74 79 70 6D 70 34 32|"; fast_pattern; content:"|6D 70 34 32 69 73 6F 6D|"; distance:0; content:"|63 70 72 74 00 FF FF FF|";distance:0; classtype:attempted-user;reference:url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html#more;reference:bid,52034; reference:cve,2012-0754; sid:1000028; rev:2;)
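As an added example (not from the original post or from Contagio's analysis), the Python below re-implements the byte-pattern checks of the rules above against constructed MP4 headers, so a captured file can be sanity-checked offline before a rule is deployed. The sample bytes are constructed, not the real exploit file, and the first rule's distance:4/within:8 is interpreted relative to the start of the file body.

```python
import struct

def mp4_box(kind: bytes, payload: bytes) -> bytes:
    """Build an ISO BMFF box: 4-byte big-endian size, 4-byte type, payload."""
    return struct.pack(">I", 8 + len(payload)) + kind + payload

def iter_boxes(data: bytes):
    """Yield (offset, type, payload) for each top-level box; stop on truncation."""
    pos = 0
    while pos + 8 <= len(data):
        size, kind = struct.unpack(">I4s", data[pos:pos + 8])
        if size < 8 or pos + size > len(data):
            break  # malformed or truncated box: never read past the buffer
        yield pos, kind, data[pos + 8:pos + size]
        pos += size

def matches_rev2(data: bytes) -> bool:
    """sid:1000028 rev:2 body: 'ftypmp42', then 'mp42isom', then 'cprt 00 FF FF FF',
    each found after the end of the previous match (Snort distance:0)."""
    pos = 0
    for needle in (b"ftypmp42", b"mp42isom", b"cprt\x00\xff\xff\xff"):
        pos = data.find(needle, pos)
        if pos < 0:
            return False
        pos += len(needle)
    return True

def matches_rev1_body(data: bytes) -> bool:
    """sid:1000028 rev:1 body: 'ftypmp42' starting 4 bytes in and fitting within
    the next 8 bytes, then eight 0x0C bytes starting 28 bytes after that match
    and fitting within the following 30 bytes (distance/within from file start)."""
    first = data.find(b"ftypmp42", 4, 4 + 8)
    if first < 0:
        return False
    window_start = first + 8 + 28
    return b"\x0c" * 8 in data[window_start:window_start + 30]

# Constructed sample (not the real exploit): ftyp with major brand mp42 and compatible
# brands mp42/isom, a free box padded so the 0x0C run lands at offset 40, then a cprt box.
SAMPLE = (
    mp4_box(b"ftyp", b"mp42" + b"\x00" * 4 + b"mp42" + b"isom")
    + mp4_box(b"free", b"\x00" * 8 + b"\x0c" * 8)
    + mp4_box(b"cprt", b"\x00\xff\xff\xff" + b"\x00" * 4)
)
# Constructed benign header: major brand isom, so neither rule body should fire.
BENIGN = mp4_box(b"ftyp", b"isom" + b"\x00" * 4 + b"isom" + b"mp42")

if __name__ == "__main__":
    print(matches_rev1_body(SAMPLE), matches_rev2(SAMPLE), matches_rev2(BENIGN))
```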


This entry was posted on Tuesday, March 6th, 2012 at 12:07 am and is filed under Malware analysis, Snort Signature. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
