exploit the possibilities

Technical Cyber Security Alert 2010-55A

Technical Cyber Security Alert 2010-55A
Posted Feb 25, 2010
Authored by US-CERT | Site us-cert.gov

Technical Cyber Security Alert 2010-55A - Malicious activity detected in mid-December targeted at least 20 organizations representing multiple industries including chemical, finance, information technology, and media. Investigation into this activity revealed that third parties routinely accessed the personal email accounts of dozens of users based in the United States, China, and Europe. Further analysis revealed these users were victims of previous phishing scams through which threat actors successfully gained access to their email accounts.

tags | advisory
SHA-256 | cceaf3df3ab1ccf182366803b6bfb56b7c9cea916f742e8b4f9563252efe670d

Technical Cyber Security Alert 2010-55A

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA10-055A


Malicious Activity Associated with "Aurora" Internet Explorer Exploit

Original release date:
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
* Microsoft Internet Explorer 6, 7, and 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows 2008, Windows 7, and Windows Server 2008 R2


Overview

Malicious activity detected in mid-December targeted at least 20
organizations representing multiple industries including chemical,
finance, information technology, and media. Investigation into
this activity revealed that third parties routinely accessed the
personal email accounts of dozens of users based in the United
States, China, and Europe. Further analysis revealed these users
were victims of previous phishing scams through which threat actors
successfully gained access to their email accounts.


I. Description

Through analysis of the malware used in this incident, McAfee
discovered one of the malware samples exploited a vulnerability in
Microsoft Internet Explorer (IE). The vulnerability exists as an
invalid pointer reference within IE and, if successfully exploited,
allows for remote code execution.

Microsoft has released Security Bulletin MS10-002, which provides
updates for Internet Explorer that address this and other
vulnerabilities.

US-CERT is providing technical indicators that can be incorporated
into an organizations security posture to detect and mitigate any
malicious activity.

Please see <https://www.us-cert.gov/cas/techalerts/TA10-055A.html>
for further detail.

The following signatures can be deployed to assist in detecting
malicious activity associated with this incident:

Primary Malware Beacon

alert tcp any any -> any any (msg:"Targeted Malware Communication
Beacon Detected"; flow:to_server,established; dsize:20;
content:"|ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88
ff|"; depth:20; sid:7777777; rev:1;)

Secondary Malware Beacon

alert tcp any any <> any any (msg:"ORC:DIS:BEACON_380DFF";
content:"|38 0d ff 0a d7 ee 9d d7 ec 59 13 56|"; sid:99980060;
rev:1;)

Note: US-CERT has not verified or tested these signatures and
recommends proper testing prior to deployment.


II. Impact

By convincing a user to view a specially crafted HTML document or
Microsoft Office document, an attacker may be able to execute
arbitrary code with the privileges of the user.


III. Solution

The Internet Explorer vulnerability used in these attacks is
addressed with the updates provided in Microsoft Security Bulletin
MS10-002.

Other recommendations include:

* As a best practice, limit end-user permissions on systems by
granting minimal administrative rights.
* Enable Data Execution Prevention (DEP) for IE 6 Service Pack 2 or
IE 7. IE 8 automatically enables DEP.
* Inspect network traffic history for communication with external
systems associated with the attack.
* Examine computers for specific files or file attributes related
to the attack.


IV. References

* How Can I Tell if I Was Infected By Aurora? -
<http://www.mcafee.com/us/local_content/reports/how_can_u_tell.pdf>

* How do I know if my organization has been infected? -
<http://www.mcafee.com/us/threat_center/aurora_enterprise.html>

* McAfee Labs Tools Aurora Stinger 10.0.1.765 -
<http://download.nai.com/products/mcafee-avert/aurora_stinger.exe>

* Operation Aurora Hit Google, Others -
<http://siblog.mcafee.com/cto/operation-%25E2%2580%259Caurora%25E2%2580%259D-hit-google-others/>

* Vulnerability in Internet Explorer Could Allow Remote Code
Execution -
<http://www.microsoft.com/technet/security/advisory/979352.mspx>

* Microsoft Security Bulletin MS10-002 -
<http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA10-055A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA10-055A Feedback VU#492515" in
the subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2010 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________

Revision History

February 24, 2010: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBS4XBny/E9ke+6HGsAQIqbwgAoL3VP5PBhWiwuwcxDZ+1qoxl9md/0SYn
wCrWIaVn3gRVAFgOCkOwNOU3b5ZCZoiEA7X8Ez74XzpctpStO5tAGXu6cVYViUWK
ASJIRprfSkaNHJ2BDi/uqPPFKshsHW0oZhYnz3yzbjOa8h5TLWIap8Bs4VxjZH+Z
uwu71vgzuCXA/CXaTJEDGkhKUyhtNf675+oYTR4bpTFhMIyDi3ywtV51acpdCKNi
atUw4Z03U2HDwg5erCeKDI+pym58acDKumOOVDqBAWlwsDZ4j81U9bg4PEHHpCMZ
H07EVTyCQ2moau/cTpwVMxhLMdh5dVoRmK1AnC4Pms8eV7FOlbJ3KQ==
=AtB/
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close