November 10, 2010

Amnesty International Hong Kong Website Injected With Latest Internet Explorer 0-day

Ulysses Wang

Websense Security Labs™ ThreatSeeker™ Network has detected that the Hong Kong Website of human rights organization Amnesty International has been compromised by multiple exploits, including the most recent Microsoft Internet Explorer 0-day. In one attack, an iframe has been injected into the index page, resulting in a quiet redirection of any visitor to an exploit server controlled by the cyber criminals. Websense customers are protected from this exploit by our ACE real-time analytics.


The exploit server is hosted in the United States. It combines several recent vulnerabilities in Adobe Flash, Adobe Shockwave, Apple QuickTime, and Internet Explorer.


Every URL in the picture above hosts an exploit. Let's analyze each one:


The index.htm (code snippet is below) hosts malcode that exploits a Flash vulnerability (CVE-2010-2884). This vulnerability, discovered in September 2010, has already been patched by Adobe. The vulnerable SWF file triggers the embedded shellcode to download a malicious executable file from hxxp://www.[removed].org:9126/hha.exe.  Because some of the bytes in the file have been xored with 0x95, the detection rate is very low (2/43)


The quicktime.html (code snippet is below) contains the code used to exploit a QuickTime vulnerability (CVE-2010-1799). Discovered in August 2010, this vulnerability has been patched by Apple. The shellcode triggered by the vulnerability in the HTML page executes a trojan from hxxp://www.[removed].org:9126/qq.exe. This trojan belongs to the Hupigon family of notorious backdoor trojans from China. Here is the detection result


The ad.html is used to exploit a Shockwave vulnerability (CVE-2010-3653), which was just discovered in October 2010 and already patched by Adobe. The page embeds a vulnerable Shockwave file and some highly obfuscated shellcode. Deobfuscation reveals that the shellcode downloads a trojan file from hxxp://www.[removed].org:9126/pdf.exe. The sample holds zero antivirus detection.

The qqq.html does not return any content at the moment, but because the server is under the cyber criminals' control, anything malicious could be added at any time.


And that's not all

In a separate attack from the injected iframe just described, the Hong Kong Amnesty International Website has also been injected directly in one of its inner directories with code that exploits the latest 0-day vulnerability in Internet Explorer (CVE-2010-3962). This vulnerability was found only a few days ago and has not yet been patched. The injected code resides at hxxp://www.amnesty.org.hk/schi/[removed]ox.html.


Here is a snippet:


Enabling Data Execution Prevention (DEP) and Protected Mode in Internet Explorer can mitigate this vulnerability.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.