Last June 13, Microsoft released its Cumulative Security Update for Internet Explorer (2699988), which addresses CVE-2012-1875, a vulnerability exploited by malware detected by Trend Micro as JS_DLOADER.SMGA. Attack code for this vulnerability has also been made public. It is rare for attack code to be released at the same time as Microsoft's security update; in general, malware exploiting such vulnerabilities does not show up this quickly. Since the affected software is Internet Explorer, this attack has a significant impact on the millions of IE8 users.
By exploiting CVE-2012-1875, JS_DLOADER.SMGA poses a bigger threat to users because it also downloads the backdoor BKDR_AGENT.BCSG, disguised as a .JPG file. This backdoor communicates with a command-and-control (C&C) server over port 80. That channel compromises the infected system's security, leaving it exposed to further infection.
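The backdoor arrives with a .JPG extension but is not an image. A simple defensive check a download proxy or endpoint agent can apply is to compare the claimed extension with the file's magic bytes. The following Python is an added example, not code from the Trend Micro post; the sample byte strings are constructed here (a minimal JFIF header and a minimal PE skeleton), and the verdict strings are this example's own.

```python
# Added example (not from the original post): flag a download whose extension
# says "image" but whose leading bytes say "Windows executable".
from __future__ import annotations
import struct

JPEG_MAGIC = b"\xff\xd8\xff"   # JPEG: SOI marker (FF D8) followed by another marker byte
PE_MAGIC = b"MZ"               # Windows PE: DOS header signature


def is_jpeg(data: bytes) -> bool:
    """True if the data begins with a JPEG start-of-image marker."""
    return data[:3] == JPEG_MAGIC


def is_pe(data: bytes) -> bool:
    """True if data has a DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != PE_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_download(filename: str, data: bytes) -> str:
    """Compare the claimed extension against the content's magic bytes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in ("jpg", "jpeg"):
        if is_jpeg(data):
            return "ok: jpeg content"
        if is_pe(data):
            return "alert: PE executable disguised as .jpg"
        return "suspicious: .jpg extension but not a JPEG"
    if is_pe(data):
        return "executable"
    return "unknown"


# Constructed samples (not real malware bytes):
# a minimal JFIF header, and a minimal PE skeleton with e_lfanew pointing to 0x40.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32

_fake = bytearray(b"MZ" + b"\x00" * 0x3E)        # 0x40-byte DOS header
struct.pack_into("<I", _fake, 0x3C, 0x40)        # e_lfanew -> offset 0x40
_fake += b"PE\x00\x00" + b"\x00" * 20            # PE signature at that offset
FAKE_JPEG = bytes(_fake)

if __name__ == "__main__":
    for name, blob in (("photo.jpg", REAL_JPEG), ("photo.jpg", FAKE_JPEG)):
        print(name, "->", classify_download(name, blob))
```

The check is deliberately content-first: the extension is only used to decide which mismatch to report, so renaming the payload does not help the attacker get past it.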
How JS_DLOADER.SMGA Exploits CVE-2012-1875
I’m sharing my analysis of JS_DLOADER.SMGA to inform users of the key issue in CVE-2012-1875, as well as to introduce our solution.
Based on my analysis, the noteworthy routines of JS_DLOADER.SMGA include:
· Heap spray. Once JS_DLOADER.SMGA exploits CVE-2012-1875, it uses the heap spray technique to get its shellcode executed.
· Return-Oriented Programming (ROP). Even though JS_DLOADER.SMGA successfully triggers CVE-2012-1875, it cannot simply jump into the sprayed heap because Data Execution Prevention (DEP) is enabled in affected applications such as IE8 and IE9. To bypass DEP, the exploit uses ROP. Because the modules loaded in memory sit at different addresses depending on the OS and language version, it first runs a script that checks the system environment (OS and language) to determine where those modules are loaded. Based on the confirmed system information, it then generates the matching ROP code.
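The two routines above leave textual traces in the script itself: a heap spray needs a large repeated block of `%u`-escaped data, a self-doubling loop or an array fill, and the ROP staging described here probes the browser's OS and language. A content scanner can score those traces before the page reaches the rendering engine. The Python below is an added example, not code from the post or from Trend Micro; the indicator patterns, their weights, the threshold, and the two sample scripts are all this example's own assumptions (the "suspicious" sample is a constructed fragment with the indicators present, not a working exploit).

```python
# Added example (not from the original post): heuristic scoring of JavaScript
# for heap-spray staging and OS/language probing. Weights and threshold are
# assumptions to be tuned against a real corpus.
from __future__ import annotations
import re

# (name, pattern, weight). Each pattern is one textual trace of the behaviour
# described in the post; the environment probe alone scores low because many
# benign pages read navigator.userAgent.
INDICATORS = [
    ("unicode_escape_blob",
     re.compile(r'unescape\(\s*["\'](?:%u[0-9a-fA-F]{4}){4,}'), 3),
    ("self_doubling_loop",
     re.compile(r'while\s*\(\s*\w+\.length\s*<\s*0x[0-9a-fA-F]+\s*\)\s*\w+\s*\+=\s*\w+'), 3),
    ("spray_array_fill",
     re.compile(r'for\s*\([^)]*\)\s*\{?\s*\w+\[\w+\]\s*=\s*\w+\s*\+\s*\w+'), 2),
    ("environment_probe",
     re.compile(r'navigator\.(?:userAgent|systemLanguage|userLanguage)'), 1),
    ("nop_sled_value",
     re.compile(r'%u0c0c|%u0d0d|%u0a0a'), 2),
]


def score_script(src: str) -> tuple[int, list[str]]:
    """Return (total weight, names of indicators that matched)."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(src)]
    total = sum(w for name, _, w in INDICATORS if name in hits)
    return total, hits


def verdict(src: str, threshold: int = 5) -> str:
    """Map a score to a coarse label; threshold is an assumed tuning value."""
    score, _ = score_script(src)
    if score >= threshold:
        return "likely heap spray"
    if score > 0:
        return "low"
    return "none"


# Constructed sample: ordinary feature detection plus a small cache array.
BENIGN = """
var ua = navigator.userAgent;
var cache = [];
for (var i = 0; i < 10; i++) { cache[i] = "item" + i; }
"""

# Constructed sample: carries the textual traces only; no trigger, no payload.
SUSPICIOUS = """
var lang = navigator.systemLanguage;
var nops = unescape("%u0c0c%u0c0c%u0c0c%u0c0c");
while (nops.length < 0x40000) nops += nops;
var heap = new Array();
for (var i = 0; i < 200; i++) { heap[i] = nops + code; }
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, score_script(src), "->", verdict(src))
```

Scoring rather than single-pattern matching is what keeps the false-positive rate down: `navigator.userAgent` on its own is not evidence, but together with a `%u`-escaped blob and a doubling loop it is the combination the post describes.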
For Technical Analysis of JS_DLOADER.SMGA visit here!