23 June 2012

JS_DLOADER.SMGA Exploits CVE-2012-1875 Vulnerability in Internet Explorer

On June 13, Microsoft released the Cumulative Security Update for Internet Explorer (2699988), which addresses CVE-2012-1875, a vulnerability exploited by malware detected by Trend Micro as JS_DLOADER.SMGA. Attack code for this vulnerability has also been made public. It is rare for attack code to be released at the same time as Microsoft's security update; in general, malware exploiting such vulnerabilities does not appear this quickly. Since the affected software is Internet Explorer, this attack has a significant impact on the millions of IE8 users.

IE vulnerability

By exploiting CVE-2012-1875, JS_DLOADER.SMGA poses a bigger threat to users because it also downloads the backdoor BKDR_AGENT.BCSG, disguised as a .JPG file. This backdoor is capable of communicating with a command-and-control (C&C) server over port 80. In effect, this communication compromises an infected system's security, leaving it exposed to further infection.

How JS_DLOADER.SMGA Exploits CVE-2012-1875

I'm sharing my analysis of JS_DLOADER.SMGA to inform users of the key issue in CVE-2012-1875 and to introduce our solution.

Based on my analysis, the noteworthy routines of JS_DLOADER.SMGA include:

- Affected systems check. Unlike exploit document files, this malicious JavaScript gathers the OS version and the language used on the infected system with a simple script.

- Heap spray. Once JS_DLOADER.SMGA exploits CVE-2012-1875, it uses the heap spray technique to run specific shellcode.

- Return-Oriented Programming (ROP). Although JS_DLOADER.SMGA successfully exploits CVE-2012-1875, its code cannot jump directly into the sprayed heap because of Data Execution Prevention (DEP), which is enabled in affected applications such as IE8 and IE9. To bypass DEP, the exploit uses return-oriented programming (ROP). It first checks the system environment (OS and language) with a specific script to determine the addresses at which the loaded modules reside in memory, since these addresses depend on the OS and language. Then, based on the confirmed system information, it generates ROP code specific to that environment.
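As an added example (not from the Trend Micro analysis or this post), here is a small Python heuristic, in the spirit of the behaviours listed above, that flags scripts combining environment fingerprinting, long unescape("%u...") blobs and an array-filling spray loop. The indicator patterns and both sample scripts are constructed for illustration; the "suspicious" sample contains only placeholder words, not shellcode.

```python
import re

# Indicator 1: environment fingerprinting via navigator properties (OS / language check).
FINGERPRINT_RE = re.compile(
    r"navigator\.(userAgent|systemLanguage|userLanguage|appVersion)", re.I)
# Indicator 2: a long unescape("%uXXXX...") string, the usual way to lay out 16-bit words.
UNESCAPE_RE = re.compile(r'unescape\(\s*["\']((?:%u[0-9a-f]{4}){8,})["\']', re.I)
# Indicator 3: a loop that fills an array with copies of the same string variable (the spray).
SPRAY_LOOP_RE = re.compile(
    r"for\s*\(.*?\)\s*\{?\s*\w+\s*\[\s*\w+\s*\]\s*=\s*(\w+)\s*\+", re.S)

# Constructed sample resembling the three behaviours (placeholder words, no real payload).
SUSPICIOUS_SAMPLE = """
var os = navigator.userAgent; var lang = navigator.systemLanguage;
var blk = unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
var heap = new Array();
for (var i = 0; i < 300; i++) { heap[i] = blk + blk; }
"""

# Constructed benign sample: reads the browser language but builds an ordinary table.
BENIGN_SAMPLE = """
var lang = navigator.userLanguage;
var items = [];
for (var i = 0; i < 10; i++) { items[i] = "row " + i; }
"""


def score_script(js: str) -> dict:
    """Return which indicators fired and a combined score (0-3). Heuristic only."""
    hits = {
        "fingerprint": bool(FINGERPRINT_RE.search(js)),
        "unescape_blob": bool(UNESCAPE_RE.search(js)),
        "spray_loop": bool(SPRAY_LOOP_RE.search(js)),
    }
    return {"hits": hits, "score": sum(hits.values())}


def is_suspicious(js: str, threshold: int = 2) -> bool:
    """A single indicator (e.g. a language check) is common in benign pages;
    require at least `threshold` of them before flagging the script."""
    return score_script(js)["score"] >= threshold


if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, score_script(sample), "flagged" if is_suspicious(sample) else "clean")
```

Such heuristics are a triage aid for proxy or sandbox captures, not a replacement for the vendor patch or an up-to-date scanner.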

Source: TrendMicro

For the full technical analysis of JS_DLOADER.SMGA, see the Trend Micro write-up linked in the original post.

AbhiShek SinGh
Founder of 'TheHackingArticles'. Cyber Security Analyst, Cyber Security Researcher, and Software Engineer.
