
Wednesday, 10 December 2008

IE7 0-Day Exploit Sites


As many of you have seen, there is a new 0-day exploit in the wild affecting Internet Explorer 7 users. This is a new exploit that is being actively exploited and it was not patched yesterday (meaning there is no patch available, yet). Visiting a website with this exploit can result in a full compromise of an affected system. Currently most of the exploits out there will attempt to download a trojan onto the system. Shadowserver is aware of several hosts which are currently hosting exploit code designed to exploit this vulnerability. We would like to share this information so that it can be used for protection and detection. However, we strongly discourage visiting these sites for any reason. DO NOT visit the below sites, as they currently house live exploit code for the new IE7 0-day exploit. The majority, if not all, of them also house several other exploits for different vulnerabilities as well.

We came across a good many of these ourselves, while we also had help from others in the security community that shared the sites. We would like to thank them, as the information can now be passed on to you for mitigation. If you know any other sites that can be added to this list of IE7 exploit sites (for the current 0-day issue), please drop us a line - steven [at] shadowserver [dot] org.


Domains known to be currently exploiting this vulnerability:

	baidu.bbtu01.cn - 61.160.213.194
	baidu.bbtu02.cn - 61.160.213.194
	baidu.bbtu03.cn - 61.160.213.194
	baidu.bbtu04.cn - 61.160.213.194
	baidu.bbtu05.cn - 61.160.213.194
	baidu.bbtu06.cn - 61.160.213.194
	baidu.bbtu07.cn - 61.160.213.194

	baidu-baiduxin1.cn - 121.12.173.218
	baidu-baiduxin2.cn - does not resolve - possibly hostile in the future
	baidu-baiduxin3.cn - 59.34.197.63
	baidu-baiduxin4.cn - 121.12.173.218
	baidu-baiduxin5.cn - 61.143.211.187
	baidu-baiduxin6.cn - 121.12.173.218
	baidu-baiduxin7.cn - 121.12.173.218
	baidu-baiduxin8.cn - 121.12.173.218
	baidu-baiduxin9.cn - 59.34.197.63


	baidu-baiduzi1.cn - 121.12.173.218
	baidu-baiduzi2.cn - 121.12.173.218
	baidu-baiduzi3.cn - 121.12.173.218
	baidu-baiduzi4.cn - 121.12.173.218
	baidu-baiduzi5.cn - 121.12.173.218
	baidu-baiduzi6.cn - 121.12.173.218
	baidu-baiduzi7.cn - 121.12.173.218
	baidu-baiduzi8.cn - 121.12.173.218

	baidu-du1.cn - 59.34.197.63
	baidu-du2.cn - 202.108.22.180
	baidu-du3.cn - 59.34.197.63
	baidu-du4.cn - 59.34.197.63
	baidu-du5.cn - 121.12.173.218
	baidu-du6.cn - 121.12.173.218
	baidu-du7.cn - 59.34.197.63
	baidu-du8.cn - 121.12.173.218
	baidu-du9.cn - 61.143.211.187

	sllwrnm1.cn - 59.34.216.92
	sllwrnm2.cn - 59.34.216.92
	sllwrnm3.cn - does not resolve - possibly hostile in the future
	sllwrnm4.cn - 59.34.216.92
	sllwrnm5.cn - 59.34.216.92
	sllwrnm6.cn - 59.34.216.92
	sllwrnm7.cn - 59.34.216.92
	sllwrnm8.cn - 59.34.216.92
	sllwrnm9.cn - 59.34.216.92
	sllwrnm10.cn - 59.34.216.92


	sllwbd1.cn - 61.164.118.209
	sllwbd2.cn - 61.164.118.209
	sllwbd3.cn - 61.164.118.209
	sllwbd4.cn - 59.34.216.92
	sllwbd5.cn - 59.34.216.92
	sllwbd6.cn - 59.34.216.92
	sllwbd7.cn - 59.34.216.92
	sllwbd8.cn - 59.34.216.92
	sllwbd9.cn -  59.34.216.139
	sllwbd10.cn - 59.34.216.92

	zlwrnm1.cn - does not resolve - possibly hostile in the future
	zlwrnm2.cn - does not resolve - possibly hostile in the future
	zlwrnm3.cn - does not resolve - possibly hostile in the future
	zlwrnm4.cn - does not resolve - possibly hostile in the future
	zlwrnm5.cn - 59.34.216.139
	zlwrnm6.cn - does not resolve - possibly hostile in the future
	zlwrnm7.cn - 59.34.216.139
	zlwrnm8.cn - 59.34.216.139
	zlwrnm9.cn - 59.34.216.139
	zlwrnm10.cn - 59.34.216.139
	zlwrnm11.cn - 59.34.216.139
	zlwrnm12.cn - 59.34.216.139
	zlwrnm13.cn - 59.34.216.139
	zlwrnm14.cn - 59.34.216.139
	zlwrnm15.cn - 59.34.216.139
	zlwrnm16.cn - does not resolve - possibly hostile in the future
	zlwrnm17.cn - 59.34.216.139
	zlwrnm18.cn - 59.34.216.139
	zlwrnm19.cn - 61.164.118.209
	zlwrnm20.cn - 61.164.118.209

	360avva.akvvv.cn - 58.53.128.136
	vip.4s3w.cn - 121.10.107.233
	cc4y7.cn - 58.215.76.155
	hhhh8886.cn - 121.12.104.88
	qqqqttrr.cn - 121.12.104.88
	rrrrrrryyy.cn  - 121.12.104.88
	wwwwyyyyy.cn - 121.12.104.88
	fyesn.cn - 121.10.107.233

 -- The above list is the data we have as of December 10, 2008 - 20:26 UTC/GMT--

Updated/additional sites:

	baidu.baibai1.cn - 61.160.213.143
	baidu.xinlang1.cn - 61.160.213.194
	cc4y6.cn - 121.10.107.233
	cc4y8.cn - 121.10.107.233

Updated 12/12/2008 - 14:17 UTC/GMT:

	www.17gamo.com - 207.154.202.219 *seen from SQL injection attacks*
	www.comefood.com - 210.51.174.28
	bzka.3322.org - 210.51.174.28
	lianrong.com.cn - 210.51.174.28
	doubleluck.com.cn - 210.51.174.28
	dingli.net - 210.51.174.28
	www.mianfei58.cn - 222.189.228.146
	www.yhgames.com - 61.189.7.6
	iuwei.com - 219.232.224.87
	www.6dsoft.cn - 125.67.67.177
	w.c66i.cn - 222.174.93.34
	www.800.look.tw - 61.63.72.161 - * legit site that was hacked - now clean
	b81.8800.org - 80.244.188.87
	web.jha2.cn - 218.83.161.134

Updated 12/16/2008 - 13:09 UTC/GMT:

	vw.wd2a.cn - 218.83.161.134
	927.bigwww.com - 221.10.254.228
	h3hs4.cn - 218.6.12.75
	buxhere.com - 203.169.184.78
	517wyt.com - 66.90.67.98

	googlehk.3322.org - 218.69.98.5
	congs.zziyuan.com - 222.191.251.69
	cookie7.cn - 218.3.53.168
	mm.hacker315.cn - 222.172.81.12
	ak136.justcctv6.cn - 58.53.128.136
	china-jinpin.com - 124.172.156.27
	zief.pl - 58.65.234.89 *well known hostile domain (Virut)
	1ku.cn - 210.72.225.25
	kkkkppp.cn - 121.14.156.59
	64.209.8.98 - no DNS
	ptxk.com - 122.225.103.24
	1ku.cn - 210.72.225.25
	97.zjz-004.com - 222.215.136.19
	ok16899.cn - 60.190.114.37
	entmba.com - 91.121.78.143
	cznutchuei.cn - 218.83.161.15
	dmc.hb.cn - 72.167.118.133
	mba.beisen.com - 61.232.10.78
	218.38.28.113 - no DNS
	worldvedrcoo.com - 79.174.72.85
	sothink1.cn - 218.3.53.168
	sothink2.cn - 218.3.53.168
	sothink3.cn - 218.3.53.168
	sothink4.cn - 218.3.53.168
	sothink5.cn - 218.3.53.168
	sothink6.cn - 218.3.53.168
	sothink7.cn - 218.3.53.168
	sothink8.cn - 218.3.53.168
	sothink9.cn - 218.3.53.168
	sothink10.cn - 218.3.53.168
	s.ardoshanghai.com - 61.84.116.158
	wieyou.com - 121.10.108.161
	abcrot.cn - 121.10.108.161
	ak136.justbt1.cn - 58.53.128.136
	www.golfinau.com - 85.17.212.137
	w.c66b.cn - 58.53.128.112
	w.c66d.cn - 58.53.128.82
	w.c66f.cn - 222.174.93.34
	w.c66g.cn - 222.174.93.34
	jcl-0006.cn - 222.73.44.125
	jcl-0007.cn - 222.73.44.125

	252623.cn - 221.0.193.228
	www.633r.com - 218.95.37.110
	www.zjz-aaa.cn - 222.215.136.19
	www.zjz-bbb.cn - 222.215.136.19
	www.zjz-ccc.cn - 222.215.136.19
	www.zjz-ddd.cn - 222.215.136.19
	www.zjz-eee.cn - 222.215.136.19
	www.zjz-fff.cn - 222.215.136.19
	www.zjz-ggg.cn - 222.215.136.19
	www.zjz-hhh.cn - 222.215.136.19
	www.zjz-iii.cn - 222.215.136.19
	dx.dxwyt1.com - 222.215.136.19
	97.zjz-001.com - 222.215.136.19
	97.zjz-002.com - 222.215.136.19
	97.zjz-003.com - 222.215.136.19
	www.federalservicesinfo.com - 195.122.26.133

We would like to thank Websense Security Labs and Ivan Macalintal from Trend Micro, the Microsoft Malware Protection Center team, Jonas Lindebring, Johan Dalesjö, and several other anonymous contributors for additions to this list.

The following sites have not been seen hosting the IE7 exploits but are closely associated with above sites and should be considered for blocking/monitoring:

	cc4y1.cn - 121.10.107.233
	cc4y2.cn - 121.10.107.233
	cc4y3.cn - 121.10.107.233
	cc4y4.cn - 121.10.107.233
	cc4y5.cn - 58.215.76.155
	cc4y9.cn - 58.215.76.155

	baidu.baibai2.cn - 61.160.213.143
	baidu.baibai3.cn - 61.160.213.143
	baidu.baibai4.cn - 61.160.213.143 
	baidu.baibai5.cn - 61.160.213.143 

	baidu.xinlang2.cn - 61.160.213.143
	baidu.xinlang3.cn - 61.160.213.143
	baidu.xinlang4.cn - 61.160.213.143

You may have noticed there are a relatively small number of IP addresses involved in our list. It appears that some of the attackers have created several domains with essentially the same set of exploits. We will be updating this list as we get more.

Detection and Prevention


Right now there are just a few things you can do to detect and prevent. Emerging Threats has released a few Snort rules, and you can get those by clicking here. However, these will only detect the specific unmodified variants they were written for, so do not consider them foolproof. It can't hurt to throw the rules in though!

Now for prevention, the first step you can take is to block the above domains and/or IP addresses. These sites are for the most part hosting a bunch of bad stuff and not just an IE7 exploit. However, there are certainly sites that we have missed and new ones that will pop up frequently, so this will not completely stop it all either. The only other real option against this exploit for now is an obvious one, and that's to just not use IE7 until the issue has been resolved. If you are aware of other fixes, please feel free to shoot them our way.
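To make the lists above directly usable for blocking and for log review, here is an added Python example (our own illustration, not code from the Shadowserver post). It parses the "domain - IP - note" format used in the lists, including the "does not resolve" and "no DNS" entries, deduplicates the repeated entries, groups domains by hosting IP (which makes the small set of shared IPs noted above visible), sets aside the entry the post marks as a hacked-but-now-clean legitimate site for manual review rather than blocking, and then checks proxy log lines for hosts that match. The indicator lines embedded below are copied from the lists above; the proxy log lines are constructed for the example and are not real traffic. Matching a subdomain of a listed domain (for example a host under 1ku.cn) is an assumption of this script, not something the post states.

```python
"""Parse a "domain - IP - note" indicator list into a blocklist and check
proxy log lines against it. Added example, not part of the original post."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# A few lines copied verbatim from the indicator lists in the post.
INDICATOR_TEXT = """\
baidu.bbtu01.cn - 61.160.213.194
baidu-baiduxin2.cn - does not resolve - possibly hostile in the future
www.17gamo.com - 207.154.202.219 *seen from SQL injection attacks*
www.800.look.tw - 61.63.72.161 - * legit site that was hacked - now clean
64.209.8.98 - no DNS
1ku.cn - 210.72.225.25
1ku.cn - 210.72.225.25
sllwbd9.cn -  59.34.216.139
"""

# Constructed proxy log lines: timestamp client method url status.
PROXY_LOG = """\
2008-12-11T09:14:02Z 10.0.0.15 GET http://baidu.bbtu01.cn/index.html 200
2008-12-11T09:15:40Z 10.0.0.22 GET http://www.example.org/ 200
2008-12-11T09:16:05Z 10.0.0.15 GET http://64.209.8.98/x.htm 200
2008-12-11T09:17:11Z 10.0.0.31 GET http://sub.1ku.cn/a.js 200
"""

IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def parse_indicators(text):
    """Return (domain, ip, note) tuples; domain or ip is None when absent."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(" - ")]
        first = parts[0]
        if IPV4.fullmatch(first):
            # Bare IP entry such as "64.209.8.98 - no DNS".
            entries.append((None, first, " - ".join(parts[1:])))
            continue
        domain, ip, note_parts = first.lower(), None, []
        if len(parts) > 1:
            head, _, tail = parts[1].partition(" ")
            if IPV4.fullmatch(head):
                ip = head
                if tail.strip():
                    note_parts.append(tail.strip())
            else:
                note_parts.append(parts[1])  # e.g. "does not resolve"
            note_parts.extend(parts[2:])
        entries.append((domain, ip, " - ".join(note_parts)))
    return entries


def build_blocklist(entries):
    """Deduplicate into block sets, a review set, and a domains-per-IP map."""
    result = {"domains": set(), "ips": set(), "review": set(),
              "by_ip": defaultdict(set)}
    for domain, ip, note in entries:
        if "now clean" in note.lower():
            # The post marks this site as remediated: review, don't block.
            result["review"].add(domain)
            continue
        if domain:
            result["domains"].add(domain)
        if ip:
            result["ips"].add(ip)
        if domain and ip:
            result["by_ip"][ip].add(domain)
    return result


def find_hits(log_text, blocklist):
    """Return (timestamp, client, host, reason) for log lines touching the list."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, client, _method, url, _status = raw.split()
        host = urlsplit(url).hostname
        if host is None:
            continue
        reason = None
        if host in blocklist["ips"]:
            reason = "ip on blocklist"
        else:
            # Assumption: a subdomain of a listed domain counts as a match.
            for d in blocklist["domains"]:
                if host == d or host.endswith("." + d):
                    reason = "matches blocked domain " + d
                    break
        if reason:
            hits.append((ts, client, host, reason))
    return hits


if __name__ == "__main__":
    bl = build_blocklist(parse_indicators(INDICATOR_TEXT))
    for ip, doms in sorted(bl["by_ip"].items()):
        print(ip, sorted(doms))
    for hit in find_hits(PROXY_LOG, bl):
        print(*hit)
```

Feeding the full lists from this post through `parse_indicators` gives the same block sets you would paste into a proxy or DNS denylist; the `by_ip` map is the quickest way to see which domains share a host so a single IP block covers all of them.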

Updated: Microsoft has released a security advisory detailing this vulnerability here. There are additional workarounds now listed, such as enabling DEP for IE7. Please take a look.

=>Posted December 10, 2008, at 12:22 PM by Steven Adair