Wednesday, January 16, 2013

JavaScript Anti-Automated Detection


Yesterday, I came across a relatively rudimentary webpage attempting to exploit a vulnerability in Microsoft Internet Explorer. The particular vulnerability in question is defined in CVE-2012-1875 and is identified by Microsoft in MS12-037. Excellent coverage of this exploit in the wild was posted by AlienVault Labs http://labs.alienvault.com/labs/index.php/2012/ongoing-attacks-exploiting-cve-2012-1875/

Though hardly cutting edge now (a fix was issued in June of 2012), I was curious about one of the sections of code. Following the ROP techniques used to bypass Windows Vista (And later) DEP [Data Execution Prevention], there is a section of code, a "Trigger" that looks like the following [Code follows the Break]:




<DIV id=testfaild>
<img id="imgTest" style="display:none">
<a href="javascript:OnTest();" id="MyA" onClick="OnTest();">
<div style="background-color:#FFFFFF; width:3000; height:4000" id="imgTest" src="" onMouseOver="OnTest2();" onMouseOut="OnTest2();"> </div>
</a>
</DIV>


Ok, so what is actually going on here? It appears that some user action is required to trigger this exploit. Fortunately for the exploit writers, a user who was redirected to an attack page will probably perform one of the following triggers:

1) Click their mouse
2) Move their mouse

Looking at the div parameters (3000x4000), the malicious page will detect any of the above triggers anywhere on the screen. This brings me to an interesting point: automated analysis, unless previously scripted, doesn't typically manipulate a mouse (or utilize a GUI in any form). Pretty interesting way to dodge automated detection based on pulling the page (curl or wget). In 2012, the trend of aiming to defeat automated analysis certainly grew in the world of malware. Seeing it in the attack pages shouldn't be unexpected.

One thing is for sure: 2013 is going to be interesting.


Edit:
Since its public, the full exploit code can be found here:
http://pastebin.com/sFqxs4qx

The Metasploit Module (Released June 14, 2012) is available here:
http://www.exploit-db.com/exploits/19141/


Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)