2014-10-02 - Exploit Integration

CVE-2013-7331/CVE-2015-2413 (onload variant) and Exploit Kits

Thanks to EKWatcher and his decoding skills for saving me a lot of time.

As more and more of these "XMLDOM" (res://) checks show up in exploit kits, I decided to document some of the checks spotted. This is a fast-moving area and it will be hard to keep this up to date, but it may give an idea of how the technique is being used: the kit points Internet Explorer at a res:// URI inside a known executable and learns, from whether the resource resolves, whether that software (a security product, an analysis tool, VM guest tools) is installed, then decides which exploit to fire or whether to fire one at all.

Magnitude EK:
2015-09 [CVE-2015-2413 onload res:// variant ]

I won't detail this, as this part of the code disappeared around the end of November 2015, then reappeared in the middle of March 2016 inside the redirector in front of Magnitude.
See: http://pastebin.com/raw/gfEz25fa (from 2016-03-30)

Angler EK:

2015-05-16 [Edit: I know that some information here is not totally exact]
[Edit 2: this appears to be something that was unpatched at that time and that has been fixed with the bug covered by CVE-2015-2413]

+="Malwarebytes Anti-Exploit\\mbae.exe", "Malwarebytes Anti-Malware\\mbam.exe", "FiddlerCoreAPI\\FiddlerCore.dll"

Angler EK's checks now integrate MBAE and MBAM (Malwarebytes Anti-Exploit and Anti-Malware).

'res://C:\\Program Files\\Fiddler2\\Fiddler.exe/#3/#32512',
'res://C:\\Program Files (x86)\\Fiddler2\\Fiddler.exe/#3/#32512'



+ Avoids firing CVE-2013-2551 if a Symantec product is detected (maybe also for CVE-2014-0322; I didn't check).
+ Checks for (VMware Tools, VirtualBox Guest Additions and Parallels Tools, i.e. virtual machine guests typically used by researchers and sandboxes):
'res://C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#26567',
'res://C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#30996',
'res://C:\\Program Files\\Oracle\\VirtualBox Guest Additions\\uninst.exe/#2/#110',
'res://C:\\Program Files\\Parallels\\Parallels Tools\\Applications\\setup_nativelook.exe/#2/#204'

http://pastebin.com/EAKZk43e  2014-10-01
Previously :
http://pastebin.com/pzx2xPDJ 2014-08-23
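To make the probe lists above easier to read (and to triage captured landing pages), here is an added example that is not code from this post or from any exploit kit. It pulls the res:// URIs out of a script, decodes what each one asks Internet Explorer to resolve (module path, resource type, resource id) and what the kit is therefore looking for, and models the onload/onerror probing loop. The browser itself is replaced by an injected loader so the code runs offline under Node; the category table, the sample script and the "installed" list are constructed for the example, and the resource-type names are the standard Windows RT_* ids.

```javascript
// Added example (editorial, not from the post or from any exploit kit):
// decode res:// probes and model the onload/onerror enumeration loop.

// Standard Windows resource-type ids seen in res:// URIs (/#<type>/#<id>).
const RESOURCE_TYPES = { 1: "RT_CURSOR", 2: "RT_BITMAP", 3: "RT_ICON", 5: "RT_DIALOG",
  6: "RT_STRING", 10: "RT_RCDATA", 14: "RT_GROUP_ICON", 16: "RT_VERSION", 24: "RT_MANIFEST" };

// Assumed mapping from a path fragment to what the probe is looking for.
// Covers the products named on this page; extend as needed.
const CATEGORIES = [
  [/malwarebytes|symantec|norton/, "security product"],
  [/fiddler|wireshark/, "analysis tool"],
  [/vmware|virtualbox|parallels/, "virtual machine guest"],
];

// Pull every quoted res:// URI out of JavaScript source and undo the
// doubled backslashes the string literal carries.
function extractResProbes(scriptSource) {
  const re = /['"](res:\/\/[^'"]+)['"]/g;
  const out = [];
  let m;
  while ((m = re.exec(scriptSource)) !== null) {
    out.push(m[1].replace(/\\\\/g, "\\"));
  }
  return out;
}

function classify(path) {
  const lower = path.toLowerCase();
  for (const [pattern, label] of CATEGORIES) {
    if (pattern.test(lower)) return label;
  }
  return "unknown";
}

// res://<module path>/#<resource type>/#<resource id>  -> structured view
function parseResUri(uri) {
  const m = /^res:\/\/(.+)\/#(\d+)\/#(\d+)$/.exec(uri);
  if (!m) return null;
  const path = m[1];
  const type = Number(m[2]);
  return {
    path,
    module: path.slice(path.lastIndexOf("\\") + 1),
    resourceType: RESOURCE_TYPES[type] || `type ${type}`,
    resourceId: Number(m[3]),
    category: classify(path),
  };
}

// The onload variant: an element is pointed at the res:// URI and the kit
// learns whether the file exists from which event fires. `loadResource`
// stands in for the browser; it must return a promise that resolves when the
// resource loads (onload) and rejects when it does not (onerror). Returns the
// probes that resolved, i.e. the software the kit would treat as present.
async function probeInstalledSoftware(uris, loadResource) {
  const present = [];
  for (const uri of uris) {
    const info = parseResUri(uri);
    if (!info) continue;
    try {
      await loadResource(uri);
      present.push(info);
    } catch (e) {
      // onerror: the module or resource does not exist on this machine
    }
  }
  return present;
}

// Constructed sample: a probe list in the shape seen on this page.
const SAMPLE_SCRIPT = `var p = [
  'res://C:\\\\Program Files\\\\Fiddler2\\\\Fiddler.exe/#3/#32512',
  'res://C:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\TPAutoConnSvc.exe/#2/#26567',
  'res://C:\\\\Program Files\\\\Malwarebytes Anti-Malware\\\\mbam.exe/#2/#110'];`;

// Offline stand-in for Internet Explorer: only the listed path fragments
// "load"; everything else fails as the real browser would for a missing file.
function fakeLoader(installed) {
  return (uri) => installed.some((p) => uri.indexOf(p) !== -1)
    ? Promise.resolve(uri)
    : Promise.reject(new Error("onerror: " + uri));
}

// End-to-end run over the sample, pretending only Fiddler is installed.
async function runDemo() {
  const probes = extractResProbes(SAMPLE_SCRIPT);
  const found = await probeInstalledSoftware(probes, fakeLoader(["Fiddler2\\Fiddler.exe"]));
  return { probes, found: found.map((f) => `${f.category}: ${f.module}`) };
}

if (typeof require !== "undefined" && require.main === module) {
  runDemo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

The same `extractResProbes` / `parseResUri` pair works as a quick triage step on a captured landing page: any script that probes for `mbae.exe`, `Fiddler.exe` or VM guest tools via res:// is doing exactly the fingerprinting described on this page, whichever kit it comes from.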

Astrum EK :

http://pastebin.com/PfAjuvPR 2014-09-06

Nuclear Pack :

Read more:
Attackers abusing Internet Explorer to enumerate software and detect security products - Jaime Blasco - AlienVault - 2014-07-25
Software enumeration using Internet Explorer - 2014-10-21 - HiddenCodes

CVE-2013-7331 CVE-2015-2413 res:// variant onload