Spam exploiting MS05-016

To: Bugtraq@xxxxxxxxxxxxxxxxx
Subject: Spam exploiting MS05-016
From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
Date: Mon, 30 May 2005 01:30:53 +1200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Personal account
Priority: normal
Reply-to: nick@xxxxxxxxxxxxxxxxxxx

Yesterday at least two of my spam-traps received the following message 
(I've elided the MIME boundary values just in case...):

   Subject: We make a business offer to you
   MIME-Version: 1.0
   Content-type: multipart/mixed;
           boundary="[...]"

   [...]
   Content-Type: text/plain;
           charset="Windows-1252"
   Content-Transfer-Encoding: 8bit

   Hello!  It is not spam, so don't delete this message.
   We have a business offer to you.
   Read our offer.
   You can increase the business in 1,5 times.
   We hope you do not miss this information.


   Best regards, Keith

   [...]
   Content-type: application/octet-stream;
           name="agreement.zip"
   Content-Transfer-Encoding: base64
   Content-Disposition: attachment;
           filename="agreement.zip"

   <<encoded ZIP file data>>

There are a few trivial differences between the messages to the 
different addresses I checked, so don't anyone try to turn the above 
into a totally literal filtering rule...

Anyway, the "agreement.zip" attachment held only one file, apparently 
called "agreement.txt", but on closer inspection it turned out the file 
was called "agreement.txt " where the apparent trailing space was 
actually a 0xFF character.  This "pseudo-TXT" file was, in fact, an 
OLE2 format file (originally a Word document file) with the OLE2 Root 
Entry CLSID set to that of the Microsoft HTML Application Host (MSHTA). 
This was all done as per the description in the iDEFENSE advisory 
announcing this vulnerability:

   http://www.idefense.com/application/poi/display?id=231&type=vulns

This "pseudo-TXT" file is an example of what is produced by the PoC 
generator posted to Bugtraq.  Oddly, that message is not archived in 
SecurityFocus' own mailing list archives, but its PoC code is listed 
with the vulnerability's BID entry:

   http://www.securityfocus.com/bid/13132/info/

That PoC may be identified from the comment at the top of its code:

   MS05-016 POC
   Made By ZwelL
   zwell@xxxxxxxx
   2005.4.13

Anyway, the "agreement.txt " file contained a script to write a text 
file with commands and responses for use with the Windows ftp client 
via its "-s" option and further commands to run ftp with those scripted 

commands and then to run the executable that ftp script would cause to 
be downloaded from a Russian web site.  At the time of writing, that 
site is still up and the executable that is downloaded (a backdoor) is 
the same one that was there when the spam was first seen.

If you haven't installed the MS05-016 Windows Shell patch yet:

   http://www.microsoft.com/technet/security/bulletin/ms05-016.mspx

or at least taken reasonable precautions to defang possible 
exploitation of this vulnerability (particularly through MSHTA), it 
would be  advisable to do so now.  When initially discovered, only two 
of more than 20 tested virus scanning engines detected the exploit in 
"agreement.txt ".  Since alerting the antivirus developer community of 
the field discovery of this exploit, a couple more "big name" scanners 
have added a degree of detection for this exploit, and I expect that 
number to grow as the new week dawns and new updates are pushed to 
customers.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092

Prev by Date: TSL-2005-0026 - multi
Next by Date: TSL-2005-0025 - binutils
Previous by thread: TSL-2005-0026 - multi
Next by thread: TSL-2005-0025 - binutils
Index(es):
- Date
- Thread