The Tech Herald

Internet Explorer zero-day hosted on GOV.CN domain

by Steve Ragan - Jan 26 2010, 07:30

Researchers at Zscaler have discovered that the recently patched Internet Explorer vulnerability, which gained fame after it was used in the attacks on Google earlier this month, is being used to serve malware from a Chinese government domain.

The discovery started with a forum post reporting malware warnings to visitors of latex [dot] gov [dot] cn. Visitors to the site triggered malicious JavaScript, which targeted the Internet Explorer vulnerability and delivered v.exe [detection] to the host system.

Zscaler researchers noted that the shellcode used to exploit the Internet Explorer vulnerability showed a “slight deviation” in its construction, but retained the same structure as previous samples of the exploit code.

The malware detected is a variant of the 'Hupigon' family and, if installed, offers a range of capabilities to the criminals serving it. According to F-Secure research, Hupigon is delivered as part of a malware kit sold online, and comes packaged with a specialized user interface.

Hupigon can act as a keylogger and password stealer, and can control a webcam if one is present. It can also simply open the system to remote control by the attacker; and since it includes rootkit functionality, it is easily hidden from the user.

“This is just one example of this IE 0-day impacting GOV.CN sites; I have seen a few other reports of this,” noted Zscaler’s Mike Geide. “The question is: is it CN Government sponsored for the purposes of potentially spying on its citizens, or have GOV.CN websites been infiltrated by hackers?”

Microsoft issued an out-of-cycle patch to fix the Internet Explorer flaw late last week -- shipping out seven other fixes for the browser along with it.
