URI Handling Vulnerability and RBN

Thursday, October 25. 2007
The URL handling vulnerability in Windows XP and Windows Server 2003 is being actively exploited in the wild, according to a posting to the full-disclosure mailing list. The PDF file attached to that mail contains an exploit for this vulnerability; its shellcode downloads a binary via FTP from 81.95.146.130. A whois lookup of this IP shows that it belongs to RBN, the Russian Business Network, which has been in the press quite often recently.

The downloaded binary injects itself into several Windows processes and collects various information from the infected machine. This data is then sent to http://81.95.147.107/cgi-bin/pstore.cgi, another IP address within the RBN network. A complete CWSandbox analysis of the binary is also available.
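The two network indicators in this post (the FTP download host and the pstore.cgi upload URL) are easy to hunt for in proxy logs. The following is an added example, not code from the original post or from CWSandbox; the log lines are constructed in the Squid native access.log layout, and the client addresses are hypothetical.

```python
from urllib.parse import urlsplit

# Indicators taken from the post above.
RBN_DOWNLOAD_IP = "81.95.146.130"
RBN_EXFIL_URL = "http://81.95.147.107/cgi-bin/pstore.cgi"
RBN_EXFIL_IP = urlsplit(RBN_EXFIL_URL).hostname
RBN_EXFIL_PATH = urlsplit(RBN_EXFIL_URL).path

# Constructed sample lines (Squid native format):
# timestamp elapsed client action/code size method url user hierarchy/peer type
SAMPLE_LOG = """\
1193300001.123 210 10.0.0.17 TCP_MISS/200 4120 GET http://www.example.com/index.html - DIRECT/203.0.113.5 text/html
1193300012.456 980 10.0.0.17 TCP_MISS/200 65536 GET ftp://81.95.146.130/update.exe - DIRECT/81.95.146.130 application/octet-stream
1193300045.789 120 10.0.0.17 TCP_MISS/200 312 POST http://81.95.147.107/cgi-bin/pstore.cgi - DIRECT/81.95.147.107 text/plain
1193300050.000 90 10.0.0.23 TCP_MISS/200 2211 GET http://81.95.147.107/images/logo.gif - DIRECT/81.95.147.107 image/gif
"""


def classify(url):
    """Return the indicator name a proxied URL matches, or None."""
    parts = urlsplit(url)
    host = parts.hostname
    if host == RBN_DOWNLOAD_IP:
        # The post describes an FTP fetch; other contact with the host is still suspicious.
        return "rbn_ftp_download" if parts.scheme == "ftp" else "rbn_host_contact"
    if host == RBN_EXFIL_IP:
        # The full pstore.cgi URL is the strong hit; any other path on that host is a weaker one.
        return "rbn_pstore_exfil" if parts.path == RBN_EXFIL_PATH else "rbn_host_contact"
    return None


def scan_log(text):
    """Return (client_ip, indicator, url) for every log line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line
        client, url = fields[2], fields[6]
        tag = classify(url)
        if tag:
            hits.append((client, tag, url))
    return hits


if __name__ == "__main__":
    for client, tag, url in scan_log(SAMPLE_LOG):
        print(f"{client} {tag} {url}")
```

A client that shows both the FTP download and the later POST to pstore.cgi, as 10.0.0.17 does in the sample, matches the full infection sequence described in the post.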
