Over the past few weeks, I have been fortunate to watch the birth of a new CVE-2012-0158 builder that demonstrates an original technique with excellent results (though not for long). What is a builder, you ask? Well, some attackers/researchers/whatever like to go beyond frameworks like Metasploit and Canvas and create their own one-off tools for generating exploits. Focusing on a single exploit means you can tweak how the payload is built a bit more, and thus evade anti-virus better than the generic solutions do.
I managed to stumble across 26 documents that showed a clear progression from Metasploit to a custom builder solution that was able to achieve extremely low detection rates on an old exploit often found in targeted attacks. Rather than just outing the activity, I thought it would be worthwhile to briefly step through it and identify the new technique introduced.
Activity began on February 13th with the creation of a generic CVE-2010-3333 document. Not much was done to adjust this payload; instead our US-based developer moved on to CVE-2012-0158. Without any changes to a Metasploit-created document, you end up being detected by some 30 anti-virus engines.
What’s interesting to note in these observations are some of the filenames used by the creator. This person knows the file is exploiting CVE-2012-0158, yet he specifically names the file “zeroday_word_X.doc”. Having been contacted by folks trying to sell me 0-days, I am thinking this guy is building documents with low detection in hopes of tricking some fool into buying his latest RTF “0-day”. I saw some chatter about this on Twitter at roughly the same time, so it wouldn’t shock me if that were the situation.
In any case, it’s not often you get to see a new technique come to life in real time. Our friend here was able to achieve some excellent results with a little elbow grease and 24 hours of effort. This again goes back to my statement of why burn an 0-day when you can just use these existing bugs with no issues.