So this morning I was doing my usual malware roundup and looking for anything new or vaguely interesting. Lots of the usual sites all serving the same thing. The pdf exploit (I've a special fondness for this one, see the pentesting failures post), the snapshot_viewer_activex exploit, ms08_053, realplayer11, ms08_011, ms06_014 and a few others. All pretty popular right now.
Then I saw a site that has been floating around serving up malware for a while now. It's been up for about a year I think. It's always had a nice index.htm page with a list of iframes serving up all of the above and some others. I generally have a quick look every now and again and find it's always the same stuff. Lots of reuse of exploits, etc...
Today was a surprise as I found something 'new'. The page has another exploit added. Nothing new about that but it's what the exploit is for that is surprising.
In August a stack overflow exploit in the Iconics Vessel ActiveX control was released. The exploit is in the dlgwrapper.dll [Dialog Wrapper Module ActiveX control]. Tebo and kf wrote a Metasploit exploit module for it. [http://www.milw0rm.com/exploits/6570].
Iconics makes plant automation software for various industries including oil, gas, pharma, airports, etc... SCADA anyone?
A quick decode of the ucs2 encoded payload reveals:
The exploit downloads taskmgr.exe, a dropper that installs a second stage piece of malware. I've not downloaded that as yet so I don't know the actual payload or it's function.
I guess what is interesting to me is that the malware authors have decided to use an exploit that has a somewhat small target audience. I could be wrong as I'm not that familiar with those industries and perhaps the software is really widespread.