Some unnoticed facts about cve-2013-3906

a guest, Nov 11th, 2013
1. Embedded in the cve-2013-3906 exploit are Russian Excel files.
http://i.imgur.com/rq0pIeD.png

Means: fuzzing artifacts or an intended decoy.

2. The Excel files embedded in the cve-2013-3906 exploit are not required for triggering or exploiting the vulnerability.

Means: the exploit was acquired for hacking campaigns and used 'as is', rather than produced in-lab.

3. All known samples of cve-2013-3906 from all hacking campaigns have the same useless XLS embeddings inside.

Means: one exploit seller, brainless tool usage.
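A quick way for a responder to check the observation in points 1-3 (the same XLS embedding across samples) is to hash every embedded part of each .docx and cluster samples by those hashes. This is an added example, not code from the paste; the three sample documents are constructed in memory with dummy bytes that only mimic the OOXML part layout (word/embeddings/, word/media/).

```python
import hashlib
import io
import zipfile
from collections import defaultdict

# OOXML parts where Word stores embedded OLE objects and images (e.g. TIFF).
EMBEDDED_PREFIXES = ("word/embeddings/", "word/media/")


def embedded_part_hashes(docx_bytes: bytes) -> dict:
    """Return {part_name: sha256_hex} for every embedded/media part in a .docx."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.startswith(EMBEDDED_PREFIXES) and not info.is_dir():
                hashes[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes


def cluster_by_embedding(samples: dict) -> dict:
    """Group sample labels by the sha256 of each embedded part they contain.

    Two samples that share a digest carry a byte-identical embedding, which is
    what the paste reports for all known cve-2013-3906 documents.
    """
    clusters = defaultdict(set)
    for label, data in samples.items():
        for digest in embedded_part_hashes(data).values():
            clusters[digest].add(label)
    return {digest: sorted(labels) for digest, labels in clusters.items()}


def _make_docx(parts: dict) -> bytes:
    """Build a minimal zip with the given {name: bytes}; constructed test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: A and B share one dummy XLS blob, C carries a different one.
SHARED_XLS = b"\xd0\xcf\x11\xe0dummy-shared-xls"
SAMPLES = {
    "campaign1.docx": _make_docx({"word/embeddings/oleObject1.bin": SHARED_XLS,
                                  "word/media/image1.tif": b"II*\x00dummy-tiff-a"}),
    "campaign2.docx": _make_docx({"word/embeddings/oleObject1.bin": SHARED_XLS,
                                  "word/media/image1.tif": b"II*\x00dummy-tiff-b"}),
    "unrelated.docx": _make_docx({"word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0other"}),
}

if __name__ == "__main__":
    for digest, labels in cluster_by_embedding(SAMPLES).items():
        print(digest[:16], labels)
```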

4. The first submission of cve-2013-3906 to VirusTotal was on 2013-07-07 (JoseMOlazagasti.docx; MY, NL, DK, other EU).

http://cryptam.com/docsearch.php?sha256=2c48b4b75db16a32f2ea872454c5cb0fe281302d2d6a18d5bdc98c64f31dd2d6
https://www.virustotal.com/ru/file/2c48b4b75db16a32f2ea872454c5cb0fe281302d2d6a18d5bdc98c64f31dd2d6/analysis/1373962220/

Means: @fireeye research is missing at least one hacking group/campaign.

5. The first appearance of cve-2013-3906 in the wild (2013-07-07) was mistaken by @avast_antivirus for cve-2012-0158.

http://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/
https://www.virustotal.com/ru/file/2c48b4b75db16a32f2ea872454c5cb0fe281302d2d6a18d5bdc98c64f31dd2d6/analysis/1373962220/
https://www.virustotal.com/ru/file/2c48b4b75db16a32f2ea872454c5cb0fe281302d2d6a18d5bdc98c64f31dd2d6/analysis/

Means: shame.

6. The first submission of cve-2013-3906 internals (TIFF, ActiveX) to VirusTotal was in September (TW, IN, IS), not by the previously attacked EU. Not reported until November.

https://www.virustotal.com/ru/file/f9f82073a52aec988a14f19ffce79ed716a88fe9bf70b55919d47bc0464276ba/analysis/#additional-info
https://www.virustotal.com/ru/file/2cfaf996f64ba5b370dd3a92e2e255474267bb4fe68933faa052625773d2da22/analysis/#additional-info
(see the Additional info section)

Means: unqualified incident response, or testing/analysis by 0day-interested parties.

7. In the beginning of October, a few named, one-off samples of cve-2013-3906 were submitted to VirusTotal (mostly US).

2013-10-01 21:01:52      Illegality_Supply details.docx
https://www.virustotal.com/ru/file/c8367b47ade998dff759ee149ffa72276c8b71ccb45d4203a93dd7edafe14cbe/analysis/
2013-10-07 18:27:25      Re-credit.docx_
https://www.virustotal.com/ru/file/b238d7d16fd0ccba6c15ea5670ed67c155469c36a3645b12d37f8e11ea153b9d/analysis/
2013-10-07 20:28:38      Swift Message $288,550 USD.docx
https://www.virustotal.com/ru/file/5ad4c6d89a847535fac398c431c3e4e247e2d5313e493ac72cc6c88e8db7b725/analysis/
……

Means: incident response to a campaign against one-shot targets, or 0day exploit testing.


Summary

The cve-2013-3906 exploit was most likely produced by a Russian developer around March 2013 (ref: EXIF) and sold to multiple parties beginning in July 2013. The exploit was used in at least 3 distinct hacking campaigns: #1 in July 2013 against Europe, #2 and #3 in October 2013 against the Middle East and Asia. The exploit remained unnoticed for 2 months and was detected shortly after the beginning of the 2nd/3rd campaigns (possibly due to their connection with the known malware Citadel). Some parties involved in ordering and producing the campaigns may reside in Taiwan, India, Israel and the United States.


Previous research

http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx
http://blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2
http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both-targeted-attacks-and-crimeware-campaigns.html#more-3703
http://www.securelist.com/ru/blog/207768960/Novyy_staryy_0day_dlya_Microsoft_Office_CVE_2013_3906
http://pastebin.ca/2474735


@alisaesage