
Symantec Security Response has observed web-based exploit attacks using a previously unknown vulnerability in the Xunlei Thunder PPlayer ActiveX control. This control is a component of Xunlei Thunder 5.7.4 401, a Chinese download accelerator and file-sharing application.



The attack originates from a server on the 522love.cn domain. If a user navigates to the site, a Web page hosted there runs client-detection code that fingerprints the visiting browser and its installed components, then selects the exploit most likely to succeed against that client and sends it back. This is the same approach used by the MPack attack kit, which is already in wide use. We have seen a whole range of vulnerabilities, both new and old, served by this site, including the following:



Xunlei Thunder PPLAYER.DLL_1_WORK ActiveX Control Buffer Overflow Vulnerability
Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability
SSReader Ultra Star Reader ActiveX Control Register Method Buffer Overflow Vulnerability
BaoFeng Storm MPS.DLL ActiveX Control Multiple Remote Buffer Overflow Vulnerabilities
PPStream PowerPlayer.DLL ActiveX Control Buffer Overflow Vulnerability
Xunlei Web Thunder ActiveX Control DownURL2 Method Remote Buffer Overflow Vulnerability
Microsoft Windows Vector Markup Language Buffer Overrun Vulnerability
Microsoft Windows Cursor And Icon ANI Format Handling Remote Buffer Overflow Vulnerability



Successful exploitation of the client yields code execution in the browser's context, which the attackers use to download and install additional malicious files. These files are currently detected by Symantec as Downloader and Trojan.Maliframe!html.



Until a vendor patch is available, users can minimize their risk of exposure by avoiding unknown or untrusted URLs, such as those sent in spam emails and unsolicited instant messages, disabling JavaScript and ActiveX in their Web browser, and ensuring that their antivirus software is up to date. Administrators can also set the kill bit for the affected control's class identifier (CLSID) in the registry, which stops Internet Explorer from instantiating the control at all while leaving the application itself installed.



Update:

Upon further analysis we have discovered that the following vulnerabilities are also used on this Web server:

Yahoo! Webcam ActiveX Control Buffer Overrun Vulnerability
Baidu Soba Search Bar BaiduBar.DLL ActiveX Control Remote Code Execution Vulnerability



Clearly this operation tries to cover its bases well in terms of market coverage. However, on closer inspection we have also found that the server appears to be misconfigured: the client-detection and exploit-selection code is appended to everything the server serves up, HTML, data and binary files included. As a result, clients receiving the content may behave unpredictably in many cases, often crashing the browser. Perhaps the quality control department had a bad day at the office.
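The two server-side traits described in this post, exploit-selection script that instantiates ActiveX controls and hands them overflow-sized arguments, and that same script appended to responses that are not HTML at all, are both easy to spot in captured HTTP traffic. The scanner below is an added example written for this page; it is not Symantec's code and not code from the attack site. The sample responses, the script text and the ProgID "Example.Control" are constructed for the example; the one genuine identifier is BD96C556-65A3-11D0-983A-00C04FC29E36, the CLSID of the MDAC RDS.Dataspace control listed above.

```python
"""Scan captured (Content-Type, body) pairs for ActiveX exploit traits.

Added example for this post, not the post's own code. Flags three things:
ActiveX instantiation (ProgID or CLSID), a string literal long enough to be
an overflow payload inside a <script> block, and a <script> block sitting in
a response whose Content-Type is not HTML (the misconfiguration described
above, where the server appended its script to every file it served).
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

ACTIVEX_PROGID = re.compile(rb'ActiveXObject\(\s*["\']([^"\']+)["\']', re.I)
OBJECT_CLSID = re.compile(rb'classid\s*=\s*["\']?clsid:([0-9a-f-]{36})', re.I)
SCRIPT_BLOCK = re.compile(rb'<script\b.*?</script>', re.I | re.S)
# A literal of 512+ characters inside a script block is a crude but useful
# marker for the oversized arguments these exploits pass to control methods.
LONG_LITERAL = re.compile(rb'["\']([^"\'<>]{512,})["\']')

HTML_TYPES = {"text/html", "application/xhtml+xml"}


@dataclass
class Finding:
    content_type: str
    appended_script: bool = False          # <script> in a non-HTML response
    progids: List[str] = field(default_factory=list)
    clsids: List[str] = field(default_factory=list)
    long_literal: bool = False             # overflow-sized string argument


def scan_response(content_type: str, body: bytes) -> Finding:
    """Return what the response contains; decide separately with suspicious()."""
    f = Finding(content_type=content_type.split(";")[0].strip().lower())
    scripts = SCRIPT_BLOCK.findall(body)
    # Script in a GIF, EXE or data file is the misconfiguration from the post.
    if scripts and f.content_type not in HTML_TYPES:
        f.appended_script = True
    f.progids = sorted({m.decode("latin-1") for m in ACTIVEX_PROGID.findall(body)})
    f.clsids = sorted({m.decode("latin-1").upper() for m in OBJECT_CLSID.findall(body)})
    f.long_literal = any(LONG_LITERAL.search(s) for s in scripts)
    return f


def suspicious(f: Finding) -> bool:
    return f.appended_script or f.long_literal or bool(f.progids or f.clsids)


# Constructed samples (not captures from the real server). The script body
# and "Example.Control" are hypothetical; the CLSID below is the real one
# for MDAC RDS.Dataspace.
APPENDED = (b'<script>var ua=navigator.userAgent;'
            b'try{new ActiveXObject("RDS.Dataspace");}catch(e){}</script>')

SAMPLES: List[Tuple[str, bytes]] = [
    # Plain HTML page with the selection script appended: normal place for script.
    ("text/html", b"<html><body>welcome</body></html>" + APPENDED),
    # A GIF with the same script appended: the misconfiguration.
    ("image/gif", b"GIF89a" + b"\x00\x01\x02" * 40 + APPENDED),
    # A clean binary, nothing appended.
    ("application/octet-stream", b"MZ\x90\x00" + b"\x00" * 64),
    # Page instantiating a control by CLSID and feeding a 1024-byte argument
    # to a method, the shape of the overflow exploits listed in the post.
    ("text/html",
     b'<html><object id="o" classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36">'
     b'</object><script>var x=new ActiveXObject("Example.Control");'
     b'x.Register("' + b"A" * 1024 + b'");</script></html>'),
]


def scan_all(samples: List[Tuple[str, bytes]] = SAMPLES) -> List[Finding]:
    return [scan_response(ct, body) for ct, body in samples]


if __name__ == "__main__":
    for finding in scan_all():
        print("SUSPICIOUS" if suspicious(finding) else "ok       ", finding)
```

On real traffic, feed `scan_response` the Content-Type header and raw body of each response from a proxy log or pcap; a non-HTML response that trips `appended_script` is exactly the symptom the post describes, and is also why visitors saw browser crashes.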

