有人在pastebin上贴了个分析,原始地址:http://pastebin.com/64pBCgbw。
Some unnoticed facts about cve-2013-3906 1. Embedded in cve-2013-3906 exploit are Excel Russian files.View post on imgur.comMeans: fuzzing artifacts or intended decoy. 2. Embedded in cve-2013-3906 exploit Excel files are not required for triggering and exploitation of the vulnerability. Means: exploit acquired for hacking campaigns to be used 'as is', rather than produced in-lab. 3. All known samples of cve-2013-3906 from all hacking campaigns have same useless XLS embeddings inside. Means: one exploit seller, brainless tool usage. 4. First submission of cve-2013-3906 to VirusTotal was on 2013-07-07 (JoseMOlazagasti.docx, MY, NL, DK, other EU). http://cryptam.com/docsearch.php?sha256=2c48b4b75db16a32f2ea872454c5cb0fe281302d2d6a18d5bdc98c64f31dd2d6 https://www.virustotal.com/ru/file/2c48b4b75db16a32f2ea872454c5cb0fe281302d2d6a18d5bdc98c64f31dd2d6/analysis/1373962220/ Means: @fireeye research is missing at least one hacking group/campaign. 5. First appearance of cve-2013-3906 in the wild (2013-07-07) was mistaken by @avast_antivirus for cve-2012-0158. http://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/ https://www.virustotal.com/ru/file/2c48b4b75db16a32f2ea872454c5cb0fe281302d2d6a18d5bdc98c64f31dd2d6/analysis/1373962220/ https://www.virustotal.com/ru/file/2c48b4b75db16a32f2ea872454c5cb0fe281302d2d6a18d5bdc98c64f31dd2d6/analysis/ Means: shame. 6. First submission of cve-2013-3906 internals (tiff, ActiveX) to VirusTotal was on September (TW,IN,IS). Not by previously attacked EU. Not reported until November. https://www.virustotal.com/ru/file/f9f82073a52aec988a14f19ffce79ed716a88fe9bf70b55919d47bc0464276ba/analysis/#additional-info https://www.virustotal.com/ru/file/2cfaf996f64ba5b370dd3a92e2e255474267bb4fe68933faa052625773d2da22/analysis/#additional-info (see Additional info section) Means: unqualified incident response or testing/analysis by 0day-interested parties. 7. In beginning of October, a few named and very single samples of cve-2013-3906 were submitted to VirusTotal (mostly US). 2013-10-01 21:01:52 Illegality_Supply details.docx https://www.virustotal.com/ru/file/c8367b47ade998dff759ee149ffa72276c8b71ccb45d4203a93dd7edafe14cbe/analysis/ 2013-10-07 18:27:25 Re-credit.docx_ https://www.virustotal.com/ru/file/b238d7d16fd0ccba6c15ea5670ed67c155469c36a3645b12d37f8e11ea153b9d/analysis/ 2013-10-07 20:28:38 Swift Message $288,550 USD.docx https://www.virustotal.com/ru/file/5ad4c6d89a847535fac398c431c3e4e247e2d5313e493ac72cc6c88e8db7b725/analysis/ …… Means: incident response of a campaign against one-shot targets or 0day exploit testing. Summary The cve-2013-3906 exploit was produced most likely by a Russian developer around March 2013 (ref:EXIF) and sold to multiple parties, beginning from July, 2013. The exploit was used in 3 (at least) distinct hacking campaigns: #1 in July 2013 and against Europe, #2 & #3 in October 2013 and against Middle East and Asia. The exploit remained unnoticed for 2 months, and was detected shortly after beginning of the 2nd/3rd campaigns (possibly due to their connection with known malware Citadel). Some parties involved in campaigns ordering and production may reside in Taiwan, India, Israel and the United States. Previous research http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx http://blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2 http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both-targeted-attacks-and-crimeware-campaigns.html#more-3703 http://www.securelist.com/ru/blog/207768960/Novyy_staryy_0day_dlya_Microsoft_Office_CVE_2013_3906 http://pastebin.ca/2474735 @alisaesage
这脸打得真是啪啪响。
如果不是McAfee的Advanced Exploit Detection System有所动静加上之后的详细分析和确认,很可能各大厂商会继续忽略。从他们的博客来看,AEDS应该还没投入到产品中。