Zero-day exploit“sandworm”how to step by step enter your system Microsoft on patch today May to-vulnerability warning-the black bar safety net

ID MYHACK58:62201454741
Type myhack58
Reporter 佚名
Modified 2014-10-17T00:00:00


! 0 9at Microsoft this month the Update Patch before the release, Trend Micro yesterday released the latest zero-day vulnerability“sandworm”(CVE-2 0 1 4-4 1 1 4)of the analysis report, the safety of cattle is considered that the vulnerability analysis is by far the most clear and easy to understand, and therefore quickly sorted out for everyone to share.

“Sand worms”(sandworm)vulnerability affecting vista, win7 desktopoperating systemas well as Windows 2008 Serveroperating system, the data of the vulnerability being Russian cyber-espionage organization used to attack NATO. The vulnerability exists in a Dynamic Link Library File PACKAGER. DLL file is a Windows object linking and embedding function of the component. Hackers can carefully construct a PPT document, through a remote shared folder copy a. INF file and install to the system. An attacker can use this logic flaw to perform additional malicious software.

The vulnerability of the high danger that the use is very simple, since it belongs to a logical flaw, an attacker would need to establish a Shellcode or return oriented programming ROP, a bypass Data Execution protection method is executable malware, which is very difficult to be the majority of heuristic detection method detected.

Sandworms may be the user is not aware or to allow the case, by following step 2 of“drill”into your system:

  1. From a remote shared folder to copy files;

  2. Install the downloaded. The INF file.

By. PPSX file analysis of samples(MD5 hash: 330e8d23ab82e8a0ca6d166755408eb1)to understand its implementation process. Unravel the attacker carefully constructed. ppsx file, which reads as follows:


The following is oleObject1. bin and oleObject2. bin content, it has been pointed out that the statement of the OLE object is located in a remote shared folder:



And in the Slide1. xml, you can see 2 Shell packaged object rid4 and rid5 is:

[1] [2] next