Internet Security Systems - AlertCon(TM)

SCH and Yahoo! Webcam ActiveX control vulnerabilities

Posted by Mark Vincent Yason on June 15, 2007 at 12:15 PM EDT.

On June 6, 2007 (8pm), our Virus Prevention System (VPS) technology integrated into our Catfish honeypot alerted us to several detections. So, I grabbed the samples and found that they were actually PoCs for two Yahoo! Webcam ActiveX control vulnerabilities. These PoCs were freshly copied from posts in a forum that had gone up just a few hours before (one post at 5:50pm and the other at 7:03pm). The vulnerability had been reported just a day before.

These PoCs were detected by the Shellcode Heuristics (SCH) component in VPS (currently available to Early Access Proventia Desktop customers), and they were detected because they (obviously!) contained shellcode:



The shellcode was even stored in a variable named “shellcode”, well, that’s a giveaway! :)

Humor aside, this pattern is commonplace: whether the target is a known or a 0-day vulnerability, an exploit for a buffer overflow or other memory corruption bug almost always carries shellcode as its payload, because that is the code the attacker needs to run once control of execution is hijacked. This is exactly why we developed SCH: instead of waiting for a signature for each new vulnerability, it looks for the shellcode itself, which is what lets it flag exploitation attempts against known and 0-day vulnerabilities alike.

And, yeah, even if attackers get smart and rename the shellcode variable name from “shellcode” to “not_shellcode_really”, we can still catch it! :)
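To make the idea concrete, here is a small shellcode heuristic written for this post as an added example. It is not ISS's SCH code (the post does not describe SCH's actual heuristics), and every rule in it is an assumption of mine: it decodes the `%uXXXX`, `%XX` and `\xXX` escapes that script-based exploits use to carry binary payloads, then checks the decoded bytes for a NOP sled and for the x86 GetPC idioms that lead most position-independent shellcode. The three sample pages are constructed for the example, not the Yahoo! Webcam PoCs; note that the variable name plays no part in the verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Escape forms commonly used to carry binary payloads in script: %uXXXX
# (a UTF-16 code unit), %XX and \xXX. When a %uXXXX string is sprayed into
# memory the low byte lands first, so %uE8FC becomes the byte pair FC E8.
_ESCAPE_RE = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|\\x([0-9a-fA-F]{2})')

# x86 GetPC idioms found at the head of position-independent shellcode:
# call $+5 followed by pop reg (0x58-0x5F), and the fnstenv [esp-0xC] trick.
# (Assumed heuristics for this example; thresholds are illustrative.)
_GETPC_CALL_POP = re.compile(rb'\xE8\x00\x00\x00\x00[\x58-\x5F]')
_GETPC_FNSTENV = re.compile(rb'\xD9\x74\x24\xF4')


def decode_escapes(script: str) -> bytes:
    """Concatenate every escaped byte in the script, ignoring plain text.

    Joining across string literals is deliberate: exploit pages build the
    payload from several "..." + "..." fragments.
    """
    out = bytearray()
    for m in _ESCAPE_RE.finditer(script):
        if m.group(1):
            unit = int(m.group(1), 16)
            out += bytes((unit & 0xFF, unit >> 8))
        elif m.group(2):
            out.append(int(m.group(2), 16))
        else:
            out.append(int(m.group(3), 16))
    return bytes(out)


def longest_run(data: bytes, value: int) -> int:
    """Length of the longest run of a single byte value (NOP sled check)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


@dataclass
class Finding:
    decoded_len: int
    nop_sled: bool = False
    getpc: bool = False
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.nop_sled or self.getpc


def scan(script: str, min_len: int = 32, sled_len: int = 16) -> Finding:
    """Decode the escapes in a script and apply the shellcode heuristics."""
    data = decode_escapes(script)
    finding = Finding(decoded_len=len(data))
    if len(data) < min_len:          # short escaped strings are normal text
        return finding
    run = longest_run(data, 0x90)
    if run >= sled_len:
        finding.nop_sled = True
        finding.reasons.append(f"NOP sled of {run} bytes")
    if _GETPC_CALL_POP.search(data):
        finding.getpc = True
        finding.reasons.append("GetPC: call $+5 / pop")
    if _GETPC_FNSTENV.search(data):
        finding.getpc = True
        finding.reasons.append("GetPC: fnstenv [esp-0xC]")
    return finding


# Constructed samples, not the PoCs from the post. The payload is a 16-byte
# NOP sled followed by a generic XOR decoder stub that opens with
# cld; call $+5; pop esi (bytes FC E8 00 00 00 00 5E).
_PAYLOAD = ('"%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090" +\n'
            '"%uE8FC%u0000%u0000%u315E%uB1C9%u8020%uAA36%uE246%u90FA"')
SAMPLE_NAMED = f'<script>var shellcode = unescape({_PAYLOAD});</script>'
SAMPLE_RENAMED = f'<script>var not_shellcode_really = unescape({_PAYLOAD});</script>'
# Benign: a UTF-16 escaped text string of comparable length, no sled, no GetPC.
SAMPLE_BENIGN = ('<script>document.write(unescape("'
                 + ''.join('%%u%04X' % ord(c) for c in 'Hello, this is an ordinary page')
                 + '"));</script>')

if __name__ == '__main__':
    for name, page in (('named', SAMPLE_NAMED), ('renamed', SAMPLE_RENAMED),
                       ('benign', SAMPLE_BENIGN)):
        f = scan(page)
        print(f'{name:8s} decoded={f.decoded_len:3d} suspicious={f.suspicious} {f.reasons}')
```

The renamed sample produces exactly the same finding as the one whose variable is called "shellcode", while the benign page decodes to a longer byte string and still passes, because the verdict is driven by what the bytes look like once decoded, not by the surrounding JavaScript. A real engine would add more idioms (SEH-based GetPC, common decoder loops, API-hashing constants) and tune the thresholds against a corpus of benign pages.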

More information about Shellcode Heuristics technology can be found on the following link:
X-Force Threat Insight Monthly (February, 2007)

More information about the Yahoo! Webcam ActiveX control vulnerabilities can be found on the following links:
Yahoo! Messenger Webcam Viewer ActiveX control buffer overflow
Yahoo! Messenger Webcam Upload ActiveX control buffer overflow

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.