One of the servers, at http:// fvgit.cn/01/index.htm, was hosting malicious code:
http:// fvgit.cn/01/index.htm
http:// fvgit.cn/01/real10.htm
http:// fvgit.cn/01/real11.htm
http:// fvgit.cn/01/fl.htm
http:// fvgit.cn/01/cx.htm
http:// fvgit.cn/01/06014.htm
-http://www. iegif.com/01/DUMete.exe
http:// fvgit.cn/01/I7.htm
http:// fvgit.cn/01/Ix7.htm (IE 7 0Day)
http:// fvgit.cn/01/ff.htm
-http://www. iegif.com/01/DUMete.exe
http:// fvgit.cn/01/xl.htm
However, the website was no longer alive when I wrote this article. The website consisted of several web pages, and the links to them are shown above. Here I would like to focus on MS08-078.
The exploit injects malicious code into memory and initiates the download of a trojan file to the machine.

To decode the Unicode, you can use the FreShow or Malzilla tools.
The VirusTotal result for DUMete.exe can be viewed at:
http://www.virustotal.com/analisis/399358e5ba2ff6973bc3a23e7eca8469
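What the Unicode decoding step mentioned above does, as an added example (not code from this post, FreShow or Malzilla): it converts a `%uXXXX`-escaped string into the bytes the browser would hold in memory and extracts any URL from them. The sample string is constructed with a placeholder host, and the single-byte XOR sweep is a generalisation that assumes a common obfuscation the post does not mention.

```python
import re
import struct

# %uXXXX or \uXXXX is one 16-bit unit; %XX is one character (also 16 bits in a JS string).
ESCAPE_RE = re.compile(r'(?:%u|\\u)([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')
URL_RE = re.compile(rb'https?://[\x21-\x7e]{4,}')

# Constructed sample: four filler bytes, a placeholder URL, a null terminator.
SAMPLE = ("%u9090%u9090%u7468%u7074%u2f3a%u652f%u6178%u706d%u656c"
          "%u692e%u766e%u6c61%u6469%u612f%u652e%u6578%u0000")


def unescape_to_bytes(text):
    """Return the little-endian bytes that unescape(text) would occupy in memory."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(text):
        # Characters between escapes are ordinary UTF-16 code units.
        out += text[pos:m.start()].encode('utf-16-le', 'surrogatepass')
        out += struct.pack('<H', int(m.group(1) or m.group(2), 16))
        pos = m.end()
    out += text[pos:].encode('utf-16-le', 'surrogatepass')
    return bytes(out)


def find_urls(data):
    """Map each URL found to the XOR key that revealed it (0 = stored in clear)."""
    hits = {}
    for key in range(256):
        decoded = bytes(b ^ key for b in data)
        for m in URL_RE.finditer(decoded):
            hits.setdefault(m.group().decode('ascii'), key)
    return hits


if __name__ == '__main__':
    raw = unescape_to_bytes(SAMPLE)
    print(raw.hex())
    for url, key in find_urls(raw).items():
        print(f'key=0x{key:02x} {url}')
```

The byte order matters: `%u7468` is the two bytes `68 74` ("ht") in memory, so reading the hex digits left to right gives the string with every pair of characters swapped.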
On further analysis of this link by IP address, there is a similar website hosted at the same IP address and offering the same exploit.
Anyway, to prevent this, antivirus companies and browser vendors have already marked these websites as malicious sites. :D
Merry Christmas !!