Cyberattacks September 2012 – IE Zero-Day Exploited in the Wild
A new zero-day vulnerability affecting Internet Explorer 9 and earlier is being exploited in the wild. If exploited, the vulnerability allows full remote code execution and enables an attacker to take over an affected system. Security researcher Eric Romang discovered the vulnerability and exploit over the weekend while monitoring infected servers said to be used by the alleged Nitro gang. To run the attack, a file named ‘exploit.html’ is the entry point of the attack … According to analysis by VUPEN, the exploit takes advantage of a use-after-free vulnerability in the mshtml.dll component of Internet Explorer. On Monday, Rapid7 released an exploit module for Metasploit, which lets security teams and attackers alike test their systems.
The exploitation chain consists of a few malicious files: exploit[dot]html, Moh2010[dot]swf, Protect[dot]html and 111[dot]exe.
Each of the files plays its own role:
- exploit[dot]html – Loads the Flash file Moh2010[dot]swf as the initial vector for exploitation.
- Moh2010[dot]swf – Performs the heap spray that facilitates arbitrary code execution and loads Protect[dot]html; the file is encrypted using DoSWF.
- Protect[dot]html – Checks the IE version and Windows OS and executes the malicious payload, 111[dot]exe, if the criteria are matched.
The payload executed is the Poison Ivy RAT. It is a dropper similar to the one found in the Java zero-day exploit.
Eric Romang, co-founder of ZATAZ.com, tested the exploit, and it seems to work on an up-to-date Microsoft Windows XP Pro SP3 with an up-to-date Adobe Flash (11,4,402,265). AlienVault Labs further verified this on its blog, noting that the zero-day appears to affect Internet Explorer 7 and 8 and seems to be exploitable at least on Windows XP. Furthermore, Metasploit has integrated the exploit into its framework and demonstrated a successful attack against a Windows 7 machine with Internet Explorer 9 installed.
So far, the C&C servers involved are ie[dot]aq1[dot]co[dot]uk and hello[dot]icon[dot]pk, which resolve to the same IP address, 126.96.36.199, located in the USA.
Recommended mitigations until Microsoft releases a patch:
- Stop using Internet Explorer 7, 8 and 9.
- Block 188.8.131.52 – ie[dot]aq1[dot]co[dot]uk and hello[dot]icon[dot]pk.
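A defender-side way to use the stage files and C&C domains listed above: an added example, not code from the original write-up or from any of the researchers or vendors it cites, that scans constructed proxy log lines for fetches of the four stage files in the described order and for any contact with the two listed C&C domains. The log format, client addresses and the compromised.example / intranet.example host names are assumptions.

```python
import re
from collections import defaultdict

# Indicators from the write-up above, re-fanged for matching (domains only).
C2_DOMAINS = {"ie.aq1.co.uk", "hello.icon.pk"}
# Stage files of the chain, lower-cased, in the order the write-up describes.
CHAIN = ["exploit.html", "moh2010.swf", "protect.html", "111.exe"]

# Assumed minimal Squid-style access line: "<epoch> <client> <status> <method> <url>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{3})\s+(\S+)\s+(\S+)")

def parse_line(line):
    """Return {client, host, filename} for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _ts, client, _status, _method, url = m.groups()
    host, _, path = re.sub(r"^https?://", "", url).partition("/")
    return {"client": client, "host": host.lower(), "filename": path.rsplit("/", 1)[-1].lower()}

def analyze(lines):
    """Flag C&C contacts and, per client, how far into the stage sequence it got."""
    c2_hits = []
    stages = defaultdict(list)  # client -> distinct stage files seen, in order
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["host"] in C2_DOMAINS:
            c2_hits.append((rec["client"], rec["host"]))
        if rec["filename"] in CHAIN and rec["filename"] not in stages[rec["client"]]:
            stages[rec["client"]].append(rec["filename"])
    # Exactly the four stages in the described order suggests the full chain ran.
    full_chain = [c for c, seen in stages.items() if seen == CHAIN]
    partial_chain = [c for c, seen in stages.items() if seen != CHAIN]
    return {"c2_hits": c2_hits, "full_chain": full_chain, "partial_chain": partial_chain}

# Constructed sample log; all hosts other than the two C&C domains are placeholders.
SAMPLE_LOG = """\
1347900001 10.0.0.5 200 GET http://compromised.example/exploit.html
1347900002 10.0.0.5 200 GET http://compromised.example/Moh2010.swf
1347900003 10.0.0.5 200 GET http://compromised.example/Protect.html
1347900004 10.0.0.5 200 GET http://compromised.example/111.exe
1347900005 10.0.0.5 200 GET http://ie.aq1.co.uk/
1347900006 10.0.0.7 200 GET http://intranet.example/index.html
1347900007 10.0.0.9 200 GET http://compromised.example/exploit.html
""".splitlines()

def analyze_sample():
    return analyze(SAMPLE_LOG)
```

A client in `partial_chain` fetched the entry page but not the whole sequence, which is what you would expect when Protect[dot]html's IE/OS checks did not match.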