New Internet Explorer zero day being exploited in the wild

September 17, 2012 | Jaime Blasco

After the last Java zero-day exploit we reported on some weeks ago (http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/ [no longer available]), it appears that a new 0day has been found in Internet Explorer, apparently by the same authors who created the Java one.

Yesterday, Eric Romang reported finding new exploit code on the same server where the Java 0day was found some weeks ago. The new vulnerability appears to affect Internet Explorer 7 and 8, and seems to be exploitable at least on Windows XP.

The exploit code found on the server works as follows:

- The file exploit.html sets up the initial vector to exploit the vulnerability and loads the Flash file Moh2010.swf.

- Moh2010.swf is a Flash file encrypted using DoSWF (http://www.doswf.com [no longer available]). We have seen DoSWF used in the exploit code of other targeted attacks, such as:

  - Several Targeted Attacks exploiting Adobe Flash Player (CVE-2012-0779): http://labs.alienvault.com/labs/index.php/2012/several-targeted-attacks-exploiting-adobe-flash-player-cve-2012-0779/ [no longer available]

The Flash file is in charge of the heap spray. It then loads Protect.html.

Because of the DoSWF encryption, the malicious ActionScript is not readable on disk. The easiest way to obtain the decrypted content is to run the file in Internet Explorer and attach a debugger to the process once the content has been decrypted in memory. From the process memory you can then dump the raw content, where the ByteArray holding the hexadecimal string is declared.

Taking the raw content of that hexadecimal string and applying a XOR with the key byte 0xE2 yields bytes that contain the URL of the malicious payload.
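The decoding step described above, as an added example that is not code from the original post or from the sample: hex-decode the string, XOR every byte with 0xE2 (the key the post names) and pull the URL out of the result. The hex blob below is constructed for this example by encoding a placeholder URL (example.invalid), not the real sample's data, and the brute-force helper goes beyond the post by trying all 256 single-byte keys for cases where the key is not yet known.

```python
# Added example (not the original post's code): recover the XOR-obfuscated
# payload URL stored as a hex string inside the DoSWF-encrypted Flash file.
# The key byte 0xE2 is the one the post describes. SAMPLE_HEX is CONSTRUCTED
# here from a placeholder URL; it is not data from the real sample.

import re
from typing import List, Optional, Tuple

XOR_KEY = 0xE2

# A URL starts with http:// or https:// and runs until the first
# non-printable byte; that is enough to carve it out of a decoded blob.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the same op encodes and decodes)."""
    return bytes(b ^ key for b in data)


def hex_to_bytes(hex_string: str) -> bytes:
    """Hex-decode a string, ignoring spaces, newlines and other separators."""
    return bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", hex_string))


def decode_hex_xor(hex_string: str, key: int = XOR_KEY) -> bytes:
    """Hex-decode the string and XOR it with key, as the post describes."""
    return xor_bytes(hex_to_bytes(hex_string), key)


def extract_url(data: bytes) -> Optional[str]:
    """Return the first URL found in the decoded bytes, or None."""
    m = URL_RE.search(data)
    return m.group(0).decode("ascii") if m else None


def brute_force_key(hex_string: str) -> List[Tuple[int, str]]:
    """Generalisation beyond the post: try every single-byte key and keep the
    ones whose output contains a URL. Handy when the key is unknown."""
    raw = hex_to_bytes(hex_string)
    hits = []
    for key in range(256):
        url = extract_url(xor_bytes(raw, key))
        if url is not None:
            hits.append((key, url))
    return hits


# Constructed sample: a placeholder URL, XORed with 0xE2 and rendered as the
# kind of spaced, upper-case hex string you would copy out of a memory dump.
PLACEHOLDER_URL = b"http://example.invalid/update.exe"
SAMPLE_HEX = " ".join(
    f"{b:02X}" for b in xor_bytes(b"\x00\x00" + PLACEHOLDER_URL + b"\x00", XOR_KEY)
)

if __name__ == "__main__":
    decoded = decode_hex_xor(SAMPLE_HEX)
    print("decoded bytes:", decoded)
    print("payload URL  :", extract_url(decoded))
    print("keys yielding a URL:", brute_force_key(SAMPLE_HEX))
```

Paste the hex string dumped from the ByteArray into `decode_hex_xor()`; if the key in a new variant differs, `brute_force_key()` will normally single it out, since only the right key turns the bytes into something starting with `http://`.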

- Protect.html checks whether the system is running Internet Explorer 7 or 8 on Windows XP. If the victim satisfies those conditions, the vulnerability is triggered and the malicious payload is executed.

The payload dropped is Poison Ivy, as in the previous Java 0day (http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/ [no longer available]):

https://www.virustotal.com/file/85ad20e922f5e9d497ec06ff8db5af81fbdcbb6e8e63dc426b8faf40d5cc32c6/analysis/

The configured C&C server is ie.aq1.co.uk, which currently resolves to 12.163.32.15.

We have also seen that hello.icon.pk, the domain used in the previous attacks, now points to the same IP address.

Once executed, the payload creates the file C:\WINDOWS\system32\mspmsnsv.dll, and the service WmdmPmSN is configured and started.
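The indicators above (the two domains, the IP, the VirusTotal SHA-256, the dropped DLL and the service name) are the ones a practitioner would sweep logs for. The following is an added example, not code from the original post: it runs those indicators over a handful of constructed DNS, firewall and host-event log lines. The log formats are assumed for the example; the indicator values are the ones the post lists. Note that the post says the domains "currently" resolve to that IP, so the network indicators are dated and should be re-verified before anyone alerts on them.

```python
# Added example (not from the original post): sweep log lines for the
# indicators the post lists. The indicator values are from the post; the log
# lines and their formats are CONSTRUCTED for this example.

import re
from typing import List, Tuple

# Indicators from the post. The domain/IP pairing was only "currently"
# true when the post was written: treat them as dated and re-check them.
IOC_DOMAINS = {"ie.aq1.co.uk", "hello.icon.pk"}
IOC_IPS = {"12.163.32.15"}
IOC_SHA256 = {"85ad20e922f5e9d497ec06ff8db5af81fbdcbb6e8e63dc426b8faf40d5cc32c6"}
IOC_FILES = {r"c:\windows\system32\mspmsnsv.dll"}
IOC_SERVICES = {"wmdmpmsn"}

# Token extractors; matching is done against the lower-cased token so that
# case differences in logs do not hide a hit.
DOMAIN_RE = re.compile(r"\b[a-z0-9.-]+\.[a-z]{2,}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
WINPATH_RE = re.compile(r"[a-z]:\\[^\s\"']+", re.I)
# Assumed log convention: the service name follows "service=" or "service:".
SERVICE_RE = re.compile(r"service[=:\s]+\"?([A-Za-z0-9_.-]+)", re.I)


def iocs_in_line(line: str) -> List[Tuple[str, str]]:
    """Return (indicator_type, value) for every indicator seen in one line."""
    hits: List[Tuple[str, str]] = []
    for d in DOMAIN_RE.findall(line):
        if d.lower() in IOC_DOMAINS:
            hits.append(("domain", d.lower()))
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for h in SHA256_RE.findall(line):
        if h.lower() in IOC_SHA256:
            hits.append(("sha256", h.lower()))
    for p in WINPATH_RE.findall(line):
        if p.lower() in IOC_FILES:
            hits.append(("path", p.lower()))
    for s in SERVICE_RE.findall(line):
        if s.lower() in IOC_SERVICES:
            hits.append(("service", s.lower()))
    return hits


def sweep(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_type, value) for every hit in the log."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, value in iocs_in_line(line):
            findings.append((n, kind, value))
    return findings


# CONSTRUCTED log lines: two compromised hosts talking to the C&C, one benign
# DNS lookup, the service install and a benign file event for contrast.
SAMPLE_LOG = [
    r"2012-09-17T10:02:11Z dns client=10.0.0.23 query=ie.aq1.co.uk type=A answer=12.163.32.15",
    r"2012-09-17T10:02:12Z fw src=10.0.0.23 dst=12.163.32.15 dport=443 action=allow",
    r"2012-09-17T10:02:13Z dns client=10.0.0.40 query=www.example.com type=A answer=93.184.216.34",
    r"2012-09-17T10:02:15Z host=ws23 event=service_install service=WmdmPmSN path=C:\WINDOWS\system32\mspmsnsv.dll",
    r"2012-09-17T10:02:16Z host=ws23 event=file_create path=C:\Users\bob\notes.txt sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    r"2012-09-17T10:02:17Z host=ws23 event=file_create path=C:\WINDOWS\Temp\a.exe sha256=85ad20e922f5e9d497ec06ff8db5af81fbdcbb6e8e63dc426b8faf40d5cc32c6",
    r"2012-09-17T10:02:20Z dns client=10.0.0.55 query=hello.icon.pk type=A answer=12.163.32.15",
]

if __name__ == "__main__":
    for n, kind, value in sweep(SAMPLE_LOG):
        print(f"line {n}: {kind} {value}")
```

The host indicators (the DLL path and the WmdmPmSN service) are the more durable of the set; a real Poison Ivy operator can move C&C domains and IPs far faster than they can change the dropper, which is also why the post's Yara rule is worth more than the IP.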

It seems the Metasploit folks are already working on a module, so let's see how fast Microsoft handles the issue.

More info coming soon!

Update:

Metasploit has released a working exploit.

You can download the following Yara rule to match both exploit versions: http://alienvault-labs-garage.googlecode.com/files/ie80day.yara [no longer available]

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.