http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/ [no longer available] last zero day exploit on Java we reported some weeks ago it appears that a new 0day has been found in Internet Explorer by the same authors that created the Java one.
Yesterday, Eric Romang reported the findings of a new exploit code on the same server that the Java 0day was found some weeks ago. The new vulnerability appears to affect Internet Explorer 7 and 8 and seems to be exploitable at least on Windows XP.
The exploit code found in the server works as follow:
- The file exploit.html creates the initial vector to exploit the vulnerability and loads the flash file Moh2010.swf.
- Moh2010.swf is a flash file encrypted using DoSWF
http://www.doswf.com [no longer available]. We’ve seen the usage of DoSWF in the exploit code of other targeted attacks such as:
http://labs.alienvault.com/labs/index.php/2012/several-targeted-attacks-exploiting-adobe-flash-player-cve-2012-0779/ [no longer available] Several Targeted Attacks exploiting Adobe Flash Player (CVE-2012-0779)
The Flash file is in charge of doing the heap spray. Then it loads Protect.html
Due to the usage of DoSWF, the malicious code is encrypted. The easiest way to obain the decrypted content is executing the file within Internet Explorer and attaching to the process once the content is decrypted. Then you can obtain the raw content when we can find the following Bytearray declared:
If we obtain the raw content of the hexadecimal string and then we apply a XOR “E2” operation we can obtain the following bytes that contains the URL of the malicious payload.
- Protect.html checks if the system is running Internet Explorer version 7 or 8 under Windows XP. If the victim satisfies those conditions, the vulnerability is triggered and the malicious payload is executed.
The payload dropped is Poison Ivy as in the
http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/previous Java 0day [no longer available].
The C&C server configured is ie.aq1.co.uk that is currently resolving to 126.96.36.199:
We’ve also seen that the domain used in the previous attacks hello.icon.pk is also pointing to the new IP address.
Once executed, the payload creates the file C:WINDOWSsystem32mspmsnsv.dll and the service WmdmPmSN is configured and started.
It seems the Metasploit guys are already woking on a Metasploit module so let’s see how fast Microsoft handle the issue.
More info coming soon!
You can download the following Yara rule
http://alienvault-labs-garage.googlecode.com/files/ie80day.yara [no longer available] to match both exploit versions.