New Internet Explorer zero day being exploited in the wild

September 17, 2012  |  Jaime Blasco

After the [no longer available] last zero day exploit on Java we reported some weeks ago it appears that a new 0day has been found in Internet Explorer by the same authors that created the Java one.

Yesterday, Eric Romang reported the findings of a new exploit code on the same server that the Java 0day was found some weeks ago. The new vulnerability appears to affect Internet Explorer 7 and 8 and seems to be exploitable at least on Windows XP.

The exploit code found in the server works as follow:

- The file exploit.html creates the initial vector to exploit the vulnerability and loads the flash file Moh2010.swf.

- Moh2010.swf is a flash file encrypted using DoSWF [no longer available]. We’ve seen the usage of DoSWF in the exploit code of other targeted attacks such as:

- [no longer available] Several Targeted Attacks exploiting Adobe Flash Player (CVE-2012-0779)

The Flash file is in charge of doing the heap spray. Then it loads Protect.html



Due to the usage of DoSWF, the malicious code is encrypted. The easiest way to obain the decrypted content is executing the file within Internet Explorer and attaching to the process once the content is decrypted. Then you can obtain the raw content when we can find the following Bytearray declared:



If we obtain the raw content of the hexadecimal string and then we apply a XOR “E2” operation we can obtain the following bytes that contains the URL of the malicious payload.




- Protect.html checks if the system is running Internet Explorer version 7 or 8 under Windows XP. If the victim satisfies those conditions, the vulnerability is triggered and the malicious payload is executed.



The payload dropped is Poison Ivy as in the Java 0day [no longer available].

The C&C server configured is that is currently resolving to

We’ve also seen that the domain used in the previous attacks is also pointing to the new IP address.

Once executed, the payload creates the file C:WINDOWSsystem32mspmsnsv.dll and the service WmdmPmSN is configured and started.

It seems the Metasploit guys are already woking on a Metasploit module so let’s see how fast Microsoft handle the issue.

More info coming soon!


Metasploit has released a working exploit

You can download the following Yara rule [no longer available] to match both exploit versions.

Share this with others

Get price Free trial