New zero-day bug in IE 10 exploited in active malware attack, MS warns

The article notes that once redirected to the attacker's site, javascript starts the exploit :

Digging a little deeper reveals some interesting details:

Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website
http://www.fireeye.com/blog/uncateg...ises-us-veterans-of-foreign-wars-website.html

The reference to the "XML string" explains the yellow highlighted string in the screen shot in the article.

Malware Payload
MD5 8455bbb9a210ce603a1b646b0d951bce
https://malwr.com/analysis/MWU2ZjNjMjg4Y2UwNDZjY2IyOTllYzdlYzc4ZDU2NDc/

----
rich

 

I'm safe with ie11

 

Even if you don't use EMET, having a dummy Emet.dll file on your system in the right location might cause an attack to halt .

 

There are several places in this drive-by attack where the exploit can be thwarted.

It all starts when the user goes to the vfw web site which has been compromised with an i-frame.
Here is one scenario of possibilities:

Code:

[B]IF[/B] i-frame disabled
[B]THEN[/B] exploit fails

	[B]{else}[/B] user redirected to attacker's site

[B]IF[/B] Javascript whitelisted
[B]THEN[/B] exploit fails

 	[B]{else}[/B] code runs

[B]IF[/B] emet.dll found
[B]THEN[/B] exploit aborted by attacker

	[B]{else}[/B] code downloads swf.object

[B]IF[/B] Flash Plugin configured on demand
[B]THEN [/B]exploit fails [unless user activates plugin]

	[B]{else}[/B] swf code runs to exploit CVE-2014-0322 against IE10

[B]IF [/B]browser other than IE10
[B]THEN[/B] exploit fails

	[B]{else}[/B] code downloads|executes malware payload PE executable

[B]IF [/B]user's system's executables white listed
[B]THEN[/B] exploit fails

	[B]{else}[/B] payload executes and installs ZxShell backdoor

----
rich

 

French aerospace group says website targeted, not directly attacked

http://www.reuters.com/article/2014/02/15/us-hacking-microsoft-france-idUSBREA1E0JO20140215

 

For those who didn't read post #6, IE 9 is vulnerable also.

 

http://www.computerworld.com/s/arti..._Internet_Explorer_users_at_risk_from_attacks

 

but not IE 11 right ?

 

Ha Ha! Best not to use "safe" and "IE" in the same sentence.

 

As Rmus has pointed out there are several ways of preventing these attacks even against vulnerable applications with some proper security measures in place. The majority of drive-by download attacks still rely on good old javascript to work. Even in the case where shellcode is part of the attack, client-side js is still used to trigger it.

There's an excellent pdf document on mitigation of drive-by download attacks available at the following:

https://www.eurecom.fr/en/publicati...nges-and-open-problems-open-research-problems

 

Exclusive: France's Snecma targeted by hackers - researcher

http://www.reuters.com/article/2014/02/18/us-hacking-snecma-idUSBREA1H1Z320140218

 

Researcher claims two hacker gangs exploiting unpatched IE bug

http://www.computerworld.com/s/arti..._two_hacker_gangs_exploiting_unpatched_IE_bug

 

Interesting that it checks for the presence of EMET DLL prior to proceeding with the exploit. Seems like they choose to go for the low hanging fruits instead of attempting to work around the mitigations.

 

MS releases Advisory and Fix It
http://support.microsoft.com/kb/2934088

MS TechNet Article:
http://technet.microsoft.com/en-us/security/advisory/2934088

 

Poor vista users has to continue to use vulnerable IE9. Vista after sp2 and updates is as stable as win 7. Only drawback is poor publicity Time to look for alternative browsers.