Warning: zero day exploit

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_DLOADER.BXR&VSect=T

http://vil.nai.com/vil/content/v_139048.htm

SpywareWarriors' suzi found one active on a Dutch site and asked if I could assist in getting it removed.

Added a screenshot where you can see how much memory iexplore was using just before the VM crashed.

Although I saw no warning for this anywhere visiting that site using Opera also crashed the VM after a few prompts that I was low on virtual memory.

Regards,

Pieter

 

WMF-Like Zero-Day Attack Underway

. . .

Oh no not more rutekites !


StevieO

 

Yeah, i pretty much yawned when i look at the post. Zero day exploits kind of dangerous i guess, particularly ones that can install all kinds of payloads without user interaction. Still not a big deal as long as we don't talk about rootkits.

But this one can actually do *rootkits*! That's damn unique!!

Thank god Stevio (who is pretty much is a bloodhound when we talk about news reports containing the word 'rootkit') saw this, and brought it to our attention that a zero day exploit that can do remote execution code can allow install rootkits! We would never have known otherwise.

 

Due to the increased threat in regards to 2 0-Day IE Exploits, I've decided to take some time from schoolwork and work on two filters to address these two issues, while not being overkill:

Code:

[Patterns]
Name = "IE: Kill Excessive JS Event Handlers [hpguru] {Kye-U}"
Active = TRUE
Multi = TRUE
URL = "($TYPE(htm)|$TYPE(js))"
Limit = 512
Match = "(\son[a-z]+{3,16}=$AVQ(*))++{20,*}"
Replace = "\k$ALERT(Excessive JS Event Handlers have been detected and killed on:\n\n\u\n\nThe page will not be displayed properly.)"

Name = "IE: Detect createTextRange() Function [Kye-U]"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js))"
Limit = 17
Match = ".createTextRange\("
        "$CONFIRM(The function "createTextRange()" has been detected on:\n\n\u\n\nWould you like this function to be removed?)"
Replace = ".Shonenscape\("

Feel free to comment on these two filters as I look for more exploits to knock down in my next KBSP release!

Test JS Event Handler here:

http://testing.onlytherightanswers.com/iedie.html

Test "createTextRange" filter here:

http://testing.onlytherightanswers.com/TextRange.html

 

How serious is this threat? I was punching along the other day when I encountered a site that caused my VM to crash when using Firefox. Should I do repeated full system scans now in fear? HIPS and all are in place at the time of incident. I must figure out proximitron soon.

 

There are many reasons that VM could crash, but just because it crashed doesn't meant it broke out and infected your system. If you're worried about it, you could restore a VM snapshot.

 

Hello,
I tried the test pages - with Firefox.
Nothing special happened within FF - on the other hand, the anti-virus found a bloodhound exploit in a cached file from the visited page and removed it...
Mrk

 

Do you remember the filename of that bloodhound exploit?

 

If it just detected the exploit, it would have just been the cached HTML page.

 

Hello,
I don't remember, but I could try again.
And it's prolly what Notok say. Brb.
Mrk

EDIT: The exploit was Bloodhound. Exploit.60. The file - just a cached html file, random name like 0E67....and some more letters numbers. The testing page is offline, btw.

 

OK, I misunderstood you - I thought you were referring to the test sites in Kye-U's post, which cache only three items.