New zero-day bug in IE 10 exploited in active malware attack, MS warns

Discussion in 'other security issues & news' started by ronjor, Feb 13, 2014.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,777
    Location:
    Texas
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
The article notes that once redirected to the attacker's site, JavaScript starts the exploit:

    Digging a little deeper reveals some interesting details:

    Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website
    http://www.fireeye.com/blog/uncateg...ises-us-veterans-of-foreign-wars-website.html
    The reference to the "XML string" explains the yellow highlighted string in the screen shot in the article.

    Malware Payload
    MD5 8455bbb9a210ce603a1b646b0d951bce
    https://malwr.com/analysis/MWU2ZjNjMjg4Y2UwNDZjY2IyOTllYzdlYzc4ZDU2NDc/
    ----
    rich
     
  3. SnowFlakes

    SnowFlakes Registered Member

    Joined:
    Jun 29, 2011
    Posts:
    194
I'm safe with IE11



    o_O
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Even if you don't use EMET, having a dummy Emet.dll file on your system in the right location might cause an attack to halt :thumb:.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    There are several places in this drive-by attack where the exploit can be thwarted.

    It all starts when the user goes to the vfw web site which has been compromised with an i-frame.
    Here is one scenario of possibilities:


    Code:
    IF i-frame disabled
    THEN exploit fails
    
    	{else} user redirected to attacker's site
    
    IF Javascript whitelisted
    THEN exploit fails
    
     	{else} code runs
    
    IF emet.dll found
    THEN exploit aborted by attacker
    
    	{else} code downloads swf.object
    
    IF Flash Plugin configured on demand
    THEN exploit fails [unless user activates plugin]
    
    	{else} swf code runs to exploit CVE-2014-0322 against IE10
    
    IF browser other than IE10
    THEN exploit fails
    
    	{else} code downloads|executes malware payload PE executable
    
    IF user's system's executables white listed
    THEN exploit fails
    
    	{else} payload executes and installs ZxShell backdoor


    ----
    rich
     
    Last edited: Feb 14, 2014
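The decision chain in the post above, written out as a small Python model. This is an added example, not code from the post or from the FireEye write-up: it walks the same six stages in the same order, reports the first control that stops the attack, and also lists every control that would have stopped it on its own, which is the defence-in-depth point the post is making. The `Client` fields and the attacker host `attacker.example` are constructed for the example; the IE9 entry in the targeted-browser set reflects the later note in this thread that IE9 is affected too.

```python
from dataclasses import dataclass

# Constructed attacker redirect host for the example (not from the report).
ATTACKER_HOST = "attacker.example"

# IE10 from the original report; IE9 added per the later note in this thread.
TARGETED_BROWSERS = frozenset({"IE9", "IE10"})


@dataclass(frozen=True)
class Client:
    """Security posture of the visiting browser/host (constructed fields)."""
    iframes_enabled: bool = True
    js_whitelisting: bool = False          # script runs only for whitelisted hosts
    js_whitelist: frozenset = frozenset()  # hosts allowed to run script
    emet_dll_present: bool = False         # real EMET or a dummy Emet.dll
    flash_on_demand: bool = False          # click-to-play for the Flash plugin
    user_activates_flash: bool = False     # user clicked the plugin anyway
    browser: str = "IE10"
    exe_whitelisting: bool = False         # only approved executables may run


# Stages in the order the drive-by reaches them. Each predicate is True when
# that stage stops the attack on this client.
STAGES = [
    ("iframe disabled", lambda c: not c.iframes_enabled),
    ("JavaScript not whitelisted for attacker host",
     lambda c: c.js_whitelisting and ATTACKER_HOST not in c.js_whitelist),
    ("attacker aborts because Emet.dll was found", lambda c: c.emet_dll_present),
    ("Flash plugin on demand and not activated",
     lambda c: c.flash_on_demand and not c.user_activates_flash),
    ("browser is not IE9/IE10", lambda c: c.browser not in TARGETED_BROWSERS),
    ("payload not on executable whitelist", lambda c: c.exe_whitelisting),
]


def first_break(client):
    """Walk the chain in order and return the stage that stops it.

    Returns None when no stage stops it, i.e. the payload runs.
    """
    for name, stops in STAGES:
        if stops(client):
            return name
    return None


def blocking_layers(client):
    """Every stage that would stop the attack by itself: the depth of the defence."""
    return [name for name, stops in STAGES if stops(client)]


if __name__ == "__main__":
    # Default IE10 user with nothing in place: the chain runs to the end.
    print(first_break(Client()), blocking_layers(Client()))
    # Hardened client: several independent layers, any one of which suffices.
    hardened = Client(js_whitelisting=True, flash_on_demand=True,
                      browser="IE11", exe_whitelisting=True)
    print(first_break(hardened))
    for layer in blocking_layers(hardened):
        print(" -", layer)
```

Note that whitelisting JavaScript only helps if the attacker's redirect host is not on the list; a client whose whitelist happens to include it falls straight through to the next stage, which is why the model takes the whitelist contents rather than a simple on/off flag.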
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,777
    Location:
    Texas
  7. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    French aerospace group says website targeted, not directly attacked
    http://www.reuters.com/article/2014/02/15/us-hacking-microsoft-france-idUSBREA1E0JO20140215
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    For those who didn't read post #6, IE 9 is vulnerable also.
     
  9. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  10. SnowFlakes

    SnowFlakes Registered Member

    Joined:
    Jun 29, 2011
    Posts:
    194
    but not IE 11 right ? ;)
     
  11. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    Ha Ha! Best not to use "safe" and "IE" in the same sentence.
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
As Rmus has pointed out, there are several ways of preventing these attacks, even against vulnerable applications, with some proper security measures in place. The majority of drive-by download attacks still rely on good old JavaScript to work. Even in the case where shellcode is part of the attack, client-side JS is still used to trigger it.

    There's an excellent pdf document on mitigation of drive-by download attacks available at the following:

    https://www.eurecom.fr/en/publicati...nges-and-open-problems-open-research-problems
     
  13. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Exclusive: France's Snecma targeted by hackers - researcher
    http://www.reuters.com/article/2014/02/18/us-hacking-snecma-idUSBREA1H1Z320140218
     
  14. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Researcher claims two hacker gangs exploiting unpatched IE bug
    http://www.computerworld.com/s/arti..._two_hacker_gangs_exploiting_unpatched_IE_bug
     
  15. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    Interesting that it checks for the presence of EMET DLL prior to proceeding with the exploit. Seems like they choose to go for the low hanging fruits instead of attempting to work around the mitigations.
     
  16. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Last edited: Feb 19, 2014
  17. sm1

    sm1 Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    520
Poor Vista users have to continue to use vulnerable IE9. Vista after SP2 and updates is as stable as Win 7. The only drawback is poor publicity :rolleyes: Time to look for alternative browsers.
     