So another IE 0-Day has been uncovered, and is in use in the wild for drive-by attacks on unwitting web users. I have to say, technically speaking, this attack is rather impressive – in terms of the exploit, the delivery method and the way that it runs.
It retrieves the PE headers from a DLL, then returns a specific version of the exploit to the DLL file. After that, it never writes to the disk and executes directly in memory. This makes it extremely hard for anti-virus scanners to spot it.
The downside is that the attack loses its persistence: if the infected user reboots their machine, the malware code is basically gone.
Security researchers have discovered new zero-day vulnerabilities in Internet Explorer that are already being harnessed by hackers to run a new type of drive-by attack.
FireEye, the security firm that discovered the attack method, said that the flaw is present in various versions of Internet Explorer 7, 8, 9 and 10, while running Windows XP or Windows 7.
“The exploit leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution,” FireEye explains. “It is one vulnerability being exploited in various different ways.”
The IE flaw is unpatched and separate from the TIFF image-handling zero-day vulnerability that surfaced late last month – which is also under active attack.
Malware slung via the latest exploit is designed to load directly into the memory of victimised Windows PCs, bypassing the hard drive. The tactic makes it harder for antivirus software or similar security tools to detect and block the attack.
The attackers are probably working on the assumption that the same user will visit the same site again and get reinfected, even after a reboot. The exploit also contains a large multi-stage shellcode payload, to avoid downloading further code (and thus writing to the disk).
In terms of forensics, this also makes it extremely hard to identify infected endpoints, as malware that runs only in memory leaves little to no artifacts.
However, simply rebooting compromised machines would appear to remove them from the botnet, so what this new type of attack gains in stealth, it loses in persistence. FireEye posits that “the use of this non-persistent first stage may suggest that the attackers were confident that their intended targets would simply revisit the compromised website and be[come] re-infected”.
One of the sites spreading the exploit covers national and international security policy, according to FireEye. This, and other instances of the attack method, make it more than likely we are looking at some type of state-backed cyber-espionage campaign, it says.
The infrastructure used in the attack shares similarities with the earlier Operation DeputyDog assaults against targets in Japan and China, claims FireEye. The same hacking crew is suspected of involvement in a high profile hack against whitelisting firm Bit9.
If anything, the latest assaults are even more sophisticated.
More stuff you can read about if you are interested in this topic:
You can find the original info and blog post here:
And a very technical look at the techniques used here:
Source: The Register