Another IE 0-Day Hole Found & Used By In-Memory Drive By Attacks

The New Acunetix V12 Engine


So another IE 0-Day has been uncovered, and is in use in the wild for drive-by attacks on unwitting web users. I have to say, technically speaking, this attack is rather impressive – in terms of the exploit, the delivery method and the way that it runs.

It retrieves the PE headers from a DLL then returns a specific version of the exploit to the DLL file, after that it doesn’t ever write to the disk and only executes in memory directly. This makes it extremely hard for anti-virus scanners to spot it.

The down-side is the attacks lose the persistence aspect, as if the infected user reboots their machine – the malware code is basically gone.

Security researchers have discovered new zero-day vulnerabilities in Internet Explorer that are already being harnessed by hackers to run a new type of drive-by attack.

FireEye, the security firm that discovered the attack method, said that the flaw is present in various versions of Internet Explorer 7, 8, 9 and 10, while running Windows XP or Windows 7.

“The exploit leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution,” FireEye explains. “It is one vulnerability being exploited in various different ways.”

The IE flaw is unpatched and separate from the TIFF image-handling zero-day vulnerability that surfaced late last month – which is also under active attack.

Malware slung via the latest exploit is designed to load directly into the memory of victimised Windows PC, bypassing the hard drive. The tactic makes it harder for antivirus software or similar security tools to detect and block the attack.

The attackers are probably under the assumption that the same user will probably visit the same site again, and get reinfected – even after a reboot. The exploit also contains a large multi-stage shellcode payload, to avoid downloading further code (and thus writing to the disk).

In terms of forensics, this also makes it extremely hard to identify infected endpoints as the malware running in memory only leaves little to no artifacts.


However, simply rebooting compromised machines would appear to remove them from the botnet, so what this new type of attack gains in stealth, it loses in persistence. FireEye posits that “the use of this non-persistent first stage may suggest that the attackers were confident that their intended targets would simply revisit the compromised website and be[come] re-infected”.

One of the sites spreading the exploit covers national and international security policy, according to FireEye. This, and other instances of the attack method, make it more than likely we are looking at some type of state-backed cyber-espionage campaign, it says.

The infrastructure used in the attack shares similarities with the earlier Operation DeputyDog assaults against targets in Japan and China, claims FireEye. The same hacking crew is suspected of involvement in a high profile hack against whitelisting firm Bit9.

If anything, the latest assaults are even more sophisticated.

More stuff you can read about if you are interested in this topic:

Return-oriented programming
APT – Advanced Persistent Threat

You can find the original info and blog post here:

New IE Zero-Day Found in Watering Hole Attack

And a very technical look at the techniques used here:

Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method

Source: The Register

Posted in: Exploits/Vulnerabilities, Malware, Windows Hacking

, , , , , , ,


Latest Posts:


Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.
testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.


Comments are closed.