Contributor: Lionel Payet
Eric Romang has published a blog post about the Microsoft Internet Explorer Image Arrays Remote Code Execution Vulnerability, a possible zero-day vulnerability in Internet Explorer that is being exploited in the wild. Microsoft has confirmed that this vulnerability affects Internet Explorer 6, 7, 8, and 9.
The exploit is made up of four main components:
- The Exploit.html file is the starting point responsible for setting up the exploit. After setting up necessary conditions for the vulnerability it will invoke the Moh2010.swf file.
  - Symantec detects this stage as Bloodhound.Exploit.474 and Bloodhound.Exploit.475.
- The Moh2010.swf Flash file is responsible for spraying the heap with the payload that will be executed. After setting up the payload it will invoke the vulnerability trigger Protect.html file by opening it in an IFRAME window.
  - Symantec detects this stage as Trojan.Swifi.
- The Protect.html file is the actual trigger of the vulnerability responsible for executing the malicious payload set up by the Moh2010.swf file.
  - Symantec also detects this stage as Bloodhound.Exploit.474 and Bloodhound.Exploit.475.
- The payload will download additional malicious executables and run them on the compromised system.
  - Symantec detects these executables as Trojan.Dropper and Backdoor.Darkmoon.
Interestingly, this exploit was hosted on the same servers used in the Nitro attack.
As always, we recommend that you follow best security practices and ensure you have the most up-to-date software patches installed. Use the latest Symantec technologies and virus definitions for the best protection against threats.