Symantec is currently investigating reports of a potential zero-day exploit affecting Internet Explorer 10 in the wild. This appears to be a watering hole attack that was hosted on a compromised website in the United States. The watering hole attack website redirected unsuspecting users to another compromised website that hosted the zero-day attack.
We continue to analyze the attack vector and associated samples for this potential zero-day. Our initial analysis reveals that the malicious Adobe Flash SWF file contains shell code that appears to target 32-bit versions of Windows 7 running Internet Explorer 10. We have identified a back door used in this attack that takes screenshots of the victim's desktop and allows the attacker to take control of the victim's computer. We detect this file as Backdoor.Trojan.
Symantec also has the following IPS coverage for this watering hole attack:
Symantec Security Response is currently working with Microsoft on this issue and will continue to update our protections. Please monitor our Security Response blog for further developments.
UPDATE 02/13/2014
Additional information has become available for the files involved in this potential zero-day attack.
A malicious .html page loaded by an iframe injected into the compromised website is detected as Trojan.Malscript. The malicious .html page runs a Flash file, detected as Trojan.Swifi, containing shell code that downloads a PNG file from a remote site. Opening the PNG file displays an innocent-looking software logo; however, two encrypted files are appended to the end of the image file. One file is a DLL whose sole purpose is to run the other file, which is the payload described in the original section of this blog. The DLL is detected as Trojan Horse and the payload has been renamed from Backdoor.Trojan to Backdoor.Winnti.B.
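A simple structural check a defender can run on downloaded images flags the technique described above: a well-formed PNG ends with its IEND chunk, so any bytes after it are foreign to the image. The script below is an added example and is not Symantec's code or tooling; it assumes the appended files sit after the IEND chunk (the post only says they are attached at the end of the file), and the 1x1 sample PNG and the trailing blob it builds are constructed here for the demonstration. It walks the chunk list, verifies each chunk's CRC, reports any trailing data, and estimates its byte entropy, since encrypted or compressed attachments tend toward 8 bits per byte.

```python
import math
import struct
import zlib
from collections import Counter

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(trailing: bytes = b"") -> bytes:
    """Constructed 1x1 greyscale PNG, optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type...
    idat = zlib.compress(b"\x00\x00")  # one filter byte plus one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + trailing)


def shannon_entropy(blob: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally common."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def analyze_png(data: bytes) -> dict:
    """Walk the chunk list and report chunk types, CRC failures and data after IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks, bad_crc, iend_end = [], [], None
    while pos + 12 <= len(data):
        length, = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            break  # truncated chunk: stop rather than read past the end
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        name = ctype.decode("latin-1")
        chunks.append(name)
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            bad_crc.append(name)
        pos += 12 + length
        if ctype == b"IEND":
            iend_end = pos  # everything past here is not part of the image
            break
    trailing = data[iend_end:] if iend_end is not None else b""
    return {
        "chunks": chunks,
        "bad_crc": bad_crc,
        "iend_found": iend_end is not None,
        "trailing_offset": iend_end if trailing else None,
        "trailing_length": len(trailing),
        "trailing_entropy": round(shannon_entropy(trailing), 3),
    }


# Constructed stand-in for the appended files: 1024 bytes with a flat distribution.
CONSTRUCTED_TRAILER = bytes(range(256)) * 4

if __name__ == "__main__":
    for label, png in (("clean", build_sample_png()),
                       ("appended", build_sample_png(CONSTRUCTED_TRAILER))):
        print(label, analyze_png(png))
```

In a triage pipeline the interesting signal is a non-zero trailing length on a file that an image viewer renders without complaint; a high entropy figure on that trailing region is consistent with the encrypted attachments the update describes, whereas a low one usually points at padding or a harmless text trailer.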