Researchers share details about recent IE 0-day exploit and its delivery
Posted on 05 May 2014.
Given that Microsoft has closed the Internet Explorer 0-day vulnerability that was exploited to compromise US-based defense and financial firms, the Sourcefire vulnerability research team has decided to share some more details about the exploit.

"The first thing to notice is that even though CVE-2014-1776 is an Internet Explorer vulnerability that uses JavaScript to cause exploitation, there was almost no obfuscation of the code," they noted. "Usually multiple layers of obfuscation are used and free JavaScript obfuscators are layered on top of each other to make it difficult for researchers and detection devices to identify what is happening in the code. Instead, almost all the functions and variables were there in plain sight."

The exploit condition itself was less obvious, they say: it was found in a Flash SWF file that accompanied the malicious sample. The file performed a heap spray to facilitate code execution, but it also contained the actual IE exploit, which is unusual.

The email campaign delivering the exploit code used a variety of ruses: emails about refinance reports, updated galleries, and registration confirmations.


They also shared the domains from which the malicious code was downloaded so that admins could block access to them: profile.sweeneyphotos.com, web.neonbilisim.com, web.usamultimeters.com, and inform.bedircati.com.
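As an added example (not part of the original article or the Sourcefire write-up), the following script checks squid-style proxy access logs for requests to the four delivery hosts listed above. The log format and the sample lines are constructed for illustration; only the hostnames come from the article.

```python
"""Flag proxy log entries that reach the published CVE-2014-1776 delivery hosts.

Added example, not code from the article. The four hostnames are the ones the
article lists; the squid-style access.log layout and the sample lines below
are constructed.
"""
from urllib.parse import urlsplit

# Hostnames the Sourcefire team published for blocking (taken from the article).
DELIVERY_HOSTS = frozenset({
    "profile.sweeneyphotos.com",
    "web.neonbilisim.com",
    "web.usamultimeters.com",
    "inform.bedircati.com",
})


def host_of(url: str) -> str:
    """Return the hostname of a URL, or of a bare host[:port] token (CONNECT)."""
    parts = urlsplit(url if "://" in url else f"//{url}")
    return (parts.hostname or "").rstrip(".")


def flag_requests(log_lines):
    """Return (client_ip, host, url) for lines whose destination host is
    exactly one of the published delivery hosts.

    Squid access.log fields (constructed layout):
    time elapsed client action/code size method url ident hierarchy type
    Matching is on the exact host: the parent domains are not on the list.
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # skip truncated or malformed lines
        client, url = fields[2], fields[6]
        host = host_of(url)
        if host in DELIVERY_HOSTS:
            hits.append((client, host, url))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "1399300000.123 452 10.0.0.15 TCP_MISS/200 81234 GET http://profile.sweeneyphotos.com/ - DIRECT/203.0.113.5 application/x-shockwave-flash",
    "1399300001.456 120 10.0.0.22 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/203.0.113.7 text/html",
    "1399300002.789 300 10.0.0.15 TCP_MISS/200 2048 CONNECT web.neonbilisim.com:443 - DIRECT/203.0.113.9 -",
    "1399300003.000 90 10.0.0.30 TCP_MISS/200 900 GET http://sweeneyphotos.com/ - DIRECT/203.0.113.5 text/html",
]

if __name__ == "__main__":
    for client, host, url in flag_requests(SAMPLE_LOG):
        print(f"{client} -> {host}  ({url})")
```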

Also, on the day the patch for the bug was pushed out, FireEye researchers noted that the attackers had begun using a new version of the attack, one that targets Windows XP machines running IE 8. This could well explain why Microsoft decided to push out an update for Windows XP as well.

"We have also observed that multiple, new threat actors are now using the exploit in attacks and have expanded the industries they are targeting. In addition to previously observed attacks against the Defense and Financial sectors, organizations in the Government and Energy sectors are now also facing attack," the researchers shared.

Copyright 1998-2014 by Help Net Security.