Comele – New IE zero-day exploit (Jan 15, 2010)


SonicWALL UTM Research team found reports of a new zero-day vulnerability (CVE-2010-0249) in Internet Explorer DOM operations that leads to arbitrary code execution. The vulnerability exists in the way Internet Explorer handles certain DOM operations, which allows access to an invalid pointer after an object has been deleted. Successful exploitation of this vulnerability results in remote code execution.

This vulnerability was supposedly part of the targeted attack campaign used against Google, Adobe and other major companies that was reported by Google. Microsoft has acknowledged this issue in their security advisory and is currently investigating the vulnerability.

SonicWALL UTM Research team got hold of a zero-day exploit for this vulnerability, which is a specially crafted web page containing heavily encoded malicious JavaScript code. This exploit functions on any version of Internet Explorer with JavaScript enabled and Data Execution Prevention (DEP) disabled. A decoded version of the malicious page can be seen below:

[Screenshot: decoded version of the malicious page]

If the exploit is successful in exploiting the vulnerability, it attempts to download and execute a malicious executable via an HTTP connection to the following URL:

  • http://demo1.ftp(REMOVED)/ad.jpg [ Detected as GAV: Roarur.DR (Trojan) ]

The downloaded malware executable is a Trojan dropper that performs the following activities on the victim machine:

  • Drops another Trojan as (Windows System)\Rasmon.dll [ Detected as GAV: Roarur.DLL (Trojan) ]
  • Injects the dropped Trojan Rasmon.dll into the address space of svchost.exe and starts a new service ‘UpsMYi’
  • Performs registry modifications:
    • HKLM\SYSTEM\ControlSet001\Services\RaS7BL8\Parameters\ServiceDll = “%System%\rasmon.dll”
    • HKLM\SYSTEM\ControlSet001\Services\RaS7BL8\ImagePath = “%System%\svchost.exe -k netsvcs”
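One way to hunt for the persistence pattern above in an exported Services hive: a service whose ImagePath is svchost.exe -k netsvcs but whose ServiceDll is not a known system DLL. This is an added example, not code from the original post; the .reg fragment, the allow-list and the function names are constructed for it, and REG_EXPAND_SZ values are shown as plain strings rather than the hex(2) form a real export uses.

```python
import ntpath
import re

# Constructed sample: a simplified "reg export" of the Services key with one
# benign svchost-hosted service (Dhcp) and the RaS7BL8 entries from the advisory.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dhcp]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dhcp\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\dhcpcsvc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RaS7BL8]
"ImagePath"="%System%\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RaS7BL8\Parameters]
"ServiceDll"="%System%\\rasmon.dll"
"""

# Matches the service key itself or its Parameters subkey; group 2 is the service name.
KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKLM)\\SYSTEM\\ControlSet\d+\\Services\\([^\\\]]+)(\\Parameters)?\]$",
    re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed allow-list; in practice build it from a known-clean baseline of the same build.
KNOWN_NETSVCS_DLLS = {"dhcpcsvc.dll", "wuauserv.dll", "schedsvc.dll"}
KNOWN_BAD_DLLS = {"rasmon.dll"}  # the DLL named in the advisory

def parse_services(reg_text):
    """Return {service_name: {value_name: value}} merging the key and its Parameters subkey."""
    services, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = services.setdefault(m.group(2), {})
            continue
        if line.startswith("["):      # some other key: stop attributing values to a service
            current = None
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).replace("\\\\", "\\")  # .reg escapes backslashes
    return services

def find_suspicious_svchost_services(reg_text):
    """Flag netsvcs-hosted services whose ServiceDll is known-bad, missing, or not allow-listed."""
    hits = []
    for name, values in parse_services(reg_text).items():
        image = values.get("ImagePath", "").lower()
        if "svchost.exe" not in image or "-k netsvcs" not in image:
            continue
        dll = ntpath.basename(values.get("ServiceDll", "")).lower()
        if dll in KNOWN_BAD_DLLS or dll not in KNOWN_NETSVCS_DLLS:
            hits.append((name, dll))
    return hits
```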

There is no patch currently available from Microsoft, and the only way to mitigate this vulnerability at present is to set IE’s Internet zone security level to High. Microsoft may release an out-of-band patch for this threat outside of the normal monthly patch cycle.

SonicWALL Gateway AntiVirus provides protection against this threat via GAV: Comele (Exploit) signature.
