New IE 0 day seen in the wild (Sep 17, 2012)

Dell SonicWALL UTM Research team received reports of a new zero day exploit targeting newer versions of Internet Explorer in the wild. This zero day exploit targets a use-after-free vulnerability in Internet Explorer. The exploit is packaged in an encrypted SWF file along with JavaScript helper files. On successful exploitation, it downloads and executes a Poison Ivy RAT.

The exploit is attempted using the following components:

  • Exploit.html: This is the initial entry point of the exploit. It creates an img element and loads Moh2010.swf.
  • Moh2010.swf: The SWF is encrypted and obfuscated using DoSWF as shown below. On execution it performs a heap spray and creates an iframe that leads to Protect.html.

  • Protect.html: It checks whether it is running on Windows XP with Internet Explorer 7 or 8. It is to be noted, however, that this exploit is also successful on Internet Explorer 9 and Windows Vista. We advise Dell SonicWALL customers to refrain from using Internet Explorer until this vulnerability is patched.

  • Poison Ivy RAT: When the exploit succeeds it downloads and executes a Poison Ivy RAT Trojan. The downloaded Trojan is XOR'ed using the key 0x70 and is decrypted before execution. The Trojan performs the following activities when executed:
    • It creates a copy of itself:
      %temp%/1992218.dat [Detected as "GAV: Poison.NHM (Trojan)"]
    • It creates a service to start itself on reboot:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN
    • It attempts to contact a remote server, which was found to have been taken down at the time of analysis.
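The advisory notes that the downloaded Poison Ivy dropper is XOR'ed with the single-byte key 0x70. The following triage helper is an added example, not SonicWALL's code: it decodes a captured blob with that key and checks for a plausible PE image (an MZ header whose e_lfanew points at the PE signature), and it also brute-forces all 256 single-byte keys so it covers variants that use a different key. The sample payload is constructed inline, not a real capture.

```python
"""Triage helper: recover a single-byte-XOR-encoded PE payload (illustrative)."""
import struct
from typing import Optional

ADVISORY_KEY = 0x70  # key named in the advisory


def xor_decode(blob: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (decoding is the same as encoding)."""
    return bytes(b ^ key for b in blob)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE header
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_xor_key(blob: bytes) -> Optional[int]:
    """Return the first single-byte key under which blob decodes to a PE image."""
    for key in range(256):
        if looks_like_pe(xor_decode(blob, key)):
            return key
    return None


# Constructed minimal PE-like image: MZ header, e_lfanew = 0x40, 'PE\0\0' at 0x40.
FAKE_PE = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16
# What a capture of the dropper would look like on the wire (constructed).
ENCODED_SAMPLE = xor_decode(FAKE_PE, ADVISORY_KEY)

if __name__ == "__main__":
    print("advisory key yields PE:", looks_like_pe(xor_decode(ENCODED_SAMPLE, ADVISORY_KEY)))
    key = find_xor_key(ENCODED_SAMPLE)
    print("brute-forced key:", hex(key) if key is not None else "none")
```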

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: SWFExp.G (Trojan)
  • GAV: SWFLoad.G (Trojan)
  • GAV: Malformed.html.MT.2 (Exploit)
  • GAV: Shellcode.GEN_12
  • IPS: 8669 Microsoft IE selectAll execCommand Invocation
  • IPS: 7370 HTTP Client Shellcode Exploit 68a
  • IPS: 4665 HTTP Client Shellcode Exploit 13a
