Microsoft Windows IE Vulnerability (CVE-2013-1347) Attacks Spotted in the Wild (Oct 17, 2013)

The Dell SonicWall Threats Research team has found that the old Internet Explorer vulnerability (CVE-2013-1347) is still being actively exploited.
This is the same vulnerability exploited in the Department of Labor attacks earlier this year.
It is a use-after-free condition: an object is deleted but a reference to it is reused, causing memory corruption and thereby allowing arbitrary code execution.
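
The use-after-free condition described above, modelled as an added example that is not part of the original advisory and is not Internet Explorer code. A small object pool (the `Ref`, `obj_new`, `deref_raw` and `deref_checked` names are hypothetical) shows a reference outliving its object and resolving to whatever reuses the slot, next to a generation check that rejects the stale reference.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not IE code: a tiny object pool whose slots are reused
   after deletion, so the stale-reference effect is deterministic and defined. */
enum { SLOTS = 4 };
typedef struct { char tag[16]; int live; uint32_t gen; } Slot;
typedef struct { int idx; uint32_t gen; } Ref;   /* hypothetical reference type */
static Slot pool[SLOTS];

/* Allocate the first free slot; bumping gen marks every older Ref as stale. */
Ref obj_new(const char *tag) {
    for (int i = 0; i < SLOTS; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            pool[i].gen++;
            snprintf(pool[i].tag, sizeof pool[i].tag, "%s", tag);
            return (Ref){ i, pool[i].gen };
        }
    }
    return (Ref){ -1, 0 };
}

void obj_delete(Ref r) { if (r.idx >= 0) pool[r.idx].live = 0; }
/* Behaves like a raw pointer: trusts the slot index and nothing else. */
const char *deref_raw(Ref r) { return pool[r.idx].tag; }

/* Hardened: a reference is valid only for the allocation that produced it. */
const char *deref_checked(Ref r) {
    if (r.idx < 0 || r.idx >= SLOTS) return NULL;
    if (!pool[r.idx].live || pool[r.idx].gen != r.gen) return NULL;
    return pool[r.idx].tag;
}

/* Delete an object, let another allocation reuse its slot, then use the old Ref.
   Returns 1 when the stale Ref silently resolves to the unrelated new object. */
int stale_ref_reaches_new_object(int checked) {
    memset(pool, 0, sizeof pool);
    Ref element = obj_new("element");
    obj_delete(element);                       /* object gone, reference kept */
    obj_new("other-data");                     /* same slot, different owner  */
    const char *seen = checked ? deref_checked(element) : deref_raw(element);
    return seen != NULL && strcmp(seen, "other-data") == 0;
}

int main(void) {
    printf("raw: %d, checked: %d\n", stale_ref_reaches_new_object(0), stale_ref_reaches_new_object(1));
    return 0;
}
```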

An in-depth analysis of the attack follows.

The malicious JavaScript, which employs ROP techniques, is shown below.

image

Debugging shows successful exploitation of the vulnerability.

image

This page includes a payload that downloads a binary, which is saved as C:rund11.exe

image

image

Another binary is downloaded as shown.

image

Upon execution, this binary sends requests to the following domains.

image

The following signatures already proactively detect the attack.

  • IPS:9470 DOM Object Use-After-Free Attack 2
  • IPS:9872 Windows IE DOM Object Use-After-Free (MS13-038) 1
  • IPS:9873 Windows IE DOM Object Use-After-Free (MS13-038) 2