Along with copy & paste

Jun 21, 2007 15:25 GMT  ·  By

Heap manipulation techniques, along with good old-fashioned copy & paste, can combine to result in successful attacks aimed at Internet Explorer. The "Heap Spraying" technique involves taking advantage of the way JavaScript handles heap blocks. Following the availability of proof-of-concept code for "Heap Spraying," the technique was adopted on a large scale in exploits targeting Internet Explorer, revealed Elia Florio, Symantec Security Response Engineer.
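Because the copied-and-pasted spray code described above shares a recognisable shape (a short `unescape` fill unit, a string-doubling loop, and a loop that stuffs copies into an array), defenders have long keyed simple content heuristics on it. The following detector is an added example, not code from the article or from Symantec; the indicator set, weights and the two constructed script samples are assumptions for illustration.

```python
import re

# Heuristic patterns (assumed, not a vendor signature set) for the shape of
# public heap-spray snippets: a repeated %uXXXX fill unit, a self-doubling
# string loop, and a loop that fills an array with copies of a block.
UNESCAPE_RUN = re.compile(
    r'unescape\(\s*["\']((?:%u[0-9a-fA-F]{4}){2,})["\']\s*\)')
SELF_DOUBLING = re.compile(
    r'while\s*\(\s*(\w+)\.length\s*<[^)]*\)\s*\{?\s*\1\s*\+=\s*\1\b')
ARRAY_FILL = re.compile(
    r'for\s*\([^)]*\)\s*\{?\s*(\w+)\[\s*\w+\s*\]\s*=')


def analyze_script(js: str) -> dict:
    """Score a JavaScript source string for heap-spray-like structure.

    Returns the individual findings, a numeric score, and a verdict.
    An array-fill loop alone is common in benign code, so it never
    flags a script by itself; two or more indicators are required.
    """
    findings = {}
    score = 0

    m = UNESCAPE_RUN.search(js)
    if m:
        units = re.findall(r'%u[0-9a-fA-F]{4}', m.group(1))
        findings["unescape_units"] = len(units)
        # A fill unit made of one repeated value is the classic spray filler.
        repeated = len({u.lower() for u in units}) == 1
        findings["repeated_fill_unit"] = repeated
        if repeated:
            score += 1

    if SELF_DOUBLING.search(js):
        findings["self_doubling_loop"] = True
        score += 1

    if ARRAY_FILL.search(js):
        findings["array_fill_loop"] = True
        score += 1

    return {"findings": findings, "score": score, "suspicious": score >= 2}


# Constructed sample: ordinary page script that happens to fill an array.
BENIGN_SCRIPT = """
var items = [];
for (var i = 0; i < 10; i++) { items[i] = i * 2; }
document.title = unescape("%u00e9");
"""

# Constructed sample: the skeleton shape a spray snippet takes. PAYLOAD_PLACEHOLDER
# is deliberately undefined; only the structure matters to the detector.
SPRAY_LIKE_SCRIPT = """
var block = unescape("%u0c0c%u0c0c");
while (block.length < 0x10000) block += block;
var slots = new Array();
for (var i = 0; i < 500; i++) { slots[i] = block + PAYLOAD_PLACEHOLDER; }
"""


if __name__ == "__main__":
    for name, src in (("benign", BENIGN_SCRIPT), ("spray-like", SPRAY_LIKE_SCRIPT)):
        print(name, analyze_script(src))
```

These string-level heuristics are only a first filter: trivial renaming or obfuscation defeats them, which is why production detection layers script emulation and runtime memory monitoring on top of content signatures rather than relying on regexes alone.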

"Well, it was not the most efficient thing in the world, but it has been proven to work so well that it actually is the most copied-and-pasted piece of code used to exploit many of the Internet Explorer vulnerabilities discovered since 2004. So, I was surprised to come across an exploit in the wild that uses a different heap manipulation technique," Florio stated.

The new exploit, of Russian origin, still uses heap manipulation and is designed to run a shellcode that in turn will download and execute malicious code. Florio was surprised by the advanced level of the heap allocation code in the proof-of-concept. This was in fact nothing more than another case of copy & paste, as the code was presented as part of a research paper at the 2007 Black Hat conference. The sole difference is that while the original code was harmless, the Russian variant carries a malicious payload.

"It's always a shame seeing malware writers misusing the findings and efforts of individual researchers to do such bad things. It's just another proof of how limited their skills are. The bad guys were also too lazy to remove messages and comments from the original code, which is now going to be distributed on many malicious sites with the original author's name still inside the code," Florio added.