A few hours ago, researchers from Rapid 7 confirmed that an exploit code for a zero-day that affected Internet Explorer 9 and older versions on Windows XP, Vista and 7 had been added to Metasploit. In the meantime, security companies have started spotting attacks that leverage the vulnerability.
Identified by Eric Romang, the zero-day exploits a use-after-free vulnerability in Internet Explorer 7, 8 and 9, and it could allow a remote attacker to execute arbitrary code on the affected system.
Romang found the new exploit while analyzing some of the infected servers used by the Nitro gang. On one of the servers, he discovered a curious folder which hosted 4 files.
While initially it appeared to be an exploit for Adobe Flash, it later turned out that it was actually one for Microsoft’s web browser.
Analysis performed by Symantec has revealed that the four files are actually the exploit’s main components: an html file (exploit.html) that represents the starting point for the exploit, a Flash file (Moh2010.swf) responsible for “spraying the heap with the payload,” protect.html which triggers the vulnerability, and the actual payload.
The payload downloads additional executable files – identified as Trojan.Dropper and Backdoor.Darkmoon - and runs them on the affected computer.
Apparently, the exploit’s developers are unhappy with the fact that their creation was discovered and they removed the files from the server two days after Romang stumbled upon them.
Trend Micro experts have found that the .swf file actually drops a backdoor identified as BKDR_POISON.BMN, which is none other than the infamous Poison Ivy.
Microsoft has released an advisory to inform customers that it’s aware of the issue. The company is currently working on addressing the flaw, users being advised to implement a few workarounds to protect themselves against such attacks.
Here is a video in which Romang demonstrates the Internet Explorer zero-day: