14 DAY TRIAL // Microsoft's security team finally addressed a zero-day vulnerability that affected both Internet Explorer and Edge and which was used for almost two years in a massive malvertising campaign exposed last month by Proofpoint security researchers.
The zero-day, tracked by CVE-2016-3351, allowed the people behind this malvertising campaign to avoid security products and security engineers investigating the malicious ads.
Technically, the zero-day is an information disclosure bug that exposed details about the operating system via JavaScript calls executed inside the IE or Edge browsers, an attack also known as a "MIME type check."
Zero-day used to identify and avoid infosec researchers
Attackers using the zero-day were able to discover if certain file extensions had been assigned to locally installed applications. They used this information to see if file extensions often used by reverse engineering software was found on the PC of a possible victim.
If they were, the people behind this massive malvertising campaign, known as AdGholas, could pretty accurately determine that the computer belonged to a security engineer or was running a sandboxed environment or virtual machine, where the malicious ad code was probably analyzed.
When this happened, further JavaScript redirections that led the user to the actual exploitation point would not execute anymore, dropping the connection.
By default, the AdGholas malvertising campaigns checked for the presence of the following file extensions: .cap, .hwl, .har, .halog, .chls, .py, .bfr, and .pcap.
Proofpoint researchers, who discovered this zero-day, say the vulnerability was also used to check if a user had Internet Explorer as their default web browser.
Zero-day was used for both blacklisting and whitelisting
Additionally, attackers would check if common file extensions like .torrent, .mkv, or .doc were assigned, a sign that a real user was behind the keyboard, with other interests than analyzing software code.
The zero-day was traced back to as early as January 2014. Proofpoint says that the AdGholas group had been active since 2013, and in the last year managed to pull over 1.5 million users via its malicious ads and redirect them to infection points.
You can read more details about the group and its tactics in our AdGholas story from last month. Microsoft patched the zero-day in security bulletins MS16-104 and MS16-105.
The zero-day was also deployed in malvertising campaigns from other groups, such as GooNky.
