A dating website, which resembles the popular Facebook design, has been prepped to attack visiting web surfers using the newly discovered vulnerability in Microsoft’s IE 6 to 9 browsers. The vulnerability is described in CVE-2012-4969.

Even the German Federal Office for Information Security (BSI) has warned German citizens not to use Microsoft’s browser until the software vendor issued a security update and therefore rated the 0-day as a severe problem.

The current case

A detailed analysis of the current case will follow soon!
So far we can say the following:

• The initial site uses a highly obfuscated JavaScript that prepares the memory for the attack using a Heap Spray if the visiting computer uses IE 8.x in Windows.
  The Heap Spray code was detected by G Data as JS:Exploit.JS.Agent.AR.
  ⇒ This method, using JavaScript, differs from the initial PoC. The PoC used Flash to prepare the memory, as a fellow researcher initially pointed out.
• An embedded iframe (URL on the same domain) loads the 0-day exploit.
  The exploit was detected by G Data as JS:CVE-2012-4969-A [Expl].
• The shellcode downloads a binary from the same server and executes it.
• This file downloads another binary from this server and also executes it.
• This second binary seems to be a normal TOR client, connecting to a TOR hidden service acting as the Command and Control server.

Microsoft has reacted quickly and issued instructions on how to apply mitigating factors, a Fix it and an update for the Internet Explorer versions within a short period of time!

What do we learn from that?

• The 0-day exploit has been accepted and adapted by the underground community!
• The Flash file is no longer an essential part of the preparation for the exploit.
• The quality of the payloads suggests that it is not the work of script kiddies.
• We suspect that it won’t take long before attackers include the attack into exploit packs.

What you can do:

• Install the update Microsoft released on 21 September 2012!
  
• Remain suspicious – Do not click on links or file attachments in emails and social networks without pausing to think first. The files or website could be infected with malicious code. If a message from a friend seems strange, users should first check if it is authentic.
• Use an up-to-date, comprehensive security solution with a virus scanner, firewall, web and real-time protection. A spam filter that protects you from unwanted spam mails also makes sense.
  
  

Want information about the analyzed website and samples? Contact: samplerequest [at] gdata.de