IE 0-Day exploit found "in the wild"

09/24/2012
G DATA Blog

Attackers are actively using a modified version of the proof-of-concept (PoC) for the newly discovered flaw in Internet Explorer (IE) to infect Internet users on a broad scale.

A dating website, which resembles the popular Facebook design, has been prepped to attack visiting web surfers using the newly discovered vulnerability in Microsoft’s IE 6 to 9 browsers. The vulnerability is described in CVE-2012-4969.

Even the German Federal Office for Information Security (BSI) has warned German citizens not to use Microsoft’s browser until the software vendor issues a security update, thereby rating the 0-day as a severe problem.

The current case

A detailed analysis of the current case will follow soon!
So far we can say the following:

  • The initial site uses a highly obfuscated JavaScript that prepares the memory for the attack using a Heap Spray if the visiting computer uses IE 8.x in Windows.
    The Heap Spray code was detected by G Data as JS:Exploit.JS.Agent.AR.
    ⇒ This method, using JavaScript, differs from the initial PoC. The PoC used Flash to prepare the memory, as a fellow researcher initially pointed out.
  • An embedded iframe (URL on the same domain) loads the 0-day exploit.
    The exploit was detected by G Data as JS:CVE-2012-4969-A [Expl].
  • The shellcode downloads a binary from the same server and executes it.
  • This file downloads another binary from this server and also executes it.
  • This second binary seems to be a normal TOR client, connecting to a TOR hidden service acting as the Command and Control server.
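As an added illustration that is not part of the original post or of G Data's detection logic: a small Python heuristic that scores a fetched landing page for the indicators listed above (an IE 8 user-agent check, an unescape()'d %u-encoded string, a string-doubling loop, and an iframe pointing at the page's own domain). The hostname, page contents and regexes are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the chain described above; constructed, deliberately simple regexes.
UA_CHECK = re.compile(r"MSIE\s*8", re.I)                                       # IE 8.x targeting
UNICODE_ESCAPE = re.compile(r"unescape\s*\(\s*['\"](?:%u[0-9a-f]{4})+", re.I)  # %u-encoded blob
DOUBLING_LOOP = re.compile(r"while\s*\(\s*(\w+)\.length\s*<[^)]*\)\s*\1\s*\+=\s*\1\b")
IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)

def same_domain_iframes(html: str, page_host: str) -> list:
    """Return iframe src values that are relative or resolve to the page's own host."""
    hits = []
    for src in IFRAME_SRC.findall(html):
        host = urlparse(src).netloc.lower()
        if host in ("", page_host.lower()):
            hits.append(src)
    return hits

def assess_landing_page(html: str, page_host: str) -> dict:
    """Score one page; 'suspicious' needs both spray indicators plus a loader or UA check."""
    result = {
        "ie8_ua_check": bool(UA_CHECK.search(html)),
        "unicode_escape_blob": bool(UNICODE_ESCAPE.search(html)),
        "string_doubling_loop": bool(DOUBLING_LOOP.search(html)),
        "same_domain_iframe": bool(same_domain_iframes(html, page_host)),
    }
    spray = result["unicode_escape_blob"] and result["string_doubling_loop"]
    loader = result["same_domain_iframe"] or result["ie8_ua_check"]
    result["verdict"] = "suspicious" if spray and loader else "clean"
    return result

# Constructed sample pages (hostname and content are invented for this example).
SUSPECT_PAGE = """<html><body><script>
if (navigator.userAgent.indexOf("MSIE 8") != -1) {
  var s = unescape("%u4141%u4141");  // harmless filler bytes, not a payload
  while (s.length < 0x20000) s += s;
}
</script>
<iframe src="/news/show.html" width="1" height="1"></iframe>
</body></html>"""

BENIGN_PAGE = """<html><body><p>Welcome</p>
<iframe src="https://maps.example.org/embed?q=park"></iframe>
<script>var msg = unescape("Hello%20world");</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("suspect", SUSPECT_PAGE), ("benign", BENIGN_PAGE)):
        print(name, assess_landing_page(page, "dating.example.invalid"))
```

The verdict is only a triage signal; a page flagged here still needs the script body de-obfuscated and the iframe target fetched before concluding anything.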

Microsoft reacted quickly, issuing mitigation instructions, a Fix it, and an update for the affected Internet Explorer versions within a short period of time!

What do we learn from that?

  • The 0-day exploit has been accepted and adapted by the underground community!
  • The Flash file is no longer an essential part of the preparation for the exploit.
  • The quality of the payloads suggests that it is not the work of script kiddies.
  • We suspect that it won’t take long before attackers include the attack in exploit packs.


What you can do:

  • Install the update Microsoft released on 21 September 2012!
  • Remain suspicious – Do not click on links or file attachments in emails and social networks without pausing to think first. The files or website could be infected with malicious code. If a message from a friend seems strange, users should first check if it is authentic.
  • Use an up-to-date, comprehensive security solution with a virus scanner, firewall, web and real-time protection. A spam filter that protects you from unwanted spam mails also makes sense.

Want information about the analyzed website and samples? Contact: samplerequest [at] gdata.de