Comele - New IE zero-day exploit

January 18, 2010

The SonicWALL UTM Research team found reports of a new zero-day vulnerability (CVE-2010-0249) in Internet Explorer's DOM handling that leads to arbitrary code execution. The flaw is a use-after-free: certain DOM operations let script reach a pointer to an object after that object has been deleted, and a successful exploit turns the dangling reference into remote code execution in the context of the browser.

This vulnerability was reportedly used in the targeted attack campaign against Google, Adobe and other major companies that Google disclosed. Microsoft has acknowledged the issue in a security advisory and is currently investigating it.

The SonicWALL UTM Research team obtained a zero-day exploit for this vulnerability: a specially crafted web page containing heavily encoded malicious JavaScript. The exploit works on any version of Internet Explorer with JavaScript enabled and Data Execution Prevention (DEP) disabled. A decoded version of the malicious page can be seen below:


If the exploit succeeds, it downloads and executes a malicious executable over HTTP from the following URL:

  • http://demo1.ftp(REMOVED)/ad.jpg [ Detected as GAV: Roarur.DR (Trojan) ]

The downloaded executable is a Trojan dropper that performs the following activities on the victim machine:

  • Drops another Trojan as %System%\Rasmon.dll [ Detected as GAV: Roarur.DLL (Trojan) ]
  • Injects the dropped Trojan Rasmon.dll into the address space of svchost.exe and starts a new service 'UpsMYi'
  • Performs registry modifications:
    • HKLM\SYSTEM\ControlSet001\Services\RaS7BL8\Parameters\ServiceDll = "%System%\rasmon.dll"
    • HKLM\SYSTEM\ControlSet001\Services\RaS7BL8\ImagePath = "%System%\svchost.exe -k netsvcs"
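The two registry values above are the standard way a service DLL gets hosted by svchost.exe: ImagePath names the svchost group (netsvcs) and Parameters\ServiceDll names the DLL that svchost loads into itself. As an added example (not SonicWALL's code; the page shows no analysis script), the following Python scans a registry export for svchost-hosted services and flags the ServiceDll indicator listed above. The .reg text is a constructed, simplified sample (values are shown as plain strings rather than the REG_EXPAND_SZ hex that `reg export` emits), and the BITS entry is a made-up benign neighbour included so the output shows what a normal netsvcs member looks like next to the dropper's.

```python
"""Scan a Windows registry export (.reg text) for svchost-hosted services
and flag the ServiceDll indicator from the Roarur dropper write-up.

Added example, not SonicWALL's code.  SAMPLE_REG is a constructed sample:
the RaS7BL8 values are the indicators listed on the page, the BITS entry
is a made-up benign service, and values are written as plain strings for
readability instead of REG_EXPAND_SZ hex.
"""
import re
from collections import defaultdict

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\qmgr.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RaS7BL8]
"ImagePath"="%System%\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RaS7BL8\Parameters]
"ServiceDll"="%System%\\rasmon.dll"
'''

KEY_RE = re.compile(r'^\[(.+)\]\s*$')
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')
# Matches ...\Services\<name> and ...\Services\<name>\Parameters only, so
# values from other subkeys (Security, Enum, ...) are not mixed in.
SERVICE_RE = re.compile(r'\\Services\\([^\\]+)(?:\\Parameters)?$', re.IGNORECASE)

# DLL basename(s) from the indicators on the page.
KNOWN_BAD_DLLS = {'rasmon.dll'}


def parse_reg(text):
    """Return {service_name: {value_name: value}} for every service in the export."""
    services = defaultdict(dict)
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            s = SERVICE_RE.search(m.group(1))
            current = s.group(1) if s else None
            continue
        if current is None:
            continue
        m = VAL_RE.match(line)
        if m:
            name, raw = m.groups()
            # .reg syntax doubles backslashes inside quoted strings.
            services[current][name] = raw.replace('\\\\', '\\')
    return dict(services)


def svchost_hosted(services):
    """Subset of services whose ImagePath runs them inside svchost.exe (-k <group>)."""
    out = {}
    for name, vals in services.items():
        img = vals.get('ImagePath', '').lower()
        if 'svchost.exe' in img and '-k' in img:
            out[name] = vals
    return out


def flag_indicators(services):
    """Names of svchost-hosted services whose ServiceDll basename is a known-bad DLL."""
    hits = []
    for name, vals in svchost_hosted(services).items():
        dll = vals.get('ServiceDll', '')
        base = dll.rsplit('\\', 1)[-1].lower()
        if base in KNOWN_BAD_DLLS:
            hits.append(name)
    return hits


if __name__ == '__main__':
    svcs = parse_reg(SAMPLE_REG)
    for name, vals in svchost_hosted(svcs).items():
        print(f"{name:10} ImagePath={vals.get('ImagePath')!r} ServiceDll={vals.get('ServiceDll')!r}")
    print('flagged:', flag_indicators(svcs))
```

Run it against a real `reg export HKLM\SYSTEM\CurrentControlSet\Services` dump after converting the hex(2) values to strings, and extend `KNOWN_BAD_DLLS` as needed; more generally, any svchost-hosted service whose ServiceDll is not in a baseline of the host's expected netsvcs members deserves a look, since this group is a common place to hide a service DLL.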

No patch is currently available from Microsoft. The available mitigation is to set IE's Internet zone security level to High, which disables Active Scripting for untrusted sites; since the exploit seen in the wild requires DEP to be disabled, making sure DEP is enabled for Internet Explorer also blocks this particular exploit. Microsoft may release an out-of-band patch for this threat outside of the normal monthly patch cycle.

SonicWALL Gateway AntiVirus provides protection against this threat via GAV: Comele (Exploit) signature.