New IE 0 day seen in the wild

September 17, 2012

The Dell SonicWALL UTM Research team received reports of a new zero-day exploit targeting newer versions of Internet Explorer in the wild. The exploit targets a use-after-free vulnerability in Internet Explorer and is packaged in an encrypted SWF file along with JavaScript helper files. Successful exploitation leads to the download and execution of a Poison Ivy RAT.

The exploit is attempted using the following components:


  • Exploit.html: This is the initial entry point of the exploit. It creates an img element and loads Moh2010.swf.
  • Moh2010.swf: The SWF is encrypted and obfuscated using DoSWF as shown below. On execution it performs a heap spray and creates an iframe that leads to Protect.html.

  • Protect.html: It checks whether it is running on Windows XP with Internet Explorer 7 or 8. Note, however, that this exploit is also successful on Internet Explorer 9 and Windows Vista. We advise Dell SonicWALL customers to refrain from using Internet Explorer until this vulnerability is patched.

  • Poison Ivy RAT: When the exploit succeeds it downloads and executes a Poison Ivy RAT Trojan. The downloaded Trojan is XOR'ed using the key '0x70' and is decrypted before execution. The Trojan performs the following activities when executed:
    • It creates a copy of itself:
      %temp%/1992218.dat [Detected as "GAV: Poison.NHM (Trojan)"]
    • It creates a service to start itself on reboot:
    • It attempts to contact a remote server which was found to be taken down at the time of analysis
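
Because the downloaded Trojan is XOR'ed with the single byte 0x70, it does not begin with the usual "MZ" marker on the wire. The following triage check is an added example, not code from the original analysis: it tests whether a captured download decodes to a PE file under a single-byte XOR key, and it goes beyond the 0x70 case by deriving the key from the first byte. The function names and the header stub are constructed for illustration.

```python
import struct

PAGE_KEY = 0x70  # single-byte XOR key reported in the write-up


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def find_xor_key(blob: bytes):
    """Return the single-byte key under which blob decodes to a PE file, else None.

    A return value of 0 means the blob is already a plain PE file.
    Only the DOS header and the PE signature are decoded, so large
    captures stay cheap to test.
    """
    if len(blob) < 0x40:
        return None
    key = blob[0] ^ 0x4D                      # only key that maps byte 0 to 'M'
    if blob[1] ^ key != 0x5A:                 # byte 1 must decode to 'Z'
        return None
    header = xor_decode(blob[:0x40], key)
    (e_lfanew,) = struct.unpack_from("<I", header, 0x3C)
    # An out-of-range e_lfanew yields an empty slice and fails the comparison.
    signature = xor_decode(blob[e_lfanew:e_lfanew + 4], key)
    return key if signature == b"PE\x00\x00" else None


def build_constructed_sample(key: int) -> bytes:
    """Constructed input: a minimal MZ/PE header stub (no code), XOR-encoded."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)   # e_lfanew points at offset 0x80
    stub = bytes(dos) + b"\x00" * 0x40 + b"PE\x00\x00" + b"\x00" * 20
    return xor_decode(stub, key)


if __name__ == "__main__":
    sample = build_constructed_sample(PAGE_KEY)
    print("first bytes as captured:", sample[:2])
    print("recovered key:", hex(find_xor_key(sample)))
```

With key 0x70 the zero padding of a PE header appears in the capture as long runs of the byte 0x70 (ASCII "p"), which is a quick visual cue when reviewing a suspicious download in a hex viewer.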

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: SWFExp.G (Trojan)
  • GAV: SWFLoad.G (Trojan)
  • GAV: Malformed.html.MT.2 (Exploit)
  • GAV: Shellcode.GEN_12
  • IPS: 8669 Microsoft IE selectAll execCommand Invocation
  • IPS: 7370 HTTP Client Shellcode Exploit 68a
  • IPS: 4665 HTTP Client Shellcode Exploit 13a