New IE 0 day seen in the wild

Dell SonicWALL UTM Research team received reports of a new zero day exploit targeting newer versions of Internet Explorer in the wild. This zero day exploit targets a use-after-free vulnerability in Internet Explorer. The exploit is packaged in an encrypted SWF file along with JavaScript helper files. On successful exploit, it leads to the download and execution of a Poison Ivy RAT.

The exploit is attempted using the following components:

• Exploit.html: This is the initial entry point of the exploit. It creates an img element and loads Moh2010.swf.
• Moh2010.swf: The SWF is encrypted and obfuscated using DoSWF as shown below. On execution it performs a heap spray and creates an Iframe that leads to Protect.html.

  

• Protect.html: It checks if it is running in Windows XP and Internet Explorer 7 or 8. It is to be noted however that this exploit is also successful on Internet explorer 9 and Windows Vista. We advise Dell SonicWALL customers to refrain from using Internet Explorer until this vulnerability is patched.

  

• Poison Ivy RAT: When the exploit succeeds it downloads and executes a Poison Ivy RAT Trojan. The downloaded Trojan is XOR'ed using the key '0x70' and is decrypted before execution. The Trojan performs the following activities when executed:
  • It creates a copy of itself:
    %temp%/1992218.dat [Detected as "GAV: Poison.NHM (Trojan)"
  • It creates a service to start itself on reboot:
    HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWmdmPmSN
  • It attempts to contact a remote server which was found to be taken down at the time of analysis

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

• GAV: SWFExp.G (Trojan)
• GAV: SWFLoad.G (Trojan)
• GAV: Malformed.html.MT.2 (Exploit)
• GAV: Shellcode.GEN_12
• IPS: 8669 Microsoft IE selectAll execCommand Invocation
• IPS: 7370 HTTP Client Shellcode Exploit 68a
• IPS: 4665 HTTP Client Shellcode Exploit 13a