Symantec Security Response has confirmed that the Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Vulnerability is being exploited in the wild.
The vulnerability itself affects IE versions 6, 7, and 8. However, the exploit we have acquired seems to only affect version 8. Microsoft has already released patches as part of the MS Tuesday release on June 14, so Symantec advises all users to install the patch.
So far we have only seen limited attacks taking advantage of this vulnerability and believe that the exploit is only being carried out in targeted attacks at present.
The attack we have been able to confirm involves a compromised website hosting content for a neighborhood restaurant. It appears that a duplicate of the top page of the website was either hacked to include a hidden iframe tag linking to an exploit page or prepared from scratch. If the exploit runs successfully, the included shellcode downloads an encrypted malicious file from the same site. Interestingly, the page includes a link to cnzz.com, a site that offers statistical analysis, perhaps to give the attacker an idea of how the attack is progressing. The downloaded malware then contacts 323332.3322.org over HTTP and awaits further commands. 3322.org provides a type of dynamic DNS service and is known to be used for various malicious purposes, so it may not be a bad idea to block access to the domain and, if needed, whitelist those subdomains that you may need access to. It's likely that the attacker sends emails to the targets with a link to the website with the intent to steal confidential information, which is a common method used in targeted attacks.
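The blocking advice above, as an added example that is not part of the original post: a Python check over constructed proxy log lines that flags requests to any host under 3322.org except allow-listed subdomains. The log format and the allow-listed name intranet-cam.3322.org are assumptions made for illustration.

```python
from urllib.parse import urlsplit

BLOCKED_ZONES = {"3322.org"}               # dynamic DNS zone named in the post
ALLOWED_HOSTS = {"intranet-cam.3322.org"}  # hypothetical subdomain the business needs

# Constructed proxy log lines: timestamp, client IP, method, target, status.
SAMPLE_LOG = """\
2011-06-20T09:14:02 10.0.0.15 GET http://323332.3322.org/index.html 200
2011-06-20T09:14:05 10.0.0.15 GET http://www.example.com/ 200
2011-06-20T09:15:10 10.0.0.22 CONNECT INTRANET-CAM.3322.ORG:443 200
2011-06-20T09:16:40 10.0.0.31 GET http://not3322.org/ 200
2011-06-20T09:17:01 10.0.0.40 GET http://update.3322.org./a 200
"""

def host_of(target):
    """Return the lowercase hostname from a URL or a CONNECT host:port target."""
    if "://" not in target:
        target = "//" + target  # let urlsplit treat host:port as a netloc
    return (urlsplit(target).hostname or "").rstrip(".")

def in_zone(host, zone):
    """True for the zone itself or any subdomain, matched on a label boundary."""
    return host == zone or host.endswith("." + zone)

def verdict(host):
    """Allow-list wins over the zone block; everything else passes."""
    if host in ALLOWED_HOSTS:
        return "allow"
    if any(in_zone(host, zone) for zone in BLOCKED_ZONES):
        return "block"
    return "pass"

def flagged(log_text):
    """Return (client, host) pairs for requests that hit a blocked zone."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines
        host = host_of(fields[3])
        if verdict(host) == "block":
            hits.append((fields[1], host))
    return hits

if __name__ == "__main__":
    for client, host in flagged(SAMPLE_LOG):
        print(f"{client} -> {host}")
```

Matching on the label boundary keeps unrelated names such as not3322.org from being flagged, and normalizing case and the trailing root dot keeps those variants from slipping past the check.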
To protect themselves, users should apply the latest patch for this vulnerability. They should also keep all other software on their computer up to date, including security software. Users should also be cautious with emails containing attachments and links, whether they come from known or unknown sources.
Thanks to Masaki Suenaga and Kazumasa Itabashi for their help analyzing the threat.