The Latest in IT Security

IE 0-Day (CVE-2012-4969) – JavaScript only – Attack found, exploiting in the wild and being capable of infecting the masses


On Friday, 21 September 2012, at 10:52:27, the G Data SecurityLabs detected a malicious website containing partially obfuscated and suspicious-looking JavaScript. We suspect that this attack is one of the first attempts to use the exploit in a modified version and in a large-scale attack, in contrast to the targeted attacks that have been reported until now.

The following analysis gives an insight into some interesting technical details of the exploit that was introduced in our first overview article.


The website

The malicious site is located in a subdirectory of an erotic dating site. The webserver hosts a lot of different sites and the domain in question was registered more than 3 years ago. Furthermore, we were able to observe the usage of outdated social network software, which indicates that we are dealing with a hacked website and not a website registered specifically for the attack. Therefore, we do not publish the affected domain name but focus on the technical details we could observe.



In the first part of the script, an array is created and a new “img” tag is inserted into the first element of this array. This is similar to the code used in the initial exploit version (exploit.html) first reported by Eric Romang. Furthermore, an iframe loads further code from the same server into the website. The rest of the code is obfuscated.

Figure 1: Obfuscated JavaScript code

The HTML page loaded by the iframe is not obfuscated at all and contains two interesting elements:

  1. A function call to document.execCommand("selectAll"), necessary to trigger the exploit.
  2. The first array element’s source attribute is set to
    which is identical to the string used in the initial version (protect.html).

Figure 2: The iframe source

At this point it becomes clear that the website exploits CVE-2012-4969. However, the initial exploit version involves a Flash file performing a JIT-Spray to prepare the memory according to the needs of the exploit. So let’s take a closer look at the obfuscated part of the script and search for the Flash file:

The deobfuscated script can be divided into two parts. The first part (figure 3) declares the function “heaplib()”, which is taken from the heaplib.js library developed by the security researcher Alexander Sotirov.

Figure 3: Deobfuscated JavaScript - Heaplib

The second part of the script (figure 4) declares the variable “code”, which holds the shellcode that is executed after a successful exploitation. After checking the victim’s browser and operating system version, the heaplib library is used to perform a heapspray.

Figure 4: Deobfuscated JavaScript - Heapspray


  1. In this case, only Internet Explorer version 8.x running on a Windows XP machine is attacked.
  2. There is no Flash file involved. The heapspray technique, using the heaplib.js library, is used to prepare the victim’s heap memory for the exploit. So, only JavaScript is needed to perform a successful attack.



The shellcode used in this attack is a typical download and execute code adjusted to work with this specific exploit. It downloads a file from the same server, located under /theme/f5.jpg. The name implies that we are dealing with an image file, but in fact it is a binary payload, directly executed by the shellcode.
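The mismatch described above, a URL ending in .jpg that returns an executable, can be checked on the content instead of the name. This is an added example, not code from the original analysis; the host example.test, the sample records and the function names are constructed for illustration.

```python
import struct
from urllib.parse import urlsplit

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
IMAGE_MAGICS = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
                b"GIF87a": "gif", b"GIF89a": "gif"}


def sniff(body: bytes) -> str:
    """Classify a response body by its leading bytes, ignoring its name."""
    for magic, kind in IMAGE_MAGICS.items():
        if body.startswith(magic):
            return kind
    # PE file: DOS header "MZ", then e_lfanew at 0x3c points to "PE\0\0".
    if body[:2] == b"MZ" and len(body) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
        if body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "unknown"


def disguised_executables(responses):
    """Return URLs with an image extension whose body is a PE file."""
    flagged = []
    for url, body in responses:
        path = urlsplit(url).path.lower()
        ext = path[path.rfind("."):] if "." in path else ""
        if ext in IMAGE_EXTS and sniff(body) == "pe":
            flagged.append(url)
    return flagged


def _fake_pe() -> bytes:
    # Constructed 68-byte stub: enough header for the check, not a real binary.
    return b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"


# Constructed proxy records; example.test is a placeholder host.
SAMPLE = [
    ("http://example.test/theme/f5.jpg", _fake_pe()),
    ("http://example.test/theme/logo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("http://example.test/theme/z5.jpg?x=1", _fake_pe()),
    ("http://example.test/setup.exe", _fake_pe()),
    ("http://example.test/theme/truncated.jpg", b"MZ\x90\x00"),
]
```

A body that starts with "MZ" but is too short to hold the header is reported as unknown rather than as an executable.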


On execution of the payload, which is the main bot component, a new process spawns and downloads another component located under /theme/z5.jpg on the same webserver. These processes are displayed in the Windows Task Manager and the bot doesn’t attempt to hide its activities.

To ensure the persistence of the malware, the main bot component copies itself to %SYSDIR%:\Users\%Username%\AppData\Local\838e5661\juschedj.exe, which imitates the name of Sun Microsystems’ Java updater. Furthermore, a shortcut file named MSupdate.lnk is created in the Windows autorun directory (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup). It points to the previously copied file and thereby enables the malware to become active again after a system reboot.

A noteworthy fact is the absence of any kind of packer, combined with heavy usage of string obfuscation to complicate static analysis. All in all, the bot avoids suspicious operations and therefore has a good chance of staying undetected by behavior-based detection mechanisms.

The downloaded file is another binary which has been identified as a Tor Client and it is started directly by the main bot component using these parameters:

  • --SocksPort 52300
  • --FascistFirewall 1
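The persistence artefacts and the Tor client parameters described above translate into simple host triage rules. This is an added example, not code from the original analysis; the event format, rule names, user name and the Tor client's file name and location are constructed, and matching any 8-hex-digit directory instead of only 838e5661 is an assumption.

```python
import re

# Indicators come from the analysis above. Matching any 8-hex-digit directory
# generalises the single observed name "838e5661" and is an assumption.
DROP_DIR = re.compile(r"\\AppData\\Local\\[0-9a-f]{8}\\[^\\]+\.exe$", re.I)
FAKE_JAVA = re.compile(r"\\juschedj\.exe$", re.I)
STARTUP_LNK = re.compile(r"\\Programs\\Startup\\MSupdate\.lnk$", re.I)
TOR_ARGS = [re.compile(r"SocksPort\s+52300\b", re.I),
            re.compile(r"FascistFirewall\s+1\b", re.I)]


def triage(event):
    """Return the names of the rules that a single host event matches."""
    hits = []
    if event["type"] == "process":
        if FAKE_JAVA.search(event["image"]):
            hits.append("fake-java-updater-name")
        if DROP_DIR.search(event["image"]):
            hits.append("exe-in-hex-named-dir")
        if all(rx.search(event["cmdline"]) for rx in TOR_ARGS):
            hits.append("tor-client-arguments")
    elif event["type"] == "file_create":
        if STARTUP_LNK.search(event["path"]):
            hits.append("startup-shortcut-msupdate")
            if DROP_DIR.search(event.get("lnk_target", "")):
                hits.append("shortcut-targets-drop-dir")
    return hits


def scan(events):
    """Map event index to matched rules, leaving out clean events."""
    hits = ((i, triage(e)) for i, e in enumerate(events))
    return {i: h for i, h in hits if h}


# Constructed events, not taken from a real host; "alice" and the Tor client's
# file name and location are placeholders the analysis does not give.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
DROPPED = r"C:\Users\alice\AppData\Local\838e5661\juschedj.exe"
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "jusched.exe",
     "image": r"C:\Program Files\Java\jre6\bin\jusched.exe"},
    {"type": "process", "cmdline": "juschedj.exe", "image": DROPPED},
    {"type": "file_create", "path": STARTUP + r"\MSupdate.lnk",
     "lnk_target": DROPPED},
    {"type": "process", "cmdline": "client.exe --SocksPort 52300 --FascistFirewall 1",
     "image": r"C:\Users\alice\AppData\Local\Temp\client.exe"},
]
```

The first sample event is the genuine Java updater name (jusched.exe) and matches no rule, which shows that the name check keys on the extra "j".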

The Tor Client tries to connect to a Command and Control (C&C) server through hidden services of the Tor network. If the first address is not reachable, another address is contacted after a few attempts:

  1. anhmgho2efkywudt.onion/ct2.php (initial service)
  2. xtrb3h5gyswyzdc5.onion/ct2.php (fall back)

The G Data SecurityLabs recently analyzed a different malware that also uses a Tor hidden service to hide the C&C server. The strategy seems to be getting popular among malware authors.

After successfully connecting to the Tor network, the malware collects some hardware characteristics and sends an HTTP POST request to the C&C server. The anonymized request is listed in figure 5 and shows the following keys sent to the C&C server: id, v, cf, os, d.

Figure 5: Bot requests new commands from C&C server

The malware repeats this procedure regularly to fetch new commands from the C&C server.

The number of built-in commands accepted from the C&C server is quite limited, but it supports the downloading and decrypting of further binary files, which makes it extremely flexible. Given that the C&C so far only seems to send "idle" responses and that the bot’s only significant function is Download&Execute, it is likely that the goal of this attack is to sell the bots in a "pay per install" model.



Since the release of the first article on the IE 0-Day by Eric Romang, on 14 September, and the publication of the Metasploit module on 17 September, security researchers as well as the underground community have paid a lot of attention to this vulnerability.

At least 10 different versions of the exploit have been seen in the wild, mostly used in targeted attacks, as stated by Anup Ghosh (CEO of Invincea) in this article, by Microsoft’s Yunsun Wee, Director of Trustworthy Computing, and others.

Until now, we could only observe attacks using modified versions of the initially published exploit code, with different Flash files preparing the memory appropriately for the exploit. Now we see the first versions that rely on JavaScript only and target the normal Internet user. Based on our analysis, we believe that the exploit used in this current attack is a refined version of the initial exploit version published by Eric Romang. It can be assumed that integration into the major exploit packs, like Blackhole, will follow soon.

Microsoft’s exemplary and quick response, publishing various instructions, a Fix it and finally an out-of-cycle patch on 21 September, also hints at the possible impact of the exploit. Every IE user is advised to directly apply the provided security update if it has not already been applied through the auto update mechanism.

Involved components

ie2.php?x=2 (iframe source)
JS:CVE-2012-4969-A [Expl]
f5.jpg (bot)
z5.jpg (Tor client)
