Such a dangerous Internet Explorer ...

We have not yet begun a real leaf fall, and zero-day vulnerabilities showered like autumn leaves. How much time has passed since identifying the last 0-day vulnerability (in Java SE 7) - less than three weeks? And now a new, and no less interesting vulnerability is the remote execution of arbitrary code in all versions of Microsoft Internet Explorer (from 6 to 9) on all versions of Windows OS - from 98 to 7.

In general, it has already been described in this post. I’ll talk in more detail about how the exploit works, what its origins are, and share my opinion on what to do with all of this ... We

’ve unearthed a new vulnerability by studying the operation of C & C servers that attacked the Java SE 7 vulnerability. One of them (223.25.233.244) was known since the attackin July-September 2011, the Chinese group Nitro in the chemical industry with the aim of stealing intellectual property - formulas, descriptions of chemical processes, etc. In the future, he participated in other attacks. Researchers were also focusing on several infected servers used by the Nitro team. On September 14, on one of them, located in Italy, a new folder appeared with the following contents:



We tested these files on a completely updated Microsoft Windows XP Pro SP3 server with the latest version of Adobe Flash (11,4,402,265). As a surprise, additional files uploaded to the test computer were discovered. Scanning the files under study on the VirusTotal resource yielded zero result - not one of the antiviruses recognized malicious code in them.

The analysis showed that the exploit consists of 4 main components:

1. The file “Exploit.html” is the starting point and preliminary preparation of the exploit. After creating the necessary conditions for exploitation of the vulnerability, it launches the flash file “Moh2010.swf”.
Symantec detects this process as Bloodhound.Exploit.474

2. “Moh2010.swf” is responsible for covertly downloading executable code. After downloading the malicious code, it launches the Protect.html file in the iFrame that opens the vulnerability.
Symantec detects this process as Trojan.Swifi.

3. The file “Protect.html” is the opening trigger of this vulnerability, responsible for the execution of malicious code downloaded using “Moh2010.swf”.
Symantec also detects this process as Bloodhound.Exploit.474.

4. Downloaded malicious code pumps up additional malicious programs and runs them on a compromised system.
Symantec detects these malicious programs as Trojan.Dropper and Backdoor.Darkmoon.

Thus, it turned out that Microsoft Internet Explorer contains a vulnerability that could allow arbitrary code to be executed remotely on a user's computer in the context of user rights, which has already been confirmed by the manufacturer, Microsoft.

And now what i can do? To panic, and how does the German government stop using IE? Then pay attention to the fact that one 0-day vulnerability was born after another, moreover, in the hands of the same criminal group. And not the fact that anything else will not appear. And not necessarily for internet browsers. I think that excluding one software product after another, we will not come to a secure computing environment, unless we switch to accounts.

On the contrary, I propose to be reasonable people and rely on best practices:

• use a special account with the minimum necessary rights to work with the Internet;
• be sure to install the released software updates; and
• always keep the security features up to date.

Good luck on the Internet!

Andrey Zerenkov, Symantec Russia