Internet Explorer zero-day exploit found on more websites. Fingers point towards Elderwood Project

Filed Under: Featured, Internet Explorer, Malware, Vulnerability

Paul Baccas, a researcher at SophosLabs, has uncovered two new sites which have been hit by the recently-discovered Internet Explorer zero-day remote code execution vulnerability.

The attacks bear all the hallmarks of previous infections spread by the so-called Elderwood Project.

First up is a website serving the Uyghur people of East Turkestan:

[Image: Uyghur website]

A folder called "netyanus" had been created on the website, containing the following files:

  • Helps.html
  • deployJava.js
  • news.html
  • robots.txt
  • today.swf
  • xsainfo.jpg

The website has since been cleaned up of its malware infection, but clearly whoever infected it had an interest in infecting anyone who visited the site.

Sophos products detect the HTML files as Exp/20124792-B.

The file news.html (detected as Exp/20124792-B) decodes the obfuscated zero-day exploit code inside robots.txt, and executes it.

Sophos products detect the SWF file as Troj/SWFExp-BF, the remaining HTML file as Exp/20124792-B, and the obfuscated code hidden inside xsainfo.jpg as the Troj/Agent-ZMC Trojan horse.
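As an added, defender-side illustration (not code from this post, from Sophos, or from the Elderwood investigators): a small Python check that flags a web directory whose contents resemble the planted file set above, and whose robots.txt, .jpg or .swf files do not hold what their names promise. The filename list is taken from this post; the header and script-marker heuristics are my own assumptions.

```python
import os
import re

# Filenames reported in the two planted folders described in this post.
PLANTED_NAMES = {"Helps.html", "deployJava.js", "exploit.html", "news.html",
                 "robots.txt", "today.swf", "xsainfo.jpg"}

# Heuristic markers of script-style content (my assumption, not from the post):
# none of these belongs in a robots.txt or an image file.
SCRIPT_MARKERS = re.compile(rb"<script|eval\(|unescape\(|fromCharCode|%u[0-9a-f]{4}", re.I)
JPEG_MAGIC = b"\xff\xd8\xff"
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

def inspect_file(name, data):
    """Return findings for one file: does its content match what its name claims?"""
    findings = []
    lower = name.lower()
    if lower.endswith(".jpg") and not data.startswith(JPEG_MAGIC):
        findings.append("jpg lacks JPEG header")
    if lower.endswith(".swf") and not data.startswith(SWF_MAGICS):
        findings.append("swf lacks SWF header")
    if lower == "robots.txt" and SCRIPT_MARKERS.search(data):
        findings.append("robots.txt carries script-like content")
    return findings

def analyze_listing(files):
    """files: {filename: bytes}. Returns (names shared with the planted set, {name: findings})."""
    overlap = sorted(set(files) & PLANTED_NAMES)
    findings = {}
    for name, data in files.items():
        hits = inspect_file(name, data)
        if hits:
            findings[name] = hits
    return overlap, findings

def scan_webroot(root, min_overlap=3):
    """Walk a web root; report directories that resemble the planted folder."""
    report = {}
    for dirpath, _, names in os.walk(root):
        files = {}
        for n in names:
            with open(os.path.join(dirpath, n), "rb") as fh:
                files[n] = fh.read(64 * 1024)  # header plus enough body to spot markers
        overlap, findings = analyze_listing(files)
        if len(overlap) >= min_overlap or findings:
            report[dirpath] = (overlap, findings)
    return report
```

Point `scan_webroot()` at a site's document root; each reported directory lists which planted filenames it shares and which files failed the content check.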

As there is currently no proper patch for the Internet Explorer security vulnerability, chances are that a good proportion of people visiting the Uyghur site could have ended up with their computers becoming infected.

If you weren't aware, the Uyghur people of East Turkestan have, like the inhabitants of Tibet, long campaigned for independence from the People's Republic of China and complained about persecution.

At the same time, SophosLabs discovered another infected website - this time, it's the website of an Iranian oil company, based in Tehran.

[Image: Infected Iranian oil website]

At the time of writing, the Iranian website is still carrying an infection so we have obscured some of its details in the image above.

On this occasion, the files implanted by the hackers take the following form:

  • deployJava.js
  • exploit.html
  • news.html
  • robots.txt
  • today.swf
  • xsainfo.jpg

Hopefully, if you have been paying attention, some of those filenames will look familiar to you.

You may not be in the habit of visiting websites associated with the Uyghur people, or checking out the websites of Iranian oil firms... but clearly some people and organisations may visit such sites, and could be at risk of having their computers silently infected as a result.

All the same, until a proper patch is pushed out by Microsoft, Internet Explorer users are potentially at risk from attacks which exploit this vulnerability and should take care to ensure that they have layered defences in place to minimise the risk.

Alert image courtesy of Shutterstock.


3 Responses to Internet Explorer zero-day exploit found on more websites. Fingers point towards Elderwood Project

  1. Freida Gray says:

    Would this also make IE10 on Windows 8 vulnerable if someone visited those using IE10?

    • Don says:

      According to all of the articles I've read IE9 and IE10 aren't susceptible to this specific vulnerability so they should be safe. Note the "should be safe".

      • JimboC_Security says:

        Hi Freida Gray and Don,

        According to the following Microsoft blog post on the Security Research and Defense blog, IE 9 and IE 10 are not affected since they do not contain the vulnerable code. Thus the phrase “should be safe” does not apply. The exploit cannot run if the vulnerable code does not exist in these versions.
        http://blogs.technet.com/b/srd/archive/2012/12/29...

        If you are using IE 6 to IE 8, please consider implementing one of the alternative workarounds mentioned in the following security advisory that does not rely on the Fix It solution published since that Fix It solution has recently been bypassed:
        http://blogs.technet.com/b/srd/archive/2012/12/29...

        I would recommend protecting IE 6 to IE 8 with Microsoft EMET.

        I hope this helps. Thank you.


About the author

Graham Cluley has worked in the computer security industry for more than 20 years, developing anti-virus software and doing quite a lot of talking about internet threats. He's won awards for his blogging, but is proudest of the text adventure games he wrote when he was still wearing short trousers. You can learn more about those (the games, not the trousers) at grahamcluley.com. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.