IE zero day exploit prime suspect in Google attacks

Since Google disclosed last week some facts about the attacks against the Gmail accounts of Chinese human rights activists and decided to review the feasibility of doing business in China, everybody has been wondering just what kinds of exploits were used in the attack.

It was clear that the recently patched Adobe Reader vulnerability described in APSB10-02 was the prime candidate for the attack, since the vulnerability had not been patched when the attacks occurred in mid December. Recent examples of PDF exploits, which are well documented in the ISC handler's diaries, show just how complex such attacks can be.

However, when the Microsoft security team released an advisory yesterday announcing a new Internet Explorer zero day vulnerability, it was clear that this new vulnerability jumps to the first position in the chart of suspects. The latest vulnerability affects all commonly used versions of Internet Explorer, including IE6, IE7 and IE8. As always, SophosLabs have also written a vulnerability analysis of the latest vulnerability and are working with Microsoft on the threat mitigation.

Regardless of which of the above exploits was used in the initial stage of the attack, it seems that a backdoor Trojan was used as the payload, giving the attacker remote control over the compromised system. From information posted on several websites, it seems that the backdoor Trojan used in the attack is a variant of the PcClient backdoor, an old and well known backdoor family. Samples of the family are detected by Sophos products as Mal/PcClient and Troj/Spy-EY.

Now that more information about the latest IE vulnerability is available, we can expect a rush towards public proof of concept exploits, which will soon afterwards be included in various exploit toolkits. It seems that the guys from the Microsoft Security Response team will be working overtime to release yet another out of band update for Internet Explorer. Let us hope they will be able to make it before exploits become widespread on malicious websites.