New IE zero day exploit circulating, used to install Poison Ivy

The gang behind the recent Java zero day attacks apparently hasn’t packed up for the season.

A researcher examining one of the servers used to launch attacks on vulnerable Java installations says he has found a new zero day exploit for Microsoft’s Internet Explorer web browser.

The new and previously unknown (or “zero day”) exploit can be used to load malicious software on machines running fully patched Windows XP SP3 along with the latest editions of the IE 7 and IE 8 browser and Adobe’s Flash software, said Eric Romang, who discovered the vulnerability.

Further analysis by the firm AlienVault suggests that the zero day is being used in attacks that install the Poison Ivy Trojan.

In a blog post, Romang, a Luxemborg-based IT security advisor at ZATAZ.com, said he discovered the exploit when analyzing a batch of files hosted on one of the servers used by the Nitro gang to distribute attacks that exploited the Java vulnerability.

After running one of the sample files on a fully patched Windows XP SP3 system with an up-to-date version of Adobe Flash, Romang was surprised to find that the files loaded malicious software to his fully patched XP system.

Further analysis revealed that .html and Flash files were used to identify proper targets (Windows XP systems running IE 7 and 8) and use a common technique called a “heap spray” to lay the groundwork for a successful iFrame attack against the systems that exploited the vulnerability and used it to install a malicious program, 111.exe.

That malware has been identified as a new variant of the Posion Ivy Trojan horse program, according to the security firm AlienVault Labs.

Writing about the attack on the AlienVault Labs blog, researcher Jaime Blasco said that evidence collected online suggest the gang behind the Java attacks in August and September may be moving on: with domains used in that attack located at new IP addresses and serving up the new and more potent attacks.

Oracle issued an emergency patch for the vulnerability in Java on August 30, though researchers subsequently showed that the patch could be circumvented.

The new IE exploit is being implemented in the Metasploit penetration testing tool and a module that allows Metasploit users to launch IE 7 and IE8 exploit is expected by Monday, Romang wrote.

(Customers should note that Sophos products protect against the vulnerability detecting attempts to exploit it as Exp/20124969-A – however, we would still recommend that IE users apply the security patch as soon as it is released by Microsoft).

_{Poison Ivy image from Shutterstock.}