Internet Explorer zero-day exploit found on more websites. Fingers point towards Elderwood Project

Filed Under: Featured, Internet Explorer, Malware, Vulnerability

Paul Baccas, a researcher at SophosLabs, has uncovered two new sites which have been hit by the recently-discovered Internet Explorer zero-day remote code execution vulnerability.

The attacks bear all the hallmarks of previous infections spread by the so-called Elderwood Project.

First up is a website serving the Uyghur people of East Turkestan:

Uyghur website

A folder called "netyanus" had been created on the website, containing the following files:

  • Helps.html
  • deployJava.js
  • news.html
  • robots.txt
  • today.swf
  • xsainfo.jpg

The website has since been cleaned up of its malware infection, but clearly whoever infected it had an interest in infecting anyone who visited the site.

Sophos products detect the HTML files as Exp/20124792-B.

The file news.html (detected as Exp/20124792-B) decodes the obfuscated zero-day exploit code inside robots.txt, and executes it.

Sophos products detect the SWF file as Troj/SWFExp-BF, the remaining HTML file as Exp/20124792-B, and the obfuscated code hidden inside xsainfo.jpg as the Troj/Agent-ZMC Trojan horse.

As there is currently no proper patch for the Internet Explorer security vulnerability, chances are that a good proportion of people visiting the Uyghur site could have ended up with their computers becoming infected.

If you weren't aware, the Uyghur people of East Turkestan have, like the inhabitants of Tibet, long campaigned for independence from the People's Republic of China and complained about persecution.

At the same time, SophosLabs discovered another infected website - this time, it's the website of an Iranian oil company, based in Tehran.

Infected Iranian oil website

At the time of writing, the Iranian website is still carrying an infection so we have obscured some of its details in the image above.

On this occasion, the files implanted by the hackers took the following form:

  • deployJava.js
  • exploit.html
  • news.html
  • robots.txt
  • today.swf
  • xsainfo.jpg

Hopefully, if you have been paying attention, some of those filenames will look familiar to you.
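For anyone checking their own web root against the pattern described above, here is a small defender-side scanner. It is an added example, not Sophos's code and not a description of the exploit itself: it looks for a folder carrying the file names listed for the two compromised sites (the folder name netyanus also comes from the article) and then checks that robots.txt contains only robots directives and that xsainfo.jpg and today.swf start with the signatures their extensions imply, since the article says those files carried obfuscated code rather than their normal content. The threshold of three matching names, the signature checks and the sample web root it builds under a temporary directory are assumptions constructed for the example.

```python
import os
import re
import tempfile

# File names dropped on the two compromised sites described in the article
# (Helps.html on the Uyghur site, exploit.html on the Iranian one; the rest on both).
IMPLANT_NAMES = {
    "Helps.html", "exploit.html", "deployJava.js", "news.html",
    "robots.txt", "today.swf", "xsainfo.jpg",
}
MIN_NAME_MATCHES = 3  # assumption: three of these names in one folder is worth a look

JPEG_MAGIC = (b"\xff\xd8\xff",)
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

# A genuine robots.txt consists only of these directives, comments and blank lines.
ROBOTS_LINE = re.compile(
    r"\s*(?:#.*|(?:user-agent|allow|disallow|sitemap|crawl-delay)\s*:.*)?\s*",
    re.IGNORECASE,
)


def robots_txt_is_plain(data: bytes) -> bool:
    """True when every line is a robots.txt directive, comment or blank line."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ROBOTS_LINE.fullmatch(line) for line in text.splitlines())


def has_magic(data: bytes, magics) -> bool:
    """True when the file starts with one of the expected format signatures."""
    return any(data.startswith(m) for m in magics)


def scan_directory(path: str) -> list:
    """Findings for one directory: implant name cluster plus content/extension mismatches."""
    findings = []
    names = {n for n in os.listdir(path) if os.path.isfile(os.path.join(path, n))}
    overlap = sorted(names & IMPLANT_NAMES)
    if len(overlap) >= MIN_NAME_MATCHES:
        findings.append(f"{path}: {len(overlap)} implant file names present: {overlap}")

    def read(name):
        with open(os.path.join(path, name), "rb") as fh:
            return fh.read()

    if "robots.txt" in names and not robots_txt_is_plain(read("robots.txt")):
        findings.append(f"{path}/robots.txt: contains non-robots content (possible hidden script)")
    if "xsainfo.jpg" in names and not has_magic(read("xsainfo.jpg"), JPEG_MAGIC):
        findings.append(f"{path}/xsainfo.jpg: no JPEG header (possible hidden payload)")
    if "today.swf" in names and not has_magic(read("today.swf"), SWF_MAGIC):
        findings.append(f"{path}/today.swf: no SWF header")
    return findings


def scan_webroot(root: str) -> list:
    """Walk the web root and collect findings from every directory."""
    findings = []
    for dirpath, _dirs, _files in os.walk(root):
        findings.extend(scan_directory(dirpath))
    return findings


def build_sample_webroot() -> str:
    """Constructed sample: a clean top level plus a 'netyanus' folder mimicking the implant layout."""
    root = tempfile.mkdtemp(prefix="webroot-")
    with open(os.path.join(root, "robots.txt"), "w") as fh:
        fh.write("User-agent: *\nDisallow: /admin/\n")  # ordinary robots.txt
    sub = os.path.join(root, "netyanus")  # folder name from the article
    os.mkdir(sub)
    for name in ("Helps.html", "deployJava.js", "news.html"):
        with open(os.path.join(sub, name), "w") as fh:
            fh.write("<!-- placeholder content, constructed for the example -->\n")
    with open(os.path.join(sub, "today.swf"), "wb") as fh:
        fh.write(b"CWS" + b"\x00" * 16)  # carries a valid SWF header, so not flagged
    with open(os.path.join(sub, "robots.txt"), "w") as fh:
        fh.write("var s = 'placeholder';\n")  # script text where directives belong
    with open(os.path.join(sub, "xsainfo.jpg"), "wb") as fh:
        fh.write(b"placeholder bytes, not a JPEG")  # wrong signature for a .jpg
    return root


if __name__ == "__main__":
    for line in scan_webroot(build_sample_webroot()):
        print(line)
```

Run against the constructed web root it reports three findings for the netyanus folder (the name cluster, the script-bearing robots.txt and the headerless xsainfo.jpg) and nothing for the clean top level; pointed at a real document root it walks every directory the same way. The name list is an indicator of this particular campaign, while the content-versus-extension checks are the part that keeps working once attackers rename their files.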

You may not be in the habit of visiting websites associated with the Uyghur people, or checking out the websites of Iranian oil firms... but clearly some people and organisations may visit such sites, and could be at risk of having their computers silently infected as a result.

All the same, until a proper patch is pushed out by Microsoft, Internet Explorer users are potentially at risk from attacks which exploit this vulnerability and should take care to ensure that they have layered defences in place to minimise the risk.

Alert image courtesy of Shutterstock.


3 Responses to Internet Explorer zero-day exploit found on more websites. Fingers point towards Elderwood Project

  1. Freida Gray · 1004 days ago

    Would this also make IE10 on Windows 8 vulnerable if someone visited those using IE10?

    • Don · 1004 days ago

      According to all of the articles I've read IE9 and IE10 aren't susceptible to this specific vulnerability so they should be safe. Note the "should be safe".

      • JimboC_Security · 1004 days ago

        Hi Freida Gray and Don,

        According to the following Microsoft blog post on the Security Research and Defense blog, IE 9 and IE 10 are not affected since they do not contain the vulnerable code. Thus the phrase “should be safe” does not apply. The exploit cannot run if the vulnerable code does not exist in these versions.

        If you are using IE 6 to IE 8, please consider implementing one of the alternative workarounds mentioned in the following security advisory that does not rely on the Fix It solution published since that Fix It solution has recently been bypassed:

        I would recommend protecting IE 6 to IE 8 with Microsoft EMET.

        I hope this helps. Thank you.


About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley