Exploit for June MS Tuesday Vulnerability in the Wild

Symantec Security Response has confirmed that the Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Vulnerability is being exploited in the wild. The vulnerability affects Internet Explorer versions 6, 7, and 8; however, the exploit we have acquired seems to only affect version 8. Microsoft has already released patches as part of the MS Tuesday release on June 14, so Symantec advises all users to install the patch. So far, we have only seen limited attacks taking advantage of this vulnerability and believe that the exploit is only being carried out in targeted attacks at present.

We have been able to confirm the existence of one such attack that involves a compromised website hosting content for a neighborhood restaurant. It appears that a duplicate of the top page of the website was either hacked to include a hidden iframe tag linking to an exploit page or was prepared from scratch, which, if run successfully, the included shell code downloads an encrypted malicious file from the same site. Interestingly, a link to cnzz.com, which is a site that offers statistical analysis, is included in the page to perhaps to provide the attackers with an idea of how the attack is progessing. The downloaded malware then contacts 323332.3322.org using the HTTP protocol and awaits further commands. 3322.org provides a type of dynamic DNS service and is known to be used for various malicious purposes, so it may not be a bad idea to block access to this domain and, if needed, whitelist the subdomains that you may need access to. It's likely that the attacker sends emails to targets with a link to the website with the intent to steal confidential information, which is a common method used in targeted attacks.

To protect themselves from attack, users should apply the latest patch for this vulnerability. They should also keep all other software on their computer up to date as well, including security software. Users should also be cautious when receiving emails with attachments and links they receive from both known and unknown sources.

Symantec detects the exploit as Trojan.Shixploit and the payload has been detected as Backdoor.Trojan since January 2010.

Thanks to Masaki Suenaga and Kazumasa Itabashi for their help analyzing the threat.