Zero-day leak in Internet Explorer and Edge actively abused since 2014

vbimport

#1

We’ve just posted the following news: Zero-day leak in Internet Explorer and Edge actively abused since 2014

The zero-day leak in Internet Explorer and Edge, which was patched last Patch Tuesday, has been actively used to infect internet users since 2014. Users were infected by viewing malicious advertisements.

Read the full article here: [http://www.myce.com/news/zero-day-leak-internet-explorer-edge-actively-abused-since-2014-80446/](http://www.myce.com/news/zero-day-leak-internet-explorer-edge-actively-abused-since-2014-80446/)

#2

So, the cybercriminals who wrote this exploit could program the exploit to not run on a cyber research machine? How would this program know the difference between a cyber research machine and any other machine? Are these researchers somehow leaving clues for such programs?


#3

Since malware research computers are dedicated and, for the most part, automated systems with special restrictions implemented, there are some clues to be found: they will typically include various installations like the Python programming/scripting language, software to analyze proxy dumps, HTTP debuggers and network monitors/sniffers.
These programs associate file extensions, and in this case the attackers checked for the presence of associations by these programs; if any were found, no infection would take place. We have seen this before as well with sandbox-aware malware, which will exit if it detects a sandbox or even a VM.

Threat actors are increasingly exploiting non-critical bugs and low-level vulnerabilities that may remain unpatched for months or years at a time.
More interesting, the exploit also searched for typical consumer associations for audio/video and even the presence of an OEM logo and various DLLs before infecting the system. For a comprehensive list of checks, look here (pretty impressive).

Additionally, in this campaign the actor was ensuring that Internet Explorer was the default browser (with checks on .html).
For more thorough insight into this very advanced exploit, look here.
Microsoft’s security bulletins: Internet Explorer, Edge.
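The gating logic described in this post (look for file-extension associations that only analysis tools register, confirm that Internet Explorer owns `.html`, and proceed only when the machine looks like a consumer PC) can be reproduced offline against a `reg export` of HKEY_CLASSES_ROOT. The Python below is an added example for this thread, not code from the article or from the exploit itself; the list of tell-tale extensions, the ProgID names in the constructed sample dumps, and all function names are assumptions chosen for illustration, not the attackers' actual checklist.

```python
import re

# Illustrative mapping of extensions to the analysis tools that register them.
# This list is an assumption for the example, not the exploit's real checklist.
ANALYSIS_TOOL_EXTENSIONS = {
    ".py": "Python",
    ".pyw": "Python",
    ".saz": "Fiddler (HTTP debugging proxy)",
    ".pcap": "Wireshark / packet capture tool",
    ".pcapng": "Wireshark / packet capture tool",
    ".har": "HTTP archive viewer",
}

# ProgIDs Internet Explorer registers for .html on a typical Windows install.
IE_HTML_PROGIDS = {"htmlfile", "IE.AssocFile.HTM"}

# [HKEY_CLASSES_ROOT\.ext] lines only; subkeys such as \.py\ShellNew are skipped.
KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\(\.[^\]\\]+)\]$")
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')   # the key's (Default) value


def parse_reg_export(text):
    """Parse a `reg export HKCR` style dump into {extension: ProgID}."""
    associations = {}
    current_ext = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_ext = m.group(1).lower()
            continue
        if line.startswith("["):
            current_ext = None          # some other key (ProgID subtree, subkey)
            continue
        if current_ext is None:
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if m:
            associations[current_ext] = m.group(1)
    return associations


def find_analysis_tools(associations):
    """Return {extension: tool} for every tell-tale association present."""
    return {ext: tool for ext, tool in ANALYSIS_TOOL_EXTENSIONS.items()
            if ext in associations}


def html_handler(associations):
    """ProgID that owns .html, i.e. the default browser's registration."""
    return associations.get(".html")


def is_ie_default_for_html(associations):
    return html_handler(associations) in IE_HTML_PROGIDS


def would_exploit_fire(associations):
    """Mirror the gating described in the post: run only when no analysis
    tool association is found AND Internet Explorer owns .html."""
    return not find_analysis_tools(associations) and is_ie_default_for_html(associations)


# Constructed sample exports (ProgID strings are illustrative, not verified).
ANALYST_VM = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.html]
@="htmlfile"
"Content Type"="text/html"

[HKEY_CLASSES_ROOT\.py]
@="Python.File"

[HKEY_CLASSES_ROOT\.py\ShellNew]
"NullFile"=""

[HKEY_CLASSES_ROOT\.saz]
@="Fiddler.ArchiveZip"

[HKEY_CLASSES_ROOT\.pcap]
@="Wireshark.pcap"
"""

CONSUMER_PC = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.html]
@="htmlfile"

[HKEY_CLASSES_ROOT\.mp3]
@="WMP11.AssocFile.MP3"

[HKEY_CLASSES_ROOT\.jpg]
@="jpegfile"
"""

CHROME_PC = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.html]
@="ChromeHTML"
"""


if __name__ == "__main__":
    for name, dump in (("analyst VM", ANALYST_VM), ("consumer PC", CONSUMER_PC),
                       ("Chrome PC", CHROME_PC)):
        assoc = parse_reg_export(dump)
        print(f"{name}: tools={find_analysis_tools(assoc)} "
              f".html={html_handler(assoc)} fires={would_exploit_fire(assoc)}")
```

To check a real sandbox image, run `reg export HKCR hkcr.reg` on the VM and feed the file to `parse_reg_export` (note that `reg export` writes UTF-16LE, so open it with `encoding="utf-16"`); every extension the script reports is a clue the image hands to sandbox-aware malware, and the fix is to analyze in an image whose associations match a consumer machine rather than an analyst's workstation.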


#4

I turned on my barely used desktop to do a full sector check on a hard drive overnight. I came back in the morning and it was waiting to log in after a friggin emergency update.