IE zero-day exploit disappears on reboot
By Shona Ghosh
Posted on 11 Nov 2013 at 11:34
Criminals are taking advantage of unpatched holes in Internet Explorer to launch "diskless" attacks on PCs visiting malicious sites.
Security company FireEye uncovered the zero-day flaw on at least one breached US site, describing the exploit as a "classic drive-by download attack".
But FireEye also noted the malware doesn't write to disk and disappears on reboot - provided it hasn't already taken over your PC - making it trickier to detect, though easier to purge.
"[This is] a technique not typically used by advanced persistent threat (APT) actors," the company said. "This technique will further complicate network defenders' ability to triage compromised systems, using traditional forensics methods."
The vulnerability affects English-language versions of IE 7, 8, 9 and 10 on Windows XP and Windows 7.
Microsoft has not responded to a request for comment but told Ars Technica that it was still looking into the report. FireEye said attacks could be prevented with the latest version of Microsoft's Enhanced Mitigation Experience Toolkit, a malware blocking tool.
The exploit is separate from the Windows zero-day vulnerability revealed last week, which involves the TIFF graphics-format parser.
How it works
According to FireEye, the exploit takes advantage of two separate vulnerabilities in Internet Explorer - system information leaks and remote access to a PC's memory.
The company described the exploit as "exceptionally accomplished", and said attackers had managed to insert the exploit into a site likely visited by US defence workers, though it didn't say which.
"Specifically, the attackers inserted this zero-day exploit into a strategically important website, known to draw visitors that are likely interested in national and international security policy," said FireEye.
Using malware that doesn't stick around on reboot signalled the attackers' "confidence" in their own ability to take control of infected machines fast.
"As the payload was not persistent, the attackers had to work quickly, in order to gain control of victims and move laterally within affected organisations," said the company. "If the attacker did not immediately seize control of infected endpoints, they risked losing these compromised endpoints, as the endpoints could have been rebooted at any time."
Alternatively, it's possible the hackers were certain their intended victims would likely revisit the compromised site, FireEye said.
Is your business a social business? For helpful info and tips visit our hub.
So it only lasts a month
Given that most people only reboot on patch Tuesday the exploit will be present for quite a long time.
By tirons1 on 11 Nov 2013
Makes sense. For some crazy reason DoD and USG like IE, and make their sites more user friendly and compatible for IE than for more secure browsers like FF or GC. I only use IE when a site makes other browsers difficult to use.
By nightdreamer on 11 Nov 2013
So IE11 on Windows 7 is not affected and IE 10 and 11 on Windows 8 are unaffected?
And as all my machines are German language, they are unaffected anyway?
By big_D on 12 Nov 2013
- How to check your identity hasn’t been sold to the hackers
- Tim Cook: this is how much TV has changed since the 70s
- Westminster wins the .London battle
- 20 years of PC Pro: from deep pan pizza to virtualisation
- Five reasons why the Apple Watch leaves me cold
- Apple Watch, iPhone 6 and 6 Plus: Tim Cook's Apple back with a bang?
- BT Home Hub 5: how to get maximum speed
- 20 years of PC Pro: one-star reviews (including "the worst tablet we've ever seen")
- 20 years of PC Pro: our best covers
- Why we've closed the PC Pro forums
- How to write your company's IT security policy
- The key to choosing a secure password
- Please stop reposting fake Facebook messages
- Is Facebook safe for business?
- Don't rely on Chrome's password vault
- Facebook Graph Search: don't panic
- Gmail drafts and Pastebin: could they evade the email snoops?
- Applying for a job at GCHQ? Here's your plain-text password
- Google two-step verification: a must for business email
- Yes, I write down my passwords