IE zero-day exploit disappears on reboot
By Shona Ghosh
Posted on 11 Nov 2013 at 11:34
Criminals are taking advantage of unpatched holes in Internet Explorer to launch "diskless" attacks on PCs visiting malicious sites.
Security company FireEye uncovered the zero-day flaw on at least one breached US site, describing the exploit as a "classic drive-by download attack".
But FireEye also noted the malware doesn't write to disk and disappears on reboot - provided it hasn't already taken over your PC - making it trickier to detect, though easier to purge.
"[This is] a technique not typically used by advanced persistent threat (APT) actors," the company said. "This technique will further complicate network defenders' ability to triage compromised systems, using traditional forensics methods."
The vulnerability affects English-language versions of IE 7, 8, 9 and 10 on Windows XP and Windows 7.
Microsoft has not responded to a request for comment but told Ars Technica that it was still looking into the report. FireEye said attacks could be prevented with the latest version of Microsoft's Enhanced Mitigation Experience Toolkit, a malware blocking tool.
The exploit is separate from the Windows zero-day vulnerability revealed last week, which involves the TIFF graphics-format parser.
How it works
According to FireEye, the exploit takes advantage of two separate vulnerabilities in Internet Explorer - system information leaks and remote access to a PC's memory.
The company described the exploit as "exceptionally accomplished", and said attackers had managed to insert the exploit into a site likely visited by US defence workers, though it didn't say which.
"Specifically, the attackers inserted this zero-day exploit into a strategically important website, known to draw visitors that are likely interested in national and international security policy," said FireEye.
Using malware that doesn't stick around on reboot signalled the attackers' "confidence" in their own ability to take control of infected machines fast.
"As the payload was not persistent, the attackers had to work quickly, in order to gain control of victims and move laterally within affected organisations," said the company. "If the attacker did not immediately seize control of infected endpoints, they risked losing these compromised endpoints, as the endpoints could have been rebooted at any time."
Alternatively, it's possible the hackers were certain their intended victims would likely revisit the compromised site, FireEye said.
Is your business a social business? For helpful info and tips visit our hub.
So it only lasts a month
Given that most people only reboot on patch Tuesday the exploit will be present for quite a long time.
By tirons1 on 11 Nov 2013
Makes sense. For some crazy reason DoD and USG like IE, and make their sites more user friendly and compatible for IE than for more secure browsers like FF or GC. I only use IE when a site makes other browsers difficult to use.
By nightdreamer on 11 Nov 2013
So IE11 on Windows 7 is not affected and IE 10 and 11 on Windows 8 are unaffected?
And as all my machines are German language, they are unaffected anyway?
By big_D on 12 Nov 2013
- CeBit 2014 diary: Cameron comes to town
- The 5 most interesting UK businesses at SXSW
- Quickest way to upload 1GB? Hop on a train
- Move over Delia: IBM Watson is cooking tonight
- Eric Schmidt on the double-edged smartphone: friend and foe
- Getty joins the race to the bottom
- Hour of Code: five steps to learn how to code
- Sony Xperia Z2 Tablet review: first look
- Sony Xperia Z2 review: first look
- Samsung Galaxy Gear 2 review: first look
- The key to choosing a secure password
- Please stop reposting fake Facebook messages
- Is Facebook safe for business?
- Don't rely on Chrome's password vault
- Facebook Graph Search: don't panic
- Gmail drafts and Pastebin: could they evade the email snoops?
- Applying for a job at GCHQ? Here's your plain-text password
- Google two-step verification: a must for business email
- Yes, I write down my passwords
- How to deal with a ransomware attack