TrendLabs Malware Blog - Trend Micro

We’re currently investigating a new zero-day exploit that affects Internet Explorer versions 7, 8, and 9. The exploit, which is detected by Trend Micro as HTML_EXPDROP.II, was found hosted at {BLOCKED}.{BLOCKED}.104.149. Incidentally, this server also hosted the Java zero-day exploit reported last August 30.

Based on our initial analysis, when executed, HTML_EXPDROP.II drops a malicious .SWF file (SWF_DROPPR.II). The .SWF file then drops a backdoor detected as BKDR_POISON.BMN. More information on the analysis will be posted in this entry.
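The drop chain described above (exploit HTML page, then a Flash file, then an executable, all fetched by one client from one host in quick succession) is something a defender can hunt for in web proxy logs. The following is an added example and not code from the TrendLabs post or from Trend Micro; the log format, field order, host addresses and file names are constructed for illustration, and file roles are inferred from MIME type or extension, which is a heuristic that real proxies will need tuning for.

```python
"""
Proxy-log triage for an HTML -> SWF -> executable drop chain.

Assumptions (constructed for this example, not from the post):
  - each log line is "timestamp client_ip host path content_type"
  - timestamps are ISO-8601 UTC, e.g. 2012-09-17T10:00:01Z
  - a chain counts when one client pulls html, then swf, then an
    executable from the same host within WINDOW seconds
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)

# Constructed sample lines. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges; they are placeholders, not the server in the post.
SAMPLE_LOG = """\
2012-09-17T10:00:01Z 10.0.0.5 203.0.113.10 /index.html text/html
2012-09-17T10:00:02Z 10.0.0.5 203.0.113.10 /exploit.html text/html
2012-09-17T10:00:03Z 10.0.0.5 203.0.113.10 /loader.swf application/x-shockwave-flash
2012-09-17T10:00:04Z 10.0.0.5 203.0.113.10 /update.exe application/octet-stream
2012-09-17T10:05:00Z 10.0.0.7 198.51.100.20 /news.html text/html
2012-09-17T10:05:02Z 10.0.0.7 198.51.100.20 /banner.swf application/x-shockwave-flash
2012-09-17T11:30:00Z 10.0.0.9 203.0.113.10 /other.exe application/octet-stream
"""


def classify(path, content_type):
    """Map one request to a coarse role: 'html', 'swf', 'exe' or None."""
    p, ct = path.lower(), content_type.lower()
    if ct == "application/x-shockwave-flash" or p.endswith(".swf"):
        return "swf"
    if ct in ("application/octet-stream", "application/x-msdownload") \
            or p.endswith((".exe", ".dll", ".scr")):
        return "exe"
    if ct.startswith("text/html") or p.endswith((".html", ".htm")):
        return "html"
    return None


def parse_log(text):
    """Parse the constructed log format into (ts, client, host, path, ctype) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path, ctype = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       client, host, path, ctype))
    return events


def find_drop_chains(events, window=WINDOW):
    """Return one alert per (client, host) pair that shows html -> swf -> exe within the window."""
    by_pair = defaultdict(list)
    for ts, client, host, path, ctype in events:
        role = classify(path, ctype)
        if role:
            by_pair[(client, host)].append((ts, role, path))

    alerts = []
    for (client, host), reqs in by_pair.items():
        reqs.sort()                 # chronological order per client/host pair
        last_html = None            # (ts, path) of the most recent html fetch
        swf = None                  # path of the swf fetched after that html
        for t, role, p in reqs:
            if role == "html":
                last_html, swf = (t, p), None   # a new page restarts the chain
            elif role == "swf" and last_html and t - last_html[0] <= window:
                swf = p
            elif role == "exe" and swf and t - last_html[0] <= window:
                alerts.append({"client": client, "host": host,
                               "chain": [last_html[1], swf, p]})
                last_html, swf = None, None     # report once per chain
    return alerts


def triage(text):
    """Convenience wrapper: raw log text in, list of alerts out."""
    return find_drop_chains(parse_log(text))


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"ALERT client={a['client']} host={a['host']} chain={' -> '.join(a['chain'])}")
```

On the sample data only client 10.0.0.5 trips the rule: the second client fetches a page and a Flash file but no executable, and the third client's lone executable download has no preceding page or Flash object. The window is deliberately short because the chain in the post runs automatically on page load; widen it if your proxy batches log writes.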

Trend Micro Smart Protection Network™ blocks access to the malicious servers and detects the exploit and other malicious files. Watch this space for updates and additional analysis information.

Update as of September 18, 2012 6:11 AM PDT

We have identified a second attack that uses this zero-day exploit as well. BKDR_PLUGX.BNM — a variant of the recently discovered PlugX remote access tool (RAT) — is the payload of this other attack. It has been demonstrated to have significant information theft and backdoor capabilities, and is used as a component of sophisticated information theft campaigns.

We detect the malicious files as noted above, and URL reputation blocks access to the command-and-control servers. In addition, Deep Security protects users from this threat via IDF rule 1005194 – Microsoft Internet Explorer ‘execCommand’ Use-After-Free Vulnerability.

Update as of September 18, 2012 6:57 PM PDT

Microsoft announced that they will be issuing a workaround for this vulnerability within the next few days.

Update as of September 18, 2012 11:22 PM PDT

BKDR_PLUGX.BNM has been renamed to TROJ_PLUGX.ME. For more information on PlugX and its capabilities, please check our previous reports:

Update as of September 19, 2012 10:02 PM PDT

Microsoft has announced that an out-of-band patch to resolve this vulnerability will be released on Friday, at 10AM PDT (5PM UTC). In the meantime, a workaround has also been added to the earlier bulletin.

While this vulnerability may have seen limited exploitation previously, we have seen more and more attacks exploit this security hole. This may have led Microsoft to decide to release a patch outside of the regular Patch Tuesday cycle.

Until the patch is released, the browser exploit prevention built into Titanium 2013 also protects users against exploits targeting this vulnerability.
