Most Recent News from the Lab
 

Wednesday, October 2, 2013

 
IE Vulnerability Update #Japan #Metasploit Posted by Sean @ 12:28 GMT

Microsoft's Security Advisory (2887505), regarding a vulnerability in Internet Explorer, was issued just over two weeks ago. We added exploit detection soon thereafter. At the time, Microsoft reported that exploitation of the vulnerability was limited to a small number of targeted attacks.

Microsoft Security Advisory for CVE-2013-3893

Since then, evidence of attacks on Japanese targets via media sites has surfaced.

And in the last week, our customer upstream data indicates limited use within Taiwan.

Most importantly, there is now Metasploit support for CVE-2013-3893, which means a working, public exploit. So it's only a matter of time before it's added to popular exploit kits such as Blackhole: if not this week, then almost certainly within a day or two of Microsoft releasing its patch next Tuesday.

We recommend avoiding IE (if possible) until it's patched. If you manage a network, Microsoft's Fix it tool is available as a stopgap until the patch ships.

ZeroAccess: The Most Profitable Botnet Posted by Sean @ 11:17 GMT

In March of this year, researchers on Symantec's Security Response team began looking at ways in which they might be able to "sinkhole" ZeroAccess — one of the world's largest botnets — by redirecting its bots to infrastructure the researchers control, effectively taking those bots away from the operators. But then… in late June, the botnet started updating itself, removing the flaw that the researchers hoped to take advantage of. Faced with the choice of some or nothing, the team moved to sinkhole what they could. And that was over 500,000 bots.

A very commendable effort!

Ross Gibb and Vikram Thakur are presenting a paper about lessons learned at this year's Virus Bulletin.

Unfortunately, the bulk of ZeroAccess is still with us…

To learn more about it, download this report, extracted from our H2 2012 Threat Report.

ZeroAccess

Monday, September 30, 2013

 
Privacy: a Core Finnish Value Posted by Sean @ 15:05 GMT

Enumerated rights are cool. And here's an enumeration we're particularly fond of…

The Constitution of Finland, Section 10 — The right to privacy

"Everyone's private life, honour and the sanctity of the home are guaranteed."

"The secrecy of correspondence, telephony and other confidential communications is inviolable."

And there's even more enumeration here…

Act on the Protection of Privacy in Electronic Communications

Privacy — it's a core Finnish value. And central to everything we do here at F-Secure.

 
 

 
 
Thursday, September 26, 2013

 
New TDL Dropper Variants Exploit CVE-2013-3660 Posted by ThreatResearch @ 08:48 GMT

Recently, we have been seeing a new breed of TDL variants going around. These variants look to be clones of the notorious TDL4 malware reported by Bitdefender Labs.

The new TDL dropper variants we saw (SHA1: abf99c02caa7bba786aecb18b314eac04373dc97) were caught on the client machine by DeepGuard, our HIPS technology. From the detection name, we can see that the variants are distributed by some exploit kits.

TDL4_clone_exploited_in_the_wild

Last year, ESET described a TDL4 variant (some AV vendors refer to it as Pihar) that employs new techniques to bypass HIPS as well as to elevate a process's privileges to gain administrator access. The droppers of the variants we recently saw use the same techniques described in ESET's blog post, with some minor updates.

Recap: TDL4 exploits MS10-092, a vulnerability in the Windows Task Scheduler service, to elevate the malware's process privileges so that it can load its rootkit driver. The new variants instead exploit CVE-2013-3660, the win32k.sys EPATHOBJ vulnerability discovered by security researcher Tavis Ormandy, for the same purpose:

TDL4_clone_ExploitingCVE_2013_3660

One of the notable differences between the new variants and classic TDL4 is the configuration file, which is embedded in the resource section of the dropper as RC4-encrypted data:

TDL4_clone_config_ini
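An added example of the analysis step behind the screenshot above; this is not F-Secure's code and nothing in it is taken from the sample. RC4 is symmetric, so once the resource bytes have been carved out of the dropper, recovering the config comes down to trying candidate keys (strings found near the RC4 routine, for instance) and keeping the one that decrypts to something INI-shaped. The key, section names and values below are constructed for the example; the page does not give the real sample's key or resource contents, and the INI layout is assumed from the screenshot's name.

```python
# Added example (not F-Secure's or the malware author's code): RC4-decrypting an
# INI-style config carved from a dropper's resource section, the way an analyst
# would do it by hand. The key, section names and values below are constructed
# for this example; the page gives none of the real sample's values.
import configparser
from typing import Iterable, Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encrypting and decrypting are the same call."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                         # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                            # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_ini(blob: bytes) -> bool:
    """Cheap plausibility check for a candidate decryption: printable ASCII with
    at least one [section] header and one key=value line. A wrong RC4 key
    yields pseudo-random bytes, which fail the ASCII test almost at once."""
    try:
        text = blob.decode("ascii")
    except UnicodeDecodeError:
        return False
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return False
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    has_section = any(ln.startswith("[") and ln.endswith("]") for ln in lines)
    has_kv = any("=" in ln and not ln.startswith("[") for ln in lines)
    return has_section and has_kv


def parse_ini(blob: bytes) -> dict:
    """Parse a decrypted config into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(blob.decode("ascii"))
    return {section: dict(cp.items(section)) for section in cp.sections()}


def recover_config(encrypted: bytes,
                   candidate_keys: Iterable[bytes]) -> Optional[Tuple[bytes, dict]]:
    """Try each candidate key and return the first one that decrypts the blob to
    something INI-shaped, together with the parsed config; None if none does."""
    for key in candidate_keys:
        plain = rc4(key, encrypted)
        if looks_like_ini(plain):
            return key, parse_ini(plain)
    return None


# Constructed sample data: a plausible-looking config encrypted under a
# constructed key. Neither is taken from the real TDL clone.
SAMPLE_KEY = b"constructed-key-01"
SAMPLE_CONFIG = (
    b"[main]\n"
    b"build=0.03\n"
    b"affiliate=30001\n"
    b"[servers]\n"
    b"primary=http://c2.example.invalid/\n"
)
SAMPLE_RESOURCE = rc4(SAMPLE_KEY, SAMPLE_CONFIG)   # what the resource would hold


if __name__ == "__main__":
    # Two wrong guesses first, then the right key: only the last one parses.
    hit = recover_config(SAMPLE_RESOURCE, [b"wrong-guess", b"another", SAMPLE_KEY])
    print(hit)
```

The plausibility check is deliberately cheap: a wrong RC4 key turns the blob into pseudo-random bytes, which fail the ASCII decode on the first high byte, so a few thousand candidate keys cost nothing. The rc4() function is the textbook cipher; the standard test vector (key "Key", plaintext "Plaintext", ciphertext BBF316E8D940AF0AD3) is a quick sanity check that the implementation is right before trusting any "no key matched" result.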

This is hardly the first malware family to exploit CVE-2013-3660, but it is a neat demonstration of how quickly malware authors adopt publicly available exploit code: in this case, the exploit code went public three months ago.

Post by — Wayne

 
 

 
 
Tuesday, September 24, 2013

 
H1 2013 Threat Report Posted by Sean @ 06:57 GMT

Our H1 2013 Threat Report is now online:

F-Secure Threat Report H1 2013

You'll find it — as well as our previous reports — available for download: here.

 
 

 
 
Thursday, September 19, 2013

 
iOS 7 Security Prompts Posted by Sean @ 12:33 GMT

Apple's iOS 7 was released yesterday…

And it has some nice new security prompts:

iOS7_Microphone_Prompt
@WeldPond

iOS7_USB_Prompt
@mikko

If you come across more, Tweet them to @FSecure.

 
 

 
 
Wednesday, September 18, 2013

 
Vulnerability in IE Could Allow Remote Code Execution Posted by Sean @ 12:26 GMT

This is probably required reading for any Windows systems administrator: Microsoft Security Advisory (2887505).

Microsoft Security Advisory for CVE-2013-3893

All versions of Internet Explorer are affected.

Microsoft is currently aware of "a limited number of targeted attacks specifically directed at Internet Explorer 8 and 9." That is very likely to change in the near future, as exploit kit providers will now move to add an exploit for the vulnerability. We are already working on detection for such exploits.

In the meantime, Microsoft has released a Fix it tool to mitigate potential attacks until a patch is available.

Updated to add:

Our exploit detection based on this vulnerability has now been released.

Details: Exploit:HTML/CVE-2013-3893.A

 
 

 
 
Monday, September 16, 2013

 
September 23rd: Threat Report Webcast Posted by Sean @ 15:58 GMT

Join us September 23rd for a webcast based on our forthcoming Threat Report.


Join the event and other details.

Tweet your questions @mikko using the hashtag #WWPY.

If you don't have a Google account (like some of us), the webcast will be available on YouTube after it ends.