Whew, the IE 0-day exploit is really in the
wild! As soon as the PoC for this bug hit the net, we saw
malicious websites pop up that use it to infect users. It started out
simply executing calc.exe on the affected system (JS_ONLOADXPLT.A) and was then modified to drop and
execute malicious programs on the affected system, as seen in
JS_WINDEXP.A.
Okay, you’ve seen numerous blogs that discuss this bug, but this
time it is embedded on the main page of a website that is dedicated
to blogs! Yes, you heard me right! Up until this moment the main
page of a certain site still contains embedded links to the
three files (fillmem.htm, bug.htm, and bug2k.htm) enclosed in
iframe tags. But when I tried to obtain the files, the server returned an
error 404 (File not found). Maybe sometime soon they will be
available again, up and infecting viewers’ and bloggers’
systems.
Since the release of the PoC for this exploit, we’ve seen a
modified version that really does malicious things on the affected
system, and the exploit has now moved from a simple website to a blogger’s site. This is
just the attacker’s way of further increasing its chances of
infection. In this particular incident, however, we still do not
know whether the abovementioned files perform any new malicious activity.
But we will keep you updated once we get a copy of the files
(and once we have checked out new sites that use the said PoC).
;=)
Note:
The three files mentioned above are the three components required
for the exploit to work. fillmem.htm contains the actual malicious
code (the shellcode), while bug2k.htm and bug.htm are called to trigger
the execution of that code on Windows 2000 (universal) and Windows XP (all
service packs) systems, respectively. Because a compromised page loads all three
in iframes, a visitor’s browser fetches every component and the trigger matching the victim’s platform fires.
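A quick triage check for the pattern described above, written here as an added example and not code from the original post or from the vendor: it parses a page’s HTML, lists every iframe, and flags frames whose src file name matches one of the three PoC component names (fillmem.htm, bug.htm, bug2k.htm) or whose size or style hides the frame from the viewer. The sample page and the example.invalid URLs are constructed for the example; the assumption that drive-by frames are commonly zero-sized or hidden is the author’s, not a statement from the post.

```python
from html.parser import HTMLParser

# File names of the three PoC components named in the post.
EXPLOIT_COMPONENTS = {"fillmem.htm", "bug.htm", "bug2k.htm"}


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lowercases tag names
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _basename(url):
    """Return the file name part of a URL, lowercased, without query/fragment."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    return path.rstrip("/").rsplit("/", 1)[-1].lower()


def _is_hidden(attrs):
    """True when the frame is sized to 0/1 px or hidden via inline style.

    Assumption (not from the post): drive-by iframes are usually made
    invisible so the visitor does not notice the extra page load.
    """
    for dim in ("width", "height"):
        value = attrs.get(dim)
        if value is not None and value.strip().rstrip("px") in ("0", "1"):
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def scan_html(html):
    """Return a list of (src, reason) for every suspicious iframe in the page.

    A frame pointing at a known PoC component is reported as such; any other
    hidden frame is reported separately so an analyst can pull it for review.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for frame in collector.iframes:
        src = frame.get("src", "")
        if _basename(src) in EXPLOIT_COMPONENTS:
            findings.append((src, "known PoC component"))
        elif _is_hidden(frame):
            findings.append((src, "hidden iframe"))
    return findings


# Constructed sample: a blog front page carrying the three PoC frames, one
# unrelated hidden frame, and one ordinary visible embed.
SAMPLE_PAGE = """<html><body>
<h1>My blog</h1>
<iframe src="http://example.invalid/x/fillmem.htm" width="0" height="0"></iframe>
<iframe src="http://example.invalid/x/bug.htm" width="0" height="0"></iframe>
<iframe src="http://example.invalid/x/bug2k.htm" width="0" height="0"></iframe>
<iframe src="http://example.invalid/widgets/clock.htm" style="display: none"></iframe>
<iframe src="http://example.invalid/embed/video.htm" width="400" height="300"></iframe>
</body></html>"""


if __name__ == "__main__":
    for src, reason in scan_html(SAMPLE_PAGE):
        print(f"{reason:22} {src}")
```

Matching on the file name only is deliberate: the post notes the hosting site returned 404 for the files, so the path and host change from site to site while the three component names are what the iframe tags carry. The hidden-frame rule is a catch-all for renamed copies; anything it flags still has to be fetched and examined before it is called malicious.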