Security Response

Trojan.Vimalov: A zero-day exploit in VML, in Internet Explorer

Created: 20 Sep 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:56:50 GMT
Amado Hidalgo

The trend of new exploits being released immediately after Microsoft's Patch Tuesday is continuing (we are starting to call it "exploit week"). Symantec Security Response has confirmed a new Internet Explorer zero-day vulnerability today. It was first reported by Sunbelt Software. Security Response is rating it as critical because an exploit for this vulnerability is already in the wild.

We have confirmed that this exploit takes advantage of a bug in VML (Vector Markup Language, an XML-based language used to produce vector graphics) to overflow a buffer and inject shellcode. The exploit then downloads and installs multiple security risks, such as spyware, on the compromised machine.

An interesting feature of the Web sites hosting the malicious pages is that they appear to track the IP addresses of visitors, preventing further downloads. If you attempt to visit the malicious Web sites again, the following message is displayed:

Figure 1

Although Microsoft has already been informed, at the time of writing there is no patch available for this particular exploit.

In order to provide proactive protection for our customers against malicious attacks that attempt to leverage the vulnerability, Symantec Security Response has released intrusion prevention (IPS) signatures for the vulnerability, as well as antivirus signatures for the exploit. We currently detect this specific exploit as Trojan.Vimalov and have created a heuristic detection for this exploit as well. Customers are advised to ensure that they have the latest security updates installed.
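To illustrate what a simple heuristic detection for this class of exploit page can look like, here is an added example (not Symantec's signature or detection logic, and not taken from the original post). It assumes only what the post states, that the exploit abuses VML markup to overflow a buffer, and flags VML elements carrying attribute values far longer than legitimate vector graphics need; the `MAX_ATTR_LEN` threshold and the sample pages are constructed for the example.

```python
from html.parser import HTMLParser

VML_NS = "urn:schemas-microsoft-com:vml"
MAX_ATTR_LEN = 256  # assumption: heuristic threshold, tune for your environment


class VmlHeuristic(HTMLParser):
    """Collects VML elements whose attribute values are abnormally long."""

    def __init__(self):
        super().__init__()
        self.vml_prefixes = {"v"}  # "v" is the conventional VML prefix
        self.findings = []         # (tag, attribute, value length)

    def handle_starttag(self, tag, attrs):
        # Learn any prefix bound to the VML namespace, e.g. xmlns:v="urn:schemas-microsoft-com:vml"
        for name, value in attrs:
            if name.startswith("xmlns:") and (value or "").lower() == VML_NS:
                self.vml_prefixes.add(name.split(":", 1)[1])
        prefix = tag.split(":", 1)[0] if ":" in tag else None
        if prefix in self.vml_prefixes:
            for name, value in attrs:
                if value and len(value) > MAX_ATTR_LEN:
                    self.findings.append((tag, name, len(value)))


def scan_html(html: str):
    """Return a list of (tag, attribute, length) for suspicious VML attributes."""
    parser = VmlHeuristic()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a benign page drawing one rectangle with VML.
BENIGN = """<html xmlns:v="urn:schemas-microsoft-com:vml"><body>
<v:rect style="width:100px;height:50px" fillcolor="#00f"/></body></html>"""

# Constructed sample: the same markup with one attribute padded far beyond any legitimate size.
SUSPICIOUS = BENIGN.replace('fillcolor="#00f"', 'fillcolor="' + "A" * 2000 + '"')

if __name__ == "__main__":
    for label, page in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_html(page))
```

A heuristic like this complements, rather than replaces, vendor signatures and the mitigations in the Microsoft advisory: it will miss obfuscated markup and may flag unusual but legitimate VML, so treat hits as triage leads.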

Update: Microsoft have published an advisory (Microsoft Security Advisory 925568) with further information on the vulnerability, as well as mitigating strategies.

Upon further analysis, we have determined that the malicious Web site administrators hosting this exploit appear to be using an off-the-shelf suite, called Web-Attacker. This modular suite, available for purchase for only a few dollars, is capable of serving visitors with a number of different exploits, the VML exploit being just the latest available in the suite. The main page can identify the OS version (including the presence of Windows XP Service Pack 2), browser type, JVM version, the presence of antivirus software, and then it will choose the right exploit to run.

Figure 2

The Web-Attacker suite, by means of a simple Web interface (Figure 2), provides detailed statistics on successful exploits by host, operating system, Web browsers used, and even calculates an "exploit efficiency" ratio, as well as step-by-step instructions to configure the shellcode. Typical shellcode payloads include download-and-execute files (dependent on exploit used), all configurable via the suite's control panel.

Update 2: Further investigation shows that disabling JavaScript in IE does not prevent the exploit from running and as such, the content above has been modified accordingly. Please follow the mitigating strategies described in Microsoft Security Advisory 925568, or use a browser that is not vulnerable to this exploit.