Using obvious clues from a McAfee blog post, an Israeli hacker, Ben Abu, was able to pinpoint the latest Internet Explorer zero-day vulnerability and write working exploit code. The exploit, which provides a clear roadmap for launching drive-by download attacks against IE 6 and IE 7 users, is being fitted into the point-and-click Metasploit Framework.
The latest developments come less than 24 hours after Microsoft confirmed the flaw was being used in targeted attacks and puts the company under added pressure to ship an emergency, out-of-band patch as soon as possible.
Here's the gist of the McAfee post that pointed Ben Abu to the zero-day malware:
McAfee Labs is aware of an attack emanating from the domain topix21century.com (over both http and https). In this attack, vulnerable users are directed to a malicious webpage that downloads and executes a file named notes.exe or svohost.exe (classified as BackDoor-EMN) in drive-by download fashion (visiting the page is enough to get infected). There are multiple variants of this trojan involved. Notes.exe creates two copies of itself in the %temp% directory, and drops a DLL file. This DLL file is injected into Internet Explorer and provides remote access to an attacker.
The backdoor allows an attacker to perform various functions on the compromised system, including uploading & downloading files, executing files, and terminating running processes. Infected systems may attempt to communicate with the domain notes.topix21century.com over https.
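The McAfee description above is, in effect, a short list of indicators: a command-and-control domain (topix21century.com and its notes. subdomain, reached over https), two dropper file names (notes.exe, svohost.exe), and a dropper that runs out of the user's %temp% directory after being launched by Internet Explorer. The following is an added example, not code from McAfee, Microsoft or the article's author, showing how a responder would turn those indicators into a triage script. The proxy log format, the process-event tuples, the paths and the client addresses are all constructed for illustration; only the domain and file names come from the quoted post. Note the domain match is on label boundaries rather than a substring, so a look-alike such as evil-topix21century.com.example.net does not fire.

```python
"""Triage helpers for the indicators in the McAfee description above.

Added example, not McAfee's or Microsoft's code. The log format, paths and
client addresses in the sample data are constructed for illustration.
"""
import ntpath
from typing import Dict, List, Tuple

# Indicators taken from the McAfee description quoted above.
C2_APEX = "topix21century.com"
C2_HOSTS = {C2_APEX, "notes." + C2_APEX}
DROPPER_NAMES = {"notes.exe", "svohost.exe"}


def normalize_host(host: str) -> str:
    """Lower-case a host, strip a trailing dot and an optional :port."""
    host = host.strip().lower().rstrip(".")
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        host = name
    return host


def matches_c2_domain(host: str) -> bool:
    """True only for the apex domain or a real subdomain of it.

    A plain substring test would also fire on look-alikes such as
    'evil-topix21century.com.example.net', so match on label boundaries.
    """
    host = normalize_host(host)
    return host in C2_HOSTS or host.endswith("." + C2_APEX)


def scan_proxy_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per proxy line whose destination is the C2 domain.

    Hypothetical line format: '<timestamp> <client> <method> <host[:port]> <status>'.
    A CONNECT to port 443 is the https beacon McAfee describes.
    """
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, method, host = fields[:4]
        if matches_c2_domain(host):
            is_https = method.upper() == "CONNECT" or host.endswith(":443")
            findings.append({
                "time": ts,
                "client": client,
                "host": normalize_host(host),
                "https": "yes" if is_https else "no",
            })
    return findings


def scan_process_events(events: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Flag process starts whose image name is one of the known droppers.

    Each event is (parent image name, full image path). McAfee describes the
    dropper being executed by a drive-by page and copying itself into %temp%,
    so a temp-directory path or an iexplore.exe parent raises the severity.
    """
    findings = []
    for parent, path in events:
        name = ntpath.basename(path).lower()
        if name not in DROPPER_NAMES:
            continue
        in_temp = "\\temp\\" in path.lower()
        from_ie = parent.lower() == "iexplore.exe"
        findings.append({
            "image": path,
            "parent": parent,
            "severity": "high" if (in_temp or from_ie) else "low",
        })
    return findings


# Constructed sample data (not real traffic); 10.0.0.12 plays the infected host.
SAMPLE_PROXY_LOG = """\
2010-03-10T09:12:01Z 10.0.0.12 GET topix21century.com 200
2010-03-10T09:12:03Z 10.0.0.12 CONNECT notes.topix21century.com:443 200
2010-03-10T09:12:05Z 10.0.0.15 GET www.example.org 200
2010-03-10T09:13:00Z 10.0.0.12 GET evil-topix21century.com.example.net 200
"""

# Constructed (parent image, full image path) process-creation events.
SAMPLE_PROCESS_EVENTS = [
    ("iexplore.exe", r"C:\Documents and Settings\user\Local Settings\Temp\notes.exe"),
    ("explorer.exe", r"C:\Program Files\Example\svohost.exe"),
    ("iexplore.exe", r"C:\Documents and Settings\user\Local Settings\Temp\update.exe"),
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG) + scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(finding)
```

Run against the constructed sample, the script ties both C2 contacts to the same client (10.0.0.12), marks the CONNECT to notes.topix21century.com:443 as the https beacon, rates the notes.exe launched by iexplore.exe from the Temp directory as high severity, and ignores both the look-alike domain and an unrelated update.exe. On a real network the same functions would be fed exported proxy logs and Sysmon or EDR process-creation events rather than the inline samples.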
"It just took a few minutes of digging in that host to find the exploit," Ben Abu said in an e-mail exchange. He said it took about 10 minutes to de-obfuscate the exploit and pinpoint the underlying vulnerability.
"I did some basic debugging of the vulnerability and found the vulnerable code within iepeers.dll," he added.
Metasploit's HD Moore confirmed the exploit code is somewhat reliable. "It's 50% reliable on XP SP2/SP3 with IE7 (no DEP). A little better with IE6," Moore said in an e-mail.
Microsoft has already activated its security response process and issued a pre-patch advisory with mitigations, but the availability of public exploit code is sure to light a fire under the company and raise the likelihood of an emergency update before next month's Patch Tuesday.