IE zero-day is targeted, sophisticated

Summary: FireEye has followed up on their report of a zero-day attack on Internet Explorer with deeper analysis. It seems to come from the same gang that launched the recent Operation DeputyDog attack.

TOPICS: Security, Malware

On Saturday, security company FireEye reported a zero-day attack against Internet Explorer. On Sunday they followed up with more detail on the attack. They call the attack "the diskless 9002 RAT." RAT stands for Remote Access Trojan; this specific trojan is a variant of the earlier Trojan.APT.9002. We explain "diskless" below.

The attack is a sophisticated one, and appears to be the work of the same gang that pulled off what FireEye calls the recent Operation DeputyDog. Both attacks used command and control servers in the same domain (

The attack has the earmarks of a highly-targeted attack against a target on which the attackers have conducted some reconnaissance. FireEye adds "…the attackers inserted this zero-day exploit into a strategically important website, known to draw visitors that are likely interested in national and international security policy". There seems to be no reason to be concerned about widespread use of the attack for now.

FireEye seems most taken with the fact that this attack is non-persistent. Most APTs (Advanced Persistent Threats) write themselves to disk so that they can reload on reboot. Not the diskless 9002 RAT; it injects itself into memory and executes, but does not persist. This is why it is called diskless.

Disklessness makes the threat much harder to identify through forensic methods. It also means that the attack may not live in the system long enough to accomplish its goal. FireEye speculates that either the attackers are confident that the targets will revisit the site often enough to get the job done, or they expected that the attack would move laterally within the organization, hunting for their goal.

The attack also uses a new method of self-encryption which is more sophisticated than earlier versions of the Trojan.APT.9002.

FireEye says they are working with Microsoft on the threat, but Microsoft has not publicly acknowledged either the attack or the vulnerability behind it. 

  • Where are the details

    Why no details? Wonder what versions of IE are affected? All? Any workaround?
    • From Saturday's post linked to in this article:

      "The specific exploit targets the English versions of Internet Explorer 7 and 8 on Windows XP and IE8 on Windows 7. FireEye says their analysis indicates that the vulnerability behind it affects IE 7, 8, 9 and 10."
      • And

        English language versions only, at the current time...
  • An additional detail from FireEye

    From the article's link to FireEye's most recent blog regarding this exploit:

    "The exploit chain was limited to one website. There were no iframes or redirects to external sites to pull down the shellcode payload."

    This also makes it more difficult to defend against as placing one's frequently-visited, legitimate websites in IE's Trusted zone where JavaScript and iFrames are allowed (and simultaneously disallowing JavaScript and iFrames in IE's Internet Zone) will not help with this particular exploit.

    P.S. Note that this approach with IE is, more or less, equivalent to the use of the NoScript add-on with Mozilla Firefox.
    Rabid Howler Monkey
  • CVE-2013-3893

    Regarding the info found from FireEye: it makes use of a technique called "hook hopping" to bypass monitoring of the WinExec call.
    This seems not to be new; I noticed that a few malware samples make use of this technique also. They rely on an application or OS vulnerability, then place the code on the memory side (a Ring 0 attack). It fools the local anti-virus until the malware calling the C&C server is detected by the anti-malware mechanism.
  • Non-persistence

    Not much of an issue if the attacker can reinfect at will. Given how hard it is to get "smart" people to log out, let alone shut their systems down, pinpoint attacking an ADHD executive who can't be arsed to follow procedure will probably have enough persistence to meet its goal.

    After all, our major NSA leak shows how much we pay attention to securing our systems. 20-30 people gave credentials away to a person "of authority" and Snowden's history.