IE zero-day exploit disappears on reboot

Exploit payload for the IE vulnerability runs solely in memory, making it difficult to detect

Shona Ghosh
11 Nov 2013

Criminals are taking advantage of unpatched holes in Internet Explorer to launch "diskless" attacks on PCs visiting malicious sites.

Security company FireEye uncovered the zero-day flaw on at least one breached US site, describing the exploit as a "classic drive-by download attack".

But FireEye also noted the malware doesn't write to disk and disappears on reboot - provided it hasn't already taken over your PC - making it trickier to detect, though easier to purge.

"[This is] a technique not typically used by advanced persistent threat (APT) actors," the company said. "This technique will further complicate network defenders' ability to triage compromised systems, using traditional forensics methods."

The vulnerability affects English-language versions of IE 7, 8, 9 and 10 on Windows XP and Windows 7.

Microsoft has not responded to a request for comment but told Ars Technica that it was still looking into the report. FireEye said attacks could be prevented with the latest version of Microsoft's Enhanced Mitigation Experience Toolkit, a malware blocking tool.

The exploit is separate from the Windows zero-day vulnerability revealed last week, which involves the TIFF graphics-format parser.

How it works

According to FireEye, the exploit takes advantage of two separate vulnerabilities in Internet Explorer - system information leaks and remote access to a PC's memory.

The company described the exploit as "exceptionally accomplished", and said attackers had managed to insert the exploit into a site likely visited by US defence workers, though it didn't say which.

"Specifically, the attackers inserted this zero-day exploit into a strategically important website, known to draw visitors that are likely interested in national and international security policy," said FireEye.

Using malware that doesn't stick around on reboot signalled the attackers' "confidence" in their own ability to take control of infected machines fast.

"As the payload was not persistent, the attackers had to work quickly, in order to gain control of victims and move laterally within affected organisations," said the company. "If the attacker did not immediately seize control of infected endpoints, they risked losing these compromised endpoints, as the endpoints could have been rebooted at any time."

Alternatively, it's possible the hackers were certain their intended victims would likely revisit the compromised site, FireEye said.
