New zero-day Internet Explorer exploit hard to catch
A new Trojan has turned up on the Internet. It exploits a flaw in Internet Explorer, and you won't find it by scanning your hard drive because it's not on the drive.
The good news: Rebooting your PC will flush out the Trojan. Besides, the people behind the malware probably aren't going after you.
On Sunday, industrial security company FireEye released a report on the new IE zero-day exploit. "Specifically, the attackers inserted this zero-day exploit into a strategically important website, known to draw visitors that are likely interested in national and international security policy."
The nature of the Web site, whose name and URL FireEye did not identify, suggests that the perpetrators are going after specific people, or at least people in a specific industry. In fact, it suggests that government espionage may be behind the attack, although which government is difficult to ascertain.
The new Trojan, which FireEye has named "the diskless 9002 RAT," appears to be an improved version of previous malware. "We have identified relationships between the infrastructure used in this attack and that used in Operation DeputyDog." That earlier Trojan, first discovered in September, used another IE exploit and appeared to target organizations in Japan.
The term diskless refers to the Trojan's behavior of staying in memory and not storing itself on the infected PC's hard drive or SSD. At first glance, this appears to make 9002 RAT considerably less scary: a non-persistent threat. Reboot and your PC is clean.
But malicious code in RAM is less likely to be caught than similar code on the hard drive. And it may not need a lot of time to do the desired harm. Besides, as FireEye points out, "the use of this non-persistent first stage may suggest that the attackers were confident that their intended targets would simply revisit the compromised website and be re-infected."
The acronym RAT doesn't refer to its developers' morals, but stands for Remote Access Trojan. A RAT inserts a backdoor into the infected machine, so that it can be controlled by whoever sent out the malware.
At present, this RAT appears to be targeting only English-language versions of Internet Explorer 7 and 8 in Windows XP, and IE8 in Windows 7. But that could change. "The exploit targets the English version of Internet Explorer, but we believe the exploit can be easily changed to leverage other languages," explains another FireEye report. "Based on our analysis, this vulnerability affects IE 7, 8, 9, and 10."
FireEye sees this not only as a clever targeted attack, but as a suggestion of bad things to come. The diskless 9002 RAT "has proven to be exceptionally accomplished and elusive. APT [advanced persistent threat] actors are clearly learning and employing new tactics. With uncanny timing and a penchant for consistently employing Zero-day exploits in targeted attacks, we expect APT threat actors to continue to evolve and launch new campaigns for the foreseeable future. Not surprisingly, these old dogs continue to learn new tricks."