In case you've been vacationing in the jungles of Borneo, the currently unpatched IE XML Handling Remote Code Execution Vulnerability is now a week old and, unsurprisingly, is being used to deliver malware.
A detailed analysis of the vulnerability, its payloads, and the domains currently hosting the exploit can be found on any number of security-related sites, including SANS ISC. One of several related SANS entries referenced an active sample named win.exe. As of the SANS diary post date (12.11.2008), VirusTotal reported a 52.63% detection rate from AV vendors (http://www.virustotal.com/analisis/244ae03fed5b32d999c50b614fddde6a).
As a simple comparison, a scenario was set up to observe CSA 6.0 behavioral rules in action. Note that all testing was done in a closed lab environment.
The details of the test included:
With the CSA 6.0 default desktop (behavioral) policy, the initial buffer overflow was detected by a single CSA System API rule (event 1 in the example above). Had user interaction been disabled, that rule would have taken its default query action (high-priority terminate process), denying the buffer overflow and terminating the vulnerable browser instance. Because the browser exploit is detected and denied at that first stage, the win32_downloadexec payload is never delivered and the malware is never downloaded.
Although admittedly limited, this simple test scenario demonstrates the proactive role of behavioral policy in preventing the exploitation of 0-day vulnerabilities.
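To make the point about stage ordering concrete, here is an added example (not Cisco CSA code, and not part of the original post) that models a behavioral policy engine over a constructed event chain: a suspicious API call from a non-image return address (the overflow symptom a System API rule keys on), followed by the download, write and execution of a win.exe-style payload. The event fields, rule names and the `caller_in_image` flag are assumptions made for the illustration. With enforcement on, the first rule terminates the browser and the later events never execute; with enforcement off (the equivalent of a user clicking "allow"), only the final download-exec stage is caught.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Event:
    pid: int          # process that performed the action
    process: str      # image name of that process
    kind: str         # "api_call", "network", "file_write", "process_exec"
    detail: Dict      # rule-specific attributes (constructed for this example)

@dataclass
class Rule:
    name: str
    matches: Callable[[Event], bool]
    action: str       # "terminate" (deny + kill process) or "log"

@dataclass
class Decision:
    event_index: int
    rule: str
    action: str

def system_api_rule(ev: Event) -> bool:
    # Stand-in for a System API control: a sensitive API invoked from a return
    # address that is not inside any mapped executable image, which is the
    # classic footprint of a stack/heap overflow redirecting control flow.
    return ev.kind == "api_call" and ev.detail.get("caller_in_image") is False

def download_exec_rule(ev: Event) -> bool:
    # Browser launching an .exe it just dropped into a Temp directory.
    image = ev.detail.get("image", "").lower()
    return (ev.kind == "process_exec"
            and ev.detail.get("parent") == "iexplore.exe"
            and image.endswith(".exe")
            and "\\temp\\" in image)

DEFAULT_RULES: List[Rule] = [
    Rule("system_api", system_api_rule, "terminate"),
    Rule("download_exec", download_exec_rule, "terminate"),
]

def evaluate(events: List[Event], rules: List[Rule],
             enforce: bool = True) -> Tuple[List[Decision], List[int]]:
    """Apply rules to events in order.

    With enforce=True a 'terminate' match kills the process, so every later
    event attributed to that pid is dropped (it would never have happened).
    With enforce=False every match is only logged and the chain runs on.
    Returns (decisions, indices of events that actually executed).
    """
    decisions: List[Decision] = []
    executed: List[int] = []
    dead = set()
    for i, ev in enumerate(events):
        if ev.pid in dead:
            continue
        executed.append(i)
        for rule in rules:
            if rule.matches(ev):
                action = rule.action if enforce else "log"
                decisions.append(Decision(i, rule.name, action))
                if action == "terminate":
                    dead.add(ev.pid)
                break
    return decisions, executed

# Constructed event chain (not captured telemetry) modelling the post's scenario.
BROWSER = 1234
SAMPLE_CHAIN: List[Event] = [
    Event(BROWSER, "iexplore.exe", "api_call",
          {"api": "LoadLibraryA", "caller_in_image": False}),   # overflow hit
    Event(BROWSER, "iexplore.exe", "network",
          {"dst": "constructed.invalid", "path": "/win.exe"}),  # payload fetch
    Event(BROWSER, "iexplore.exe", "file_write",
          {"path": "C:\\Temp\\win.exe"}),                        # drop to disk
    Event(BROWSER, "iexplore.exe", "process_exec",
          {"parent": "iexplore.exe", "image": "C:\\Temp\\win.exe"}),  # execute
]

if __name__ == "__main__":
    for enforce in (True, False):
        decisions, executed = evaluate(SAMPLE_CHAIN, DEFAULT_RULES, enforce)
        print(f"enforce={enforce}: executed events {executed}")
        for d in decisions:
            print(f"  event {d.event_index}: {d.rule} -> {d.action}")
```

Run as a script, the enforced pass reports only event 0 executing with `system_api -> terminate`, while the logging-only pass shows all four events running and the `download_exec` rule firing at the last one. The design point is the `dead` set: a deny at the earliest stage is what removes the later stages from the timeline, which is why the behavioral rule on the overflow itself matters more than any rule that waits for the dropped file.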
List of many domains exploiting CVE-2008-4844:
SANS ISC Diary:
VirusTotal entry for win.exe (12.11.2008):
Write-up on win.exe: