Elite hacker gang pulls out another IE zero-day from bottomless pocket

Symantec links latest IE vulnerability -- which Microsoft won't patch next week -- to group that's exploited nine zero-days in last two years

An elite hacker group credited last year with having an inexhaustible supply of zero-day vulnerabilities was responsible for digging up and first using the newest unpatched bug in Internet Explorer (IE), a Symantec manager today.

The gang, dubbed "Elderwood" after a source code variable regularly used by the hackers, had been profiled last September by Symantec in a research paper that outlined its strategies as well as its hacking tactics.

Yesterday, Symantec linked Elderwood to the newest IE zero-day, which researchers said last week was being used to attack Windows PCs whose owners visited the Council on Foreign Relations' (CSR) website using IE6, IE7 or IE8. CSR is a high-profile foreign policy think-tank.

Symantec based its conclusion on several factors, including similarities in attack code used both in past exploits and the most recent.

"We analyzed a number of different source files, then cross-referenced them to make our conclusion," Satnam Narang, a manager in Symantec's security response team, said in an interview Friday.

Another clue was the common license of the commercial code packer used to obfuscate Elderwood Flash-based attack files, those definitely attributed to the gang as well as the one Symantec analyzed from the December attacks.

Narang acknowledged that it was possible others beside Elderwood could have gone so far as to spoof the packer licensee, but thought it very unlikely.

By Symantec's count, Elderwood uncovered and used eight zero-days, all in either IE or Adobe's Flash Player, in a 20-month stretch from 2010 through the fall of 2012, including four in a 16-week stretch last year. The newest IE vulnerability, now assigned the identifier CVE-2012-4792, is then the ninth.

The appearance of CVE-2012-4792 does bolster Symantec's assertion last year that Elderwood has an unlimited supply of zero-days, or the technical skills to root out new ones as it exhausts others in attacks that eventually go public. "They've been churning out zero-days," Narang said today, "and we certainly expect this to continue."

Although Microsoft has promised to patch the CVE-2012-4792 in the older versions of IE -- IE9 and IE10 are unaffected -- it has expressed little desire to push out an emergency fix. Next week's Patch Tuesday will not include an IE update, and experts do not expect the company to issue an "out-of-band" patch between then and February's regularly-scheduled security updates.

In lieu of a patch, Microsoft has offered an automated "Fixit" workaround to protect customers. But according to Exodus Intelligence, that workaround is not a foolproof defense.

"After less than a day of reverse engineering, we found that we were able to bypass the [Fixit] and compromise a fully-patched system with a variation of the exploit we developed earlier this week," said the company in a Friday blog post.

Microsoft's hand may be forced if recent online reports are accurate. Those reports, citing researchers who said they have spotted exploits of the IE bug being served by other compromised websites, may indicate an uptick in the number of attacks, often a factor in whether Microsoft issues an emergency update.

Narang was unable to confirm the additional attack sources, or say whether Elderwood was behind them.

Attack code, however, has been public since Saturday, Dec. 29, when a module was added to the open-source Metasploit penetration testing framework, a tool used by legitimate researchers and cyber criminals alike.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at  @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

FREE Computerworld Insider Guide: IT Certification Study Tips
Join the discussion
Be the first to comment on this article. Our Commenting Policies