Security researcher Eric Romang has found an Internet Explorer 0-day exploit (CVE-2012-4969) in the wild, in which a malicious Flash file uses Adobe Flash Player to conduct a "heap spray" that bypasses the ASLR (Address Space Layout Randomization) protection in Windows.
This could allow the installation of a backdoor allowing remote access to a fully patched Windows PC.
Detecting this Threat using RSA NetWitness:
- Customers who wish to alert on this Malware may create a custom feed to tag sessions that have the following filenames:
Protect.html (This filename may produce false positives as seen in Google advanced search of: allinurl: Protect.html)
Please refer to Primus Article A59743 for information on creating custom feeds.
There's a diagram which shows the relationship between the files.
- At present only one IP address has been detected as supplying the payload. A custom feed or App Rule could be used to alert on accesses to the IP 18.104.22.168.
- Future 3rd party feeds may include compromised websites that have this Malware.
- Spectrum should detect 111.exe if it is transferred over the network (if the VirusTotal service is enabled through the Spectrum Cloud).
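As an added example (not RSA NetWitness code), the tagging logic the bullets above describe, run over constructed HTTP session records: the filenames and the payload IP are the advisory's indicators; the sample sessions, the `Session` record and the confidence weighting that down-ranks a lone Protect.html hit (because of the false positives noted above) are assumptions made for this illustration.

```python
"""Tag sessions matching the CVE-2012-4969 indicators from this advisory.

Stand-in for a NetWitness custom feed / App Rule: indicator values come from
the advisory, session records below are constructed for the example.
"""
from dataclasses import dataclass

PAYLOAD_IP = "18.104.22.168"          # from the advisory
LANDING_FILENAMES = {"protect.html"}  # noisy on its own (see advisory note)
PAYLOAD_FILENAMES = {"111.exe"}       # dropped binary named in the advisory


@dataclass
class Session:
    src_ip: str
    dst_ip: str
    filename: str  # URL path or filename meta of the session


def score_session(s: Session) -> tuple[int, list[str]]:
    """Return (confidence 0-3, reasons). A landing-page filename alone is low
    confidence; the known payload IP or the payload binary raise it."""
    reasons, score = [], 0
    name = s.filename.rsplit("/", 1)[-1].lower()
    if name in LANDING_FILENAMES:
        reasons.append("landing page filename")
        score += 1
    if s.dst_ip == PAYLOAD_IP:
        reasons.append("known payload IP")
        score += 2
    if name in PAYLOAD_FILENAMES:
        reasons.append("payload binary filename")
        score += 2
    return min(score, 3), reasons


def tag_sessions(sessions: list[Session]) -> list[tuple[Session, int, list[str]]]:
    """Return only sessions that hit at least one indicator, highest confidence first."""
    tagged = [(s, *score_session(s)) for s in sessions]
    return sorted((t for t in tagged if t[1] > 0), key=lambda t: -t[1])


# Constructed sample sessions (RFC 5737 test-net addresses for benign hosts).
SAMPLE_SESSIONS = [
    Session("10.0.0.5", "18.104.22.168", "/Protect.html"),       # landing + payload IP
    Session("10.0.0.6", "192.0.2.10", "/docs/Protect.html"),     # filename only: low
    Session("10.0.0.7", "18.104.22.168", "/111.exe"),            # payload download
    Session("10.0.0.8", "192.0.2.10", "/index.html"),            # clean
]

if __name__ == "__main__":
    for s, conf, why in tag_sessions(SAMPLE_SESSIONS):
        print(f"{s.src_ip} -> {s.dst_ip} {s.filename}: confidence {conf} ({', '.join(why)})")
```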
The Microsoft Advisory has further details on using the Enhanced Mitigation Experience Toolkit (EMET) and Internet Explorer's Enhanced Security Configuration on Windows Servers.
Microsoft Advisory page - http://technet.microsoft.com/en-us/security/advisory/2757760
CVE page - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4969