000026609 - How to detect Microsoft Advisory 2757760/CVE-2012-4969 - IE 0-day with RSA NetWitness

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000026609
Applies To:
  • RSA NetWitness NextGen
  • RSA NetWitness Spectrum
  • RSA NetWitness Spectrum 1.1.5.2
  • RSA NetWitness Spectrum 1.1.5.5
  • Microsoft Windows Internet Explorer
  • Microsoft Advisory 2757760
  • CVE-2012-4969
Issue: How to detect Microsoft Advisory 2757760/CVE-2012-4969 - IE 0-day with RSA NetWitness.
Resolution

Background:
Security researcher Eric Romang found an Internet Explorer 0-day exploit for CVE-2012-4969 in the wild, in which a malicious Flash file uses Adobe Flash Player to conduct a "heap spray" that bypasses the ASLR (Address Space Layout Randomization) protection in Windows.
This could allow the installation of a backdoor that gives remote access to a fully patched Windows PC.
Source: http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/


Detecting this Threat using RSA NetWitness:

  • Customers who wish to alert on this malware may create a custom feed to tag sessions that contain the following filenames:
            111.exe
            Moh2010.swf
            Protect.html (this filename may produce false positives, as seen in a Google advanced search for: allinurl: Protect.html)
            exploit.html

            Please refer to Primus Article A59743 for information on creating custom feeds.

            A diagram showing the relationship between the files is available at:
            http://labs.alienvault.com/labs/index.php/2012/new-internet-explorer-zero-day-being-exploited-in-the-wild/


  • At present only one IP address has been detected as supplying the payload. A custom feed or App Rule could be used to alert on accesses to IP 12.163.32.15.
            Source: http://labs.alienvault.com/labs/index.php/2012/new-internet-explorer-zero-day-being-exploited-in-the-wild/


  • Future third-party feeds may include compromised websites that host this malware.
  • Spectrum should detect 111.exe if it is transferred over the network (provided the VirusTotal service is enabled through the Spectrum Cloud).
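The tagging logic the bullets above describe, as an added example that is not part of this article and not NetWitness feed code: it matches constructed session metadata against the filenames and payload IP listed above, and suppresses the false-positive-prone Protect.html hit unless the same client also triggered a stronger indicator. The session fields, tag names and confidence split are this example's assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Indicators come from the article above; the confidence split is this example's assumption.
HIGH_CONFIDENCE_FILES = {"111.exe", "moh2010.swf", "exploit.html"}
NOISY_FILES = {"protect.html"}          # the article notes this name is false-positive prone
PAYLOAD_IPS = {"12.163.32.15"}          # the single payload-serving IP named in the article

CANDIDATE = "cve-2012-4969-protect-html-candidate"

@dataclass
class Session:
    client: str                         # source (victim) IP, assumed field name
    server: str                         # destination IP, assumed field name
    filenames: list[str] = field(default_factory=list)

def session_tags(s: Session) -> set[str]:
    """Tag one session the way a custom feed / App Rule match would."""
    names = {n.lower() for n in s.filenames}
    tags: set[str] = set()
    if names & HIGH_CONFIDENCE_FILES:
        tags.add("cve-2012-4969-file")
    if s.server in PAYLOAD_IPS:
        tags.add("cve-2012-4969-payload-ip")
    if names & NOISY_FILES:
        tags.add(CANDIDATE)
    return tags

def correlate_by_client(sessions: list[Session]) -> dict[str, set[str]]:
    """Union tags per client; keep the Protect.html hit only when that client
    also produced a high-confidence hit, so lone Protect.html fetches are dropped."""
    per_client: dict[str, set[str]] = defaultdict(set)
    for s in sessions:
        per_client[s.client] |= session_tags(s)
    alerts: dict[str, set[str]] = {}
    for client, tags in per_client.items():
        strong = tags - {CANDIDATE}
        if not strong:
            continue                    # only the noisy indicator (or nothing): suppress
        if CANDIDATE in tags:
            strong.add("cve-2012-4969-exploit-page")
        alerts[client] = strong
    return alerts

# Constructed sample sessions (not real traffic).
SAMPLE = [
    Session("10.0.0.5", "203.0.113.7", ["Protect.html"]),                 # lone noisy hit
    Session("10.0.0.9", "12.163.32.15", ["Protect.html"]),
    Session("10.0.0.9", "12.163.32.15", ["Moh2010.swf", "exploit.html"]),
    Session("10.0.0.9", "12.163.32.15", ["111.exe"]),
    Session("10.0.0.12", "198.51.100.4", ["report.pdf"]),                 # benign
]

if __name__ == "__main__":
    for client, tags in correlate_by_client(SAMPLE).items():
        print(client, sorted(tags))
```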



Threat Mitigation:
The Microsoft Advisory has further details on using the Enhanced Mitigation Experience Toolkit (EMET) and Internet Explorer's Enhanced Security Configuration on Windows Servers.


References:
Microsoft Advisory page - http://technet.microsoft.com/en-us/security/advisory/2757760
CVE page - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4969

Legacy Article ID: a59825
