Detecting CVE-2014-1776: Internet Explorer Zero-Day
Red Canary is actively detecting CVE-2014-1776, the latest “Internet Explorer zero-day,” on the endpoint by leveraging our global network of managed Bit9+Carbon Black sensors. This post provides some insight into how you can do the same.
We know this exploit targets Internet Explorer (iexplore.exe), requires that VGX.dll be loaded into the targeted iexplore.exe process, and is triggered by a malicious Flash file.
Using Carbon Black, we can quickly identify processes meeting these criteria:
Note that this simply identifies processes where potentially exploitable conditions exist; results are not necessarily indicative of malicious activity. On this particular Carbon Black server, this query yields 175 results over 24 hours:
175 results is still a lot to go through, so we need to narrow our search down a bit. We know that upon exploitation, iexplore.exe spawns a child process, which by itself is fairly common behavior. However, the child process name in this case will match *.dll. And while we do observe legitimate processes spawned from DLLs, this is atypical at best. Doubly so when the parent process is a web browser. What we end up with is this:
Running this query over the same period of time yields a single result, and a confirmed victim:
The process tree for our match:
And a sample of some of the activity associated with child process 0159.dll:
Note: This raw Carbon Black query may identify activity that is not associated with CVE-2014-1776. Additionally, while this will detect exploitation of the aforementioned vulnerability, processes matching this query may have been compromised in another manner. In any event, a process matching these criteria should be further investigated.
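The two-stage narrowing described above (iexplore.exe with VGX.dll loaded, then only those instances that spawned a child whose process name matches *.dll), expressed as a small triage script run over endpoint process records. This is an added example, not Red Canary's detection or a Carbon Black query; the record layout and every sample process below are constructed, and the 0159.dll child name is taken from the post.

```python
"""Two-stage triage for the CVE-2014-1776 pattern described in the post.

Added example; not Red Canary's or Carbon Black's code. The ProcessRecord
shape is an assumption standing in for whatever an EDR export looks like.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional, Tuple


@dataclass
class ProcessRecord:
    pid: int
    name: str
    parent_pid: Optional[int]
    modules: List[str] = field(default_factory=list)  # loaded module names


def stage_one(records: List[ProcessRecord]) -> List[ProcessRecord]:
    """iexplore.exe processes that loaded VGX.dll: exploitable conditions,
    not evidence of compromise (the post saw 175 of these in 24 hours)."""
    return [
        r for r in records
        if r.name.lower() == "iexplore.exe"
        and any(m.lower().endswith("vgx.dll") for m in r.modules)
    ]


def stage_two(records: List[ProcessRecord]) -> List[Tuple[ProcessRecord, ProcessRecord]]:
    """Stage-one matches that spawned a child whose process name matches *.dll.
    Returns (parent, child) pairs; each one warrants investigation."""
    hits = []
    for parent in stage_one(records):
        for child in records:
            if child.parent_pid == parent.pid and fnmatch(child.name.lower(), "*.dll"):
                hits.append((parent, child))
    return hits


# Constructed sample data: one benign-looking IE, one matching the pattern,
# one IE without VGX.dll, and a .dll-named child under explorer.exe, which
# the post notes is atypical but does happen legitimately.
SAMPLE = [
    ProcessRecord(500, "explorer.exe", None, ["shell32.dll"]),
    ProcessRecord(1001, "iexplore.exe", 500, ["mshtml.dll", "vgx.dll"]),
    ProcessRecord(2001, "notepad.exe", 1001, ["kernel32.dll"]),
    ProcessRecord(1002, "iexplore.exe", 500, ["mshtml.dll", "VGX.dll"]),
    ProcessRecord(2002, "0159.dll", 1002, ["kernel32.dll"]),
    ProcessRecord(1003, "iexplore.exe", 500, ["mshtml.dll"]),
    ProcessRecord(2003, "helper.dll", 1003, ["kernel32.dll"]),
    ProcessRecord(3001, "installer.dll", 500, ["kernel32.dll"]),
]


def summarize(records: List[ProcessRecord]) -> List[str]:
    """Human-readable lines for the stage-two hits."""
    return [
        f"pid {p.pid} {p.name} -> pid {c.pid} {c.name}"
        for p, c in stage_two(records)
    ]


if __name__ == "__main__":
    print(f"stage one: {len(stage_one(SAMPLE))} process(es) with VGX.dll loaded")
    for line in summarize(SAMPLE):
        print("stage two:", line)
```

Stage one alone is a hunting lead, not an alert; stage two is what brings the count down to something an analyst can review, which is the point the post makes about the 175-to-1 reduction.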
While we are providing this detection for the benefit of the Carbon Black community, it also highlights a key benefit of our approach: rapid identification of suspicious behaviors without explicit knowledge of the tool(s) an attacker uses. After alerting our client to the occurrence, they or their IR partners can surgically remediate the threat. This also allows them to determine whether a more expansive investigation is warranted.
Red Canary uses internally-developed intelligence, intelligence gleaned from partners, and expert human analysts to sort through the noise, identifying and communicating legitimate threats to our clients in a timely manner. Put another way: Red Canary’s alerts to our customers are 100% actionable and contain zero false positives.