Carbon Black & VMware Announce Expanded Partnership to Secure the Software-Defined Data Center (SDDC) Learn more

Using Carbon Black to Detect CVE-2014-1776 on the Endpoint

Using Carbon Black to Detect CVE-2014-1776 on the Endpoint internet explorer logo
KeithM
May 12, 2014 / Keith McCammon

logo (1)Our company, Red Canary, a provider of managed threat detection, is actively detecting CVE-2014-1776, the latest “Internet Explorer 0-day,” on the endpoint by leveraging our network of managed Bit9 + Carbon Black sensors. This post provides some insight into how you can do the same.

To begin, we know a few things:

1) This exploit targets Internet Explorer (iexplore.exe).

2) It requires VGX.dll be loaded by the targeted iexplore.exe process.

3) It is triggered by a malicious Flash file.

Using Carbon Black, we can quickly identify processes meeting these criteria:

`process_name:iexplore.exe modload:vgx.dll modload:*.ocx`

Note: This method simply surfaces processes where potentially exploitable conditions exist. Results are not indicative of malicious activity. On this particular Carbon Black server, this query yields 175 results over 24 hours:

cve1

Fortunately, we can narrow this search further, yielding much more useful results.

Upon exploitation, iexplore.exe spawns a child process—which by itself is fairly common behavior. However, the child process name in this case will match *.dll. And while we observe legitimate processes spawned from DLLs, this is atypical at best; doubly so when the parent process is a Web browser. What we end up with is this:

`modload:vgx.dll process_name:iexplore.exe modload:*.ocx childproc_name:*.dll`

Running this query over the same period of time yields a single result, and a confirmed victim:

cve2-1024x576The process tree for our match:

cve3-1024x576

And a sample of some of the activity associated with child process 0159.dll:

cve4-1024x576

Note: This raw Carbon Black query may identify activity that is not associated with CVE-2014-1776. Additionally, while this will detect exploitation of the aforementioned vulnerability, processes matching this query may have been compromised in another manner. In any event, a process matching these criteria should be further investigated.

While we are providing this detection for the benefit of the Bit9 + Carbon Black community, it also highlights a key benefit of our approach: rapid identification of suspicious behaviors without explicit knowledge of the tool(s) an attacker uses. After alerting our client to the occurrence, they (or their IR partner) can surgically remediate the threat. This enables them to determine whether a more expansive investigation is warranted.

Red Canary uses internally developed intelligence—gleaned from partners—and expert human analysts to sort through the noise, identifying and communicating these legitimate threats to our clients in a timely manner. Put another way: Red Canary’s alerts to our customers are 100 percent actionable and contain zero false positives.

Contact us at Red Canary if your business needs to know when it is threatened by this or hundreds of other attacks. Zero-day attacks demand zero-day detection.

TAGS: bit9 / Carbon Black / Detect CVE / endpoint protection / internet explorer / Red Canary / Vulnerability

Related Posts