Our company, Red Canary, a provider of managed threat detection, is actively detecting CVE-2014-1776, the latest “Internet Explorer 0-day,” on the endpoint by leveraging our network of managed Bit9 + Carbon Black sensors. This post provides some insight into how you can do the same.
To begin, we know a few things:
1) This exploit targets Internet Explorer (iexplore.exe).
2) It requires VGX.dll be loaded by the targeted iexplore.exe process.
3) It is triggered by a malicious Flash file.
Using Carbon Black, we can quickly identify processes meeting these criteria:
`process_name:iexplore.exe modload:vgx.dll modload:*.ocx`
Note: This method simply surfaces processes where potentially exploitable conditions exist. Results are not indicative of malicious activity. On this particular Carbon Black server, this query yields 175 results over 24 hours:
Fortunately, we can narrow this search further, yielding much more useful results.
Upon exploitation, iexplore.exe spawns a child process—which by itself is fairly common behavior. However, the child process name in this case will match *.dll. And while we observe legitimate processes spawned from DLLs, this is atypical at best; doubly so when the parent process is a Web browser. What we end up with is this:
`modload:vgx.dll process_name:iexplore.exe modload:*.ocx childproc_name:*.dll`
Running this query over the same period of time yields a single result, and a confirmed victim:
And a sample of some of the activity associated with child process 0159.dll:
Note: This raw Carbon Black query may identify activity that is not associated with CVE-2014-1776. Additionally, while this will detect exploitation of the aforementioned vulnerability, processes matching this query may have been compromised in another manner. In any event, a process matching these criteria should be further investigated.
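To make the narrowing step concrete, here is an added example that is not Red Canary's or Carbon Black's code: a minimal evaluator for the `field:glob` query syntax used above (only the three fields the post uses, with implicit AND between terms, which is an assumption about the syntax rather than a full implementation of Carbon Black's search language), run over a handful of constructed process records so you can see which records the broad query surfaces and which one survives the `childproc_name:*.dll` constraint.

```python
"""Evaluate Carbon Black-style process-search terms over constructed
process records, to show why adding childproc_name:*.dll narrows the
iexplore.exe / vgx.dll / *.ocx query from the post to a single hit."""
from fnmatch import fnmatch

# Constructed sample records (not real telemetry). Each record summarises one
# process: its image name, the modules it loaded and the children it spawned.
SAMPLE_PROCESSES = [
    {   # benign browsing session with VML rendering and an ActiveX control
        "id": "ie-benign-1",
        "process_name": "iexplore.exe",
        "modloads": ["mshtml.dll", "vgx.dll", "flash.ocx"],
        "childprocs": [],
    },
    {   # benign: IE launches a normal helper executable
        "id": "ie-benign-2",
        "process_name": "iexplore.exe",
        "modloads": ["vgx.dll", "msxml3.dll", "flash.ocx"],
        "childprocs": ["ieinstal.exe"],
    },
    {   # a non-browser process that loaded vgx.dll and spawned a .dll child
        "id": "outlook-1",
        "process_name": "outlook.exe",
        "modloads": ["vgx.dll", "flash.ocx"],
        "childprocs": ["0159.dll"],
    },
    {   # constructed record mirroring the confirmed victim in the post
        "id": "ie-suspect-1",
        "process_name": "iexplore.exe",
        "modloads": ["vgx.dll", "flash.ocx"],
        "childprocs": ["0159.dll"],
    },
]

# Query field -> key in the record; list-valued fields match if any element matches.
FIELD_MAP = {
    "process_name": "process_name",
    "modload": "modloads",
    "childproc_name": "childprocs",
}


def parse_query(query):
    """Split 'field:value field:value ...' into (field, glob) pairs.
    Every term must match (implicit AND), as in the post's queries."""
    terms = []
    for token in query.split():
        field, _, pattern = token.partition(":")
        if field not in FIELD_MAP or not pattern:
            raise ValueError(f"unsupported term: {token!r}")
        terms.append((field, pattern.lower()))
    return terms


def term_matches(record, field, pattern):
    """Case-insensitive glob match of one term against one record field."""
    value = record[FIELD_MAP[field]]
    values = value if isinstance(value, list) else [value]
    return any(fnmatch(v.lower(), pattern) for v in values)


def search(query, records=SAMPLE_PROCESSES):
    """Return the ids of records matching every term of the query."""
    terms = parse_query(query)
    return [r["id"] for r in records
            if all(term_matches(r, f, p) for f, p in terms)]


# The two queries from the post, verbatim.
BROAD_QUERY = "process_name:iexplore.exe modload:vgx.dll modload:*.ocx"
NARROW_QUERY = ("modload:vgx.dll process_name:iexplore.exe "
                "modload:*.ocx childproc_name:*.dll")

if __name__ == "__main__":
    print("broad :", search(BROAD_QUERY))    # three iexplore.exe records
    print("narrow:", search(NARROW_QUERY))   # only ie-suspect-1
```

The broad query returns every Internet Explorer process that merely has the exploitable conditions present; the narrowed query keeps only the record whose child is named like a DLL, which is the behavioural signal the post relies on. The `outlook-1` record shows why `process_name:iexplore.exe` stays in the query: a `.dll`-named child alone would also surface unrelated processes.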
While we are providing this detection for the benefit of the Bit9 + Carbon Black community, it also highlights a key benefit of our approach: rapid identification of suspicious behaviors without explicit knowledge of the tool(s) an attacker uses. After alerting our client to the occurrence, they (or their IR partner) can surgically remediate the threat. This enables them to determine whether a more expansive investigation is warranted.
Red Canary uses internally developed intelligence—gleaned from partners—and expert human analysts to sort through the noise, identifying and communicating these legitimate threats to our clients in a timely manner. Put another way: Red Canary’s alerts to our customers are 100 percent actionable and contain zero false positives.
Contact us at Red Canary if your business needs to know when it is threatened by this or hundreds of other attacks. Zero-day attacks demand zero-day detection.