Bit9 Threat Advisory - Diskless Internet Explorer Zero Day
This document outlines information and mitigation for a recently released Internet Explorer Zero Day attack. There is at least one way to report or prevent this specific behaviour using the Bit9 Security Platform.
This attack involves running a known-good system executable and injecting malicious code into that executable, thereby evading file-based controls. In this case it involves attacker code running in Internet Explorer launching an instance of rundll32.exe and injecting code into that process. This technique is generally referred to as Reflective DLL Injection (RDI).
Please see the Important Notes section for some details on this rule.

1. Login to the Bit9 Console
2. Navigate to Rules -> Software Rules -> Memory Rules
3. Click "Add Memory Rule"
4. Fill in the following information:
   Action: Report
   Permissions: Write Access
   Target Process: *\rundll32.exe
   Source Process: *\iexplore.exe
   User: Any User
   Policy: All policies
5. Hit Save
One thing to keep in mind is that mitigations such as the one listed above have greater value when they are kept hidden from attackers. One way to reduce the likelihood that attackers discover this mitigation is to use a report-only rule (which is what we recommend here). As designed, this rule will only report when code running in Internet Explorer attempts to write to or modify the memory of rundll32.exe.
You can change the Action of this rule to "Block" in order to turn this into a prevention rule, but it is highly recommended that you use this rule in Report mode for a period of time to mitigate the possibility of unintended consequences. In addition, placing this rule into prevention mode may provide information to attackers about how to adjust attack attempts that are unsuccessful in order to bypass the controls.
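To make the rule's matching behaviour concrete, the following added example (not Bit9 code, and not the Bit9 rule engine) models the rule above as a small evaluator run over constructed cross-process memory-access events. The MemoryRule and MemoryAccessEvent types, the evaluate function and the sample events are all assumptions made for illustration; it shows that only a write-access request from iexplore.exe to rundll32.exe matches, and how switching the Action from Report to Block changes the outcome.

```python
import fnmatch
from dataclasses import dataclass

# Hypothetical rule model mirroring the fields in the advisory; not Bit9's API.
@dataclass(frozen=True)
class MemoryRule:
    action: str            # "Report" or "Block"
    permissions: str       # e.g. "Write Access"
    target_process: str    # glob over the full path, e.g. "*\rundll32.exe"
    source_process: str    # glob over the full path, e.g. "*\iexplore.exe"

# Hypothetical event shape: one process opening another's memory.
@dataclass(frozen=True)
class MemoryAccessEvent:
    source_path: str       # process requesting access
    target_path: str       # process whose memory is accessed
    access: str            # requested access, e.g. "Write Access" / "Read Access"

# The rule from the advisory, in report mode.
RULE = MemoryRule("Report", "Write Access", r"*\rundll32.exe", r"*\iexplore.exe")

def _path_matches(pattern, path):
    # Case-insensitive glob on the full path; "*\rundll32.exe" matches any directory.
    # fnmatch treats backslash as a literal character, so Windows paths are safe.
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())

def evaluate(rule, event):
    """Return 'report', 'block', or None when the event does not match the rule."""
    if event.access != rule.permissions:
        return None
    if not _path_matches(rule.source_process, event.source_path):
        return None
    if not _path_matches(rule.target_process, event.target_path):
        return None
    return rule.action.lower()

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    MemoryAccessEvent(r"C:\Program Files\Internet Explorer\iexplore.exe",
                      r"C:\Windows\System32\rundll32.exe", "Write Access"),   # matches
    MemoryAccessEvent(r"C:\Program Files\Internet Explorer\iexplore.exe",
                      r"C:\Windows\SysWOW64\rundll32.exe", "Read Access"),    # wrong access
    MemoryAccessEvent(r"C:\Windows\explorer.exe",
                      r"C:\Windows\System32\rundll32.exe", "Write Access"),   # wrong source
    MemoryAccessEvent(r"C:\Program Files\Internet Explorer\iexplore.exe",
                      r"C:\Windows\System32\notepad.exe", "Write Access"),    # wrong target
]

def evaluate_all(rule=RULE, events=SAMPLE_EVENTS):
    """Evaluate every sample event under the rule; only the first should fire."""
    return [evaluate(rule, e) for e in events]
```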
In addition, memory rules are not supported on Windows Server 2003 64-bit due to a limitation in that OS version.
If you have any concerns or questions, please contact Bit9 Support.