(LiveHacking.Com) – Security researcher Eric Romang was monitoring some infected servers, allegedly being used by the Nitro gang for targeted attacks using the recent Java 7 zero-day vulnerabilities, when he found four files on the server which have turned out to be a previously unknown exploit for IE 7, IE 8 and IE 9. The four files (an executable, a Flash Player movie and two HTML files called exploit.html and protect.html) are used in conjunction to download a malicious executable onto the victim’s computer.
The attackers can upload any executable of their choosing and use the victim’s machine as part of a botnet or install a banking information stealing trojan. According to a tweet by Malc0de, the payload currently in use could be Poison Ivy (http://bit.ly/PkRPIP).
Eric discussed his findings with a variety of security researchers, including @binjo and @_sinn3r. He also got further help from those who frequent the Metasploit IRC channel. The conclusion is that the files represent a vulnerability in all versions of Internet Explorer from IE 7 onwards that is not dependent on any known Adobe Flash vulnerabilities.
It appears as if his actions haven’t gone unnoticed:
The guys who developed this new 0day were not happy to have been caught; they have removed all the files from the source server just 2 days after my discovery. But more interestingly, they also removed a Java 0-day variant from other folders.
It is thought that a Metasploit exploit module will be released sometime today, and progress on the module is going well.