On the new Explorer XML zero day
See update below!
More tomorrow hopefully.
It turned out, when we investigated this in detail, that it’s not related to the XML zero-day vulnerability. We’ve now seen four of these events at various customers, each starting with the same <object> tag carrying the same classid. We hadn’t seen that particular form before, and Google does not find other discussions of it. The obfuscated body is polymorphic, but when deobfuscated it reveals a bunch of older browser/plugin exploits. One of the incidents succeeded in infecting the client, and on investigation that turned out to be a fresh packing of the Grum bot. The destination IP of the exploit server was the same in all cases, and it’s a known RBN IP address. The campaign appears to be driven by malicious ads. Thanks to Julia, Atif, and Alex for help in investigating, and apologies for any confusion: it appears to be a new obfuscation idiom and a new packing that was not recognized by almost any AV, but not a new exploit – just coincidence that the XMLHTTP classid was used on the same day that the new XML exploit was out.
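The detection lesson in the write-up is that the polymorphic body defeated signature AV while the campaign's invariants (the fixed <object> classid, the fixed exploit-server address) did not change across incidents. The following triage script is an added example, not code from the original post or its author: it flags pages on those invariants and uses a script-entropy heuristic only as a secondary signal. The classid and the exploit-server address are placeholders (the post does not give their values), and both sample pages are constructed.

```python
import math
import random
import re
import string
from collections import Counter

# Placeholder for the classid the campaign reused; the real value is not on the page.
SUSPECT_CLASSID = "clsid:PLACEHOLDER-XMLHTTP-CLASSID"
# Hypothetical exploit-server host (documentation range), not the RBN address from the post.
KNOWN_BAD_HOSTS = {"203.0.113.45"}

OBJECT_RE = re.compile(r'<object\b[^>]*\bclassid\s*=\s*["\']?([^"\'\s>]+)', re.I)
SCRIPT_RE = re.compile(r'<script\b[^>]*>(.*?)</script>', re.I | re.S)
HOST_RE = re.compile(r'https?://([^/\s"\'>]+)', re.I)


def shannon_entropy(text):
    """Bits per character of `text`; ordinary JS sits well below uniform random text."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_page(html, classid=SUSPECT_CLASSID, bad_hosts=KNOWN_BAD_HOSTS,
                min_script_len=200, entropy_threshold=5.2):
    """Return the list of indicators found, in fixed order, so results are comparable."""
    findings = []
    # Invariant 1: the <object> classid the campaign kept constant across incidents.
    classids = [m.group(1).lower() for m in OBJECT_RE.finditer(html)]
    if classid.lower() in classids:
        findings.append("object_classid_match")
    # Secondary signal: a long, high-entropy script body is consistent with obfuscation.
    # The threshold is a tunable heuristic, not a hard rule.
    for body in SCRIPT_RE.findall(html):
        if len(body) >= min_script_len and shannon_entropy(body) > entropy_threshold:
            findings.append("high_entropy_script")
            break
    # Invariant 2: the exploit server address that did not change between incidents.
    hosts = {h.lower() for h in HOST_RE.findall(html)}
    if hosts & {h.lower() for h in bad_hosts}:
        findings.append("known_bad_host")
    return findings


def _constructed_obfuscated_body(length=400):
    # Constructed stand-in for a polymorphic obfuscated payload: deterministic
    # pseudo-random base64-like text, not real exploit code.
    rng = random.Random(7)
    alphabet = string.ascii_letters + string.digits + "+/"
    return "".join(rng.choice(alphabet) for _ in range(length))


# Constructed sample that mirrors the structure the post describes.
MALICIOUS_SAMPLE = (
    '<html><body>'
    '<object classid="' + SUSPECT_CLASSID + '" id="x"></object>'
    '<script>var p="' + _constructed_obfuscated_body() + '";'
    'var u="http://203.0.113.45/in.cgi";</script>'
    '</body></html>'
)

# Constructed benign page: ordinary script, no suspect classid, no bad host.
BENIGN_SAMPLE = (
    '<html><body><p>Hello</p>'
    '<script>'
    'var total = 0; var items = [1, 2, 3];'
    'for (var i = 0; i < items.length; i++) { total = total + items[i]; }'
    'document.getElementById("total").innerHTML = "Total: " + total;'
    'document.getElementById("count").innerHTML = "Count: " + items.length;'
    '</script>'
    '<img src="http://example.com/logo.png">'
    '</body></html>'
)


if __name__ == "__main__":
    print("malicious:", triage_page(MALICIOUS_SAMPLE))
    print("benign:", triage_page(BENIGN_SAMPLE))
```

Matching on the classid and the destination host is what survives the polymorphic repacking; the entropy check is there to surface unknown variants for analyst review, and on real traffic its threshold should be calibrated against the site's own benign scripts before it is trusted.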