
SANS ISC: MS09-002 exploit in the wild - SANS Internet Storm Center

MS09-002 exploit in the wild

Several AV vendors have reported MS09-002 exploits in the wild. We can confirm this: the exploit for the CVE-2009-0075 vulnerability (Uninitialized Memory Corruption) in Internet Explorer 7 is definitely in the wild and works like a charm on an unpatched Windows XP machine.

Initially there was some confusion about this attack, as most AV vendors mentioned Word documents. The exploit targets Internet Explorer 7, but so far it has been delivered to the end user as a Word document. That being said, there is absolutely nothing preventing attackers from using the exploit in a drive-by attack (and we can, unfortunately, expect that this will happen very soon).

The exploit code does something similar to a heap spray, with the difference that it deletes the created objects and even calls CollectGarbage(), as seen in the (excerpted) code snippet below:

// Excerpt from the exploit. The variable c (the shellcode string) is
// defined earlier in the exploit and is not reproduced here.
var array = new Array();
// Size of each filler block: 1 MB minus the shellcode and some slack
var ls = 0x100000-(c.length*2+0x01020);
// 0x0C0C0C0C filler: doubled until it reaches the target block size
var b = unescape("%u0C0C%u0C0C");

while(b.length<ls/2) { b+=b;}
var lh = b.substring(0,ls/2);
delete b;
// Fill the heap with 0xC0 copies of filler + shellcode
for(i=0; i<0xC0; i++) {
        array[i] = lh + c;
}

The variable c here contains the shellcode, which does the standard job of pulling another executable from a remote site (it's worth noting that the shellcode appears to be obfuscated quite a bit). This other executable then steals personal data and sends it to a remote site.
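For defenders triaging scripts extracted from documents or web pages, the individual constructs above (a repeated %u escape passed to unescape(), a string-doubling loop, a large array fill, delete plus CollectGarbage()) are each innocuous on their own but rarely appear together outside a heap spray. The following scorer is an added example written for this diary, not code from the exploit or from the ISC; the two script samples it scans are constructed here, with the shellcode variable replaced by a placeholder, and the weights and threshold are illustrative assumptions.

```python
import re

# Constructed sample modelled on the spray fragment quoted above; the real
# shellcode is replaced by a placeholder string.
SPRAY_SAMPLE = r'''
var c = unescape("%uPLACEHOLDER");
var array = new Array();
var ls = 0x100000-(c.length*2+0x01020);
var b = unescape("%u0C0C%u0C0C");
while(b.length<ls/2) { b+=b;}
var lh = b.substring(0,ls/2);
delete b;
for(i=0; i<0xC0; i++) {
        array[i] = lh + c;
}
CollectGarbage();
'''

# Constructed benign script: builds and displays a small list.
BENIGN_SAMPLE = r'''
var items = new Array();
for (var i = 0; i < 10; i++) {
    items[i] = "item " + i;
}
document.getElementById("list").innerText = items.join(", ");
'''

# (name, regex, weight). Weights are assumptions chosen so that the two
# strongest spray signs together cross the threshold on their own.
INDICATORS = [
    # unescape("%uXXXX%uXXXX...") where the same 16-bit word repeats: a filler sled
    ("repeated_unicode_escape",
     re.compile(r'unescape\(\s*["\'](%u[0-9a-fA-F]{4})\1+["\']'), 3),
    # x += x; doubles a string until it reaches a target size
    ("string_doubling", re.compile(r'\b(\w+)\s*\+=\s*\1\s*;'), 3),
    # arr[i] = filler + payload; inside a loop body
    ("array_fill_concat",
     re.compile(r'\w+\[\w+\]\s*=\s*\w+\s*\+\s*\w+\s*;'), 1),
    # IE/JScript-specific garbage collector call
    ("collect_garbage", re.compile(r'\bCollectGarbage\s*\('), 2),
    # delete of a plain variable, as the exploit does with its filler
    ("delete_variable", re.compile(r'\bdelete\s+\w+\s*;'), 1),
]

HEX_LITERAL = re.compile(r'0x([0-9a-fA-F]+)')


def has_large_hex(src):
    """True if any hex literal is >= 0x10000 (block sizes such as 0x100000)."""
    return any(int(h, 16) >= 0x10000 for h in HEX_LITERAL.findall(src))


def score_script(src):
    """Return (score, [indicator names]) for a JavaScript source string."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(src)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    if has_large_hex(src):
        hits.append("large_hex_constant")
        score += 1
    return score, hits


def looks_like_heap_spray(src, threshold=6):
    """Assumed threshold: 6 requires at least two strong indicators."""
    return score_script(src)[0] >= threshold


if __name__ == "__main__":
    for label, sample in (("spray", SPRAY_SAMPLE), ("benign", BENIGN_SAMPLE)):
        score, hits = score_script(sample)
        print(label, score, hits, looks_like_heap_spray(sample))
```

The scorer is deliberately a heuristic for triage, not a verdict: obfuscated exploits will rename variables and split string literals, so a low score does not clear a sample, and a sample that trips several indicators is a candidate for manual analysis or detonation rather than an automatic block.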

As the MS09-002 patch was released only a week ago, it's clear that the attacker reverse engineered the patch to create the exploit (especially since the vulnerability was initially reported by ZDI to Microsoft in September last year). So, check your client machines and make sure that you are patched!




ISC Handler
Feb 17th 2009
