Eric Romang, while examining a server compromised via the recently patched Java 7 zero-day, stumbled upon four files: 111.exe, Moh2010.swf, Protect.html and exploit.html. The researcher downloaded them and executed them on an up-to-date Windows XP system with a patched Adobe Flash. According to the researcher, these files dropped additional files onto his system, indicating that some kind of zero-day was being exploited.

The researcher submitted all the files to the online virus scanner VirusTotal (now acquired by Google) and, to his surprise, none of them raised any red flags except Moh2010.swf (as of his blog post). We checked again at the time of writing and detection has not improved. On investigating Moh2010.swf, the researcher found that the file was packed with DoSWF and is decompressed in memory once executed.

Surprisingly, as soon as the researcher published his results online, the people behind the exploit removed the files, as well as another Java zero-day variant, from other folders. Romang shared his results with other researchers, who confirmed that the exploit targets a zero-day in Internet Explorer 7 / 8.

Developers over at Metasploit have already released an early Metasploit module for the zero-day. Read the complete analysis on Eric Romang’s Blog.


[Update: 18/09/2012@19:34 UTC] The AlienVault Labs blog has a more detailed explanation of the whole exploit process. The Metasploit module can be found here. Ars Technica reports, citing Rapid7's CSO, that the vulnerability can also be exploited on Windows Vista and Windows 7 systems.