2014 has certainly been the year in which catchy names and logos became associated with vulnerabilities. One of the vulnerabilities that attracted our attention was CVE-2014-6332, the “unicorn-like” bug affecting Internet Explorer. There are several reasons why this vulnerability is particularly attractive to attackers. First, it affects Internet Explorer versions from 3.0 all the way to 11.0, meaning that, at the time of discovery, the default Internet Explorer install on every Windows version from 95 through 8.1 was vulnerable. A reliable proof of concept, which could easily be repurposed by an attacker, was quickly released publicly. Moreover, as the vulnerability affects the browser directly, popular mechanisms such as drive-by downloads and watering hole attacks can easily and reliably use it. From this point on, there has been an intensive arms race between detection teams and attackers. Analyzing the efforts deployed by the miscreants to evade detection would allow the anti-virus community to come up with new ways of tracking such rapidly propagating exploits.
In this presentation, we will cover the way the different cybercriminals have used this vulnerability and their efforts to thwart tracking by security companies. We will thus cover in detail the different variations of the exploit code and show how exploit kits and APT groups are using it. Finally, we will show some of the most interesting case studies we stumbled upon while investigating the usage of this “unicorn-like” bug.