When the Internet Explorer 0-day CVE-2014-1776 was announced, we turned to our intelligence feeds for more information. In the course of taking it apart, we found a few interesting things that we wanted to share.
The first thing to notice is that even though CVE-2014-1776, which we talked about earlier this week, is an Internet Explorer vulnerability that is exploited through JavaScript, there was almost no obfuscation of the code. Usually, multiple layers of obfuscation are used, with free JavaScript obfuscators layered on top of each other to make it difficult for researchers and detection devices to identify what is happening in the code. Instead, almost all the functions and variables were there in plain sight, with names like "dword2data" and "arrLen" showing up without so much as a base64 encoding in sight.
More here: http://vrt-blog.snort.org/2014/05/anatomy-of-exploit-cve-2014-1776.html