The attack uses the methodology described by Vupen: a non-trivial exploit that works in Internet Explorer 6 to 9. Microsoft fixed this vulnerability in its January patch release.
M86 describes how an infected web page hosted in South Korea loads a malicious MIDI file. The MIDI file is used to download an executable which is itself a downloader; this in turn fetches the ultimate payload, a basic rootkit.
M86 notes that the malware goes to some length to avoid detection. “The author uses a common evading technique: XOR encryption, with a decrypting loop at the prologue. This technique is usually very effective against signature based detection engines.” When the sample was submitted to VirusTotal (which exercises only the static signature component of each anti-virus product, not its on-access heuristic detection), only 3 of the 43 products detected it.
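The following is an added illustration, not M86's code or anything taken from the sample it analysed, of why a single XOR layer defeats a byte-for-byte signature and what an analyst does about it. The page does not say what key length or loop the real sample used, so the example assumes a repeating-key XOR (single-byte or short multi-byte), and the payload, signature string and keys are constructed for the demonstration. It shows a naive signature engine failing on the encoded body, then recovers the key from a known plaintext so the same signature can be applied to the decoded bytes.

```python
"""
Added example (not M86's code, not the analysed sample): XOR-layer evasion
of a fixed signature, and known-plaintext XOR key recovery on the analyst
side. All data below is constructed; keys and payload are hypothetical.
"""
from typing import List, Optional, Tuple


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating `key`. Decoding is the same operation."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def signature_match(blob: bytes, sig: bytes) -> bool:
    """Naive signature engine: does the byte pattern occur verbatim?"""
    return sig in blob


def single_byte_xor_scan(blob: bytes, sig: bytes) -> List[int]:
    """Every single-byte key under which `sig` appears in `blob`.
    Key 0 means the signature is present in the clear. This is the
    brute-force approach YARA offers via its `xor` string modifier."""
    return [k for k in range(256) if sig in xor_bytes(blob, bytes([k]))]


def recover_xor_key(blob: bytes, sig: bytes,
                    max_keylen: int = 8) -> Optional[Tuple[int, bytes]]:
    """Known-plaintext key recovery for a repeating XOR key.

    If `sig` is the plaintext at some offset, then blob XOR sig at that
    offset is the keystream. A repeating key makes the keystream periodic,
    so slide `sig` across `blob` and look for a period <= max_keylen.
    Returns (offset, key) with `key` aligned to blob offset 0, or None.
    Requires len(sig) >= 2*keylen so the period is confirmed, not guessed.
    """
    n = len(sig)
    for off in range(len(blob) - n + 1):
        stream = bytes(blob[off + j] ^ sig[j] for j in range(n))
        for klen in range(1, max_keylen + 1):
            if n < 2 * klen:
                break
            if all(stream[j] == stream[j % klen] for j in range(n)):
                # stream[j] == key[(off + j) % klen]; re-align to offset 0
                key = bytes(stream[(k - off) % klen] for k in range(klen))
                return off, key
    return None


# Constructed stand-in for a downloader binary: a known string (the standard
# PE DOS-stub message) is the signature a static engine would look for.
SIGNATURE = b"This program cannot be run in DOS mode."
PLAINTEXT = (b"MZ\x90\x00" + b"\x00" * 12 + SIGNATURE + b"\r\n"
             + b"\x00" * 8 + b"GET /stage2.exe HTTP/1.1\r\n")

# Two hypothetical keys: a single byte and a short multi-byte key.
KEY_1 = b"\x5a"
KEY_4 = b"K3y!"


def demo() -> dict:
    """Run the comparison and return the results for inspection."""
    enc1 = xor_bytes(PLAINTEXT, KEY_1)
    enc4 = xor_bytes(PLAINTEXT, KEY_4)
    recovered = recover_xor_key(enc4, SIGNATURE)
    return {
        "clear_matches": signature_match(PLAINTEXT, SIGNATURE),
        "encoded_matches": signature_match(enc1, SIGNATURE),
        "single_byte_keys": single_byte_xor_scan(enc1, SIGNATURE),
        "recovered": recovered,
        "decoded_ok": recovered is not None
        and xor_bytes(enc4, recovered[1]) == PLAINTEXT,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The single-byte scan is cheap enough to run on every file, which is why signature engines now offer it natively; the known-plaintext recovery is what you reach for during analysis when the key is longer. Neither helps when the stub derives its key at runtime or encodes in a non-repeating way, which is the limit of signature matching and the reason Anstis's advice below leans on patching rather than detection.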
Bradley Anstis, technical strategy VP at M86, says the exploit indicates how quickly malware creators can move to take advantage of new vulnerabilities. He notes that the code obfuscation in this attack makes it likely to evade signature-based detection, while simply “blocking the offending URL will protect against this exact attack, but is unlikely to protect against the next zero-day attack.” The solution is that users must be diligent in patching their systems. “If users’ computers are not fully patched, they may get infected with malware that enables attackers to run any malicious code at any time.”