Zero-Day Attack on IE6 – JS.Sykipot Doesn’t Spare Retired Software

Internet Explorer 6 may have taken its path to retirement but it still remains a good target for exploits, as we can see from JS.Sykipot. This zero-day was found on March 8th and it exploits a vulnerability in some Internet Explorer versions (CVE-2010-0806, BID 38615) that can lead to remote code execution. Upon successful exploitation, JS.Sykipot will download and run Backdoor.Sykipot, which is a back door capable of communicating with its control server to receive and run several commands.

In my tests, the exploit worked successfully on IE6, caused the browser to freeze on IE7, and did not work at all in IE8. In particular, IE8 shows an error box when running the JavaScript code, so it seems to not be affected by this vulnerability.

Let’s have a look at the exploit itself. It begins with a simple JavaScript tag; surprisingly, the code is only slightly obfuscated:

Image 1: The beginning

The page defines a button, then the JavaScript code will call the ‘onclick()’ method of the button to run the associated function ‘blkjbdkjb()’. This function contains the exploit code itself. Note how the code also includes another JavaScript file, named bypasskav.txt. This file only contains the following code:

var oipoipqirpoewrioipowqeriqq = unescape;
The code is used to associate the ‘unescape’ function with (continue reading...)
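
For detection, the aliasing trick shown above can be caught statically by resolving aliases across every script a page loads before searching for decoder calls. The following is an added example, not code from the original article; the function names, the list of watched built-ins and the caller script in the sample are assumptions made for illustration.

```javascript
// Built-ins commonly used to decode or execute packed script content (assumed list).
const SENSITIVE = ["unescape", "eval", "decodeURIComponent", "atob"];

// Find statements such as `var x = unescape;` (a bare reference, not a call).
function findAliases(source) {
  const aliases = new Map(); // alias name -> built-in it refers to
  const re = new RegExp(
    "(?:\\b(?:var|let|const)\\s+)?([A-Za-z_$][\\w$]*)\\s*=\\s*(?:window\\.)?(" +
      SENSITIVE.join("|") + ")\\s*(?=[;,\\n]|$)", "g");
  for (const m of source.matchAll(re)) aliases.set(m[1], m[2]);
  return aliases;
}

// Report call sites of each alias across all scripts loaded by one page,
// so an alias defined in one file and used in another is still resolved.
function findAliasedCalls(scripts) {
  const aliases = new Map();
  for (const s of scripts)
    for (const [name, builtin] of findAliases(s.text))
      aliases.set(name, { builtin, definedIn: s.name });
  const hits = [];
  for (const s of scripts)
    for (const [alias, info] of aliases) {
      const call = new RegExp(
        "(?<![\\w$.])" + alias.replace(/\$/g, "\\$") + "\\s*\\(", "g");
      for (const m of s.text.matchAll(call)) {
        const line = s.text.slice(0, m.index).split("\n").length;
        hits.push({ file: s.name, line, alias, ...info });
      }
    }
  return hits;
}

// Constructed sample: the alias line is the one quoted in the article;
// the caller body is made up and only decodes a harmless string.
const SAMPLE = [
  { name: "bypasskav.txt", text: "var oipoipqirpoewrioipowqeriqq = unescape;\n" },
  { name: "index.html#inline", text:
    "function blkjbdkjb() {\n  var s = oipoipqirpoewrioipowqeriqq('%48%69');\n  return s;\n}\n" },
];
console.log(findAliasedCalls(SAMPLE));
```

A scanner that only greps each file for the literal string `unescape(` sees nothing suspicious in either file on its own; joining the alias definition to its call site is what surfaces the decoder use.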

Copyright © 2012 The Security Blog. All rights reserved.