Newly Detected IE Exploit Spells Massive Spyware Trouble
A previously undocumented flaw in Microsoft's Internet Explorer Web browser is reportedly being exploited by online criminals to install an entire kitchen sink of malicious software on the computer of anyone who visits one of a handful of sites currently exploiting the vulnerability.
Researchers at Sunbelt Software discovered the exploit last week while conducting some routine online surveillance of known crimeware gangs. According to Sunbelt researcher Eric Sites, the exploits at the moment appear to be hosted mainly on hardcore porn sites. But if past experience with new IE exploits holds true, we may soon see this exploit being sewn into the fabric of legitimate, but poorly programmed, business Web sites that hackers can manipulate to their advantage.
According to Sites, among the nasty pieces of software an IE user can expect to be whacked with upon visiting one of the sites is the BigBlue keystroke logger, which monitors and captures data from computers including screenshots, keystrokes, web cam and microphone data; it also records instant messaging chat sessions, e-mail information and the Web sites visited by the user.
The exploit is also being used to install the incredibly invasive Spybot worm and the VXGame Trojan, as well as adware titles that scam artists profit from on a per-installation basis, such as Virtumondo, SafeSurfing, Avenue Media, WebHancer, Internet Optimizer, SurfSidekick and DollarRevenue, and the bogus anti-spyware program SpySheriff.
And that's not even the half of it, Sites said. "We haven't even fully analyzed this piece of malware yet."
Sites said Sunbelt had notified Microsoft of the discovery. I put in a call to the company late Monday but haven't heard back yet. I will update the blog when I hear back or when the company issues an advisory about this.
This whole thing is starting to smell a lot like the activity that preceded similar attacks on an unpatched IE flaw at the beginning of the year. For a week or so at the end of 2005, a handful of crime groups were using an undocumented IE vulnerability to attack people who visited a small number of fringe or hardcore porn Web sites, and Microsoft downplayed the threat from it by noting that fact. As the new year arrived, however, hundreds of legitimate Web sites had been compromised and were installing spyware on the computers of any user who visited them with the IE browser.
"Usually, as soon as we see these things in the wild like this they start spreading very quickly," Sites said.
Sites said the flaw appears to lie in Microsoft's implementation in IE of "vector markup language," or "VML" for short, an XML-based markup language used to describe scalable vector graphics in a Web page.
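For readers who run a Web proxy or content filter and want to know whether pages they serve or fetch even use VML, the following scanner is an added example and is not code from the original post, from Sunbelt, or from Microsoft. It relies only on two facts about VML markup: a page declares it with the namespace `urn:schemas-microsoft-com:vml` (conventionally bound to the `v:` prefix), and then draws with elements such as `v:rect` and `v:fill`. The 256-character attribute limit, the `scan_html`/`classify` names and the two sample pages are assumptions constructed for the example; the post does not describe how the exploit triggers, so the scanner flags VML use and oversized VML attribute values as a generic heuristic rather than matching any particular exploit.

```python
from html.parser import HTMLParser

# Real namespace URN that IE-era pages use to enable VML rendering.
VML_NAMESPACE = "urn:schemas-microsoft-com:vml"

# Hypothetical threshold: ordinary VML attribute values (colors, sizes,
# paths) are short, so anything this long deserves a closer look.
MAX_ATTR_LEN = 256


class _VmlScanner(HTMLParser):
    """Collects VML usage facts from a single HTML document."""

    def __init__(self):
        super().__init__()
        self.declares_vml = False   # xmlns:* attribute bound to the VML URN
        self.vml_elements = 0       # number of v:* elements seen
        self.suspicious = []        # (tag, attribute, value length)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        for name, value in attrs:
            if name.startswith("xmlns:") and value == VML_NAMESPACE:
                self.declares_vml = True
        if tag.startswith("v:"):
            self.vml_elements += 1
            for name, value in attrs:
                if value is not None and len(value) > MAX_ATTR_LEN:
                    self.suspicious.append((tag, name, len(value)))


def scan_html(html):
    """Parse one page and return a plain dict describing its VML use."""
    scanner = _VmlScanner()
    scanner.feed(html)
    scanner.close()
    return {
        "declares_vml": scanner.declares_vml,
        "vml_elements": scanner.vml_elements,
        "suspicious": scanner.suspicious,
    }


def classify(report):
    """Triage label for a scan_html() report (hypothetical scheme)."""
    if report["suspicious"]:
        return "suspicious-vml"
    if report["declares_vml"] or report["vml_elements"]:
        return "vml"
    return "no-vml"


# Constructed sample: a benign page drawing one small rectangle with VML.
BENIGN_PAGE = """<html xmlns:v="urn:schemas-microsoft-com:vml">
<head><style>v\\:* { behavior: url(#default#VML); }</style></head>
<body><v:rect style="width:100px;height:50px" fillcolor="blue"/></body>
</html>"""

# Constructed sample: VML with an absurdly long attribute value, the kind of
# thing a filter should at least log. The attribute name is arbitrary here.
SUSPECT_PAGE = (
    '<html xmlns:v="urn:schemas-microsoft-com:vml"><body>'
    '<v:rect style="width:1px;height:1px">'
    '<v:fill title="' + "A" * 4096 + '"/></v:rect>'
    "</body></html>"
)


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE)):
        report = scan_html(page)
        print(label, classify(report), report["vml_elements"], report["suspicious"])
```

The scanner is deliberately coarse: it tells you which pages in a crawl or proxy log carry VML at all, which is the population you would want to review or block while a fix is pending, and it does not claim to recognize the exploit itself.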
This new exploit, combined with two other publicly available exploits for a separate, unpatched IE flaw, should give pause to anyone using the Microsoft browser. My advice: If you or someone you care about is in the habit of cruising the Web with IE, now would be a very good time to get acquainted with another browser that doesn't use IE's rendering engine, such as Firefox or Opera.
But if IE is your browser of choice, make sure you have Windows set to receive automatic software updates, and be very careful about visiting Web sites that are off the Internet's beaten path.
Update, Sept. 19, 12:08 p.m.: Microsoft is now acknowledging the existence of this flaw, which it said "could allow an attacker to execute arbitrary code on the user's system," and that Redmond "is aware of limited attacks that attempt to exploit the vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the October security updates on October 10, 2006, or sooner as warranted."
Microsoft may quickly find that sooner is in fact warranted in this case. It's worth noting that once again online crooks have waited until just after Microsoft releases its monthly patches to begin exploiting this new flaw (Sunbelt said it first spotted this new exploit last week, just hours after Patch Tuesday). The bad guys appear to be gaming Microsoft's patch process with a fair degree of regularity.