
Newly Detected IE Exploit Spells Massive Spyware Trouble

A previously undocumented flaw in Microsoft's Internet Explorer Web browser is reportedly being exploited by online criminals to install an entire kitchen sink of malicious software on any computer that visits any of a handful of sites currently exploiting the vulnerability.

Researchers at Sunbelt Software discovered the exploit last week while conducting some routine online surveillance of known crimeware gangs. According to Sunbelt researcher Eric Sites, the exploits at the moment appear to be hosted mainly on hardcore porn sites. But if past experience with new IE exploits holds true, we may soon see this exploit being sewn into the fabric of legitimate, but poorly programmed, business Web sites that hackers can manipulate to their advantage.

According to Sites, among the nasty pieces of software an IE user can expect to be whacked with upon visiting one of the sites is the BigBlue keystroke logger, which monitors and captures data from computers including screenshots, keystrokes, web cam and microphone data; it also records instant messaging chat sessions, e-mail information and the Web sites visited by the user.

The exploit is also being used to install the incredibly invasive Spybot worm and VXGame Trojan, as well as adware titles that scam artists profit from on a per installation basis, such as Virtumondo, SafeSurfing, Avenue Media, WebHancer, Internet Optimizer, SurfSidekick, DollarRevenue, and the bogus anti-spyware program SpySheriff.

And that's not even the half of it, Sites said. "We haven't even fully analyzed this piece of malware yet."

Sites said Sunbelt had notified Microsoft of the discovery. I put in a call to the company late Monday but haven't heard back yet. I will update the blog when I hear back or when the company issues an advisory about this.

This whole thing is starting to smell a lot like the activity that preceded similar attacks on an unpatched IE flaw at the beginning of the year. For a week or so at the end of 2005, a handful of crime groups were using an undocumented IE vulnerability to attack people who visited a small number of fringe or hardcore porn Web sites, and Microsoft downplayed the threat from it by noting that fact. As the new year arrived, however, hundreds of legitimate Web sites had been compromised and were installing spyware on the computers of any user who visited them with the IE browser.

"Usually, as soon as we see these things in the wild like this they start spreading very quickly," Sites said.

Sites said the flaw appears to be the result of Microsoft's implementation in IE of "vector mark-up language," or "VML" for short -- an XML Web programming language used to create scalable graphics.

This new exploit, combined with two other publicly available exploits for a separate, unpatched IE flaw, should give pause to anyone using the Microsoft browser. My advice: If you or someone you care about is in the habit of cruising the Web with IE, now would be a very good time to get acquainted with another browser that doesn't use IE's rendering engine, such as Firefox or Opera.

But if IE is your browser of choice, make sure you have Windows set to receive automatic software updates, and be very careful about visiting Web sites that are off the Internet's beaten path.

Update, Sept. 19, 12:06 a.m.: I neglected to mention that IE users can mitigate this flaw by disabling Javascript in the browser. To do this, click on "Tools," then "Options," and then on the "Security" tab, scroll down to the section marked "Scripting" and select either "Prompt" or "Disable" for Active Scripting.

Update, Sept. 19, 12:08 p.m.: Microsoft is now acknowledging the existence of this flaw, which it said "could allow an attacker to execute arbitrary code on the user's system," and that Redmond "is aware of limited attacks that attempt to exploit the vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the October security updates on October 10, 2006, or sooner as warranted."

Microsoft may quickly find that sooner is in fact warranted in this case. It's worth noting that once again online crooks have waited until just after Microsoft releases its monthly patches to begin exploiting this new flaw (Sunbelt said it first spotted this new exploit last week, just hours after Patch Tuesday). The bad guys appear to be gaming Microsoft's patch process with a fair degree of regularity.

By Brian Krebs  |  September 18, 2006; 10:25 PM ET
Categories: Latest Warnings

Comments

The exploit is being detected right now by Microsoft and AntiVir engines.

Posted by: jcanto | September 19, 2006 3:19 AM | Report abuse

I purchased a MAC Mini a few weeks ago and after reading this, I know I made the CORRECT decision. Life with Microsoft is like living in a war zone with bombs and mortars coming in at you everyday.

Posted by: jl726 | September 19, 2006 4:10 AM | Report abuse

"crimeware gangs"?

Posted by: BDLRVA | September 19, 2006 7:51 AM | Report abuse

Time to go virtual it would seem! With a free VMPlayer and the 'Browser Appliance' you can browse without fear. If you get hit, just reboot the VM and start over. You'll never keep up anyway. Switching browsers away from IE is just making the target smaller. Security through obscurity, if you will.

(BTW, can't wait to see all the smarmy Mac-ophile posts, here. Hi, I'm a Mac. *Punch* *Thud* Hi, I don't give a crap!)

Posted by: Tim B | September 19, 2006 8:59 AM | Report abuse

Tim B. says "can't wait to see all the smarmy Mac-ophile posts, here. Hi, I'm a Mac. *Punch* *Thud* Hi, I don't give a crap!"

Yet you're posting a solution of using VMPlayer and a browser appliance to avoid these problems? How is that less "smarmy" than using a mac and your browser of choice? You, like Mac users, have opted to avoid the security problems by using an alternative--but Mac users and not you are being smug?

Posted by: ah | September 19, 2006 9:38 AM | Report abuse

Well, that's just great. As the president of a leading 24x7 end-user HSIA support company for hotels, colleges, hospitals and other facilities, I congratulate MicroSoft for yet again making our clients' end-users' and our agents' lives miserable and reducing our profits while through their incompetence they skate on relatively unaffected as usual. It's not the 'cleaning and deleting' that is so annoying, it is the time and effort that is needed to educate the casual user that 1-This is the true reason they can't connect, 2-It has nothing to do with the facility, 3-It is their responsibility to use the tools that are available in the market to clean their PCs. Their mistake, our time and effort.

Posted by: Roger | September 19, 2006 11:28 AM | Report abuse

Brian

IE 6.0 has security settings for "Active Scripting" "Allow pasting ..." and "Scripting of Java applets". So, do I set them all to "Prompt" or just the two that refer to scripting?

Does this vulnerability affect IE 6.0 with the Sun Java VM as default?

Posted by: Bill Carman | September 19, 2006 11:59 AM | Report abuse

"Switching browsers away from IE is just making the target smaller."
Uh no, it makes the target obsolete, like IE was 3 years ago.
Tim B is a tool.

Posted by: Frank Doss | September 19, 2006 12:28 PM | Report abuse

If Mac OS had the largest install base it would be attacked just as heavily as Windows and IE are now.

Just because Windows and IE are always targeted it does not say that Mac OS could handle it better if it were the favorite target.

If everyone were to switch to Mac the jerks writing viruses and spyware would just change the platform they target to Mac.

Be careful what you wish for. These criminals don't care what technology they write their malware for, just as long as they're hitting the most computers possible.

Posted by: Tom | September 19, 2006 1:01 PM | Report abuse

Brian,

Good article, however, you are doing your readers a disservice by not providing the real threat information here.

You write: "to install an entire kitchen sink of malicious software on any computer that visits any of a handful of sites currently exploiting the vulnerability"

Ok. How is this possible if the user is _not_ running with administrator privilege?

If the user is running with normal (LUA) privileges, as all users should be, then as far as I can tell, there is no threat here. The malware mentioned would not be able to be installed if the user is running with normal user privileges.

Please provide this clarity in future posts regarding malware and these "massive threats".

Posted by: LUA | September 19, 2006 1:04 PM | Report abuse

Right on. I use firefox, just a statement, nothing else. However, whenever I am on the net, I use an XP account that doesn't have admin rights, in addition to my firewall. When I'm not on the net, I set my firewall to block all net activity, incoming and outgoing.

I've had my PC for over 3 years now and I have never had a virus or anything else, except the horrible, slimy thing that came courtesy of Sony records in their greedy attempt to control music that I paid for instead of downloading for free. That'll teach me to be honest and stuff.

Posted by: Constance | September 19, 2006 1:46 PM | Report abuse

Tell me, why doesn't the story tell everyone that it only exploits IE5 and 6.01? The way the story tells it, all of MS IE is exploited, IE5 thru IE7. Please tell the whole story next time.

Posted by: mac | September 19, 2006 1:56 PM | Report abuse

No one would say I was a freak or tool or whatever, if I hadn't made allusion to the whole Mac arrogance thing. Mac-o-philes frequently ignore that enterprise level sysadmins - those who are most affected by these endless exploit-patch cycles - have NO CHOICE to switch browsers, or operating systems because line of biz apps only run on Windows and IE. Thus, my suggestion to run browsers in virtual machines on Windows keeps the malware in virtual machines, and off the host. It's certainly a more feasible solution than just saying "Buy a Mac!" And it costs a lot less.

Posted by: Tim B | September 19, 2006 2:51 PM | Report abuse

Quis Custodiet Ipsos Custodes?

When are we going to learn that the foxes at Microsoft have no business guarding our internet chicken-coops ?


Posted by: GTexas | September 19, 2006 6:22 PM | Report abuse

Here is a link to the Microsoft security bulletin on this vulnerability (KB925568):
http://www.microsoft.com/technet/security/advisory/925568.mspx

There are some suggested mitigations, including unregistering or modifying the ACL for the relevant DLL (vgx.dll) -- probably not for the faint-hearted. It's not completely clear from the bulletin, but I don't think that turning off scripting will protect you in all cases. The vulnerability seems to be in the processing of the VML itself.

Posted by: Rich Gibbs | September 19, 2006 11:26 PM | Report abuse
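The two vgx.dll workarounds the comment above refers to, written out as an added PowerShell example that is not from the post or from Microsoft's advisory; it assumes vgx.dll sits at the standard IE install location below (the page does not state the path) and that the shell is run elevated.

```powershell
# Added example (not from the original page): apply and verify the two
# vgx.dll workarounds mentioned above. Path is an assumption, not page content.
$vgx = Join-Path ${env:ProgramFiles} 'Common Files\Microsoft Shared\VGX\vgx.dll'

function Test-VgxPresent { Test-Path -Path $vgx }

# Workaround 1: unregister the VML renderer so IE can no longer load it as a
# COM server. Re-run regsvr32 without /u after the October patch is installed.
function Disable-VgxRegistration {
    if (-not (Test-VgxPresent)) { Write-Warning "vgx.dll not found at $vgx"; return $false }
    & regsvr32.exe /u /s $vgx
    if ($LASTEXITCODE -ne 0) { Write-Warning "regsvr32 exit code $LASTEXITCODE"; return $false }
    return $true
}

# Workaround 2: deny Everyone all access to the file. This is the blunter
# route the comment calls "not for the faint-hearted"; remove the deny rule
# again before patching, or the update itself cannot replace the file.
function Block-VgxAcl {
    $acl  = Get-Acl -Path $vgx
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                'Everyone', 'FullControl', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $vgx -AclObject $acl
}

# Verification for workaround 1: list any CLSID whose in-process server is
# still vgx.dll. An empty result means the renderer is no longer registered.
function Get-VgxRegistrations {
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.PSPath 'InprocServer32' } |
        Where-Object { Test-Path -Path $_ } |
        Where-Object { (Get-ItemProperty -Path $_).'(default)' -like '*vgx.dll' }
}

# Verification for workaround 2: show the deny entries currently on the file.
function Get-VgxDenyRules {
    (Get-Acl -Path $vgx).Access | Where-Object { $_.AccessControlType -eq 'Deny' }
}
```

Run Get-VgxRegistrations and Get-VgxDenyRules before and after applying either workaround to confirm the change actually took effect on the machine.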

Just another thing to make one wonder why "the world's biggest" software manufacturer can't produce a single piece of good software. Not one. Not even a simple instant messaging program...

Posted by: quitnus fabius | September 20, 2006 3:04 AM | Report abuse

Brian what ever happened to your report on the "Hijacking a Macbook in 60 Seconds or Less"?
http://blog.washingtonpost.com/securityfix/2006/08/hijacking_a_macbook_in_60_seco.html

Going on almost 2 months now since their demo, did they ever prove or disclose how they were able to hack this MacBook?

Posted by: Bob AB | September 20, 2006 6:03 PM | Report abuse

Are we talking IE 6.0 or 7.0 beta RC1?

Posted by: Nickolas | September 21, 2006 12:40 PM | Report abuse

no comments

Posted by: Stephane | September 21, 2006 5:52 PM | Report abuse

RE VML flaw.
Go to www.grc.com for a temporary "fix" for this problem. Hope this information will help.
John

Posted by: John E Shore | September 22, 2006 7:46 AM | Report abuse
