AOH :: ISN-3027.HTM

Spyware, Bots, Rootkits Flooding Through Unpatched IE Hole

Spyware, Bots, Rootkits Flooding Through Unpatched IE Hole
Spyware, Bots, Rootkits Flooding Through Unpatched IE Hole

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

Content-Type: TEXT/PLAIN; charset=UTF-8
Content-Transfer-Encoding: QUOTED-PRINTABLE,1895,2017626,00.asp 

By Ryan Naraine
September 19, 2006

The newest zero-day flaw in the Microsoft Windows implementation of the 
Vector Markup Language is being used to flood infected machines with a 
massive collection of bots, Trojan downloaders, spyware and rootkits.

Less than 24 hours after researchers at Sunbelt Software discovered an 
active malware attack against fully patched versions of Windows, virus 
hunters say the Web-based exploits are serving up botnet-building 
Trojans and installations of ad-serving spyware.

"This is a massive malware run," says Roger Thompson, chief technical 
officer at Atlanta-based Exploit Prevention Labs. In an interview with 
eWEEK, Thompson confirmed the drive-by attacks are hosing infected 
machines with browser tool bars and spyware programs with stealth 
rootkit capabilities.

The laundry list of malware programs seeded on Russian porn sites also 
includes a dangerous keystroke logger capable of stealing data from 
computers and a banker Trojan that specifically hijacks log-in 
information from financial Web sites.

According to Sunbelt Software researcher Eric Sites, the list of malware 
programs includes VirtuMonde, an ad-serving program that triggers 
pop-ups from Internet Explorer; Claria.GAIN.CommonElements, an adware 
utility; AvenueMedia.InternetOptimizer; and several browser plug-ins and 
tool bars and variants of the virulent Spybot worm.

eWEEK has confirmed the flaw=C2=97and zero-day attacks=C2=97on a fully patched 
version of Windows XP SP2 running IE 6.0. There are at least three sites 
hosting the malicious executables, which are being served up on a 
rotational basis.

In some cases, a visit to the site turns up an error message that reads 
simply: "Err: this user is already attacked."

The attack is closely linked to the WebAttacker do-it-yourself spyware 
installation tool kit. On one of the maliciously rigged Web sites, the 
attack code even goes as far as referencing the way Microsoft identifies 
its security patches, confirming fears that a well-organized crime ring 
is behind the attacks.

The URL that's serving up the exploit includes the following: 
"MS06-XMLNS&SP2," a clear reference to the fact that the flaw is a 
zero-day that will trigger a quick patch from Microsoft.

A Microsoft spokesman said the company is aware of the public release of 
detailed exploit code that could be used to exploit this vulnerability. 
"Based on our investigation, this exploit code could allow an attacker 
to execute arbitrary code on the user's system. Microsoft is aware of 
limited attacks that attempt to exploit the vulnerability," the 
spokesman said in a statement sent to eWEEK.

The company plans to ship an IE patch as part of its October batch of 
updates due Oct. 10. An emergency, out-of-cycle patch could be released 
if the attacks escalate.

Microsoft has added signature-based detection to its Windows OneCare 
anti-virus product. A formal security advisory with pre-patch 
workarounds will be posted within the next 24 hours.

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

HITBSecConf2006 - Malaysia 
The largest network security event in Asia 
32 internationally renowned speakers 
7 tracks of hands-on technical training sessions. 
Register now: 

Site design & layout copyright © 1986-2015 CodeGods