Washington Post
Newly Detected IE Exploit Spells Massive Spyware Trouble

A previously undocumented flaw in Microsoft's Internet Explorer Web browser is reportedly being exploited by online criminals to install an entire kitchen sink of malicious software on any computer that visits any of a handful of sites currently exploiting the vulnerability.

Researchers at Sunbelt Software discovered the exploit last week while conducting some routine online surveillance of known crimeware gangs. According to Sunbelt researcher Eric Sites, the exploits at the moment appear to be hosted mainly on hardcore porn sites. But if past experience with new IE exploits holds true, we may soon see this exploit being sewn into the fabric of legitimate, but poorly programmed, business Web sites that hackers can manipulate to their advantage.

According to Sites, among the nasty pieces of software an IE user can expect to be whacked with upon visiting one of the sites is the BigBlue keystroke logger, which monitors and captures data from computers including screenshots, keystrokes, web cam and microphone data; it also records instant messaging chat sessions, e-mail information and the Web sites visited by the user.

The exploit is also being used to install the incredibly invasive Spybot worm and VXGame Trojan, as well as adware titles that scam artists profit from on a per installation basis, such as Virtumondo, SafeSurfing, Avenue Media, WebHancer, Internet Optimizer, SurfSidekick, DollarRevenue, and the bogus anti-spyware program SpySheriff.

And that's not even the half of it, Sites said. "We haven't even fully analyzed this piece of malware yet."

Sites said Sunbelt had notified Microsoft of the discovery. I put in a call to the company late Monday but haven't heard back yet. I will update the blog when I hear back or when the company issues an advisory about this.

This whole thing is starting to smell a lot like the activity that preceded similar attacks on an unpatched IE flaw at the beginning of the year. For a week or so at the end of 2005, a handful of crime groups were using an undocumented IE vulnerability to attack people who visited a small number of fringe or hardcore porn Web sites, and Microsoft downplayed the threat from it by noting that fact. As the new year arrived, however, hundreds of legitimate Web sites had been compromised and were installing spyware on the computers of any user who visited them with the IE browser.

"Usually, as soon as we see these things in the wild like this they start spreading very quickly," Sites said.

Sites said the flaw appears to be the result of Microsoft's implementation in IE of "vector mark-up language," or "VML" for short -- an XML Web programming language used to create scalable graphics.

This new exploit, combined with two other publicly available exploits for a separate, unpatched IE flaw, should give pause to anyone using the Microsoft browser. My advice: If you or someone you care about is in the habit of cruising the Web with IE, now would be a very good time to get acquainted with another browser that doesn't use IE's rendering engine, such as Firefox or Opera.

But if IE is your browser of choice, make sure you have Windows set to receive automatic software updates, and be very careful about visiting Web sites that are off the Internet's beaten path.

Update, Sept. 19, 12:06 a.m.: I neglected to mention that IE users can mitigate this flaw by disabling JavaScript in the browser. To do this, click on "Tools," then "Options," and then on the "Security" tab, scroll down to the section marked "Scripting," and select either the "prompt" or the "disable" option for active scripting.