OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[ISN] Spyware, Bots, Rootkits Flooding Through Unpatched IE Hole

From: InfoSec News (alertsinfosecnews.org)
Date: Wed Sep 20 2006 - 05:08:04 CDT

http://www.eweek.com/article2/0,1895,2017626,00.asp

By Ryan Naraine
September 19, 2006

The newest zero-day flaw in the Microsoft Windows implementation of the
Vector Markup Language is being used to flood infected machines with a
massive collection of bots, Trojan downloaders, spyware and rootkits.

Less than 24 hours after researchers at Sunbelt Software discovered an
active malware attack against fully patched versions of Windows, virus
hunters say the Web-based exploits are serving up botnet-building
Trojans and installations of ad-serving spyware.

"This is a massive malware run," says Roger Thompson, chief technical
officer at Atlanta-based Exploit Prevention Labs. In an interview with
eWEEK, Thompson confirmed the drive-by attacks are hosing infected
machines with browser tool bars and spyware programs with stealth
rootkit capabilities.

The laundry list of malware programs seeded on Russian porn sites also
includes a dangerous keystroke logger capable of stealing data from
computers and a banker Trojan that specifically hijacks log-in
information from financial Web sites.

According to Sunbelt Software researcher Eric Sites, the list of malware
programs includes VirtuMonde, an ad-serving program that triggers
pop-ups from Internet Explorer; Claria.GAIN.CommonElements, an adware
utility; AvenueMedia.InternetOptimizer; and several browser plug-ins and
tool bars and variants of the virulent Spybot worm.

eWEEK has confirmed the flaw—and zero-day attacks—on a fully patched
version of Windows XP SP2 running IE 6.0. There are at least three sites
hosting the malicious executables, which are being served up on a
rotational basis.

In some cases, a visit to the site turns up an error message that reads
simply: "Err: this user is already attacked."

The attack is closely linked to the WebAttacker do-it-yourself spyware
installation tool kit. On one of the maliciously rigged Web sites, the
attack code even goes as far as referencing the way Microsoft identifies
its security patches, confirming fears that a well-organized crime ring
is behind the attacks.

The URL that's serving up the exploit includes the following:
"MS06-XMLNS&SP2," a clear reference to the fact that the flaw is a
zero-day that will trigger a quick patch from Microsoft.

A Microsoft spokesman said the company is aware of the public release of
detailed exploit code that could be used to exploit this vulnerability.
"Based on our investigation, this exploit code could allow an attacker
to execute arbitrary code on the user's system. Microsoft is aware of
limited attacks that attempt to exploit the vulnerability," the
spokesman said in a statement sent to eWEEK.

The company plans to ship an IE patch as part of its October batch of
updates due Oct. 10. An emergency, out-of-cycle patch could be released
if the attacks escalate.

Microsoft has added signature-based detection to its Windows OneCare
anti-virus product. A formal security advisory with pre-patch
workarounds will be posted within the next 24 hours.

_________________________________
HITBSecConf2006 - Malaysia
The largest network security event in Asia
32 internationally renowned speakers
7 tracks of hands-on technical training sessions.
Register now: http://conference.hitb.org/hitbsecconf2006kl/