Vulnerabilities in Microsoft's Internet Explorer Web browser have been exploited again, security experts said on Thursday, this time by a Trojan horse that redirected traffic from more than 100 popular Web sites to an IP address designated by the attacker.
The Trojan, dubbed Qhosts and Delude.B by various anti-virus vendors, redirected traffic on compromised machines from a large number of legitimate sites--primarily search engines, among them those found at AltaVista, Google, Lycos, MSN, and Yahoo. According to Computer Associates, requests to surf to those search sites were shunted instead to a Web site that was taken offline within 24 hours of the Trojan's appearance.
"This is another attempt by an attacker, probably the same attacker who wrote the original Delude Trojan earlier this month, to hijack Web sites and potentially profit from that redirection," said Ken Dunham, the director of malicious code for iDefense, a 5-year-old company that specializes in security intelligence and provides information to clients through partners such as British Telecom and Japan's Itochu Corp. "It's definitely another exploit of the vulnerabilities that still exist within Internet Explorer."
Qhosts is only the most recent exploit of Internet Explorer vulnerabilities. Starting last week, and continuing over the weekend, others commandeered AOL Instant Messenger accounts and downloaded code that forced users' computers to dial 900 numbers.
The flaw in Internet Explorer stems from a problem the browser has in correctly determining Object Types, and was thought to be patched by a fix that Microsoft released on Aug. 20. But that patch hasn't put a stop to attacks.
"Just by surfing the Web with Internet Explorer, attackers can install anything, at will, on your system and you won't even know it," said Dunham. By exploiting the vulnerabilities, "attackers can use any kind of HTML content to install a Trojan."
As of Thursday, Microsoft hasn't released an updated patch to close Internet Explorer's security holes. A Microsoft spokesman said the company "is investigating an exploit of a variation on a vulnerability originally patched in Microsoft Security Bulletin MS03-032. We will release a fix for this variation shortly."
Microsoft also recommended that users protect themselves against the newer exploits by changing Internet Explorer's security zone settings to prompt before running ActiveX controls, and although the original patch doesn't cover all the bases, install that fix nonetheless.
Most anti-virus vendors have released updated signature files that will trap Qhosts, and rated the vulnerability as moderate. Symantec Corp. ranked Qhosts as '2' in its 1-through-5 scale, while Network Associates labeled it as "low-profile."
Though Qhosts doesn't seem to be a particularly disruptive or damaging Trojan, and the destination site for its redirection was quickly shuttered--that could easily change, said Dunham.
"The possibilities are very large that a worm could come out of this exploit," he said, due to the tempting target that Internet Explorer makes and how easy it would be to wrap the exploit code into, say, a worm delivered by mass E-mail.
"An E-mail worm that takes advantage of this vulnerability could be devastating," Dunham said. While he doesn't have any direct evidence that a worm is imminent, Dunham did say that he's spotted code on hacker sites, including one based in Russia, indicating that attackers are working on such a worm.
Symantec, which released its six-month evaluation of vulnerabilities and threats on Wednesday, pointed to Internet Explorer as software that IT managers should monitor closely.
Users can protect Internet Explorer against attack, or at least mitigate those attacks, said Dunham, by following Microsoft's advice to disable ActiveX controls or prompt the user before running them. "But another idea is to use a non-vulnerable browser," such as Netscape Navigator, Mozilla, or Opera. The Internet Explorer vulnerability "will be a constant avenue of attack, so it's a good idea, and common sense, to have a multiple-browser setup, just in case," he said. "Enterprises could continue to use IE for trusted sites or internally, and another browser to reach external or questionable sites. It would be the best of both worlds."
Machines already infected with the Qhosts Trojan can be cleaned using a variety of anti-virus packages, or cleansed manually by editing the Windows Registry. Instructions for the latter can be found on several security sites.