New IE, Media Player Attacks Begin; E-Mail Lures Users - InformationWeek


05:46 PM

New IE, Media Player Attacks Begin; E-Mail Lures Users

Mass-mailed lures are designed to draw users to a page posing as a Yahoo Greeting Card, where PCs are compromised as soon as they hit the bogus site.

E-mailed bait pointing users to exploits of the still-unpatched vulnerability in Internet Explorer has been sent, a security company said Monday, escalating the threat facing Windows users. In addition, an earlier zero-day bug in IE is now being exploited in the wild, and an unfixed flaw in Windows Media Player is behind a third attack.

San Diego-based Websense said it was starting to see mass-mailed lures, i.e. messages with links to sites hosting a Vector Markup Language (VML) exploit. The sites, noted Websense, are using the WebAttacker "kit" that has been updated to include the VML exploit.

The message cited by Websense drew users to a page posing as a Yahoo Greeting Card. Users' PCs are compromised as soon as they hit the bogus site, since the VML exploit code is hidden in a 1-by-1-pixel iframe that looks like nothing more than a stray dot on the page. The site downloads and installs an IE Browser Helper Object that directs all HTTP posts to forms -- such as a logon form for an online bank -- to a third party. The goal, naturally, is to collect lucrative financial information like bank or credit card account data.
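The lure layout described above, a near-invisible iframe that pulls exploit code from a third-party host, is something a defender can scan for. The following is an added example, not code from the article or from Websense: a heuristic that flags tiny or hidden iframes whose source is off-site. The sample page and host names are constructed placeholders.

```python
# Added example (not from the article): heuristic scan for tiny or hidden
# iframes that load a third-party host, the lure layout described above.
from html.parser import HTMLParser
from urllib.parse import urlparse

MAX_HIDDEN_PX = 2  # frames at or below this width and height count as hidden

class IframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _px(value):
    """Parse a width/height attribute such as '1' or '1px'; None if not numeric."""
    v = value.strip().lower().removesuffix("px")
    return int(v) if v.isdigit() else None

def suspicious_iframes(html, page_host):
    """Return (src, reason) for each tiny or hidden iframe pointing off-site."""
    parser = IframeFinder()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host  # relative src stays on-site
        if host == page_host:
            continue
        w, h = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
        style = attrs.get("style", "").replace(" ", "").lower()
        if w is not None and h is not None and max(w, h) <= MAX_HIDDEN_PX:
            hits.append((src, f"{w}x{h} iframe to {host}"))
        elif "display:none" in style or "visibility:hidden" in style:
            hits.append((src, f"hidden iframe to {host}"))
    return hits

# Constructed sample page: a fake greeting card with a 1x1 frame to a placeholder host.
SAMPLE_HTML = (
    "<html><body><h1>You have received a greeting card!</h1>"
    '<iframe src="http://exploit-host.example/index.php" width="1" height="1"></iframe>'
    '<iframe src="http://cards.example/viewer" width="400" height="300"></iframe>'
    "</body></html>"
)

if __name__ == "__main__":
    for src, reason in suspicious_iframes(SAMPLE_HTML, "cards.example"):
        print(f"SUSPICIOUS: {reason}: {src}")
```

Running the script prints one hit for the 1x1 frame and ignores the visible same-site viewer; the size threshold and the style checks are the knobs to tune against a real proxy log or crawl.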

"Every form entered gets posted to this third party site," said Dan Hubbard, Websense's head of research. "We've seen some of the results," he added, and confirmed that among the information were account usernames and passwords.

"Surprisingly, we haven't seen any mass e-mailed campaign yet, but we have seen some people try to access this site," Hubbard continued. Bugs in the WebAttacker kit's code, he said, may be why more sites aren't hosting the exploit, and thus why the volume of e-mail remains low.

The escalation to e-mail was expected. Last week, security analysts said that the next step for hackers would be to draw users to malicious sites with spammed lures, rather than wait for the unlucky to surf to an infected URL.

To make matters worse, other exploits are now in the wild, including one against IE that preceded the VML vulnerability, and another against at least some versions of Windows Media Player.

"The 'daxctle.ocx' exploit was first just a denial-of-service proof-of-concept, but now we're seeing an exploit against a different function in that animation control," said Eric Sites, vice president of research and development at Sunbelt Software. "This is a working exploit" that can download malware to a fully-patched Windows XP SP2 system, he added.

Two weeks ago -- and just three days after Microsoft unveiled its September security updates -- news broke that Internet Explorer was vulnerable to attack through the daxctle.ocx COM object, which is part of a Microsoft ActiveX control dubbed "Microsoft DirectAnimation Path." Although that flaw was pushed to the background by the more dangerous VML vulnerability, it too has not been patched.

At the moment, the exploit that Sunbelt uncovered drops only one file on a compromised computer: a backdoor Trojan that will likely be used to download and install additional malware in the near future.

The newest exploit, said Sites, doesn't attack IE, but instead targets an apparently unpatched bug in Windows Media Player. The exploit, added Sites, isn't reliable: sometimes it works, sometimes it doesn't. "We're just starting to analyze this one," Sites said. "It looks like Windows Media Player 9 is vulnerable, maybe 10 too."

In other attack news Monday, both Hubbard and Sites said that the number of sites using the updated WebAttacker code remains quite low. Hubbard put it at "only a handful, five or six," while Sites said that "the sites using WebAttacker are not upgrading very quickly."

That, however, could change in a matter of hours.

"That would be awful if they all updated," said Sites, who estimated that there were at least 1,000 malicious sites hosting the Russian-made exploit kit. "We'd be screwed."
