Saturday 13 December 2008

IE Zero-Day Follow-Up: Now Featuring Mass SQL Injections

We recently reported on a flaw in Internet Explorer that could be exploited by attackers, and now a further development has surfaced: the same flaw is being used in mass SQL injection attacks. This needs to be stopped as soon as possible.

Read on...

Malware criminals were quick to pounce on the recently discovered — and still unpatched — zero-day exploit for Internet Explorer and to mount mass SQL injection attacks, Trend Micro researchers have found. Researchers industry-wide have correctly warned that it was only a matter of time before this exploit, which is publicly available, was used for a wider scope of attack. The folks at the SANS Internet Storm Center (ISC) are also reporting this.

Advanced Threats Researcher Ivan Macalintal puts the number of infected sites so far at 6,000 and (quickly) increasing in number. He cites at least two Web sites infected with code that exploits the zero-day vulnerability, one in the .tw domain, and the other under .cn. The first is a Taiwanese search engine [Update: Now clean. -Ed.] which was found injected with the malicious JavaScript code through SQL injection.

The second is a Chinese sporting goods site with a traffic rank of close to 7 million, which was found containing HTML code directing users to a remote site which contains the same malicious script.

Fig. 1. A webpage of the compromised popular Chinese skating/sporting goods site

Fig. 2. An image of an injected redirection to a third-party site hosting the exploit

The final payload is a worm detected by Trend Micro as WORM_AUTORUN.BSE. Other exploits that also lead to the worm are as follows:

  • HTML_IFRAME.ZM
  • JS_DLOADER.QGV
  • HTML_AGENT.CPZZ

The obfuscated JavaScript in the HTML webpages is also detected as JS_DLOAD.MD, the same malicious script found to exploit the zero-day vulnerability in IE7.
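As an added defender-side example (not part of the original post or of Trend Micro's tooling), a small Python scanner that flags the kind of injected content described above: script or iframe tags loading from a host other than the site's own, and inline scripts that use common obfuscation helpers. The site hostname and the sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for a hypothetical site (example.com) into which a remote
# script, a hidden iframe and an obfuscated inline script were injected. The hostnames
# are placeholders, not real indicators.
SAMPLE_HTML = """<html><body><h1>Skates</h1>
<script src="/js/site.js"></script>
<script src="http://evil.example.net/x.js"></script>
<iframe src="http://evil.example.net/in.html" width="0" height="0"></iframe>
<script>document.write(unescape('%3Cscript%20src%3D...%3E'));</script>
</body></html>"""

# Helpers that injected droppers commonly use to hide a script tag from casual review.
OBFUSCATION_HINTS = ("unescape(", "fromCharCode(", "eval(")


class InjectedContentScanner(HTMLParser):
    """Collects (tag, reason, detail) findings for third-party script/iframe sources
    and for inline scripts containing obfuscation helpers."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                host = urlparse(src).hostname  # None for relative URLs (same site)
                if host and host != self.own_host:
                    self.findings.append((tag, "third-party src", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for hint in OBFUSCATION_HINTS:
                if hint in data:
                    self.findings.append(("script", "obfuscation hint", hint))
                    break


def scan_html(html, own_host):
    """Return the list of suspicious findings for one page of a site served from own_host."""
    scanner = InjectedContentScanner(own_host)
    scanner.feed(html)
    return scanner.findings
```

Run over pages pulled from the database (where the SQL injection lands) rather than over the live site alone, so stored injections are caught before they are served.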

Microsoft posted revisions to its Security Advisory with the latest analysis of the underlying flaw in this attack. The advisory also states that Microsoft Internet Explorer 5.01 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1, Microsoft Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 on all supported versions of Microsoft Windows are potentially vulnerable.

The Trend Micro Smart Protection Network already detects the malicious scripts as well as WORM_AUTORUN.BSE at the desktop level, and provides solutions for the removal of the worm.
