Rogue MS Word document serves as attack vector

Feb 18, 2009 11:26 GMT

Security researchers from antivirus vendor Trend Micro warn of a new strain of malware that exploits a recently patched vulnerability in Internet Explorer 7. Successful exploitation results in remote code execution: a backdoor is installed on the system, which in turn drops a malicious .dll file.

During "Patch Tuesday" last week, Microsoft addressed a critical vulnerability in Internet Explorer 7 (bulletin MS09-002), warning that it could be exploited simply by visiting a specially crafted Web page. The new malware, which targets systems still missing that update, is distributed by spamming a malicious .doc file.

"This file has a very limited distribution script, suggesting it may be a targeted attack," notes Jake Soriano, responsible for technical communications at Trend. The document contains an ActiveX control which, when executed, opens a Web page serving the exploit in Internet Explorer.

If the exploit succeeds, a backdoor component, detected by Trend Micro as BKDR_AGENT.XZMS, is installed on the victim's machine. The backdoor then drops a further malicious component, an information-stealing .dll file. The stolen data is sent to a remote server on port 443, the malware analyst points out; since 443 is the standard HTTPS port, such traffic is easily mistaken for ordinary secure Web browsing.

In addition to installing the rogue .dll, the backdoor can also take screenshots of the system while it is in use and upload them to a remote location. It connects to a command-and-control server through a hidden Internet Explorer window and awaits commands from the attackers.
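The delivery chain described in the preceding paragraphs (a Word document whose ActiveX control launches Internet Explorer on an exploit page, after which the exploited browser drops and runs a backdoor) leaves a recognisable process tree. The script below is an added detection example written for this page; it is not code from Trend Micro or the ISC. It runs over constructed process-creation records shaped loosely like Sysmon process-create events (the field names pid, ppid, image and cmdline, and every path in the sample data, are assumptions), and it generalises the Word case to other Office applications. The "user-writable path" test is a deliberately simple heuristic.

```python
"""Spot the document-to-browser-to-dropper chain in process-creation telemetry.

Added example for this page; not code from Trend Micro or the ISC.
The records below are CONSTRUCTED to resemble Sysmon Event ID 1 (process
create) events; field names and paths are assumptions, not captured data.
"""
import ntpath

# Step 1 of the chain: an Office document spawns the browser.  The article
# only mentions Word; other Office applications are an assumed generalisation.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
BROWSER = "iexplore.exe"

# Step 2: the exploited browser writes and runs a payload.  Anything outside
# these trees is treated as user-writable (a deliberately simple heuristic).
TRUSTED_DIRS = (r"c:\program files", r"c:\windows")

# Constructed sample telemetry: one malicious chain plus benign noise.
SAMPLE_EVENTS = [
    {"pid": 900, "ppid": 700, "image": r"C:\WINDOWS\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 1200, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE",
     "cmdline": 'WINWORD.EXE /n "C:\\Documents and Settings\\user\\Desktop\\report.doc"'},
    # ActiveX control inside the document opens the exploit page in IE7
    {"pid": 1340, "ppid": 1200,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": "iexplore.exe http://attacker.invalid/index.html"},
    # exploited IE drops and runs the backdoor from a temp directory
    {"pid": 1500, "ppid": 1340,
     "image": r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe",
     "cmdline": "svchost.exe"},
    # benign: the user launches IE from the shell and IE starts Acrobat Reader
    {"pid": 950, "ppid": 900,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": "iexplore.exe"},
    {"pid": 1700, "ppid": 950,
     "image": r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe",
     "cmdline": "AcroRd32.exe"},
]


def image_name(event):
    """Lower-cased executable name, parsed with Windows path rules on any host."""
    return ntpath.basename(event["image"]).lower()


def is_user_writable(image):
    """True if the path lies outside the trusted program and system trees."""
    return not image.lower().startswith(TRUSTED_DIRS)


def detect(events):
    """Return (rule, pid) findings for each suspicious parent/child pair."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for child in events:
        parent = by_pid.get(child["ppid"])
        if parent is None:  # parent not in this batch: nothing to judge
            continue
        child_name, parent_name = image_name(child), image_name(parent)

        # Rule 1: document-to-browser hand-off (the ActiveX control opening IE)
        if parent_name in OFFICE_APPS and child_name == BROWSER:
            findings.append(("office_spawned_ie", child["pid"]))

        # Rule 2: the browser executes something from a user-writable location;
        # escalate when that browser was itself launched by an Office app.
        if parent_name == BROWSER and is_user_writable(child["image"]):
            grandparent = by_pid.get(parent["ppid"])
            rule = "ie_ran_dropped_binary"
            if grandparent is not None and image_name(grandparent) in OFFICE_APPS:
                rule = "doc_to_ie_to_dropper_chain"
            findings.append((rule, child["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Run against the constructed batch, the script flags the Word-launched iexplore.exe (pid 1340) and the binary it ran from the Temp directory (pid 1500) as a full chain, while the user-launched browser and the Reader it started produce no findings. Rule 1 on its own is noisy on hosts where users legitimately click links in documents, which is why the second rule ties the hand-off to what the browser subsequently executes.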

"Although the install base of the IE family is slowly eaten up by stiff competition such as Firefox and Chrome, IE7 is used by about one in every four Web users, a much larger share than previous versions of IE. This could explain why cybercriminals seem to be eagerly searching for more bugs," Mr. Soriano explains.

Bojan Zdrnja, malware researcher at the Internet Storm Center (ISC), has also confirmed and documented the new attack. He notes that, while the current campaign is limited, the vulnerability could easily be exploited on a wide scale. "The exploit targets Internet Explorer 7, but so far it has been delivered to the end user as a Word document. That being said, there is absolutely nothing preventing attackers from using the exploit in a drive-by attack (and we can, unfortunately, expect that this will happen very soon)," the analyst comments.

Mr. Zdrnja also believes that the attacker is likely to have reverse-engineered the Microsoft patch in order to write a working exploit. The success of the Conficker worm has shown that many users and companies are still slow to patch their systems, even when critical vulnerabilities are announced. Everyone is urged to install the MS09-002 update in order to protect themselves from possible attacks and avoid another global-scale security incident.