Dec 29, 2010 09:22 GMT

Security researchers from Trend Micro have intercepted a new drive-by download attack which exploits a critical Internet Explorer vulnerability in order to install multiple malware components on targeted systems.

Drive-by download attacks are a common and effective malware propagation method and are usually launched from legitimate websites that have been compromised.

They involve exploiting vulnerabilities in outdated versions of popular applications like Adobe Reader, Flash Player, Java, Internet Explorer, Firefox or the operating system itself, in order to silently infect computers.

The exploit used in this case is detected as JS_SHELLCOD.SMGU by Trend Micro products and targets an IE vulnerability patched in Microsoft's MS10-090 security bulletin released on December 14.

This bulletin is rated as critical and addresses a total of seven vulnerabilities in Internet Explorer. Trend Micro does not mention which one is targeted in the attack, but the most likely candidate is CVE-2010-3962.

CVE-2010-3962 is an uninitialized memory corruption vulnerability, which affects all supported IE versions (6, 7, and 8) and has been actively exploited in the wild since its discovery at the beginning of November.

Proof-of-concept attack code was later published online and, according to some reports, the exploit was even integrated into the Eleonore attack toolkit.

Trend Micro also mentions that a second exploit, for an older IE vulnerability, is being used, and identifies the downloaded malware as TROJ_LAMECHI.D, TROJ_DLOADR.DAM, TROJ_GAMETHI.FMS, PE_PARITE.A and TSPY_ARDAMAX.HR.

It's worth noting that one of these threats is a trojan downloader, whose purpose is to download and install even more malware. Another is a trojan that steals online gaming information, and a third is an .EXE file infector.

Users are strongly advised to keep their applications and operating system up to date in order to avoid falling victim to such attacks. Running a capable antivirus program with a Web protection component is also critical for blocking zero-day attacks.