|
|
|
Spyware, Bots, Rootkits Flooding Through Unpatched IE Hole
By: Ryan Naraine
2006-09-19
Article Rating: / 1
There are 0 user comments on this Network Security & Hardware story.
The latest zero-day flaw in Microsoft's Internet Explorer browser is being used to dump a massive collection of bots, Trojan downloaders, spyware and rootkits on infected Windows machines.The newest zero-day flaw in the Microsoft Windows implementation of the Vector Markup Language is being used to flood infected machines with a massive collection of bots, Trojan downloaders, spyware and rootkits.
Less than 24 hours after researchers at Sunbelt Software discovered an active malware attack against fully patched versions of Windows, virus hunters say the Web-based exploits are serving up botnet-building Trojans and installations of ad-serving spyware.
"This is a massive malware run," says Roger Thompson, chief technical officer at Atlanta-based Exploit Prevention Labs. In an interview with eWEEK, Thompson confirmed the drive-by attacks are hosing infected machines with browser tool bars and spyware programs with stealth rootkit capabilities.
The laundry list of malware programs seeded on Russian porn sites also includes a dangerous keystroke logger capable of stealing data from computers and a banker Trojan that specifically hijacks log-in information from financial Web sites.
According to Sunbelt Software researcher Eric Sites, the list of malware programs includes VirtuMonde, an ad-serving program that triggers pop-ups from Internet Explorer; Claria.GAIN.CommonElements, an adware utility; AvenueMedia.InternetOptimizer; and several browser plug-ins and tool bars and variants of the virulent Spybot worm.
eWEEK has confirmed the flaw—and zero-day attacks—on a fully patched version of Windows XP SP2 running IE 6.0. There are at least three sites hosting the malicious executables, which are being served up on a rotational basis.
In some cases, a visit to the site turns up an error message that reads simply: "Err: this user is already attacked."
The attack is closely linked to the WebAttacker do-it-yourself spyware installation tool kit. On one of the maliciously rigged Web sites, the attack code even goes as far as referencing the way Microsoft identifies its security patches, confirming fears that a well-organized crime ring is behind the attacks.
The URL thats serving up the exploit includes the following: "MS06-XMLNS&SP2," a clear reference to the fact that the flaw is a zero-day that will trigger a quick patch from Microsoft.
A Microsoft spokesman said the company is aware of the public release of detailed exploit code that could be used to exploit this vulnerability. "Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the users system. Microsoft is aware of limited attacks that attempt to exploit the vulnerability," the spokesman said in a statement sent to eWEEK.
The company plans to ship an IE patch as part of its October batch of updates due Oct. 10. An emergency, out-of-cycle patch could be released if the attacks escalate.
Microsoft has added signature-based detection to its Windows OneCare anti-virus product. A formal security advisory with pre-patch workarounds will be posted within the next 24 hours.
 Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
|
|
�������xv6(;^+(gL햲dKnkb[�Kݞ9giQ$$1H�IVfK?/qT�M�Z%ٻ;-�D�U*�
w�}Aȅ3!9)ٟ0O-��Ij}݇P�AeFAU�M7
J�Զ�O7�RM3i��/4�w�7GlJ A���:':D�PL5
MH�}ٚ��7�'x2)X��$8��v@'A�jZ$��6m��(GJ��{<�K���E!H�c�oquB)~{
Cw&�tb9�Q��)+Jt/"(?c&�c-4rFwA�̚2Pcw��Ҵ��Gdd�vux�;2oF֠Cl�u�y!l�
�1#oKݿ!HݤNoޤ@d`jId:D:",���#63!1�kT%R>l[}@�ݑ�[cXsIVH��aSӤב�?TBRp`�V�G?j%yp�Ol+�;)\x uȭC�¿{��߂#ݸ1ܷM[b�6�Z ۆ@ظz00!}�%�DhOǍ�Huhs�2�
eþ;JP+qV�*cgQ`9�ؖ3p*s~3�_~_(UU�=.�#[w
u�P\vOozـ\>w..>ȣ-�N.�� [oL�0QR�&jt�5M0\ܱ¬:cU?Z�܌vO|��g6~�b
M���u�ô�W+Z�vtC!Ժtr=%�IoK�?���;BesU З?�7#R(E34�i[��2)�-ߖIf@�[�)�@( �k:���YKS7B��3��KsQ8�n�ZK�0�[RFp�\� Д��Q�#\ذ�1�"%̟iJ@O�XZދ�"�}Et"Ayi>�]Q4{3B�ɽ`g@IE�!\J�!}!
g�|�8S%Kus7p�W-czjNڊ1Wr{禿,1e�ޡ:Y5tiuO~�S�%g�5F4�,i�eݴ%!��8WoۛZzOVq�**r[T�Qn�ũl�:2X�
jXR7XaQ�ǟl�A`�:�g1>QӚ�#qRO#Gs�>H2胎6mb8�-�"�
,70}Hw@zqI�4wX�8|}Zc�O6�/|�\a���^��i$�>6(Z\?`�
V�Cf@B랂9����ޚA�"�Qޚґ4�a���q�j 8=�*~s��=��{`� ��њ�uG
&��SsnPB�=�J�dN˵�K��] cRRR$S_�]HPw9�DJ�
B�!B��0H��V0(� a�r
T<��ʶ�B�I��cvn2�V�{T�Kh!+�K@fsfd(4{~4�cbB�|#'f�Xr`Y
�\d+|�^h)lc
lԨ[6؛ri:|:ioBg<��0���Һ:-$-X� I[��$%\Ew,t�3�AP��C1!q"=%�t0x>f"̴b֜�E�i|X#,T6n,��S˘
R
�g?f0-���qڛ�uV<ۢf|a* ,q;r�ׁ�fX8oȣ�=p
�TfYv�Y۶h
|T&](\u�I�J&��k:HY3�j-yrD�rm
�־�O7�\EYbꁦq�H1g0d0{V@q=13�7R�tgZ�C+>q^i:[@�Oe{kfTIn^ӛAr ~ޯ�R[k�ҁY�%��9&ۊxceƠ�umLGe+-m"��
IHf�(XKke�zlxE���D6*�Cô
7=���}0�V5))Ka�W4E%sXf&`ܱ�
&���P
���wS~8��;[0P!k�^GgV�u<]|$}��r;C6�]���S�p>x>JeH�כAB6ҧ��;BSjj�33�-F �
o�_�׆�K c*8t̳tgyq8XY�:tՒ��үxO泛Np��u�Gу�9Je!6�c�{e/6�{ӞW+H>LZ`!?ՊRRՄ4'���i/#Y���X6Tصm!0}�ugAPOKK˙@�'�@&"Y#�gѠV���Ē8vYPzP*
�W�G˿\�fc�p'zpg�I�7�Ѿ'hʰe�Yh`Zu'6$kD(�OqӞ�rFVyUBYa0O#ykR^K?M
qYj8Q�7�cSO@X��5�ǡ;��S�翢7~��g2�-s�pHo)��:��gn�%'�שUXT8ᔱe���1`7
$̮�fG`Ó
R)ψP^Cs�2]*W:h3�si��z<_?9!�e>c'^}R�c'o�:Z�$t'n=��UI�%T[b5�Ji�Qx`�f�zli�y�_7)~(zC9�m��uA>�T�U]~T�#U\+ԊR?ETAtU] n?cVPVW`Zd&�\%\s�L�i0(Q빋a fT}Z/)+iQ/
~ dwm!�� ���E�&7
u�
Yx\�XLd;}�X^�5MtX�"Hq'ZP`V$": 7�Cw�d',�BGI}? �\%�I's3ҿn���BDo0|7=���#S�GRie�mR�ߓJ\Z 8Z�rV�S�"YKrv�zJ5+d��<� �j�;!$|{W
!&1ǷWX�L]���tK�O%EDOC�Vi&�gX&�JU�f4A<8&/?�C�85@���E1v܆kJV�~�ZgZ�Sq=Κb2�{?w}wm�ΏHIcgtֺ^|9#@&̫�H;At�#:Lx>��%<�8W{T ,j~xtՖ�~t1���}L�@IP
��4 7?&Y�#O2nw>J7�6zv9�D���2SH#�U9
�K�u{%d}ڻz{ՑҽN
zע �7*E�ˁB�<�Mt�y)q�fڎ7�MJ,�$L=\?ֈd�Ȱ
�6 �J*XťwpfjZ�^/k=W'�17L�U8ވFh6;²V�XȬe`&|oH:|X1�b��X��H\�R
~tDۿh}Olgu�؋^k �
m D785�C*QW22�Eh�i�A&;�g
<"D�9FWxDwDpoEr�}#wnSo2MĜ�yk�NEm 펧{-~=�p��rv��G�P2)B~(IZ;Ũˢ
ݖ2h�9K:)�Oz.ϕp��|Ni�'i^VӲQ6T$��4%�44ALN�C]A+d#g�ҿn]mOp6<5ޥ]ƙWxvImc%ytrŹ*kE�e85(Au�M�H�IFiI g֢Ѭ]}+
ɏ�x���R̅0O�"� f�Ү�zX,�гO5nf�}z@Q��-gFq?Kmظ�N*rb*9,_�Aݾne)ܱ�r0�jw�操�~{j9Л�3}A&ԢnL q;�f='�9��X�1#6q=��p�v#({A�\AFFTrk�㻞�Zt
�VdaRxa9yh3r�?ހ.��Һ28�5LN:0�g,H~ Zн�>��{l&�|)'A�ޚ�u�haXKono6a4�ݣR:_�Kѧme��4
tijVT�cf{i6$B�UU+j��A\8%/+dxrt2��ע �@7YM��(f~Z;pGʠ%c�cmf�}ݸ;w{f�1vi�Én�JP���Y>�]aw�PxI=)TÞ6YiEu�/K\�-"Pnz${II5)ts<-K`RTo�y^v} m$>?G{o D:*t'�y�||ng �yi�襎�D,滂;��a!3,"��а�5]m)��H!q��' !4T4x�l|n�wkJbjl�� <1Q�h�)q��٦h��
["
6a'�FYC,g
p$|+؊w�O_��o+NO֊�3W��p?Mj
wS�-p+�W��.w?.FӞ܊�NQ@(|�2.mE�>zQ%Fc?YS+xϗiL@g�4ۺG�YsrR�Cy_[;t|�ڰ��n�ˉ�E��$O`�~`Է %;?$A� ]9A�)tl�u�>�\��nB0NS��.o!3i7i]G�&]S�#ٱl#10L�x�!~�!���Ù�˿�-tf�}'"G��ʻ�,�2^� jjx/O/`�{e�&Ĥڍ��>^ -QXrc2�V1r?Lh%��s 6*s1TR?���i�r�7� _L�KZg<&,ʨ
S>w�B25=�c��*i�134o�RuLd�J#1�C8�*�}8r.�;3&J*�/UJ^�,ג}rLAJd埇]qF"u�/*I�=uNaI礎g`r�(Kj%I4�J�r1"My
5��J%POtɵ
b �xlT.C c(�ȺMph���=g-,Uf�\�45%�z�\|�?:\�T#fE@4F({#�1Y� ��D >P�7_w�uZMR)�n �)s��r[)
�u;�>.�C��sJ�O�12_vsצ�U1��c[����!��4@��ĠIC�RFD�*{�dKSr'RϦFuW._�3|�[CI=|>>Ð�2bϬV'�o�x�\2�u63�ohw"6cXjmǷ���o�H6X� @K�8zFk{",nz0C�� �0kk� �4�Nu;_�ϼ�"J:͗B؉]A�lˮWgWtܰw|+��Rn� V���s͟sv{yG�\6RD��Sкx�Ճ9c|�gSsBߘ2c{b4wKy}�i[H}(Hi[�XgK&
"7�+�2Q3��lmjʻ�vͧrT_1ڒN\7�S7d8lM"
*�
":_P�R3xˡ{}'!̇c�+J8I]?&`2��5]H0�JBj+��*1keU7v�fp@ZCX�`��X@rǘ4m10U4I��pe�mV! � /юq�oi��u$iK�~O��ۍ��5�]XSª n7O#�4r'_k"b?̳��;�N27MzDwCf��]Ue_� hgyy{i_�S�"B:�<)Ԋt�sL5u=bfJL}YΌw� �� .S�BE3-bų+]kKn�Q+u�$[>.ܑ�3w4T].1ŵk�z�roK.p%,\
~Mͷ;J"|N-0lnۻ6k9
{ݟs۔Z#w�r�^63 MW9lsjx�6ok�cE Z\<2�t1Q��o\����s=FM%�\Qpމ�HoO{�ݜ'}ދNaU�gw���_g˛j'.�ʹh�zm)��}M�\!W{qcK ߃r:�̝IEF�̮1���qI;6;wj\8fER��m��[�o�fK6௶�a}�^�\j$�|`�+Z~mĬә{OW^+e)�Zn}-S;`(}&4p�@m�AɼW�Hj:! RJD:`���F3VL��2G�J63Jj`�p�ED�VSt��rMz�<�sZ;L�>c {jW闶Upħ%y d
�e-^~�'KAatx��j=�-Tw߁^<@�Y!&�-30&[i3ů#?Ҹ{l`1tq*��o��(�.7���~�X67ཆ
~V�xrϪv�^'F�+� 㱓�QYH鎸:-AҘX?_Cn~(Rp7g�@�a]I��Ye�ͦ.��0�m0By��꤯�7v.F�9L]kK�QXcJ:*{u��k~;{х�٧0�G���_H&��Dcঐ_T?���o�N
=vgx��� |XUrc[Q|[��SSU~�kK[,zŭ+p�AYê)"(lsh�F]̑�26,ܠ��A\ۦv�C75Ns�.%J�({ôeXL]E��a�!/(�/.�~�aI{ō<&$9�q}͛x� �+բ�~KZ�# �O��]�c)i��Ň!^G E!Lj>p(h#8YL˃y��ԣ,~Q8gFS�Y�h9J�ncjF]j5P]/O?�P/�K�]ZX:Ȓ~WeL<^_A�S+ iM��u"�r*ރ0H>PSa`H UH+4h 9^D/k�!O69^�3#l@�&O/�lMO/LtT8Ow|
e�-�JfDk9m�ǘ}ki��#PxA��p3�SK�CR�<6$Ae�ȇ5T?�0'
)U�8O5�n�UPD8AHer6
_{B'`D@� XPp���]I9�T~f
Nǧ�d�>�M�Qx\Jӑu
/`�|$z6̥7f{@\q
81q,�-E|E|z['Au}�>l1d珖+62�1���^
�_�a]�Z�rչ_t�M�=<�2��Lp@R�{.�gZ��}Phb<[ٱ"t8@�!'v�
2;1T"aK�.����!�G\oX|J7�1[�>�BZ�p4c��?�/7W}P)a�#{~�����LƘ
D"´"c�)41GJ[#1}Os?��~I79t)�45aBX���RAA�]Bŏ6"))Ĵc1C�LD:oXaٌ4m^kLJry:2 gW�S�r?ԙpm.4�EqɃw�]d;�<�ĩ;�^< JWz�o&Ll��7=vkJr�/OПgg:ޖZ�9u�!65BA5{J�c>6
5N>{0.8���SL~s: N�ԼVxu�xS�S+S~�7O[�rʑ�@v'�O7�}r�1�?AB.4r_7^C9_h)�_6_��x#X\�9_�<@�^�}.ss _ yß92zg(S~�9_BeN9U^\�U@rO�K/G\�\5ԿΩ�s?}�?���P埀>g(W�}3s�n6�6oۜons/=IR<��9k]T�$RhK
"~
)�PWg9PϪ
��~2:R�@~W~_} kN+ťfW�*7KL썆cn-:AbCa �c|:�,y&����)htVydSr�bye?VRRw;]�Cڤ\�z.�{]�W[O'i��kz(#s<2g)�h{U2�6#�{"�c7���|,y��|8SNtw<17 Q-c�#}q�8�&,OArr m�v3})^�ća�^vCg>k'[_
}�F`ͼTV�)pF;F,R+|c ,>z��Oa4ܧ�fƔC=�կIF�.{2�"ބP?͡a[�C �o>eM+5VkZpWrD&70q����z@���PdU:��.�UJ�0�XR��/�s>P�`26UF`��Ԋ�z!O J1��4�`tK_c4wp%E�?!O'�*
^ʘH,%Nj�æJጽID�ʑ�$`
�f�A0Jb/�c{��z=�8$KRy0`;fͬf��.fж!K؊ET-#G6)�jn�,ID�O�j;L�eރz�r��a�E�1`˫B0H�tE��$0y."�^K�%�3i -`Z}�nҘI�R�I��JxLkT橘�Z|6S�bZ�J.bG���Z�zhLS,gjvs��O��Fd}#�Oaq�1<̡PlDm (~%.,wjsSXyȅ=y�1G/A#ش�B='E�fKH"L'l�/>[o�,�*1 {��;kh.4�s `����C�{9B9
H|\,��<##1ˌY�MS�G:�U|6�a8Yzt>�\��ł72FX`^̀ԛ�Zd5\�A]���6LGÇ5 (T'z�)>�yϐ��їh�:"QF�AG�}FV垓g�_7�b
Ge&�3@p�+�#]|e�KF$u�g�
�;EϩnS�C��>X�Y��c.-s(ŬBSd�<�)�Pg[nE'\��<>c�iЄ.ap穎ml��U|��J��A1Yp9<Щ0�O�Jv��E=b�\�v�Qm`#xaW�Ai`P,�l�p/>S�wϏq�`�3[﮳~�g[8K�iZ�� e�pClkIW�{{Q0��&iEȓl`C�v�_)~ph;?�2Y�A� wVǰ�-XR!&ۅ�?�O80�Ux|�-h\�}{X\e,8Lgނ"?�X=�ODN<<�Sf )`�|@t&W3.r�W���<�aep��|܍W�X�Yj .�_xH%L}Sw�
�qR�O�(Uƥ>x>8ZS|ڻ$`֍;^z:MU[^Q��- Nɂ`�RY{v{1"׳o�
.A|>Ǩy6�#x�L�
-2�VjwN㛾VtƦ�I:1qzr륭Q'b(5�lS2G4K�_jj64>S9v�7v6Є
��'nM�v�bes�WSr�^(��
|
Network Security & Hardware 
