Researchers at Exploit Prevention Labs, an Atlanta-based Internet security outfit, said several bot-seeding scripts are targeting the MDAC (Microsoft Data Access Components) flaw covered in the software makers MS06-014 bulletin.
"Ive seen three different scripts in one week. Thats an indication that at least three different [hacker] groups have independently worked out their own exploit," said Roger Thompson, chief technical officer at Exploit Prevention Labs.
"As far as I know, there has been no published proof-of-concept for this exploit. Usually, they will simply copy and paste a published exploit with their own payload. But, it looks like they are now reverse-engineering the patches themselves," Thompson said in an interview with eWEEK.
The flaw is a remote code execution bug that exists in the RDS.Dataspace ActiveX control that is provided as part of the ActiveX Data Objects distributed in MDAC. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
In the latest attacks, Thompson said, Internet users can become at risk by simply browsing to a maliciously rigged Web site or opening a specially crafted e-mail message.
In some cases, banner advertisements on Web sites can be used to deliver the payload to vulnerable, unpatched machines.
Thompson said the attacks include the use of a downloader that puts the infected machine under the control of attackers. "Once the downloader is installed, that computer is now owned by the Web mob. They typically just hose the machine with spyware and fake anti-spyware programs. Its all about using that machine to make money," he said.
Thompsons intelligence network found the exploit seemed related to the WebAttacker do-it-yourself spyware-making toolkit that is being sold on underground Russian Web sites for about $300 a pop. The WebAttacker kit includes scripts that simplify the task of infecting computers and spam-sending techniques used to lure victims to specially rigged Web sites.
Thompson said the MDAC exploits present a serious threat to corporate Windows users who have not yet deployed the patch. "Some businesses take a long time to completely install all patches. In some cases, they are six months behind."
Of the three exploit scripts nabbed in the wild, Thompson found they were all "complete rewrites" and not simply minor variants, he said. "This is really unusual, and is probably happening because the exploit is not relying on an application crash and buffer overflow, but simply using a feature in MDAC," he said, likening the latest attacks to the WMF (Windows Metafile) zero-day situation in December 2005
"What this means is that its very easy to exploit this vulnerability and, if we can get three in a week, we can expect more. WMF was equally easy, and we had lots of variants of that within a few days," Thompson warned.
He said Windows users using Automatic Updates to apply patches should be safe, but because its a Web-based exploit, enterprise IT departments should avoid depending entirely on firewalls for protection.