Crime Ring Targets IE Setslice Flaw

Russian cyber-crime group launches attacks

In-the-wild exploits against the latest unpatched Windows vulnerability have started circulating, using Internet Explorer as the attack vector to load identity theft Trojans and rootkits on infected machines.

The exploits target a Windows Shell vulnerability that was first released during the Month of Browser Bugs project in July. The project was kicked off by security researcher HD Moore (famous for creating the open-source penetration testing tool Metasploit).

The exploits are being launched by a known cyber-crime organization operating out of Russia, according to virus hunters tracking the threat.

Microsoft has released an advisory with prepatch workarounds. Executives have said an official update is on tap for delivery Oct. 10.

The attack uses IE to trigger an integer overflow error in the "setSlice()" method in the "WebViewFolderIcon" ActiveX control. Microsoft recommends that IE users disable attempts to instantiate the ActiveX control by setting the kill bit for the control in the registry.

According to Exploit Prevention Labs, a company that provides zero-day protection tools, two online groups of criminals are hacking into legitimate Web sites and message boards and quietly planting a malicious HTML tag called an iFrame on the sites.

When a Web surfer visits one of the maliciously rigged sites, his or her browser is redirected to an exploit server operated by the gang. The gang then attempts to deposit up to eight exploits onto the users computer.

"These guys have a huge network of lures drawing traffic in from legitimate search engines," said Roger Thompson, chief technology officer at Exploit Prevention Labs, in Atlanta.

The iFrame exploit technique has spawned a lucrative business for underground hackers. The groups use an affiliate model that offers cash for Web site owners who use the iFrame code. In one known case, at, the so-called affiliate program pays 55 cents per install or $55 for 1,000 unique installs of a 3KB program that "changes the homepage and installs toolbar and dialer," according to the Web sites Terms page.

The escalation of the latest attacks, which come just a week after the Sept. 18-19 VML (Vector Markup Language) exploits that also targeted IE users began, has prompted the release of another batch of third-party fixes from security researchers.

Determina, in Redwood City, Calif., has shipped a run-time fix for the vulnerability. It can be applied to Windows 2000, Windows XP and Windows 2003 systems. The fix patches the vulnerable code in memory without modifying any files on disk.

The nonprofit ZERT (Zeroday Emergency Response Team) has endorsed the Determina patch. The group has also released Zprotector, a patch that automates Microsofts recommended mitigation for Windows users.

Inside the setSlice flaw

* First discovered and reported in July as part of HD Moores Month of Browser Bugs project

* The vulnerability is exposed by the WebViewFolderIcon ActiveX control (Web View) in Windows

* Malicious sites hosted in Russia are targeting IE users with drive-by exploits that load spyware, Trojans, bots and rootkits without any user action